[Opendnssec-user] Guidance on Chained Zone Validation
Erwin Lansing
erwin at dk-hostmaster.dk
Tue Oct 11 17:08:16 UTC 2016
> On 11 Oct 2016, at 19.01, Mark Elkins <mje at posix.co.za> wrote:
>
> (Someone here must have done this)
>
> I've got the zones..
>
>          ZA
>        / | \
>     org  co  web(.za)
>
> All sign just fine. My own checking tool plus tools like dnssec-verify
> and validns pass the individual zones just fine. My copy of the ZA zone
> also contains the DS records of my children.
>
> I'd like to somehow test the signature chain down from my ZA Zone's
> DNSKEY (Trust Anchor) to the SOA of one of the second levels - or even
> the SOA of a child of one of the second levels.
>
> How could I do this?
> Going "live" is not yet an option.
I think what you’re looking for is a pre-delegated domain check in zonemaster. You can point to your test server, but have it evaluate as if it were already live.
https://zonemaster.net
Erwin
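
Added example, not part of the original thread and not Zonemaster or OpenDNSSEC code: an offline check of one link in the chain discussed above, namely that a DS record held in the parent zone matches the DNSKEY the child serves (key tag and digest per RFC 4034). The key material, algorithm 13 and the co.za owner name are constructed sample values; RRSIG verification is not covered.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Owner name in canonical (lowercase) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, dnskey, digest_type=2):
    """digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + dnskey_rdata(*dnskey)).hexdigest()

def ds_matches(owner, ds, dnskey):
    """ds = (key_tag, algorithm, digest_type, hex_digest) as held in the parent zone;
    dnskey = (flags, protocol, algorithm, base64_key) as served by the child."""
    tag, algorithm, digest_type, digest_hex = ds
    flags, protocol, key_algorithm, _ = dnskey
    if digest_type not in DIGESTS or not flags & 0x0100 or protocol != 3:
        return False  # unknown digest type, or not a zone key
    if key_algorithm != algorithm or key_tag(dnskey_rdata(*dnskey)) != tag:
        return False
    return ds_digest(owner, dnskey, digest_type) == "".join(digest_hex.split()).lower()

# Constructed sample data: a placeholder 64-byte "public key", not a real key.
CHILD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
OTHER_KEY = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
PARENT_DS = (key_tag(dnskey_rdata(*CHILD_KEY)), 13, 2, ds_digest("co.za.", CHILD_KEY).upper())

if __name__ == "__main__":
    for label, key in (("child KSK", CHILD_KEY), ("unrelated key", OTHER_KEY)):
        print(label, "matches parent DS:", ds_matches("co.za.", PARENT_DS, key))
```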