3 # Copyright (c) 2010 Peter Palfrader <peter@palfrader.org>
5 # Permission is hereby granted, free of charge, to any person obtaining
6 # a copy of this software and associated documentation files (the
7 # "Software"), to deal in the Software without restriction, including
8 # without limitation the rights to use, copy, modify, merge, publish,
9 # distribute, sublicense, and/or sell copies of the Software, and to
10 # permit persons to whom the Software is furnished to do so, subject to
11 # the following conditions:
13 # The above copyright notice and this permission notice shall be
14 # included in all copies or substantial portions of the Software.
16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 use Net::DNS::Resolver;
30 $SIG{'__DIE__'} = sub { print @_; exit 4; };
32 my $RES = Net::DNS::Resolver->new;
33 my $DLV = 'dlv.isc.org';
41 print "Querying $type $zone\n" if $params->{'verbose'};
42 my $pkt = $RES->send($zone, $type);
43 return () unless $pkt;
44 return () unless $pkt->answer;
45 for my $rr ($pkt->answer) {
46 next unless ($rr->type eq $type);
47 next unless (lc($rr->name) eq lc($zone));
49 # only handle KSKs, i.e. keys with the SEP flag set
50 next if ($type eq 'DNSKEY' && !($rr->is_sep));
52 push @result, $rr->keytag;
55 @result = sort {$a <=> $b} grep {!$unique{$_}++} @result;
61 return get_tag_generic($zone, 'DNSKEY');
65 return get_tag_generic($zone, 'DS');
70 return get_tag_generic($zone, 'DLV');
72 sub has_dnskey_parent {
77 $potential_parent = $zone;
78 $potential_parent =~ s/^[^.]+\.//;
80 $potential_parent = '.';
83 print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
84 my $pkt = $RES->send($potential_parent, 'DNSKEY');
85 return undef unless $pkt;
86 return undef unless $pkt->header;
88 unless ($pkt->answer) {
89 return undef unless $pkt->authority;
90 for my $rr ($pkt->authority) {
91 next unless ($rr->type eq 'SOA');
93 $potential_parent = $rr->name;
94 print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
95 $pkt = $RES->send($potential_parent, 'DNSKEY');
96 return undef unless $pkt;
101 return (0, $potential_parent) unless $pkt->answer;
102 for my $rr ($pkt->answer) {
103 next unless ($rr->type eq 'DNSKEY');
104 return (1, $potential_parent);
107 sub get_parent_dnssec_status {
112 my ($status, $parent) = has_dnskey_parent($zone);
113 last unless defined $status;
114 push @result, ($status ? "yes" : "no") . ("($parent)");
116 last if $zone eq "" || $zone eq '.';
119 return join(', ', @result);
126 print $fd "Usage: $PROGRAM_NAME [--dir <dir>] overview|check-dlv|check-ds|check-header zone [zone...]\n";
127 print $fd " $PROGRAM_NAME --dir <dir> overview|check-dlv|check-ds|check-header\n";
128 print $fd " $PROGRAM_NAME --help\n";
139 open(F, "<", $indir."/".$zone) or die ("Cannot open zonefile for $zone: $!\n");
141 if (/^;\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; }
142 if (/^;\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; }
147 push @keys, 'dlv' if $do_dlv;
148 push @keys, 'ds' if $do_ds;
152 Getopt::Long::config('bundling');
154 '--help' => \$params->{'help'},
155 '--dir=s' => \$params->{'dir'},
156 '--dlv=s' => \$params->{'dlv'},
157 '--verbose' => \$params->{'verbose'},
158 ) or usage(\*STDERR, 1);
159 usage(\*STDOUT, 0) if ($params->{'help'});
161 my $mode = shift @ARGV;
162 usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/);
163 die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'});
167 if (defined $params->{'dir'} && $mode ne 'check-header') {
168 warn "--dir option ignored"
172 my $dir = $params->{'dir'};
173 usage(\*STDOUT, 0) unless (defined $dir);
175 chdir $dir or die "chdir $dir failed? $!\n";
176 opendir DIR, '.' or die ("Cannot opendir $dir\n");
177 for my $file (readdir DIR) {
178 next if ( -l "$file" );
179 next unless ( -f "$file" );
180 next if $file =~ /^(dsset|keyset)-/;
187 $DLV = $params->{'dlv'} if $params->{'dlv'};
190 if ($mode eq 'overview') {
192 for my $zone (@zones) {
193 $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
194 'ds' => join(', ', get_dstags($zone)),
195 'dlv' => join(', ', get_dlvtags($zone)),
196 'parent_dnssec' => get_parent_dnssec_status($zone) };
199 my $format = "%60s %-10s %-10s %-10s %-10s\n";
200 printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
201 printf $format, "-"x 60, "-"x 10, "-"x 10, "-"x 10, "-"x 10;
202 for my $zone (sort {$a cmp $b} keys %data) {
203 printf $format, $zone,
204 $data{$zone}->{'dnskey'},
205 $data{$zone}->{'ds'},
206 $data{$zone}->{'dlv'},
207 $data{$zone}->{'parent_dnssec'};
210 } elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
212 $key = 'dlv' if $mode eq 'check-dlv';
213 $key = 'ds' if $mode eq 'check-ds';
214 $key = 'per-zone' if $mode eq 'check-header';
215 die ("key undefined") unless $key;
219 for my $zone (sort {$a cmp $b} @zones) {
220 my @thiskeys = $key eq 'per-zone' ? what_to_check($zone, $params->{'dir'}) : ($key);
222 my $dnskey = join(', ', get_dnskeytags($zone)) || '-';
223 for my $thiskey (@thiskeys) {
224 my $target = join(', ', $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone)) || '-';
226 if ($dnskey ne $target) {
227 push @warn, "$zone ([$dnskey] != [$target])";
229 push @ok, "$zone ($dnskey)";
233 print "WARNING: ", join(", ", @warn), "\n" if (scalar @warn);
234 print "OK: ", join(", ", @ok), "\n" if (scalar @ok);
235 exit (1) if (scalar @warn);
238 die ("Invalid mode '$mode'\n");