[dns-operations] check DNSSEC RRSIG expiry (anybody awake over at comcast.net?)
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Feb 10 07:47:52 UTC 2021
On Wed, Feb 10, 2021 at 08:17:28AM +0100, Arsen STASIC wrote:
> >That said, if "dnssec-verify" had a parameter to set a minimum remaining
> >signature time, I wouldn't need the Perl script.
>
> Your script is really nice.
Thanks, but I wouldn't go that far; it is merely spartan... I've been
using it for ~7 years now; I don't know which of the more comprehensive
tools mentioned in this thread already existed back then, perhaps I
should have looked harder.
> ldns-verify-zone and kzonecheck have both a time option.
I also like ldns-verify-zone. With "-V1" I even get no output except on error:
-- Good:
$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null |
ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin; echo $?
0
-- Expiring:
$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null |
ldns-verify-zone -e P0Y0M5DT3H23M54S -V1 -S /dev/stdin; echo $?
Error: DNSSEC signature will expire too soon for dukhovni.org. TYPE65534
There were errors in the zone
78
-- Mutated:
$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null |
perl -pe 's{IN\s+MX\s+(\d+)}{IN MX 9}' |
ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin; echo $?
Error: Bogus DNSSEC signature for dukhovni.org. MX
There were errors in the zone
35
--
Viktor.
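The check the post delegates to "ldns-verify-zone -e <duration>" is small enough to show in full: parse the RRSIG expiration and inception fields out of the zone's presentation format, and flag any signature that is expired, not yet valid, or expires before now plus a minimum remaining window. The following is an added example, not code from ldns, BIND, or the author's Perl script. It assumes one RR per line without parentheses (the shape "named-compilezone -o -" emits), treats a year as 365 and a month as 30 days when parsing the ISO 8601 duration (a fixed-length approximation, not calendar arithmetic), and uses a constructed sample zone with placeholder signature data and a fixed "now" (the post's timestamp) so the result is reproducible. Nothing is validated cryptographically; this only reproduces the expiry check, not the "Bogus DNSSEC signature" check shown in the mutated run.

```python
"""Flag RRSIGs that are expired, not yet valid, or expiring within a
minimum-remaining window, the check `ldns-verify-zone -e <duration>` performs
in the post. Added example, not ldns, BIND, or the author's Perl script."""
import re
from datetime import datetime, timedelta, timezone

_DURATION_RE = re.compile(
    r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def parse_iso_duration(text):
    """Parse an ISO 8601 duration such as P0Y0M3DT3H23M54S into a timedelta.
    Assumption: a year is 365 days and a month 30 days (fixed lengths);
    this is not calendar-aware arithmetic."""
    m = _DURATION_RE.fullmatch(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"bad ISO 8601 duration: {text!r}")
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=365 * y + 30 * mo + 7 * w + d,
                     hours=h, minutes=mi, seconds=s)


def parse_rrsig_time(field):
    """RRSIG inception/expiration in presentation form: either YYYYMMDDHHmmSS
    (UTC) or a bare count of seconds since the epoch (RFC 4034 section 3.2)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def iter_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, inception) for each RRSIG.
    Assumes one RR per line with no parentheses; ';' comments are stripped."""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RDATA after the type: covered alg labels orig-ttl expiration inception keytag signer sig
        if len(fields) < i + 10:
            continue
        covered, expiration, inception = fields[i + 1], fields[i + 5], fields[i + 6]
        yield fields[0], covered, parse_rrsig_time(expiration), parse_rrsig_time(inception)


def expiring_rrsigs(zone_text, min_remaining, now=None):
    """Return [(owner, type_covered, status, expiration)] for every RRSIG that
    is expired, not yet valid, or expires at or before now + min_remaining."""
    now = now or datetime.now(timezone.utc)
    deadline = now + min_remaining
    problems = []
    for owner, covered, expiration, inception in iter_rrsigs(zone_text):
        if inception > now:
            status = "not yet valid"
        elif expiration <= now:
            status = "expired"
        elif expiration <= deadline:
            status = "expires too soon"
        else:
            continue
        problems.append((owner, covered, status, expiration))
    return problems


# Constructed sample in named-compilezone output shape; the signature field is
# a placeholder and nothing here is validated cryptographically.
SAMPLE_ZONE = """\
example.test.     3600 IN RRSIG SOA 13 2 3600 20210220000000 20210201000000 12345 example.test. c29tZXNpZw==
example.test.     3600 IN RRSIG MX  13 2 3600 20210213000000 20210201000000 12345 example.test. c29tZXNpZw==
example.test.     3600 IN RRSIG TXT 13 2 3600 20210214120000 20210201000000 12345 example.test. c29tZXNpZw==
www.example.test. 3600 IN RRSIG A   13 3 3600 1612656000 1612051200 12345 example.test. c29tZXNpZw== ; epoch-seconds form
"""

# Fixed "now" (the post's timestamp) so the sample output is reproducible.
NOW = datetime(2021, 2, 10, 7, 47, 52, tzinfo=timezone.utc)

if __name__ == "__main__":
    rc = 0
    for window in ("P0Y0M3DT3H23M54S", "P0Y0M5DT3H23M54S"):
        bad = expiring_rrsigs(SAMPLE_ZONE, parse_iso_duration(window), NOW)
        print(f"-e {window}: {len(bad)} problem(s)")
        for owner, covered, status, exp in bad:
            print(f"  {owner} {covered}: {status} (expires {exp:%Y-%m-%dT%H:%M:%SZ})")
        rc = rc or (1 if bad else 0)
    raise SystemExit(rc)
```

With the 3-day window only the MX signature (expiring 2021-02-13) is too close and the epoch-form A signature is already expired; widening to 5 days also catches the TXT signature, which is the same flip between the "Good" and "Expiring" runs above. For a live zone, pipe "named-compilezone -o -" output into the script in place of SAMPLE_ZONE and drop the fixed NOW.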