Commit 0ece47f7 authored by Mark Andrews's avatar Mark Andrews
Browse files

2992. [contrib] contrib/check-secure-delegation.pl: A simple tool

                        for looking at a secure delegation. [RT #22059]
parent 1f512cd0
2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
for looking at a secure delegation. [RT #22059]
2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
dynamic zones. [RT #22365]
......
......@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
AC_REVISION($Revision: 1.507 $)
AC_REVISION($Revision: 1.508 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
......@@ -3298,6 +3298,7 @@ AC_CONFIG_FILES([
bin/tools/Makefile
bin/dnssec/Makefile
bin/pkcs11/Makefile
contrib/check-secure-delegation.pl
doc/Makefile
doc/arm/Makefile
doc/misc/Makefile
......
#!@PERL@
#
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: check-secure-delegation.pl.in,v 1.2 2010/12/21 02:32:21 marka Exp $
use warnings;
use FileHandle;
use IPC::Open2;
use POSIX qw/strftime/;
#
# We only compare keyid / DNSSEC algorithm pairs. If this succeeds then
# the crypto will likely succeed. If it fails then the crypto will definitely
# fail.
#
$prefix = "@prefix@";
$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
# Get "now" in a RRSIG datestamp format.
$now = strftime "%Y%m%d%H%M%S", gmtime;
foreach $zone (@ARGV) {
my %algorithms = ();
my %dnskeygood = ();
my %dnskeyalg = ();
my %dnskey = ();
my %dsgood = ();
my %ds = ();
# Read the DS records and extract the key id, algorithm pairs
open(DS, "$dig -t DS -q $zone|") || die("dig DS failed");
while(<DS>) {
@words = split;
if ($words[3] eq "RRSIG" && $words[4] eq "DS") {
next if ($words[8] >= $now && $words[9] <= $now);
print "BAD SIG DATES: $_";
}
next if ($words[3] ne "DS");
$ds{"$words[4] $words[5]"} = 1;
$algorithms{"$words[5]"} = 1;
}
close(DS);
# Read the RRSIG(DNSKEY) records and extract the key id,
# algorithm pairs. Set good if we have a match against the DS
# records. DNSKEY records should be before the RRSIG records.
open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed");
while (<DNSKEY>) {
@words = split;
if ($words[3] eq "DNSKEY") {
$dnskeyalg{"$words[6]"} = 1;
next if (! -e "/dev/stdin");
# get the key id ($dswords[3]).
$pid = open2(*Reader, *Writer, "$dsfromkey $zone");
die("dsfromkey failed") if ($pid == -1);
print Writer "$_";
close(Writer);
$line = <Reader>;
close(Reader);
@dswords = split /\s/, $line;
$dnskey{"$dswords[3] $dswords[4]"} = 1;
next;
}
next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY");
if ($words[8] >= $now && $words[9] <= $now) {
# If we don't have /dev/stdin then just check for the
# RRSIG otherwise check for both the DNSKEY and
# RRSIG.
$dsgood{"$words[5]"} = 1
if (! -e "/dev/stdin" &&
exists($ds{"$words[10] $words[5]"}));
$dsgood{"$words[5]"} = 1
if (exists($ds{"$words[10] $words[5]"}) &&
exists($dnskey{"$words[10] $words[5]"}));
$dnskeygood{"$words[5]"} = 1
if (! -e "/dev/stdin");
$dnskeygood{"$words[5]"} = 1
if (exists($dnskey{"$words[10] $words[5]"}));
} else {
$dnskeygood{"$words[5]"} = 1;
print "BAD SIG DATES: $_";
}
}
close(DNSKEY);
# Do we have signatures for all DNSKEY algorithms?
foreach $alg ( keys %dnskeyalg ) {
print "Missing $zone DNSKEY RRSIG for algorithm $alg\n"
if (!exists($dnskeygood{$alg}));
}
# Do we have a matching self signed DNSKEY for all DNSSEC algorithms
# in the DS records.
$count = 0;
foreach $alg ( keys %algorithms ) {
if (exists($dsgood{$alg})) {
print "$zone algorithm $alg good " .
"(found DS / self signed DNSKEY pair)\n";
} else {
print "$zone algorithm $alg bad " .
"(no DS / self signed DNSKEY pair found)\n";
}
$count++;
}
print "$zone has no secure delegation records\n"
if (! $count);
}
......@@ -1365,6 +1365,7 @@
./conftools/perllib/dnsconf/named1.conf CONF-C 2000,2001,2004,2007
./conftools/perllib/dnsconf/test.pl PERL 2000,2001,2004,2007
./contrib/.cvsignore X 2000,2001
./contrib/check-secure-delegation.pl.in PERL 2010
./contrib/dbus/GetForwarders X 2006
./contrib/dbus/INSTALL X 2006
./contrib/dbus/Makefile.9.3.2b1 X 2006
......@@ -1786,6 +1787,7 @@
./contrib/zkt/zkt.h X 2008
./contrib/zkt/zone.c X 2008,2009,2010
./contrib/zkt/zone.h X 2008
./contrib/zone-edit.sh.in SH 2010
./doc/.cvsignore X 2000,2001
./doc/Makefile.in MAKE 2000,2001,2004,2005,2006,2007
./doc/arm/.cvsignore X 2000,2001,2005
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment