Hi all, I've been poking about a bit in other signed zones looking for impending signature expirations. I've been doing this mainly because we sign a lot of zones and have had at least one accident in the past, but this also seems like something that is worth knowing if you're the operator of a validator and you want to be able to prepare for impending signature expiration in zones that are otherwise going to cause you helpdesk problems.
See attached script for an example of what I have been doing.

I have realised, however, that I can't tell whether a signature that is (say) going to expire in under three days is a cause for concern, or whether it's normal operations and something I should expect to be replaced as part of normal operations.

This boils down to there being no way for a zone operator to publish their normal signature replacement policy in a way that I can obtain in a simple way. Sometimes that information is present in a DPS, but often there is no DPS to be found, sometimes there's a DPS but it doesn't contain that level of detail, and in any case this is all far too manual for an automated check script.

Is there perhaps value in finding a mechanism by which zone operators can publish information in their zones which gives guidance as to what the normal limits for signature expiration ought to be?

$ORIGIN HOPCOUNT.CA.
@ RRSIGPOLICY DNSKEY <min planned remaining signature validity> <max planned remaining signature validity>
@ RRSIGPOLICY SOA ....

or something?

Joe

[wifi-216-217:~]% ./sigexpire.sh
2011-06-01 15:30:41 UTC ---------- right now -----------------------------
2011-06-02 15:30:41 UTC ---------- 1 day from now ------------------------
2011-06-03 15:30:41 UTC ---------- 2 days from now -----------------------
2011-06-03 18:25:33 UTC signature over COM. DNSKEY expires
2011-06-04 15:30:41 UTC ---------- 3 days from now -----------------------
2011-06-04 18:02:19 UTC signature over VIP.ICANN.ORG. DNSKEY expires
2011-06-04 18:02:19 UTC signature over VIP.ICANN.ORG. DNSKEY expires
2011-06-05 15:30:41 UTC ---------- 4 days from now -----------------------
2011-06-05 16:00:23 UTC signature over GOV. DNSKEY expires
2011-06-06 04:00:23 UTC signature over GOV. SOA expires
2011-06-06 15:30:41 UTC ---------- 5 days from now -----------------------
2011-06-06 16:38:57 UTC signature over NET. DNSKEY expires
2011-06-06 19:28:05 UTC signature over EDU. DNSKEY expires
2011-06-07 06:21:17 UTC signature over DK. DNSKEY expires
2011-06-07 08:00:01 UTC signature over EU. DNSKEY expires
2011-06-07 08:00:01 UTC signature over EU. DNSKEY expires
2011-06-07 08:00:01 UTC signature over EU. DNSKEY expires
2011-06-07 09:09:09 UTC signature over CH. DNSKEY expires
2011-06-07 09:09:09 UTC signature over LI. DNSKEY expires
2011-06-07 15:30:41 UTC ---------- 6 days from now -----------------------
2011-06-08 00:00:00 UTC signature over . SOA expires
2011-06-08 00:00:00 UTC signature over ARPA. SOA expires
2011-06-08 06:00:00 UTC signature over DE. SOA expires
2011-06-08 09:00:00 UTC signature over BR. SOA expires
2011-06-08 09:02:13 UTC signature over EU. SOA expires
2011-06-08 09:02:13 UTC signature over EU. SOA expires
2011-06-08 09:16:26 UTC signature over VIP.ICANN.ORG. SOA expires
2011-06-08 11:23:03 UTC signature over BE. DNSKEY expires
2011-06-08 14:34:51 UTC signature over XN--DEBA0AD. DNSKEY expires
2011-06-08 14:38:20 UTC signature over XN--0ZWM56D. SOA expires
2011-06-08 14:38:54 UTC signature over IANA.ORG. SOA expires
2011-06-08 14:38:54 UTC signature over IP6-SERVERS.ARPA. DNSKEY expires
2011-06-08 14:38:54 UTC signature over XN--G6W251D. DNSKEY expires
2011-06-08 14:50:18 UTC signature over ICANN.ORG. SOA expires
2011-06-08 14:57:44 UTC signature over IP6.ARPA. DNSKEY expires
2011-06-08 14:59:29 UTC signature over XN--9T4B11YI5A. SOA expires
2011-06-08 15:12:05 UTC signature over URI.ARPA. SOA expires
2011-06-08 15:14:51 UTC signature over COM. SOA expires
2011-06-08 15:15:06 UTC signature over EDU. SOA expires
2011-06-08 15:18:24 UTC signature over NET. SOA expires
2011-06-08 15:23:13 UTC signature over XN--ZCKZAH. SOA expires
2011-06-08 15:30:41 UTC ---------- 7 days from now -----------------------
2011-06-08 15:40:41 UTC signature over IN-ADDR-SERVERS.ARPA. SOA expires
2011-06-08 16:02:53 UTC signature over IN-ADDR.ARPA. SOA expires
2011-06-08 16:02:53 UTC signature over XN--HLCJ6AYA9ESC7A. SOA expires
2011-06-08 16:22:55 UTC signature over XN--HGBK6AJ7F53BBA. DNSKEY expires
2011-06-08 17:12:02 UTC signature over URI.ARPA. DNSKEY expires
2011-06-08 17:47:06 UTC signature over URN.ARPA. SOA expires
2011-06-08 18:26:30 UTC signature over DK. SOA expires
2011-06-08 18:29:41 UTC signature over XN--JXALPDLP. DNSKEY expires
2011-06-08 18:46:03 UTC signature over IRIS.ARPA. SOA expires
2011-06-08 19:07:26 UTC signature over URN.ARPA. DNSKEY expires
2011-06-08 19:58:19 UTC signature over IANA.ORG. DNSKEY expires
2011-06-08 20:14:20 UTC signature over IN-ADDR-SERVERS.ARPA. DNSKEY expires
2011-06-08 20:19:01 UTC signature over XN--KGBECHTV. SOA expires
2011-06-08 20:23:40 UTC signature over XN--DEBA0AD. SOA expires
2011-06-08 21:00:28 UTC signature over XN--11B5BS3A9AJ6G. SOA expires
2011-06-08 21:23:22 UTC signature over XN--JXALPDLP. SOA expires
2011-06-08 21:28:57 UTC signature over IP6.ARPA. SOA expires
2011-06-08 21:52:46 UTC signature over XN--11B5BS3A9AJ6G. DNSKEY expires
2011-06-08 22:06:53 UTC signature over IRIS.ARPA. DNSKEY expires
2011-06-08 22:26:09 UTC signature over XN--ZCKZAH. DNSKEY expires
2011-06-08 23:54:38 UTC signature over ICANN.ORG. DNSKEY expires
2011-06-08 23:58:18 UTC signature over XN--KGBECHTV. DNSKEY expires
2011-06-08 23:59:30 UTC signature over XN--80AKHBYKNJ4F. SOA expires
2011-06-09 00:24:19 UTC signature over IN-ADDR.ARPA. DNSKEY expires
2011-06-09 00:24:19 UTC signature over XN--HLCJ6AYA9ESC7A. DNSKEY expires
2011-06-09 00:32:02 UTC signature over IP6-SERVERS.ARPA. SOA expires
2011-06-09 00:32:02 UTC signature over XN--G6W251D. SOA expires
2011-06-09 01:25:10 UTC signature over XN--80AKHBYKNJ4F. DNSKEY expires
2011-06-09 01:28:57 UTC signature over XN--0ZWM56D. DNSKEY expires
2011-06-09 01:44:31 UTC signature over XN--9T4B11YI5A. DNSKEY expires
2011-06-09 02:16:57 UTC signature over XN--HGBK6AJ7F53BBA. SOA expires
2011-06-09 04:47:12 UTC signature over MUSEUM. DNSKEY expires
2011-06-09 04:47:12 UTC signature over MUSEUM. DNSKEY expires
2011-06-09 05:53:12 UTC signature over CAT. DNSKEY expires
2011-06-09 15:30:42 UTC ---------- 8 days from now -----------------------
2011-06-10 09:00:00 UTC signature over BR. DNSKEY expires
2011-06-10 15:30:42 UTC ---------- 9 days from now -----------------------
2011-06-11 09:01:45 UTC signature over BE. SOA expires
2011-06-11 20:02:44 UTC signature over SE. DNSKEY expires
2011-06-12 17:32:10 UTC signature over CZ. DNSKEY expires
2011-06-13 04:02:44 UTC signature over SE. DNSKEY expires
2011-06-13 04:18:16 UTC signature over CZ. DNSKEY expires
2011-06-13 09:43:58 UTC signature over CZ. SOA expires
2011-06-14 04:35:53 UTC signature over LU. DNSKEY expires
2011-06-14 08:20:20 UTC signature over FI. DNSKEY expires
2011-06-14 10:39:30 UTC signature over SE. SOA expires
2011-06-14 17:10:30 UTC signature over LU. SOA expires
2011-06-14 23:18:40 UTC signature over NL. DNSKEY expires
2011-06-14 23:59:59 UTC signature over . DNSKEY expires
2011-06-14 23:59:59 UTC signature over ARPA. DNSKEY expires
2011-06-15 04:48:19 UTC signature over UK. SOA expires
2011-06-15 06:53:11 UTC signature over CAT. SOA expires
2011-06-15 10:48:19 UTC signature over UK. DNSKEY expires
2011-06-15 11:47:13 UTC signature over MUSEUM. SOA expires
2011-06-15 15:45:48 UTC signature over ASIA. DNSKEY expires
2011-06-15 15:45:48 UTC signature over ASIA. DNSKEY expires
2011-06-15 15:46:29 UTC signature over ME. DNSKEY expires
2011-06-15 15:46:29 UTC signature over ME. DNSKEY expires
2011-06-15 15:47:16 UTC signature over AG. DNSKEY expires
2011-06-15 15:47:16 UTC signature over AG. DNSKEY expires
2011-06-15 15:49:25 UTC signature over INFO. DNSKEY expires
2011-06-15 15:49:25 UTC signature over INFO. DNSKEY expires
2011-06-15 15:56:25 UTC signature over ORG. DNSKEY expires
2011-06-15 15:56:25 UTC signature over ORG. DNSKEY expires
2011-06-15 16:05:05 UTC signature over IN. DNSKEY expires
2011-06-15 16:05:05 UTC signature over IN. DNSKEY expires
2011-06-15 16:30:31 UTC signature over BZ. DNSKEY expires
2011-06-15 16:30:31 UTC signature over BZ. DNSKEY expires
2011-06-15 16:36:33 UTC signature over VC. DNSKEY expires
2011-06-15 16:36:33 UTC signature over VC. DNSKEY expires
2011-06-15 17:12:20 UTC signature over HN. DNSKEY expires
2011-06-15 17:12:20 UTC signature over HN. DNSKEY expires
2011-06-15 18:36:55 UTC signature over MN. DNSKEY expires
2011-06-15 18:36:55 UTC signature over MN. DNSKEY expires
2011-06-15 20:15:17 UTC signature over FI. SOA expires
2011-06-15 21:51:38 UTC signature over SC. DNSKEY expires
2011-06-15 21:51:38 UTC signature over SC. DNSKEY expires
2011-06-15 23:32:32 UTC signature over LC. DNSKEY expires
2011-06-15 23:32:32 UTC signature over LC. DNSKEY expires
2011-06-15 23:54:39 UTC signature over NL. SOA expires
2011-06-16 02:13:38 UTC signature over GI. DNSKEY expires
2011-06-16 02:13:38 UTC signature over GI. DNSKEY expires
2011-06-16 12:00:00 UTC signature over DE. DNSKEY expires
2011-06-18 03:44:21 UTC signature over AM. DNSKEY expires
2011-06-18 03:44:21 UTC signature over AM. DNSKEY expires
2011-06-21 20:13:06 UTC signature over LI. DNSKEY expires
2011-06-21 22:31:39 UTC signature over CH. DNSKEY expires
2011-06-22 08:34:51 UTC signature over LC. SOA expires
2011-06-22 11:27:43 UTC signature over SC. SOA expires
2011-06-22 11:56:35 UTC signature over VC. SOA expires
2011-06-22 14:06:18 UTC signature over MN. SOA expires
2011-06-22 14:28:51 UTC signature over HN. SOA expires
2011-06-22 14:55:24 UTC signature over BZ. SOA expires
2011-06-22 14:58:49 UTC signature over GI. SOA expires
2011-06-22 15:11:25 UTC signature over AG. SOA expires
2011-06-22 15:15:57 UTC signature over IN. SOA expires
2011-06-22 15:17:51 UTC signature over ASIA. SOA expires
2011-06-22 15:18:25 UTC signature over ME. SOA expires
2011-06-22 15:18:32 UTC signature over INFO. SOA expires
2011-06-22 15:21:45 UTC signature over ORG. SOA expires
2011-06-22 18:42:09 UTC signature over LA. SOA expires
2011-06-24 00:21:43 UTC signature over BIZ. DNSKEY expires
2011-06-24 00:21:43 UTC signature over BIZ. DNSKEY expires
2011-06-24 00:21:43 UTC signature over BIZ. DNSKEY expires
2011-06-24 02:08:36 UTC signature over US. DNSKEY expires
2011-06-24 02:08:36 UTC signature over US. DNSKEY expires
2011-06-24 13:00:00 UTC signature over CO. DNSKEY expires
2011-06-24 13:00:00 UTC signature over CO. DNSKEY expires
2011-06-24 13:00:00 UTC signature over CO. DNSKEY expires
2011-06-24 13:45:59 UTC signature over LA. DNSKEY expires
2011-06-25 10:17:03 UTC signature over XN--FZC2C9E2C. SOA expires
2011-06-25 10:17:38 UTC signature over XN--XKC2AL3HYE2A. SOA expires
2011-06-25 19:59:45 UTC signature over LA. DNSKEY expires
2011-06-26 18:41:02 UTC signature over TH. DNSKEY expires
2011-06-26 18:41:02 UTC signature over TH. DNSKEY expires
2011-06-26 18:41:02 UTC signature over TH. SOA expires
2011-06-27 17:45:03 UTC signature over JP. DNSKEY expires
2011-06-27 17:45:03 UTC signature over JP. SOA expires
2011-06-28 06:04:02 UTC signature over NA. DNSKEY expires
2011-06-28 06:04:02 UTC signature over NA. DNSKEY expires
2011-06-28 09:06:45 UTC signature over BE. DNSKEY expires
2011-06-28 09:06:45 UTC signature over BE. DNSKEY expires
2011-06-28 09:06:45 UTC signature over BE. DNSKEY expires
2011-06-29 05:46:24 UTC signature over AC. DNSKEY expires
2011-06-29 05:46:24 UTC signature over AC. DNSKEY expires
2011-06-29 05:46:24 UTC signature over AC. SOA expires
2011-06-29 05:46:24 UTC signature over IO. DNSKEY expires
2011-06-29 05:46:24 UTC signature over IO. DNSKEY expires
2011-06-29 05:46:24 UTC signature over IO. SOA expires
2011-06-29 05:46:24 UTC signature over SH. DNSKEY expires
2011-06-29 05:46:24 UTC signature over SH. DNSKEY expires
2011-06-29 05:46:24 UTC signature over SH. SOA expires
2011-06-29 05:46:24 UTC signature over TM. DNSKEY expires
2011-06-29 05:46:24 UTC signature over TM. DNSKEY expires
2011-06-29 05:46:24 UTC signature over TM. SOA expires
2011-06-30 10:29:51 UTC signature over LK. SOA expires
2011-07-01 03:01:01 UTC signature over PR. DNSKEY expires
2011-07-01 03:01:01 UTC signature over PR. DNSKEY expires
2011-07-01 03:17:05 UTC signature over NU. DNSKEY expires
2011-07-01 04:30:04 UTC signature over HOPCOUNT.CA. DNSKEY expires
2011-07-01 04:30:04 UTC signature over HOPCOUNT.CA. DNSKEY expires
2011-07-01 04:30:04 UTC signature over HOPCOUNT.CA. SOA expires
2011-07-01 06:01:01 UTC signature over PR. SOA expires
2011-07-01 06:04:01 UTC signature over NA. SOA expires
2011-07-01 06:17:05 UTC signature over NU. SOA expires
2011-07-01 07:00:07 UTC signature over PT. SOA expires
2011-07-01 07:53:19 UTC signature over AUTOMAGIC.ORG. DNSKEY expires
2011-07-01 07:53:19 UTC signature over AUTOMAGIC.ORG. DNSKEY expires
2011-07-01 07:53:19 UTC signature over AUTOMAGIC.ORG. SOA expires
2011-07-01 08:00:11 UTC signature over BG. SOA expires
2011-07-01 08:45:04 UTC signature over AM. SOA expires
2011-07-01 10:00:19 UTC signature over E164.ARPA. DNSKEY expires
2011-07-01 10:00:19 UTC signature over E164.ARPA. SOA expires
2011-07-01 12:00:05 UTC signature over PT. DNSKEY expires
2011-07-01 12:00:05 UTC signature over PT. DNSKEY expires
2011-07-01 12:12:12 UTC signature over GR. DNSKEY expires
2011-07-01 12:12:12 UTC signature over GR. DNSKEY expires
2011-07-01 12:12:12 UTC signature over GR. SOA expires
2011-07-01 13:00:13 UTC signature over BG. DNSKEY expires
2011-07-01 13:00:13 UTC signature over BG. DNSKEY expires
2011-07-01 13:34:40 UTC signature over CH. SOA expires
2011-07-01 13:59:07 UTC signature over LI. SOA expires
2011-07-01 15:14:32 UTC signature over BIZ. SOA expires
2011-07-01 15:14:50 UTC signature over CO. SOA expires
2011-07-01 15:19:33 UTC signature over US. SOA expires
2011-07-16 13:30:20 UTC signature over CL. SOA expires
2011-07-16 13:30:21 UTC signature over CL. DNSKEY expires
2011-07-29 12:16:31 UTC signature over FR. DNSKEY expires
2011-07-29 12:16:31 UTC signature over FR. DNSKEY expires
2011-07-29 12:17:36 UTC signature over PM. DNSKEY expires
2011-07-29 12:17:36 UTC signature over PM. DNSKEY expires
2011-07-29 12:17:36 UTC signature over PM. SOA expires
2011-07-29 12:17:37 UTC signature over RE. DNSKEY expires
2011-07-29 12:17:37 UTC signature over RE. DNSKEY expires
2011-07-29 12:17:37 UTC signature over TF. DNSKEY expires
2011-07-29 12:17:37 UTC signature over TF. DNSKEY expires
2011-07-29 12:17:37 UTC signature over TF. SOA expires
2011-07-29 12:17:39 UTC signature over WF. DNSKEY expires
2011-07-29 12:17:39 UTC signature over WF. DNSKEY expires
2011-07-29 12:17:39 UTC signature over WF. SOA expires
2011-07-29 12:17:39 UTC signature over YT. DNSKEY expires
2011-07-29 12:17:39 UTC signature over YT. DNSKEY expires
2011-07-29 12:17:39 UTC signature over YT. SOA expires
2011-07-30 06:29:31 UTC signature over JP. DNSKEY expires
2011-07-31 05:00:04 UTC signature over RE. SOA expires
2011-07-31 09:00:06 UTC signature over FR. SOA expires
2011-08-11 14:37:10 UTC signature over CL. DNSKEY expires
2011-08-15 00:00:00 UTC signature over LK. DNSKEY expires
2011-08-15 00:00:00 UTC signature over LK. DNSKEY expires
2011-08-15 00:00:00 UTC signature over XN--FZC2C9E2C. DNSKEY expires
2011-08-15 00:00:00 UTC signature over XN--FZC2C9E2C. DNSKEY expires
2011-08-15 00:00:00 UTC signature over XN--XKC2AL3HYE2A. DNSKEY expires
2011-08-15 00:00:00 UTC signature over XN--XKC2AL3HYE2A. DNSKEY expires
2011-08-28 13:06:23 UTC signature over MY. DNSKEY expires
2011-08-28 13:06:23 UTC signature over MY. DNSKEY expires
2011-08-30 05:06:22 UTC signature over MY. SOA expires
2011-12-31 23:59:59 UTC signature over KG. DNSKEY expires
2011-12-31 23:59:59 UTC signature over KG. DNSKEY expires
2011-12-31 23:59:59 UTC signature over KG. SOA expires
[wifi-216-217:~]%
sigexpire.sh
Description: Binary data
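One way an automated check could use a published policy of the kind proposed in the message above, as an added example that is not part of the original post and is not the attached sigexpire.sh: it parses RRSIG records in presentation format and compares each signature's remaining validity with a (min, max) window per RRset. The RRSIGPOLICY semantics, the POLICY table and the sample records for the zone example. are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed dig-style answers for a made-up zone; signature data is a placeholder.
SAMPLE = """\
; constructed sample, not real zone data
example. 3600 IN RRSIG DNSKEY 8 1 3600 20110603182533 20110527182033 12345 example. c2ln
example. 3600 IN RRSIG SOA 8 1 3600 20110608151451 20110601140451 23456 example. c2ln
example. 3600 IN RRSIG NS 8 1 3600 20110531000000 20110524000000 23456 example. c2ln
example. 3600 IN RRSIG A 8 1 3600 20110602000000 20110526000000 23456 example. c2ln
"""
NOW = datetime(2011, 6, 1, 15, 30, 41, tzinfo=timezone.utc)  # "right now" in the post

# Hypothetical stand-in for the proposed RRSIGPOLICY data:
# (owner, covered type) -> (min, max) planned remaining signature validity.
POLICY = {
    ("EXAMPLE.", "DNSKEY"): (timedelta(days=3), timedelta(days=10)),
    ("EXAMPLE.", "SOA"): (timedelta(days=6), timedelta(days=8)),
}

def parse_rrsig(line):
    """Return (owner, covered_type, expiration) for an RRSIG line, else None."""
    f = line.split()
    if not f or f[0].startswith(";") or "RRSIG" not in f:
        return None
    i = f.index("RRSIG")
    if len(f) < i + 9:  # type, alg, labels, TTL, expire, incept, tag, signer
        return None
    expire = f[i + 5]
    if len(expire) == 14:  # RFC 4034 YYYYMMDDHHmmSS form
        when = datetime.strptime(expire, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    else:                  # otherwise seconds since the epoch
        when = datetime.fromtimestamp(int(expire), tz=timezone.utc)
    return f[0].upper(), f[i + 1].upper(), when

def classify(when, now, window):
    """Compare remaining validity with the operator's planned window."""
    remaining = when - now
    if remaining <= timedelta(0):
        return "expired"
    if window is None:
        return "no-policy"  # the situation the post describes: cannot judge
    lo, hi = window
    return "below-min" if remaining < lo else "above-max" if remaining > hi else "ok"

def check(text, now, policies):
    recs = filter(None, map(parse_rrsig, text.splitlines()))
    return [(o, t, classify(w, now, policies.get((o, t)))) for o, t, w in recs]

if __name__ == "__main__":
    for owner, covered, verdict in check(SAMPLE, NOW, POLICY):
        print(f"{owner:10} {covered:7} {verdict}")
```

Only "expired" and "below-min" would warrant an alert; "no-policy" marks the RRsets where a checker has nothing to compare against.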