diff --git a/common.h b/common.h
index 81fe65e..06f244a 100644
--- a/common.h
+++ b/common.h
@@ -21,7 +21,7 @@ struct file_info
 extern struct file_info *file_info;
-#define N_POLICY_CHECKS 9
+#define N_POLICY_CHECKS 10
 #define POLICY_SINGLE_NS 0
 #define POLICY_CNAME_OTHER_DATA 1
@@ -32,6 +32,7 @@ extern struct file_info *file_info;
 #define POLICY_DNAME 6
 #define POLICY_DNSKEY 7
 #define POLICY_TLSA_HOST 8
+#define POLICY_KSK_EXISTS 9
 #define MAX_TIMES_TO_CHECK 32
diff --git a/dnskey.c b/dnskey.c
index 1f81c91..a8fa298 100644
--- a/dnskey.c
+++ b/dnskey.c
@@ -20,6 +20,8 @@
 #include "carp.h"
 #include "rr.h"
+static struct rr_dnskey *all_dns_keys = NULL;
+
 static struct rr* dnskey_parse(char *name, long ttl, int type, char *s)
 {
 struct rr_dnskey *rr = getmem(sizeof(*rr));
@@ -27,6 +29,7 @@ static struct rr* dnskey_parse(char *name, long ttl, int type, char *s)
 int flags, proto, algorithm;
 unsigned int ac;
 int i;
+ static struct rr *result;
 flags = extract_integer(&s, "flags");
 if (flags < 0) return NULL;
@@ -68,11 +71,17 @@ static struct rr* dnskey_parse(char *name, long ttl, int type, char *s)
 rr->pkey_built = 0;
 rr->pkey = NULL;
+ rr->key_type = KEY_TYPE_UNUSED;
 if (*s) {
 return bitch("garbage after valid DNSKEY data");
 }
- return store_record(type, name, ttl, rr);
+ result = store_record(type, name, ttl, rr);
+ if (result) {
+ rr->next_key = all_dns_keys;
+ all_dns_keys = rr;
+ }
+ return result;
 }
 static char* dnskey_human(struct rr *rrv)
@@ -187,3 +196,18 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
 return rr->pkey ? 1 : 0;
 }
+void
+dnskey_ksk_policy_check(void)
+{
+ struct rr_dnskey *rr = all_dns_keys;
+ int ksk_found = 0;
+ while (rr) {
+ if (rr->key_type == KEY_TYPE_KSK)
+ ksk_found = 1;
+ rr = rr->next_key;
+ }
+ if (!ksk_found)
+ moan(all_dns_keys->rr.file_name, all_dns_keys->rr.line, "No KSK found");
+}
+
diff --git a/main.c b/main.c
index 435ce78..8f04578 100644
--- a/main.c
+++ b/main.c
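Review bot: `static struct rr *result;` in the second dnskey.c hunk turns a per-call temporary into file-scope storage that every call to dnskey_parse writes and then dereferences; the usage text in this same diff advertises `-n N` worker threads, and if parsing is distributed over them this is a data race on the pointer, so a key could be linked under another thread's result. Nothing needs the value to outlive the call, so drop the qualifier: `struct rr *result;`. The push onto `all_dns_keys` in the third hunk has the same exposure if dnskey_parse can run concurrently — the two stores are not atomic and a key can be lost, which would later surface as a false "No KSK found" — so if store_record serialises its own table update, the push belongs under the same lock. dnskey_parse's body starts outside the hunk.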
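Review bot: `moan(all_dns_keys->rr.file_name, all_dns_keys->rr.line, "No KSK found")` in the last dnskey.c hunk dereferences all_dns_keys, which is NULL exactly when the zone contained no DNSKEY record at all — the strongest form of the condition this check exists to report. The caller in main.c gates on G.dnssec_active, and whether that flag implies at least one parsed DNSKEY is not visible in this diff; the t/test.pl hunk has no case for a zone with RRSIG or NSEC data but no DNSKEY. Guard the empty list before reading a location from it, `if (!ksk_found && all_dns_keys)` for the located report, and report the empty list through whichever carp.h routine takes no file position. A header comment would also help readers, along the lines of `/* Policy check: at least one DNSKEY tagged KEY_TYPE_KSK by verify_all_keys() must exist; the reported location is that of the most recently parsed DNSKEY, since the list is pushed at the head. */`.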
@@ -248,6 +248,8 @@ void usage(char *err)
 fprintf(stderr, "\t\t\tmx-alias\n");
 fprintf(stderr, "\t\t\tns-alias\n");
 fprintf(stderr, "\t\t\trp-txt-exists\n");
+ fprintf(stderr, "\t\t\ttlsa-host\n");
+ fprintf(stderr, "\t\t\tksk-exists\n");
 fprintf(stderr, "\t\t\tall\n");
 fprintf(stderr, "\t-n N\t\tuse N worker threads\n");
@@ -369,6 +371,8 @@ main(int argc, char **argv)
 G.opt.policy_checks[POLICY_RP_TXT_EXISTS] = 1;
 } else if (strcmp(optarg, "tlsa-host") == 0) {
 G.opt.policy_checks[POLICY_TLSA_HOST] = 1;
+ } else if (strcmp(optarg, "ksk-exists") == 0) {
+ G.opt.policy_checks[POLICY_KSK_EXISTS] = 1;
 } else {
 usage("unknown policy name");
 }
@@ -417,6 +421,9 @@ main(int argc, char **argv)
 if (first_nsec3) nsec3_validate(&first_nsec3->rr);
 perform_remaining_nsec3checks();
 }
+ if (G.dnssec_active && G.opt.policy_checks[POLICY_KSK_EXISTS]) {
+ dnskey_ksk_policy_check();
+ }
 gettimeofday(&stop, NULL);
 if (G.opt.summary) {
 printf("records found: %d\n", G.stats.rr_count);
diff --git a/rr.h b/rr.h
index fb17836..717a4e7 100644
--- a/rr.h
+++ b/rr.h
@@ -458,10 +458,18 @@ struct rr_dnskey
 uint16_t key_tag;
 int pkey_built;
 void *pkey;
+ /* extras */
+ int key_type;
+ struct rr_dnskey *next_key;
 };
 extern struct rr_methods dnskey_methods;
+#define KEY_TYPE_UNUSED 0
+#define KEY_TYPE_KSK 1
+#define KEY_TYPE_ZSK 2
+
 int dnskey_build_pkey(struct rr_dnskey *rr);
+void dnskey_ksk_policy_check(void);
 struct rr_ds {
diff --git a/rrsig.c b/rrsig.c
index 111a9df..ed4333a 100644
--- a/rrsig.c
+++ b/rrsig.c
@@ -434,6 +434,12 @@ void verify_all_keys(void)
 unsigned long e = 0;
 for (i = 0; i < k->n_keys; i++) {
 if (k->to_verify[i].ok) {
+ if (k->to_verify[i].rr->rr.rr_set->named_rr->flags & NAME_FLAG_APEX) {
+ if (k->to_verify[i].key->key_type == KEY_TYPE_UNUSED)
+ k->to_verify[i].key->key_type = KEY_TYPE_KSK;
+ } else {
+ k->to_verify[i].key->key_type = KEY_TYPE_ZSK;
+ }
 ok = 1;
 break;
 } else {
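Review bot: The KSK/ZSK tagging in the rrsig.c hunk depends on evaluation order rather than on the key itself: the existing `break` means only the first entry with `.ok` in `k->to_verify` is tagged, a key is marked KSK only while still KEY_TYPE_UNUSED, and any non-apex verification overwrites it with KEY_TYPE_ZSK. If to_verify can hold both signers of the apex DNSKEY RRset (the fixture in this diff carries RRSIGs over DNSKEY from both 64232 and 7686) and the ZSK entry is tried first, the KSK stays UNUSED and the new policy check reports "No KSK found" on a correctly signed zone; conversely a ZSK that signs the apex SOA is tagged KSK until a non-apex verification corrects it. Since dnskey_parse already extracts the `flags` word, the SEP bit (the 257 versus 256 the fixture itself labels as KSK and ZSK) is a more stable basis for KSK identification, with the apex-signing heuristic kept as a fallback. verify_all_keys starts and ends outside the hunk.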
diff --git a/t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.key b/t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.key
new file mode 100644
index 0000000..38a0df9
--- /dev/null
+++ b/t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 7686, for example.sec.
+; Created: 20150630133112 (Tue Jun 30 15:31:12 2015)
+; Publish: 20150630133112 (Tue Jun 30 15:31:12 2015)
+; Activate: 20150630133112 (Tue Jun 30 15:31:12 2015)
+example.sec. IN DNSKEY 257 3 7 AwEAAciLWglw17dt8EDAN88BrQYCIaGPifC4pxrizfz3S1cC4XbSyRW5 loj5SSHVveUmmIV90MTEOhGCDUVq/qiYG7NgTNHn3YiqyRU3sirw4SAC Fiwln/ejxFDpQkeAbZMCzU8FQhTIB1K9y7QRiLacI6naULzgP3h4PsdQ SQmw3/TWy973M+lHzwkgVq6ML42L18rGG0sn1KQDNSs/6sd9dcRjPo7u J2OuUsnbu/5N3vWYLciSBUnY27FUvbFLkVIq072wjUMIb0Xc2EgYGRFK yV2MMckLvoD7vPclBE0Krv9fO/B2/KXsbObTgz4m5iQNF45QLU02kmvw B4iyIzIk9O0=
diff --git a/t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.private b/t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.private
new file mode 100644
index 0000000..8ddfd32
--- /dev/null
+++ b/t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.private
@@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: yItaCXDXt23wQMA3zwGtBgIhoY+J8LinGuLN/PdLVwLhdtLJFbmWiPlJIdW95SaYhX3QxMQ6EYINRWr+qJgbs2BM0efdiKrJFTeyKvDhIAIWLCWf96PEUOlCR4BtkwLNTwVCFMgHUr3LtBGItpwjqdpQvOA/eHg+x1BJCbDf9NbL3vcz6UfPCSBWrowvjYvXysYbSyfUpAM1Kz/qx311xGM+ju4nY65Sydu7/k3e9ZgtyJIFSdjbsVS9sUuRUirTvbCNQwhvRdzYSBgZEUrJXYwxyQu+gPu89yUETQqu/1878Hb8pexs5tODPibmJA0XjlAtTTaSa/AHiLIjMiT07Q== +PublicExponent: AQAB +PrivateExponent: d5kDfRXaz/20hikcH0v0j9y9icg8j17P6WzRQ8eHGsERDPfwDBC+AboJLzB1Ky+1TgcWdgJATyisGXYRoSH1gygvKA+LQnH3sbuheZJl79zOtE1L9TepYEd7y4B/2GiXYETWf+Y619Fwpla+nYjIjAcylzF1KLctWVg79peROEXC0zb+IxWQFIBpe7OzTZ1qxG8ymm6uiu9KXH6qQi3BLSarxj5rY+tO8oj0qQNOGkbSVsXFax0arZ0qMRFT5UooOm+2Yl8Q9Z/PC52qwNqkSDZ2QeoYTJx5tDFhuVJxXhioxGIueA4QuCRA4cRL2U5ZnCYcQa10JFE2O4N990eLUQ== +Prime1: 5LW1fl8ky4bBaIPg48Cq8bXQIvaK5syFTvzzMopuTeD6PGwOByuzc4u9KLVrDRebjeYfNVkqXIJAHMjolOr4jURWp2Q3FUrewqdgyY2ULSLMmQo0+dHkvjJIs2A/6vNme+MtFms6msJjyzj3EhLf32djvCH+jWStP3Vb/jopYWs= +Prime2: 4HlJJB25JSLygHd0GWi8yu0z3FaYhWXnIs8bwpT8er1lH+tsBeYI8ughuX9h19STMRnBhAh0ZlQaKHOrPTsdVOFQJWr6aUbWIAhv5m+ij1IFsQ58DKnsYP0DXiNkR7K4pXO8yzPTo9UfaMCJAKYipENTgpfb43sVBQnDIGr9oQc= +Exponent1: aJpK9g9h7swlLT4T31bBWGeFWFhWUxT7a5L5UAZMSMY67OOmztTH8HLbAwFmgshnVtEHOQkc/M59sCybY3DMWSAGWezV3KEvnOucstJUEQi3ds9aR2AeNHcfFRtSYI0ONF9EwdotJZb+uXXGWrfTOIQ681LA7746FqoAdxf20R0= +Exponent2: QlFS3Iqzglc60d14vXEGJeXCZpxm3zJmARCzIN+nYBPIZo/FEFEP38PZAtaxb3RsMBtt4rYkvX6nY8AYnTRzy/ntFcDvTl8RL9GOTcQ5gKI48EBZQdyJ63WUoyFNpSkWCDuTUW10X3i9mNMZJsnufh0t9O0sl55rbVue/Frfp80= +Coefficient: aLnGdfeRJ3nSjmbby8IDkJ+W+gFGOHd3XAMDSNP9D8kn6B3JyAfY6FDSg0+Bh+F80PFNGsESkYimXlWr3B6NlC0Gq99hPSV8yU2pYHq3TPVB0tWOAkNVIXM9icEH9wshCQH7wD7cPDWvhhgcgo64nYOGYeK6sjTL7XDtRanvbP8= +Created: 20150630133112 +Publish: 20150630133112 +Activate: 20150630133112 diff --git a/t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.key b/t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.key new file mode 100644 index 0000000..f678616 --- /dev/null 
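Review bot: The `.private` halves of both test keys (this hunk and the Kexample.sec.+007+64232.private hunk) are not read by anything in the t/test.pl hunk, which only parses example.sec.signed. If they are kept so the fixture can be re-signed, a one-line comment next to the issue-41 block in t/test.pl stating that the key pairs under t/issues/41-ksk-policy-check are throwaway test material for example.sec would make that clear to readers and to anyone triaging a secret-scanner hit on them. If re-signing is not intended, the `.key` and `dsset-example.sec.` files alone document the fixture.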
+++ b/t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.key @@ -0,0 +1,5 @@ +; This is a zone-signing key, keyid 64232, for example.sec. +; Created: 20150630133105 (Tue Jun 30 15:31:05 2015) +; Publish: 20150630133105 (Tue Jun 30 15:31:05 2015) +; Activate: 20150630133105 (Tue Jun 30 15:31:05 2015) +example.sec. IN DNSKEY 256 3 7 AwEAAaMBYu1QXBi6AII33FKwWpHhOkGMhcVcIWJ73npEFjvDe0jJfLjk ghnij4tMfDI8MPIZ6xwVLYsEshxsDNEJJGdZ1dUvfJDxSCv8Wp0a2Iff xQ5NDRHSpUw27yJoQfI5gUqvor+wGTNCUWx2OU0Y1BOy1whHtVbDl1gt 1R6/8mOZ diff --git a/t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.private b/t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.private new file mode 100644 index 0000000..f9686b7 --- /dev/null +++ b/t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.private @@ -0,0 +1,13 @@ +Private-key-format: v1.3 +Algorithm: 7 (NSEC3RSASHA1) +Modulus: owFi7VBcGLoAgjfcUrBakeE6QYyFxVwhYnveekQWO8N7SMl8uOSCGeKPi0x8Mjww8hnrHBUtiwSyHGwM0QkkZ1nV1S98kPFIK/xanRrYh9/FDk0NEdKlTDbvImhB8jmBSq+iv7AZM0JRbHY5TRjUE7LXCEe1VsOXWC3VHr/yY5k= +PublicExponent: AQAB +PrivateExponent: ATf/b1rMdXreihq00QF0i+atMtREI8eekEfwz+U2bVf20gJ/pjo/JsZk4FvACfgdPZIoCdu2rXVph4DfT6jL1t7sDY/9mfcMd2Zge6eB8Kat3QpdDu4qClgkXFTYFLj2lQ5Bm/b+YbQ8fiPlZovp7YGFodmsjfnNvbT7UiOiSKE= +Prime1: 1wNWdr5FIrew1NTzpbeClZr5NIIoRBpEPsSDCBZpbRDZ944LcjWgrJpVlG1klkp/cR/zcSzrq+637rva30jglQ== +Prime2: whQSB4wqB87wyYrewJLU5qFY5Up/YiZ0iyD4m4OIQMk/K7eXtuqFuSOP4xTR4WAWHIyRixa1F85/eh7y6+9h9Q== +Exponent1: XjHZJEYw9Yex0VvFrdjaPX5aJJXM3CEButnOabGf2Cckxl4VR6CU1mj6iv7trSXP9RhBR1idmoIHVHA57832jQ== +Exponent2: dtzn9etoSoP5gNYmevbyoZWr5jJsNeardhJpcIVsS5F1uQamSob0A2G+XCuCJ3A72pxU/0SXAM+dz2NpEAr6iQ== +Coefficient: egVfeiBCmggrVDolCSvAIg+XEb+YmLcD1SLT5qFLuqCtPKWGDx9lGMbqbx5s2gzeeoAPL1r34pohHNLMCqCNdw== +Created: 20150630133105 +Publish: 20150630133105 +Activate: 20150630133105 diff --git a/t/issues/41-ksk-policy-check/dsset-example.sec. b/t/issues/41-ksk-policy-check/dsset-example.sec. new file mode 100644 index 0000000..ca12ed4 --- /dev/null 
+++ b/t/issues/41-ksk-policy-check/dsset-example.sec.
@@ -0,0 +1,2 @@
+example.sec. IN DS 7686 7 1 51B9CD8F901235705C6D353ADA23736AE954B4DE
+example.sec. IN DS 7686 7 2 9EC80B8BAD67C66954B8FE726E06CA7840282C7F444BE51A916ED11C 36908A3F
diff --git a/t/issues/41-ksk-policy-check/example.sec b/t/issues/41-ksk-policy-check/example.sec
new file mode 100644
index 0000000..67ef41a
--- /dev/null
+++ b/t/issues/41-ksk-policy-check/example.sec
@@ -0,0 +1,12 @@
+$TTL 1d
+@ IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+ IN NS ns1.example.net.
+subA IN NS ns1.example.net.
+subb IN NS ns1.example.net.
+subC IN NS ns1.example.net.
+myMX IN MX 5 mx.example.net.
diff --git a/t/issues/41-ksk-policy-check/example.sec.signed b/t/issues/41-ksk-policy-check/example.sec.signed
new file mode 100644
index 0000000..70e9edd
--- /dev/null
+++ b/t/issues/41-ksk-policy-check/example.sec.signed
@@ -0,0 +1,131 @@ +; File written on Tue Jun 30 15:31:27 2015 +; dnssec_signzone version 9.9.7 +example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( + 1 ; serial + 604800 ; refresh (1 week) + 86400 ; retry (1 day) + 2419200 ; expire (4 weeks) + 604800 ; minimum (1 week) + ) + 86400 RRSIG SOA 7 2 86400 ( + 20150730123127 20150630123127 64232 example.sec. + b1Qs5d/0a4IDAvFPVvDKqWpir4189XoPOD4E + 804eiNXRLP2ShkEUBPil44+6Ikwup5Im24XU + PLnmStjUFHVniicvwbwT/IY4etXR4xNoBHUc + BU8LiADPpZGfJ1tC/s/IHLcPbX21OltyYzi0 + ++z9gxZGy4vCG5gYCH0vm+Q96fY= ) + 86400 NS ns1.example.net. + 86400 RRSIG NS 7 2 86400 ( + 20150730123127 20150630123127 64232 example.sec. + gyqsk3xSnKefnjTOVzJS4sdDFiJ5cPEupSkP + +LGXGRDGrclY6V9mkfddQz3MkeCCjujvQNAi + NpZllyzFj221se5bHLAVydkT0jhl2jgp8bsL + DBk15FGa7SXcwtpXn5rkDvR1/wmS7M/aYnrY + 3j5dTSSsOlZQLENWBEtct9QSNbU= ) + 86400 DNSKEY 256 3 7 ( + AwEAAaMBYu1QXBi6AII33FKwWpHhOkGMhcVc + IWJ73npEFjvDe0jJfLjkghnij4tMfDI8MPIZ + 6xwVLYsEshxsDNEJJGdZ1dUvfJDxSCv8Wp0a + 2IffxQ5NDRHSpUw27yJoQfI5gUqvor+wGTNC + UWx2OU0Y1BOy1whHtVbDl1gt1R6/8mOZ + ) ; ZSK; alg = NSEC3RSASHA1; key id = 64232 + 86400 DNSKEY 257 3 7 ( + AwEAAciLWglw17dt8EDAN88BrQYCIaGPifC4 + pxrizfz3S1cC4XbSyRW5loj5SSHVveUmmIV9 + 0MTEOhGCDUVq/qiYG7NgTNHn3YiqyRU3sirw + 4SACFiwln/ejxFDpQkeAbZMCzU8FQhTIB1K9 + y7QRiLacI6naULzgP3h4PsdQSQmw3/TWy973 + M+lHzwkgVq6ML42L18rGG0sn1KQDNSs/6sd9 + dcRjPo7uJ2OuUsnbu/5N3vWYLciSBUnY27FU + vbFLkVIq072wjUMIb0Xc2EgYGRFKyV2MMckL + voD7vPclBE0Krv9fO/B2/KXsbObTgz4m5iQN + F45QLU02kmvwB4iyIzIk9O0= + ) ; KSK; alg = NSEC3RSASHA1; key id = 7686 + 86400 RRSIG DNSKEY 7 2 86400 ( + 20150730123127 20150630123127 7686 example.sec. 
+ YQ42WBCr7e4MR51W+d6Awkxdff7tTNiA1qfJ + wsst0UiNXKAv504YRcS6B34u4CfG59lWWtcd + +xBHU7Zuox5nehsLEkFAneD1YrJLkgVw03nZ + NzDNWFvlxfQ2/tJ7vGbjKG2cEwUnbJKl+Kcl + JTAc5JzZegfM75M0Z4Yi9NiDjicpHbaICtKJ + 5WZ6T5nVFo1nl2xCq2CiXiR1+jGKARUW+btO + NzHMApLQszDo7CMgvYJoHy0CHAV1Uc7Ka4zO + P3dVYkwu1Puk+gixhNUqo+UhKgLB2JUYdci7 + cQ1JR9RzqEXzyZgGpLmXCOEOc8KD2c2dDN5L + uvOV40OrWhST/bAQ+Q== ) + 86400 RRSIG DNSKEY 7 2 86400 ( + 20150730123127 20150630123127 64232 example.sec. + lKX35bocQ1iR4VTW0Es+2bZ2qX1ON7OGU1fO + Pb0ZqueG2GYgI63VE4Jv3WeOmGg/Tkjvsdb6 + bMHVuVpxHvQKRqqzfaQmY7nzoDe53LfSJewj + p2TvdhvpPRroEZGXXPmVl46R/p+jlYMJd47T + o0oqB/BvQPUS61a5NThagGq6vJM= ) + 0 NSEC3PARAM 1 0 10 - + 0 RRSIG NSEC3PARAM 7 2 0 ( + 20150730123127 20150630123127 64232 example.sec. + hNJlc3JuGYBpnYEZQrhqNwrIL2fBegnnR4ii + TOW+0Km2maqF5ZZMxBZ7x54gW4T0amXXz89+ + uE+l02eknf/FgM81FFOrQvJul0toOzKW9g67 + e2VwQAwcw7g6H06cSsypXM/h9wvsNQpoSdx0 + rq6qU2ruYM9NmJf+xUzUk38AFUw= ) +subA.example.sec. 86400 IN NS ns1.example.net. +subb.example.sec. 86400 IN NS ns1.example.net. +subC.example.sec. 86400 IN NS ns1.example.net. +93GL7KF6D2G7J2PSLEO2CIA70A3MM4KQ.example.sec. 604800 IN NSEC3 1 0 10 - ( + CSLD6RFNKVSKA73DGNI0EOM95Q8DKGBQ + NS ) + 604800 RRSIG NSEC3 7 3 604800 ( + 20150730123127 20150630123127 64232 example.sec. + JRhyC3PbmnvYBkXzV5GmIBnj5LJTnrVeC1t3 + v6t6o+3udfPZRecHw2cApf/Oed8H9jCeox77 + vA13/fLXui635CYAcqXYxVgO4g0au1d1S6lo + N2Pw96JXDNhIqyVBVj1Ii2ZOQLWXZ8YgZRQ6 + lxgww8m0QGC8FjEnzR8z2liSG88= ) +3ED4GMVJJ0FT4TCFDKNFQ5EPEFSDBPNM.example.sec. 604800 IN NSEC3 1 0 10 - ( + 93GL7KF6D2G7J2PSLEO2CIA70A3MM4KQ + NS ) + 604800 RRSIG NSEC3 7 3 604800 ( + 20150730123127 20150630123127 64232 example.sec. + B9L5NrHjO/J6FDmv7DjT1xq/f8jiB2WTEXSl + bFeUVcTivoyvdyfNNTH+YlzJesqTtQ9GaEPQ + ouzw7XbdyvtJ//GD+vrO/7XwfrVmkckQgEVl + zPm70TksAkwLzj0uY6WBIGIPq/KJMM14f6El + ct5w2KtgvF9sazFP+KMchU5Be3Q= ) +myMX.example.sec. 86400 IN MX 5 mx.example.net. + 86400 RRSIG MX 7 3 86400 ( + 20150730123127 20150630123127 64232 example.sec. 
+ lh8vFwFg77gLtLyXbzqzYSlebkzn3yAlXHU2 + /hgiyUWYcuZa5E33Ul+ZrUJPCGLaUQs3X+yL + p/uk6LP2dnMaf/X1mow/tyYNtIdn0MhTYNqs + WmYV1Ga/NSoErtoHYoNgeqV1w0Q/nfhipMdX + RekpxVR6RUUt2d3LS8UIH+pEYd8= ) +CSLD6RFNKVSKA73DGNI0EOM95Q8DKGBQ.example.sec. 604800 IN NSEC3 1 0 10 - ( + JC1M8I9IPBEENK9RDGMN9LQKAMMSQEVV + MX RRSIG ) + 604800 RRSIG NSEC3 7 3 604800 ( + 20150730123127 20150630123127 64232 example.sec. + menCNV7RkbVWmfhuPfoYHfHCEtvQmVb3+p/x + WYVymu5hXUPQ2+K4Ns0jQ+om4GuTmXmm1DYY + IjIXv4jthJoD6jydqN6Hr+tr0ewxr6mHXj3I + RizTBuw4zcgPUrIRVQStkMtwyjN4Nlznhg7I + txZ14uH1G4U1DgkR2oC6YZsSqi8= ) +JC1M8I9IPBEENK9RDGMN9LQKAMMSQEVV.example.sec. 604800 IN NSEC3 1 0 10 - ( + NLF2NKFTCGVVRC4C941FOOCD00TPI9DV + NS SOA RRSIG DNSKEY NSEC3PARAM ) + 604800 RRSIG NSEC3 7 3 604800 ( + 20150730123127 20150630123127 64232 example.sec. + ggLIoKQYmI9GeBkSccVdE87G1QQwGGO0HlrN + dg9Ah5QiWWjZ5icSOU4vyEm0XiqkFCrGEAq0 + 9L4HMOFuELMa28dAhVxOvZldbXizXUSCbWCS + miYFLOIKcQ9IcmzeEgg+uJzHdAyYSSK2Jb+0 + YYuoXOhiZwzluj+u2i6kbf6wDY4= ) +NLF2NKFTCGVVRC4C941FOOCD00TPI9DV.example.sec. 604800 IN NSEC3 1 0 10 - ( + 3ED4GMVJJ0FT4TCFDKNFQ5EPEFSDBPNM + NS ) + 604800 RRSIG NSEC3 7 3 604800 ( + 20150730123127 20150630123127 64232 example.sec. + buRQJjfJDIbRFZFr8s7odGSxqnrSHXXN/AAu + tbG1k2L7WD+DGYFiRnR5Uia/C2oL186PqBtT + R8oDKf/4zr5qOsZz9xYabaBqG98JVXwPTiFk + JBoc7sFcwGJ16hj9Zey05aNs1h5RZm6BL8W0 + 9bRF3qIezckG0VA+U7ASTLNH4ME= ) diff --git a/t/test.pl b/t/test.pl index 6e6f652..16fd266 100644 --- a/t/test.pl +++ b/t/test.pl 
@@ -227,6 +227,19 @@
 run('./validns', @threads, '-t1345815800', 't/issues/25-nsec/example.sec.signed');
 is(rc, 0, 'issue 25 did not come back');
+# issue 41: https://github.com/tobez/validns/issues/41
+run('./validns', @threads, '-t1345815800', '-pksk-exists', 't/issues/25-nsec/example.sec.signed');
+isnt(rc, 0, 'KSK policy check fails');
+@e = split /\n/, stderr;
+like(shift @e, qr/\bNo KSK found\b/, "KSK policy check produces expected error output");
+is(+@e, 0, "no unaccounted errors for KSK policy check");
+
+run('./validns', @threads, '-t1435671103', '-pksk-exists', 't/issues/41-ksk-policy-check/example.sec.signed');
+is(rc, 0, 'signed zone with KSK parses ok when KSK policy check is active');
+
+run('./validns', @threads, '-pksk-exists', 't/zones/galaxyplus.org');
+is(rc, 0, 'unsigned zone ignores KSK policy checks');
+
 # issue 26: https://github.com/tobez/validns/issues/26
 run('./validns', @threads, '-t1349357570', 't/issues/26-spurios-glue/example.sec.signed.no-optout');
 is(rc, 0, 'issue 26 did not come back (NSEC3 NO optout)');
diff --git a/usage.mdwn b/usage.mdwn
index 64ecd9d..51f5295 100644
--- a/usage.mdwn
+++ b/usage.mdwn
@@ -48,6 +48,7 @@ Coming soon.
 - ns-alias
 - rp-txt-exists
 - tlsa-host
+ - ksk-exists
 - all
 -n *N*
@@ -130,6 +131,7 @@ Other basic checks include:
 - TXT domain name mentioned in RP record must have a corresponding TXT record if it is within the zone
 - domain name of a TLSA record must be a proper prefixed DNS name
+- a KSK key must exist in a signed zone
 # BUGS
diff --git a/validns.1 b/validns.1
index 52d8ad9..cf1312b 100644
--- a/validns.1
+++ b/validns.1
@@ -1,4 +1,4 @@
-.TH VALIDNS 1 "April 2011"
+.TH "VALIDNS" "1" "April 2011" "" ""
 .SH NAME
 .PP
 validns \- DNS and DSNSEC zone file validator
@@ -53,6 +53,8 @@ rp\-txt\-exists
 .IP \[bu] 2
 tlsa\-host
 .IP \[bu] 2
+ksk\-exists
+.IP \[bu] 2
 all
 .RE
 .TP
@@ -178,6 +180,8 @@ TXT domain name mentioned in RP record must have a corresponding TXT record
 if it is within the zone
 .IP \[bu] 2
 domain name of a TLSA record must be a proper prefixed DNS name
+.IP \[bu] 2
+a KSK key must exist in a signed zone
 .SH BUGS
 .IP \[bu] 2
 textual segments in \f[I]TXT\f[] and \f[I]HINFO\f[] must be enclosed in