[dns-operations] check DNSSEC RRSIG expiry (anybody awake over at comcast.net?)
Arsen STASIC
arsen.stasic at univie.ac.at
Wed Feb 10 07:17:28 UTC 2021
* Viktor Dukhovni <ietf-dane at dukhovni.org> [2021-02-09 13:19 (-0500)]:
>My Perl script (below) just checks that none of the RRSIGs are expiring
>too soon. If some RRset is not signed at all, that's not detected
>presently, but should be easy to add.
>
> named-compilezone -i local -jD -f raw -o - $zone $db 2>/dev/null |
> perl -MTime::Local -lane '
>     BEGIN {
>         @nsec = ();    # NSEC signed zones, rest assumed NSEC3
>         ($domain, $maxdays) = splice(@ARGV, 0, 2);
>         $now = time();
>         # Expect at least DNSKEY and NS RRsets
>         for (qw(DNSKEY NS)) { $want->{"IN"}->{$_}->{$domain} = 1; }
>         if (!grep { $domain eq "$_" } @nsec) {
>             # Expect NSEC3PARAM in non-NSEC zones
>             for (qw(MX NSEC3PARAM)) { $want->{"IN"}->{$_}->{$domain} = 1; }
>         }
>     }
>     # Canonical dump format: owner TTL class type rdata...
>     ($owner, $ttl, $class, $rrtype, @rdata) = @F;
>     next if $rrtype ne "RRSIG";
>     ($sigtype, $alg, $labels, $maxttl, $expiration, $inception) = @rdata;
>     $expiration =~ m{^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$}
>         or die "Malformed expiration $owner $sigtype: $expiration\n";
>     # RRSIG times are UTC (RFC 4034), so use timegm, not local-time mktime
>     $s = timegm($6, $5, $4, $3, $2 - 1, $1);
>     $d = ($s - $now) / 86400;
>     if ($d < $maxdays) {
>         warn sprintf("Signature of $owner $class $sigtype expires in %.2f days\n", $d);
>     }
>     # Strip the trailing dot (but keep the root name ".") before matching
>     $owner =~ s/.\K\.$//;
>     delete $want->{$class}->{$sigtype}->{lc($owner)};
>     END {
>         while (($class, $vc) = each %$want) {
>             while (($rrtype, $vr) = each %$vc) {
>                 while (($domain, $dummy) = each %$vr) {
>                     warn "No signature found for $domain $class $rrtype\n"
>                 }
>             }
>         }
>     }
> ' "$zone" "$maxdays"
>
>That said, if "dnssec-verify" had a parameter to set a minimum remaining
>signature time, I wouldn't need the Perl script.
Your script is really nice.
ldns-verify-zone and kzonecheck both have a time option.
cheers,
-arsen
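The same check as an added example in Python (not Viktor's script and not part of ldns-verify-zone or kzonecheck), working on the same one-record-per-line canonical dump that `named-compilezone -D` emits. It goes a step beyond the Perl version in the direction Viktor says "should be easy to add": instead of a fixed list of expected RRsets, it records every RRset actually present in the dump and reports any authoritative one that no RRSIG covers, skipping delegation NS sets and their glue, which are unsigned by design (RFC 4035 section 2.2). The sample zone, key tags and signature fields are constructed placeholders, and `now` is passed in explicitly so the result is reproducible.

```python
"""RRSIG expiry and coverage check over a canonical zone dump (added example).

Assumed input: one record per line, presentation format, as printed by
named-compilezone -D:   owner TTL class type rdata...
RRSIG rdata starts:     typecovered alg labels origttl expiration inception keytag signer
Expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034 s.3.1.5), so they are
parsed with calendar.timegm, never with a local-time mktime.
"""
import calendar
import re
from typing import Iterable, List, Set, Tuple

RRSIG_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$")
RRset = Tuple[str, str, str]  # (owner, class, type)


def parse_sig_time(stamp: str) -> int:
    """YYYYMMDDHHMMSS (UTC) -> Unix seconds."""
    m = RRSIG_TIME.match(stamp)
    if not m:
        raise ValueError(f"malformed RRSIG time: {stamp}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups())
    return calendar.timegm((y, mo, d, h, mi, s, 0, 0, 0))


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot, except for the root name."""
    name = name.lower()
    return name if name == "." else name.rstrip(".")


def check_zone(lines: Iterable[str], apex: str, now: int, min_days: float):
    """Return (expiring, unsigned).

    expiring: [(owner, class, covered_type, days_left)] for every RRSIG that
              expires in fewer than min_days days (negative = already expired).
    unsigned: sorted [(owner, class, type)] for authoritative RRsets with no
              RRSIG covering them. Non-apex NS (delegations) and A/AAAA at or
              below a delegation (glue) are not signed and are skipped.
    """
    apex = _norm(apex)
    present: Set[RRset] = set()
    covered: Set[RRset] = set()
    delegations: Set[str] = set()
    expiring: List[Tuple[str, str, str, float]] = []

    for line in lines:
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner, cls, rrtype, rdata = _norm(f[0]), f[2], f[3], f[4:]
        present.add((owner, cls, rrtype))
        if rrtype == "NS" and owner != apex:
            delegations.add(owner)
        if rrtype != "RRSIG":
            continue
        if len(rdata) < 8:
            raise ValueError(f"short RRSIG rdata at {owner}")
        covered_type, expiration = rdata[0], rdata[4]
        covered.add((owner, cls, covered_type))
        days = (parse_sig_time(expiration) - now) / 86400
        if days < min_days:
            expiring.append((owner, cls, covered_type, days))

    def is_glue(owner: str, rrtype: str) -> bool:
        return rrtype in ("A", "AAAA") and any(
            owner == d or owner.endswith("." + d) for d in delegations)

    unsigned = sorted(
        rs for rs in present
        if rs[2] != "RRSIG"
        and not (rs[2] == "NS" and rs[0] != apex)
        and not is_glue(rs[0], rs[2])
        and rs not in covered)
    return expiring, unsigned


# Constructed sample dump (not a real zone); key tags and signatures are placeholders.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2021021001 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20210214000000 20210131000000 12345 example.com. c2ln
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20210312000000 20210210000000 12345 example.com. c2ln
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN RRSIG MX 13 2 3600 20210312000000 20210210000000 12345 example.com. c2ln
example.com. 3600 IN DNSKEY 257 3 13 a2V5
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20210312000000 20210210000000 54321 example.com. c2ln
example.com. 0 IN NSEC3PARAM 1 0 10 ab
example.com. 0 IN RRSIG NSEC3PARAM 13 2 0 20210312000000 20210210000000 12345 example.com. c2ln
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 13 3 300 20210312000000 20210210000000 12345 example.com. c2ln
forgot.example.com. 300 IN AAAA 2001:db8::1
sub.example.com. 3600 IN NS ns1.sub.example.com.
ns1.sub.example.com. 3600 IN A 192.0.2.53
sub.example.com. 3600 IN DS 1111 13 2 ab
sub.example.com. 3600 IN RRSIG DS 13 3 3600 20210312000000 20210210000000 12345 example.com. c2ln
"""

# Fixed "now" (2021-02-10 07:17:28 UTC) so the run is reproducible.
NOW = calendar.timegm((2021, 2, 10, 7, 17, 28, 0, 0, 0))

if __name__ == "__main__":
    expiring, unsigned = check_zone(SAMPLE_ZONE.splitlines(), "example.com", NOW, 7)
    for owner, cls, rtype, days in expiring:
        print(f"Signature of {owner} {cls} {rtype} expires in {days:.2f} days")
    for owner, cls, rtype in unsigned:
        print(f"No signature found for {owner} {cls} {rtype}")
```

Run against a real dump with `named-compilezone -i local -jD -f raw -o - "$zone" "$db" | python3 check.py` after swapping `SAMPLE_ZONE` for `sys.stdin` and `NOW` for `int(time.time())`. On the sample, the SOA signature (3.70 days left) is reported against a 7-day threshold, `forgot.example.com AAAA` is reported as unsigned, and the delegation `sub.example.com NS` with its glue is correctly left alone while the `DS` at that cut is still required to be signed.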