#!@PERL@
#
# Copyright (C) 2010, 2012, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# $Id: check-secure-delegation.pl.in,v 1.2 2010/12/21 02:32:21 marka Exp $
use warnings;
use FileHandle;
#
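# We only compare keyid / DNSSEC algorithm pairs. If this succeeds then
# the crypto will likely succeed. If it fails then the crypto will definitely
# fail. Key ids are 16-bit tags and can collide, so a match here is a
# consistency check, not cryptographic validation of the delegation.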
#
# Installation prefix. "@prefix@" and the "@PERL@" shebang look like build-time
# placeholders (the $Id line names this file as a .pl.in template) -- presumably
# filled in before the script is installed; confirm against the build system.
$prefix = "@prefix@";
# Command line used to derive DS records from DNSKEY data:
#   -1              SHA-1 digest
#   -A              include keys without the KSK flag as well
#   -f /dev/stdin   zone file mode, reading the records from standard input
# Only the key id / algorithm fields are compared (see the header comment), so
# the SHA-1 digest itself presumably never takes part in a trust decision here.
# NOTE(review): the place where this string is executed is not visible in this
# listing. If a zone name is appended and the result is run through a shell,
# validate the name first or invoke the command in list form.
$dsfromkey = "$prefix/sbin/dnssec-dsfromkey -1 -A -f /dev/stdin";
# Get "now" in RRSIG datestamp format.
# Read the DS records and extract the key id, algorithm pairs
print "BAD SIG DATES: $_";
}
}
# Read the RRSIG(DNSKEY) records and extract the key id,
# algorithm pairs. Set good if we have a match against the DS
# records. DNSKEY records should be before the RRSIG records.
# get the key id ($dswords[3]).
next;
}
# RRSIG otherwise check for both the DNSKEY and
# RRSIG.
} else {
print "BAD SIG DATES: $_";
}
}
# Do we have signatures for all DNSKEY algorithms?
}
# Do we have a matching self-signed DNSKEY for every DNSSEC algorithm
# in the DS records?
$count = 0;
"(found DS / self signed DNSKEY pair)\n";
} else {
"(no DS / self signed DNSKEY pair found)\n";
}
$count++;
}
print "$zone has no secure delegation records\n"
}