[dns-operations] anybody awake over at comcast.net?

Matthew Richardson matthew-l at itconsult.co.uk
Tue Feb 9 18:57:21 UTC 2021

On Tue, 9 Feb 2021 13:19:02 -0500, Viktor Dukhovni wrote:-

>My Perl script (below) just checks that none of the RRSIGs are expiring
>too soon.  If some RRset is not signed at all, that's not detected
>presently, but should be easy to add.

That is most useful - thank you!

My existing monitoring does feature a daily "dnssec-verify" of each
zonefile accessed via AXFR.  I hope this would detect any unsigned RRset.
If so, would simply parsing the zonefile to get each RRSIG with its expiry
(ie not bothering with other record types) check everything was in order?

>That said, if "dnssec-verify" had a parameter to set a minimum remaining
>signature time, I wouldn't need the Perl script.

A most splendid suggestion!  :-)

Best wishes,

More information about the dns-operations mailing list