On Mon, Nov 06, 2023 at 08:37:12AM +0100, Stefan Ubbink via
dns-operations wrote:
> > There could be a new "rdnc" protocol verb that asks the nameserver
> > for a list of all the zones where the soonest expiration time is
> > below some threshold, or asks about a particular zone.
>
> This
--- Begin Message ---
On Thu, 2 Nov 2023 11:18:34 -0400
Viktor Dukhovni wrote:
> On Thu, Nov 02, 2023 at 09:34:17AM +0100, Stephane Bortzmeyer wrote:
>
> > > Specifically, in the case of signed zones, monitoring MUST also
> > > include regular checks of the remaining expiration time of at
> >
It'd still be good to have that exposed as a metric, since:
* that way you don't have to wait to make the mistake (or to find the
logs from someone else's mistake) in order to wrap alerting around it
* the metric's more or less the metric forever-ish, while it seems
more likely that a
On Fri, Nov 03, 2023 at 11:09:02AM +0100, Vladimír Čunát via dns-operations
wrote:
> On 01/11/2023 17.18, Viktor Dukhovni wrote:
> > Should authoritative [nameservers] have knobs to perform internal checks on
> > the signed zones they serve and at least syslog loud warnings?
>
> My
--- Begin Message ---
On 01/11/2023 17.18, Viktor Dukhovni wrote:
Should authoritative resolvers have knobs to perform internal checks on
the signed zones they serve and at least syslog loud warnings?
My understanding is that in this case the signer was producing loud
syslog warnings
I liked Viktor’s idea. It would be cool if time-to-re-sign and
time-to-signature-expiration were available on the json/xml stats port. (Or are
they and I missed it? The last time I used the json/xml stuff, I wasn’t
getting metrics for signed zones, just the usual counters and the
> On 3 Nov 2023, at 02:18, Viktor Dukhovni wrote:
>
> On Thu, Nov 02, 2023 at 09:34:17AM +0100, Stephane Bortzmeyer wrote:
>
>>> Specifically, in the case of signed zones, monitoring MUST also include
>>> regular checks of the remaining expiration time of at least the core
>>> zone apex
On Thu, Nov 02, 2023 at 09:34:17AM +0100, Stephane Bortzmeyer wrote:
> > Specifically, in the case of signed zones, monitoring MUST also include
> > regular checks of the remaining expiration time of at least the core
> > zone apex records (DNSKEY, SOA and NS), and ideally the whole zone, both
>
On Wed, Nov 01, 2023 at 12:18:42PM -0400,
Viktor Dukhovni wrote
a message of 67 lines which said:
> Specifically, in the case of signed zones, monitoring MUST also include
> regular checks of the remaining expiration time of at least the core
> zone apex records (DNSKEY, SOA and NS), and
On Wed, Nov 01, 2023 at 04:49:01PM +0100, Mark Andrews wrote:
> It shouldn’t take any time as the bogus records shouldn’t have been cached.
>
Right, unlike mismatched parent-side DS RRs, RRSIG expiration heals
fairly promptly once the zone is resigned at the origin.
I am repeatedly surprised
It shouldn’t take any time as the bogus records shouldn’t have been cached.
--
Mark Andrews
> On 1 Nov 2023, at 15:06, Paul de Weerd wrote:
>
> Dear Matthew,
>
>> On 01/11/2023 12:13, Matthew Richardson via dns-operations wrote:
>> Our systems use some RIPE Atlas anchors for general
Dear Matthew,
On 01/11/2023 12:13, Matthew Richardson via dns-operations wrote:
Our systems use some RIPE Atlas anchors for general connectivity
monitoring. Just now, they all failed.
It looks as if DNSSEC has expired:-
https://dnsviz.net/d/anchors.atlas.ripe.net/dnssec/
It also looks as if
On Wed, Nov 01, 2023 at 01:37:14PM +0100,
Stephane Bortzmeyer wrote
a message of 17 lines which said:
> > It looks as if DNSSEC has expired:-
>
> It seems it has been repaired around 1215 UTC.
https://twitter.com/ripencc/status/1719712189496311986
"Our services have been restored and all
On Wed, Nov 01, 2023 at 11:13:15AM +,
Matthew Richardson via dns-operations wrote
a message of 64 lines which said:
> It looks as if DNSSEC has expired:-
It seems it has been repaired around 1215 UTC.
___
dns-operations mailing list
--- Begin Message ---
Our systems use some RIPE Atlas anchors for general connectivity
monitoring. Just now, they all failed.
It looks as if DNSSEC has expired:-
https://dnsviz.net/d/anchors.atlas.ripe.net/dnssec/
It also looks as if other things in ripe.net may also have expired (eg