From 0ece47f7c1cf03718726d9dff183b02fa35115e6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 21 Dec 2010 02:32:21 +0000 Subject: [PATCH] 2992. [contrib] contrib/check-secure-delegation.pl: A simple tool for looking at a secure delegation. [RT #22059] --- CHANGES | 3 + configure.in | 3 +- contrib/check-secure-delegation.pl.in | 121 ++++++++++++++++++++++++++ util/copyrights | 2 + 4 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 contrib/check-secure-delegation.pl.in diff --git a/CHANGES b/CHANGES index 8cf4cf47cf..b62f0c23d8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2992. [contrib] contrib/check-secure-delegation.pl: A simple tool + for looking at a secure delegation. [RT #22059] + 2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for dynamic zones. [RT #22365] diff --git a/configure.in b/configure.in index 1b993eb727..565f413cec 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.507 $) +AC_REVISION($Revision: 1.508 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -3298,6 +3298,7 @@ AC_CONFIG_FILES([ bin/tools/Makefile bin/dnssec/Makefile bin/pkcs11/Makefile + contrib/check-secure-delegation.pl doc/Makefile doc/arm/Makefile doc/misc/Makefile diff --git a/contrib/check-secure-delegation.pl.in b/contrib/check-secure-delegation.pl.in new file mode 100644 index 0000000000..87c868ae3f --- /dev/null +++ b/contrib/check-secure-delegation.pl.in 
@@ -0,0 +1,121 @@
+#!@PERL@
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: check-secure-delegation.pl.in,v 1.2 2010/12/21 02:32:21 marka Exp $
+
+use warnings;
+use FileHandle;
+use IPC::Open2;
+use POSIX qw/strftime/;
+
+#
+# We only compare keyid / DNSSEC algorithm pairs. If this succeeds then
+# the crypto will likely succeed. If it fails then the crypto will definitely
+# fail.
+#
+$prefix = "@prefix@";
+$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
+$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
+
+# Get "now" in a RRSIG datestamp format.
+$now = strftime "%Y%m%d%H%M%S", gmtime; + +foreach $zone (@ARGV) { + my %algorithms = (); + my %dnskeygood = (); + my %dnskeyalg = (); + my %dnskey = (); + my %dsgood = (); + my %ds = (); + + # Read the DS records and extract the key id, algorithm pairs + open(DS, "$dig -t DS -q $zone|") || die("dig DS failed"); + while() { + @words = split; + if ($words[3] eq "RRSIG" && $words[4] eq "DS") { + next if ($words[8] >= $now && $words[9] <= $now); + print "BAD SIG DATES: $_"; + } + next if ($words[3] ne "DS"); + $ds{"$words[4] $words[5]"} = 1; + $algorithms{"$words[5]"} = 1; + } + close(DS); + + # Read the RRSIG(DNSKEY) records and extract the key id, + # algorithm pairs. Set good if we have a match against the DS + # records. DNSKEY records should be before the RRSIG records. + open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed"); + while () { + @words = split; + if ($words[3] eq "DNSKEY") { + $dnskeyalg{"$words[6]"} = 1; + next if (! -e "/dev/stdin"); + # get the key id ($dswords[3]). + $pid = open2(*Reader, *Writer, "$dsfromkey $zone"); + die("dsfromkey failed") if ($pid == -1); + print Writer "$_"; + close(Writer); + $line = ; + close(Reader); + @dswords = split /\s/, $line; + $dnskey{"$dswords[3] $dswords[4]"} = 1; + next; + } + next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY"); + if ($words[8] >= $now && $words[9] <= $now) { + # If we don't have /dev/stdin then just check for the + # RRSIG otherwise check for both the DNSKEY and + # RRSIG. + $dsgood{"$words[5]"} = 1 + if (! -e "/dev/stdin" && + exists($ds{"$words[10] $words[5]"})); + $dsgood{"$words[5]"} = 1 + if (exists($ds{"$words[10] $words[5]"}) && + exists($dnskey{"$words[10] $words[5]"})); + $dnskeygood{"$words[5]"} = 1 + if (! -e "/dev/stdin"); + $dnskeygood{"$words[5]"} = 1 + if (exists($dnskey{"$words[10] $words[5]"})); + } else { + $dnskeygood{"$words[5]"} = 1; + print "BAD SIG DATES: $_"; + } + } + close(DNSKEY); + + # Do we have signatures for all DNSKEY algorithms? 
+ foreach $alg ( keys %dnskeyalg ) { + print "Missing $zone DNSKEY RRSIG for algorithm $alg\n" + if (!exists($dnskeygood{$alg})); + } + + # Do we have a matching self signed DNSKEY for all DNSSEC algorithms + # in the DS records. + $count = 0; + foreach $alg ( keys %algorithms ) { + if (exists($dsgood{$alg})) { + print "$zone algorithm $alg good " . + "(found DS / self signed DNSKEY pair)\n"; + } else { + print "$zone algorithm $alg bad " . + "(no DS / self signed DNSKEY pair found)\n"; + } + $count++; + } + print "$zone has no secure delegation records\n" + if (! $count); +} diff --git a/util/copyrights b/util/copyrights index 04a00bdde8..3759b80b43 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1365,6 +1365,7 @@ ./conftools/perllib/dnsconf/named1.conf CONF-C 2000,2001,2004,2007 ./conftools/perllib/dnsconf/test.pl PERL 2000,2001,2004,2007 ./contrib/.cvsignore X 2000,2001 +./contrib/check-secure-delegation.pl.in PERL 2010 ./contrib/dbus/GetForwarders X 2006 ./contrib/dbus/INSTALL X 2006 ./contrib/dbus/Makefile.9.3.2b1 X 2006 @@ -1786,6 +1787,7 @@ ./contrib/zkt/zkt.h X 2008 ./contrib/zkt/zone.c X 2008,2009,2010 ./contrib/zkt/zone.h X 2008 +./contrib/zone-edit.sh.in SH 2010 ./doc/.cvsignore X 2000,2001 ./doc/Makefile.in MAKE 2000,2001,2004,2005,2006,2007 ./doc/arm/.cvsignore X 2000,2001,2005
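Review bot: `$zone` comes straight from `@ARGV` and is interpolated into shell command strings three times — `open(DS, "$dig -t DS -q $zone|")`, the matching `open(DNSKEY, ...)`, and `open2(*Reader, *Writer, "$dsfromkey $zone")` — so a zone argument containing shell metacharacters runs arbitrary commands as the invoking user. For an operator typing names on the command line that is only hygiene, but as soon as the script is driven from a zone list or any other automated source it becomes command injection; the list forms of `open` (`'-|'`) and `open2` exec the tools directly without a shell and behave identically for ordinary names. Separately, the return values of `close(DS)` and `close(DNSKEY)` are ignored, so a dig that cannot be started or gets no reply from any server (non-zero exit) yields no answer lines and the zone is reported as having "no secure delegation records" instead of as a lookup failure; a SERVFAIL still exits 0 and would need the status line (`+comments`) to detect. The file has `use warnings` but no `use strict`, which is why every variable is a package global — `use strict;` plus `my` on the per-zone scalars would be cheap and catches typos in the many hash-key strings. The `$pid == -1` check after `open2` looks unreachable, since IPC::Open2 raises an exception on failure rather than returning -1.
```perl
$prefix = "@prefix@";
# Argument lists, not shell strings: $zone becomes a single argv entry.
@dig = ("$prefix/bin/dig", "+cd", "+dnssec", "+noall", "+answer");
@dsfromkey = ("$prefix/sbin/dnssec-dsfromkey", "-1", "-A", "-f", "/dev/stdin");

# … unchanged: $now, per-zone hash setup …
	open(DS, "-|", @dig, "-t", "DS", "-q", $zone) || die("dig DS failed: $!");
	# … unchanged: DS parsing loop …
	close(DS) || print "dig DS failed for $zone (exit status $?)\n";

	open(DNSKEY, "-|", @dig, "-t", "DNSKEY", "-q", $zone) || die("dig DNSKEY failed: $!");
	# … unchanged: DNSKEY line parsing …
			$pid = open2(*Reader, *Writer, @dsfromkey, $zone);
	# … unchanged: rest of DNSKEY/RRSIG loop …
	close(DNSKEY) || print "dig DNSKEY failed for $zone (exit status $?)\n";
```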