At first glance it might look useful, but this is the kind of info that tends to go stale, and then what do you do when there is a mismatch? Would you invalidate a still-valid signature if it doesn't conform to policy in case someone else is signing the zone other than the authorised party? Would you send mail to the zone admin? (And knowing the people on this list, that would be a lot of email on top of that admin.) :)
Shouldn't this sort of admin work be done by the admin, either internally or by outsourcing to some other organisation?

Joao

On 2 Jun 2011, at 12:02, Joe Abley wrote:

> Hi all,
>
> I've been poking about a bit in other signed zones looking for impending
> signature expirations. I've been doing this mainly because we sign a lot of
> zones and have had at least one accident in the past, but this also seems
> like something that is worth knowing if you're the operator of a validator
> and you want to be able to prepare for impending signature expiration in
> zones that are otherwise going to cause you helpdesk problems.
>
> See attached script for an example of what I have been doing.
>
> I have realised, however, that I can't tell whether a signature that is (say)
> going to expire in under three days is a cause for concern, or whether it's
> normal operations and something I should expect to be replaced as part of
> normal operations.
>
> This boils down to there being no way for a zone operator to publish their
> normal signature replacement policy in a way that I can obtain in a simple
> way. Sometimes that information is present in a DPS, but often there is no
> DPS to be found, sometimes there's a DPS but it doesn't contain that level of
> detail, and in any case this is all far too manual for an automated check
> script.
>
> Is there perhaps value in finding a mechanism by which zone operators can
> publish information in their zones which gives guidance as to what the normal
> limits for signature expiration ought to be?
>
> $ORIGIN HOPCOUNT.CA.
> @ RRSIGPOLICY DNSKEY <min planned remaining signature validity> <max planned
> remaining signature validity>
> @ RRSIGPOLICY SOA ....
>
> or something?
>
>
> Joe
>
> [wifi-216-217:~]% ./sigexpire.sh
> 2011-06-01 15:30:41 UTC ---------- right now -----------------------------
> 2011-06-02 15:30:41 UTC ---------- 1 day from now ------------------------
> 2011-06-03 15:30:41 UTC ---------- 2 days from now -----------------------
> 2011-06-03 18:25:33 UTC signature over COM. DNSKEY expires
> 2011-06-04 15:30:41 UTC ---------- 3 days from now -----------------------
> 2011-06-04 18:02:19 UTC signature over VIP.ICANN.ORG. DNSKEY expires
> 2011-06-04 18:02:19 UTC signature over VIP.ICANN.ORG. DNSKEY expires
> 2011-06-05 15:30:41 UTC ---------- 4 days from now -----------------------
> 2011-06-05 16:00:23 UTC signature over GOV. DNSKEY expires
> 2011-06-06 04:00:23 UTC signature over GOV. SOA expires
> 2011-06-06 15:30:41 UTC ---------- 5 days from now -----------------------
> 2011-06-06 16:38:57 UTC signature over NET. DNSKEY expires
> 2011-06-06 19:28:05 UTC signature over EDU. DNSKEY expires
> 2011-06-07 06:21:17 UTC signature over DK. DNSKEY expires
> 2011-06-07 08:00:01 UTC signature over EU. DNSKEY expires
> 2011-06-07 08:00:01 UTC signature over EU. DNSKEY expires
> 2011-06-07 08:00:01 UTC signature over EU. DNSKEY expires
> 2011-06-07 09:09:09 UTC signature over CH. DNSKEY expires
> 2011-06-07 09:09:09 UTC signature over LI. DNSKEY expires
> 2011-06-07 15:30:41 UTC ---------- 6 days from now -----------------------
> 2011-06-08 00:00:00 UTC signature over . SOA expires
> 2011-06-08 00:00:00 UTC signature over ARPA. SOA expires
> 2011-06-08 06:00:00 UTC signature over DE. SOA expires
> 2011-06-08 09:00:00 UTC signature over BR. SOA expires
> 2011-06-08 09:02:13 UTC signature over EU. SOA expires
> 2011-06-08 09:02:13 UTC signature over EU. SOA expires
> 2011-06-08 09:16:26 UTC signature over VIP.ICANN.ORG. SOA expires
> 2011-06-08 11:23:03 UTC signature over BE. DNSKEY expires
> 2011-06-08 14:34:51 UTC signature over XN--DEBA0AD. DNSKEY expires
> 2011-06-08 14:38:20 UTC signature over XN--0ZWM56D. SOA expires
> 2011-06-08 14:38:54 UTC signature over IANA.ORG. SOA expires
> 2011-06-08 14:38:54 UTC signature over IP6-SERVERS.ARPA. DNSKEY expires
> 2011-06-08 14:38:54 UTC signature over XN--G6W251D. DNSKEY expires
> 2011-06-08 14:50:18 UTC signature over ICANN.ORG. SOA expires
> 2011-06-08 14:57:44 UTC signature over IP6.ARPA. DNSKEY expires
> 2011-06-08 14:59:29 UTC signature over XN--9T4B11YI5A. SOA expires
> 2011-06-08 15:12:05 UTC signature over URI.ARPA. SOA expires
> 2011-06-08 15:14:51 UTC signature over COM. SOA expires
> 2011-06-08 15:15:06 UTC signature over EDU. SOA expires
> 2011-06-08 15:18:24 UTC signature over NET. SOA expires
> 2011-06-08 15:23:13 UTC signature over XN--ZCKZAH. SOA expires
> 2011-06-08 15:30:41 UTC ---------- 7 days from now -----------------------
> 2011-06-08 15:40:41 UTC signature over IN-ADDR-SERVERS.ARPA. SOA expires
> 2011-06-08 16:02:53 UTC signature over IN-ADDR.ARPA. SOA expires
> 2011-06-08 16:02:53 UTC signature over XN--HLCJ6AYA9ESC7A. SOA expires
> 2011-06-08 16:22:55 UTC signature over XN--HGBK6AJ7F53BBA. DNSKEY expires
> 2011-06-08 17:12:02 UTC signature over URI.ARPA. DNSKEY expires
> 2011-06-08 17:47:06 UTC signature over URN.ARPA. SOA expires
> 2011-06-08 18:26:30 UTC signature over DK. SOA expires
> 2011-06-08 18:29:41 UTC signature over XN--JXALPDLP. DNSKEY expires
> 2011-06-08 18:46:03 UTC signature over IRIS.ARPA. SOA expires
> 2011-06-08 19:07:26 UTC signature over URN.ARPA. DNSKEY expires
> 2011-06-08 19:58:19 UTC signature over IANA.ORG. DNSKEY expires
> 2011-06-08 20:14:20 UTC signature over IN-ADDR-SERVERS.ARPA. DNSKEY expires
> 2011-06-08 20:19:01 UTC signature over XN--KGBECHTV. SOA expires
> 2011-06-08 20:23:40 UTC signature over XN--DEBA0AD. SOA expires
> 2011-06-08 21:00:28 UTC signature over XN--11B5BS3A9AJ6G. SOA expires
> 2011-06-08 21:23:22 UTC signature over XN--JXALPDLP. SOA expires
> 2011-06-08 21:28:57 UTC signature over IP6.ARPA. SOA expires
> 2011-06-08 21:52:46 UTC signature over XN--11B5BS3A9AJ6G. DNSKEY expires
> 2011-06-08 22:06:53 UTC signature over IRIS.ARPA. DNSKEY expires
> 2011-06-08 22:26:09 UTC signature over XN--ZCKZAH. DNSKEY expires
> 2011-06-08 23:54:38 UTC signature over ICANN.ORG. DNSKEY expires
> 2011-06-08 23:58:18 UTC signature over XN--KGBECHTV. DNSKEY expires
> 2011-06-08 23:59:30 UTC signature over XN--80AKHBYKNJ4F. SOA expires
> 2011-06-09 00:24:19 UTC signature over IN-ADDR.ARPA. DNSKEY expires
> 2011-06-09 00:24:19 UTC signature over XN--HLCJ6AYA9ESC7A. DNSKEY expires
> 2011-06-09 00:32:02 UTC signature over IP6-SERVERS.ARPA. SOA expires
> 2011-06-09 00:32:02 UTC signature over XN--G6W251D. SOA expires
> 2011-06-09 01:25:10 UTC signature over XN--80AKHBYKNJ4F. DNSKEY expires
> 2011-06-09 01:28:57 UTC signature over XN--0ZWM56D. DNSKEY expires
> 2011-06-09 01:44:31 UTC signature over XN--9T4B11YI5A. DNSKEY expires
> 2011-06-09 02:16:57 UTC signature over XN--HGBK6AJ7F53BBA. SOA expires
> 2011-06-09 04:47:12 UTC signature over MUSEUM. DNSKEY expires
> 2011-06-09 04:47:12 UTC signature over MUSEUM. DNSKEY expires
> 2011-06-09 05:53:12 UTC signature over CAT. DNSKEY expires
> 2011-06-09 15:30:42 UTC ---------- 8 days from now -----------------------
> 2011-06-10 09:00:00 UTC signature over BR. DNSKEY expires
> 2011-06-10 15:30:42 UTC ---------- 9 days from now -----------------------
> 2011-06-11 09:01:45 UTC signature over BE. SOA expires
> 2011-06-11 20:02:44 UTC signature over SE. DNSKEY expires
> 2011-06-12 17:32:10 UTC signature over CZ. DNSKEY expires
> 2011-06-13 04:02:44 UTC signature over SE. DNSKEY expires
> 2011-06-13 04:18:16 UTC signature over CZ. DNSKEY expires
> 2011-06-13 09:43:58 UTC signature over CZ. SOA expires
> 2011-06-14 04:35:53 UTC signature over LU. DNSKEY expires
> 2011-06-14 08:20:20 UTC signature over FI. DNSKEY expires
> 2011-06-14 10:39:30 UTC signature over SE. SOA expires
> 2011-06-14 17:10:30 UTC signature over LU. SOA expires
> 2011-06-14 23:18:40 UTC signature over NL. DNSKEY expires
> 2011-06-14 23:59:59 UTC signature over . DNSKEY expires
> 2011-06-14 23:59:59 UTC signature over ARPA. DNSKEY expires
> 2011-06-15 04:48:19 UTC signature over UK. SOA expires
> 2011-06-15 06:53:11 UTC signature over CAT. SOA expires
> 2011-06-15 10:48:19 UTC signature over UK. DNSKEY expires
> 2011-06-15 11:47:13 UTC signature over MUSEUM. SOA expires
> 2011-06-15 15:45:48 UTC signature over ASIA. DNSKEY expires
> 2011-06-15 15:45:48 UTC signature over ASIA. DNSKEY expires
> 2011-06-15 15:46:29 UTC signature over ME. DNSKEY expires
> 2011-06-15 15:46:29 UTC signature over ME. DNSKEY expires
> 2011-06-15 15:47:16 UTC signature over AG. DNSKEY expires
> 2011-06-15 15:47:16 UTC signature over AG. DNSKEY expires
> 2011-06-15 15:49:25 UTC signature over INFO. DNSKEY expires
> 2011-06-15 15:49:25 UTC signature over INFO. DNSKEY expires
> 2011-06-15 15:56:25 UTC signature over ORG. DNSKEY expires
> 2011-06-15 15:56:25 UTC signature over ORG. DNSKEY expires
> 2011-06-15 16:05:05 UTC signature over IN. DNSKEY expires
> 2011-06-15 16:05:05 UTC signature over IN. DNSKEY expires
> 2011-06-15 16:30:31 UTC signature over BZ. DNSKEY expires
> 2011-06-15 16:30:31 UTC signature over BZ. DNSKEY expires
> 2011-06-15 16:36:33 UTC signature over VC. DNSKEY expires
> 2011-06-15 16:36:33 UTC signature over VC. DNSKEY expires
> 2011-06-15 17:12:20 UTC signature over HN. DNSKEY expires
> 2011-06-15 17:12:20 UTC signature over HN. DNSKEY expires
> 2011-06-15 18:36:55 UTC signature over MN. DNSKEY expires
> 2011-06-15 18:36:55 UTC signature over MN. DNSKEY expires
> 2011-06-15 20:15:17 UTC signature over FI. SOA expires
> 2011-06-15 21:51:38 UTC signature over SC. DNSKEY expires
> 2011-06-15 21:51:38 UTC signature over SC. DNSKEY expires
> 2011-06-15 23:32:32 UTC signature over LC. DNSKEY expires
> 2011-06-15 23:32:32 UTC signature over LC. DNSKEY expires
> 2011-06-15 23:54:39 UTC signature over NL. SOA expires
> 2011-06-16 02:13:38 UTC signature over GI. DNSKEY expires
> 2011-06-16 02:13:38 UTC signature over GI. DNSKEY expires
> 2011-06-16 12:00:00 UTC signature over DE. DNSKEY expires
> 2011-06-18 03:44:21 UTC signature over AM. DNSKEY expires
> 2011-06-18 03:44:21 UTC signature over AM. DNSKEY expires
> 2011-06-21 20:13:06 UTC signature over LI. DNSKEY expires
> 2011-06-21 22:31:39 UTC signature over CH. DNSKEY expires
> 2011-06-22 08:34:51 UTC signature over LC. SOA expires
> 2011-06-22 11:27:43 UTC signature over SC. SOA expires
> 2011-06-22 11:56:35 UTC signature over VC. SOA expires
> 2011-06-22 14:06:18 UTC signature over MN. SOA expires
> 2011-06-22 14:28:51 UTC signature over HN. SOA expires
> 2011-06-22 14:55:24 UTC signature over BZ. SOA expires
> 2011-06-22 14:58:49 UTC signature over GI. SOA expires
> 2011-06-22 15:11:25 UTC signature over AG. SOA expires
> 2011-06-22 15:15:57 UTC signature over IN. SOA expires
> 2011-06-22 15:17:51 UTC signature over ASIA. SOA expires
> 2011-06-22 15:18:25 UTC signature over ME. SOA expires
> 2011-06-22 15:18:32 UTC signature over INFO. SOA expires
> 2011-06-22 15:21:45 UTC signature over ORG. SOA expires
> 2011-06-22 18:42:09 UTC signature over LA. SOA expires
> 2011-06-24 00:21:43 UTC signature over BIZ. DNSKEY expires
> 2011-06-24 00:21:43 UTC signature over BIZ. DNSKEY expires
> 2011-06-24 00:21:43 UTC signature over BIZ. DNSKEY expires
> 2011-06-24 02:08:36 UTC signature over US. DNSKEY expires
> 2011-06-24 02:08:36 UTC signature over US. DNSKEY expires
> 2011-06-24 13:00:00 UTC signature over CO. DNSKEY expires
> 2011-06-24 13:00:00 UTC signature over CO. DNSKEY expires
> 2011-06-24 13:00:00 UTC signature over CO. DNSKEY expires
> 2011-06-24 13:45:59 UTC signature over LA. DNSKEY expires
> 2011-06-25 10:17:03 UTC signature over XN--FZC2C9E2C. SOA expires
> 2011-06-25 10:17:38 UTC signature over XN--XKC2AL3HYE2A. SOA expires
> 2011-06-25 19:59:45 UTC signature over LA. DNSKEY expires
> 2011-06-26 18:41:02 UTC signature over TH. DNSKEY expires
> 2011-06-26 18:41:02 UTC signature over TH. DNSKEY expires
> 2011-06-26 18:41:02 UTC signature over TH. SOA expires
> 2011-06-27 17:45:03 UTC signature over JP. DNSKEY expires
> 2011-06-27 17:45:03 UTC signature over JP. SOA expires
> 2011-06-28 06:04:02 UTC signature over NA. DNSKEY expires
> 2011-06-28 06:04:02 UTC signature over NA. DNSKEY expires
> 2011-06-28 09:06:45 UTC signature over BE. DNSKEY expires
> 2011-06-28 09:06:45 UTC signature over BE. DNSKEY expires
> 2011-06-28 09:06:45 UTC signature over BE. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over AC. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over AC. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over AC. SOA expires
> 2011-06-29 05:46:24 UTC signature over IO. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over IO. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over IO. SOA expires
> 2011-06-29 05:46:24 UTC signature over SH. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over SH. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over SH. SOA expires
> 2011-06-29 05:46:24 UTC signature over TM. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over TM. DNSKEY expires
> 2011-06-29 05:46:24 UTC signature over TM. SOA expires
> 2011-06-30 10:29:51 UTC signature over LK. SOA expires
> 2011-07-01 03:01:01 UTC signature over PR. DNSKEY expires
> 2011-07-01 03:01:01 UTC signature over PR. DNSKEY expires
> 2011-07-01 03:17:05 UTC signature over NU. DNSKEY expires
> 2011-07-01 04:30:04 UTC signature over HOPCOUNT.CA. DNSKEY expires
> 2011-07-01 04:30:04 UTC signature over HOPCOUNT.CA. DNSKEY expires
> 2011-07-01 04:30:04 UTC signature over HOPCOUNT.CA. SOA expires
> 2011-07-01 06:01:01 UTC signature over PR. SOA expires
> 2011-07-01 06:04:01 UTC signature over NA. SOA expires
> 2011-07-01 06:17:05 UTC signature over NU. SOA expires
> 2011-07-01 07:00:07 UTC signature over PT. SOA expires
> 2011-07-01 07:53:19 UTC signature over AUTOMAGIC.ORG. DNSKEY expires
> 2011-07-01 07:53:19 UTC signature over AUTOMAGIC.ORG. DNSKEY expires
> 2011-07-01 07:53:19 UTC signature over AUTOMAGIC.ORG. SOA expires
> 2011-07-01 08:00:11 UTC signature over BG. SOA expires
> 2011-07-01 08:45:04 UTC signature over AM. SOA expires
> 2011-07-01 10:00:19 UTC signature over E164.ARPA. DNSKEY expires
> 2011-07-01 10:00:19 UTC signature over E164.ARPA. SOA expires
> 2011-07-01 12:00:05 UTC signature over PT. DNSKEY expires
> 2011-07-01 12:00:05 UTC signature over PT. DNSKEY expires
> 2011-07-01 12:12:12 UTC signature over GR. DNSKEY expires
> 2011-07-01 12:12:12 UTC signature over GR. DNSKEY expires
> 2011-07-01 12:12:12 UTC signature over GR. SOA expires
> 2011-07-01 13:00:13 UTC signature over BG. DNSKEY expires
> 2011-07-01 13:00:13 UTC signature over BG. DNSKEY expires
> 2011-07-01 13:34:40 UTC signature over CH. SOA expires
> 2011-07-01 13:59:07 UTC signature over LI. SOA expires
> 2011-07-01 15:14:32 UTC signature over BIZ. SOA expires
> 2011-07-01 15:14:50 UTC signature over CO. SOA expires
> 2011-07-01 15:19:33 UTC signature over US. SOA expires
> 2011-07-16 13:30:20 UTC signature over CL. SOA expires
> 2011-07-16 13:30:21 UTC signature over CL. DNSKEY expires
> 2011-07-29 12:16:31 UTC signature over FR. DNSKEY expires
> 2011-07-29 12:16:31 UTC signature over FR. DNSKEY expires
> 2011-07-29 12:17:36 UTC signature over PM. DNSKEY expires
> 2011-07-29 12:17:36 UTC signature over PM. DNSKEY expires
> 2011-07-29 12:17:36 UTC signature over PM. SOA expires
> 2011-07-29 12:17:37 UTC signature over RE. DNSKEY expires
> 2011-07-29 12:17:37 UTC signature over RE. DNSKEY expires
> 2011-07-29 12:17:37 UTC signature over TF. DNSKEY expires
> 2011-07-29 12:17:37 UTC signature over TF. DNSKEY expires
> 2011-07-29 12:17:37 UTC signature over TF. SOA expires
> 2011-07-29 12:17:39 UTC signature over WF. DNSKEY expires
> 2011-07-29 12:17:39 UTC signature over WF. DNSKEY expires
> 2011-07-29 12:17:39 UTC signature over WF. SOA expires
> 2011-07-29 12:17:39 UTC signature over YT. DNSKEY expires
> 2011-07-29 12:17:39 UTC signature over YT. DNSKEY expires
> 2011-07-29 12:17:39 UTC signature over YT. SOA expires
> 2011-07-30 06:29:31 UTC signature over JP. DNSKEY expires
> 2011-07-31 05:00:04 UTC signature over RE. SOA expires
> 2011-07-31 09:00:06 UTC signature over FR. SOA expires
> 2011-08-11 14:37:10 UTC signature over CL. DNSKEY expires
> 2011-08-15 00:00:00 UTC signature over LK. DNSKEY expires
> 2011-08-15 00:00:00 UTC signature over LK. DNSKEY expires
> 2011-08-15 00:00:00 UTC signature over XN--FZC2C9E2C. DNSKEY expires
> 2011-08-15 00:00:00 UTC signature over XN--FZC2C9E2C. DNSKEY expires
> 2011-08-15 00:00:00 UTC signature over XN--XKC2AL3HYE2A. DNSKEY expires
> 2011-08-15 00:00:00 UTC signature over XN--XKC2AL3HYE2A. DNSKEY expires
> 2011-08-28 13:06:23 UTC signature over MY. DNSKEY expires
> 2011-08-28 13:06:23 UTC signature over MY. DNSKEY expires
> 2011-08-30 05:06:22 UTC signature over MY. SOA expires
> 2011-12-31 23:59:59 UTC signature over KG. DNSKEY expires
> 2011-12-31 23:59:59 UTC signature over KG. DNSKEY expires
> 2011-12-31 23:59:59 UTC signature over KG. SOA expires
> [wifi-216-217:~]%
>
> <sigexpire.sh>_______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
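The exchange above is about two things: a script that reports when the RRSIGs over each zone's DNSKEY and SOA RRsets expire, and a sketched RRSIGPOLICY record that would let a zone operator publish the planned minimum and maximum remaining validity so a monitor can tell "normal" from "worrying". The following is an added example, not Joe's sigexpire.sh and not code from anyone on the thread. It parses RRSIG records in standard presentation format (RFC 4034 section 3.2, which allows the expiration either as YYYYMMDDHHmmSS or as seconds since the epoch), compares the remaining validity against a policy, and sorts the result by expiration time the way the quoted output does. The RRSIGPOLICY syntax (`owner RRSIGPOLICY <type> <min> <max>`) is a hypothetical reading of the quoted sketch, and all records, zone names, key tags, timestamps and the reference time are constructed; nothing is queried from the DNS.

```python
"""Offline RRSIG expiry check against a hypothetical RRSIGPOLICY (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time; the script output in the thread prints "right now" the same way.
NOW = datetime(2011, 6, 1, 15, 30, 41, tzinfo=timezone.utc)

# Constructed RRSIG records in presentation format. Names, key tags and signatures are made up;
# the last record deliberately uses the epoch-seconds form of the timestamps.
SAMPLE_RRSIGS = """\
example.     3600 IN RRSIG DNSKEY 8 1 3600 20110603182533 20110527182533 12345 example. c2ln
example.      900 IN RRSIG SOA    8 1  900 20110608151451 20110601151451 23456 example. c2ln
example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20110701043004 20110601043004 34567 example.net. c2ln
example.net.  900 IN RRSIG SOA    8 2  900 20110601120000 20110525120000 45678 example.net. c2ln
example.org.  900 IN RRSIG SOA    8 2  900 1307545200 1306940400 56789 example.org. c2ln
"""

# Hypothetical policy lines following the sketch in the thread: min and max planned remaining
# validity per covered type. example.org. has no policy line on purpose.
SAMPLE_POLICY = """\
example.     RRSIGPOLICY DNSKEY 3d 14d
example.     RRSIGPOLICY SOA    1d 8d
example.net. RRSIGPOLICY DNSKEY 7d 21d
"""


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    inception: datetime
    expiration: datetime


@dataclass(frozen=True)
class Policy:
    min_remaining: timedelta  # remaining validity shorter than this is earlier than the zone planned
    max_remaining: timedelta  # remaining validity longer than this is longer than the zone planned


def parse_sigtime(field: str) -> datetime:
    """RFC 4034 s3.2 signature time: YYYYMMDDHHmmSS, or an integer count of seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """owner TTL CLASS RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig"""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0].lower(), type_covered=f[4].upper(),
                 expiration=parse_sigtime(f[8]), inception=parse_sigtime(f[9]))


_DURATION = re.compile(r"^(\d+)([smhdw])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text: str) -> timedelta:
    """Accepts 30s, 15m, 12h, 7d, 2w (assumed syntax for the policy fields)."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"bad duration {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def parse_policies(text: str) -> dict[tuple[str, str], Policy]:
    policies = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[1] != "RRSIGPOLICY":
            continue
        policies[(f[0].lower(), f[2].upper())] = Policy(parse_duration(f[3]), parse_duration(f[4]))
    return policies


def classify(sig: Rrsig, policy: Policy | None, now: datetime) -> str:
    """Advisory status only: the policy never decides whether a signature validates."""
    remaining = sig.expiration - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if now < sig.inception:
        return "NOT_YET_VALID"
    if policy is None:
        return "NO_POLICY"
    if remaining < policy.min_remaining:
        return "BELOW_PLANNED_MINIMUM"
    if remaining > policy.max_remaining:
        return "ABOVE_PLANNED_MAXIMUM"
    return "WITHIN_POLICY"


def report(rrsig_text: str, policy_text: str, now: datetime = NOW) -> list[tuple]:
    """Returns (expiration, owner, type, status) rows sorted by expiration, earliest first."""
    policies = parse_policies(policy_text)
    rows = []
    for line in rrsig_text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        sig = parse_rrsig(line)
        status = classify(sig, policies.get((sig.owner, sig.type_covered)), now)
        rows.append((sig.expiration, sig.owner, sig.type_covered, status))
    return sorted(rows)


if __name__ == "__main__":
    for expiration, owner, rtype, status in report(SAMPLE_RRSIGS, SAMPLE_POLICY):
        days = (expiration - NOW).total_seconds() / 86400
        print(f"{expiration:%Y-%m-%d %H:%M:%S} UTC signature over {owner} {rtype} expires "
              f"({days:+.1f} days) {status}")
```

The status is deliberately advisory. A policy mismatch is reported to whoever runs the check; it is never fed back into validation, so a cryptographically valid signature stays valid whether or not the published policy is stale, which is the concern raised in the reply above. Records with no matching policy line are still listed, so the monitor degrades to the plain expiry report from the thread where no policy is published.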
