[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration
Stefan Ubbink
Stefan.Ubbink at sidn.nl
Mon Nov 6 07:37:12 UTC 2023
On Thu, 2 Nov 2023 11:18:34 -0400
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> On Thu, Nov 02, 2023 at 09:34:17AM +0100, Stephane Bortzmeyer wrote:
>
> > > Specifically, in the case of signed zones, monitoring MUST also
> > > include regular checks of the remaining expiration time of at
> > > least the core zone apex records (DNSKEY, SOA and NS), and
> > > ideally the whole zone, both on the primary server and the
> > > secondaries.
> >
> > Indeed. If you use Nagios or compatible (such as Icinga), I
> > recommend this plugin for signatures monitoring:
> >
> > http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
> >
>
> I wonder whether the widely authoritative resolvers could do more
> to help?
>
> For example, BIND loads zone data into memory. It should be able to
> know the time of the soonest signature expiration for a zone, or at
> least (if not loading the whole zone into memory) the soonest
> expiration time of recently queried records.
>
> There could be a new "rndc" protocol verb that asks the nameserver
> for a list of all the zones where the soonest expiration time is
> below some threshold, or asks about a particular zone.
This would still be based on polling the name server, and I think
active signalling would be better. There is an IETF draft [1] which
writes something about sending a signal when signatures are (about to)
expire.
[1] https://datatracker.ietf.org/doc/draft-grubto-dnsop-dns-out-of-protocol-signalling/
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
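An added, offline example (not from this thread, from SIDN, or from any tool it names) of the apex-record check the quoted text requires: it parses RRSIG lines in presentation format, reports the soonest DNSKEY/SOA/NS signature expiration for a zone, and, like the rndc-style verb proposed above, lists zones whose soonest expiration is below a threshold or whose apex lacks a signature. The zone names, timestamps and the fixed "now" are constructed.

```python
from datetime import datetime, timezone

# RRSIG presentation format (RFC 4034 s.3.2): <owner> <ttl> IN RRSIG <covered>
#   <alg> <labels> <orig-ttl> <expiration> <inception> <key-tag> <signer> <sig>
APEX_TYPES = {"DNSKEY", "SOA", "NS"}

def parse_rrsig_line(line):
    """Fields a monitor needs from one RRSIG line, or None if it is not one."""
    toks = line.split()
    if len(toks) < 13 or toks[3].upper() != "RRSIG":
        return None
    exp, inc = (datetime.strptime(t, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
                for t in (toks[8], toks[9]))  # both are YYYYMMDDHHmmSS in UTC
    return {"owner": toks[0].lower(), "covered": toks[4].upper(), "expiration": exp, "inception": inc}

def apex_signature_status(zone, rrsig_lines, now):
    """(soonest apex RRSIG expiration, apex types with no RRSIG, types not yet valid)."""
    apex = zone.lower().rstrip(".") + "."
    soonest, seen, not_yet_valid = None, set(), []
    for rr in map(parse_rrsig_line, rrsig_lines):
        if rr is None or rr["owner"] != apex or rr["covered"] not in APEX_TYPES:
            continue
        seen.add(rr["covered"])
        if rr["inception"] > now:  # signed but not yet valid: validators see bogus
            not_yet_valid.append(rr["covered"])
        if soonest is None or rr["expiration"] < soonest:
            soonest = rr["expiration"]
    return soonest, sorted(APEX_TYPES - seen), not_yet_valid

def zones_below_threshold(zone_rrsigs, now, threshold_seconds):
    """Zones to alert on: an unsigned apex type, or soonest expiration nearer than threshold."""
    flagged = {}
    for zone, lines in zone_rrsigs.items():
        soonest, missing, _ = apex_signature_status(zone, lines, now)
        if missing or (soonest - now).total_seconds() < threshold_seconds:
            flagged[zone] = soonest
    return flagged

NOW = datetime(2023, 11, 6, 7, 37, 12, tzinfo=timezone.utc)  # constructed "now"
SAMPLE = {  # constructed RRSIGs; "SIG==" stands in for the signature data
    "ok.example.": [
        "ok.example. 3600 IN RRSIG DNSKEY 13 2 3600 20231201000000 20231101000000 12345 ok.example. SIG==",
        "ok.example. 3600 IN RRSIG SOA 13 2 3600 20231120000000 20231101000000 12345 ok.example. SIG==",
        "ok.example. 3600 IN RRSIG NS 13 2 3600 20231120000000 20231101000000 12345 ok.example. SIG=="],
    "stale.example.": [
        "stale.example. 3600 IN RRSIG DNSKEY 13 2 3600 20231107120000 20231008000000 23456 stale.example. SIG==",
        "stale.example. 3600 IN RRSIG SOA 13 2 3600 20231110000000 20231008000000 23456 stale.example. SIG==",
        "stale.example. 3600 IN RRSIG NS 13 2 3600 20231110000000 20231008000000 23456 stale.example. SIG=="],
}
```

With a three-day threshold, `zones_below_threshold(SAMPLE, NOW, 3 * 86400)` flags only `stale.example.`, whose DNSKEY signature expires within about 28 hours of the constructed "now".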