Re: [dns-operations] check DNSSEC RRSIG expiry (anybody awake over at comcast.net?)

2021-02-09 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 08:17:28AM +0100, Arsen STASIC wrote:

> >That said, if "dnssec-verify" had a parameter to set a minimum remaining
> >signature time, I wouldn't need the Perl script.
> 
> Your script is really nice.

Thanks, but I wouldn't go that far, it is merely spartan...  I've been
using it for ~7 years now, don't know which of the more comprehensive
tools mentioned in this thread already existed back then, perhaps I
should have looked harder.

> ldns-verify-zone and kzonecheck have both a time option.

I also like ldns-verify-zone.  With "-V1" I even get no output except on error:

-- Good:
$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null |
  ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin; echo $?
0

-- Expiring:
$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null |
  ldns-verify-zone -e P0Y0M5DT3H23M54S -V1 -S /dev/stdin; echo $?
Error: DNSSEC signature will expire too soon for dukhovni.org.  TYPE65534
There were errors in the zone
78

-- Mutated:
$ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org 2>/dev/null |
  perl -pe 's{IN\s+MX\s+(\d+)}{IN MX 9}' |
  ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 -S /dev/stdin; echo $?
Error: Bogus DNSSEC signature for dukhovni.org. MX
There were errors in the zone
35

-- 
Viktor.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] check DNSSEC RRSIG expiry (anybody awake over at comcast.net?)

2021-02-09 Thread Arsen STASIC

* Viktor Dukhovni  [2021-02-09 13:19 (-0500)]:

> My Perl script (below) just checks that none of the RRSIGs are expiring
> too soon.  If some RRset is not signed at all, that's not detected
> presently, but should be easy to add.
> 
>    named-compilezone -i local -jD -f raw -o - $zone $db 2>/dev/null |
>    perl -MTime::Local -lane '
>    BEGIN {
>        @nsec = ();   # NSEC signed zones, rest assumed NSEC3
>        ($domain, $maxdays) = splice(@ARGV, 0, 2);
>        $now = time();
>        # Expect at least DNSKEY and NS RRsets
>        for (qw(DNSKEY NS)) { $want->{"IN"}->{$_}->{$domain} = 1; }
>        if (!grep { $domain eq "$_" } @nsec) {
>            # Expect NSEC3PARAM in non-NSEC zones
>            for (qw(MX NSEC3PARAM)) { $want->{"IN"}->{$_}->{$domain} = 1; }
>        }
>    }
>    ($owner, $ttl, $class, $rrtype, @rdata) = @F;
>    next if $rrtype ne "RRSIG";
>    ($sigtype, $alg, $labels, $maxttl, $expiration, $inception) = @rdata;
>    $expiration =~ m{^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$}
>        or die "Malformed expiration $owner $sigtype: $expiration\n";
>    # RRSIG times are UTC, so use timegm rather than the local-time mktime
>    $s = Time::Local::timegm($6, $5, $4, $3, $2 - 1, $1);
>    $d = ($s - $now) / 86400;
>    if ($d < $maxdays) {
>        warn sprintf("Signature of $owner $class $sigtype expires in %.2f days\n", $d);
>    }
>    $owner =~ s/.\K\.$//;   # drop one trailing dot, but keep the root "."
>    delete $want->{$class}->{$sigtype}->{lc($owner)};
>    END {
>        while (($class, $vc) = each %$want) {
>            while (($rrtype, $vr) = each %$vc) {
>                while (($domain, $dummy) = each %$vr) {
>                    warn "No signature found for $domain $class $rrtype\n";
>                }
>            }
>        }
>    }
>    ' "$zone" "$maxdays"
> 
> That said, if "dnssec-verify" had a parameter to set a minimum remaining
> signature time, I wouldn't need the Perl script.


Your script is really nice.

ldns-verify-zone and kzonecheck have both a time option.

cheers,
-arsen
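Added example, not code from either message: a Python equivalent of the Perl check quoted above, reading the same one-record-per-line zone dump that "named-compilezone ... -o -" produces. Beyond the Perl script it also reports RRsets with no covering RRSIG (the case the quoted message says is not detected yet), while skipping delegation NS sets and the glue beneath them, which are unsigned by design. The zone name, the fixed clock and the sample dump are constructed for the test; the signature and key data in it are dummies.

```python
#!/usr/bin/env python3
"""Minimum-remaining-lifetime check for RRSIGs in a zone dump.

Input: one record per line, "owner ttl class type rdata...", as produced by
"named-compilezone ... -o -" or a dig AXFR.  Parenthesised multi-line records
are not handled.  RRSIG times are parsed as UTC (RFC 4034).
"""
import calendar
import re
import sys
import time
from typing import Iterable, List, Set, Tuple

RRSIG_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$")


def parse_rrsig_time(text: str) -> int:
    """RRSIG expiration/inception (YYYYMMDDHHMMSS, UTC) -> epoch seconds."""
    m = RRSIG_TIME.match(text)
    if not m:
        raise ValueError(f"malformed RRSIG time: {text!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    return calendar.timegm((y, mo, d, h, mi, s))


def normalize_owner(owner: str) -> str:
    """Lower-case and drop a single trailing dot, but keep the root as '.'."""
    owner = owner.lower()
    return owner[:-1] if len(owner) > 1 and owner.endswith(".") else owner


def check_zone(lines: Iterable[str], zone: str, min_days: float, now: int
               ) -> Tuple[List[Tuple[str, str, float]], List[Tuple[str, str]]]:
    """Return (expiring, unsigned).

    expiring: (owner, covered type, days left) for each RRSIG that expires
              less than min_days after `now`.
    unsigned: (owner, type) for each RRset with no covering RRSIG, ignoring
              non-apex NS sets and glue below them (unsigned by design).
    """
    apex = normalize_owner(zone)
    present: Set[Tuple[str, str]] = set()
    signed: Set[Tuple[str, str]] = set()
    cuts: Set[str] = set()            # owners of non-apex NS RRsets
    expiring: List[Tuple[str, str, float]] = []

    for raw in lines:
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"unparseable record: {raw!r}")
        owner, _ttl, _class, rrtype = fields[:4]
        rdata = fields[4:]
        owner = normalize_owner(owner)
        if rrtype == "RRSIG":
            if len(rdata) < 5:
                raise ValueError(f"truncated RRSIG rdata: {raw!r}")
            covered, expiration = rdata[0], rdata[4]   # type alg labels ottl exp
            days_left = (parse_rrsig_time(expiration) - now) / 86400
            if days_left < min_days:
                expiring.append((owner, covered, round(days_left, 2)))
            signed.add((owner, covered))
        else:
            present.add((owner, rrtype))
            if rrtype == "NS" and owner != apex:
                cuts.add(owner)

    def under_cut(name: str) -> bool:
        return any(name != cut and name.endswith("." + cut) for cut in cuts)

    unsigned = [(o, t) for o, t in sorted(present - signed)
                if not under_cut(o) and not (t == "NS" and o in cuts)]
    return expiring, unsigned


# Constructed sample dump (hypothetical zone, dummy signatures/keys):
# signed apex, one signed host, an unsigned MX, and a delegation with glue.
NOW = calendar.timegm((2021, 2, 10, 0, 0, 0))   # fixed clock: 2021-02-10T00:00Z
SAMPLE_ZONE = """\
example.com.        3600 IN SOA    ns1.example.com. hostmaster.example.com. 2021021001 7200 3600 1209600 3600
example.com.        3600 IN RRSIG  SOA 13 2 3600 20210301000000 20210201000000 12345 example.com. c2lnPQ==
example.com.        3600 IN NS     ns1.example.com.
example.com.        3600 IN RRSIG  NS 13 2 3600 20210213120000 20210201000000 12345 example.com. c2lnPQ==
example.com.        3600 IN DNSKEY 257 3 13 a2V5PQ==
example.com.        3600 IN RRSIG  DNSKEY 13 2 3600 20210301000000 20210201000000 23456 example.com. c2lnPQ==
example.com.        3600 IN MX     10 mail.example.com.   ; no RRSIG: must be reported
ns1.example.com.    3600 IN A      192.0.2.1
ns1.example.com.    3600 IN RRSIG  A 13 3 3600 20210301000000 20210201000000 12345 example.com. c2lnPQ==
sub.example.com.    3600 IN NS     ns.sub.example.com.   ; delegation: unsigned by design
ns.sub.example.com. 3600 IN A      192.0.2.53            ; glue: unsigned by design
"""


def main(argv: List[str]) -> int:
    """Usage: check_rrsig.py ZONE MIN_DAYS < zone-dump; exits 1 on any finding."""
    if len(argv) != 3:
        print("usage: check_rrsig.py ZONE MIN_DAYS < zone-dump", file=sys.stderr)
        return 2
    expiring, unsigned = check_zone(sys.stdin, argv[1], float(argv[2]), int(time.time()))
    for owner, covered, days in expiring:
        print(f"Signature of {owner} IN {covered} expires in {days:.2f} days", file=sys.stderr)
    for owner, rrtype in unsigned:
        print(f"No signature found for {owner} IN {rrtype}", file=sys.stderr)
    return 1 if (expiring or unsigned) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in place of the Perl one-liner, e.g. "named-compilezone -i local -jD -f raw -o - $zone $db 2>/dev/null | python3 check_rrsig.py $zone 3"; a non-zero exit makes it usable from a monitoring check. With the sample dump and a 5-day threshold it flags the apex NS signature (3.5 days left) and the unsigned MX, and nothing for the delegation.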