From ff5e4ef87194735870012f73ff998a7b4d8da4a9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 14 Jul 2014 13:42:24 +0200 Subject: [PATCH] netexternal.cgi: Show DNSSEC status The netexternal.cgi has been extended to show what type of DNSSEC support the upstream nameservers offer. --- config/rootfiles/core/80/filelists/files | 1 + doc/language_issues.es | 5 ++ doc/language_issues.fr | 5 ++ doc/language_issues.nl | 5 ++ doc/language_issues.pl | 5 ++ doc/language_issues.ru | 5 ++ doc/language_issues.tr | 5 ++ doc/language_missings | 20 +++++ html/cgi-bin/netexternal.cgi | 107 ++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 5 ++ langs/en/cgi-bin/en.pl | 5 ++ 11 files changed, 167 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/80/filelists/files b/config/rootfiles/core/80/filelists/files index 8ece4f83e..91d3b62e2 100644 --- a/config/rootfiles/core/80/filelists/files +++ b/config/rootfiles/core/80/filelists/files @@ -6,6 +6,7 @@ etc/rc.d/init.d/dnsmasq etc/rc.d/init.d/networking/red.up/30-ddns srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/netexternal.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/routing.cgi usr/sbin/dhcrelay diff --git a/doc/language_issues.es b/doc/language_issues.es index 11e11d1e9..117688362 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -663,6 +663,10 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dnssec aware +WARNING: untranslated string: dnssec information +WARNING: untranslated string: dnssec not supported +WARNING: untranslated string: dnssec validating WARNING: untranslated string: downlink WARNING: untranslated string: download tls-auth key WARNING: untranslated string: dpd delay 
@@ -874,6 +878,7 @@ WARNING: untranslated string: modem sim information WARNING: untranslated string: modem status WARNING: untranslated string: monitor interface WARNING: untranslated string: most preferred +WARNING: untranslated string: nameserver WARNING: untranslated string: no hardware random number generator WARNING: untranslated string: not a valid dh key WARNING: untranslated string: notice diff --git a/doc/language_issues.fr b/doc/language_issues.fr index e93eeb0f0..beca0080b 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -674,6 +674,10 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dnssec aware +WARNING: untranslated string: dnssec information +WARNING: untranslated string: dnssec not supported +WARNING: untranslated string: dnssec validating WARNING: untranslated string: downlink WARNING: untranslated string: download tls-auth key WARNING: untranslated string: dpd delay @@ -885,6 +889,7 @@ WARNING: untranslated string: modem sim information WARNING: untranslated string: modem status WARNING: untranslated string: monitor interface WARNING: untranslated string: most preferred +WARNING: untranslated string: nameserver WARNING: untranslated string: no hardware random number generator WARNING: untranslated string: not a valid dh key WARNING: untranslated string: notice diff --git a/doc/language_issues.nl b/doc/language_issues.nl index ce44d14fd..6162636f6 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -671,6 +671,10 @@ WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter WARNING: untranslated string: dns servers +WARNING: untranslated string: dnssec aware +WARNING: untranslated string: dnssec information +WARNING: untranslated string: dnssec not supported +WARNING: untranslated string: dnssec validating WARNING: untranslated string: download tls-auth key WARNING: untranslated string: drop outgoing WARNING: untranslated string: firewall logs country @@ -693,6 +697,7 @@ WARNING: untranslated string: modem no connection message WARNING: untranslated string: modem sim information WARNING: untranslated string: modem status WARNING: untranslated string: monitor interface +WARNING: untranslated string: nameserver WARNING: untranslated string: not a valid dh key WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 11e11d1e9..117688362 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -663,6 +663,10 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dnssec aware +WARNING: untranslated string: dnssec information +WARNING: untranslated string: dnssec not supported +WARNING: untranslated string: dnssec validating WARNING: untranslated string: downlink WARNING: untranslated string: download tls-auth key WARNING: untranslated string: dpd delay 
@@ -874,6 +878,7 @@ WARNING: untranslated string: modem sim information WARNING: untranslated string: modem status WARNING: untranslated string: monitor interface WARNING: untranslated string: most preferred +WARNING: untranslated string: nameserver WARNING: untranslated string: no hardware random number generator WARNING: untranslated string: not a valid dh key WARNING: untranslated string: notice diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 1cea7f36e..547e1d406 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -668,6 +668,10 @@ WARNING: untranslated string: dnsforward edit an entry WARNING: untranslated string: dnsforward entries WARNING: untranslated string: dnsforward forward_server WARNING: untranslated string: dnsforward zone +WARNING: untranslated string: dnssec aware +WARNING: untranslated string: dnssec information +WARNING: untranslated string: dnssec not supported +WARNING: untranslated string: dnssec validating WARNING: untranslated string: downlink WARNING: untranslated string: download tls-auth key WARNING: untranslated string: dpd delay @@ -870,6 +874,7 @@ WARNING: untranslated string: modem sim information WARNING: untranslated string: modem status WARNING: untranslated string: monitor interface WARNING: untranslated string: most preferred +WARNING: untranslated string: nameserver WARNING: untranslated string: no hardware random number generator WARNING: untranslated string: not a valid dh key WARNING: untranslated string: notice diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 2843d53fb..cc40178b8 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -672,6 +672,10 @@ WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter +WARNING: untranslated string: dnssec aware +WARNING: untranslated string: dnssec information +WARNING: untranslated string: dnssec not supported +WARNING: untranslated string: dnssec validating WARNING: untranslated string: download tls-auth key WARNING: untranslated string: firewall logs country WARNING: untranslated string: fwhost err hostip @@ -693,6 +697,7 @@ WARNING: untranslated string: modem no connection message WARNING: untranslated string: modem sim information WARNING: untranslated string: modem status WARNING: untranslated string: monitor interface +WARNING: untranslated string: nameserver WARNING: untranslated string: not a valid dh key WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh diff --git a/doc/language_missings b/doc/language_missings index 69cd2185c..4699f1276 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -94,6 +94,10 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dnssec aware +< dnssec information +< dnssec not supported +< dnssec validating < dns servers < downlink < download dh parameter @@ -351,6 +355,7 @@ < monitor interface < most preferred < MTU settings +< nameserver < never < no hardware random number generator < not a valid dh key @@ -620,6 +625,10 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dnssec aware +< dnssec information +< dnssec not supported +< dnssec validating < dns servers < downlink < download dh parameter @@ -877,6 +886,7 @@ < monitor interface < most preferred < MTU settings +< nameserver < never < no hardware random number generator < not a valid dh key 
@@ -1138,6 +1148,10 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dnssec aware +< dnssec information +< dnssec not supported +< dnssec validating < dns servers < downlink < download dh parameter @@ -1387,6 +1401,7 @@ < monitor interface < most preferred < MTU settings +< nameserver < never < no hardware random number generator < not a valid dh key @@ -1635,6 +1650,10 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone +< dnssec aware +< dnssec information +< dnssec not supported +< dnssec validating < dns servers < downlink < download dh parameter @@ -1889,6 +1908,7 @@ < month-graph < most preferred < MTU settings +< nameserver < never < no hardware random number generator < not a valid dh key diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi index 156ef2418..39c50e15c 100644 --- a/html/cgi-bin/netexternal.cgi +++ b/html/cgi-bin/netexternal.cgi 
@@ -76,6 +76,82 @@ if ( $querry[0] ne~ ""){ &Header::closebox(); } + ## DNSSEC + my @nameservers = (); + foreach my $f ("${General::swroot}/red/dns1", "${General::swroot}/red/dns2") { + open(DNS, "<$f"); + my $nameserver = ; + close(DNS); + + chomp($nameserver); + if ($nameserver) { + push(@nameservers, $nameserver); + } + } + + &Header::openbox('100%', 'center', $Lang::tr{'dnssec information'}); + + print < + + + + $Lang::tr{'nameserver'} + + + $Lang::tr{'status'} + + + + +END + + my $id = 0; + for my $nameserver (@nameservers) { + my $status = &check_dnssec($nameserver, "ping.ipfire.org"); + + my $colour = ""; + my $message = ""; + + # DNSSEC Not supported + if ($status == 0) { + $message = $Lang::tr{'dnssec not supported'}; + $colour = ${Header::colourred}; + + # DNSSEC Aware + } elsif ($status == 1) { + $message = $Lang::tr{'dnssec aware'}; + $colour = ${Header::colouryellow}; + + # DNSSEC Validating + } elsif ($status == 2) { + $message = $Lang::tr{'dnssec validating'}; + $colour = ${Header::colourgreen}; + + # Error + } else { + $colour = ${Header::colourred}; + } + + my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'}; + + print < + $nameserver + + $message + + +END + } + + print < + +END + + &Header::closebox(); + if ( $netsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/ && $netsettings{'RED_TYPE'} eq "DHCP"){ &Header::openbox('100%', 'left', "RED $Lang::tr{'dhcp configuration'}"); 
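Review bot: The resolver addresses read in the `foreach my $f (...)` loop are used unchecked: `open(DNS, "<$f");` ignores failure, so a missing `dns2` file leaves the handle unopened and `chomp` then runs on an undefined value. Whatever the file holds is later interpolated into the table row and handed to `check_dnssec`. These files likely carry values learned from the uplink (DHCP or PPP), so I would treat them as untrusted: use `open(my $fh, "<", $f) or next;` and push the value only if it matches an anchored address pattern such as `m/\A[0-9A-Fa-f:.]+\z/`. In the status chain the final `else` branch sets only `$colour`, so an error from `check_dnssec` renders a red row with an empty message; an explicit error string there would make the failure visible. The surrounding block continues outside this hunk.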
@@ -161,4 +237,33 @@ END &Header::closebigbox(); &Header::closepage(); -} +} + +sub check_dnssec($$) { + my $nameserver = shift; + my $record = shift; + + my @command = ("dig", "+dnssec", $record, "\@$nameserver"); + + my @output = qx(@command); + my $output = join("", @output); + + my $status = 0; + if ($output =~ m/status: (\w+)/) { + $status = ($1 eq "NOERROR"); + + if (!$status) { + return -1; + } + } + + my @flags = (); + if ($output =~ m/flags: (.*);/) { + @flags = split(/ /, $1); + } + + my $aware = ($output =~ m/RRSIG/); + my $validating = ("ad" ~~ @flags); + + return $aware + $validating; +} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 86d365f0c..556e65cfd 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -750,6 +750,10 @@ 'dnsforward entries' => 'Aktuelle Einträge', 'dnsforward forward_server' => 'DNS-Server', 'dnsforward zone' => 'Zone', +'dnssec aware' => 'DNSSEC-aware', +'dnssec information' => 'DNSSEC-Informationen', +'dnssec not supported' => 'DNSSEC wird nicht unterstützt', +'dnssec validating' => 'DNSSEC-validierend', 'do not log this port list' => 'Verwerfe diese Port-Liste kurz bevor sie protokolliert werden (reduziert Protokollgröße)', 'dod' => 'Dial-on-Demand-Modus', 'dod for dns' => 'Dial-on-Demand für DNS:', @@ -1523,6 +1527,7 @@ 'name is invalid' => 'Name ist ungültig', 'name must only contain characters' => 'Name darf nur Buchstaben enthalten.', 'name too long' => 'Der volle Benutzername oder der System Hostname ist zu lang', +'nameserver' => 'Nameserver', 'nat-traversal' => 'Nat Traversal:', 'needreboot' => 'Ein Update benötigt einen Neustart', 'net' => 'Netz', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 085dd3f75..f4fafca08 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
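Review bot: `qx(@command)` in `check_dnssec` interpolates the array into one string and runs it through the shell, so the list built on the line above gives no protection and any shell metacharacter in `$nameserver` is interpreted. The value comes from the `red/dns1` and `red/dns2` files without validation, so it should be restricted to an address literal and dig should be started with a list-form pipe open, as below. When no `status:` line matches at all (dig missing or timed out) the function falls through and returns 0, which the page shows as "DNSSEC not supported" rather than as an error. `"ad" ~~ @flags` relies on smartmatch, which is experimental and deprecated; a plain `grep` does the same.

```perl
sub check_dnssec($$) {
	# … unchanged: argument unpacking …

	# Only an address literal may become dig's @server argument.
	return -1 unless ($nameserver =~ m/\A[0-9A-Fa-f:.]+\z/);

	my @command = ("dig", "+dnssec", $record, "\@$nameserver");

	# List-form pipe open executes dig directly, with no shell involved.
	open(my $dig, "-|", @command) or return -1;
	my $output = join("", <$dig>);
	close($dig);

	# Anything other than a NOERROR reply, including no reply at all, is an error.
	return -1 unless ($output =~ m/status: NOERROR\b/);

	# … unchanged: flags parsing and RRSIG check …

	my $validating = (grep { $_ eq "ad" } @flags) ? 1 : 0;
```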
@@ -775,6 +775,10 @@
 'dnsforward entries' => 'Current entries',
 'dnsforward forward_server' => 'Nameserver',
 'dnsforward zone' => 'Zone',
+'dnssec aware' => 'DNSSEC Aware',
+'dnssec information' => 'DNSSEC Information',
+'dnssec not supported' => 'DNSSEC Not supported',
+'dnssec validating' => 'DNSSEC Validating',
 'do not log this port list' => 'Drop this port list just before they are logged (reduces log size)',
 'dod' => 'Dial on Demand',
 'dod for dns' => 'Dial on Demand for DNS:',
@@ -1553,6 +1557,7 @@
 'name is invalid' => 'Name is invalid',
 'name must only contain characters' => 'Name must only contain characters.',
 'name too long' => 'User\'s full name or system hostname is too long',
+'nameserver' => 'Nameserver',
 'nat-traversal' => 'Nat Traversal:',
 'needreboot' => 'An update requires a restart',
 'net' => 'Net',
-- 2.39.2