Niobos niobos at dest-unreach.be
Tue Mar 16 15:39:14 UTC 2010

On 2010-03-16 15:57, prock111 at yahoo.com wrote:
> I'm trying to figure out how many tests I need to run for an
> individual product (layer 2, 3, 4, and 7) before I can say it is
> completely DNSSEC compliant.
By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic: DNS with
or without SEC-extension is considered payload. If an L2, 3 or 4 device
does work with DNS and doesn't work with DNSSEC, it's broken and needs
replacement. For completeness: switches and routers are layer 2 and 3.

Layer 7 devices might be affected, since they may perform extensive
checking on the DNS-content itself.

To answer your question: 0 tests for layer 2, 3 and 4. To be "completely
compliant", you'd need to run an infinite number of tests for layer 7
devices. I'd test the different algorithms, including some very recent
(RSASHA512) and different security statuses (bogus, insecure, secure).
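
The three security statuses named in the reply above can be told apart from the DNS response header alone. This is an added example, not part of the original post: it assumes a validating resolver is queried through the device under test, once with CD=0 and once with CD=1. The names parse_header, classify, sample_header and SAMPLES, and the labels "unreachable" and "other", are hypothetical.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the RCODEs used below.
QR, AD, CD, RCODE_MASK = 0x8000, 0x0020, 0x0010, 0x000F
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Extract the header fields that carry the validation result."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: the header is 12 bytes")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    return {"rcode": flags & RCODE_MASK, "ad": bool(flags & AD),
            "answers": ancount}

def classify(normal: bytes, checking_disabled: bytes) -> str:
    """Classify one name from two responses of a validating resolver:
    `normal` answers a CD=0 query, `checking_disabled` the same query
    sent with CD=1 (validation bypassed)."""
    n = parse_header(normal)
    c = parse_header(checking_disabled)
    if n["rcode"] == SERVFAIL:
        # A validation failure surfaces as SERVFAIL. If the CD=1 query
        # succeeds, the data exists and only validation rejected it.
        if c["rcode"] in (NOERROR, NXDOMAIN):
            return "bogus"
        return "unreachable"      # fails either way: not a DNSSEC verdict
    if n["rcode"] in (NOERROR, NXDOMAIN):
        # AD=1 means the resolver validated the answer or the denial.
        return "secure" if n["ad"] else "insecure"
    return "other"

def sample_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed sample: header bytes only, no question or records."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

BASE = QR | 0x0180                # response with RD and RA set
SAMPLES = {                       # constructed (CD=0 reply, CD=1 reply)
    "secure":   (sample_header(BASE | AD), sample_header(BASE | CD)),
    "insecure": (sample_header(BASE), sample_header(BASE | CD)),
    "bogus":    (sample_header(BASE | SERVFAIL, 0),
                 sample_header(BASE | CD)),
}

if __name__ == "__main__":
    for expected, (normal, cd_reply) in SAMPLES.items():
        print(expected, "->", classify(normal, cd_reply))
```

Running the same pair of queries with and without the layer 7 device in the path shows whether the device changes the result for any algorithm and status combination.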

