
Commit

Add check for signed zone with no signatures from above
Fixes #6
mrimann committed Jul 29, 2017
1 parent 4352814 commit 68a88e6
Showing 2 changed files with 20 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -6,6 +6,7 @@ It covers the following cases:

- Resolver that doesn't validate DNSSEC signatures: emits a WARNING since the environment for the other check is broken and needs to be fixed first (which doesn't imply the signatures of that zone to be broken). This test is executed against the zone `dnssec-failed.org` but you can override this and provide your own always-failing zone
- Unsigned zones: will emit a WARNING, as we expect this check to only be actively executed against DNSSEC enabled/signed zones
- Signed zones without signatures from the registry (e.g. DNSSEC signatures enabled on the DNS server, but no keys set for the zone at the registrar): emits a WARNING, as we consider this a problem, because in fact this zone is not secured by DNSSEC in that situation
- Broken signature: will emit a CRITICAL, independent of whether the zone could be resolvable on a resolver without DNSSEC validation
- Expiry date of the RRSIG answer: the remaining lifetime is calculated and depending on the remaining % of the total lifetime, an alert can be generated
- emits a CRITICAL if the remaining percentage is < 10%
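Review bot: the new bullet is inconsistent about where the missing piece lives: it first says "without signatures from the registry" and then "no keys set for the zone at the registrar". What the accompanying check in check_dnssec_expiry.sh actually detects is a zone that serves DNSKEY records while the resolver returns no DS record for it, i.e. the parent zone has no DS published. Suggest wording it that way, e.g. "Signed zones with no DS record at the parent (e.g. DNSSEC enabled on the DNS server, but the DS/key data never submitted through the registrar)". The closing clause "this zone is not secured by DNSSEC in that situation" is correct and worth keeping: without a DS in the parent, a validating resolver has no chain of trust to the zone's keys and treats its answers as insecure rather than bogus, which is why this is a WARNING (a gap) and not a CRITICAL (a broken signature) like the next bullet.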
20 changes: 19 additions & 1 deletion check_dnssec_expiry.sh
Expand Up @@ -81,14 +81,32 @@ if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
fi
fi

# Check if the domain is DNSSEC signed at all
# Check if the domain is DNSSEC signed at all - This check is done in multiple parts, see below:
# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)

# get first authoritive nameserver for the zone to check if it delivers DNSKEY ansers for that zone
firstAuthoritiveNameserver=$( dig NS $zone @$resolver +short | head -n1 )

# check if the parent authoritive server says the zone is signed
checkZoneHasSignaturesFromAbove=$( dig @$firstAuthoritiveNameserver DNSKEY $zone +short )

# check if the zone itself seems to be signed at all
checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )


# now check if the zone itself is signed, but the authoritive nameserver doesn't know that
if [[ ! -z $checkZoneHasSignaturesFromAbove ]] && [[ -z $checkZoneItselfIsSignedAtAll ]]; then
echo "WARNING: Zone $zone seems to be signed itself, but has no keys set at the registry (= resolvable, but no DNSSEC involved at all)"
exit 1
fi

# check if the zone itself is not signed at all
if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
exit 1
fi


# Get the RRSIG entry and extract the date out of it
expiryDateOfSignature=$( dig @$resolver SOA $zone +dnssec | grep RRSIG | awk '{print $9}')
checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
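Review bot: the variable names and comments in this hunk are inverted relative to what the two dig calls query. `checkZoneHasSignaturesFromAbove=$( dig @$firstAuthoritiveNameserver DNSKEY $zone +short )` asks the zone's own first NS for DNSKEY, which shows whether the zone itself publishes keys; `checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )` asks the resolver for DS, which is exactly the record the parent ("above") publishes. The condition `if [[ ! -z $checkZoneHasSignaturesFromAbove ]] && [[ -z $checkZoneItselfIsSignedAtAll ]]` therefore does the right thing (DNSKEY present, DS absent), but the comments "check if the parent authoritive server says the zone is signed" and "now check if the zone itself is signed, but the authoritive nameserver doesn't know that" describe the opposite; suggest renaming to something like `zoneDnskey` / `parentDs` and rewriting the comments to match, and fixing "authoritive" and "ansers" while there. Two robustness points: `firstAuthoritiveNameserver` is empty whenever the NS lookup returns nothing, in which case the DNSKEY query runs with a bare `@` and its empty output is indistinguishable from "no keys"; guard it with `if [[ -z $firstAuthoritiveNameserver ]]` and exit with UNKNOWN (3) instead of falling through. Likewise `+short` swallows SERVFAIL and timeouts, so a DS query that failed looks like "zone is unsigned" and triggers the unsigned-zone WARNING rather than a check error, and the direct query to the authoritative server has no `+time`/`+tries`, so an unreachable NS makes the plugin hang for dig's default retries before reporting a misleading result; checking dig's exit status and setting short timeouts on that query would keep a monitoring failure from being reported as a DNSSEC finding.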

0 comments on commit 68a88e6
