On Tue, Feb 09, 2021 at 06:53:33PM +0000, Wessels, Duane via dns-operations wrote:
> > Are there any existing tools which would take a whole zonefile and check
> > the expirations? In a similar way to (for example) dnssec-verify from
> > Bind.
>
> YAZVS: Yet Another Zone Validation Script
>
> https://github.com/verisign/yazvs
>
> It is designed to also show changes between a new and current zone,
> but you can skip that part with the -x option.

This looks very useful. Thanks! I just need to separately enforce the
presence of a couple of expected RRsets, but this is certainly a more
comprehensive validator than the quick-n-dirty script I cobbled together
for my own zones a few years back...

I just had to install a few (new for me) Perl dependencies from CPAN, but
otherwise no issues. I just queried the parent zone for my DS RR and used
that as trust anchor, and the script does the rest:

-- Check of "good" zone:

$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org | perl yazvs.pl -e 3.14 -a /tmp/dukhovni.org.ds -x /dev/stdin; echo $?
zone dukhovni.org/IN: loaded serial 2358 (DNSSEC signed)
OK
Crypto Validation of dukhovni.org 2358
----------------------------------------------------------------------
OK: Parsed 47 RRs from /dev/stdin
OK: DS=34314 verifies DNSKEY=34314/SEP
OK: 1 trusted KSKs found
OK: Apex DNSKEY RRset validated
OK: 0 expiring RRSIGs found
OK: 0 bad RRSIGs found
OK: 19 good RRSIGs found
Validation for dukhovni.org 2358 PASSED, 0 problems
0

-- Check of "corrupted" zone (modified MX RData after signing):

$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org | perl -pe 's{IN\s+MX\s+(\d+)}{IN MX 9}' | perl yazvs.pl -e 3.14 -a /tmp/dukhovni.org.ds -x /dev/stdin; echo $?
zone dukhovni.org/IN: loaded serial 2358 (DNSSEC signed)
OK
Crypto Validation of dukhovni.org 2358
----------------------------------------------------------------------
OK: Parsed 47 RRs from /dev/stdin
OK: DS=34314 verifies DNSKEY=34314/SEP
OK: 1 trusted KSKs found
OK: Apex DNSKEY RRset validated
OK: 0 expiring RRSIGs found
PROBLEM: 1 bad RRSIGs found
OK: 18 good RRSIGs found
Validation for dukhovni.org 2358 FAILED, 1 problems
1

-- Check of "expiring" zone (I have one expiring in 5.1 days):

$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org | perl yazvs.pl -d -e 5.2 -a /tmp/dukhovni.org.ds -x /dev/stdin; echo $?
zone dukhovni.org/IN: loaded serial 2358 (DNSSEC signed)
OK
DEBUG: Read 1 trust anchors from /tmp/dukhovni.org.ds
Crypto Validation of dukhovni.org 2358
----------------------------------------------------------------------
OK: Parsed 47 RRs from /dev/stdin
...
OK: Apex DNSKEY RRset validated
...
DEBUG: Time to first RRSIG expiry: 5.1 days
OK: 0 bad RRSIGs found
OK: 18 good RRSIGs found
Validation for dukhovni.org 2358 FAILED, 1 problems
1

-- 
Viktor.
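Viktor mentions a quick-n-dirty expiry script of his own; the following is an added example in that spirit, not code from the post or from YAZVS: it pulls RRSIG records out of zone-file text and reports signatures that expire within a threshold in days (the check behind yazvs -e), plus the time to the first expiry as in the DEBUG line above. The zone fragment, key tag and the check timestamp are constructed; a real run would feed it the named-compilezone output and use the current UTC time.

```python
import re
from datetime import datetime, timezone

# Constructed sample zone fragment (not from the original post). RRSIG RDATA is:
# type-covered alg labels orig-ttl expiration inception keytag signer signature
SAMPLE_ZONE = """\
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 2358 7200 900 1209600 3600
example.test.     3600 IN RRSIG SOA 13 2 3600 20210301120000 20210201120000 12345 example.test. c29h
example.test.     3600 IN RRSIG MX  13 2 3600 20210216120000 20210201120000 12345 example.test. bXg=
www.example.test.  300 IN RRSIG A   13 3 300  20210214120000 20210201120000 12345 example.test. YQ==
"""
# Constructed "now" for the check; a real run would use datetime.now(timezone.utc).
CHECK_TIME = datetime(2021, 2, 9, 12, 0, 0, tzinfo=timezone.utc)

RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+\S+"
)

def parse_sig_time(stamp):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_status(zone_text, now):
    """Yield (owner, covered type, days until expiry, not_yet_valid) per RRSIG.
    Negative days mean the signature has already expired."""
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, covered, expiration, inception, _keytag = m.groups()
        days_left = (parse_sig_time(expiration) - now).total_seconds() / 86400
        # An inception in the future is just as fatal to validation as an expiry in the past.
        yield owner, covered, round(days_left, 1), parse_sig_time(inception) > now

def expiring_rrsigs(zone_text, threshold_days, now):
    """RRSIGs that expire within threshold_days (the check yazvs -e performs),
    plus any that are already expired or not yet valid."""
    return [(o, c, d) for o, c, d, not_yet in rrsig_status(zone_text, now)
            if d <= threshold_days or not_yet]

def time_to_first_expiry(zone_text, now):
    """Days until the earliest RRSIG expiry (cf. the yazvs DEBUG line); None if no RRSIGs."""
    days = [d for _, _, d, _ in rrsig_status(zone_text, now)]
    return min(days) if days else None

if __name__ == "__main__":
    for owner, covered, days in expiring_rrsigs(SAMPLE_ZONE, 5.2, CHECK_TIME):
        print(f"PROBLEM: RRSIG over {owner} {covered} expires in {days} days")
    print(f"Time to first RRSIG expiry: {time_to_first_expiry(SAMPLE_ZONE, CHECK_TIME)} days")
```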