On 2010-03-16 15:57, prock...@yahoo.com wrote:
> I'm trying to figure out how many tests I need to run for an
> individual product (layer 2, 3, 4, and 7) before I can say it is
> completely DNSSEC compliant.

By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic: DNS with or without SEC-extension is considered payload. If an L2, 3 or 4 device does work with DNS and doesn't work with DNSSEC, it's broken and needs replacement. For completeness: switches and routers are layer 2 and 3 respectively.

Layer 7 devices might be affected, since they may perform extensive checking on the DNS-content itself.

To answer your question: 0 tests for layer 2, 3 and 4. To be "completely compliant", you'd need to run an infinite number of tests for layer 7 devices. I'd test the different algorithms, including some very recent (RSASHA512) and different security statuses (bogus, insecure, secure).

Niobos
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
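
The three security statuses named in the reply above can be told apart from the header of a validating resolver's response. The sketch below is an added example, not part of the original message; it assumes queries are sent with DO=1 through the device under test, that a SERVFAIL is re-queried with CD=1, and it uses constructed sample headers.

```python
import struct
from typing import Optional

# Header flag bits: QR (response), AD (authenticated data), CD (checking disabled)
QR, AD, CD = 0x8000, 0x0020, 0x0010
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    return {"id": ident, "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0x000F, "ancount": an}

def classify(normal: bytes, with_cd: Optional[bytes] = None) -> str:
    """Status as seen by a stub behind a validating resolver.

    normal  -- response to a query with DO=1, CD=0
    with_cd -- response to the same query repeated with CD=1 (optional)
    """
    h = parse_header(normal)
    if h["rcode"] in (NOERROR, NXDOMAIN):
        # AD is only set when the resolver validated the whole answer.
        return "secure" if h["ad"] else "insecure"
    if h["rcode"] == SERVFAIL and with_cd is not None:
        # Validation failures surface as SERVFAIL; if the data comes back
        # once checking is disabled, the failure was DNSSEC-related.
        if parse_header(with_cd)["rcode"] in (NOERROR, NXDOMAIN):
            return "bogus"
    return "failure"

def header(flags: int, ancount: int = 0) -> bytes:
    """Build a constructed 12-byte response header (sample data only)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples: QR|RD|RA = 0x8180, plus AD, CD or an RCODE.
SECURE = header(0x81A0, 1)
INSECURE = header(0x8180, 1)
BROKEN = header(0x8182)        # SERVFAIL
BROKEN_CD = header(0x8190, 1)  # same name, CD=1: NOERROR with data

if __name__ == "__main__":
    print(classify(SECURE), classify(INSECURE), classify(BROKEN, BROKEN_CD))
```

Comparing the status obtained through the layer 7 device with the one obtained on a direct path shows whether the device changed the AD bit or the RCODE on the way.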