[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Nov 2 08:34:17 UTC 2023
On Wed, Nov 01, 2023 at 12:18:42PM -0400,
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote
a message of 67 lines which said:
> Specifically, in the case of signed zones, monitoring MUST also include
> regular checks of the remaining expiration time of at least the core
> zone apex records (DNSKEY, SOA and NS), and ideally the whole zone, both
> on the primary server and the secondaries.
Indeed. If you use Nagios or compatible (such as Icinga), I recommend
this plugin for signatures monitoring:
http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
(If you use Debian, it is in the package monitoring-plugins-contrib.)
More information about the dns-operations
mailing list