A list of tools that can help in verifying a DNSSEC signed zone.
May 16th, 2011
Symptom: A newly DNSSEC-signed zone should be monitored to detect potential DNSSEC validation issues before the zone goes public.
Problem: A DNSSEC-signed zone is much more vulnerable to software errors and operational errors; a small misconfiguration can render the whole zone invalid for validating resolvers.
Solution: Below is a list of tools that can help verify a DNSSEC-signed zone. DNSSEC verification can be done at different stages of DNSSEC zone deployment (after signing, before publication, and continuously once the zone is live).
jdnssec-verifyzone
This is a tool to verify a signed zone for DNSSEC correctness. It verifies that a zone was correctly signed: it checks that all signatures are valid, all expected signatures exist, all expected NSEC or NSEC3 records exist and are correctly formed, and that the NSEC/NSEC3 chain is correctly formed.
java-based
http://www.verisignlabs.com/dnssec-tools/

ZoneCheck
A generic DNS zone checker that includes some DNSSEC checks. It can be augmented with other tools and delivers a solid framework for DNS checks.
ruby-based
http://www.zonecheck.fr/features.shtml

dnssec-monitor
A small set of DNSSEC-related tools that .SE uses to monitor DNSSEC-signed zones.
perl-based
https://github.com/dotse/dnssec-monitor

DNSSEC Checker
A script that uses unbound-host and dnspython to verify DNSSEC information.
python-based / unbound-based
http://www.dnssecmonitor.org/source.php

yazvs.pl
One of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.
perl-based
http://yazvs.verisignlabs.com/

D-Sync
Monitors the secure delegation state between a child zone's DNSKEY(s) and the parent zone's DS record(s) for that child. D-Sync uses a state engine to track consistency during DNSKEY rollovers and DS record updates and alerts operators to various events.
C++-based
http://www.vantage-points.org/index.html

ldns-verify-zone
Reads a DNS zone file and verifies it. RRSIG resource records are checked against the DNSKEY set at the zone apex. Each name is checked for an NSEC(3), if appropriate.
C-based
http://www.nlnetlabs.nl/projects/ldns/

nagval
Nagios/Icinga plugin to check the validity of one or more DNSSEC domains.
C-based
https://github.com/jpmens/nagval

key-checker
Monitors and analyzes DNSSEC key rollovers.
python-based
https://github.com/bortzmeyer/key-checker

OpenDNSSEC auditor
The OpenDNSSEC DNSSEC automation suite contains a module (the auditor) that checks the DNSSEC-signed zone created by the OpenDNSSEC signer. The list of checks done by the auditor can be found at
http://trac.opendnssec.org/wiki/Signer/AuditorRequirements
ruby-based
http://www.opendnssec.org/

OpenDNSSEC monitor
This project contains tools to monitor a DNSSEC-signed zone, including a NAGIOS plug-in.
ruby-based
http://trac.opendnssec.org/wiki/Signer/MonitorRequirements
http://svn.opendnssec.org/trunk/monitor/