16 Úno
2022
16 Úno
'22
22:56
I'm trying to find a way to poll for any zones where knot is currently
waiting on DS submission to the parent.
I'm aware of the structured logging sent to systemd-journald but I see
this as not particularly useful for monitoring, as the event could be
missed by a dead daemon, bug in code, etc. I'd much prefer to be able
to actively monitor states by polling.
It looks like the only way I can do that right now is to run `keymgr
list` and analyze the output. If I'm reading the documentation
correctly, all I need to look for is a key that is `ksk=yes`, `ready
!= 0`, and `active = 0`.
Does that seem correct? Am I missing something simpler? :)
16 Úno
16 Úno
23:48
On 16/02/2022 22:56, Matthew Pounsett wrote:
Hi Matt,
I'm trying to find a way to poll for any zones
where knot is currently
waiting on DS submission to the parent.
We have a script that notifies us when it detects CDS records at our
zones' apices. The script doesn't even have to run on the signer; it can
be run anywhere, and can query either the signer, or any of the name
servers of the zones.
Regards,
Anand
18 Úno
18 Úno
21:05
On Wed, Feb 16, 2022 at 5:48 PM Anand Buddhdev <anandb(a)ripe.net> wrote:
We have a script that notifies us when it detects CDS records at our
zones' apices. The script doesn't even have to run on the signer; it can
be run anywhere, and can query either the signer, or any of the name
servers of the zones.
Ah yes! That seems like a way more useful way to monitor for this. Thanks!
17 Úno
17 Úno
8:43
Hi Matt,
On 2/16/22 22:56, Matthew Pounsett wrote:
I'm trying to find a way to poll for any zones
where knot is currently
waiting on DS submission to the parent.
I'm aware of the structured logging sent to systemd-journald but I see
this as not particularly useful for monitoring, as the event could be
missed by a dead daemon, bug in code, etc. I'd much prefer to be able
to actively monitor states by polling.
You won't miss the event as it's logged repeatedly - whenever the zone signing
event is started.
Knot DNS 3.1.6 offers another possibility. If you enable `server.dbus-event:
ksk-submission`,
you can listen on the system D-Bus for a specific signal
(https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#dbus-event).
A few sample client scripts can be found here
https://gitlab.nic.cz/knot/knot-dns/-/tree/master/samples
It looks like the only way I can do that right now is to run `keymgr
list` and analyze the output. If I'm reading the documentation
correctly, all I need to look for is a key that is `ksk=yes`, `ready
!= 0`, and `active = 0`.
That is correct.
Does that seem correct? Am I missing something simpler? :)
--
Also if you need to know the submission state for manual DS propagation, you can use
https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#ds-push
(One recent blog post on this topic
https://www.root.cz/clanky/knot-dns-dalsi-funkce-souvisejici-s-dnssec/ . Sorry for the
Czech version :-))
Daniel
9:39
On Wed, 16 Feb 2022 16:56:13 -0500
Matthew Pounsett <matt(a)conundrum.com> wrote:
I'm trying to find a way to poll for any zones
where knot is currently
waiting on DS submission to the parent.
Does that seem correct? Am I missing something
simpler? :)
I found this simplest in our system:
/usr/sbin/knotc zone-status | grep -v 'DS check: not scheduled' | \
sed 's/^\[\(..*\)\.\].*/\1/' | sort
That lists all domains where DS check is scheduled, so all domains
where CDS is published.
--
Tuomo Soini <tis(a)foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
22 Úno
22 Úno
18:06
Le 16/02/2022 à 22:56, Matthew Pounsett a écrit :
I'm trying to find a way to poll for any zones
where knot is currently
waiting on DS submission to the parent.
I'm aware of the structured logging sent to systemd-journald but I see
this as not particularly useful for monitoring, as the event could be
missed by a dead daemon, bug in code, etc. I'd much prefer to be able
to actively monitor states by polling.
It looks like the only way I can do that right now is to run `keymgr
list` and analyze the output. If I'm reading the documentation
correctly, all I need to look for is a key that is `ksk=yes`, `ready
!= 0`, and `active = 0`.
Does that seem correct? Am I missing something simpler? :)
--
Here is the script I have in my crontab :
#! /bin/sh
reponse=$(dig +short @ns.rail.eu.org CDS rail.eu.org)
if [ "$reponse" ];then
echo 'CDS present, rollover KSK en cours'
fi
1005
days inactive
1011
days old
5 comments
5 participants
participants (5)
-
Anand Buddhdev -
Daniel Salzman -
Erwan David -
Matthew Pounsett -
Tuomo Soini