check_dnssec_expiry

No google resolver

Open robje opened this issue 7 years ago • 2 comments

This pull request contains 3 simple commits.

  • Use local resolver when no resolver is specified. Removes dependency on Google's 8.8.8.8
  • Fix a typo
  • Add usage information.

robje, Sep 15 '17 09:09

Thanks for your suggestions. I'm not 100% sure yet about the change regarding the local resolver; the other two commits look fine to me on first reading. I'll have a look at it again later.

mrimann, Sep 19 '17 07:09

I've just cherry-picked the two smaller changes you've proposed.

Then I checked the primary change you proposed regarding the resolver to be used: I checked out your code, and it didn't work out. Checking the same zone against 8.8.8.8 vs. checking it against the local resolver led to different results in my short test. In the end, using the local resolver led to a false-positive alert for a properly configured/signed zone.

So I think this would need some more thinking about how this could/should be implemented at all. If you don't want to check against Google's resolver, you could just configure the check to be executed against a specific resolver you have access to.

mrimann, Sep 20 '17 12:09