2018-02-23 09:53:12 +01:00
|
|
|
Copyright (C) 2012, 2016, 2018 Internet Systems Consortium, Inc. ("ISC")
|
2016-06-27 14:56:38 +10:00
|
|
|
|
|
|
|
|
This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
2012-06-26 23:45:56 +00:00
|
|
|
|
2018-02-23 09:53:12 +01:00
|
|
|
See the COPYRIGHT file distributed with this work for additional
|
|
|
|
|
information regarding copyright ownership.
|
|
|
|
|
|
2012-06-26 23:45:56 +00:00
|
|
|
$Id$
|
2012-06-25 13:57:32 +10:00
|
|
|
|
|
|
|
|
dnssec-verify a tool to verify a zone is correctly signed.
|
|
|
|
|
|
|
|
|
|
* check that every record that should be signed has a valid RRSIG set.
|
|
|
|
|
* check that every record that shouldn't be signed isn't.
|
|
|
|
|
* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
|
|
|
|
|
in use are checked.
|
|
|
|
|
* provide a mechanism to mark DNSKEY algorithms to be ignored to support
|
|
|
|
|
verification of zones that are in the processs of adding/removing
|
|
|
|
|
support for a algorithm.
|
|
|
|
|
* provide a mechanism to check the zone as of a specified date and time.
|
|
|
|
|
* check that RRSIG won't expire within the TTL interval.
|
|
|
|
|
* check that original TTL matches.
|
|
|
|
|
|
|
|
|
|
NSEC:
|
|
|
|
|
* check that every node with data within the zone has a NSEC RRset.
|
|
|
|
|
* check that empty nodes don't have a NSEC record.
|
|
|
|
|
* check that nodes outside the zone do not have a NSEC record.
|
|
|
|
|
* check that the NSEC chain is valid.
|
|
|
|
|
|
|
|
|
|
NSEC3: for each NSEC3 chain
|
|
|
|
|
* check that every node with data within the zone has a NSEC3 RRset.
|
|
|
|
|
* check that empty nodes within the zone have a NSEC3 record.
|
|
|
|
|
* check that nodes outside the zone do not have a NSEC3 record.
|
|
|
|
|
* check that each NSEC3 in the NSEC3PARAM record is valid.
|
