dns/bind9
1
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-07-31 18:04:32 +03:00
Code Activity
Files
main
bind9/doc/design/verify
Ondřej Surý 58bd26b6cf Update the copyright information in all files in the repository 
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.
2022-01-11 09:05:02 +01:00

38 lines
1.5 KiB
Plaintext
Raw Permalink Blame History

<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
dnssec-verify a tool to verify a zone is correctly signed.
* check that every record that should be signed has a valid RRSIG set.
* check that every record that shouldn't be signed isn't.
* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
in use are checked.
* provide a mechanism to mark DNSKEY algorithms to be ignored to support
verification of zones that are in the process of adding/removing
support for a algorithm.
* provide a mechanism to check the zone as of a specified date and time.
* check that RRSIG won't expire within the TTL interval.
* check that original TTL matches.
NSEC:
* check that every node with data within the zone has a NSEC RRset.
* check that empty nodes don't have a NSEC record.
* check that nodes outside the zone do not have a NSEC record.
* check that the NSEC chain is valid.
NSEC3: for each NSEC3 chain
* check that every node with data within the zone has a NSEC3 RRset.
* check that empty nodes within the zone have a NSEC3 record.
* check that nodes outside the zone do not have a NSEC3 record.
* check that each NSEC3 in the NSEC3PARAM record is valid.
View Git Blame Copy Permalink