From 8cd2877dba2a633edacf78531a5fb96979b992e5 Mon Sep 17 00:00:00 2001
From: lare
Date: Mon, 9 Feb 2026 11:50:36 +0100
Subject: [PATCH] [validate-my-dns]: reorder answer if RRSIG is before the actual record(s)

---
 validate-my-dns.py | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/validate-my-dns.py b/validate-my-dns.py
index 381ddd9ec..28e246bf8 100755
--- a/validate-my-dns.py
+++ b/validate-my-dns.py
@@ -309,7 +309,7 @@ def get_soa(domain_name, nserver):
         for key in dnskey.to_text().split("\n"):
             if not "IN SOA " in key:
                 print(f"ERROR: CNAME returned for SOA: THIS SHOULD NOT BE USED")
-                summary[domain_name][SUMMARY.WRONG_NS] += 1
+                summary[domain_name][SUMMARY.WRONG_SOA] += 1
                 errors += 1
                 break
         else:
@@ -539,11 +539,20 @@ def check_dnssec(domain_name, domain_data):
             print(
                 f"INFO: query for {domain_name} SOA on {nserver} ({nsaddr}) succeded, not checking DNSSEC")
             continue
-        # get DNSKEY for zone
-        request = dns.message.make_query(
-            domain_name, dns.rdatatype.DNSKEY, want_dnssec=True)
-        response = dns.query.udp_with_fallback(
-            request, nsaddr, timeout=TIMEOUT)
+        # get DNSKEY for zone (with DNSSEC)
+        try:
+            request = dns.message.make_query(
+                domain_name, dns.rdatatype.DNSKEY, want_dnssec=True)
+            response = dns.query.udp_with_fallback(
+                request, nsaddr, timeout=TIMEOUT)
+        except dns.exception.Timeout:
+            print(
+                f"WARN: querying {nserver} ({nsaddr}) for DNSKEY {domain_name} timed out")
+            summary[domain_name][SUMMARY.TIMEOUT] += 1
+            continue
+        except Exception as e:
+            _handle_unknown_error(e, nserver=f"{nserver} ({nsaddr})", domain_name=domain_name)
+            continue
         if response[0].rcode() != 0:
             # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
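Review bot: In the added `except dns.exception.Timeout:` branch the DNSKEY query is abandoned with `continue` after bumping `SUMMARY.TIMEOUT`, but unlike the SOA handling in the first hunk nothing increments `errors`, so a server whose DNSKEY query times out never reaches the DNSSEC check and, if `errors` feeds the final verdict, looks the same as a server that validated; that is a fail-open outcome for a validation tool. If that is not intended, add `errors += 1` before the `continue`, and consider the same for the `except Exception as e:` branch unless `_handle_unknown_error` already accounts for it. Keeping the `try` body minimal would also help: `dns.message.make_query(...)` does no I/O and cannot time out, only `dns.query.udp_with_fallback(...)` does, so the `request = ...` assignment can sit above the `try:`. The enclosing loop and the rest of `check_dnssec` continue outside the hunk.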
@@ -562,20 +571,16 @@ def check_dnssec(domain_name, domain_data):
         # the DNSKEY should be self signed, validate it
         name = dns.name.from_text(domain_name)
         try:
-            # print(f"DEBUG: answer[0]: {answer[0]}")
-            # print(f"DEBUG: answer[1]: {answer[1]}")
-            try:
-                dns.dnssec.validate(
-                    answer[0], answer[1], {name: answer[0]})
-            # it raises an AttributeError if the records are in the wrong order
-            except AttributeError as e:
-                dns.dnssec.validate(
-                    answer[1], answer[0], {name: answer[0]})
+            #print(f"DEBUG: answer[0]: '{answer[0].rdtype}' {answer[0]}")
+            #print(f"DEBUG: answer[1]: '{answer[1].rdtype}' {answer[1]}")
+            rec, sig = answer if answer[0].rdtype != dns.rdatatype.RRSIG else answer[::-1]
+
+            dns.dnssec.validate(rec, sig, {name: rec})
         except dns.dnssec.ValidationFailure as e:
             # BE SUSPICIOUS
             print(
-                f"WARN: DNSSEC validation failed on {domain_name} failed on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
+                f"WARN: DNSSEC validation failed for {domain_name} on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
             summary[domain_name][SUMMARY.DNSSEC_FAIL] += 1
             errors += 1
         except AttributeError as e:
@@ -584,7 +589,7 @@ def check_dnssec(domain_name, domain_data):
         else:
             # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
             print(
-                f"INFO: DNSSEC validation succeded on {domain_name} failed on {nserver} ({nsaddr})")
+                f"INFO: DNSSEC validation succeded for {domain_name} on {nserver} ({nsaddr})")
             summary[domain_name][SUMMARY.SUCCESS] += 1
             success = True
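Review bot: `rec, sig = answer if answer[0].rdtype != dns.rdatatype.RRSIG else answer[::-1]` assumes the answer section holds exactly two RRsets, one DNSKEY and one RRSIG. If a server returns the DNSKEY set without an RRSIG (DO bit ignored, or an unsigned zone) or returns additional RRsets, the unpacking raises `ValueError`, which neither the `except dns.dnssec.ValidationFailure` handler nor the `except AttributeError` handler below catches, so the run aborts instead of that server being counted under `SUMMARY.DNSSEC_FAIL`. Selecting the RRsets by type rather than by position, and treating a missing DNSKEY or covering RRSIG as a validation failure, keeps the check fail-closed; a sketch is below, assuming `answer` is the list of RRsets from the DNSKEY response and that this code sits in the same per-nameserver loop as the `continue` statements in the earlier hunk. The remainder of the `try` block's handlers and of `check_dnssec` lies outside the hunk.
```python
        # the DNSKEY should be self signed, validate it
        name = dns.name.from_text(domain_name)
        by_type = {rrset.rdtype: rrset for rrset in answer}
        rec = by_type.get(dns.rdatatype.DNSKEY)
        sig = by_type.get(dns.rdatatype.RRSIG)
        if rec is None or sig is None or sig.covers != dns.rdatatype.DNSKEY:
            print(
                f"WARN: no DNSKEY RRset with covering RRSIG for {domain_name} on {nserver} ({nsaddr}), answer: {answer}")
            summary[domain_name][SUMMARY.DNSSEC_FAIL] += 1
            errors += 1
            continue
        try:
            dns.dnssec.validate(rec, sig, {name: rec})
        # … unchanged: ValidationFailure / AttributeError handlers …
```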
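Review bot: The reworded INFO line still misspells "succeeded" as `succeded`; since this is the string operators will grep for, fix it in the same edit: `f"INFO: DNSSEC validation succeeded for {domain_name} on {nserver} ({nsaddr})"`. The same misspelling sits in the unchanged INFO line of the SOA branch earlier in `check_dnssec`, so a follow-up could align both.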