Monitor and analyze DNSSEC key rollovers
Python
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
LICENSE
README
create.sql
examine-history.py
key-report.ini.sample
key-store-and-report.py
keyset-zone.py Store flags (they may change) and which RRs are signed (this is for #3 Oct 9, 2015
upgrade-1.sql

README

Public version of the DNSSEC key rollover monitor and checker.

The tool has been described in a paper released at the SATIN conference
<http://conferences.npl.co.uk/satin/>. See the paper at
<http://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>.


Basic instructions:

1) sqlite3 dnssec.sqlite < create.sql
[If you had the tool in production before 2015-10-08, upgrade the database with
sqlite3 dnssec.sqlite < upgrade-1.sql ]

2) Edit ~/.key-report.ini; you can use key-report.ini.sample as a
starting point. Set fileonly to a file which is appended to if
you don't want to (or can't) send e-mail.

3) while true:
      key-store-and-report.py $YOURDOMAIN $YOURSERVER
      sleep $SOMETIME

Or you can put 'key-store-and-report.py $YOURDOMAIN $YOURSERVER' into
the crontab.

If you want to monitor several domains, an example script is:

#!/bin/sh

# $RANDOM is actually a bash extension so may be I should use /bin/bash

# Remember to add a dot at the end, specially for TLD which match a
# type or class name (Mexico, Madagascar...)
for domain in example.com example.net example.org ; do
    sleep $((RANDOM/320))
    # Select a name server at random
    set $(dig +cd +short NS $domain)
    shift $(($RANDOM % $#))
    server=$1
    # Select an IP address at random
    set $(printf %s "$server" | dig +cd +short AAAA -f - ; printf %s "$server" | dig +cd +short A -f -)
    shift $(($RANDOM % $#))
    address=$1
    if [ "$address" = "" ]; then
	echo "Cannot find an address for $server"
	exit 1
    fi
    ./key-store-and-report.py $domain $address
done

which can also, obviously, put in a crontab.

--
Comments and requests can be sent to Stéphane Bortzmeyer <bortzmeyer@nic.fr>