[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Nov 2 15:18:34 UTC 2023
On Thu, Nov 02, 2023 at 09:34:17AM +0100, Stephane Bortzmeyer wrote:
> > Specifically, in the case of signed zones, monitoring MUST also include
> > regular checks of the remaining expiration time of at least the core
> > zone apex records (DNSKEY, SOA and NS), and ideally the whole zone, both
> > on the primary server and the secondaries.
>
> Indeed. If you use Nagios or compatible (such as Icinga), I recommend
> this plugin for signatures monitoring:
>
> http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
I wonder whether the widely authoritative resolvers could do more to
to help?
For example, BIND loads zone data into memory. It should be able to
know the time of the soonest signature expiration for a zone, or at
least (if not loaing the whole zone into memory) the soonest expiration
time is of recently queried records.
There could be a new "rdnc" protocol verb that asks the nameserver for a
list of all the zones where the soonest expiration time is below some
threshold, or askes about a particular zone.
Of course in that case the monitoring agent would be a in a "privileged"
position to query the nameserver's internal control plane, rather than
having to send queries through "the front door".
Both kinds of monitoring are likely important, but more visibility via
the control plane may be able to offer a precise/timely view.
- Check each nameserver's control plane.
- Check as much of the zone as possible.
- Check each nameserver VIP over each supported protocol
(UDP, TCP, DoT, DoQ, ...)
- From multiple vantage points if possible/applicable when
service is on anycast IPs.
Perhaps through OARC support development of monitoring plugins that
many operators can use?
If after all the past incidents minor and not so minor operators
still aren't doing adequate monitoring, perhaps we (the software
and standards) developers and haven't given them adequate tools?
--
Viktor.
More information about the dns-operations
mailing list