Describe the feature request

When DNSSEC is deployed in a DNS zone, it is important to check not only the availability of the authoritative server and its responses, but also the validity of DNSSEC.

Validity itself can be verified through a third-party DNS resolver, which will not provide a response if the DNSSEC record is not valid.

However, it is a useful feature to monitor that the DNSSEC records are fresh and have the correct validity, so that you can intervene to correct the signing on the server before the zone becomes invalid, which can have significant consequences, as the remediation can take many hours due to caching.

The idea is to check the time of the last record signing and that there is sufficient time until the signature expires.

```
$ dig A nic.cz @1.1.1.1 +dnssec
nic.cz. 30m IN A 217.31.205.50
nic.cz. 30m IN RRSIG A 13 2 1800 20240424072553 20240410055553 12833 nic.cz. cWOGbscTnLVPn070WDusLC6HxOZ5ZXPLd8tQ9JrekTWcceM/zTZL7FPv UiIm2XeGJYdyfuROWzr6/Hi59cdQVg==
```

The 5th and 6th fields in the RRSIG response are what we are interested in.

- 5th, Expiration Time: The signature expiration time in UTC format[^1].
- 6th, Inception Time: The signature inception time in UTC format[^1].
For example, the "competitive" project https://github.com/berthubert/simplomon can do this.
Why do you personally want this feature to be implemented?
see above
How long have you been using this project?
I switched to Gatus in 2023
Additional information
Thank you for considering my request. Gatus is a very nice project and is well done! This would take it a step further.
Footnotes
[^1]: Please note that in the protocol itself this is transmitted as 32-bit values. RFC 4034, chapter 3.1.15
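As an added example, not code from the issue author, from Gatus or from simplomon: a small Go program that implements the check the request describes. It parses the expiration (5th) and inception (6th) RDATA fields out of the RRSIG line in a dig answer (the sample quoted in the issue, embedded here as constructed input so it runs offline) and applies two thresholds, a minimum remaining validity and a maximum signature age. The function names, the threshold values and the fixed "now" instant are assumptions made for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed sample: the dig answer section quoted in the issue, embedded so
// the check runs offline instead of querying 1.1.1.1.
const sampleDig = `nic.cz. 30m IN A 217.31.205.50
nic.cz. 30m IN RRSIG A 13 2 1800 20240424072553 20240410055553 12833 nic.cz. cWOGbscTnLVPn070WDusLC6HxOZ5ZXPLd8tQ9JrekTWcceM/zTZL7FPv UiIm2XeGJYdyfuROWzr6/Hi59cdQVg==`

// rrsigTimeLayout is the RRSIG presentation format YYYYMMDDHHmmSS (RFC 4034
// section 3.2), always UTC. On the wire these fields are 32-bit unsigned
// seconds compared with serial-number arithmetic (section 3.1.5); the 14-digit
// text form that dig prints is unambiguous, so plain time.Time comparisons are
// correct here.
const rrsigTimeLayout = "20060102150405"

var errNotRRSIG = errors.New("not an RRSIG record")

// RRSIG holds the fields of one RRSIG record that matter for monitoring.
type RRSIG struct {
	TypeCovered string
	KeyTag      string
	Expiration  time.Time
	Inception   time.Time
}

// ParseRRSIGLine parses one line in dig's presentation format:
//   owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer signature
// RDATA starts after the "RRSIG" token, so the TTL form (1800 or 30m) and the
// optional class do not matter. Lines without an RRSIG token yield errNotRRSIG.
func ParseRRSIGLine(line string) (RRSIG, error) {
	fields := strings.Fields(line)
	start := -1
	for i, f := range fields {
		if f == "RRSIG" {
			start = i + 1
			break
		}
	}
	if start < 0 {
		return RRSIG{}, errNotRRSIG
	}
	if len(fields) < start+9 {
		return RRSIG{}, fmt.Errorf("truncated RRSIG record: %q", line)
	}
	rdata := fields[start:]
	exp, err := time.Parse(rrsigTimeLayout, rdata[4]) // 5th RDATA field
	if err != nil {
		return RRSIG{}, fmt.Errorf("bad expiration %q: %w", rdata[4], err)
	}
	inc, err := time.Parse(rrsigTimeLayout, rdata[5]) // 6th RDATA field
	if err != nil {
		return RRSIG{}, fmt.Errorf("bad inception %q: %w", rdata[5], err)
	}
	return RRSIG{TypeCovered: rdata[0], KeyTag: rdata[6], Expiration: exp, Inception: inc}, nil
}

// ExtractRRSIGs returns every RRSIG in a dig answer, skipping comment lines
// (';' prefix) and non-RRSIG records such as the A record itself.
func ExtractRRSIGs(digOutput string) ([]RRSIG, error) {
	var sigs []RRSIG
	sc := bufio.NewScanner(strings.NewReader(digOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		sig, err := ParseRRSIGLine(line)
		if errors.Is(err, errNotRRSIG) {
			continue
		}
		if err != nil {
			return nil, err
		}
		sigs = append(sigs, sig)
	}
	return sigs, sc.Err()
}

// Evaluate applies the freshness policy to one signature at instant now.
// minRemaining: the signature must stay valid at least this long (assumed
// threshold; choose it above the record TTL plus your re-signing interval).
// maxAge: the signature must have been produced within this window, which
// catches a signer that quietly stopped re-signing long before expiry.
func Evaluate(sig RRSIG, now time.Time, minRemaining, maxAge time.Duration) (string, bool) {
	switch {
	case !sig.Expiration.After(sig.Inception):
		return "malformed: expiration is not after inception", false
	case now.Before(sig.Inception):
		return fmt.Sprintf("not yet valid: inception in %s", sig.Inception.Sub(now).Round(time.Minute)), false
	case !now.Before(sig.Expiration):
		return fmt.Sprintf("EXPIRED %s ago", now.Sub(sig.Expiration).Round(time.Minute)), false
	}
	remaining := sig.Expiration.Sub(now)
	age := now.Sub(sig.Inception)
	if remaining < minRemaining {
		return fmt.Sprintf("expires in %s (threshold %s)", remaining.Round(time.Minute), minRemaining), false
	}
	if age > maxAge {
		return fmt.Sprintf("signed %s ago (threshold %s)", age.Round(time.Minute), maxAge), false
	}
	return fmt.Sprintf("ok: signed %s ago, expires in %s", age.Round(time.Minute), remaining.Round(time.Minute)), true
}

func main() {
	sigs, err := ExtractRRSIGs(sampleDig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// Fixed instant inside the sample's validity window so the run is reproducible;
	// a real monitor would use time.Now().UTC().
	now := time.Date(2024, 4, 12, 0, 0, 0, 0, time.UTC)
	for _, s := range sigs {
		msg, ok := Evaluate(s, now, 7*24*time.Hour, 7*24*time.Hour)
		fmt.Printf("RRSIG %s keytag %s: %s (healthy=%v)\n", s.TypeCovered, s.KeyTag, msg, ok)
	}
}
```

A real answer can carry more than one RRSIG per record set (for example during a double-signature key rollover), so a monitor has to decide whether it alerts when any signature fails the policy or only when none passes; the loop above reports each one separately and leaves that decision to the caller. The minimum-remaining threshold is what buys the repair time the request talks about: while it holds, copies already sitting in resolver caches remain valid even if re-signing has stalled.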