Public version of the DNSSEC key rollover monitor and checker.

The tool has been described in a paper released at the SATIN conference
<http:https://conferences.npl.co.uk/satin/>. See the paper at
<http:https://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>.


Basic instructions:

1) sqlite3 dnssec.sqlite < create.sql
[If you had the tool in production before 2015-10-08, upgrade the database with
sqlite3 dnssec.sqlite < upgrade-1.sql ]

2) Edit ~/.key-report.ini; you can use key-report.ini.sample as a
starting point. Set fileonly to a file which is appended to if
you don't want to (or can't) send e-mail.

3) while true:
      key-store-and-report.py $YOURDOMAIN $YOURSERVER
      sleep $SOMETIME

Or you can put 'key-store-and-report.py $YOURDOMAIN $YOURSERVER' into
the crontab.

If you want to monitor several domains, an example script is:

#!/bin/sh

# Remember to add a dot at the end, specially for TLD which match a
# type or class name (Mexico, Madagascar...)
for domain in example.com example.net example.org ; do
    sleep $((RANDOM/320))
    # Select a name server at random
    set $(dig +cd +short NS $domain)
    shift $(($RANDOM % $#))
    server=$1
    # Select an IP address at random
    set $(printf %s "$server" | dig +cd +short AAAA -f - ; printf %s "$server" | dig +cd +short A -f -)
    shift $(($RANDOM % $#))
    address=$1
    if [ "$address" = "" ]; then
	echo "Cannot find an address for $server"
	exit 1
    fi
    ./key-store-and-report.py $domain $address
done

which can also, obviously, put in a crontab.

--
Comments and requests can be sent to Stéphane Bortzmeyer <[email protected]>