Check for signed zone with no signatures from above #6
Comments
@gryphius Any comments on this one?

"no keys/signatures in the registry + zone is signed" is called an "island of security". This is pretty common. People want to test signing their zones first without causing any problems if something in the signing process goes wrong. Resolvers can validate these zones with locally configured trust anchors only. I'd suggest you check for both.

also, it should be configurable per zone if the zone is supposed to be an island of security or not.
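As an added example (not code from this project or from the commenters), here is how a monitoring check could tell the three cases apart and honour a per-zone "island of security" setting. The `lookup` callback and the sample records are constructed stand-ins for real DNS queries; in a real check the DS would be queried at the parent's servers and DNSKEY/RRSIG at the zone's own authoritative servers with the DO bit set.

```python
"""Classify a zone's DNSSEC state: unsigned, island of security, chained, or broken."""
from typing import Callable, Dict, List, Tuple

# Hypothetical lookup callback: (owner name, RR type) -> list of record strings.
Lookup = Callable[[str, str], List[str]]

UNSIGNED = "unsigned"          # no DS, no DNSKEY: DNSSEC not involved at all
ISLAND = "island_of_security"  # DNSKEY + RRSIG in the zone, but no DS in the parent
CHAINED = "signed_chain"       # DS in the parent and keys/signatures in the zone
BROKEN = "broken"              # DS published but no keys/signatures: validation fails


def classify_zone(zone: str, lookup: Lookup) -> str:
    has_ds = bool(lookup(zone, "DS"))          # delegation side (parent)
    has_dnskey = bool(lookup(zone, "DNSKEY"))  # zone side
    has_rrsig = bool(lookup(zone, "RRSIG"))    # zone side
    signed_locally = has_dnskey and has_rrsig
    if has_ds and signed_locally:
        return CHAINED
    if has_ds:
        return BROKEN  # validating resolvers will SERVFAIL this zone
    if signed_locally:
        return ISLAND
    return UNSIGNED


def check_zone(zone: str, expect_island: bool, lookup: Lookup) -> Tuple[str, str]:
    """Return (state, message); expect_island is the per-zone configuration."""
    state = classify_zone(zone, lookup)
    if state == BROKEN:
        return state, f"ERROR: Zone {zone} has a DS in the parent but no DNSKEY/RRSIG"
    if state == ISLAND and not expect_island:
        return state, f"WARNING: Zone {zone} is signed but has no DS in the parent (island of security)"
    if state == CHAINED and expect_island:
        return state, f"WARNING: Zone {zone} is configured as an island of security but a DS is published"
    if state == UNSIGNED:
        return state, f"WARNING: Zone {zone} seems to be unsigned (resolvable, but no DNSSEC involved)"
    return state, f"OK: Zone {zone} is {state}"


# Constructed sample answers standing in for real DNS responses.
SAMPLE: Dict[Tuple[str, str], List[str]] = {
    ("chained.example.", "DS"): ["12345 13 2 <digest>"],
    ("chained.example.", "DNSKEY"): ["257 3 13 <key>"],
    ("chained.example.", "RRSIG"): ["SOA 13 2 3600 <sig>"],
    ("island.example.", "DNSKEY"): ["257 3 13 <key>"],
    ("island.example.", "RRSIG"): ["SOA 13 2 3600 <sig>"],
    ("stale-ds.example.", "DS"): ["23456 13 2 <digest>"],
}


def sample_lookup(name: str, rtype: str) -> List[str]:
    return SAMPLE.get((name, rtype), [])
```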
If you e.g. configure a domain to be DNSSEC signed on your nameservers, but don't have the keys defined in the domain registry (either not yet, or they got removed), then the script currently says something like
WARNING: Zone foobar.tld seems to be unsigned (= resolvable, but no DNSSEC involved at all)
Which is not completely correct, because DNSSEC is involved, but not from top down, but only in the DNS zone itself.
Goal of this task would be to differentiate those two scenarios better: