@dsalzman thank you. This is awesome.
I don't need an error summary. Breaking on the first error is actually preferred because this speeds up the check. It would be useful if the exit code could be different (no error e.g. 0, error found e.g. 1) so that I can use it in scripts.
@lpeltan thanks for the fix. I have played with `kzonesign` a bit and it works as I was hoping. It would be very useful for my use case.
Hello Libor, what zone format does `kzonesign` expect?
I used the li-zone from our open-data page https://www.switch.ch/open-data/#tab-c5442a19-67cf-11e8-9cf6-5254009dc73c-3. I xfr-ed the zone with the command given on this web page and adapted your patch for knot 3.1.3. If I run kzonesign, I get the following error:
```
./kzonesign -v -c knot.conf li
DNSSEC validation failed (missing NSEC(3) record or wrong bitmap)
DNSSEC validation hint: li. ANY
```
Looking at the `strace` output it looks like it breaks on the first line.
We use `kzonecheck` to validate large DNSSEC-signed zones. I noticed that on a multi-core processor (e.g. 16 cores) only one CPU is ever used. I guess validation time could be sped up a lot if all available cores were used.
I would find it useful if `kzonecheck` could either detect the number of cores and automatically use all of them, or an argument switch could be provided where the user can specify a specific number of cores/threads to use. For operations such as signature verification this should improve the run time a lot, I guess.