DNSSEC Negative Trust Anchor report

2018-08-14 Thread Victoria Risk
We have had a couple of requests for a log message warning that an NTA has just 
expired. The use case is, there is a help desk that needs to know when 
validation might be failing because of an NTA that was just removed.

Anyway, in response, Evan wrote a Python script that takes the output of rndc 
nta -d and lists the NTAs that are expiring in the next 24 hours. If you ran 
rndc nta -d and this script daily, you would have a daily report. 

It gives you the full list of NTAs, an indicator of whether they're already 
expired or yet to expire, and the time of expiration.
The Python script filters out any that are already expired or whose expiration 
is more than a day in the future.

#!/usr/bin/env python
import sys, time, re

# Each line of `rndc nta -d` looks like "<name>: expiry|expired <timestamp>";
# capture the name, the status word and the timestamp text.
r = re.compile('^([^ ]*): (expir[^ ]*) (.*)')

print('Negative trust anchors expiring in the next 24 hours:')
found = False
now = time.time()

for line in sys.stdin.readlines():
    m = r.match(line)
    if m is None:
        continue            # not an NTA line, skip it
    (name, status, date) = m.groups()

    # rndc prints local time as e.g. "14-Aug-2018 15:36:21.000"
    then = time.mktime(time.strptime(date.strip(), '%d-%b-%Y %H:%M:%S.%f'))
    # keep only NTAs that have not expired yet and expire within a day
    if status == 'expiry' and then <= now + 86400:
        print('  %s at %s' % (name, date.strip()))
        found = True

if not found:
    print('  None')

I thought this might be useful to someone else out there.

Vicky

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
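The script in the post above reports only NTAs that are still valid and will expire within a day, while the help-desk use case that started the thread was knowing when an NTA has just expired. The following is an added example (not Evan's script and not part of the original post) that covers both sides of the window: it parses the same `<name>: expiry|expired <timestamp>` line shape that the post's regex assumes, and reports NTAs expiring in the next 24 hours and NTAs that expired in the last 24 hours. The sample `rndc nta -d` output and the reference time are constructed for the example.

```python
#!/usr/bin/env python3
"""Report negative trust anchors (NTAs) that are about to expire, or that
expired recently, from the output of `rndc nta -d`."""
import re
import sys
from datetime import datetime, timedelta

# Line shape assumed from the regex in the list post:
#   "<name>: expiry <timestamp>"  or  "<name>: expired <timestamp>"
NTA_LINE = re.compile(r'^(?P<name>[^ ]+): (?P<status>expiry|expired) (?P<when>.+)$')
TIME_FORMAT = '%d-%b-%Y %H:%M:%S.%f'   # rndc prints local time in this form
WINDOW = timedelta(hours=24)

# Constructed sample output; not captured from a real server.
SAMPLE_RNDC_OUTPUT = """\
example.com: expiry 15-Aug-2018 09:00:00.000
example.net: expiry 20-Aug-2018 09:00:00.000
example.org: expired 14-Aug-2018 06:30:00.000
old.example: expired 01-Aug-2018 00:00:00.000
this line is not an NTA entry
"""
SAMPLE_NOW = datetime(2018, 8, 14, 12, 0, 0)   # constructed reference time


def parse_nta_line(line):
    """Return (name, status, expiry datetime), or None if the line is not an
    NTA entry or its timestamp does not parse."""
    m = NTA_LINE.match(line.strip())
    if m is None:
        return None
    try:
        when = datetime.strptime(m.group('when'), TIME_FORMAT)
    except ValueError:
        return None
    return m.group('name'), m.group('status'), when


def classify_ntas(lines, now, window=WINDOW):
    """Split NTAs into those expiring within `window` after `now` and those
    that expired within `window` before `now`. The comparison is done on the
    timestamp rather than on rndc's status word, so the result stays correct
    even if the dump was taken some time before `now`."""
    expiring, just_expired = [], []
    for line in lines:
        parsed = parse_nta_line(line)
        if parsed is None:
            continue
        name, _status, when = parsed
        if now <= when <= now + window:
            expiring.append((name, when))
        elif now - window <= when < now:
            just_expired.append((name, when))
    return {'expiring': expiring, 'just_expired': just_expired}


def _entry_lines(entries):
    return ['  %s at %s' % (name, when.strftime('%d-%b-%Y %H:%M:%S'))
            for name, when in entries] or ['  None']


def format_report(result, window=WINDOW):
    """Render the classification as the two-part text report."""
    hours = int(window.total_seconds() // 3600)
    out = ['Negative trust anchors expiring in the next %d hours:' % hours]
    out += _entry_lines(result['expiring'])
    out.append('Negative trust anchors that expired in the last %d hours:' % hours)
    out += _entry_lines(result['just_expired'])
    return '\n'.join(out)


def sample_report():
    """Classify the constructed sample against the constructed reference time."""
    return classify_ntas(SAMPLE_RNDC_OUTPUT.splitlines(), SAMPLE_NOW)


if __name__ == '__main__':
    # Usage: rndc nta -d | python3 nta_report.py
    print(format_report(classify_ntas(sys.stdin.readlines(), datetime.now())))
```

Run it from cron once a day, the same way the post suggests, and the second section is the "an NTA has just expired" notice the help desk asked for; the timestamps are compared as naive local time, matching what rndc prints.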


Re: [SOLVED] My Exchange server is now able to send email to httpd.apache.org domain after I added SPF TXT record to my DNS server

2018-08-14 Thread Matus UHLAR - fantomas

On 14.08.18 07:50, Lyle Giese wrote:
The reverse lookup for 118.189.211.120 does not match your HELO 
greeting


this does not matter much.
The HELO string exchange.teo-en-ming.com does exist, which is good.

and does not match the A record for 
exchange.teo-en-ming.com.


neither does this one.


Get your upstream ISP to fix that.


this is the first and biggest problem: the reverse lookup points to a 
non-existing host name:

120.211.189.118.in-addr.arpa domain name pointer 
120.211.189.118.static.m1net.com.sg.
Host 120.211.189.118.static.m1net.com.sg. not found: 3(NXDOMAIN)

The second is that the reverse and matching forward (points back to
118.189.211.120) should not be generic.

Yes, ISP pointing the reverse to exchange.teo-en-ming.com would be best
solution.


Btw, the OP should get a second nameserver in a different network:

;; AUTHORITY SECTION:
teo-en-ming.com.        112671  IN      NS      ns1.teo-en-ming.com.
teo-en-ming.com.        112671  IN      NS      ns2.teo-en-ming.com.

;; ADDITIONAL SECTION:
ns1.teo-en-ming.com.    3475    IN      A       118.189.211.120
ns2.teo-en-ming.com.    3475    IN      A       118.189.211.120


On 8/13/2018 8:28 PM, Turritopsis Dohrnii Teo En Ming wrote:

Good morning from Singapore,

Previously the mail server at httpd.apache.org domain rejected all of my emails.

I have solved the problem by adding the following Sender Policy Framework (SPF) 
text (TXT) record to my DNS server:

teo-en-ming.com.       IN     TXT         "v=spf1 mx -all"

Now my Exchange server is finally able to send emails to the httpd.apache.org 
domain.

Am I an excellent troubleshooter?

However, the mail server at freebsd.org is still rejecting my emails. Adding 
SPF TXT record did not solve the problem for this domain (freebsd.org). Perhaps 
I need to configure DKIM as well? I have no idea what DKIM is.

Please help me to troubleshoot email delivery failure for the freebsd.org 
domain.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
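The reply above (and Lyle's note it quotes) lists three things a receiving mail server checks against the sender: the PTR for the connecting address must resolve back to that address (forward-confirmed reverse DNS), it should match the HELO name and not be a generic provider name, and the zone's nameservers should not all sit on one host. The following is an added example, not code from either poster, that runs those checks offline against constructed resolver answers modelled on the dig output in the thread. The `looks_generic` heuristic and the /24 granularity for "same network" are assumptions made for this example, not standards.

```python
#!/usr/bin/env python3
"""Offline checks for the DNS problems raised in the thread: forward-confirmed,
non-generic reverse DNS for a mail host, and nameserver diversity for a zone."""
import ipaddress

# Constructed resolver answers modelled on the thread's dig output. The PTR
# target for 118.189.211.120 is deliberately absent from A_RECORDS, mirroring
# the NXDOMAIN shown in the thread; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation prefixes used for a constructed healthy host.
PTR_RECORDS = {
    '118.189.211.120': '120.211.189.118.static.m1net.com.sg.',
    '192.0.2.25': 'mail.example.',
}
A_RECORDS = {
    'exchange.teo-en-ming.com.': ['118.189.211.120'],
    'ns1.teo-en-ming.com.': ['118.189.211.120'],
    'ns2.teo-en-ming.com.': ['118.189.211.120'],
    'mail.example.': ['192.0.2.25'],
    'ns1.example.': ['192.0.2.53'],
    'ns2.example.': ['198.51.100.53'],
}
NS_RECORDS = {
    'teo-en-ming.com.': ['ns1.teo-en-ming.com.', 'ns2.teo-en-ming.com.'],
    'example.': ['ns1.example.', 'ns2.example.'],
}


def looks_generic(name, ip):
    """Heuristic (an assumption for this example): a PTR name that embeds the
    address octets, in forward or reversed order, is provider-generic."""
    octets = ip.split('.')
    variants = {sep.join(order) for order in (octets, octets[::-1]) for sep in ('.', '-')}
    return any(v in name for v in variants)


def check_fcrdns(ip, helo_name, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return a list of findings; an empty list means the reverse DNS is
    forward-confirmed, matches the HELO name and does not look generic."""
    target = ptr.get(ip)
    if target is None:
        return ['no PTR record for %s' % ip]
    findings = []
    addrs = a.get(target)
    if not addrs:
        findings.append('PTR target %s does not exist (NXDOMAIN)' % target)
    elif ip not in addrs:
        findings.append('PTR target %s does not resolve back to %s' % (target, ip))
    if target != helo_name:
        findings.append('PTR target %s does not match HELO name %s' % (target, helo_name))
    if looks_generic(target, ip):
        findings.append('PTR target %s looks like a generic provider name' % target)
    return findings


def check_ns_diversity(zone, ns=NS_RECORDS, a=A_RECORDS, prefix=24):
    """Flag a zone whose nameservers all resolve to one address or all sit in
    one /prefix network (treating a /24 as "one network" is an assumption)."""
    addrs = set()
    for server in ns.get(zone, []):
        addrs.update(a.get(server, []))
    if len(addrs) < 2:
        return ['all nameservers of %s resolve to %s'
                % (zone, ', '.join(sorted(addrs)) or 'nothing')]
    nets = {ipaddress.ip_network('%s/%d' % (addr, prefix), strict=False) for addr in addrs}
    if len(nets) < 2:
        return ['all nameservers of %s are in %s' % (zone, nets.pop())]
    return []


if __name__ == '__main__':
    for finding in check_fcrdns('118.189.211.120', 'exchange.teo-en-ming.com.'):
        print('mail host:', finding)
    for finding in check_ns_diversity('teo-en-ming.com.'):
        print('zone:', finding)
```

With the thread's data the mail host produces three findings (NXDOMAIN PTR target, HELO mismatch, generic-looking name) and the zone one (both NS names on 118.189.211.120); the constructed `mail.example.` host and `example.` zone pass, which is the state the ISP change and a second nameserver would reach. To run the same logic against live DNS, replace the three dictionaries with lookups from a resolver library.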


Re: [SOLVED] My Exchange server is now able to send email to httpd.apache.org domain after I added SPF TXT record to my DNS server

2018-08-14 Thread Lyle Giese
The reverse lookup for 118.189.211.120 does not match your HELO greeting 
and does not match the A record for exchange.teo-en-ming.com.  Get your 
upstream ISP to fix that.


Lyle Giese
LCR Computer Services, Inc.

On 8/13/2018 8:28 PM, Turritopsis Dohrnii Teo En Ming wrote:

Good morning from Singapore,

Previously the mail server at httpd.apache.org domain rejected all of my emails.

I have solved the problem by adding the following Sender Policy Framework (SPF) 
text (TXT) record to my DNS server:

teo-en-ming.com.       IN     TXT         "v=spf1 mx -all"

Now my Exchange server is finally able to send emails to the httpd.apache.org 
domain.

Am I an excellent troubleshooter?

However, the mail server at freebsd.org is still rejecting my emails. Adding 
SPF TXT record did not solve the problem for this domain (freebsd.org). Perhaps 
I need to configure DKIM as well? I have no idea what DKIM is.

Please help me to troubleshoot email delivery failure for the freebsd.org 
domain.

Thank you very much.

===BEGIN SIGNATURE===

Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017
[1] https://tdtemcerts.wordpress.com/
[2] http://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
===END SIGNATURE===