From 0b2b6b2ed1a176db707e9478c80bf6de7fda36d0 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 7 Aug 2019 12:19:19 -0700 Subject: [PATCH] remove DLV support from dnssec-checkds --- bin/python/dnssec-checkds.docbook | 17 +---- bin/python/isc/checkds.py.in | 42 +++------- bin/tests/system/checkds/dig.bat | 6 -- bin/tests/system/checkds/dig.pl | 4 - bin/tests/system/checkds/dig.sh | 1 - .../missing.example.dlv.example.dlv.db | 2 - .../checkds/none.example.dlv.example.dlv.db | 0 .../checkds/ok.example.dlv.example.dlv.db | 2 - bin/tests/system/checkds/tests.sh | 76 ------------------- .../checkds/wrong.example.dlv.example.dlv.db | 2 - util/copyrights | 4 - 11 files changed, 12 insertions(+), 144 deletions(-) delete mode 100644 bin/tests/system/checkds/missing.example.dlv.example.dlv.db delete mode 100644 bin/tests/system/checkds/none.example.dlv.example.dlv.db delete mode 100644 bin/tests/system/checkds/ok.example.dlv.example.dlv.db delete mode 100644 bin/tests/system/checkds/wrong.example.dlv.example.dlv.db diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook index bc18b616f6..b4af540655 100644 --- a/bin/python/dnssec-checkds.docbook +++ b/bin/python/dnssec-checkds.docbook @@ -59,9 +59,8 @@ DESCRIPTION dnssec-checkds - verifies the correctness of Delegation Signer (DS) or DNSSEC - Lookaside Validation (DLV) resource records for keys in a specified - zone. + verifies the correctness of Delegation Signer (DS) + resource records for keys in a specified zone. @@ -74,7 +73,7 @@ Specify a digest algorithm to use when converting the - zone's DNSKEY records to expected DS or DLV records. This + zone's DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record. @@ -98,16 +97,6 @@ - - -l domain - - - Check for a DLV record in the specified lookaside domain, - instead of checking for a DS record in the zone's parent. - - - - -s file 
diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in index f20d6bf564..0d71629436 100644 --- a/bin/python/isc/checkds.py.in +++ b/bin/python/isc/checkds.py.in @@ -21,7 +21,7 @@ prog = 'dnssec-checkds' ############################################################################ # SECRR class: -# Class for DS/DLV resource record +# Class for DS resource record ############################################################################ class SECRR: hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'} @@ -33,7 +33,7 @@ class SECRR: digest = '' ttl = 0 - def __init__(self, rrtext, dlvname = None): + def __init__(self, rrtext): if not rrtext: raise Exception @@ -45,24 +45,8 @@ class SECRR: if len(fields) < 7: raise Exception - if dlvname: - self.rrtype = "DLV" - self.dlvname = dlvname.lower() - parent = fields[0].lower().strip('.').split('.') - parent.reverse() - dlv = dlvname.split('.') - dlv.reverse() - while len(dlv) != 0 and len(parent) != 0 and parent[0] == dlv[0]: - parent = parent[1:] - dlv = dlv[1:] - if dlv: - raise Exception - parent.reverse() - self.parent = '.'.join(parent) - self.rrname = self.parent + '.' + self.dlvname + '.' - else: - self.rrtype = "DS" - self.rrname = fields[0].lower() + self.rrtype = "DS" + self.rrname = fields[0].lower() fields = fields[1:] if fields[0].upper() in ['IN', 'CH', 'HS']: @@ -91,9 +75,9 @@ class SECRR: ############################################################################ # check: -# Fetch DS/DLV RRset for the given zone from the DNS; fetch DNSKEY +# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY # RRset from the masterfile if specified, or from DNS if not. -# Generate a set of expected DS/DLV records from the DNSKEY RRset, +# Generate a set of expected DS records from the DNSKEY RRset, # and report on congruency. ############################################################################ def check(zone, args): 
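Review bot: In the @@ -45,24 hunk of bin/python/isc/checkds.py.in, `self.rrtype = "DS"` is now assigned the same value on every instance — within this hunk the deleted `if dlvname:` branch was the only thing that ever set it differently — so it reads better as a class attribute beside `hashalgs` (`rrtype = 'DS'`) with the per-instance line dropped. `self.rrname` is still taken verbatim from `fields[0].lower()`; whether `check` later compares it with the requested `zone` is not visible here, and if it does not, a one-line comparison in `check` (or a comment stating that dig's answer section is trusted as-is) would make the assumption explicit. Both this hunk and the @@ -33,7 hunk keep `raise Exception` with no message, which a user sees only as a traceback; `raise Exception('malformed DS record: %r' % rrtext)` would at least name the offending line. The remainder of `__init__` lies outside the hunk.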
@@ -101,15 +85,13 @@ def check(zone, args): if args.dssetfile: fp = open(args.dssetfile).read() else: - cmd = [args.dig, "+noall", "+answer", "-t", - "dlv" if args.lookaside else "ds", "-q", - zone + "." + args.lookaside if args.lookaside else zone] + cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone] fp, _ = Popen(cmd, stdout=PIPE).communicate() for line in fp.splitlines(): if type(line) is not str: line = line.decode('ascii') - rrlist.append(SECRR(line, args.lookaside)) + rrlist.append(SECRR(line)) rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg)) klist = [] @@ -117,8 +99,6 @@ def check(zone, args): cmd = [args.dsfromkey] for algo in args.algo: cmd += ['-a', algo] - if args.lookaside: - cmd += ["-l", args.lookaside] if args.masterfile: cmd += ["-f", args.masterfile, zone] @@ -132,7 +112,7 @@ def check(zone, args): for line in fp.splitlines(): if type(line) is not str: line = line.decode('ascii') - klist.append(SECRR(line, args.lookaside)) + klist.append(SECRR(line)) if len(klist) < 1: print("No DNSKEY records found in zone apex") @@ -182,8 +162,6 @@ def parse_args(): type=str, help='path to \'dnssec-dsfromkey\'') parser.add_argument('-f', '--file', dest='masterfile', type=str, help='zone master file') - parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, - help='DLV lookaside zone') parser.add_argument('-s', '--dsset', dest='dssetfile', type=str, help='prepared DSset file') parser.add_argument('-v', '--version', action='version', @@ -191,8 +169,6 @@ def parse_args(): args = parser.parse_args() args.zone = args.zone.strip('.') - if args.lookaside: - args.lookaside = args.lookaside.strip('.') return args diff --git a/bin/tests/system/checkds/dig.bat b/bin/tests/system/checkds/dig.bat index bf07a4f153..9465a46025 100755 --- a/bin/tests/system/checkds/dig.bat +++ b/bin/tests/system/checkds/dig.bat 
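Review bot: The new `cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]` is still handed to `Popen(cmd, stdout=PIPE).communicate()` with the exit status discarded, so a dig that cannot reach the server and exits non-zero yields an empty `fp`, and the check proceeds as though the zone simply had no DS records — the very condition the tool exists to report. Keeping the process object and testing `returncode` separates "lookup failed" from "no records"; the `dsfromkey` invocation built in the @@ -117,8 hunk presumably runs through the same pattern and would benefit from the same check. The `SECRR(line)` calls here and in @@ -132,7 also let the constructor's bare `Exception` escape, so one unparseable line aborts the run with a traceback instead of a message. `check` continues outside the hunk on both sides.
```python
    else:
        cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]
        proc = Popen(cmd, stdout=PIPE)
        fp, _ = proc.communicate()
        if proc.returncode != 0:
            raise RuntimeError('%s exited with status %d' % (args.dig, proc.returncode))
    # … unchanged: per-line decode and SECRR construction …
```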
@@ -9,8 +9,6 @@ if "%arg:~0,1%" == "+" goto next if "%arg%" == "-t" goto next if "%arg%" == "ds" goto ds if "%arg%" == "DS" goto ds -if "%arg%" == "dlv" goto dlv -if "%arg%" == "DLV" goto dlv if "%arg%" == "dnskey" goto dnskey if "%arg%" == "DNSKEY" goto dnskey set file=%arg% @@ -20,10 +18,6 @@ goto next set ext=ds goto next -:dlv -set ext=dlv -goto next - :dnskey set ext=dnskey goto next diff --git a/bin/tests/system/checkds/dig.pl b/bin/tests/system/checkds/dig.pl index 35cf973e5d..7312f02421 100644 --- a/bin/tests/system/checkds/dig.pl +++ b/bin/tests/system/checkds/dig.pl @@ -24,10 +24,6 @@ foreach $arg (@ARGV) { $ext = "ds"; next; } - if ($arg =~ /^dlv$/i) { - $ext = "dlv"; - next; - } if ($arg =~ /^dnskey$/i) { $ext = "dnskey"; next; diff --git a/bin/tests/system/checkds/dig.sh b/bin/tests/system/checkds/dig.sh index 41354fa627..e6fd84e2f0 100755 --- a/bin/tests/system/checkds/dig.sh +++ b/bin/tests/system/checkds/dig.sh @@ -14,7 +14,6 @@ while [ "$#" != 0 ]; do +*) shift ;; -t) shift ;; DS|ds) ext=ds ; shift ;; - DLV|dlv) ext=dlv ; shift ;; DNSKEY|dnskey) ext=dnskey ; shift ;; *) file=$1 ; shift ;; esac diff --git a/bin/tests/system/checkds/missing.example.dlv.example.dlv.db b/bin/tests/system/checkds/missing.example.dlv.example.dlv.db deleted file mode 100644 index 5dd94621c6..0000000000 --- a/bin/tests/system/checkds/missing.example.dlv.example.dlv.db +++ /dev/null @@ -1,2 +0,0 @@ -missing.example.dlv.example. 3600 IN DLV 12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7 -missing.example.dlv.example. 3600 IN DLV 12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200 diff --git a/bin/tests/system/checkds/none.example.dlv.example.dlv.db b/bin/tests/system/checkds/none.example.dlv.example.dlv.db deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/bin/tests/system/checkds/ok.example.dlv.example.dlv.db b/bin/tests/system/checkds/ok.example.dlv.example.dlv.db deleted file mode 100644 index 5896bcc7b4..0000000000 
--- a/bin/tests/system/checkds/ok.example.dlv.example.dlv.db +++ /dev/null @@ -1,2 +0,0 @@ -ok.example.dlv.example. 3600 IN DLV 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390 -ok.example.dlv.example. 3600 IN DLV 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 diff --git a/bin/tests/system/checkds/tests.sh b/bin/tests/system/checkds/tests.sh index 1d46bc53c4..b205d25cde 100644 --- a/bin/tests/system/checkds/tests.sh +++ b/bin/tests/system/checkds/tests.sh @@ -43,24 +43,6 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking for correct DLV, looking up key via 'dig' ($n)" -ret=0 -$CHECKDS -l dlv.example ok.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking for correct DLV, obtaining key from file ($n)" -ret=0 -$CHECKDS -l dlv.example -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - echo_i "checking for incorrect DS, looking up key via 'dig' ($n)" ret=0 $CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1 
@@ -79,24 +61,6 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)" -ret=0 -$CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking for incorrect DLV, obtaining key from file ($n)" -ret=0 -$CHECKDS -l dlv.example -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1 -grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - echo_i "checking for partially missing DS, looking up key via 'dig' ($n)" ret=0 $CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1 
@@ -119,28 +83,6 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)" -ret=0 -$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking for partially missing DLV, obtaining key from file ($n)" -ret=0 -$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)" ret=0 $CHECKDS none.example > checkds.out.$n 2>&1 && ret=1 
@@ -159,24 +101,6 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)" -ret=0 -$CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -echo_i "checking for entirely missing DLV, obtaining key from file ($n)" -ret=0 -$CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1 -grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - echo_i "checking with prepared dsset file ($n)" ret=0 $CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1 diff --git a/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db b/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db deleted file mode 100644 index 096969b415..0000000000 --- a/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db +++ /dev/null @@ -1,2 +0,0 @@ -wrong.example.dlv.example. 3600 IN DLV 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC -wrong.example.dlv.example. 3600 IN DLV 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C diff --git a/util/copyrights b/util/copyrights index ce505528e3..2c84376481 100644 --- a/util/copyrights +++ b/util/copyrights 
@@ -426,20 +426,16 @@
 ./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019
 ./bin/tests/system/checkds/dig.pl PERL 2014,2016,2017,2018,2019
 ./bin/tests/system/checkds/dig.sh SH 2012,2013,2016,2017,2018,2019
-./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/missing.example.ds.db X 2012,2018,2019
-./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/none.example.ds.db X 2012,2018,2019
-./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/ok.example.ds.db X 2012,2018,2019
 ./bin/tests/system/checkds/prep.example.db X 2017,2018,2019
 ./bin/tests/system/checkds/prep.example.ds.db X 2017,2018,2019
 ./bin/tests/system/checkds/setup.sh SH 2012,2013,2014,2016,2018,2019
 ./bin/tests/system/checkds/tests.sh SH 2012,2013,2014,2016,2017,2018,2019
-./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018,2019
 ./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018,2019
 ./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018,2019
 ./bin/tests/system/checknames/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019