[Opendnssec-user] DNSSEC zone pre-deployment checks
Rickard Bellgrim
rickard.bellgrim at iis.se
Mon Mar 28 08:27:31 UTC 2011
On 25 mar 2011, at 11.55, Carsten Strotmann (Men & Mice) wrote:
> * Completeness
> ** check that all RRs records from the unsigned zone appear in the
> signed zone
Excluding out-of-zone data.
> * Signatures
Check that every authoritative RRset is signed with each algorithm appearing in the DNSKEY RRset.
> DNSSEC post-deployment check
>
> * Completeness
> ** check that deployed (published) zone matches the "pre-fligh" zone
This check is not DNSSEC specific, but zone transfer specific.
> ** check that zone validates from a trust-anchor down
This can also be done in the pre-flight check.
// Rickard
More information about the Opendnssec-user
mailing list