2026-04-26 19:03:36 +07:00

checker-dnssec

DNSSEC operational hygiene checker for happyDomain.

Cryptographic chain validation is delegated to checker-dnsviz. This checker focuses on policy and operational hygiene:

  • NSEC vs NSEC3 zone walking exposure
  • RFC 9276 NSEC3 parameter compliance (iterations, salt)
  • Algorithm policy and key sizes (allowed / forbidden / modern)
  • RRSIG presence, validity windows and freshness
  • TTL recommendations for DNSKEY / RRSIG
  • Per-name-server consistency of the DNSKEY RRset and denial scheme

The HTML report is laid out so the most common operator-facing failure scenarios appear first, with a fix line citing the relevant RFC.
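The RFC 9276 NSEC3 parameter check from the list above, sketched as an added example (not checker-dnssec's own code). `CheckNSEC3Param` is a hypothetical helper that takes NSEC3PARAM RDATA in presentation format; the sample values are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// CheckNSEC3Param inspects NSEC3PARAM RDATA in presentation format
// ("<hash-alg> <flags> <iterations> <salt>") and returns RFC 9276 findings.
// Hypothetical helper for illustration; not checker-dnssec's API.
func CheckNSEC3Param(rdata string) ([]string, error) {
	f := strings.Fields(rdata)
	if len(f) != 4 {
		return nil, fmt.Errorf("want 4 fields, got %d", len(f))
	}
	iter, err := strconv.ParseUint(f[2], 10, 16) // iterations is a 16-bit field
	if err != nil {
		return nil, fmt.Errorf("iterations: %w", err)
	}
	saltLen := 0
	if f[3] != "-" { // "-" is the presentation form of an empty salt
		salt, err := hex.DecodeString(f[3])
		if err != nil {
			return nil, fmt.Errorf("salt: %w", err)
		}
		saltLen = len(salt)
	}
	var findings []string
	if iter != 0 {
		findings = append(findings,
			fmt.Sprintf("iterations=%d: RFC 9276 says zone publishers MUST use 0", iter))
	}
	if saltLen != 0 {
		findings = append(findings,
			fmt.Sprintf("salt is %d bytes: RFC 9276 says to publish an empty salt (\"-\")", saltLen))
	}
	return findings, nil
}

func main() {
	// Constructed sample values, not taken from a real zone.
	for _, rd := range []string{"1 0 0 -", "1 0 10 AABBCCDD"} {
		findings, err := CheckNSEC3Param(rd)
		fmt.Printf("%q -> %d finding(s) %v err=%v\n", rd, len(findings), findings, err)
	}
}
```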

Build

make            # standalone binary
make docker     # FROM scratch image
make test       # tests

See checker-dnssec.md in the workspace root for the full specification.