In response to ICANN's consultation on DNSSEC root key rollovers
http://www.icann.org/en/news/public-comment/root-zone-consultation-08mar13-en.htm
I was wondering how to check that a rollover is progressing OK. BIND
doesn't provide much help with this (unless I have missed something) so I
thought it might be useful to write a script to summarize the RFC 5011
managed keys status. Run it with the path to your managed-keys.bind file
as an argument.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.



#!/usr/bin/perl

use warnings;
use strict;

use POSIX qw(strftime);
# Current UTC time as a 14-digit YYYYMMDDHHMMSS string.  printstatus
# compares the KEYDATA hold-down fields against it with string operators
# (lt / ne), which relies on those fields using the same fixed-width form
# (cf. the 19700101000000 sentinel checked there).
my $now = strftime "%Y%m%d%H%M%S", gmtime;

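# Reformat a 14-digit YYYYMMDDHHMMSS timestamp (the form of the KEYDATA
# hold-down fields and of $now) as YYYY-MM-DD.HH:MM:SS for display.
#
# Only a value that is exactly 14 digits is rewritten; anything else
# (including undef) is returned as-is, so a malformed field appears
# verbatim in the report instead of being partially rewritten by an
# unanchored match.
#
# The ($) prototype makes this a named unary operator, so callers can
# write "ext8601 $x" inside printf argument lists without parentheses.
sub ext8601 ($) {
        my $stamp = shift;
        return $stamp unless defined $stamp;
        $stamp =~ s{\A (\d{4}) (\d\d) (\d\d) (\d\d) (\d\d) (\d\d) \z}
                   {$1-$2-$3.$4:$5:$6}x;
        return $stamp;
}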

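# Read one multi-line DNSKEY / KEYDATA record.
#
# On entry $_ must hold the record's first line (the caller has just
# matched it), which ends in "flags protocol algorithm (".  The key
# material is then read from the handle $h up to the line beginning with
# ")", and the "alg = ...; key id = ..." comment on that closing line
# supplies the algorithm mnemonic and key tag.  All fields are stored
# into the hash ref $k (which may already carry caller-supplied fields
# such as name / refresh / addhd / removehd) and $k is returned.
#
# A field whose pattern does not match is left undefined.  $1..$3 keep
# the values of the previous successful match when a pattern fails, so
# assigning them unconditionally would silently store the caller's
# captures as flags / protocol / algorithm.
#
# Callers write "getkey $h, { ... }" without parentheses; the ($$)
# prototype is kept so those call sites parse unchanged.
sub getkey ($$) {
        my $h = shift;
        my $k = shift;
        if (m{\s+(\d+)\s+(\d+)\s+(\d+)\s+[(]\s*$}) {
                $k->{flags}     = $1;
                $k->{protocol}  = $2;
                $k->{algorithm} = $3;
        }
        # Key material: the trimmed continuation lines concatenated after
        # a leading "(".  Both the managed-keys file and the dig output are
        # parsed by this same routine, so the resulting strings are
        # directly comparable with eq.
        my $data   = "(";
        my $closed = 0;
        while (<$h>) {
                s{^\s+}{};
                s{\s+$}{};
                if (m{^[)]}) {
                        $closed = 1;
                        last;
                }
                $data .= $_;
        }
        # $_ now holds the ")" line (unless EOF came first).  Optional
        # blanks are allowed before the ";" so a small formatting
        # difference does not lose the algorithm and key id.
        if ($closed and m{ alg = ([^\s;]+)\s*;\s*key id = (\d+)}) {
                $k->{alg} = $1;
                $k->{id}  = $2;
        }
        $k->{data} = $data;
        return $k;
}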

# Label a key for the report: its owner name right-aligned in a 16-column
# field followed by its key tag, e.g. "               . tag 19036".
#
# The ($) prototype is load-bearing: the main loop writes
# "fmtkey $k, $k->{alg}" inside a printf list and relies on it to take
# only $k.
sub fmtkey ($) {
        my ($key) = @_;
        my ($owner, $tag) = @{$key}{qw(name id)};
        my $label = sprintf '%16s tag %s', $owner, $tag;
        return $label;
}

# Print the RFC 5011 state of one trust anchor and end the line.
#
# A removal hold-down time other than the 1970-01-01 00:00:00 sentinel
# means the anchor is untrusted and awaiting removal at that time.
# Otherwise the anchor is trusted once its add hold-down time has passed
# ($now, file-level YYYYMMDDHHMMSS) and "waiting for" that time until
# then.  Uses ext8601 for display.
sub printstatus ($) {
        # Named $trust_anchor rather than $a: $a is sort's package variable.
        my ($trust_anchor) = @_;
        my $line;
        if ($trust_anchor->{removehd} ne "19700101000000") {
                $line = sprintf " untrusted and to be removed at %s\n",
                                ext8601 $trust_anchor->{removehd};
        }
        elsif ($trust_anchor->{addhd} lt $now) {
                $line = " trusted\n";
        }
        else {
                $line = sprintf " waiting for %s\n",
                                ext8601 $trust_anchor->{addhd};
        }
        return print $line;
}

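# Fetch the live DNSKEY RRset for $name by running dig and parse each
# record owned exactly by $name into a key hash via getkey.  Returns an
# array ref of key hashes, empty when dig produced nothing usable.
#
# dig is started with the list form of open, so $name is passed as a
# single argument and never goes through a shell.  A dig that cannot be
# started or exits non-zero is reported on stderr and treated as "no
# keys" instead of aborting the whole report; the caller then lists every
# anchor of this zone as unmatched ("???"), which is what an operator
# needs to see.
sub digkeys ($) {
        my $name = shift;
        my $keys = [];
        open my $d, "-|", qw{dig +multiline DNSKEY}, $name
                or do {
                        warn "cannot run dig for $name: $!\n";
                        return $keys;
                };
        while (<$d>) {
                # Owner name is the first field; getkey then consumes the
                # record's continuation lines from this same handle.
                next unless m{^([a-z0-9.-]*)\s+\d+\s+IN\s+DNSKEY\s+};
                next unless $name eq $1;
                push @$keys, getkey $d, { name => $name };
        }
        # close on a pipe waits for dig; a false return means it exited
        # non-zero (status in $?) or the read failed.
        close $d
                or warn "dig for $name failed (exit status $?): $!\n";
        return $keys;
}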

# Trust anchors read from the managed-keys file, grouped by zone name:
# $anchor->{$name} is an array ref of key hashes holding the KEYDATA
# fields (refresh / addhd / removehd) plus whatever getkey extracts.
my $anchor;
# NOTE(review): <> opens each @ARGV entry with the two-argument open
# rules, so a file name containing open-mode characters is not treated
# as a plain path.  On Perl 5.22+ the <<>> operator gives the same loop
# with plain file opens; this script declares no minimum version.
while (<>) {
        # KEYDATA line: name, refresh, add hold-down, remove hold-down,
        # then "flags protocol algorithm (" which getkey parses from $_.
        next unless m{^([a-z0-9.-]*)\s+KEYDATA\s+(\d+)\s+(\d+)\s+(\d+)\s+};
        # *ARGV is passed so getkey reads the record's continuation lines
        # from the same stream this loop is consuming.
        my $k = getkey *ARGV, {
                name     => $1,
                refresh  => $2,
                addhd    => $3,
                removehd => $4,
        };
        # Normalise to exactly one trailing dot; digkeys compares this
        # name with the owner names it reads from dig.
        $k->{name} =~ s{[.]*$}{.};
        push @{$anchor->{$k->{name}}}, $k;
}

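# Report, per zone that has anchors: every live KSK from dig with the
# state of its matching trust anchor, then every anchor that matches no
# live key.
for my $name (keys %$anchor) {
        my $keys    = digkeys $name;
        my $anchors = $anchor->{$name};
        for my $k (@$keys) {
                # DNSKEY flags (RFC 4034): bit 15 (value 1) is SEP, which
                # marks a KSK.  Keys without it are ZSKs and are skipped.
                next unless $k->{flags} & 1;
                printf "%s %s KSK", fmtkey $k, $k->{alg};
                # RFC 5011 REVOKE is flags bit 8, i.e. value 128 (a revoked
                # KSK therefore has flags 385).  512 is an unassigned bit,
                # so testing it never reports a revoked key.
                if ($k->{flags} & 128) {
                        print " revoked";
                }
                # A live key matches an anchor when key material, protocol
                # and algorithm all agree.
                my $matched;
                for my $t (@$anchors) {
                        if ($t->{data} eq $k->{data} and
                            $t->{protocol} eq $k->{protocol} and
                            $t->{algorithm} eq $k->{algorithm}) {
                                $t->{matched} = 1;
                                $matched = $t;
                                last;
                        }
                }
                if (not defined $matched) {
                        print " - WARNING NO MATCHING TRUST ANCHOR\n";
                        next;
                }
                printstatus $matched;
        }
        # Anchors left over after the pass above are not in the live
        # RRset; show them with "???" in place of the KSK marker.
        for my $t (@$anchors) {
                next if $t->{matched};
                printf "%s %s ???", fmtkey $t, $t->{alg};
                printstatus $t;
        }
}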