Or it is a matter of the readers of this list perhaps recognizing a business
opportunity and helping the 98% of net users who are less technically
sophisticated in a variety of ways...

Understanding what a DNS TTL is means that a Web site operator has distinctly
above average skill.

On Tue, Aug 31, 2010 at 9:05 PM, Mark Andrews <marka@xxxxxxx> wrote:
>
> In message <AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v@xxxxxxxxxxxxxx>, Phillip Hallam-Baker writes:
>> Whether or not the IAB zone is signed is of negligible consequence.
>>
>> But the fact that the IAB zone signatures had expired is a highly
>> significant data point: DNSSEC administration is not quite as easy as
>> some of the glib claims of its more enthusiastic supporters would lead
>> one to believe.
>
> It's more a matter of choosing the right tools. I've got signed
> zones that haven't been hand signed in 3 years using a 2 month
> signature validity interval. The nameserver just re-signs the
> records as they fall due. That's several thousand automatic updates
> of the zones in that period. Yes, I've changed the non DNSSEC
> content of the zones in that time.
>
> This isn't a protocol issue. It's a tools issue and DNSSEC tools
> from all vendors are improving.
>
> It's also extremely easy to construct tools that can warn you to
> re-sign if you are doing it by hand. You could replace awk with
> perl and have a cross platform tool. Such tools can easily be
> added to network management platforms as they are just small
> scripts. If you don't have a network management platform use
> cron.
>
> e.g.
>
> % dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +7d +%Y%m%d%H%M%S`
> %
>
> % dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
> bind9-test-8.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. 2jHCGeJqH23dO0RV48Uqqp2hXIl1wp3kIslqmdz686uaCNz3WZZUhKzX EH+8iKc6QQWMZhFzhJoqruiTO6RyIA==
> BRNEE8E63.dv.isc.org. 1800 IN RRSIG A 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. ZhD6uAbGQYDWJ6rob9iyvRNWZ7Tod1as4WEtPV8C+mLF8aJbakwp/76/ f7r7jz/fQOtIMQ/NjXBRT7O4507gIA==
> BRNEE8E63.dv.isc.org. 1800 IN RRSIG TXT 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. Xl3nk8lf2exwGGy2iI2BxVjXO3emvI+8GRmkj+vi7n8rddmP6oJRqPGZ wmNoZVxMN9XMTghly6w6Cmj8aNAILQ==
> BRNEE8E63.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. JUR1M8GmlFFYF73v6oh+bdwYuKK0YBMe7b4mDsMBs1bdBqHB52KUZ8eS KNCRD3GTp8VzwxB1TGmuIq+dGr57lQ==
> %
>
> With a minor change it will print out just the zone.
>
> % dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing" ; exit }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
> WARNING: dv.isc.org. needs re-signing
> %
>
> Wrap it in a while loop and you can do all your zones. The getline
> is so we don't generate error messages in the nameserver logs by
> causing the axfr to be aborted.
>
> #!/bin/sh -f
> # Reads "zone server" pairs from stdin; warns on any RRSIG
> # ($9 is its expiration time) that expires within 7 days.
> WARN=`date -u -v +7d +%Y%m%d%H%M%S`
> while read zone server
> do
>     dig axfr "$zone" "@$server" | \
>     awk '$4 == "RRSIG" && $9 < WARN {
>              print "WARNING:", $12, "needs re-signing."; while (getline) ; }' \
>         WARN=$WARN
> done
>
> Mark
>
>> On Tue, Aug 31, 2010 at 10:36 AM, Glen Barney (AMS) <glen@xxxxxxxx> wrote:
>> > Community -
>> >
>> > The DNS zone files have been re-signed, and we will look into alternatives to
>> > the original DNSSEC tools that were in use (which seem to be broken.)
>> >
>> > And just a reminder that, while posting complaints to this list might feel
>> > more therapeutic, the secretariat has an address set up for trouble reports,
>> > which is ietf-action@xxxxxxxx . Sending complaints to that address will
>> > generally get much faster results.
>> >
>> > Thank you!
>> >
>> > Glen
>> > Glen Barney
>> > IT Director
>> > AMS (IETF Secretariat)
>> >
>> > _______________________________________________
>> > Ietf mailing list
>> > Ietf@xxxxxxxx
>> > https://www.ietf.org/mailman/listinfo/ietf
>> >
>>
>> --
>> Website: http://hallambaker.com/
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx

--
Website: http://hallambaker.com/
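The awk one-liner Mark posts compares the RRSIG expiration field ($9) against a single threshold, so it reports "needs re-signing" but cannot tell a signature that is merely due for renewal from one that has already lapsed (the IAB case) or one whose inception time is still in the future. The following is an added example, not code from the thread or from ISC: it parses the same `dig axfr` presentation format (RFC 4034 field order) and classifies every RRSIG as OK, EXPIRING, EXPIRED or NOT_YET_VALID relative to a reference time, then summarises the worst state per signing zone. The sample dump is constructed for the example: two of its RRSIG lines are copied from the dv.isc.org output above (signature data truncated), and the `dead.example.` records, key tag and timestamps are invented to model a zone that has already expired.

```python
"""Classify DNSSEC signatures in a `dig axfr` dump by validity window."""
from datetime import datetime, timedelta, timezone

# Worst-to-best ordering used to summarise each zone.
SEVERITY = {"EXPIRED": 3, "NOT_YET_VALID": 2, "EXPIRING": 1, "OK": 0}


def _ts(s):
    """Parse dig's YYYYMMDDHHMMSS RRSIG timestamp (always UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one presentation-format RRSIG line; return None for any other line.

    After owner, TTL, class and "RRSIG" the fields follow RFC 4034 s3.2:
    type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer name, signature.
    """
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": _ts(f[8]),
        "inception": _ts(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],  # the zone apex; $12 in the awk one-liner
    }


def classify(sig, now, warn):
    """State of one signature at `now`, warning `warn` ahead of expiry."""
    if now < sig["inception"]:
        return "NOT_YET_VALID"  # clock skew or a future-dated signer
    if now >= sig["expiration"]:
        return "EXPIRED"        # validating resolvers reject this data now
    if sig["expiration"] - now <= warn:
        return "EXPIRING"       # still valid, but re-sign before it lapses
    return "OK"


def check_zone(axfr_output, now_ts, warn_days=7):
    """Return ({signer: worst state}, [(signer, owner, type, state, expiry)]).

    now_ts is a YYYYMMDDHHMMSS string so a check can be replayed against a
    fixed time; in production pass datetime.now(timezone.utc) formatted the
    same way.
    """
    now = _ts(now_ts)
    warn = timedelta(days=warn_days)
    worst, findings = {}, []
    for line in axfr_output.splitlines():
        sig = parse_rrsig(line)
        if sig is None:
            continue  # comments, non-RRSIG records
        state = classify(sig, now, warn)
        zone = sig["signer"]
        if SEVERITY[state] > SEVERITY[worst.get(zone, "OK")]:
            worst[zone] = state
        worst.setdefault(zone, "OK")
        if state != "OK":
            findings.append((zone, sig["owner"], sig["type_covered"], state,
                             sig["expiration"].strftime("%Y%m%d%H%M%S")))
    return worst, findings


# Constructed sample dump. The two dv.isc.org RRSIG lines are taken from the
# thread (signature data truncated); everything under dead.example. is made up
# to model a zone whose signatures lapsed in mid-August 2010.
SAMPLE_AXFR = """\
; constructed AXFR dump for the example
bind9-test-8.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. 2jHCGeJqH23dO0RV48Uqqp2hXIl1wp3kIslqmdz686uaCNz3WZZUhKzX
BRNEE8E63.dv.isc.org. 1800 IN RRSIG A 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. ZhD6uAbGQYDWJ6rob9iyvRNWZ7Tod1as4WEtPV8C+mLF8aJbakwp/76/
www.dead.example. 3600 IN A 192.0.2.10
www.dead.example. 3600 IN RRSIG A 8 3 3600 20100815000000 20100716000000 12345 dead.example. constructedsignaturedata==
"""

if __name__ == "__main__":
    # Same reference date as the thread; a 30-day window reproduces Mark's
    # "+1m" result for dv.isc.org and also catches the lapsed zone.
    worst, findings = check_zone(SAMPLE_AXFR, "20100901000000", warn_days=30)
    for zone, owner, rtype, state, exp in findings:
        print(f"{state}: {owner} {rtype} signed by {zone}, expires {exp}")
    for zone, state in worst.items():
        print(f"{zone} worst={state}")
```

With the thread's own dates, a 7-day window leaves dv.isc.org at OK and a 30-day window flags it as EXPIRING, which matches the two awk runs above; dead.example. is EXPIRED either way. Note that the timestamps compare correctly as strings only because dig always prints them as fixed-width UTC; the awk check relies on the same property.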