Support for DNSSEC signature freshness #734

Open
petrkutalek opened this issue Apr 13, 2024 · 1 comment

Comments

@petrkutalek

Describe the feature request

When DNSSEC is deployed in a DNS zone, it is important to check not only the availability of the authoritative server and its responses, but also the validity of DNSSEC.

Validity itself can be verified through a third-party DNS resolver, which will not provide a response if the DNSSEC record is not valid.

However, it is a useful feature to monitor that the DNSSEC records are fresh and have the correct validity so that you can intervene to correct the signing on the server before the zone is invalid, which can have significant consequences as the remediation can take many hours due to caching.

The idea is to check the time of the last record signing and sufficient time until the signature expires.

$ dig A nic.cz @1.1.1.1 +dnssec
nic.cz.    30m  IN  A      217.31.205.50
nic.cz.    30m  IN  RRSIG  A 13 2 1800 20240424072553 20240410055553 12833 nic.cz. cWOGbscTnLVPn070WDusLC6HxOZ5ZXPLd8tQ9JrekTWcceM/zTZL7FPv UiIm2XeGJYdyfuROWzr6/Hi59cdQVg==

The 5th and 6th fields in the RRSIG response are what we are interested in.

  • 5th, Expiration Time: The signature expiration time in UTC format [1].
  • 6th, Inception Time: The signature inception time in UTC format [1].

For example, the "competitive" project https://github.com/berthubert/simplomon can do this.

Why do you personally want this feature to be implemented?

see above

How long have you been using this project?

I switched to Gatus in 2023

Additional information

Thank you for considering my request. Gatus is a very nice project and is well done! This would take it a step further.

Footnotes

  [1] Please note that in the protocol itself this is transmitted as 32-bit values. RFC 4034, chapter 3.1.15
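The check described in the request, as an added worked example in Go (the language Gatus is written in); this is not code from the issue, from Gatus or from simplomon. It parses the RRSIG line from the dig output quoted above, takes the 5th and 6th RDATA fields as expiration and inception, and classifies the signature against an alert threshold. The evaluation time (the day the issue was opened) and the 7-day threshold are constructed for the illustration; the last function covers the footnote's point that on the wire these fields are 32-bit values, which RFC 4034 section 3.1.5 says to interpret as the instant closest to the current time.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Presentation format of the Expiration/Inception fields: YYYYMMDDHHmmSS, always UTC.
const rrsigTimeLayout = "20060102150405"

// RRSIG holds the fixed RDATA fields of one RRSIG record (RFC 4034, section 3).
type RRSIG struct {
	TypeCovered string
	Algorithm   uint8
	Labels      uint8
	OriginalTTL uint32
	Expiration  time.Time // 5th RDATA field
	Inception   time.Time // 6th RDATA field
	KeyTag      uint16
	SignerName  string
}

// parseRRSIG parses one RRSIG line as printed by `dig +dnssec`:
// owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer signature...
func parseRRSIG(line string) (RRSIG, error) {
	f := strings.Fields(line)
	start := -1
	for i, tok := range f {
		if tok == "RRSIG" {
			start = i + 1
			break
		}
	}
	if start < 0 || len(f)-start < 9 { // 8 fixed fields plus at least one signature token
		return RRSIG{}, errors.New("not an RRSIG record in presentation format")
	}
	var sig RRSIG
	var expS, incS string
	_, err := fmt.Sscanf(strings.Join(f[start:start+8], " "), "%s %d %d %d %s %s %d %s", &sig.TypeCovered,
		&sig.Algorithm, &sig.Labels, &sig.OriginalTTL, &expS, &incS, &sig.KeyTag, &sig.SignerName)
	if err != nil {
		return RRSIG{}, fmt.Errorf("malformed RRSIG rdata: %w", err)
	}
	// The strings carry no zone designator, so time.Parse yields UTC, as the RFC requires.
	if sig.Expiration, err = time.Parse(rrsigTimeLayout, expS); err != nil {
		return RRSIG{}, fmt.Errorf("bad expiration %q: %w", expS, err)
	}
	if sig.Inception, err = time.Parse(rrsigTimeLayout, incS); err != nil {
		return RRSIG{}, fmt.Errorf("bad inception %q: %w", incS, err)
	}
	return sig, nil
}

// Freshness is the evaluation of one RRSIG at time now.
type Freshness struct {
	Status    string        // "ok", "expiring-soon", "expired" or "not-yet-valid"
	Remaining time.Duration // until expiration (negative once expired)
	Age       time.Duration // since inception (negative before inception)
}

// checkFreshness implements the requested check: the signature must be inside its
// validity window, and at least minRemaining must be left before it expires.
func checkFreshness(sig RRSIG, now time.Time, minRemaining time.Duration) Freshness {
	f := Freshness{Remaining: sig.Expiration.Sub(now), Age: now.Sub(sig.Inception)}
	switch {
	case now.Before(sig.Inception):
		f.Status = "not-yet-valid" // usually a clock problem on the signer or the monitor
	case now.After(sig.Expiration):
		f.Status = "expired" // validating resolvers are already failing the zone
	case f.Remaining < minRemaining:
		f.Status = "expiring-soon" // still valid: this is the window in which to intervene
	default:
		f.Status = "ok"
	}
	return f
}

// wireTimeToTime maps the 32-bit wire form of the fields (seconds since the epoch modulo
// 2^32, RFC 4034 section 3.1.5) to the instant closest to now, as a validator does.
func wireTimeToTime(v uint32, now time.Time) time.Time {
	d := (int64(v) - now.Unix()) & 0xFFFFFFFF // signed offset reduced mod 2^32
	if d >= 1<<31 {
		d -= 1 << 32
	}
	return time.Unix(now.Unix()+d, 0).UTC()
}

func main() {
	line := "nic.cz. 30m IN RRSIG A 13 2 1800 20240424072553 20240410055553 12833 nic.cz. " +
		"cWOGbscTnLVPn070WDusLC6HxOZ5ZXPLd8tQ9JrekTWcceM/zTZL7FPv UiIm2XeGJYdyfuROWzr6/Hi59cdQVg==" // from the issue
	sig, err := parseRRSIG(line)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 4, 13, 12, 0, 0, 0, time.UTC) // constructed: the day the issue was opened
	f := checkFreshness(sig, now, 7*24*time.Hour)       // constructed 7-day alert threshold
	fmt.Printf("%s RRSIG by %s (key tag %d): %s, %s left, signed %s ago\n",
		sig.TypeCovered, sig.SignerName, sig.KeyTag, f.Status, f.Remaining, f.Age)
}
```

Two practical points for a live check. First, fetch the RRSIG from the authoritative server itself, or from a resolver queried with `dig +dnssec +cd`, so that an already-expired signature is still returned for inspection instead of SERVFAIL from a validating resolver. Second, pick the threshold relative to the signer's re-signing interval: the window in the example above is about 14 days, so a signature with less than half of that left usually means the periodic re-signing has already missed at least one run.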

@ser

ser commented Apr 29, 2024

It's a very important parameter; as a workaround I use zonemaster-cli and passive submission to Gatus. But it would be cool to have it natively.
