Improvements to dnssec-verify
Summary
This is both a bug report and a feature request.
dnssec-verify is not finding everything that is wrong with a zone, possibly because it is only looking for faults that would cause its RRs to fail validation and/or it is ignoring RRsets that ordinarily would be considered to be occluded, even though their DNSSEC-state is ambiguous in the zone itself.
BIND version used
9.11.5
Potential new features/fixes
- Detect RRsets that are DNSSEC-signed but shouldn't be because they're out-of-zone - for example necessary glue, unnecessary glue (usually occluded) and DNSKEY RRs that have inappropriately been added to the parent along with the DS RRs.
- Check that the NSEC/NSEC3 RRs don't 'cover' any RTYPEs that they should not (I'm assuming that the check already includes matching the RRsets at the name being covered against the type bitmap).
- Better 'this is broken' error messages detailing what is wrong, particularly when an NSEC/NSEC3 chain is broken.
- Match NSEC3 RRs to the names that they cover when reporting problems.
- #1863 (closed) Add an option for retrospective checking of a historic copy of a zone file by introducing an option to provide a date/time to be treated as 'now' for the purposes of DNSSEC validation.
See also https://support.isc.org/Ticket/Display.html?id=13752
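As an illustration of the first item (detecting signatures over out-of-zone data), here is an added example that is not part of this report or of BIND: it parses a constructed zone in a simplified one-RR-per-line presentation format with fully qualified owner names, locates delegation points, and flags RRSIGs over glue below a zone cut and over non-DS data at the cut, such as a child DNSKEY copied into the parent alongside the DS. The function names and the sample records are illustrative assumptions.

```python
"""Flag RRSIGs in a parent zone that cover data belonging to a child zone."""
from collections import defaultdict

# Constructed sample zone (owner TTL class type rdata), not taken from the report.
# child.example. is delegated; its DNSKEY and the glue A record should not be signed here.
SAMPLE_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
ns1.example. 3600 IN A 192.0.2.1
ns1.example. 3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 12345 example. AAAA
child.example. 3600 IN NS ns1.child.example.
child.example. 3600 IN DS 12345 13 2 ABCD
child.example. 3600 IN RRSIG DS 13 2 3600 20250101000000 20241201000000 12345 example. AAAA
child.example. 3600 IN DNSKEY 257 3 13 BBBB
child.example. 3600 IN RRSIG DNSKEY 13 2 3600 20250101000000 20241201000000 12345 example. AAAA
ns1.child.example. 3600 IN A 192.0.2.53
ns1.child.example. 3600 IN RRSIG A 13 3 3600 20250101000000 20241201000000 12345 example. AAAA
"""

def parse_zone(text):
    """Return {owner: {rtype: [rdata, ...]}} from the simplified format above."""
    rrsets = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        rrsets[owner.lower()][rtype.upper()].append(" ".join(rdata))
    return rrsets

def find_misplaced_signatures(text):
    """Return (owner, covered type, reason) for RRSIGs the parent should not hold."""
    rrsets = parse_zone(text)
    apex = next(o for o, s in rrsets.items() if "SOA" in s)
    # Any non-apex owner with an NS RRset is a zone cut; names below it are glue.
    cuts = [o for o, s in rrsets.items() if "NS" in s and o != apex]
    findings = []
    for owner, sets in rrsets.items():
        cut = next((c for c in cuts if owner == c or owner.endswith("." + c)), None)
        if cut is None:
            continue  # authoritative parent data: signatures are expected here
        for rdata in sets.get("RRSIG", []):
            covered = rdata.split()[0].upper()
            # At the cut only DS and NSEC/NSEC3 are parent-side, signable data.
            if owner == cut and covered in ("DS", "NSEC", "NSEC3"):
                continue
            reason = ("glue below delegation" if owner != cut
                      else f"{covered} at delegation belongs to child zone")
            findings.append((owner, covered, reason))
    return findings
```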