On Wed, Feb 10, 2021 at 08:17:28AM +0100, Arsen STASIC wrote:

> > That said, if "dnssec-verify" had a parameter to set a minimum remaining
> > signature time, I wouldn't need the Perl script.
>
> Your script is really nice.

Thanks, but I wouldn't go that far, it is merely spartan... I've been using it for ~7 years now, don't know which of the more comprehensive tools mentioned in this thread already existed back then, perhaps I should have looked harder.

> ldns-verify-zone and kzonecheck have both a time option.

I also like ldns-verify-zone. With "-V1" I even get no output except on error:

-- Good:

    $ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null | ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin; echo $?
    0

-- Expiring:

    $ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null | ldns-verify-zone -e P0Y0M5DT3H23M54S -V1 -S /dev/stdin; echo $?
    Error: DNSSEC signature will expire too soon for dukhovni.org.	TYPE65534
    There were errors in the zone
    78

-- Mutated:

    $ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null | perl -pe 's{IN\s+MX\s+(\d+)}{IN MX 9}' | ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin; echo $?
    Error: Bogus DNSSEC signature for dukhovni.org.	MX
    There were errors in the zone
    35

-- 
    Viktor.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
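The "minimum remaining signature time" check discussed in the thread, as an added example that is not the Perl script from the thread nor ldns code: it scans presentation-format RRSIG records (such as the text named-compilezone -o - emits) and flags those whose expiration lies closer than a threshold given in the same P..Y..M..DT..H..M..S duration syntax that ldns-verify-zone -e accepts. The sample zone lines and the fixed "now" are constructed, and treating a year as 365 days and a month as 30 days is an assumption of this script.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Presentation-format RRSIG (RFC 4034 section 3.2): owner TTL [class] RRSIG type-covered
# algorithm labels original-ttl expiration inception keytag signer signature.
# Expiration and inception are YYYYMMDDHHmmSS in UTC.
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+(?:IN\s+)?RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)
# Duration syntax as used for ldns-verify-zone -e, e.g. P0Y0M3DT3H23M54S.
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)

def parse_duration(spec):
    """Turn a P..Y..M..DT..H..M..S duration into a timedelta.
    Assumption: a year is 365 days and a month 30 days (ldns's own arithmetic may differ)."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"bad duration: {spec}")
    y, mo, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=y * 365 + mo * 30 + d, hours=h, minutes=mi, seconds=s)

def expiring_rrsigs(zone_text, min_remaining, now):
    """Return (owner, type_covered, expiration) for every RRSIG whose remaining validity
    at time `now` is below min_remaining. Already-expired RRSIGs are included."""
    hits = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, covered, exp, _inception = m.groups()
        exp_dt = datetime.strptime(exp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if exp_dt - now < min_remaining:
            hits.append((owner, covered, exp_dt))
    return hits

# Constructed sample: the MX RRSIG has 10 days left relative to NOW, the TXT RRSIG only 2.
NOW = datetime(2021, 2, 10, 8, 0, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = """\
example.org. 3600 IN RRSIG MX 13 2 3600 20210220080000 20210206080000 12345 example.org. c2lnMQ==
example.org. 3600 IN RRSIG TXT 13 2 3600 20210212080000 20210206080000 12345 example.org. c2lnMg==
"""

if __name__ == "__main__":
    threshold = parse_duration(sys.argv[1] if len(sys.argv) > 1 else "P0Y0M3DT3H23M54S")
    if sys.stdin.isatty():   # nothing piped in: run against the constructed sample at NOW
        zone, now = SAMPLE_ZONE, NOW
    else:                    # e.g. named-compilezone ... -o - zone zone | python3 rrsig_check.py P3D
        zone, now = sys.stdin.read(), datetime.now(timezone.utc)
    hits = expiring_rrsigs(zone, threshold, now)
    for owner, covered, exp_dt in hits:
        print(f"Error: RRSIG for {owner} {covered} expires {exp_dt:%Y-%m-%d %H:%M:%S} UTC")
    sys.exit(1 if hits else 0)   # non-zero on any expiring signature, like ldns-verify-zone
```

The regex expects one RRSIG per line; a zone dumped in multi-line (parenthesised) style must be joined onto single lines first. It only checks the expiration field, so a bogus or mutated signature (the third case above) still needs a real validator such as ldns-verify-zone.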