At 13:02 +0300 6/2/11, Joe Abley wrote:
I have realised, however, that I can't tell whether a signature that is (say) going to expire in under three days is a cause for concern, or whether it's normal operations and something I should expect to be replaced as part of normal operations.
Once upon a time a DNS setup had two NS records and the two IP addresses were neighbors. I was sitting next to the admin of the zone and mentioned this to him. He said "but you don't know..." how he had set up the zone to avoid the problem I thought I detected. It turns out, what I "didn't know" didn't really solve the problem, but the moral is that with all the tricks available to admins these days, it's nearly impossible to poke at port 53 and make an accurate diagnosis and recommendation. (You can detect symptoms, but not a reason.)
I also repeated this lesson writing lame server detection software years ago. Again, you can find symptoms but can't really diagnose or prescribe fixes.
So, I would bet that about all you can do is list when signatures are to expire (in the future), list signatures that have expired, and notify the admins. Except for the expired ones, there's not much you can say definitively to the admin. More remote monitoring and reporting of symptoms is good; trying to diagnose and offer fixes is likely to drive you crazy (unless you like false positives).
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
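The "list expiry times, flag the expired ones, and report symptoms rather than diagnoses" approach from the reply above, written out as an added Python example (not code from the thread or from any DNSOP participant). It parses RRSIG records in zone-file presentation format, computes the remaining validity against a fixed reference time, and classifies each signature as expired, expiring within a warning window, not yet valid, or ok. The sample records, the `example.test` zone, the key tag and the reference time are all constructed for the example; the 3-day warning window mirrors the "under three days" figure in the quoted question and is a tunable assumption.

```python
"""Symptom-level RRSIG expiry report: lists signatures by expiration time and
flags expired / soon-to-expire ones without attempting to diagnose why."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG RRs in zone-file presentation format:
# owner TTL class RRSIG type-covered algorithm labels original-TTL
#       expiration inception key-tag signer signature
# The signature field is a placeholder; only the timing fields matter here.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A   8 2 3600 20110615000000 20110601000000 12345 example.test. AAAA
example.test. 3600 IN RRSIG SOA 8 2 3600 20110608120000 20110525120000 12345 example.test. AAAA
example.test. 3600 IN RRSIG NS  8 2 3600 20110605000000 20110522000000 12345 example.test. AAAA
"""

# Constructed reference "now" so the report is reproducible offline.
NOW = datetime(2011, 6, 7, 0, 0, 0, tzinfo=timezone.utc)


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_sigtime(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or (RFC 4034's alternate
    presentation) a plain count of seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one presentation-format RRSIG line into its timing-relevant fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4],
                 expiration=parse_sigtime(f[8]), inception=parse_sigtime(f[9]),
                 key_tag=int(f[10]), signer=f[11])


def classify(sig: Rrsig, now: datetime, warn: timedelta = timedelta(days=3)) -> str:
    """State only what is observable about the validity window; no guess at
    whether re-signing is scheduled or overdue."""
    if now < sig.inception:
        return "not-yet-valid"
    if now >= sig.expiration:
        return "expired"
    if sig.expiration - now <= warn:
        return "expiring-soon"
    return "ok"


def report(text: str, now: datetime, warn: timedelta = timedelta(days=3)):
    """Return (owner, type, expiration, seconds_left, status) rows, soonest
    expiration first, skipping blank lines and ';' comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        sig = parse_rrsig(line)
        left = int((sig.expiration - now).total_seconds())
        rows.append((sig.owner, sig.type_covered, sig.expiration, left,
                     classify(sig, now, warn)))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for owner, rtype, exp, left, status in report(SAMPLE_RRSIGS, NOW):
        print(f"{status:14} {owner} {rtype:4} expires {exp:%Y-%m-%d %H:%M}Z "
              f"({left // 3600}h left)")
```

Feeding it a real zone's RRSIG set (for example the output of a zone transfer or a `dig ... +dnssec` query saved to a file) with `now` set to the current UTC time gives exactly the kind of list the reply suggests: expired signatures are a definite problem, and the rest are ordered by how soon they need attention, with no claim about whether the zone's re-signing schedule will handle them.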