[dns-operations] anybody awake over at comcast.net?
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Feb 9 19:35:55 UTC 2021
On Tue, Feb 09, 2021 at 06:57:21PM +0000, Matthew Richardson wrote:
> >My Perl script (below) just checks that none of the RRSIGs are expiring
> >too soon. If some RRset is not signed at all, that's not detected
> >presently, but should be easy to add.
>
> That is most useful - thank you!
>
> My existing monitoring does feature a daily "dnssec-verify" of each
> zonefile accessed via AXFR. I hope this would detect any unsigned RRset.
> If so, would simply parsing the zonefile to get each RRSIG with its expiry
> (i.e. not bothering with other record types) check everything was in order?
Yes, just parsing the presentation form of the RRSIGs should do it.
> >That said, if "dnssec-verify" had a parameter to set a minimum remaining
> >signature time, I wouldn't need the Perl script.
>
> A most splendid suggestion! :-)
Perhaps some of the ISC folks are reading this thread, and would
consider this a feature request. Otherwise, I might need to find the
website for opening feature request tickets.
--
Viktor.