1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
|
# ZCTEST 1.0
# $Id: dnssec.rb,v 1.9 2010/06/25 08:41:04 chabannf Exp $
#
# CONTACT : zonecheck@nic.fr
# AUTHOR : Stephane D'Alu <sdalu@nic.fr>
#
# CREATED : 2002/08/02 13:58:17
# REVISION : $Revision: 1.9 $
# DATE : $Date: 2010/06/25 08:41:04 $
#
# CONTRIBUTORS: (see also CREDITS file)
#
#
# LICENSE : GPL v3
# COPYRIGHT : AFNIC (c) 2003
#
# This file is part of ZoneCheck.
#
# ZoneCheck is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# ZoneCheck is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ZoneCheck; if not, write to the Free Software Foundation,
# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
require 'framework'
require 'time'
module CheckDNSSEC
##
## Check domain NS records
##
class DNSSEC < Test
with_msgcat 'test/dnssec.%s'
#-- Checks --------------------------------------------------
def chk_edns(ns, ip)
# begin
msg = Dnsruby::Message::new(@domain.name, "ANY")
optrr = Dnsruby::RR::OPT.new(4096)
optrr.dnssec_ok = true
msg.add_additional(optrr)
msg.do_caching = false
resolver = Dnsruby::Resolver::new({:nameserver => ip.to_s})
resolver.do_caching = false
resolver.dnssec = false
ret = resolver.send_message(msg)
resolver = nil
return false if ret.nil? || ret.additional.empty?
ret.additional.each { |add|
return true if add.type == "OPT" && add.payloadsize > 1024
}
return false
# rescue Dnsruby::ResolvError, Dnsruby::ResolvTimeout
# return false
# end
end
def chk_has_soa_rrsig(ns, ip)
ret = rrsig(ip,"SOA")
is_not_empty = ! ret.empty?
#return {"dig" => ret.to_s} unless is_not_empty
return is_not_empty
end
def chk_one_dnskey(ns, ip)
! dnskey(ip).empty?
end
def chk_several_dnskey(ns, ip)
dnskey(ip).size >= 2
end
def chk_zsk_and_ksk(ns, ip)
zsk = false
ksk = false
dnskey(ip).each { |key|
zsk = true if key.flags%2 == 1
ksk = true if key.flags%2 == 0
}
#return { "dig" => dnskey(ip) } unless zsk && ksk
return zsk && ksk
end
def chk_algorithm(ns,ip)
rrsig(ip,"SOA").each {|sig|
if [Dnsruby::Algorithms.RSASHA1,
Dnsruby::Algorithms.RSASHA256,
Dnsruby::Algorithms.RSASHA512,
Dnsruby::Algorithms.RSASHA1_NSEC3_SHA1,
Dnsruby::Algorithms.DSA,
Dnsruby::Algorithms.DSA_NSEC3_SHA1].include?(sig.algorithm)
return true
end
}
return {"error" => $mc.get('dnssec:algorithm:unknown')}
end
def chk_key_length(ns,ip)
keys = dnskey(ip)
keys.each {|key|
pkey = key.public_key
case key.algorithm
when Dnsruby::Algorithms.RSASHA1
if key.key_length < 1024 && !(key.sep_key?)
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA 1"}
elsif key.key_length < 2048 && key.sep_key?
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA 1"}
end
when Dnsruby::Algorithms.RSASHA256
if key.key_length < 1024 && !(key.sep_key?)
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA 256"}
elsif key.key_length < 2048 && key.sep_key?
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA 256"}
end
when Dnsruby::Algorithms.RSASHA512
if key.key_length < 1024 && !(key.sep_key?)
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA 512"}
elsif key.key_length < 2048 && key.sep_key?
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA 512"}
end
when Dnsruby::Algorithms.RSASHA1_NSEC3_SHA1
if key.key_length < 1024 && !(key.sep_key?)
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA1 NSEC3 SHA1"}
elsif key.key_length < 2048 && key.sep_key?
return {"keylength" => key.key_length.to_s,
"algo" => "RSA SHA1 NSEC3 SHA1"}
end
when Dnsruby::Algorithms.DSA
if key.key_length < 1024 && !(key.sep_key?)
return {"keylength" => key.key_length.to_s,
"algo" => "DSA"}
elsif key.key_length < 2048 && key.sep_key?
return {"keylength" => key.key_length.to_s,
"algo" => "DSA"}
end
when Dnsruby::Algorithms.DSA_NSEC3_SHA1
if key.key_length < 1024 && !(key.sep_key?)
return {"keylength" => key.key_length.to_s,
"algo" => "DSA NSEC3 SHA1"}
elsif key.key_length < 2048 && key.sep_key?
return {"keylength" => key.key_length.to_s,
"algo" => "DSA NSEC3 SHA1"}
end
end
}
true
end
def chk_soa_rrsig_expiration(ns,ip)
sig = rrsig(ip,"SOA")[0]
return true if Time::now.to_i < sig.expiration - 0.1 * (sig.expiration - sig.inception)
{ "date" => Time.at(sig.expiration) }
end
def chk_soa_rrsig_validity_period(ns,ip)
sig = rrsig(ip,"SOA")[0]
min = const('rrsig:validityperiod:min').to_i
max = const('rrsig:validityperiod:max').to_i
return true if (sig.expiration - sig.inception) > min &&
(sig.expiration - sig.inception) > sig.ttl &&
(sig.expiration - sig.inception) < max
{ "period" => (sig.expiration - sig.inception),
"min" => min,
"max" => max,
"ttl" => sig.ttl }
end
def chk_verify_soa_rrsig(ns,ip)
begin
sv = Dnsruby::SingleVerifier::new(Dnsruby::SingleVerifier::VerifierType::ANCHOR)
soa = soa(ip).resource
soa_rrsig = rrsig(ip,"SOA")[0].resource
return false if soa_rrsig.nil?
key = nil
dnskey(ip).each { |keyTemp|
key = keyTemp.resource if keyTemp.resource.key_tag == soa_rrsig.key_tag
}
soa_rrset = Dnsruby::RRSet::new(soa)
soa_rrset.add(soa_rrsig)
return false if key.nil? || soa_rrset.nil?
return sv.verify_rrset(soa_rrset,key)
rescue Dnsruby::VerifyError => e
return false
end
end
def chk_ds_and_dnskey_coherence(ns,ip)
if !(given_ds.nil?)
if !(given_dnskey.nil?)
given_dnskey.name = @domain.name
given_ds.name = @domain.name
new_dnskey = nil
is_in_zone = false
dnskey(ip).each {|keytemp|
if keytemp.key == given_dnskey.key && keytemp.sep_key?
new_dnskey = keytemp
is_in_zone = true
end
}
return false unless is_in_zone && !(new_dnskey.nil?)
dstemp = Dnsruby::RR::DS.new()
dstemp.init_defaults
dstemp.name = @domain.name
dstemp.digest= dstemp.digest_key(new_dnskey,given_ds.digest_type).unpack("H*")[0]
unless (given_ds.digest.upcase == dstemp.digest.upcase)
return false
end
return true
else
dnskey(ip).each {|keytemp|
given_ds.name = @domain.name
dstemp = Dnsruby::RR::DS.from_key(keytemp, given_ds.digest_type)
if (given_ds.digest.upcase == dstemp.digest.upcase)
return true
else
end
}
return false
end
elsif !(given_dnskey.nil?)
given_dnskey.name = @domain.name
dnskey(ip).each {|keytemp|
return true if keytemp.key == given_dnskey.key && keytemp.sep_key?
}
return false
else
return false
end
end
def tst_dnssec_policy(ns,ip)
if is_dnssec_mandatory?
if edns == "never"
raise ArgumentError, 'Conflict between --edns never and --securedelegation, try with --edns always or auto'
end
return "full"
else
unless edns == "never"
begin
ret = rrsig(ip,"SOA")
is_not_empty = ! ret.empty?
return "off" unless is_not_empty
return "lax" if is_not_empty
rescue Dnsruby::ResolvError => e
return "off"
rescue Dnsruby::ResolvTimeout => e
return "off"
end
else
return "off"
end
end
end
def tst_a_ds_or_dnskey_is_given(ns,ip)
if given_ds.nil? && given_dnskey.nil?
return "false"
else
return "true"
end
end
end
end
|
