[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration

Andreas S. Kerber ask at ag-trek.de
Mon Nov 6 15:29:48 UTC 2023


On Mon, Nov 06, 2023 at 08:37:12AM +0100, Stefan Ubbink via dns-operations wrote:
> > There could be a new "rndc" protocol verb that asks the nameserver
> > for a list of all the zones where the soonest expiration time is
> > below some threshold, or asks about a particular zone.
> 
> This would still be based on polling the name server, and I think
> active signalling would be better. There is an IETF draft [1] which
> writes something about sending a signal when signatures are (about to)
> expire.

FYI: maybe the simplistic approach below might be nice for some operators.
I like it because it is independent of the actual nameserver software.

The operator could simply grep for RRSIGs of all zones on the nameserver.
This quick and dirty approach gives me a list of >140.000 RRSIGs of about 7000 zones:

$ grep -A1 RRSIG /var/named/<path-to-your-zonefiles>/* | awk '{print $2" "$1}' | grep ^20

Then just pipe the output to a simple script (e.g. perl) and compare the first column
with the output of "date -d+5days +%Y%m%d%H%M00" and you have quickly and nicely checked
that all RRSIGs are valid for at least 5 days.

Quick and dirty Perl:

#!/usr/bin/perl
use strict;
use warnings;

# Threshold: now + 5 days as YYYYMMDDHHMM00, so it compares numerically with
# the RRSIG expiration field. RRSIG timestamps are UTC, hence "date -u".
my $date = `date -u -d+5days +%Y%m%d%H%M00`;
chomp $date;

my %seen;
# Input lines look like "<expiration> <zonefile>" (the awk output above).
while (<>) {
    chomp;
    my ($expire, $file) = split / /, $_, 2;
    next unless defined($expire) && $expire =~ /^\d{14}$/;
    next if $expire > $date;      # still valid for at least 5 days
    next if $seen{$file}++;       # report each zone file only once
    print "rrsig with lifetime <5 days: $file ($expire)\n";
}

If it's preferred to run such operations on a workstation/monitoring station,
one could AXFR the zones using dig and check the RRSIGs there.

Andreas
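The same check, written as an added example (not Andreas' script and not part of the original post) that handles both inputs the post mentions: the multi-line, parenthesised RRSIG layout BIND writes into signed zone files, and the single-line layout dig prints for an AXFR. It goes a little beyond the post by also reporting the soonest expiration per signing zone, which is the view the quoted rndc idea asked for. All zone data below is constructed sample input; the file names, the 5-day threshold and the reference time (the mail's date) are assumptions, and the comparison is done in UTC because RRSIG timestamps are UTC (RFC 4034).

```python
"""Report DNSSEC RRSIGs that will expire within N days (added example).

Handles the two layouts in which RRSIGs are usually seen:
  * the multi-line, parenthesised form BIND writes into signed zone files
  * the single-line form printed by `dig AXFR` / `dig +noall +answer`
All input below is constructed sample data; nothing is read from the network.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# RRSIG RDATA after the type name:
#   type-covered alg labels orig-ttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<ottl>\d+)\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

# Constructed reference time (the date of the mail) so the example is reproducible.
REFERENCE_NOW = datetime(2023, 11, 6, 15, 29, 48, tzinfo=timezone.utc)

# Constructed sample: fragment of a BIND-style signed zone file (not real data).
SAMPLE_ZONE = """\
; constructed sample zone, not real data
$ORIGIN example.test.
@    3600 IN SOA ns1 hostmaster 2023110601 7200 3600 1209600 3600
@    3600 IN RRSIG SOA 13 2 3600 (
               20231108120000 20231025120000 12345 example.test.
               AbCdEf0123456789== )
www  3600 IN A 192.0.2.10
www  3600 IN RRSIG A 13 3 3600 (
               20231201000000 20231101000000 12345 example.test.
               ZyXwVu9876543210== )
"""

# Constructed sample: the single-line form dig prints for an AXFR.
SAMPLE_AXFR = """\
other.test. 3600 IN RRSIG DNSKEY 13 2 3600 20231106180000 20231023180000 54321 other.test. QQQQ==
"""


def join_parenthesised(text):
    """Join '( ... )' multi-line records into one logical line each and drop
    ';' comments, so a single regex can handle both layouts."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # crude comment strip; fine for RRSIG lines
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    if buf:  # unbalanced parenthesis at EOF: keep what we have
        out.append(" ".join(buf))
    return out


def parse_rrsigs(text):
    """Yield one dict per RRSIG: owner, covered type, signer, expiration.
    RRSIG timestamps are UTC by definition (RFC 4034), hence tzinfo=UTC."""
    for line in join_parenthesised(text):
        m = RRSIG_RE.search(line)
        if not m:
            continue
        yield {
            "owner": line.split()[0],
            "covered": m["covered"],
            "signer": m["signer"],
            "expire": datetime.strptime(m["expire"], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc),
        }


def expiring_soon(text, days=5, now=None):
    """Return (owner, covered, expire) for every RRSIG that is not valid for at
    least `days` more days, soonest first. Already-expired signatures are included."""
    now = now or datetime.now(timezone.utc)
    threshold = now + timedelta(days=days)
    hits = [(r["owner"], r["covered"], r["expire"])
            for r in parse_rrsigs(text) if r["expire"] < threshold]
    return sorted(hits, key=lambda h: h[2])


def soonest_per_zone(text):
    """Map signer (zone) name to its earliest RRSIG expiration."""
    soonest = {}
    for r in parse_rrsigs(text):
        z = r["signer"]
        if z not in soonest or r["expire"] < soonest[z]:
            soonest[z] = r["expire"]
    return soonest


if __name__ == "__main__":
    # Usage: python3 rrsig_check.py zonefile...   (no arguments: run on the samples)
    if len(sys.argv) > 1:
        text, now = "".join(open(p).read() for p in sys.argv[1:]), None
    else:
        text, now = SAMPLE_ZONE + SAMPLE_AXFR, REFERENCE_NOW
    for owner, covered, exp in expiring_soon(text, days=5, now=now):
        print(f"rrsig with lifetime <5 days: {owner} {covered} expires {exp:%Y-%m-%d %H:%MZ}")
```

Feed it the signed zone files directly, or the output of "dig @server zone AXFR" when the check runs on a monitoring host; because it matches the RRSIG RDATA fields rather than relying on grep -A1 line adjacency, it does not care which of the two layouts it gets, and "RRSIG" appearing inside an NSEC type bitmap does not produce a false match.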

