[dns-operations] anybody awake over at comcast.net?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Feb 9 19:35:55 UTC 2021


On Tue, Feb 09, 2021 at 06:57:21PM +0000, Matthew Richardson wrote:

> >My Perl script (below) just checks that none of the RRSIGs are expiring
> >too soon.  If some RRset is not signed at all, that's not detected
> >presently, but should be easy to add.
> 
> That is most useful - thank you!
> 
> My existing monitoring does feature a daily "dnssec-verify" of each
> zonefile accessed via AXFR.  I hope this would detect any unsigned RRset.
> If so, would simply parsing the zonefile to get each RRSIG with its expiry
> (ie not bothering with other record types) check everything was in order?

Yes, just parsing the presentation form of the RRSIGs should do it.

> >That said, if "dnssec-verify" had a parameter to set a minimum remaining
> >signature time, I wouldn't need the Perl script.
> 
> A most splendid suggestion!  :-)

Perhaps some of the ISC folks are reading this thread, and would
consider this a feature request.  Otherwise, I might need to find the
website for opening feature request tickets.

-- 
    Viktor.



More information about the dns-operations mailing list