* Viktor Dukhovni [2021-02-09 13:19 (-0500)]:
My Perl script (below) just checks that none of the RRSIGs are expiring
too soon. If some RRset is not signed at all, that's not detected
presently, but should be easy to add.
named-compilezone -i local -jD -f raw -o - $zone $db 2>/dev/null |
perl -MPOSIX -lane '
BEGIN {
@nsec = () # NSEC signed zones, rest assumed NSEC3
($domain, $maxdays) = splice(@ARGV, 0, 2);
$now = time();
# Expect at least DNSKEY and NS RRsets
for (qw(DNSKEY NS)) { $want->{"IN"}->{$_}->{$domain} = 1; }
if (!grep { $domain eq "$_" } @nsec) {
# Expect NSEC3PARAM in non-NSEC zones
for (qw(MX NSEC3PARAM)) { $want->{"IN"}->{$_}->{$domain} =
1; }
}
}
($owner, $ttl, $class, $rrtype, @rdata) = @F;
next if $rrtype ne "RRSIG";
($sigtype, $alg, $labels, $maxtll, $expiration, $inception) = @rdata;
$expiration =~ m{^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$}
or die "Malformed expiration $owner $sigtype: $expiration\n";
$s = POSIX::mktime($6, $5, $4, $3, $2 - 1, $1 - 1900);
$d = ($s - $now) / 86400;
if ($d < $maxdays) {
warn sprintf("Signature of $owner $class $sigtype expires in %.2f
days\n", $d);
}
$owner =~ s/.\K\.$//;
delete $want->{$class}->{$sigtype}->{lc($owner)};
END {
while (($class, $vc) = each %$want) {
while (($rrtype, $vr) = each %$vc) {
while (($domain, $dummy) = each %$vr) {
warn "No signature found for $domain $class
$rrtype\n"
}
}
}
}
' "$zone" "$maxdays"
That said, if "dnssec-verify" had a parameter to set a minimum remaining
signature time, I wouldn't need the Perl script.
Your script is really nice.
ldns-verify-zone and kzonecheck have both a time option.
cheers,
-arsen
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations