DNSSEC DSSET & KEYSET

Paul Wouters paul at xelerance.com
Thu Jan 28 18:18:10 UTC 2010


On Thu, 28 Jan 2010, prock111 at yahoo.com wrote:

> So my question is, is there a way through DIG (or some other utility) to confirm that the parent domain has the DSSET and KEYSET records required to support the child domain?

http://opensource.iis.se/trac/dnscheck/

$ dnscheck -test=dnssec xelerance.org.
   0.000: INFO Begin testing DNSSEC for xelerance.org..
  19.914: INFO Found DS record for xelerance.org. at parent.
  25.983: INFO Nameserver 193.110.157.135 does DNSSEC extra processing.
  26.256: INFO Nameserver 209.237.247.134 does DNSSEC extra processing.
  26.256: INFO Servers for xelerance.org. have consistent extra processing status.
  26.256: INFO Found DNSKEY record for xelerance.org. at child.
  26.256: INFO Consistent security for xelerance.org..
  26.256: INFO Checking DNSSEC at child (xelerance.org.).
  26.256: INFO DNSKEY xelerance.org. (tag 10146) is marked as a secure entry point (SEP).
  26.257: INFO At least one mandatory algorithm found for DNSKEY xelerance.org..
  26.257: WARNING DNSSEC signature expired: RRSIG(xelerance.org/IN/DNSKEY/10146)
  26.257: INFO DNSSEC signature expires at: Fri Feb  5 12:54:58 2010
  26.278: INFO DNSSEC signature RRSIG(xelerance.org/IN/DNSKEY/49550) matches records.
  26.278: INFO DNSSEC signature valid: RRSIG(xelerance.org/IN/DNSKEY/49550)
  26.278: INFO Enough valid signatures found for xelerance.org..
  31.598: INFO DNSSEC signature expires at: Sun Feb  7 12:53:42 2010
  31.598: INFO DNSSEC signature RRSIG(xelerance.org/IN/SOA/49550) matches records.
  31.598: INFO DNSSEC signature valid: RRSIG(xelerance.org/IN/SOA/49550)
  31.598: INFO Enough valid signatures over SOA RRset found for xelerance.org..
  31.598: INFO DNSSEC child checks for xelerance.org. complete.
  31.599: INFO Checking DNSSEC at parent of xelerance.org..
  31.599: INFO Parent DS(xelerance.org.) refers to valid key at child: DS(xelerance.org./5/1/10146)
  31.599: INFO Parent DS(xelerance.org.) refers to secure entry point (SEP) at child: DS(xelerance.org./5/1/10146)
  31.599: INFO At least one mandatory DS algorithm found for xelerance.org..
  31.599: INFO DNSSEC parent checks for xelerance.org. complete.
  31.599: INFO Done testing DNSSEC for xelerance.org..


Paul
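
The parent-side checks in the output above ("Parent DS ... refers to valid key at child" and "... refers to secure entry point (SEP) at child") come down to recomputing the DS from the child's DNSKEY and comparing it with what the parent publishes. The following is an added example, not part of the original post and not dnscheck's code; it follows RFC 4034 for the key tag and DS digest, and the keys and the `example.org.` owner name are constructed sample data.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=1):
    """(key tag, algorithm, digest type, hex digest) the parent should publish."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, ds, dnskeys):
    """Classify a parent DS against the child's DNSKEY RDATA list."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return "unsupported-digest"
    for rdata in dnskeys:
        if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper()):
            flags = struct.unpack("!H", rdata[:2])[0]
            return "valid-sep" if flags & 0x0001 else "valid-no-sep"
    return "no-matching-key"

# Constructed sample keys (not real xelerance.org keys): algorithm 5, digest type 1,
# the same 5/1 combination as DS(xelerance.org./5/1/10146) in the output above.
KSK = dnskey_rdata(257, 3, 5, base64.b64encode(b"\x01\x03" + bytes(range(64))).decode())
ZSK = dnskey_rdata(256, 3, 5, base64.b64encode(b"\x01\x03" + bytes(range(64, 128))).decode())

if __name__ == "__main__":
    ds = make_ds("example.org.", KSK)
    print("DS at parent:", ds)
    print(check_ds("example.org.", ds, [ZSK, KSK]))  # valid-sep
    print(check_ds("example.org.", ds, [ZSK]))       # no-matching-key
```

Feed it the DNSKEY RDATA served by the child and the DS fields served by the parent. It does not validate RRSIGs or their expiry, which the tool output above reports separately.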


