* Viktor Dukhovni <[email protected]> [2021-02-09 13:19 (-0500)]:
My Perl script (below) just checks that none of the RRSIGs are expiring
too soon.  If some RRset is not signed at all, that's not detected
presently, but should be easy to add.

   named-compilezone -i local -jD -f raw -o - $zone $db 2>/dev/null |
       perl -MTime::Local -lane '
           BEGIN {
               @nsec = (); # NSEC signed zones, rest assumed NSEC3
               ($domain, $maxdays) = splice(@ARGV, 0, 2);
               $now = time();
               # Expect at least DNSKEY and NS RRsets
               for (qw(DNSKEY NS)) { $want->{"IN"}->{$_}->{$domain} = 1; }
               if (!grep { $domain eq "$_" } @nsec) {
                   # Expect NSEC3PARAM in non-NSEC zones
                   for (qw(MX NSEC3PARAM)) { $want->{"IN"}->{$_}->{$domain} = 1; }
               }
           }
           # named-compilezone -D prints: owner ttl class type rdata...
           ($owner, $ttl, $class, $rrtype, @rdata) = @F;
           next if $rrtype ne "RRSIG";
           ($sigtype, $alg, $labels, $maxttl, $expiration, $inception) = @rdata;
           $expiration =~ m{^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$}
               or die "Malformed expiration $owner $sigtype: $expiration\n";
           # RRSIG times are UTC, so convert with timegm rather than a local-time mktime
           $s = timegm($6, $5, $4, $3, $2 - 1, $1);
           $d = ($s - $now) / 86400;
           if ($d < $maxdays) {
               warn sprintf("Signature of $owner $class $sigtype expires in %.2f days\n", $d);
           }
           # Drop the trailing dot (except for the root) before matching the wanted set
           $owner =~ s/.\K\.$//;
           delete $want->{$class}->{$sigtype}->{lc($owner)};
           END {
               while (($class, $vc) = each %$want) {
                   while (($rrtype, $vr) = each %$vc) {
                       while (($domain, $dummy) = each %$vr) {
                           warn "No signature found for $domain $class $rrtype\n"
                       }
                   }
               }
           }
       ' "$zone" "$maxdays"

That said, if "dnssec-verify" had a parameter to set a minimum remaining
signature time, I wouldn't need the Perl script.

Your script is really nice.

ldns-verify-zone and kzonecheck both have a time option.

cheers,
-arsen
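A Python rendering of the same check, added here as an example and not code from either poster: it reads the same "owner ttl class type rdata" layout that named-compilezone -D emits, treats RRSIG timestamps as UTC, and additionally reports every RRset that has no covering RRSIG at all, the case the Perl script does not yet detect (delegation NS and glue are exempt, since those are signed in the child zone). The zone text, apex name and clock value are constructed sample input.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the "owner ttl class type rdata" layout of named-compilezone -D.
SAMPLE_ZONE = """\
example.net. 3600 IN SOA ns1.example.net. root.example.net. 2021020901 7200 3600 1209600 3600
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY==
example.net. 3600 IN NSEC3PARAM 1 0 10 ABCD
example.net. 3600 IN RRSIG SOA 13 2 3600 20210301000000 20210201000000 12345 example.net. SIG==
example.net. 3600 IN RRSIG NS 13 2 3600 20210215120000 20210201000000 12345 example.net. SIG==
example.net. 3600 IN RRSIG DNSKEY 13 2 3600 20210301000000 20210201000000 54321 example.net. SIG==
example.net. 3600 IN RRSIG NSEC3PARAM 13 2 3600 20210301000000 20210201000000 12345 example.net. SIG==
www.example.net. 300 IN A 192.0.2.1
sub.example.net. 3600 IN NS ns1.sub.example.net.
ns1.sub.example.net. 3600 IN A 192.0.2.53
"""

def parse_rrsig_time(stamp):
    # RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034); a local-time mktime would skew them.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_zone(text, apex, now, max_days):
    """Return (expiring, unsigned): RRSIGs expiring within max_days of `now`, and
    RRsets with no covering RRSIG at all (delegation NS and glue are exempt)."""
    apex = apex.rstrip(".").lower()
    rrsets, signed, delegations = set(), defaultdict(list), set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        owner, cls, rrtype, rdata = f[0].rstrip(".").lower(), f[2], f[3], f[4:]
        if rrtype == "RRSIG":  # rdata: type-covered alg labels ttl expiration inception ...
            signed[(owner, cls, rdata[0])].append(parse_rrsig_time(rdata[4]))
            continue
        rrsets.add((owner, cls, rrtype))
        if rrtype == "NS" and owner != apex:
            delegations.add(owner)
    expiring = []
    for (owner, cls, rrtype), exps in signed.items():
        days = (min(exps) - now).total_seconds() / 86400  # earliest expiry wins
        if days < max_days:
            expiring.append((owner, cls, rrtype, round(days, 2)))

    def below_cut(owner):  # name at or under a delegation point lives in the child zone
        return any(owner == d or owner.endswith("." + d) for d in delegations)
    unsigned = [rs for rs in rrsets if rs not in signed
                and not (below_cut(rs[0]) and not (rs[2] == "DS" and rs[0] in delegations))]
    return sorted(expiring), sorted(unsigned)
```

With the sample zone and a clock of 2021-02-09 18:19 UTC, the NS signature is flagged as expiring in about 5.74 days and www.example.net A is reported as unsigned, while the delegation to sub.example.net and its glue are skipped.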
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations