On Mon, Nov 06, 2023 at 08:37:12AM +0100, Stefan Ubbink via
dns-operations wrote:
> > There could be a new "rdnc" protocol verb that asks the nameserver
> > for a list of all the zones where the soonest expiration time is
> > below some threshold, or asks about a particular zone.
> 
> This would still be based on polling the name server, and I think
> active signalling would be better. There is an IETF draft [1] which
> writes something about sending a signal when signatures are (about to)
> expire.

FYI: maybe the simplistic approach below might be nice for some operators.
I like it because it is independent of the actual nameserver software.

The operator could simply grep for RRSIGs of all zones on the nameserver.
This quick and dirty approach gives me a list of >140.000 RRSIGs of about 7000 
zones:

$ grep -A1 RRSIG /var/named/<path-to-your-zonefiles>/* | awk '{print $2" "$1}' | grep ^20

Then just pipe the output to a simple script (e.g. perl) and compare the first
column with the output of "date -d+5days +%Y%m%d%H%M00", and you have quickly
and nicely checked that all RRSIGs are valid for at least 5 days.

quick and dirty perl:

#!/usr/bin/perl
use strict;
use warnings;

# Threshold: every RRSIG must still be valid at this YYYYMMDDHHMM00 timestamp
# (GNU date syntax).
my $date = `date -d+5days +%Y%m%d%H%M00`;
chomp $date;

my %seen;
while (<>) {
   chomp;
   # Input lines are "<expiration> <zonefile>" as produced by the grep/awk pipeline.
   my ($expire, $file) = split(/ /, $_);
   next if $expire > $date;    # still valid beyond the threshold
   next if $seen{$file}++;     # report each zone file only once
   print "rrsig with lifetime <5 days: $file ($expire)\n";
}

If it's preferred to run such operations on a workstation/monitoring station,
one could AXFR the zones using dig and check the RRSIGs there.
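A Python counterpart for that monitoring-station variant, added here and not part of the original mail: it parses the RRSIG lines of `dig ... AXFR` output (the sample zone below is constructed, as is the `check_rrsig.py` name) and lists signatures that expire within N days or have already expired.

```python
#!/usr/bin/env python3
"""Report RRSIGs in `dig AXFR` output that expire within N days (added example)."""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of dig's presentation format. RRSIG fields are:
# owner TTL class RRSIG type-covered alg labels orig-TTL expiration inception keytag signer sig
SAMPLE_AXFR = """\
example.com.  3600 IN SOA   ns1.example.com. hostmaster.example.com. 2023110601 7200 3600 1209600 3600
example.com.  3600 IN RRSIG SOA 8 2 3600 20231120000000 20231030000000 12345 example.com. AbCdEf==
example.com.  3600 IN RRSIG NS 8 2 3600 20231108120000 20231030000000 12345 example.com. GhIjKl==
www.example.com. 300 IN RRSIG A 8 3 300 20231105000000 20231020000000 12345 example.com. MnOpQr==
www.example.com. 300 IN A     192.0.2.10
"""

def parse_timestamp(stamp):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(axfr_text):
    """Yield (owner, type_covered, expiration) for every RRSIG line in AXFR output."""
    for line in axfr_text.splitlines():
        fields = line.split()
        # Skip comments, blank lines and anything that is not an RRSIG record.
        if len(fields) < 12 or fields[0].startswith(";") or fields[3] != "RRSIG":
            continue
        yield fields[0], fields[4], parse_timestamp(fields[8])

def expiring_rrsigs(axfr_text, days, now=None):
    """Return RRSIGs expiring less than `days` from `now` (including already expired), soonest first."""
    now = now or datetime.now(timezone.utc)
    threshold = now + timedelta(days=days)
    hits = [rec for rec in parse_rrsigs(axfr_text) if rec[2] < threshold]
    return sorted(hits, key=lambda rec: rec[2])

if __name__ == "__main__":
    # Usage: dig @ns1.example.com example.com AXFR | ./check_rrsig.py 5
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    text = SAMPLE_AXFR if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc)
    for owner, rtype, exp in expiring_rrsigs(text, days, now):
        state = "EXPIRED" if exp < now else "expires"
        print(f"{owner} RRSIG({rtype}) {state} {exp:%Y-%m-%dT%H:%M:%SZ}")
```

Run without piped input it checks the constructed sample; with real `dig AXFR` output on stdin it checks the transferred zone.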

Andreas