3 # Copyright (c) 2010 Peter Palfrader <peter@palfrader.org>
5 # Permission is hereby granted, free of charge, to any person obtaining
6 # a copy of this software and associated documentation files (the
7 # "Software"), to deal in the Software without restriction, including
8 # without limitation the rights to use, copy, modify, merge, publish,
9 # distribute, sublicense, and/or sell copies of the Software, and to
10 # permit persons to whom the Software is furnished to do so, subject to
11 # the following conditions:
13 # The above copyright notice and this permission notice shall be
14 # included in all copies or substantial portions of the Software.
16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 use Net::DNS::Resolver;
31 # taken from Array::Utils
32 # http://cpansearch.perl.org/src/ZMIJ/Array-Utils-0.5/Utils.pm
33 # This module is Copyright (c) 2007 Sergei A. Fedorov.
34 # You may distribute under the terms of either the GNU General Public
35 # License or the Artistic License, as specified in the Perl README file.
38 my %e = map { $_ => undef } @{$_[0]};
39 return grep { exists( $e{$_} ) } @{$_[1]};
41 sub array_diff(\@\@) {
42 my %e = map { $_ => undef } @{$_[1]};
43 return @{[ ( grep { (exists $e{$_}) ? ( delete $e{$_} ) : ( 1 ) } @{ $_[0] } ), keys %e ] };
45 sub array_minus(\@\@) {
46 my %e = map{ $_ => undef } @{$_[1]};
47 return grep( ! exists( $e{$_} ), @{$_[0]} );
51 $SIG{'__DIE__'} = sub { print @_; exit 4; };
53 my $RES = Net::DNS::Resolver->new;
54 my $DLV = 'dlv.isc.org';
63 print "Querying $type $zone\n" if $params->{'verbose'};
64 my $pkt = $RES->send($zone, $type);
65 return () unless $pkt;
66 return () unless $pkt->answer;
67 for my $rr ($pkt->answer) {
68 next unless ($rr->type eq $type);
69 next unless (lc($rr->name) eq lc($zone));
71 # for now only handle KSKs, i.e. keys with the SEP flag set
72 if ($type eq 'DNSKEY' && !($rr->is_sep)) {
73 push @zsks, $rr->keytag;
77 push @result, $rr->keytag;
79 if ($type eq 'DNSKEY' && (scalar @result) == 0) {
80 # use remaining keys if no keys with the SEP bit are present
84 @result = sort {$a <=> $b} grep {!$unique{$_}++} @result;
90 return get_tag_generic($zone, 'DNSKEY');
94 return get_tag_generic($zone, 'DS');
99 return get_tag_generic($zone, 'DLV');
101 sub has_dnskey_parent {
104 my $potential_parent;
105 if ($zone =~ m/\./) {
106 $potential_parent = $zone;
107 $potential_parent =~ s/^[^.]+\.//;
109 $potential_parent = '.';
112 print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
113 my $pkt = $RES->send($potential_parent, 'DNSKEY');
114 return undef unless $pkt;
115 return undef unless $pkt->header;
117 unless ($pkt->answer) {
118 return undef unless $pkt->authority;
119 for my $rr ($pkt->authority) {
120 next unless ($rr->type eq 'SOA');
122 $potential_parent = $rr->name;
123 print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
124 $pkt = $RES->send($potential_parent, 'DNSKEY');
125 return undef unless $pkt;
130 return (0, $potential_parent) unless $pkt->answer;
131 for my $rr ($pkt->answer) {
132 next unless ($rr->type eq 'DNSKEY');
133 return (1, $potential_parent);
136 sub get_parent_dnssec_status {
141 my ($status, $parent) = has_dnskey_parent($zone);
142 last unless defined $status;
143 push @result, ($status ? "yes" : "no") . ("($parent)");
145 last if $zone eq "" || $zone eq '.';
148 return join(', ', @result);
155 print $fd "Usage: $PROGRAM_NAME [--dir <dir>] overview|check-dlv|check-ds|check-header zone [zone...]\n";
156 print $fd " $PROGRAM_NAME --dir <dir> overview|check-dlv|check-ds|check-header\n";
157 print $fd " $PROGRAM_NAME --help\n";
163 my $zonefile = shift;
168 open(F, "<", $zonefile) or die ("Cannot open zonefile $zonefile for $zone: $!\n");
170 if (/^[#;]\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; }
171 if (/^[#;]\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; }
175 return { 'dlv' => $do_dlv,
182 my @elems = intersect(@$a, @$b);
183 push @elems, map { '-'.$_ } array_minus(@$a, @$b);
184 push @elems, map { '+'.$_ } array_minus(@$b, @$a);
185 return join(',', @elems);
188 Getopt::Long::config('bundling');
190 '--help' => \$params->{'help'},
191 '--dir=s@' => \$params->{'dir'},
192 '--dlv=s' => \$params->{'dlv'},
193 '--verbose' => \$params->{'verbose'},
194 ) or usage(\*STDERR, 1);
195 usage(\*STDOUT, 0) if ($params->{'help'});
197 my $mode = shift @ARGV;
198 usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/);
199 die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'});
203 if (defined $params->{'dir'} && $mode ne 'check-header') {
204 warn "--dir option ignored"
206 %zones = map { $_ => $_} @ARGV;
208 my $dirs = $params->{'dir'};
209 usage(\*STDOUT, 0) unless (defined $dirs);
211 for my $dir (@$dirs) {
212 chdir $dir or die "chdir $dir failed? $!\n";
213 opendir DIR, '.' or die ("Cannot opendir $dir\n");
214 for my $file (readdir DIR) {
215 next if ( -l "$file" );
216 next unless ( -f "$file" );
217 next if $file =~ /^(dsset|keyset)-/;
220 if ($file =~ /\.zone$/) { # it's one of our yaml things
221 $zone = basename($file, '.zone');
223 $zones{$zone} = "$dir/$file";
229 $DLV = $params->{'dlv'} if $params->{'dlv'};
232 if ($mode eq 'overview') {
234 for my $zone (keys %zones) {
235 $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone)),
236 'ds' => join(', ', get_dstags($zone)),
237 'dlv' => join(', ', get_dlvtags($zone)),
238 'parent_dnssec' => get_parent_dnssec_status($zone) };
241 my $format = "%60s %-15s %-15s %-3s %-10s\n";
242 printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
243 printf $format, "-"x 60, "-"x 15, "-"x 15, "-"x 3, "-"x 10;
244 for my $zone (sort {$a cmp $b} keys %data) {
245 printf $format, $zone,
246 $data{$zone}->{'dnskey'},
247 $data{$zone}->{'ds'},
248 $data{$zone}->{'dlv'},
249 $data{$zone}->{'parent_dnssec'};
252 } elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
254 push @to_check, 'dlv' if $mode eq 'check-header' || $mode eq 'check-dlv';
255 push @to_check, 'ds' if $mode eq 'check-header' || $mode eq 'check-ds';
259 for my $zone (sort {$a cmp $b} keys %zones) {
260 my $require = { map { $_ => 1 } @to_check };
261 if ($mode eq 'check-header') {
262 $require = what_to_check($zone, $zones{$zone})
265 my @dnskey = get_dnskeytags($zone);
266 for my $thiskey (@to_check) {
267 my @target = $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone);
269 my $spec = diff_spec(\@target, \@dnskey);
270 # if the intersection between DS and KEY is empty,
271 # or if there are DS records for keys we do not have, that's an issue.
272 if (intersect(@dnskey, @target) == 0 || array_minus(@target, @dnskey)) {
273 if ($require->{$thiskey} || scalar @target > 0) {
274 push @warn, "$zone ($spec)";
277 if ($require->{$thiskey}) {
278 push @ok, "$zone ($spec)";
283 print "WARNING: ", join(", ", @warn), "\n" if (scalar @warn);
284 print "OK: ", join(", ", @ok), "\n" if (scalar @ok);
285 exit (1) if (scalar @warn);
288 die ("Invalid mode '$mode'\n");