DNSSEC DSSET & KEYSET
Michael Milligan
milli at acmeps.com
Sun Jan 31 04:33:21 UTC 2010
prock111 at yahoo.com wrote:
> Is there a tool/process to verify if the parent domain has DSSET, KEYSET, or keys in place for the child domain? Thanks.
>
You can use 'dig' or 'drill' for this, which are available as part of
the BIND9 distribution (contrib) or from NLNet Labs, respectively.
First, make sure you have the DNSKEY for the parent zone (since the root
zone is just now starting to roll out with DNSSEC info, there is no
trusted root yet). If it's a TLD, you can find the trust anchors at
https://itar.iana.org/ with instructions to validate and store DNSKEYs
for the signed TLDs. Dig/drill need to be fed trusted DNSKEYs to function.
If you save the above trusted DNSKEY into a file called 'trusted-keys',
then you can use either:
dig +sigchase +trusted-key=trusted-keys your.domain.tld
or
drill -TD -k trusted-keys your.domain.tld
and the output will show you if all the right things are in place and
that there is (or is not) a chain of trust from your trusted anchor
(DNSKEY) to your domain, and if not, where the chain is broken.
Regards,
Mike
--
Michael Milligan -> milli at acmeps.com
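The single link that `dig +sigchase` and `drill -TD` check at the parent/child boundary is that a DS record published by the parent was computed over the DNSKEY actually served by the child (RFC 4034: key tag, algorithm, and a digest over the owner name plus the DNSKEY RDATA). The following is an added example, not code from the list post or from BIND/ldns, that performs just that DS-to-DNSKEY match offline so the arithmetic is visible; the DNSKEY and DS lines are constructed sample records with a dummy public key (not a real RSA key), the zone name `example.com.` is a placeholder, and `chain_report` is a hypothetical helper name. Signature validation of the RRSIGs themselves is still left to the tools above.

```python
"""Check that a parent-zone DS record really matches the child's DNSKEY (RFC 4034).

Added example: feed it the presentation-format records from
  dig +noall +answer DS your.domain.tld     (ask the parent's servers)
  dig +noall +answer DNSKEY your.domain.tld (ask the child's servers)
and it reports which DS entries anchor which child keys.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse a DNSKEY RR as dig prints it, e.g.
    'example.com. 3600 IN DNSKEY 257 3 8 AwEAAavN' -> (owner, rdata bytes)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over several fields
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Build the DS RDATA the parent should publish: '<keytag> <alg> <dtype> <hex digest>'."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def parse_ds(line: str):
    """Parse a DS RR as dig prints it -> (keytag, alg, digest_type, hex digest)."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return tag, alg, dtype, "".join(fields[idx + 4:]).upper()


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True iff the parent's DS was computed over exactly this child DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_ALGOS:          # unknown digest type: cannot anchor anything
        return False
    owner, rdata = parse_dnskey(dnskey_line)
    return ds_from_dnskey(owner, rdata, dtype).split() == [str(tag), str(alg), str(dtype), digest]


def chain_report(ds_lines, dnskey_lines):
    """For every DS in the parent, list the child DNSKEY lines (if any) it anchors.
    An entry with an empty list is a broken link in the chain of trust."""
    return {ds: [k for k in dnskey_lines if ds_matches_dnskey(ds, k)] for ds in ds_lines}


# Constructed sample records (dummy 6-byte "public key", not a real RSA key).
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AwEAAavN"
GOOD_DS = "example.com. 86400 IN DS " + ds_from_dnskey(*parse_dnskey(SAMPLE_DNSKEY))
STALE_DS = "example.com. 86400 IN DS 12345 8 2 " + "00" * 32  # left over from an old KSK

if __name__ == "__main__":
    for ds, keys in chain_report([GOOD_DS, STALE_DS], [SAMPLE_DNSKEY]).items():
        print(ds, "->", keys if keys else "NO MATCHING DNSKEY (chain broken here)")
```

A DS that matches nothing is the symptom the post describes as "where the chain is broken": typically a DS left at the registrar after a KSK rollover, or a key tag/algorithm typo when the DS was entered by hand.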