[Opendnssec-user] Final tests

Rick Zijlker rick.zijlker at sidn.nl
Mon Jan 18 11:18:22 UTC 2010

Hello Sven-Åke,

I am running tests as well and after signing a zone I check the following points:
- Keytags in the DNSKEY records and see if they correspond to the "ods-ksmutil key list -v" list;
- Presence of NSEC(3) records;
- Number of RRSIGs in relation to number of DS records;
- Possible changes in the SOA record according to policy;
- Logging to see if there is warnings and to see how well the signing is performing. You can see the signs/second;
- Integration with BIND 9.7 and the IXFR's BIND makes when signing a changed zone;

We are testing with a Safenet Luna SA HSM.

Rick Zijlker

-----Original Message-----
From: opendnssec-user-bounces at lists.opendnssec.org [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Sven-Åke Svensson
Sent: maandag 18 januari 2010 11:56
To: opendnssec-user at lists.opendnssec.org
Subject: [Opendnssec-user] Final tests


I have set up a test environment with opendnssec and a hsm. It's running 
on an internal network so it's not published. The main purpose for this 
was to test if this hsm (Safenet Protect Server Gold) will be useful for 
dnssec. And so far it looks good.

I'm not an expert in dns so I wonder if there are anything I should look 
for in the files or any tests I can do to be sure that it works correct 
and that the files are signed as they should?

Best regards


Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list