Monitor and analyze DNSSEC key rollovers

Public version of the DNSSEC key rollover monitor and checker.

The tool has been described in a paper released at the SATIN conference
<>. See the paper at

Basic instructions:

1) sqlite3 dnssec.sqlite < create.sql
[If you had the tool in production before 2015-10-08, upgrade the database with
sqlite3 dnssec.sqlite < upgrade-1.sql ]

2) Edit ~/.key-report.ini; you can use key-report.ini.sample as a
starting point. Set fileonly to a file which is appended to if
you don't want to (or can't) send e-mail.

      sleep $SOMETIME

Or you can put ' $YOURDOMAIN $YOURSERVER' into
the crontab.

If you want to monitor several domains, an example script is:


# $RANDOM is actually a bash extension so maybe I should use /bin/bash

# Remember to add a dot at the end, especially for TLDs which match a
# type or class name (Mexico, Madagascar...)
for domain in ; do
    sleep $((RANDOM/320))
    # Select a name server at random. +cd (checking disabled) makes the
    # resolver answer even while the zone's signatures are broken, which
    # is exactly the situation a rollover monitor must still observe.
    set $(dig +cd +short NS $domain)
    if [ $# -eq 0 ]; then
	echo "Cannot find a name server for $domain"
	exit 1
    fi
    shift $(($RANDOM % $#))
    server=$1
    # Select an IP address at random (IPv6 and IPv4 candidates together)
    set $(printf %s "$server" | dig +cd +short AAAA -f - ; printf %s "$server" | dig +cd +short A -f -)
    if [ $# -gt 0 ]; then
	shift $(($RANDOM % $#))
    fi
    address=$1
    if [ "$address" = "" ]; then
	echo "Cannot find an address for $server"
	exit 1
    fi
    ./ $domain $address
done

which can also, obviously, be put in a crontab.
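To make concrete what a rollover monitor compares between two polls of a zone's DNSKEY RRset, here is an added example (not code from this tool): it computes RFC 4034 key tags, classifies keys by their flags (256 = ZSK, 257 = KSK) and reports keys that appear, disappear or change flags. The two DNSKEY snapshots are constructed sample data, not records from a real zone.

```python
import base64
import struct

# Two polls of a zone's DNSKEY RRset (constructed sample data):
# (flags, protocol, algorithm, base64 public key).
SNAPSHOT_T0 = [
    (257, 3, 13, base64.b64encode(b"\x01\x02\x03\x04").decode()),  # KSK
    (256, 3, 13, base64.b64encode(b"\x10\x20\x30\x40").decode()),  # current ZSK
]
SNAPSHOT_T1 = SNAPSHOT_T0 + [
    (256, 3, 13, base64.b64encode(b"\x0a\x0b\x0c\x0d").decode()),  # new ZSK, pre-published
]

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def role(flags):
    # Bit value 256 marks a zone key; bit value 1 is the SEP bit, i.e. a KSK.
    if not flags & 256:
        return "not-a-zone-key"
    return "KSK" if flags & 1 else "ZSK"

def diff_keys(before, after):
    """Rollover events between two polls: (event, key tag, role).
    Keys are matched by key tag; tags can collide, so a production
    monitor should also compare the key material itself."""
    old = {key_tag(*k): k for k in before}
    new = {key_tag(*k): k for k in after}
    events = []
    for tag in sorted(new.keys() - old.keys()):
        events.append(("published", tag, role(new[tag][0])))
    for tag in sorted(old.keys() - new.keys()):
        events.append(("withdrawn", tag, role(old[tag][0])))
    for tag in sorted(old.keys() & new.keys()):
        if old[tag][0] != new[tag][0]:  # flags may change, so store them per poll
            events.append(("flags-changed", tag, role(new[tag][0])))
    return events

if __name__ == "__main__":
    for event in diff_keys(SNAPSHOT_T0, SNAPSHOT_T1):
        print(event)
```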

Comments and requests can be sent to Stéphane Bortzmeyer <>