
pdnssec check-zone: check for a missing NS RRset at the zone apex and for records in unlikely places (SOA or DNSKEY below the apex, DS at the apex)
1 parent bcf9daf commit 08f3452fc325412d03e63ce45e524f29f0de4629 @mind04 mind04 committed with mind04 Sep 29, 2013
Showing with 25 additions and 0 deletions.
  1. +25 −0 pdns/pdnssec.cc
@@ -340,6 +340,8 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
DNSResourceRecord rr;
uint64_t numrecords=0, numerrors=0, numwarnings=0;
+
+ bool hasNsAtApex = false;
set<string> records, cnames, noncnames;
map<string, unsigned int> ttl;
@@ -383,6 +385,24 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
continue;
}
+ if(pdns_iequals(rr.qname, zone)) {
+ if (rr.qtype.getCode() == QType::NS) {
+ hasNsAtApex=true;
+ } else if (rr.qtype.getCode() == QType::DS) {
+ cout<<"[Warning] DS at apex in zone '"<<zone<<"', should no be here."<<endl;
+ numwarnings++;
+ }
+ } else {
+ if (rr.qtype.getCode() == QType::SOA) {
+ cout<<"[Error] SOA record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"'"<<endl;
+ numerrors++;
+ continue;
+ } else if (rr.qtype.getCode() == QType::DNSKEY) {
+ cout<<"[Warning] DNSKEY record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"', should not be here."<<endl;
+ numwarnings++;
+ }
+ }
+
if (rr.qtype.getCode() == QType::CNAME) {
if (!cnames.count(toLower(rr.qname)))
cnames.insert(toLower(rr.qname));
@@ -482,6 +502,11 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
}
}
+ if(!hasNsAtApex) {
+ cout<<"[Error] No NS record at zone apex in zone '"<<zone<<"'"<<endl;
+ numerrors++;
+ }
+
cout<<"Checked "<<numrecords<<" records of '"<<zone<<"', "<<numerrors<<" errors, "<<numwarnings<<" warnings."<<endl;
return numerrors;
}
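Review bot: The new DS-at-apex warning carries a typo in its user-facing text, `cout<<"[Warning] DS at apex in zone '"<<zone<<"', should no be here."<<endl;` should read `"', should not be here."` so it matches the DNSKEY message a few lines below. While touching it, a one-line why-comment would help operators who do not know the DNSSEC rule: `// The DS for this zone belongs in the parent's delegation, never at the child's own apex.` The `continue` after the SOA-not-at-apex error skips every later per-record check (CNAME handling and whatever follows) for that record, whereas the DNSKEY case falls through; that asymmetry looks deliberate, but if so a short comment such as `// a stray SOA is already fatal for the zone; skip the remaining per-record checks` would keep someone from "fixing" it later. checkZone starts before the first hunk and the record loop continues outside it, so I cannot see whether the earlier `continue` at the top of the loop filters out records that would otherwise affect hasNsAtApex.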
