# checker-dnssec

DNSSEC operational hygiene checker for happyDomain.

Cryptographic chain validation is delegated to `checker-dnsviz`. This
checker focuses on **policy and operational hygiene**:

- NSEC vs NSEC3 zone walking exposure
- RFC 9276 NSEC3 parameter compliance (iterations, salt)
- Algorithm policy and key sizes (allowed / forbidden / modern)
- RRSIG presence, validity windows and freshness
- TTL recommendations for DNSKEY / RRSIG
- Per-name-server consistency of the DNSKEY RRset and denial scheme

The HTML report is laid out so the most common operator-facing failure
scenarios appear first, with a fix line citing the relevant RFC.

## Build

```sh
make          # standalone binary
make docker   # FROM scratch image
make test     # tests
```

See `checker-dnssec.md` in the workspace root for the full specification.