checker-dnssec

DNSSEC operational hygiene checker for happyDomain.

Cryptographic chain validation is delegated to checker-dnsviz. This checker focuses on policy and operational hygiene:

  • NSEC vs NSEC3 zone walking exposure
  • RFC 9276 NSEC3 parameter compliance (iterations, salt)
  • Algorithm policy and key sizes (allowed / forbidden / modern)
  • RRSIG presence, validity windows and freshness
  • TTL recommendations for DNSKEY / RRSIG
  • Per-name-server consistency of the DNSKEY RRset and denial scheme

The HTML report is laid out so the most common operator-facing failure scenarios appear first, with a fix line citing the relevant RFC.
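
The RFC 9276 NSEC3 parameter check from the list above, as an added Go example that is not taken from checker-dnssec. The `Finding` type, the `CheckNSEC3Param` function and the sample records are assumptions made for illustration; the checker's real types and report wording may differ.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Finding is a hypothetical result type for this example: one policy
// violation plus the RFC reference an operator would need to fix it.
type Finding struct{ Field, Message, Ref string }

// CheckNSEC3Param takes NSEC3PARAM RDATA in presentation format
// ("<hash-alg> <flags> <iterations> <salt>") and applies the RFC 9276
// guidance for zone publishers: iterations of 0 and an empty salt ("-").
func CheckNSEC3Param(rdata string) ([]Finding, error) {
	f := strings.Fields(rdata)
	if len(f) != 4 {
		return nil, fmt.Errorf("want 4 fields, got %d", len(f))
	}
	iter, err := strconv.ParseUint(f[2], 10, 16) // 16-bit field on the wire
	if err != nil {
		return nil, fmt.Errorf("iterations: %w", err)
	}
	var out []Finding
	if iter != 0 {
		out = append(out, Finding{"iterations",
			fmt.Sprintf("iterations is %d, set it to 0", iter), "RFC 9276 section 3.1"})
	}
	if f[3] != "-" { // "-" is the presentation form of a zero-length salt
		salt, err := hex.DecodeString(f[3])
		if err != nil {
			return nil, fmt.Errorf("salt: %w", err)
		}
		out = append(out, Finding{"salt",
			fmt.Sprintf("%d-byte salt present, use an empty salt (\"-\")", len(salt)), "RFC 9276 section 3.1"})
	}
	return out, nil
}

func main() {
	// Constructed sample records, not taken from any real zone.
	for _, r := range []string{"1 0 0 -", "1 0 10 AABBCCDD"} {
		fs, err := CheckNSEC3Param(r)
		fmt.Printf("%q -> %v (err: %v)\n", r, fs, err)
	}
}
```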

Build

make            # standalone binary
make docker     # FROM scratch image
make test       # tests

See checker-dnssec.md in the workspace root for the full specification.