

To: dnssec@cafax.se, olaf@ripe.net
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 15 Nov 2002 16:00:18 -0500
Sender: owner-dnssec@cafax.se
Subject: DNSSEC verify tool requirements

-----BEGIN PGP SIGNED MESSAGE-----


My suggestions for a diagnostics tool.

I admit that I don't have a lot of reason for this procedure, but it
appeals to me.

1)	the tool has a recursive resolver in it.

2)	it takes a list of root name servers (or some other starting point).

3)	walk down the tree, gathering SOA/SIG/KEY/NS/A/AAAA records, verifying and looking
	for lame name servers.
	Ask EACH NS that is listed for the records, noting any differences.
	(do we need NXT records here? maybe)

4)	starting at the bottom, start validating the signatures on each
	record, until you get to a trusted key.
	
5)	don't stop because of a SIG failure. Keep moving.
	If there are SIG failures, and there are multiple KEYs, attempt each
	one in turn, despite the keyid.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

	
	
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPdVgX4qHRg3pndX9AQEyLQQAizUeZCQ7glaBksI4KtY3w+NYi37i+x04
U/GT1EXqcgUSB4RPvDh7iMX5O9dXGwuweF+DOW4thhGFCSm+xFrc7bxbCF89Vssc
Q6zsuF0JV8RkB6IxFb3hX5R481wYyeTLKcK8sifS1JvMDwzRp8pq0jpWIglSFA6H
jIiWKGoCv3g=
=W8TV
-----END PGP SIGNATURE-----
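The five-step procedure in the message above, modelled end to end as an added example. This is not the author's tool and not code from the list: the zones, the servers (two consistent root servers, one good and one stale server for example.), the key material and the "www"/"ftp" defects are all constructed, and HMAC-SHA256 stands in for the RFC 2535 SIG algorithms so the walk runs offline. It follows the message's era (parent-signed KEY RRsets, no DS records): walk() asks every listed NS at every cut and notes lame servers and disagreements (steps 1-3), validate() works deepest-first up to a trusted key (step 4) and, on a SIG failure, tries every KEY regardless of the tag the SIG claims and still reports every other RRset (step 5).

```python
"""Toy model of the walk-and-validate procedure in the message above (RFC 2535-era SIG/KEY). Constructed example:
in-memory zones and servers, and HMAC-SHA256 standing in for the real SIG algorithms so it runs offline."""
import hashlib
import hmac
def key_tag(key):                       # toy 16-bit tag, in place of the RFC 2535 key footprint
    return int.from_bytes(hashlib.sha256(key).digest()[:2], "big")

def toy_sign(key, owner, rtype, rdata): # signs the canonical RRset: lowercased owner, type, sorted rdata
    return hmac.new(key, "\n".join([owner.lower(), rtype, *sorted(rdata)]).encode(), "sha256").hexdigest()

def make_zone(rrsets, signer):          # sign every RRset; a SIG record is (claimed key tag, signature)
    return {"rr": dict(rrsets), "sig": {k: [(key_tag(signer), toy_sign(signer, *k, v))] for k, v in rrsets.items()}}
ROOT_KEY, KEY_A, KEY_B = b"constructed-root-key", b"constructed-example-key-a", b"constructed-example-key-b"
ROOT = make_zone({(".", "SOA"): ("a.root. hostmaster.root. 2002111500",), (".", "NS"): ("a.root.", "b.root."),
                  (".", "KEY"): (ROOT_KEY.hex(),), ("example.", "NS"): ("ns1.example.", "ns2.example."),
                  ("example.", "KEY"): (KEY_A.hex(), KEY_B.hex())}, ROOT_KEY)    # parent signs the child's KEY set
EXAMPLE = make_zone({("example.", "SOA"): ("ns1.example. hostmaster.example. 2002111501",),
                     ("example.", "NS"): ("ns1.example.", "ns2.example."), ("example.", "KEY"): (KEY_A.hex(), KEY_B.hex()),
                     ("www.example.", "A"): ("192.0.2.10",), ("ftp.example.", "A"): ("192.0.2.20",)}, KEY_A)
# Constructed defects: www's SIG claims KEY_B's tag although KEY_A made it (step 5 of the message); ftp's SIG
# was made by a key that is in no KEY RRset; ns2.example. is stale (old unsigned A record, no SOA or KEY at all).
EXAMPLE["sig"][("www.example.", "A")][0] = (key_tag(KEY_B), EXAMPLE["sig"][("www.example.", "A")][0][1])
EXAMPLE["sig"][("ftp.example.", "A")] = [(key_tag(KEY_A), toy_sign(b"rogue", "ftp.example.", "A", ("192.0.2.20",)))]
STALE = {"rr": {("example.", "NS"): ("ns1.example.", "ns2.example."), ("www.example.", "A"): ("192.0.2.99",)}, "sig": {}}
SERVERS = {"a.root.": ROOT, "b.root.": ROOT, "ns1.example.": EXAMPLE, "ns2.example.": STALE}
TYPES = ("SOA", "KEY", "NS", "A")

def collect(servers, nameservers, owner, rtype, notes):
    """Step 3: ask EACH listed server; note silence and disagreement; return the best-supported rdata and its SIGs."""
    got = {ns: (servers[ns]["rr"][(owner, rtype)], servers[ns]["sig"].get((owner, rtype), []))
           for ns in nameservers if (owner, rtype) in servers[ns]["rr"]}
    if not got:
        return None
    notes.update(f"{ns}: no answer for {owner} {rtype} (lame or stale)" for ns in nameservers if ns not in got)
    # rdata -> (how many servers returned it, whether any of them also returned a SIG); most support wins
    support = {r: (sum(rd == r for rd, _ in got.values()), any(s for rd, s in got.values() if rd == r)) for r, _ in got.values()}
    best = max(support, key=support.get)
    notes.update(f"{ns}: {owner} {rtype} {rdata} disagrees with {best}" for ns, (rdata, _) in got.items() if rdata != best)
    return best, sorted({s for rdata, sig in got.values() if rdata == best for s in sig})

def walk(servers, root_servers, targets):
    """Steps 1-3: descend from the root servers to each target, asking every NS at every cut (parent
    side, then the delegated servers) and keeping the records, and all SIGs, the servers agree on."""
    records, sigs, notes = {}, {}, set()
    def remember(owner, rtype, found):  # parent-side and child-side answers must agree before SIGs are merged
        if found is not None and records.setdefault((owner, rtype), found[0]) != found[0]:
            notes.add(f"{owner} {rtype}: {found[0]} differs from the earlier answer {records[(owner, rtype)]}")
        elif found is not None:
            sigs[(owner, rtype)] = sorted(set(sigs.get((owner, rtype), [])) | set(found[1]))
    for target in targets:
        labels, nameservers = target.rstrip(".").split("."), list(root_servers)
        for owner in ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]:
            for rtype in TYPES:
                remember(owner, rtype, collect(servers, nameservers, owner, rtype, notes))
            if owner != "." and (owner, "NS") in records:   # follow the delegation and ask the child's servers
                nameservers = list(records[(owner, "NS")])
                for rtype in TYPES:
                    remember(owner, rtype, collect(servers, nameservers, owner, rtype, notes))
    return records, sigs, sorted(notes)

def ancestors(owner):                   # enclosing names, deepest first: "www.example." -> [..., "example.", "."]
    labels = owner.rstrip(".").split(".") if owner != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def try_keys(owner, rtype, rdata, siglist, keys):
    """Step 5: for each SIG, try the KEY whose tag matches first, then every other KEY regardless of the tag."""
    for claimed, sig in siglist:
        for key in sorted(keys, key=lambda k: key_tag(k) != claimed):
            if hmac.compare_digest(toy_sign(key, owner, rtype, rdata), sig):
                return True, "ok" if key_tag(key) == claimed else f"ok with key tag {key_tag(key)}, SIG claims {claimed}"
    return False, "no KEY verifies any SIG"

def validate(records, sigs, trusted):
    """Steps 4-5: deepest first, check each RRset against the closest enclosing KEY set, chain KEY sets up to a trusted key."""
    keysets = {o: tuple(bytes.fromhex(h) for h in rd) for (o, t), rd in records.items() if t == "KEY"}
    memo = {}
    def zone_secure(zone):              # is this zone's KEY set chained to a trusted key?
        if zone not in memo:
            anchored = any(k in trusted for k in keysets[zone])
            memo[zone] = (anchored, "trusted key" if anchored else "no ancestor KEY verifies this KEY set")
            for parent in [] if anchored else [a for a in ancestors(zone)[1:] if a in keysets]:
                ok, note = try_keys(zone, "KEY", records[(zone, "KEY")], sigs.get((zone, "KEY"), []), keysets[parent])
                if ok:
                    secure = zone_secure(parent)[0]
                    memo[zone] = (secure, f"signed by {parent} KEY ({note})" + ("" if secure else ", not trusted"))
                    break
        return memo[zone]
    report = {}                         # every RRset gets a verdict: a failure never stops the run
    for (owner, rtype), rdata in sorted(records.items(), key=lambda kv: -len(kv[0][0])):
        zone = next((z for z in ancestors(owner) if z in keysets), None)
        if rtype == "KEY" and zone == owner:
            ok, note = zone_secure(owner)
        else:
            ok, note = try_keys(owner, rtype, rdata, sigs.get((owner, rtype), []), keysets.get(zone, ()))
            if ok:
                ok, znote = zone_secure(zone)
                note += f"; {zone} KEY: {znote}"
        report[(owner, rtype)] = ("SECURE" if ok else "BOGUS", note)
    return report
```

Drive it with walk(SERVERS, ["a.root.", "b.root."], ["www.example.", "ftp.example."]) and pass the returned records and SIGs to validate(records, sigs, {ROOT_KEY}). The notes flag ns2.example. as lame for example. SOA/KEY and as disagreeing on www.example. A; the report marks www.example. A SECURE (verified with KEY_A although the SIG names KEY_B's tag), ftp.example. A BOGUS, and everything else SECURE through the root key. With an empty trusted set every RRset becomes BOGUS, since the chain then ends at an unanchored root KEY.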
