[dns-operations] anybody awake over at comcast.net?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Feb 9 18:19:02 UTC 2021


On Tue, Feb 09, 2021 at 05:58:08PM +0000, Matthew Richardson wrote:

> >But it only checks one RR (default SOA) since it doesn't assume access to the whole zone.
> >That would be a good upgrade, though, to have it axfr the zone and check everything.
> 
> Are there any existing tools which would take a whole zonefile and check
> the expirations?  In a similar way to (for example) dnssec-verify from
> Bind.

My Perl script (below) just checks that none of the RRSIGs are expiring
too soon.  If some RRset is not signed at all, that's not detected
presently, but should be easy to add.

    named-compilezone -i local -jD -f raw -o - $zone $db 2>/dev/null |
        perl -MTime::Local -lane '
            BEGIN {
                @nsec = ();  # NSEC signed zones, rest assumed NSEC3
                ($domain, $maxdays) = splice(@ARGV, 0, 2);
                $now = time();
                # Expect at least DNSKEY and NS RRsets at the apex
                for (qw(DNSKEY NS)) { $want->{"IN"}->{$_}->{$domain} = 1; }
                if (!grep { $domain eq "$_" } @nsec) {
                    # Expect NSEC3PARAM (and, for these zones, MX) in non-NSEC zones
                    for (qw(MX NSEC3PARAM)) { $want->{"IN"}->{$_}->{$domain} = 1; }
                }
            }
            # named-compilezone -D emits one RR per line: owner ttl class type rdata...
            ($owner, $ttl, $class, $rrtype, @rdata) = @F;
            next if $rrtype ne "RRSIG";
            ($sigtype, $alg, $labels, $maxttl, $expiration, $inception) = @rdata;
            $expiration =~ m{^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$}
                or die "Malformed expiration $owner $sigtype: $expiration\n";
            # RRSIG timestamps are UTC, so use timegm rather than local-time mktime
            $s = timegm($6, $5, $4, $3, $2 - 1, $1);
            $d = ($s - $now) / 86400;
            if ($d < $maxdays) {
                warn sprintf("Signature of $owner $class $sigtype expires in %.2f days\n", $d);
            }
            # Drop the trailing dot (but not a bare ".") so the owner matches $domain
            $owner =~ s/.\K\.$//;
            delete $want->{$class}->{$sigtype}->{lc($owner)};
            END {
                # Anything still in %$want never had an RRSIG in the dump
                while (($class, $vc) = each %$want) {
                    while (($rrtype, $vr) = each %$vc) {
                        while (($domain, $dummy) = each %$vr) {
                            warn "No signature found for $domain $class $rrtype\n"
                        }
                    }
                }
            }
        ' "$zone" "$maxdays"

That said, if "dnssec-verify" had a parameter to set a minimum remaining
signature time, I wouldn't need the Perl script.

-- 
    Viktor.
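As an added example (not Viktor's script and not part of the thread), the same whole-zone check in Python over a constructed one-record-per-line dump in the style of `named-compilezone -D` output. It flags RRSIGs expiring within N days and also does the follow-up the post describes: reporting any authoritative RRset that has no covering RRSIG. Delegation NS records and glue at or below a zone cut are skipped because the parent does not sign them, while a DS at the cut must still be signed. The zone, names, key tags, timestamps and signature blobs are constructed; `NOW` defaults to the post's own timestamp so the output is reproducible.

```python
"""Whole-zone RRSIG expiry and unsigned-RRset check (added example, not the list post's code)."""
import sys
from datetime import datetime, timezone

# Constructed sample in the style of `named-compilezone -D` output
# (one RR per line: owner TTL class type rdata). Not a real zone; the
# signature and key fields are dummy base64.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2021020901 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20210301000000 20210201000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20210212000000 20210201000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN DNSKEY 257 3 13 cHVibGlja2V5
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20210301000000 20210201000000 54321 example.test. c2lnbmF0dXJl
ns1.example.test. 3600 IN A 192.0.2.53
ns1.example.test. 3600 IN RRSIG A 13 3 3600 20210301000000 20210201000000 12345 example.test. c2lnbmF0dXJl
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 13 3 300 20210301000000 20210201000000 12345 example.test. c2lnbmF0dXJl
mail.example.test. 300 IN A 192.0.2.25
sub.example.test. 3600 IN NS ns1.sub.example.test.
sub.example.test. 3600 IN DS 11111 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
sub.example.test. 3600 IN RRSIG DS 13 3 3600 20210301000000 20210201000000 12345 example.test. c2lnbmF0dXJl
ns1.sub.example.test. 3600 IN A 192.0.2.54
"""

# Fixed "now" (the post's timestamp) so results are deterministic.
NOW = datetime(2021, 2, 9, 18, 19, 2, tzinfo=timezone.utc)


def parse_rrsig_time(stamp):
    """RRSIG expiration/inception is YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_zone(zone_text, now=NOW, max_days=7):
    """Return {'expiring': [(owner, class, type, days)], 'unsigned': [(owner, class, type)]}."""
    rrsets = set()     # (owner, class, type) present in the zone, RRSIG excluded
    signed = set()     # (owner, class, type covered) with at least one RRSIG
    expiring = []
    apex = None
    ns_owners = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue
        owner, cls, rtype, rdata = fields[0].lower(), fields[2], fields[3], fields[4:]
        if rtype == "RRSIG":
            if len(rdata) < 6:
                raise ValueError(f"malformed RRSIG at {owner}: {line!r}")
            covered, expiration = rdata[0], rdata[4]
            signed.add((owner, cls, covered))
            days = (parse_rrsig_time(expiration) - now).total_seconds() / 86400
            if days < max_days:
                expiring.append((owner, cls, covered, round(days, 2)))
            continue
        if rtype == "SOA" and apex is None:
            apex = owner
        if rtype == "NS":
            ns_owners.add(owner)
        rrsets.add((owner, cls, rtype))
    cuts = ns_owners - {apex}   # NS RRsets anywhere but the apex mark delegations

    def authoritative(owner, rtype):
        # A DS at a cut belongs to this zone and must be signed; the
        # delegation NS and any glue at or below the cut are not signed here.
        if rtype == "DS":
            return True
        return not any(owner == cut or owner.endswith("." + cut) for cut in cuts)

    unsigned = sorted(k for k in rrsets if authoritative(k[0], k[2]) and k not in signed)
    return {"expiring": sorted(expiring), "unsigned": unsigned}


if __name__ == "__main__":
    # Pipe a real dump in (e.g. `named-compilezone -D ... -o - zone db | python3 check.py 7`)
    # or run without input to use the constructed sample at the fixed NOW.
    if sys.stdin.isatty():
        text, now = SAMPLE_ZONE, NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 7
    result = check_zone(text, now, limit)
    for owner, cls, rtype, days in result["expiring"]:
        print(f"Signature of {owner} {cls} {rtype} expires in {days:.2f} days")
    for owner, cls, rtype in result["unsigned"]:
        print(f"No signature found for {owner} {cls} {rtype}")
```

Run against the sample it reports the apex NS signature (about 2.24 days left against a 7-day limit) and the unsigned `mail.example.test. IN A`, while staying quiet about `sub.example.test. NS` and its glue. Feeding it real `-D` output replaces the Perl script's fixed list of expected RRsets with a check of every RRset in the zone.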
