Skip to content

huguei/key-checker

 
 

Repository files navigation

Public version of the DNSSEC key rollover monitor and checker.

The tool has been described in a paper released at the SATIN conference 
<https://conferences.npl.co.uk/satin/>. See the paper at 
<https://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>.


Basic instructions:

1) sqlite3 dnssec.sqlite < create.sql

2) Edit ~/.key-report.ini may be using key-report.ini.sample as a
starting point.

3) while true:
   key-store-and-report.py $YOURDOMAIN $YOURSERVER
   sleep $SOMETIME

Or you can put 'key-store-and-report.py $YOURDOMAIN $YOURSERVER' into
the crontab.

If you want to monitor several domains, an example script is:

#!/bin/sh

# Remember to add a dot at the end, specially for TLD which match a
# type or class name (Mexico, Madagascar...)
for domain in example.com example.net example.org ; do
    sleep $((RANDOM/320))
    # Select a name server at random
    set $(dig +cd +short NS $domain)
    shift $(($RANDOM % $#))
    server=$1
    # Select an IP address at random
    set $(dig +cd +short AAAA $server ; dig +cd +short A $server)
    shift $(($RANDOM % $#))
    address=$1
    if [ "$address" = "" ]; then
	echo "Cannot find an address for $server"
	exit 1
    fi
    ./key-store-and-report.py $domain $address
done

which can also, obviously, put in a crontab.

--
Comments and requests can be sent to Stéphane Bortzmeyer <[email protected]>

About

Monitor and analyze DNSSEC key rollovers

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%