3 # Copyright (c) 2010 Peter Palfrader <peter@palfrader.org>
5 # Permission is hereby granted, free of charge, to any person obtaining
6 # a copy of this software and associated documentation files (the
7 # "Software"), to deal in the Software without restriction, including
8 # without limitation the rights to use, copy, modify, merge, publish,
9 # distribute, sublicense, and/or sell copies of the Software, and to
10 # permit persons to whom the Software is furnished to do so, subject to
11 # the following conditions:
13 # The above copyright notice and this permission notice shall be
14 # included in all copies or substantial portions of the Software.
16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 use Net::DNS::Resolver;
31 $SIG{'__DIE__'} = sub { print @_; exit 4; };
33 my $RES = Net::DNS::Resolver->new;
34 my $DLV = 'dlv.isc.org';
42 print "Querying $type $zone\n" if $params->{'verbose'};
43 my $pkt = $RES->send($zone, $type);
44 return () unless $pkt;
45 return () unless $pkt->answer;
46 for my $rr ($pkt->answer) {
47 next unless ($rr->type eq $type);
48 next unless (lc($rr->name) eq lc($zone));
50 # only handle KSKs, i.e. keys with the SEP flag set
51 next if ($type eq 'DNSKEY' && !($rr->is_sep));
53 push @result, $rr->keytag;
56 @result = sort {$a <=> $b} grep {!$unique{$_}++} @result;
62 return get_tag_generic($zone, 'DNSKEY');
66 return get_tag_generic($zone, 'DS');
71 return get_tag_generic($zone, 'DLV');
73 sub has_dnskey_parent {
78 $potential_parent = $zone;
79 $potential_parent =~ s/^[^.]+\.//;
81 $potential_parent = '.';
84 print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
85 my $pkt = $RES->send($potential_parent, 'DNSKEY');
86 return undef unless $pkt;
87 return undef unless $pkt->header;
89 unless ($pkt->answer) {
90 return undef unless $pkt->authority;
91 for my $rr ($pkt->authority) {
92 next unless ($rr->type eq 'SOA');
94 $potential_parent = $rr->name;
95 print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
96 $pkt = $RES->send($potential_parent, 'DNSKEY');
97 return undef unless $pkt;
102 return (0, $potential_parent) unless $pkt->answer;
103 for my $rr ($pkt->answer) {
104 next unless ($rr->type eq 'DNSKEY');
105 return (1, $potential_parent);
108 sub get_parent_dnssec_status {
113 my ($status, $parent) = has_dnskey_parent($zone);
114 last unless defined $status;
115 push @result, ($status ? "yes" : "no") . ("($parent)");
117 last if $zone eq "" || $zone eq '.';
120 return join(', ', @result);
127 print $fd "Usage: $PROGRAM_NAME [--dir <dir>] overview|check-dlv|check-ds|check-header zone [zone...]\n";
128 print $fd " $PROGRAM_NAME --dir <dir> overview|check-dlv|check-ds|check-header\n";
129 print $fd " $PROGRAM_NAME --help\n";
135 my $zonefile = shift;
140 open(F, "<", $zonefile) or die ("Cannot open zonefile $zonefile for $zone: $!\n");
142 if (/^[#;]\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; }
143 if (/^[#;]\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; }
148 push @keys, 'dlv' if $do_dlv;
149 push @keys, 'ds' if $do_ds;
153 Getopt::Long::config('bundling');
155 '--help' => \$params->{'help'},
156 '--dir=s@' => \$params->{'dir'},
157 '--dlv=s' => \$params->{'dlv'},
158 '--verbose' => \$params->{'verbose'},
159 ) or usage(\*STDERR, 1);
160 usage(\*STDOUT, 0) if ($params->{'help'});
162 my $mode = shift @ARGV;
163 usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/);
164 die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'});
168 if (defined $params->{'dir'} && $mode ne 'check-header') {
169 warn "--dir option ignored"
171 %zones = map { $_ => $_} @ARGV;
173 my $dirs = $params->{'dir'};
174 usage(\*STDOUT, 0) unless (defined $dirs);
176 for my $dir (@$dirs) {
177 chdir $dir or die "chdir $dir failed? $!\n";
178 opendir DIR, '.' or die ("Cannot opendir $dir\n");
179 for my $file (readdir DIR) {
180 next if ( -l "$file" );
181 next unless ( -f "$file" );
182 next if $file =~ /^(dsset|keyset)-/;
185 if ($file =~ /\.zone$/) { # it's one of our yaml things
186 $zone = basename($file, '.zone');
188 $zones{$zone} = "$dir/$file";
194 $DLV = $params->{'dlv'} if $params->{'dlv'};
197 if ($mode eq 'overview') {
199 for my $zone (keys %zones) {
200 $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
201 'ds' => join(', ', get_dstags($zone)),
202 'dlv' => join(', ', get_dlvtags($zone)),
203 'parent_dnssec' => get_parent_dnssec_status($zone) };
206 my $format = "%60s %-10s %-10s %-10s %-10s\n";
207 printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
208 printf $format, "-"x 60, "-"x 10, "-"x 10, "-"x 10, "-"x 10;
209 for my $zone (sort {$a cmp $b} keys %data) {
210 printf $format, $zone,
211 $data{$zone}->{'dnskey'},
212 $data{$zone}->{'ds'},
213 $data{$zone}->{'dlv'},
214 $data{$zone}->{'parent_dnssec'};
217 } elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
219 $key = 'dlv' if $mode eq 'check-dlv';
220 $key = 'ds' if $mode eq 'check-ds';
221 $key = 'per-zone' if $mode eq 'check-header';
222 die ("key undefined") unless $key;
226 for my $zone (sort {$a cmp $b} keys %zones) {
227 my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $zones{$zone}) : ($key);
229 my $dnskey = join(', ', get_dnskeytags($zone)) || '-';
230 for my $thiskey (@thiskeys) {
231 my $target = join(', ', $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone)) || '-';
233 if ($dnskey ne $target) {
234 push @warn, "$zone ([$dnskey] != [$target])";
236 push @ok, "$zone ($dnskey)";
240 print "WARNING: ", join(", ", @warn), "\n" if (scalar @warn);
241 print "OK: ", join(", ", @ok), "\n" if (scalar @ok);
242 exit (1) if (scalar @warn);
245 die ("Invalid mode '$mode'\n");