Hi Carsten,

Some minor refinements.

On 03/25/2011 11:55 AM, Carsten Strotmann (Men & Mice) wrote:
> * Chain of trust
> ** check that all active KSKs have a matching DS record in the parent
> ** check that all DS records in the parent match an active KSK in the zone

Not all DS records should have a matching KSK. In the case of Double-DS
Rollover, you can temporarily have an 'unlinked' DS record. So, the
check should be that at least one DS record matches an active KSK per
algorithm.

> * NSEC/NSEC3
> ** check that every RR-Set has an NSEC/NSEC3 (if not in opt out)

every authoritative and delegation RRset.

> ** each NSEC3 RR in the zone should use the same salt and iterations

There should be at least one complete chain with same salt and iterations.

Best regards,

Matthijs

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
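The two refined checks from the reply above, written out as an added example (this is not code from the thread or from OpenDNSSEC): per KSK algorithm at least one parent DS must match, while extra DS records that match nothing are only reported, not failed, since a Double-DS rollover produces exactly that; and NSEC3 records are grouped by (hash algorithm, iterations, salt) so that one closed chain can be found, after which every zone name is checked to hash onto an owner in that chain. The DNSKEY public-key bytes, the DS digests and the zone names are constructed placeholders; the helper functions follow RFC 4034 (key tag, DS digest), RFC 4509 (SHA-256 DS) and RFC 5155 (NSEC3 hash).

```python
"""Added example: DS/KSK linkage per algorithm and NSEC3 chain completeness.
All key material and zone names below are constructed placeholders."""
import base64
import hashlib
from collections import defaultdict

# --- RFC 4034 / RFC 4509 helpers -------------------------------------------

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: 'example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS as (key_tag, algorithm, digest_type, digest); digest over owner || DNSKEY RDATA."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return (key_tag(rdata), rdata[3], digest_type, h(name_to_wire(owner) + rdata).digest())

def check_ds_linkage(owner: str, active_ksks: list, ds_records: list) -> tuple:
    """Return (KSK algorithms with no matching DS, DS records matching no active KSK).
    The first list must be empty; the second is tolerated during a Double-DS rollover."""
    matched, linked_algs = set(), set()
    for rdata in active_ksks:
        for ds in ds_records:
            if ds[2] in (1, 2) and ds == make_ds(owner, rdata, ds[2]):
                matched.add(ds)
                linked_algs.add(rdata[3])
    missing = sorted({r[3] for r in active_ksks} - linked_algs)
    unlinked = [ds for ds in ds_records if ds not in matched]
    return missing, unlinked

# --- RFC 5155 helpers -------------------------------------------------------

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), re-applied `iterations` times, base32hex."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32HEX)

def build_nsec3_chain(names: list, salt: bytes, iterations: int) -> list:
    """Signer side: NSEC3 records as (owner_hash, hash_alg, iterations, salt, next_hash)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, 1, iterations, salt, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def complete_nsec3_chains(nsec3_rrs: list) -> set:
    """Parameter tuples (hash_alg, iterations, salt) whose records form one closed cycle."""
    groups = defaultdict(dict)
    for owner, alg, iters, salt, nxt in nsec3_rrs:
        groups[(alg, iters, salt)][owner] = nxt
    complete = set()
    for params, links in groups.items():
        start, cur, steps = min(links), min(links), 0
        while True:  # follow next pointers until we return to start, fall off, or loop
            cur = links.get(cur)
            steps += 1
            if cur is None or cur == start or steps > len(links):
                break
        if cur == start and steps == len(links):
            complete.add(params)
    return complete

def names_without_nsec3(names: list, nsec3_rrs: list, params: tuple) -> list:
    """Names whose hash is not an NSEC3 owner in the chain with the given parameters."""
    alg, iters, salt = params
    owners = {rr[0] for rr in nsec3_rrs if (rr[1], rr[2], rr[3]) == params}
    return [n for n in names if nsec3_hash(n, salt, iters) not in owners]

if __name__ == "__main__":
    zone = "example."
    ksk8 = dnskey_rdata(257, 8, bytes(range(64)))         # constructed, not a real RSA key
    ksk13 = dnskey_rdata(257, 13, bytes(range(64, 128)))  # constructed, not a real ECDSA key
    stale = (12345, 8, 2, bytes(32))                      # constructed DS left from a retired key
    ds_set = [make_ds(zone, ksk8), make_ds(zone, ksk13), stale]
    print("missing algorithms / unlinked DS:", check_ds_linkage(zone, [ksk8, ksk13], ds_set))
    names = ["example.", "www.example.", "mail.example."]
    chain = build_nsec3_chain(names, b"\xaa\xbb", 5)
    print("complete chains:", complete_nsec3_chains(chain))
    print("uncovered names:", names_without_nsec3(names + ["ftp.example."], chain, (1, 5, b"\xaa\xbb")))
```

Running the module prints one tolerated unlinked DS and no missing algorithm for the first check, and for the second a single complete chain with the constructed name ftp.example. reported as lacking an NSEC3 owner. An opt-out zone would need the uncovered-name check restricted to authoritative names, since unsigned delegations are allowed to have no NSEC3 there.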
