[validate-my-dns]: reorder answer if RRSIG is before the actual record(s)

2026-02-14 07:02:18 +08:00 · 2026-02-09 11:50:36 +01:00 · 2026-02-09 11:50:36 +01:00 · 8cd2877dba
commit 8cd2877dba
parent ce8882f23f
1 changed files with 22 additions and 17 deletions
--- a/validate-my-dns.py
+++ b/validate-my-dns.py
@ -309,7 +309,7 @@ def get_soa(domain_name, nserver):
        for key in dnskey.to_text().split("\n"):
            if not "IN SOA " in key:
                print(f"ERROR: CNAME returned for SOA: THIS SHOULD NOT BE USED")
-                summary[domain_name][SUMMARY.WRONG_NS] += 1
+                summary[domain_name][SUMMARY.WRONG_SOA] += 1
                errors += 1
                break
            else:
@ -539,11 +539,20 @@ def check_dnssec(domain_name, domain_data):
                print(
                    f"INFO:  query for {domain_name} SOA on {nserver} ({nsaddr}) succeded, not checking DNSSEC")
                continue
-            # get DNSKEY for zone
-            request = dns.message.make_query(
-                domain_name, dns.rdatatype.DNSKEY, want_dnssec=True)
-            response = dns.query.udp_with_fallback(
-                request, nsaddr, timeout=TIMEOUT)
+            # get DNSKEY for zone (with DNSSEC)
+            try:
+                request = dns.message.make_query(
+                    domain_name, dns.rdatatype.DNSKEY, want_dnssec=True)
+                response = dns.query.udp_with_fallback(
+                    request, nsaddr, timeout=TIMEOUT)
+            except dns.exception.Timeout:
+                print(
+                   f"WARN:  querying {nserver} ({nsaddr}) for DNSKEY {domain_name} timed out")
+                summary[domain_name][SUMMARY.TIMEOUT] += 1
+                continue
+            except Exception as e:
+                _handle_unknown_error(e, nserver=f"{nserver} ({nsaddr})", domain_name=domain_name)
+                continue

            if response[0].rcode() != 0:
                # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
@ -562,20 +571,16 @@ def check_dnssec(domain_name, domain_data):
            # the DNSKEY should be self signed, validate it
            name = dns.name.from_text(domain_name)
            try:
-                # print(f"DEBUG: answer[0]: {answer[0]}")
-                # print(f"DEBUG: answer[1]: {answer[1]}")
-                try:
-                    dns.dnssec.validate(
-                        answer[0], answer[1], {name: answer[0]})
-                # it raises an AttributeError if the records are in the wrong order
-                except AttributeError as e:
-                    dns.dnssec.validate(
-                        answer[1], answer[0], {name: answer[0]})
+                #print(f"DEBUG: answer[0]: '{answer[0].rdtype}' {answer[0]}")
+                #print(f"DEBUG: answer[1]: '{answer[1].rdtype}' {answer[1]}")
+                rec, sig = answer if answer[0].rdtype != dns.rdatatype.RRSIG else answer[::-1]
+                
+                dns.dnssec.validate(rec, sig, {name: rec})

            except dns.dnssec.ValidationFailure as e:
                # BE SUSPICIOUS
                print(
-                        f"WARN:  DNSSEC validation failed on {domain_name} failed on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
+                        f"WARN:  DNSSEC validation failed for {domain_name} on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
                summary[domain_name][SUMMARY.DNSSEC_FAIL] += 1
                errors += 1
            except AttributeError as e:
@ -584,7 +589,7 @@ def check_dnssec(domain_name, domain_data):
            else:
                # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
                print(
-                    f"INFO:  DNSSEC validation succeded on {domain_name} failed on {nserver} ({nsaddr})")
+                    f"INFO:  DNSSEC validation succeded for {domain_name} on {nserver} ({nsaddr})")
                summary[domain_name][SUMMARY.SUCCESS] += 1
                success = True