Monitor and analyze DNSSEC key rollovers
Python
LICENSE
README Bashism spotted May 2, 2016
create.sql Store flags (they may change) and which RRs are signed (this is for #3 Oct 9, 2015
examine-history.py Double-signature (something which is uncommon but can be found in isc… Apr 23, 2011
key-report.ini.sample Add option to produce output to a file for environments w/o mail Jan 27, 2015
key-store-and-report.py Correct a couple of typos in the comments. No functional change Feb 12, 2016
keyset-zone.py Store flags (they may change) and which RRs are signed (this is for #3 Oct 9, 2015
upgrade-1.sql

README

Public version of the DNSSEC key rollover monitor and checker.

The tool has been described in a paper released at the SATIN conference
<http://conferences.npl.co.uk/satin/>. See the paper at
<http://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>.


Basic instructions:

1) sqlite3 dnssec.sqlite < create.sql
[If you had the tool in production before 2015-10-08, upgrade the database with
sqlite3 dnssec.sqlite < upgrade-1.sql ]

2) Edit ~/.key-report.ini; you can use key-report.ini.sample as a
starting point. Set fileonly to a file which is appended to if
you don't want to (or can't) send e-mail.

3) while true:
      key-store-and-report.py $YOURDOMAIN $YOURSERVER
      sleep $SOMETIME

Or you can put 'key-store-and-report.py $YOURDOMAIN $YOURSERVER' into
the crontab.

If you want to monitor several domains, an example script is:

#!/bin/bash

# $RANDOM is a bash extension, hence /bin/bash rather than /bin/sh

# Remember to add a dot at the end, especially for a TLD which matches a
# type or class name (Mexico, Madagascar...)
for domain in example.com. example.net. example.org. ; do
    sleep $((RANDOM/320))
    # Select a name server at random
    set -- $(dig +cd +short NS "$domain")
    if [ $# -eq 0 ]; then
        echo "Cannot find name servers for $domain"
        exit 1
    fi
    shift $((RANDOM % $#))
    server=$1
    # Select an IP address at random (IPv6 and IPv4 addresses are pooled)
    set -- $(printf '%s\n' "$server" | dig +cd +short AAAA -f - ; printf '%s\n' "$server" | dig +cd +short A -f -)
    if [ $# -eq 0 ]; then
        echo "Cannot find an address for $server"
        exit 1
    fi
    shift $((RANDOM % $#))
    address=$1
    ./key-store-and-report.py "$domain" "$address"
done

which can also, obviously, be put in a crontab.
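What a rollover monitor has to do between two runs is compare the DNSKEY RRsets it stored and report keys that appeared, disappeared or changed flags. The following is an added illustration of that comparison, not code from this project: it computes RFC 4034 key tags, classifies keys by their flag bits (ZONE, SEP, REVOKE) and diffs two keysets indexed by key material, so that a flag change is reported as such rather than as one key removed and another added. The keys are constructed, with tiny fake public-key fields.

```python
import base64
import struct

# A DNSKEY is modelled as (flags, protocol, algorithm, public key in base64),
# the fields of a DNSKEY record. Flag bits from RFC 4034 and RFC 5011:
ZONE, REVOKE, SEP = 0x100, 0x80, 0x1

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag as in RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def role(flags):
    """Human-readable role of a key according to its flags."""
    if not flags & ZONE:
        return "not-a-zone-key"
    if flags & REVOKE:
        return "revoked"
    return "KSK" if flags & SEP else "ZSK"

def diff_keysets(old, new):
    """Compare two successive DNSKEY RRsets of a zone. Keys are indexed by
    (algorithm, key material) so a flag change on the same key is seen as a
    change, not as a swap. Returns sorted (event, key tag(s), detail) tuples."""
    old_by = {(k[2], k[3]): k for k in old}
    new_by = {(k[2], k[3]): k for k in new}
    events = []
    for ident in new_by.keys() - old_by.keys():
        k = new_by[ident]
        events.append(("added", str(key_tag(*k)), role(k[0])))
    for ident in old_by.keys() - new_by.keys():
        k = old_by[ident]
        events.append(("removed", str(key_tag(*k)), role(k[0])))
    for ident in old_by.keys() & new_by.keys():
        o, n = old_by[ident], new_by[ident]
        if o[0] != n[0]:  # same key material, new flags: the key tag changes too
            events.append(("flags-changed", f"{key_tag(*o)}->{key_tag(*n)}",
                           f"{role(o[0])}->{role(n[0])}"))
    return sorted(events)

# Constructed keysets (fake 4-byte public keys; real ones are much longer).
KSK = (257, 3, 13, "AQIDBA==")
ZSK_OLD = (256, 3, 13, "ECAwQA==")
ZSK_NEW = (256, 3, 13, "UGBwgA==")

if __name__ == "__main__":
    # Pre-publication of a new ZSK, then revocation of the KSK (RFC 5011)
    print(diff_keysets([KSK, ZSK_OLD], [KSK, ZSK_OLD, ZSK_NEW]))
    print(diff_keysets([KSK, ZSK_NEW], [(385, 3, 13, "AQIDBA=="), ZSK_NEW]))
```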

--
Comments and requests can be sent to Stéphane Bortzmeyer <bortzmeyer@nic.fr>