Mark Elkins
2016-10-11 17:01:43 UTC
(Someone here must have done this)
I've got the zones..
        ZA
      / | \
   org  co  web(.za)
All sign just fine. My own checking tool plus tools like dnssec-verify
and validns pass the individual zones just fine. My copy of the ZA zone
also contains the DS records of my children.
I'd like to somehow test the signature chain down from my ZA Zone's
DNSKEY (Trust Anchor) to the SOA of one of the second levels - or even
the SOA of a child of one of the second levels.
How could I do this?
Going "live" is not yet an option.
Setting up a separate DNSSEC-aware resolver and adding my ZA Trust
Anchor is an easy first step. Not sure after that.
Using BIND, would things like stub records be the way to go?
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
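One link of the chain described in the post (a DS record in the parent zone pointing at a DNSKEY in the child) can be checked offline, as in this added example, which is not part of the original message. The key material is constructed and stands in for records copied from the ZA and co.za zone files; only SHA-256 DS digests are handled and RRSIGs are not verified.

```python
import base64, hashlib, struct

def wire_name(name):
    """Canonical lower-case wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata):
    """Digest type 2 (SHA-256) over owner name plus DNSKEY RDATA, as hex."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def check_link(owner, ds, dnskeys):
    """ds is (key tag, algorithm, digest type, hex digest) from the parent zone;
    dnskeys is a list of (flags, protocol, algorithm, base64 key) from the child.
    Returns "ok" or the reason the parent-to-child link does not hold."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return "unsupported digest type"
    for key in dnskeys:
        rdata = dnskey_rdata(*key)
        if key[2] != alg or key_tag(rdata) != tag:
            continue
        if not key[0] & 0x0100:  # the Zone Key flag must be set on the target key
            return "matching key lacks the Zone Key flag"
        if ds_digest(owner, rdata) == digest.replace(" ", "").lower():
            return "ok"
        return "digest mismatch"
    return "no DNSKEY with that tag and algorithm"

# Constructed sample data, standing in for records copied from the zone files.
CO_KSK = (257, 3, 8, base64.b64encode(bytes(range(1, 33))).decode())
_rdata = dnskey_rdata(*CO_KSK)
# The DS that the ZA copy would hold for co.za, derived here from the sample key.
CO_DS = (key_tag(_rdata), 8, 2, ds_digest("co.za.", _rdata).upper())

if __name__ == "__main__":
    print("za -> co.za :", check_link("co.za.", CO_DS, [CO_KSK]))
    print("za -> org.za:", check_link("org.za.", CO_DS, [CO_KSK]))
```

Running the same check for each DS in the parent copy against the DNSKEY set of the matching child covers every delegation in the tree, one link at a time.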