From: Kees Monshouwer <mind04@monshouwer.org>
Date: Sat, 30 May 2015 23:11:12 +0000 (+0200)
Subject: pdnssec: check for glue and delegations in parent zones
X-Git-Tag: auth-3.3.3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f318a7dffd82666745dda55d0691ff6d4435bccc;p=thirdparty%2Fpdns.git

pdnssec: check for glue and delegations in parent zones
---

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 352e9a054a..022c56c42d 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -364,17 +364,38 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
   bool isSecure=dk.isSecuredZone(zone);
   bool presigned=dk.isPresigned(zone);
 
-  sd.db->list(zone, sd.domain_id);
   DNSResourceRecord rr;
   uint64_t numrecords=0, numerrors=0, numwarnings=0;
 
+
+  // Check for delegation in parent zone
+  string parent(zone);
+  while(chopOff(parent)) {
+    SOAData sd_p;
+    if(B.getSOA(parent, sd_p)) {
+      bool ns=false;
+      DNSResourceRecord rr;
+      B.lookup(QType(QType::ANY), zone, NULL, sd_p.domain_id);
+      while(B.get(rr))
+        ns |= (rr.qtype == QType::NS);
+      if (!ns) {
+        cerr<<"[Error] No delegation for zone '"<<zone<<"' in parent '"<<parent<<"'"<<endl;
+        numerrors++;
+      }
+      break;
+    }
+  }
+
+
   bool hasNsAtApex = false;
-  set<string> records, cnames, noncnames;
+  set<string> records, cnames, noncnames, glue, checkglue;
   map<string, unsigned int> ttl;
 
   ostringstream content;
   pair<map<string, unsigned int>::iterator,bool> ret;
 
+  sd.db->list(zone, sd.domain_id);
+
   while(sd.db->get(rr)) {
     if(!rr.qtype.getCode())
       continue;
@@ -473,6 +494,10 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
       } else if (rr.qtype.getCode() == QType::DNSKEY) {
         cout<<"[Warning] DNSKEY record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"', should not be here."<<endl;
         numwarnings++;
+      } else if (rr.qtype.getCode() == QType::NS && endsOn(rr.content, rr.qname)) {
+        checkglue.insert(toLower(rr.content));
+      } else if (rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) {
+        glue.insert(toLower(rr.qname));
       }
     }
 
@@ -549,6 +574,13 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
     numerrors++;
   }
 
+  BOOST_FOREACH(const string& qname, checkglue) {
+    if (!glue.count(qname)) {
+      cerr<<"[Error] Missing glue for '"<<qname<<"' in zone '"<<zone<<"'"<<endl;
+      numerrors++;
+    }
+  }
+
   cout<<"Checked "<<numrecords<<" records of '"<<zone<<"', "<<numerrors<<" errors, "<<numwarnings<<" warnings."<<endl;
   return numerrors;
 }