On Thu, 28 Jan 2010, prock...@yahoo.com wrote:
So my question is, is there a way through DIG (or some other utility) to confirm that the parent domain has the DSSET and KEYSET records required to support the child domain?
http://opensource.iis.se/trac/dnscheck/ $ dnscheck -test=dnssec xelerance.org. 0.000: INFO Begin testing DNSSEC for xelerance.org.. 19.914: INFO Found DS record for xelerance.org. at parent. 25.983: INFO Nameserver 193.110.157.135 does DNSSEC extra processing. 26.256: INFO Nameserver 209.237.247.134 does DNSSEC extra processing. 26.256: INFO Servers for xelerance.org. have consistent extra processing status. 26.256: INFO Found DNSKEY record for xelerance.org. at child. 26.256: INFO Consistent security for xelerance.org.. 26.256: INFO Checking DNSSEC at child (xelerance.org.). 26.256: INFO DNSKEY xelerance.org. (tag 10146) is marked as a secure entry point (SEP). 26.257: INFO At least one mandatory algorithm found for DNSKEY xelerance.org.. 26.257: WARNING DNSSEC signature expired: RRSIG(xelerance.org/IN/DNSKEY/10146) 26.257: INFO DNSSEC signature expires at: Fri Feb 5 12:54:58 2010 26.278: INFO DNSSEC signature RRSIG(xelerance.org/IN/DNSKEY/49550) matches records. 26.278: INFO DNSSEC signature valid: RRSIG(xelerance.org/IN/DNSKEY/49550) 26.278: INFO Enough valid signatures found for xelerance.org.. 31.598: INFO DNSSEC signature expires at: Sun Feb 7 12:53:42 2010 31.598: INFO DNSSEC signature RRSIG(xelerance.org/IN/SOA/49550) matches records. 31.598: INFO DNSSEC signature valid: RRSIG(xelerance.org/IN/SOA/49550) 31.598: INFO Enough valid signatures over SOA RRset found for xelerance.org.. 31.598: INFO DNSSEC child checks for xelerance.org. complete. 31.599: INFO Checking DNSSEC at parent of xelerance.org.. 31.599: INFO Parent DS(xelerance.org.) refers to valid key at child: DS(xelerance.org./5/1/10146) 31.599: INFO Parent DS(xelerance.org.) refers to secure entry point (SEP) at child: DS(xelerance.org./5/1/10146) 31.599: INFO At least one mandatory DS algorithm found for xelerance.org.. 31.599: INFO DNSSEC parent checks for xelerance.org. complete. 31.599: INFO Done testing DNSSEC for xelerance.org.. Paul _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users