bind-9.11.3/contrib/check-secure-delegation.pl.in

	check-secure-delegation.pl.in revision bf8267aa453e5d2a735ed732a043b77a0b355b20
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews#!@PERL@
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews#
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews#
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# Permission to use, copy, modify, and/or distribute this software for any
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# purpose with or without fee is hereby granted, provided that the above
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# copyright notice and this permission notice appear in all copies.
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews#
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# PERFORMANCE OF THIS SOFTWARE.
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# $Id: check-secure-delegation.pl.in,v 1.2 2010/12/21 02:32:21 marka Exp $
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrewsuse warnings;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrewsuse FileHandle;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrewsuse IPC::Open2;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrewsuse POSIX qw/strftime/;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews#
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# We only compare keyid / DNSSEC algorithm pairs.  If this succeeds then
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# the crypto will likely succeed.  If it fails then the crypto will definitely
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# fail.
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews#
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews$prefix = "@prefix@";
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews$dig = "$prefix/bin/dig +cd +dnssec +noall +answer";
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews# Get "now" in a RRSIG datestamp format.
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews$now = strftime "%Y%m%d%H%M%S", gmtime;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrewsforeach $zone (@ARGV) {
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	my %algorithms = ();
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	my %dnskeygood = ();
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	my %dnskeyalg = ();
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	my %dnskey = ();
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	my %dsgood = ();
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	my %ds = ();
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	# Read the DS records and extract the key id, algorithm pairs
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	open(DS, "$dig -t DS -q $zone|") || die("dig DS failed");
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	while(<DS>) {
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		@words = split;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		if ($words[3] eq "RRSIG" && $words[4] eq "DS") {
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			next if ($words[8] >= $now && $words[9] <= $now);
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			print "BAD SIG DATES: $_";
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		}
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		next if ($words[3] ne "DS");
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		$ds{"$words[4] $words[5]"} = 1;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		$algorithms{"$words[5]"} = 1;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	}
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	close(DS);
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	# Read the RRSIG(DNSKEY) records and extract the key id,
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	# algorithm pairs.  Set good if we have a match against the DS
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	# records.  DNSKEY records should be before the RRSIG records.
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	open(DNSKEY, "$dig -t DNSKEY -q $zone|") || die("dig DNSKEY failed");
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews	while (<DNSKEY>) {
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		@words = split;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		if ($words[3] eq "DNSKEY") {
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			$dnskeyalg{"$words[6]"} = 1;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			next if (! -e "/dev/stdin");
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			# get the key id ($dswords[3]).
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			$pid = open2(*Reader, *Writer, "$dsfromkey $zone");
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			die("dsfromkey failed") if ($pid == -1);
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			print Writer "$_";
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			close(Writer);
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			$line = <Reader>;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			close(Reader);
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			@dswords = split /\s/, $line;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			$dnskey{"$dswords[3] $dswords[4]"} = 1;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			next;
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		}
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		next if ($words[3] ne "RRSIG" || $words[4] ne "DNSKEY");
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews		if ($words[8] >= $now && $words[9] <= $now) {
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			# If we don't have /dev/stdin then just check for the
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			# RRSIG otherwise check for both the DNSKEY and
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			# RRSIG.
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			$dsgood{"$words[5]"} = 1
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews				if (! -e "/dev/stdin" &&
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews				    exists($ds{"$words[10] $words[5]"}));
5c526acb82c882e41b655c31f5fa4425c87b671cMark Andrews			$dsgood{"$words[5]"} = 1
				if (exists($ds{"$words[10] $words[5]"}) &&
				    exists($dnskey{"$words[10] $words[5]"}));
			$dnskeygood{"$words[5]"} = 1
				if (! -e "/dev/stdin");
			$dnskeygood{"$words[5]"} = 1
				if (exists($dnskey{"$words[10] $words[5]"}));
		} else {
			$dnskeygood{"$words[5]"} = 1;
			print "BAD SIG DATES: $_";
		}
	}
	close(DNSKEY);

	# Do we have signatures for all DNSKEY algorithms?
	foreach $alg ( keys %dnskeyalg ) {
		print "Missing $zone DNSKEY RRSIG for algorithm $alg\n"
			if (!exists($dnskeygood{$alg}));
	}

	# Do we have a matching self signed DNSKEY for all DNSSEC algorithms
	# in the DS records.
	$count = 0;
	foreach $alg ( keys %algorithms ) {
		if (exists($dsgood{$alg})) {
			print "$zone algorithm $alg good " .
			      "(found DS / self signed DNSKEY pair)\n";
		} else {
			print "$zone algorithm $alg bad " .
			      "(no DS / self signed DNSKEY pair found)\n";
		}
		$count++;
	}
	print "$zone has no secure delegation records\n"
		if (! $count);
}