Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
54 lines (40 sloc) 1.66 KB
Public version of the DNSSEC key rollover monitor and checker.
The tool has been described in a paper released at the SATIN conference
<>. See the paper at
Basic instructions:
1) sqlite3 dnssec.sqlite < create.sql
[If you had the tool in production before 2015-10-08, upgrade the database with
sqlite3 dnssec.sqlite < upgrade-1.sql ]
2) Edit ~/.key-report.ini; you can use key-report.ini.sample as a
starting point. Set fileonly to a file which is appended to if
you don't want to (or can't) send e-mail.
Or you can put ' $YOURDOMAIN $YOURSERVER' into
the crontab.
If you want to monitor several domains, an example script is:
# $RANDOM is actually a bash extension so may be I should use /bin/bash
# Remember to add a dot at the end, specially for TLD which match a
# type or class name (Mexico, Madagascar...)
for domain in ; do
sleep $((RANDOM/320))
# Select a name server at random
set $(dig +cd +short NS $domain)
shift $(($RANDOM % $#))
# Select an IP address at random
set $(printf %s "$server" | dig +cd +short AAAA -f - ; printf %s "$server" | dig +cd +short A -f -)
shift $(($RANDOM % $#))
if [ "$address" = "" ]; then
echo "Cannot find an address for $server"
exit 1
./ $domain $address
which can also, obviously, put in a crontab.
Comments and requests can be sent to Stéphane Bortzmeyer <>