
pdnssec: check for glue and delegations in parent zones

1 parent 10ecb48 commit 561373e085a909940b9e946e3b68266e5f930a87 @mind04 mind04 committed with mind04 May 30, 2015
Showing with 34 additions and 2 deletions.
  1. +34 −2 pdns/pdnssec.cc
@@ -414,17 +414,38 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
bool isSecure=dk.isSecuredZone(zone);
bool presigned=dk.isPresigned(zone);
- sd.db->list(zone, sd.domain_id, true);
DNSResourceRecord rr;
uint64_t numrecords=0, numerrors=0, numwarnings=0;
+
+ // Check for delegation in parent zone
+ string parent(zone);
+ while(chopOff(parent)) {
+ SOAData sd_p;
+ if(B.getSOA(parent, sd_p)) {
+ bool ns=false;
+ DNSResourceRecord rr;
+ B.lookup(QType(QType::ANY), zone, NULL, sd_p.domain_id);
+ while(B.get(rr))
+ ns |= (rr.qtype == QType::NS);
+ if (!ns) {
+ cerr<<"[Error] No delegation for zone '"<<zone<<"' in parent '"<<parent<<"'"<<endl;
+ numerrors++;
+ }
+ break;
+ }
+ }
+
+
bool hasNsAtApex = false;
- set<string> records, cnames, noncnames;
+ set<string> records, cnames, noncnames, glue, checkglue;
map<string, unsigned int> ttl;
ostringstream content;
pair<map<string, unsigned int>::iterator,bool> ret;
+ sd.db->list(zone, sd.domain_id, true);
+
while(sd.db->get(rr)) {
if(!rr.qtype.getCode())
continue;
@@ -523,6 +544,10 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
} else if (rr.qtype.getCode() == QType::DNSKEY) {
cout<<"[Warning] DNSKEY record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"', should not be here."<<endl;
numwarnings++;
+ } else if (rr.qtype.getCode() == QType::NS && endsOn(rr.content, rr.qname)) {
+ checkglue.insert(toLower(rr.content));
+ } else if (rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) {
+ glue.insert(toLower(rr.qname));
}
}
@@ -605,6 +630,13 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
numerrors++;
}
+ BOOST_FOREACH(const string& qname, checkglue) {
+ if (!glue.count(qname)) {
+ cerr<<"[Error] Missing glue for '"<<qname<<"' in zone '"<<zone<<"'"<<endl;
+ numerrors++;
+ }
+ }
+
cout<<"Checked "<<numrecords<<" records of '"<<zone<<"', "<<numerrors<<" errors, "<<numwarnings<<" warnings."<<endl;
return numerrors;
}
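Review bot: The `DNSResourceRecord rr;` declared inside the parent-zone walk (first hunk, under `if(B.getSOA(parent, sd_p))`) shadows the function-level `DNSResourceRecord rr;` declared just above the new block, and nothing reads the outer one before `sd.db->get(rr)`, so the inner declaration can be dropped, or renamed `rr_p` to match `sd_p`, to avoid a -Wshadow warning and any doubt about which record the loop fills. Moving `sd.db->list(zone, sd.domain_id, true);` down to just before `while(sd.db->get(rr))` reads as deliberate — presumably so the `B.lookup`/`B.get` calls in the parent walk cannot interrupt the `sd.db` result cursor — and deserves a one-line comment such as `// list() only after the parent lookup: B.lookup()/B.get() above must not disturb this cursor`. The glue heuristic spread over the second and third hunks is also worth a comment at `checkglue.insert(toLower(rr.content));`: an NS target is only checked when `endsOn` places it under its own delegation name, so a target that lives under a different delegation in the same zone is never checked, and any A/AAAA seen in this (apparently non-apex) branch counts as glue for it. checkZone's body begins and continues outside the hunks.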
