In message
<AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v(_at_)mail(_dot_)gmail(_dot_)com>,
Phillip Hallam-Baker writes:
Whether or not the IAB zone is signed is of negligible consequence.
But the fact that the IAB zone signatures had expired is a highly
significant data point: DNSSEC administration is not quite as easy as
some of the glib claims of its more enthusiastic supporters would lead
one to believe.
It's more a matter of choosing the right tools. I've got signed
zones that haven't been hand signed in 3 years using a 2 month
signature validity interval. The nameserver just re-signs the
records as they fall due. That's several thousand automatic updates
of the zones in that period. Yes, I've changed the non-DNSSEC
content of the zones in that time.
This isn't a protocol issue. It's a tools issue and DNSSEC tools
from all vendors are improving.
It's also extremely easy to construct tools that can warn you to
re-sign if you are doing it by hand. You could replace awk with
perl and have a cross-platform tool. Such tools can easily be
added to network management platforms as they are just small
scripts. If you don't have a network management platform use
cron.
e.g.

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +7d +%Y%m%d%H%M%S`
%
% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
bind9-test-8.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. 2jHCGeJqH23dO0RV48Uqqp2hXIl1wp3kIslqmdz686uaCNz3WZZUhKzX EH+8iKc6QQWMZhFzhJoqruiTO6RyIA==
BRNEE8E63.dv.isc.org. 1800 IN RRSIG A 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. ZhD6uAbGQYDWJ6rob9iyvRNWZ7Tod1as4WEtPV8C+mLF8aJbakwp/76/ f7r7jz/fQOtIMQ/NjXBRT7O4507gIA==
BRNEE8E63.dv.isc.org. 1800 IN RRSIG TXT 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. Xl3nk8lf2exwGGy2iI2BxVjXO3emvI+8GRmkj+vi7n8rddmP6oJRqPGZ wmNoZVxMN9XMTghly6w6Cmj8aNAILQ==
BRNEE8E63.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. JUR1M8GmlFFYF73v6oh+bdwYuKK0YBMe7b4mDsMBs1bdBqHB52KUZ8eS KNCRD3GTp8VzwxB1TGmuIq+dGr57lQ==
%

With a minor change it will print out just the zone.

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing" ; exit }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
WARNING: dv.isc.org. needs re-signing
%
Wrap it in a while loop and you can do all your zones. The getline
is so we don't generate error messages in the nameserver logs by
causing the axfr to be aborted.

#!/bin/sh -f
# Reads "zone server" pairs from stdin, one pair per line.
# "date -v +7d" is BSD syntax; on GNU date use: date -u -d '+7 days' +%Y%m%d%H%M%S
WARN=`date -u -v +7d +%Y%m%d%H%M%S`
while read zone server
do
    # Field 9 of an RRSIG is the expiration time (YYYYMMDDHHmmSS, UTC),
    # field 12 the signer, i.e. the zone name. After the first hit, drain
    # the rest of the transfer so dig is not killed mid-AXFR; the "> 0"
    # test stops the loop on a read error as well as at end of file.
    dig axfr "$zone" "@$server" | \
    awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing."; while ((getline) > 0) ; }' \
        WARN=$WARN
done
Mark
On Tue, Aug 31, 2010 at 10:36 AM, Glen Barney (AMS)
<glen(_at_)amsl(_dot_)com> wrote:
Community -
The DNS zone files have been re-signed, and we will look into alternatives to
the original DNSSEC tools that were in use (which seem to be broken.)
And just a reminder that, while posting complaints to this list might feel
more therapeutic, the secretariat has an address set up for trouble reports,
which is ietf-action(_at_)ietf(_dot_)org . Sending complaints to that
address will generally get much faster results.
Thank you!
Glen
Glen Barney
IT Director
AMS (IETF Secretariat)
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
--
Website: http://hallambaker.com/
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
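The same expiry check as a stand-alone program, added here as an illustration and not part of Mark's post or of any ISC tool. It parses the RRSIG presentation format that dig axfr prints (RFC 4034 section 3.2), compares real UTC timestamps rather than digit strings, and separates signatures that are already expired or not yet valid (signer clock skew) from those that merely fall due inside the warning window, so a zone that is already broken is reported as such instead of as "needs re-signing soon". The zone example.test, its server, owner names, key tag and signature data in SAMPLE_AXFR, and the fixed NOW value are constructed for the example; in practice you would feed it the output of dig axfr zone @server and the current time.

```python
"""Classify DNSSEC signatures in an AXFR dump by validity window.

Added example, not code from the original post. The zone, names and
signature data below are constructed; feed real `dig axfr` output instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 4034 section 3.2 presentation format, as printed by dig:
#   NAME TTL CLASS RRSIG TYPE ALG LABELS ORIGTTL EXPIRATION INCEPTION KEYTAG SIGNER SIG...
# EXPIRATION and INCEPTION are YYYYMMDDHHmmSS in UTC.


@dataclass
class RRSig:
    owner: str
    covered: str
    expiration: datetime
    inception: datetime
    keytag: int
    signer: str


def parse_rrsig_time(field: str) -> datetime:
    """YYYYMMDDHHmmSS (UTC) -> timezone-aware datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(axfr_text: str) -> list[RRSig]:
    """Extract RRSIG records; other RR types, blank lines and ';' comments are skipped."""
    sigs = []
    for line in axfr_text.splitlines():
        f = line.split()
        if len(f) < 12 or f[0].startswith(";") or f[3] != "RRSIG":
            continue
        sigs.append(RRSig(owner=f[0], covered=f[4],
                          expiration=parse_rrsig_time(f[8]),
                          inception=parse_rrsig_time(f[9]),
                          keytag=int(f[10]), signer=f[11]))
    return sigs


def classify(sig: RRSig, now: datetime, warn: timedelta) -> str:
    """expired / not_yet_valid / expiring (inside the warning window) / ok."""
    if sig.expiration <= now:
        return "expired"
    if sig.inception > now:
        return "not_yet_valid"          # signer clock ahead of the validators
    if sig.expiration <= now + warn:
        return "expiring"
    return "ok"


def check_zone(axfr_text: str, now: datetime, warn: timedelta = timedelta(days=7)) -> dict:
    """Group every RRSIG by status and record the earliest expiration seen."""
    result = {"expired": [], "not_yet_valid": [], "expiring": [], "ok": [], "earliest": None}
    for sig in parse_rrsigs(axfr_text):
        result[classify(sig, now, warn)].append(sig)
        if result["earliest"] is None or sig.expiration < result["earliest"]:
            result["earliest"] = sig.expiration
    return result


def needs_resign(result: dict) -> bool:
    return bool(result["expired"] or result["expiring"])


# Constructed sample: one signature already expired, one due within 7 days,
# one whose inception is in the future, one healthy. Signature data is fake.
SAMPLE_AXFR = """\
; <<>> DiG 9.7 <<>> axfr example.test @ns1.example.test
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2010083101 7200 3600 1209600 3600
example.test.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20100905120000 20100806120000 12345 example.test. c29hLXNpZw==
www.example.test.\t300\tIN\tA\t192.0.2.10
www.example.test.\t300\tIN\tRRSIG\tA 8 3 300 20100830000000 20100731000000 12345 example.test. d3d3LXNpZw==
mail.example.test.\t300\tIN\tRRSIG\tA 8 3 300 20101031000000 20101001000000 12345 example.test. bWFpbC1zaWc=
ftp.example.test.\t300\tIN\tRRSIG\tA 8 3 300 20101031000000 20100801000000 12345 example.test. ZnRwLXNpZw==
"""

NOW = datetime(2010, 8, 31, 12, 0, tzinfo=timezone.utc)  # fixed for the example

if __name__ == "__main__":
    res = check_zone(SAMPLE_AXFR, NOW)
    for status in ("expired", "not_yet_valid", "expiring"):
        for s in res[status]:
            print(f"{status:14} {s.owner} {s.covered} expires {s.expiration:%Y-%m-%d %H:%M}Z")
    if needs_resign(res):
        zone = parse_rrsigs(SAMPLE_AXFR)[0].signer
        print(f"WARNING: {zone} needs re-signing.")
```

Because every RRSIG in a zone carries the apex as its signer, the warning names the zone exactly as the awk version does; the per-record listing above it is what you want in the ticket, since an expired signature on the apex SOA or DNSKEY set takes the whole zone down while one on a leaf name only breaks that name.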