From 95ba91f72771d6e55cbe0dc7f5456fc2cad9b705 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Sun, 31 May 2015 01:11:12 +0200
Subject: [PATCH] pdnssec: check for glue and delegations in parent zones

---
 pdns/pdnssec.cc | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 1919a01a42..84539cc83c 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -417,17 +417,38 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
   bool isSecure=dk.isSecuredZone(zone);
   bool presigned=dk.isPresigned(zone);
 
-  sd.db->list(zone, sd.domain_id, true);
   DNSResourceRecord rr;
   uint64_t numrecords=0, numerrors=0, numwarnings=0;
 
+
+  // Check for delegation in parent zone
+  string parent(zone);
+  while(chopOff(parent)) {
+    SOAData sd_p;
+    if(B.getSOAUncached(parent, sd_p)) {
+      bool ns=false;
+      DNSResourceRecord rr;
+      B.lookup(QType(QType::ANY), zone, NULL, sd_p.domain_id);
+      while(B.get(rr))
+        ns |= (rr.qtype == QType::NS);
+      if (!ns) {
+        cerr<<"[Error] No delegation for zone '"<<zone<<"' in parent '"<<parent<<"'"<<endl;
+        numerrors++;
+      }
+      break;
+    }
+  }
+
+
   bool hasNsAtApex = false;
-  set<string> records, cnames, noncnames;
+  set<string> records, cnames, noncnames, glue, checkglue;
   map<string, unsigned int> ttl;
 
   ostringstream content;
   pair<map<string, unsigned int>::iterator,bool> ret;
 
+  sd.db->list(zone, sd.domain_id, true);
+
   while(sd.db->get(rr)) {
     if(!rr.qtype.getCode())
       continue;
@@ -523,6 +544,10 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
       } else if (rr.qtype.getCode() == QType::DNSKEY) {
         cout<<"[Warning] DNSKEY record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"', should not be here."<<endl;
         numwarnings++;
+      } else if (rr.qtype.getCode() == QType::NS && endsOn(rr.content, rr.qname)) {
+        checkglue.insert(toLower(rr.content));
+      } else if (rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) {
+        glue.insert(toLower(rr.qname));
       }
     }
 
@@ -599,6 +624,13 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
     numerrors++;
   }
 
+  for(const auto &qname : checkglue) {
+    if (!glue.count(qname)) {
+      cerr<<"[Error] Missing glue for '"<<qname<<"' in zone '"<<zone<<"'"<<endl;
+      numerrors++;
+    }
+  }
+
   cout<<"Checked "<<numrecords<<" records of '"<<zone<<"', "<<numerrors<<" errors, "<<numwarnings<<" warnings."<<endl;
   return numerrors;
 }
-- 
2.47.2