We use FreeBSD-12 and Bind-9.11.6. We have DNSSEC enabled for some of our domains. I wish to verify the signature expiry date for these zones. I cannot seem to locate any information on exactly how this is done. Can someone provide me with this information?
1 Answers
0
`drill -D [domain]` should return the RRSIG value for your domain (if DNSSEC is working), with the expiration as well.

Bob Dole
- Sorry, it's `drill -D [domain]` to enable DNSSEC; you can find more information about drill [here](https://linux.die.net/man/1/drill). I'll edit my answer – Bob Dole Apr 11 '19 at 17:25
- This is what I had returned: `172800 IN RRSIG A 8 3 172800 20190505052042 20190405052042 59931` I gather the key signing date was 2019-04-05 at 05:20:42 and that the key expires on 2019-05-05 05:20:42. Am I correct? – James B. Byrne Apr 11 '19 at 17:35
- Pretty much. According to the [RFC](https://www.ietf.org/rfc/rfc4034.txt), 2019-04-05 is the signature inception date, as in the date/time that the key is valid from, and you are correct that 2019-05-05 is the expiration date. – Bob Dole Apr 11 '19 at 17:50
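
An added example, not part of the original answer or comments: a Python parser for the RRSIG lines that `drill -D` prints, reading the expiration and inception fields in the order RFC 4034 defines and classifying each signature against a warning window. The owner name, signer name and signature text in the sample are constructed placeholders; the TTL, algorithm, labels, timestamps and key tag are the values quoted in the comment above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout drill -D prints. Numeric RRSIG fields are the
# ones quoted in the thread; owner, signer and signature are placeholders.
SAMPLE = """\
;; ANSWER SECTION:
host.example.com.\t172800\tIN\tA\t192.0.2.10
host.example.com.\t172800\tIN\tRRSIG\tA 8 3 172800 20190505052042 20190405052042 59931 example.com. c2lnbmF0dXJl
"""

def rrsig_time(field):
    # RFC 4034 section 3.2: exactly 14 digits means YYYYMMDDHHmmSS in UTC;
    # otherwise the field is decimal seconds since the Unix epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield one dict per RRSIG record found in drill/dig style output."""
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(";") or "RRSIG" not in tok:
            continue
        i = tok.index("RRSIG")
        if len(tok) < i + 8:          # truncated record, key tag field missing
            continue
        # After RRSIG: covered alg labels origTTL expiration inception keytag ...
        yield {"owner": tok[0], "covered": tok[i + 1],
               "expiration": rrsig_time(tok[i + 5]),
               "inception": rrsig_time(tok[i + 6]),
               "key_tag": int(tok[i + 7])}

def check(text, now, warn=timedelta(days=7)):
    """Return (owner, covered type, status, time left) for every signature."""
    out = []
    for sig in parse_rrsigs(text):
        left = sig["expiration"] - now
        if now < sig["inception"]:
            status = "NOT-YET-VALID"
        elif left <= timedelta(0):
            status = "EXPIRED"
        elif left <= warn:
            status = "EXPIRING"
        else:
            status = "OK"
        out.append((sig["owner"], sig["covered"], status, left))
    return out

if __name__ == "__main__":
    for row in check(SAMPLE, datetime.now(timezone.utc)):
        print(*row)
```

Feeding `check()` the saved output of `drill -D` for each signed name from a scheduled job gives an early warning when a zone stops being re-signed.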