<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-checkds</command>
- verifies the correctness of Delegation Signer (DS) or DNSSEC
- Lookaside Validation (DLV) resource records for keys in a specified
- zone.
+ verifies the correctness of Delegation Signer (DS)
+ resource records for keys in a specified zone.
</para>
</refsection>
<listitem>
<para>
Specify a digest algorithm to use when converting the
- zone's DNSKEY records to expected DS or DLV records. This
+ zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>-l <replaceable class="parameter">domain</replaceable></term>
- <listitem>
- <para>
- Check for a DLV record in the specified lookaside domain,
- instead of checking for a DS record in the zone's parent.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term>-s <replaceable class="parameter">file</replaceable></term>
<listitem>
############################################################################
# SECRR class:
-# Class for DS/DLV resource record
+# Class for DS resource record
############################################################################
class SECRR:
hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'}
digest = ''
ttl = 0
- def __init__(self, rrtext, dlvname = None):
+ def __init__(self, rrtext):
if not rrtext:
raise Exception
if len(fields) < 7:
raise Exception
- if dlvname:
- self.rrtype = "DLV"
- self.dlvname = dlvname.lower()
- parent = fields[0].lower().strip('.').split('.')
- parent.reverse()
- dlv = dlvname.split('.')
- dlv.reverse()
- while len(dlv) != 0 and len(parent) != 0 and parent[0] == dlv[0]:
- parent = parent[1:]
- dlv = dlv[1:]
- if dlv:
- raise Exception
- parent.reverse()
- self.parent = '.'.join(parent)
- self.rrname = self.parent + '.' + self.dlvname + '.'
- else:
- self.rrtype = "DS"
- self.rrname = fields[0].lower()
+ self.rrtype = "DS"
+ self.rrname = fields[0].lower()
fields = fields[1:]
if fields[0].upper() in ['IN', 'CH', 'HS']:
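Review bot: With the lookaside branch removed, the new `self.rrtype = "DS"` line assigns the same constant in every instance, so it reads better as a class attribute beside `digest` and `ttl` (`rrtype = 'DS'`) with the assignment dropped from `__init__`, assuming nothing outside this hunk ever writes a different value — I cannot see other writers from here. The constructor also has no docstring now that its contract is simpler; I would add one stating that `rrtext` is a single DS record in presentation form, that `Exception` is raised for an empty line or one with fewer than seven fields, and that the owner name is stored lowercased in `rrname`. The removed branch also set `self.parent` and `self.dlvname`; any remaining reader of those attributes elsewhere in the file would now fail with `AttributeError`, which is worth a grep. `__init__` continues past the end of the hunk.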
############################################################################
# check:
-# Fetch DS/DLV RRset for the given zone from the DNS; fetch DNSKEY
+# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY
# RRset from the masterfile if specified, or from DNS if not.
-# Generate a set of expected DS/DLV records from the DNSKEY RRset,
+# Generate a set of expected DS records from the DNSKEY RRset,
# and report on congruency.
############################################################################
def check(zone, args):
if args.dssetfile:
fp = open(args.dssetfile).read()
else:
- cmd = [args.dig, "+noall", "+answer", "-t",
- "dlv" if args.lookaside else "ds", "-q",
- zone + "." + args.lookaside if args.lookaside else zone]
+ cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]
fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- rrlist.append(SECRR(line, args.lookaside))
+ rrlist.append(SECRR(line))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
klist = []
cmd = [args.dsfromkey]
for algo in args.algo:
cmd += ['-a', algo]
- if args.lookaside:
- cmd += ["-l", args.lookaside]
if args.masterfile:
cmd += ["-f", args.masterfile, zone]
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- klist.append(SECRR(line, args.lookaside))
+ klist.append(SECRR(line))
if len(klist) < 1:
print("No DNSKEY records found in zone apex")
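Review bot: The rewritten header line "Fetch DS RRset for the given zone from the DNS" is inaccurate for the body directly below it, which reads the RRset from `args.dssetfile` when `-s` is given and only runs `dig` otherwise; I would write it as `# Fetch DS RRset for the given zone from the DNS (or from the dsset file if specified); fetch DNSKEY`. The new `dig` command is built as an argument list and handed to `Popen` without a shell, which is the right shape. Note that the exit status of that `dig` subprocess is never inspected, so a failed lookup yields an empty `fp`, an empty `rrlist`, and a report of missing DS records rather than a lookup error; keeping the process object (`proc = Popen(cmd, stdout=PIPE)`, `fp, _ = proc.communicate()`) and checking `proc.returncode` would let the tool distinguish the two cases. `check` continues past the end of the hunk.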
type=str, help='path to \'dnssec-dsfromkey\'')
parser.add_argument('-f', '--file', dest='masterfile', type=str,
help='zone master file')
- parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
- help='DLV lookaside zone')
parser.add_argument('-s', '--dsset', dest='dssetfile', type=str,
help='prepared DSset file')
parser.add_argument('-v', '--version', action='version',
args = parser.parse_args()
args.zone = args.zone.strip('.')
- if args.lookaside:
- args.lookaside = args.lookaside.strip('.')
return args
if "%arg%" == "-t" goto next
if "%arg%" == "ds" goto ds
if "%arg%" == "DS" goto ds
-if "%arg%" == "dlv" goto dlv
-if "%arg%" == "DLV" goto dlv
if "%arg%" == "dnskey" goto dnskey
if "%arg%" == "DNSKEY" goto dnskey
set file=%arg%
set ext=ds
goto next
-:dlv
-set ext=dlv
-goto next
-
:dnskey
set ext=dnskey
goto next
$ext = "ds";
next;
}
- if ($arg =~ /^dlv$/i) {
- $ext = "dlv";
- next;
- }
if ($arg =~ /^dnskey$/i) {
$ext = "dnskey";
next;
+*) shift ;;
-t) shift ;;
DS|ds) ext=ds ; shift ;;
- DLV|dlv) ext=dlv ; shift ;;
DNSKEY|dnskey) ext=dnskey ; shift ;;
*) file=$1 ; shift ;;
esac
+++ /dev/null
-missing.example.dlv.example. 3600 IN DLV 12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7
-missing.example.dlv.example. 3600 IN DLV 12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200
+++ /dev/null
-ok.example.dlv.example. 3600 IN DLV 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
-ok.example.dlv.example. 3600 IN DLV 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking for correct DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example ok.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for correct DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for incorrect DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1
-grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for partially missing DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)"
-ret=0
-$CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
-echo_i "checking for entirely missing DLV, obtaining key from file ($n)"
-ret=0
-$CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
-grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
echo_i "checking with prepared dsset file ($n)"
ret=0
$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1
+++ /dev/null
-wrong.example.dlv.example. 3600 IN DLV 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC
-wrong.example.dlv.example. 3600 IN DLV 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C
./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019
./bin/tests/system/checkds/dig.pl PERL 2014,2016,2017,2018,2019
./bin/tests/system/checkds/dig.sh SH 2012,2013,2016,2017,2018,2019
-./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/missing.example.ds.db X 2012,2018,2019
-./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.ds.db X 2012,2018,2019
-./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/prep.example.db X 2017,2018,2019
./bin/tests/system/checkds/prep.example.ds.db X 2017,2018,2019
./bin/tests/system/checkds/setup.sh SH 2012,2013,2014,2016,2018,2019
./bin/tests/system/checkds/tests.sh SH 2012,2013,2014,2016,2017,2018,2019
-./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018,2019
./bin/tests/system/checknames/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019