rafaeljusto / shelter

Program to periodically validate and alert domains about DNS or DNSSEC misconfiguration
GNU General Public License v2.0
8 stars 3 forks

DNSSEC scan check #118

Open rafaeljusto opened 10 years ago

rafaeljusto commented 10 years ago

RFC 4035, section 2.2 (last paragraph):

There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset itself MUST be signed by each algorithm appearing in the DS RRset located at the delegating parent (if any).

The zone must be signed with at least one key of each algorithm that appears in the keyset. We should check the RRSIGs from the keyset and from the SOA record.

rafaeljusto commented 10 years ago

The difficulty here is checking the RRSIGs from the SOA record. Two solutions:

  1. Store the SOA response from the nameserver's check (will make the code uglier)
  2. New query in DS check for the SOA record (one more network IO will make scan slower)

Thinking of a way to do solution 1 without ugly code.