[Opendnssec-user] Guidance on Chained Zone Validation

Erwin Lansing erwin at dk-hostmaster.dk
Tue Oct 11 17:08:16 UTC 2016

> On 11 Oct 2016, at 19.01, Mark Elkins <mje at posix.co.za> wrote:
> (Someone here must have done this)
> I've got the zones..
>      ZA
>    /  | \
> org  co  web(.za)
> All sign just fine. My own checking tool plus tools like dnssec-verify
> and validns pass the individual zones just fine. My copy of the ZA zone
> also contains the DS records of my children.
> I'd like to somehow test the signature chain down from my ZA Zones
> DNSKEY (Trust Anchor) to the SOA of one of the second levels - or even
> the SOA of a child of one of the second levels.
> How could I do this?
> Going "live" is not yet an option.

I think what you’re looking for is a pre-delated domain check in zonemaster. You can point to your test server, but have it evaluate as if it were already live.



More information about the Opendnssec-user mailing list