Initial commit
commit
834c2eb37f
24 changed files with 2794 additions and 0 deletions
26
README.md
Normal file
@ -0,0 +1,26 @@
# checker-dnssec
DNSSEC operational hygiene checker for happyDomain.
Cryptographic chain validation is delegated to `checker-dnsviz`. This
checker focuses on **policy and operational hygiene**:
- NSEC vs NSEC3 zone walking exposure
- RFC 9276 NSEC3 parameter compliance (iterations, salt)
- Algorithm policy and key sizes (allowed / forbidden / modern)
- RRSIG presence, validity windows and freshness
- TTL recommendations for DNSKEY / RRSIG
- Per-name-server consistency of the DNSKEY RRset and denial scheme
The HTML report is laid out so the most common operator-facing failure
scenarios appear first, with a fix line citing the relevant RFC.
## Build
```sh
make # standalone binary
make docker # FROM scratch image
make test # tests
```
See `checker-dnssec.md` in the workspace root for the full specification.
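
Review bot: The second paragraph of the README says cryptographic chain validation is delegated to `checker-dnsviz`, but nothing here tells an operator that a clean report from this checker says nothing about whether the zone actually validates. Add one sentence stating that both checkers must pass, and consider having the HTML report repeat it, so a hygiene-only pass is not read as "DNSSEC is fine". The bullet list also names policies without their values: "RFC 9276 NSEC3 parameter compliance (iterations, salt)" and "Algorithm policy and key sizes (allowed / forbidden / modern)" should state the defaults that are enforced and whether they are configurable, since those thresholds decide what gets flagged. Finally, the last line points to `checker-dnssec.md` "in the workspace root", which a reader of this repository alone cannot be assumed to have; link to the specification or say where that workspace lives.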