mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

remove DLV support from dnssec-checkds

Browse Source
This commit is contained in:
Evan Hunt 2019-08-07 12:19:19 -07:00
parent a73350a210
commit 0b2b6b2ed1
11 changed files with 12 additions and 144 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
bin/python/dnssec-checkds.docbook
View File

@ -59,9 +59,8 @@
<refsection><info><title>DESCRIPTION</title></info>
<para><command>dnssec-checkds</command>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
zone.
verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
</para>
</refsection>
@ -74,7 +73,7 @@
<listitem>
<para>
Specify a digest algorithm to use when converting the
zone's DNSKEY records to expected DS or DLV records. This
zone's DNSKEY records to expected DS records. This
option can be repeated, so that multiple records are
checked for each DNSKEY record.
</para>
@ -98,16 +97,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">file</replaceable></term>
<listitem>

38
bin/python/isc/checkds.py.in
View File

@ -21,7 +21,7 @@ prog = 'dnssec-checkds'
############################################################################
# SECRR class:
# Class for DS/DLV resource record
# Class for DS resource record
############################################################################
class SECRR:
hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'}
@ -33,7 +33,7 @@ class SECRR:
digest = ''
ttl = 0
def __init__(self, rrtext, dlvname = None):
def __init__(self, rrtext):
if not rrtext:
raise Exception
@ -45,22 +45,6 @@ class SECRR:
if len(fields) < 7:
raise Exception
if dlvname:
self.rrtype = "DLV"
self.dlvname = dlvname.lower()
parent = fields[0].lower().strip('.').split('.')
parent.reverse()
dlv = dlvname.split('.')
dlv.reverse()
while len(dlv) != 0 and len(parent) != 0 and parent[0] == dlv[0]:
parent = parent[1:]
dlv = dlv[1:]
if dlv:
raise Exception
parent.reverse()
self.parent = '.'.join(parent)
self.rrname = self.parent + '.' + self.dlvname + '.'
else:
self.rrtype = "DS"
self.rrname = fields[0].lower()
@ -91,9 +75,9 @@ class SECRR:
############################################################################
# check:
# Fetch DS/DLV RRset for the given zone from the DNS; fetch DNSKEY
# Fetch DS RRset for the given zone from the DNS; fetch DNSKEY
# RRset from the masterfile if specified, or from DNS if not.
# Generate a set of expected DS/DLV records from the DNSKEY RRset,
# Generate a set of expected DS records from the DNSKEY RRset,
# and report on congruency.
############################################################################
def check(zone, args):
@ -101,15 +85,13 @@ def check(zone, args):
if args.dssetfile:
fp = open(args.dssetfile).read()
else:
cmd = [args.dig, "+noall", "+answer", "-t",
"dlv" if args.lookaside else "ds", "-q",
zone + "." + args.lookaside if args.lookaside else zone]
cmd = [args.dig, "+noall", "+answer", "-t", "ds", "-q", zone]
fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
rrlist.append(SECRR(line, args.lookaside))
rrlist.append(SECRR(line))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
klist = []
@ -117,8 +99,6 @@ def check(zone, args):
cmd = [args.dsfromkey]
for algo in args.algo:
cmd += ['-a', algo]
if args.lookaside:
cmd += ["-l", args.lookaside]
if args.masterfile:
cmd += ["-f", args.masterfile, zone]
@ -132,7 +112,7 @@ def check(zone, args):
for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
klist.append(SECRR(line, args.lookaside))
klist.append(SECRR(line))
if len(klist) < 1:
print("No DNSKEY records found in zone apex")
@ -182,8 +162,6 @@ def parse_args():
type=str, help='path to \'dnssec-dsfromkey\'')
parser.add_argument('-f', '--file', dest='masterfile', type=str,
help='zone master file')
parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,
help='DLV lookaside zone')
parser.add_argument('-s', '--dsset', dest='dssetfile', type=str,
help='prepared DSset file')
parser.add_argument('-v', '--version', action='version',
@ -191,8 +169,6 @@ def parse_args():
args = parser.parse_args()
args.zone = args.zone.strip('.')
if args.lookaside:
args.lookaside = args.lookaside.strip('.')
return args

6
bin/tests/system/checkds/dig.bat
View File

@ -9,8 +9,6 @@ if "%arg:~0,1%" == "+" goto next
if "%arg%" == "-t" goto next
if "%arg%" == "ds" goto ds
if "%arg%" == "DS" goto ds
if "%arg%" == "dlv" goto dlv
if "%arg%" == "DLV" goto dlv
if "%arg%" == "dnskey" goto dnskey
if "%arg%" == "DNSKEY" goto dnskey
set file=%arg%
@ -20,10 +18,6 @@ goto next
set ext=ds
goto next
:dlv
set ext=dlv
goto next
:dnskey
set ext=dnskey
goto next

4
bin/tests/system/checkds/dig.pl
View File

@ -24,10 +24,6 @@ foreach $arg (@ARGV) {
$ext = "ds";
next;
}
if ($arg =~ /^dlv$/i) {
$ext = "dlv";
next;
}
if ($arg =~ /^dnskey$/i) {
$ext = "dnskey";
next;

1
bin/tests/system/checkds/dig.sh
View File

@ -14,7 +14,6 @@ while [ "$#" != 0 ]; do
+*) shift ;;
-t) shift ;;
DS|ds) ext=ds ; shift ;;
DLV|dlv) ext=dlv ; shift ;;
DNSKEY|dnskey) ext=dnskey ; shift ;;
*) file=$1 ; shift ;;
esac

2
bin/tests/system/checkds/missing.example.dlv.example.dlv.db
View File

@ -1,2 +0,0 @@
missing.example.dlv.example. 3600 IN DLV 12892 5 1 9D4CD60491D372207FA584D2EE460CC51D7FF8A7
missing.example.dlv.example. 3600 IN DLV 12892 5 2 EF59E5C70BC4153B7DB4C11F9C36B729577DA71474E0A5C9B8875173 6E583200

0
bin/tests/system/checkds/none.example.dlv.example.dlv.db
View File

2
bin/tests/system/checkds/ok.example.dlv.example.dlv.db
View File

@ -1,2 +0,0 @@
ok.example.dlv.example. 3600 IN DLV 12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
ok.example.dlv.example. 3600 IN DLV 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13

76
bin/tests/system/checkds/tests.sh
View File

@ -43,24 +43,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for correct DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example ok.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for correct DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f ok.example.dnskey.db ok.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
@ -79,24 +61,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for incorrect DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f wrong.example.dnskey.db wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
@ -119,28 +83,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for partially missing DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
@ -159,24 +101,6 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking with prepared dsset file ($n)"
ret=0
$CHECKDS -f prep.example.db -s prep.example.ds.db prep.example > checkds.out.$n 2>&1 || ret=1

2
bin/tests/system/checkds/wrong.example.dlv.example.dlv.db
View File

@ -1,2 +0,0 @@
wrong.example.dlv.example. 3600 IN DLV 1192 5 1 684BB5119673C9272A0A7582AF8576561B5D80EC
wrong.example.dlv.example. 3600 IN DLV 1192 5 2 14E4A873360E512CD2E8C2C331C4472F5EDAB0736669901F4D42E976 3D7B1F5C

4
util/copyrights
View File

@ -426,20 +426,16 @@
./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019
./bin/tests/system/checkds/dig.pl PERL 2014,2016,2017,2018,2019
./bin/tests/system/checkds/dig.sh SH 2012,2013,2016,2017,2018,2019
./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/missing.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/prep.example.db X 2017,2018,2019
./bin/tests/system/checkds/prep.example.ds.db X 2017,2018,2019
./bin/tests/system/checkds/setup.sh SH 2012,2013,2014,2016,2018,2019
./bin/tests/system/checkds/tests.sh SH 2012,2013,2014,2016,2017,2018,2019
./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018,2019
./bin/tests/system/checknames/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019