Skip to end of metadata
Go to start of metadata

Symptom:

A newly DNSSEC signed zone should be monitored to detect potential DNSSEC validation issue before the zone goes public.

Problem:

a DNSSEC signed zone is much more vulnerable to software errors and operational errors, a small misconfiguration can render the whole zone invalid.

Solution

Below is a list of tools that can help verifying a DNSSEC signed zone. DNSSEC verification can be done in different stages of DNSSEC zone deployment:


Verisign jdnssec-tools

jdnssec-verifyzone: This is a tool to verify a signed zone for DNSSEC correctness. This tool verifies that a zone was correctly signed. It checks that all signatures are valid, all expected signatures exist, all expected NSEC or NSEC3 records exist and are correctly formed, and that the NSEC/NSEC3 chain is correctly formed.
java-based
http://www.verisignlabs.com/dnssec-tools/

AFNIC ZoneCheck

a generic DNS zone checker, include some DNSSEC checks
can be augmented with other tools
delivers a solid framework for DNS checks
ruby-based
http://www.zonecheck.fr/features.shtml

.SE dnssec-monitor

a small set of DNSSEC related tools .SE use for monitor DNSSEC-signed zones
perl-based
https://github.com/dotse/dnssec-monitor

SurfNet DNSSEC Checker

the DNSSEC Checker is a script that uses ubound-host and dnspython to verify DNSSEC information
python-based / unbound based
http://www.dnssecmonitor.org/source.php

YAZVS — Yet Another Zone Validation Script

yazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.
perl-based
http://yazvs.verisignlabs.com/

Vantages D-Sync

"D-Sync" monitors the secure delegation state between a child zone's DNSKEY(s) and the parent zone's DS record(s) for that child.  D-Sync uses a state-engine to track consistency during DNSKEY rollovers and DS record updates and alerts operators to various events.
C++-based
http://www.vantage-points.org/index.html

NlNetLabs ldns-verify-zone (part of ldns)

ldns-verify-zone reads a DNS zone file and verifies it. RRSIG  resource  records are checked against the DNSKEY set at the zone apex. Each name is checked for an NSEC(3), if appropriate

C-based
http://www.nlnetlabs.nl/projects/ldns/

nagval

nagval - Nagios/Icinga plugin to check validity of one or more DNSSEC domains
C-based
https://github.com/jpmens/nagval

Keychecker

Monitor and analyze DNSSEC key rollovers
python based
https://github.com/bortzmeyer/key-checker

OpenDNSSEC auditor

The OpenDNSSEC DNSSEC automation suite contains a module (the auditor) that checks the DNSSEC signed zone created by the OpenDNSSEC signer. The list of checks done by the auditor can be found at
http://trac.opendnssec.org/wiki/Signer/AuditorRequirements

ruby-based
http://www.opendnssec.org/

OpenDNSSEC monitor

This project contains tools to monitor a DNSSEC-signed zone,
including a NAGIOS plug-in.

ruby-based
http://trac.opendnssec.org/wiki/Signer/MonitorRequirements

http://svn.opendnssec.org/trunk/monitor/


ValiDNS

DNS and DNSSEC zone file validator.

known to compile and work on:

- FreeBSD 9.0 amd64
- FreeBSD 8.2 i386
- Ubuntu 10.10 1 i386
- Debian 5.0.3 "lenny" x86_64
- MacOS X 10.6.7 (10.7.0 Darwin) i386

Is likely to compile and work on any modern Unix-like OS.

https://github.com/tobez/validns