[Opendnssec-user] Final tests
Stephen.Morris at nominet.org.uk
Tue Jan 19 12:11:19 UTC 2010
Rickard Bellgrim <rickard.bellgrim at iis.se> wrote on 18/01/2010 12:06:51:
> You could also load your signed zones into BIND or NSD, so that the
> zones are available on your internal network. Then you can try to
> validate your zone by using different tools like:
> http://opensource.iis.se/trac/dnscheck or configuring a local resolver
> with the public KSK.
Another tool to check a DNSSEC-enabled zone published by a nameserver is
the "monitor" program (in the OpenDNSSEC trunk). An extract from the
README file is listed below.
Stephen
./dnssec_monitor.rb -z <zone> [options]

where zone is the zone to be monitored. Additional options may be
viewed by running:

./dnssec_monitor.rb -?

(or -h, or --help)

Additional options include:

-n, --nameservers <ns1>[,<ns2>,<ns3>,...]
        Comma-separated list of nameservers to monitor for the zone.
        Defaults to the nameservers listed in the public DNS.

--kskwarn [n]
        Warn if KSK RRSIG expiry is within n days. Defaults to 14.

--kskcritical [n]
        Error if KSK RRSIG expiry is within n days. Defaults to 7.

--zskwarn [n]
        Warn if the ZSK RRSIG expiry is within n days. Defaults to 3.

--zskcritical [n]
        Error if ZSK RRSIG expiry is within n days. Defaults to 1.

--dwarn [n]
        Warn if RRSIG expiry is within n days. Defaults to 3.
        Only useful when a list of domains to check is supplied.

--dcritical [n]
        Error if RRSIG expiry is within n days. Defaults to 1.
        Only useful when a list of domains to check is supplied.

--ods [ods_location]
        Load the OpenDNSSEC configuration files from this location and
        use the values for InceptionOffset and ValidityPeriod from them.
        Otherwise, defaults will be used for these (3600 for
        InceptionOffset, 3600 for ValidityPeriod). OpenDNSSEC must have
        been installed on this system if this option is used.

--[no-]wilcard
        NXDomain checks will be disabled if wildcards are enabled.

--names name1,name2,name3...
        List of names to check in the zone. Note that there must be no
        whitespace between the names.

--namefile file
        Name of file containing the list of names (and optional types)
        to check in the zone.

--zonefile file
        Name of zone file from which to load the list of names to check
        against the zone.

--[no-]validation
        Define whether to check parent DS records and validation from
        the root. Defaults to true.

--rootkey file
        Configure the key for the signed root. Defines the file to load
        the root key from. Validation from the root will not be tested
        if this is not configured.

--dlv
        Configure the location of the DLV service. Defaults to
        dlv.isc.org. DLV will only be used if dlvkey is set.

--dlvkey file
        Configure the DLV key. Defines the file to load the DLV key
        from. DLV won't be used if this isn't set.

--hints hint1,hint2,hint3...
        Configure the root hints. Defines the servers to use as root.
        Note that there must be no whitespace between the names.

-l, --log [FACILITY]
        Specify the syslog facility for results. Defaults to printing
        to the console.
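The warn/critical expiry logic that the --kskwarn/--kskcritical and --zskwarn/--zskcritical thresholds above describe, as an added Ruby example (this is not the OpenDNSSEC monitor's own code). It parses RRSIG records in zone-file presentation format, computes the days remaining until each signature's expiration, and classifies the result against the README's default thresholds. Two assumptions are made here for illustration only: the RRSIG covering the DNSKEY RRset is treated as the KSK signature and all other RRSIGs as ZSK signatures (the real monitor's classification may differ), and "within n days" is read as "n days or fewer remaining". The RRSIG lines, key tags and the clock value are constructed sample data.

```ruby
#!/usr/bin/env ruby
# Added example: RRSIG expiry classification in the spirit of the
# dnssec_monitor.rb README above. This is NOT the OpenDNSSEC monitor's code.

# Thresholds in days, taken from the README defaults for
# --kskwarn/--kskcritical and --zskwarn/--zskcritical.
DEFAULT_THRESHOLDS = {
  ksk: { warn: 14, critical: 7 },
  zsk: { warn: 3,  critical: 1 },
}.freeze

SEVERITY = { ok: 0, warn: 1, critical: 2 }.freeze

# RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034 3.2).
def parse_sig_time(s)
  raise ArgumentError, "bad RRSIG time: #{s}" unless s =~ /\A\d{14}\z/
  Time.utc(s[0, 4].to_i, s[4, 2].to_i, s[6, 2].to_i,
           s[8, 2].to_i, s[10, 2].to_i, s[12, 2].to_i)
end

# Parse one RRSIG in presentation format:
#   owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
def parse_rrsig(line)
  f = line.split
  raise ArgumentError, "not an RRSIG: #{line}" unless f[3] == 'RRSIG'
  {
    owner:        f[0],
    type_covered: f[4],
    expiration:   parse_sig_time(f[8]),
    inception:    parse_sig_time(f[9]),
    keytag:       f[10].to_i,
    signer:       f[11],
  }
end

# Assumption for this example: the RRSIG over the DNSKEY RRset is the KSK
# signature and every other RRSIG is a ZSK signature.
def key_role(sig)
  sig[:type_covered] == 'DNSKEY' ? :ksk : :zsk
end

# Classify one signature against the thresholds. "Within n days" is read as
# "n days or fewer remaining". A not-yet-valid or already-expired signature
# is critical regardless of thresholds.
def check_rrsig(sig, now, thresholds = DEFAULT_THRESHOLDS)
  role      = key_role(sig)
  days_left = (sig[:expiration] - now) / 86_400.0
  t         = thresholds[role]
  status =
    if sig[:inception] > now || days_left <= 0 then :critical
    elsif days_left <= t[:critical]             then :critical
    elsif days_left <= t[:warn]                 then :warn
    else                                             :ok
    end
  { owner: sig[:owner], type: sig[:type_covered], role: role,
    days_left: days_left.floor, status: status }
end

# Check a list of RRSIG lines and report the worst status, Nagios-style.
def monitor(lines, now, thresholds = DEFAULT_THRESHOLDS)
  results = lines.map { |l| check_rrsig(parse_rrsig(l), now, thresholds) }
  { status: results.map { |r| r[:status] }.max_by { |s| SEVERITY[s] },
    results: results }
end

# Constructed sample data (signature fields are placeholders, not real).
SAMPLE_NOW = Time.utc(2010, 1, 19, 12, 0, 0)
SAMPLE_RRSIGS = [
  'example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20100215120000 20100118120000 12345 example.com. c2lnMQ==',
  'example.com. 3600 IN RRSIG SOA 7 2 3600 20100121120000 20100118120000 54321 example.com. c2lnMg==',
  'www.example.com. 3600 IN RRSIG A 7 3 3600 20100120060000 20100118120000 54321 example.com. c2lnMw==',
  'mail.example.com. 3600 IN RRSIG A 7 3 3600 20100301000000 20100120000000 54321 example.com. c2lnNA==',
].freeze

if __FILE__ == $PROGRAM_NAME
  report = monitor(SAMPLE_RRSIGS, SAMPLE_NOW)
  report[:results].each do |r|
    puts format('%-9s %-17s %-6s %-3s %3d day(s) left',
                r[:status].upcase, r[:owner], r[:type], r[:role].upcase, r[:days_left])
  end
  puts "overall: #{report[:status].upcase}"
end
```

With the sample clock set to 19 Jan 2010 12:00 UTC, the DNSKEY signature (27 days left) is OK, the SOA signature (2 days left) trips the 3-day ZSK warning, the www A signature (18 hours left) is critical, and the mail A signature is critical because its inception is still in the future, so the overall result is critical. Feed the output of a real query (for example the RRSIG lines returned by a resolver for the zone apex) into monitor() to use the same classification against live data.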