Scripting dnssec-verify - processing command output

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Scripting dnssec-verify - processing command output

Matthew Richardson
I have been using Perl to do a reasonable amount of scripting, running bind
utilities and processing the results into variables.  The details below are
from Bind 9.11.27 on Centos 7.

The code:-

    $resp = `dig -t soa example.com`;
    print "dig resp:'$resp'\n";

gets the result of the dig command into the variable $resp and prints it.

However:-

    $resp = `dnssec-verify -I text -o example.com example.com.zone`;
    print "dnssec-verify resp:'$resp'\n";

displays the results of the dnssec-verify command on the console and leaves
the variable $resp empty.

Any ideas would be appreciated...

As an aside, using dnssec-keygen DOES put the results into the variable.

Best wishes,
Matthew
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Scripting dnssec-verify - processing command output

Bind-Users forum mailing list
It sounds to me like dnssec-verify is sending the output in question to STDERR instead of STDOUT.


On Sat, 06 Feb 2021 19:02:28 +0000
Matthew Richardson <[hidden email]> wrote:

> I have been using Perl to do a reasonable amount of scripting, running bind
> utilities and processing the results into variables.  The details below are
> from Bind 9.11.27 on Centos 7.
>
> The code:-
>
>     $resp = `dig -t soa example.com`;
>     print "dig resp:'$resp'\n";
>
> gets the result of the dig command into the variable $resp and prints it.
>
> However:-
>
>     $resp = `dnssec-verify -I text -o example.com example.com.zone`;
>     print "dnssec-verify resp:'$resp'\n";
>
> displays the results of the dnssec-verify command on the console and leaves
> the variable $resp empty.
>
> Any ideas would be appreciated...
>
> As an aside, using dnssec-keygen DOES put the results into the variable.
>
> Best wishes,
> Matthew
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Scripting dnssec-verify - processing command output

@lbutlr
On 06 Feb 2021, at 17:45, Paul Kosinski via bind-users <[hidden email]> wrote:
> It sounds to me like dnssec-verify is sending the output in question to STDERR instead of STDOUT.

Dnssec-verify sends errors (like missing /Bad/Expected lines) to stderr, it sends status warnings like "The zone is not fully signed" to stdout.

Easy to see that the output is by adding 2>/dev/null to your command on the shell and seeing what goes where.

On my system messages like

Zone fully signed:
Algorithm: …

appear on stdout.

--
BART BUCKS ARE NOT LEGAL TENDER Bart chalkboard Ep. 8F06

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: Scripting dnssec-verify - processing command output

Matthew Richardson
In reply to this post by Bind-Users forum mailing list
Thanks!  That diagnosis is spot on: dnssec-verify is sending all its output
to STDERR as demonstrated by:-

>[matthew@m71 ~]$ dnssec-verify -I text -o itconsult.net itconsult.net.zone >temp-out 2>temp-err
>[matthew@m71 ~]$ ls -l temp-*
>-rw-rw-r-- 1 matthew matthew 279 Feb  7 09:34 temp-err
>-rw-rw-r-- 1 matthew matthew   0 Feb  7 09:34 temp-out

The fix (well, lash up) in Perl then becomes:-

    $resp = `dnssec-verify -I text -o example.com example.com.zone 2>&1`;

which then gets the output from STDERR into the variable.

Let's wait for the ISC folks to see whether they think this is a bug...

Best wishes,
Matthew

 ------
>From: Paul Kosinski via bind-users <[hidden email]>
>To: [hidden email]
>Cc:
>Date: Sat, 6 Feb 2021 19:45:54 -0500
>Subject: Re: Scripting dnssec-verify - processing command output

>It sounds to me like dnssec-verify is sending the output in question to STDERR instead of STDOUT.
>
>
>On Sat, 06 Feb 2021 19:02:28 +0000
>Matthew Richardson <[hidden email]> wrote:
>
>> I have been using Perl to do a reasonable amount of scripting, running bind
>> utilities and processing the results into variables.  The details below are
>> from Bind 9.11.27 on Centos 7.
>>
>> The code:-
>>
>>     $resp = `dig -t soa example.com`;
>>     print "dig resp:'$resp'\n";
>>
>> gets the result of the dig command into the variable $resp and prints it.
>>
>> However:-
>>
>>     $resp = `dnssec-verify -I text -o example.com example.com.zone`;
>>     print "dnssec-verify resp:'$resp'\n";
>>
>> displays the results of the dnssec-verify command on the console and leaves
>> the variable $resp empty.
>>
>> Any ideas would be appreciated...
>>
>> As an aside, using dnssec-keygen DOES put the results into the variable.
>>
>> Best wishes,
>> Matthew
>_______________________________________________
>Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
>bind-users mailing list
>[hidden email]
>https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users