summaryrefslogtreecommitdiffstats
path: root/contrib/scripts/check-secure-delegation.pl.in
blob: 0f38c08f229cb95b97e87c2a8c49c44db0fd2903 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
#!@PERL@
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

use warnings;
use FileHandle;
use IPC::Open2;
use POSIX qw/strftime/;

#
# We only compare keyid / DNSSEC algorithm pairs.  If this succeeds then
# the crypto will likely succeed.  If it fails then the crypto will definitely
# fail.
#
$prefix = "@prefix@";
$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";

# Get "now" in a RRSIG datestamp format.
$now = strftime "%Y%m%d%H%M%S", gmtime;

foreach $zone (@ARGV) {
	my %algorithms = ();
	my %dnskeygood = ();
	my %dnskeyalg = ();
	my %dnskey = ();
	my %dsgood = ();
	my %ds = ();

	# Read the DS records and extract the key id, algorithm pairs
	open(DS, "$dig -t DS -q $zone|") || die("dig DS failed");
	while(<DS>) {
		@words = split;
		if ($words[3] eq "RRSIG" && $words[4] eq "DS") {
			next if ($words[8] >= $now && $words[9] <= $now);
			print "BAD SIG DATES: $_";
		}
		next if ($words[3] ne "DS");
		$ds{"$words[4] $words[5]"} = 1;
		$algorithms{"$words[5]"} = 1;
	}
	close(DS);

	# Read the RRSIG(DNSKEY) records and extract the key id,
	# algorithm pairs.  Set good if we have a match against the DS
	# records.  DNSKEY records should be before the RRSIG records.
	open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed");
	while (<DNSKEY>) {
		@words = split;
		if ($words[3] eq "DNSKEY") {
			$dnskeyalg{"$words[6]"} = 1;
			next if (! -e "/dev/stdin");
			# get the key id ($dswords[3]).
			$pid = open2(*Reader, *Writer, "$dsfromkey $zone");
			die("dsfromkey failed") if ($pid == -1);
			print Writer "$_";
			close(Writer);
			$line = <Reader>;
			close(Reader);
			@dswords = split /\s/, $line;
			$dnskey{"$dswords[3] $dswords[4]"} = 1;
			next;
		}
		next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY");
		if ($words[8] >= $now && $words[9] <= $now) {
			# If we don't have /dev/stdin then just check for the
			# RRSIG otherwise check for both the DNSKEY and
			# RRSIG.
			$dsgood{"$words[5]"} = 1
				if (! -e "/dev/stdin" &&
				    exists($ds{"$words[10] $words[5]"}));
			$dsgood{"$words[5]"} = 1
				if (exists($ds{"$words[10] $words[5]"}) &&
				    exists($dnskey{"$words[10] $words[5]"}));
			$dnskeygood{"$words[5]"} = 1
				if (! -e "/dev/stdin");
			$dnskeygood{"$words[5]"} = 1
				if (exists($dnskey{"$words[10] $words[5]"}));
		} else {
			$dnskeygood{"$words[5]"} = 1;
			print "BAD SIG DATES: $_";
		}
	}
	close(DNSKEY);

	# Do we have signatures for all DNSKEY algorithms?
	foreach $alg ( keys %dnskeyalg ) {
		print "Missing $zone DNSKEY RRSIG for algorithm $alg\n"
			if (!exists($dnskeygood{$alg}));
	}

	# Do we have a matching self signed DNSKEY for all DNSSEC algorithms
	# in the DS records.
	$count = 0;
	foreach $alg ( keys %algorithms ) {
		if (exists($dsgood{$alg})) {
			print "$zone algorithm $alg good " .
			      "(found DS / self signed DNSKEY pair)\n";
		} else {
			print "$zone algorithm $alg bad " .
			      "(no DS / self signed DNSKEY pair found)\n";
		}
		$count++;
	}
	print "$zone has no secure delegation records\n"
		if (! $count);
}