DNSSEC Negative Trust Anchor report

Victoria Risk vicky at isc.org
Wed Aug 15 00:29:18 UTC 2018

We have had a couple of requests for a log message warning that an NTA has just expired. The use case is, there is a help desk that needs to know when validation might be failing because of an NTA that was just removed.

Anyway, in response, Evan wrote a Python script that takes the output of rndc nta -d and lists the NTA's that are expiring in the next 24 hours. If you ran rndc nta -d and this script this daily, you would have a daily report. 

It gives you the full list of ntas, an indicator of whether they're already expired or yet to expire,  and the time of expiration.  
The python script filters out any that are already expired or whose expiration is more than a day in the future.

import sys, time, re

print ('Negative trust anchors expiring in the next 24 hours:')
found = False

for line in sys.stdin.readlines():
    r = re.compile('^([^ ]*): (expir[^ ]*) (.*)')
    m = r.match(line)
        (name, status, date) = m.groups()

    now = time.time()
    then = time.mktime(time.strptime(date, '%d-%b-%Y %H:%M:%S.%f'))
    if status == 'expiry' and then <= now + 86400:
        print ('  %s at %s' % (name, date))
        found = True

if not found:
    print ('  None')

I thought this might be useful to someone else out there.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180814/6e09a986/attachment.html>

More information about the bind-users mailing list