[Opendnssec-user] DNSSEC zone pre-deployment checks

Matthijs Mekking matthijs at NLnetLabs.nl
Sun Mar 27 10:00:35 UTC 2011



Hi Carsten,

Some minor refinements.

On 03/25/2011 11:55 AM, Carsten Strotmann (Men & Mice) wrote:
> * Chain of trust
> ** check that all active KSKs have a matching DS record in the parent
> ** check that all DS records in the parent match an active KSK in the zone

Not all DS records should have a matching KSK. In the case of Double-DS
Rollover, you can temporarily have an 'unlinked' DS record. So, the
check should be that at least one DS record matches an active KSK per
algorithm.

> * NSEC/NSEC3
> ** check that every RR-Set has an NSEC/NSEC3 (if not in opt out)

Every authoritative and delegation RRset.

> ** each NSEC3 RR in the zone should use the same salt and iterations

There should be at least one complete chain with the same salt and iterations.


Best regards,

Matthijs
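The two refinements above (one matching DS per algorithm, with unlinked DS records tolerated during a Double-DS rollover, and at least one complete NSEC3 chain per salt/iterations pair) can be turned into concrete pre-deployment checks. The following is an added example written for this page; it is not OpenDNSSEC code and was not posted in the thread. It computes key tags and DS digests itself per RFC 4034, and all DNSKEY material, the `example.` zone and the NSEC3 owner/next hashes are constructed values, as are the tuple layouts chosen for DS and NSEC3 records.

```python
"""DNSSEC pre-deployment checks (added example, not OpenDNSSEC code).
All key material and NSEC3 hashes below are constructed sample data."""
import hashlib
import struct


def name_to_wire(name):
    # Canonical wire form of an owner name: lowercase, length-prefixed labels, root label.
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    # RFC 4034 section 2.1: flags(2) protocol(1, always 3) algorithm(1) public key
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    # RFC 4034 Appendix B (all algorithms except 1)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


def ds_digest(owner, rdata, digest_type):
    # RFC 4034 section 5.1.4: digest = H(canonical owner name || DNSKEY RDATA)
    return DIGEST[digest_type](name_to_wire(owner) + rdata).digest()


def ds_matches(owner, rdata, ds):
    # ds is a constructed tuple: (key_tag, algorithm, digest_type, digest)
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3] and dtype in DIGEST
            and ds_digest(owner, rdata, dtype) == digest)


def ds_coverage(owner, active_ksks, parent_ds):
    """Per DNSKEY algorithm of the active KSKs: does at least one parent DS match?"""
    result = {}
    for rdata in active_ksks:
        alg = rdata[3]
        hit = any(ds_matches(owner, rdata, ds) for ds in parent_ds)
        result[alg] = result.get(alg, False) or hit
    return result


def unlinked_ds(owner, active_ksks, parent_ds):
    """DS records matching no active KSK: informational only, since a Double-DS
    rollover publishes the successor's DS before the successor key is active."""
    return [ds for ds in parent_ds
            if not any(ds_matches(owner, k, ds) for k in active_ksks)]


def nsec3_complete_chains(nsec3_rrs):
    """nsec3_rrs: (owner_hash, salt, iterations, next_hash), hashes in base32hex.
    Returns the (salt, iterations) pairs whose records form one closed, sorted chain;
    the zone passes as long as at least one such pair exists."""
    groups = {}
    for owner, salt, iters, nxt in nsec3_rrs:
        groups.setdefault((salt, iters), {})[owner.upper()] = nxt.upper()
    complete = set()
    for params, links in groups.items():
        start = min(links)  # base32hex string order equals hash order
        cur, seen, ordered = start, set(), True
        while cur in links and cur not in seen:
            seen.add(cur)
            nxt = links[cur]
            if nxt != start and nxt <= cur:
                ordered = False  # next must increase, except the wrap back to the first
            cur = nxt
        if ordered and cur == start and seen == set(links):
            complete.add(params)
    return complete


# Constructed sample data (no real keys): two active KSKs of different algorithms,
# plus a successor KSK whose DS is already in the parent but which is not active yet.
ZONE = "example."
KSK_RSA = dnskey_rdata(257, 8, bytes(range(1, 65)))        # algorithm 8
KSK_ECDSA = dnskey_rdata(257, 13, bytes(range(200, 232)))  # algorithm 13
KSK_NEXT = dnskey_rdata(257, 8, bytes(range(100, 164)))    # pre-published successor


def make_ds(owner, rdata, dtype=2):
    return (key_tag(rdata), rdata[3], dtype, ds_digest(owner, rdata, dtype))


PARENT_DS = [make_ds(ZONE, k) for k in (KSK_RSA, KSK_ECDSA, KSK_NEXT)]

# Constructed NSEC3 records: a closed chain under the old salt, a partial one under the new.
NSEC3_RRS = [
    ("2VPTU", "AABB", 10, "8A4K1"),
    ("8A4K1", "AABB", 10, "P7NQ3"),
    ("P7NQ3", "AABB", 10, "2VPTU"),
    ("5KD0M", "CCDD", 10, "T1X9Q"),  # new salt, chain not yet complete
]

if __name__ == "__main__":
    active = [KSK_RSA, KSK_ECDSA]
    print("DS coverage per algorithm:", ds_coverage(ZONE, active, PARENT_DS))
    print("unlinked DS records:", len(unlinked_ds(ZONE, active, PARENT_DS)))
    print("complete NSEC3 chains:", nsec3_complete_chains(NSEC3_RRS))
```

With the constructed data, both algorithms 8 and 13 are covered, the successor's DS shows up as one unlinked record rather than as a failure, and only the old-salt NSEC3 group counts as a complete chain. The `ds_matches` check compares key tag, algorithm and the recomputed digest, so a DS whose digest type the checker does not know is simply ignored rather than treated as a match.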
