DNSSEC ISSUE (Msg: Request is not signed)

Edward Lewis Ed.Lewis at neustar.biz
Tue Jul 17 15:17:32 UTC 2007

At 17:03 +0900 7/17/07, Curt Sampson wrote:

>Actually, my main interest is just in make sure that my zones are valid
>before I load them into my server. (I.e., they got from the place where
>I sign them out to my servers without damage.) Is there a tool kicking
>around that validates them?

Most folks rely on VPN and host security to make sure the zone gets 
to the master okay (if "valid" means uncorrupted).  After that you 
have the option of TSIG covering XFR's or you can use some protected 
non-DNS-standard (yet widely popular or some-other-standard) means of 
replicating the data on each server.

I.e., most deal with such a threat (corruption between the signer and 
the server) via prevention instead of detection.  Partly because the 
preventative measures are already in place for other institutional 
activities (like protecting the web server).

If you mean "valid" as in syntactically correct, folks rely on BIND 
to tell them.  If you mean complete, then you can do use file 
checksums.  There are many ways to define "valid" come to think of it.

More or less, the DNS protocol engineers punted that question to the 
host security and operations staff people.
Edward Lewis                                                +1-571-434-5468

Think glocally.  Act confused.

More information about the bind-users mailing list