[Opendnssec-user] Guidance on Chained Zone Validation

Mark Elkins mje at posix.co.za
Tue Oct 11 17:01:43 UTC 2016


(Someone here must have done this)

I've got the zones:

      ZA
    /  | \
 org  co  web(.za)

All sign just fine. My own checking tool plus tools like dnssec-verify
and validns pass the individual zones just fine. My copy of the ZA zone
also contains the DS records of my children.

I'd like to somehow test the signature chain down from my ZA Zone's
DNSKEY (Trust Anchor) to the SOA of one of the second levels - or even
the SOA of a child of one of the second levels.

How could I do this?
Going "live" is not yet an option.

Setting up a separate DNSSEC-aware resolver and adding my ZA Trust
Anchor is an easy first step. Not sure after that.
Using BIND, would things like stub records be the way to go?

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
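
Added example, not part of the original post and not OpenDNSSEC code: the step that joins individually verified zones into a chain is each DS record in the parent (ZA) matching a DNSKEY in the child, and that step can be checked offline from the zone files. The Python below recomputes the DS from the child DNSKEY as RFC 4034 defines it and compares it with the parent's DS. The function names are this example's own, it assumes one record per line without parentheses, it does not verify RRSIGs, and the sample key is a constructed toy value.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, not algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    key = base64.b64decode("".join(f[i + 4:]))
    return f[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_delegation(parent_ds_lines, child_dnskey_lines):
    """Return the key tags of parent DS records that match a child DNSKEY."""
    keys = [parse_dnskey(l) for l in child_dnskey_lines]
    matched = []
    for line in parent_ds_lines:
        f = line.split()
        i = f.index("DS")
        tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
        want = (tag, alg, dtype, "".join(f[i + 4:]).upper())
        if dtype in DIGESTS and any(
            owner.lower() == f[0].lower() and make_ds(owner, rd, dtype) == want
            for owner, rd in keys
        ):
            matched.append(tag)
    return matched

# Constructed sample: a toy 4-byte "key" for co.za, not a real key.
SAMPLE_DNSKEY = "co.za. 3600 IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_DS = "co.za. 3600 IN DS %d %d %d %s" % make_ds(*parse_dnskey(SAMPLE_DNSKEY))
```

A DS line in the parent zone that `check_delegation` does not return has no matching key in the child, so a validator would not be able to follow the chain through that delegation.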
