Merge pull request '[validate-my-dns] check and fix ordering' (#6072) from lare/registry:validate-dns/check-and-fix-ordering into master

Reviewed-on: https://git.dn42.dev/dn42/registry/pulls/6072
Reviewed-by: schema-checker <schema-checker@noreply.dn42.dev>

validate-my-dns.py

@@ -309,7 +309,7 @@ def get_soa(domain_name, nserver):
         for key in dnskey.to_text().split("\n"):
             if not "IN SOA " in key:
                 print(f"ERROR: CNAME returned for SOA: THIS SHOULD NOT BE USED")
-                summary[domain_name][SUMMARY.WRONG_NS] += 1
+                summary[domain_name][SUMMARY.WRONG_SOA] += 1
                 errors += 1
                 break
             else:
@@ -539,11 +539,20 @@ def check_dnssec(domain_name, domain_data):
                 print(
                     f"INFO:  query for {domain_name} SOA on {nserver} ({nsaddr}) succeded, not checking DNSSEC")
                 continue
-            # get DNSKEY for zone
+            # get DNSKEY for zone (with DNSSEC)
+            try:
                 request = dns.message.make_query(
                     domain_name, dns.rdatatype.DNSKEY, want_dnssec=True)
                 response = dns.query.udp_with_fallback(
                     request, nsaddr, timeout=TIMEOUT)
+            except dns.exception.Timeout:
+                print(
+                   f"WARN:  querying {nserver} ({nsaddr}) for DNSKEY {domain_name} timed out")
+                summary[domain_name][SUMMARY.TIMEOUT] += 1
+                continue
+            except Exception as e:
+                _handle_unknown_error(e, nserver=f"{nserver} ({nsaddr})", domain_name=domain_name)
+                continue
 
             if response[0].rcode() != 0:
                 # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
@@ -562,20 +571,16 @@ def check_dnssec(domain_name, domain_data):
             # the DNSKEY should be self signed, validate it
             name = dns.name.from_text(domain_name)
             try:
-                # print(f"DEBUG: answer[0]: {answer[0]}")
+                #print(f"DEBUG: answer[0]: '{answer[0].rdtype}' {answer[0]}")
-                # print(f"DEBUG: answer[1]: {answer[1]}")
+                #print(f"DEBUG: answer[1]: '{answer[1].rdtype}' {answer[1]}")
-                try:
+                rec, sig = answer if answer[0].rdtype != dns.rdatatype.RRSIG else answer[::-1]
-                    dns.dnssec.validate(
+                
-                        answer[0], answer[1], {name: answer[0]})
+                dns.dnssec.validate(rec, sig, {name: rec})
-                # it raises an AttributeError if the records are in the wrong order
-                except AttributeError as e:
-                    dns.dnssec.validate(
-                        answer[1], answer[0], {name: answer[0]})
 
             except dns.dnssec.ValidationFailure as e:
                 # BE SUSPICIOUS
                 print(
-                        f"WARN:  DNSSEC validation failed on {domain_name} failed on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
+                        f"WARN:  DNSSEC validation failed for {domain_name} on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
                 summary[domain_name][SUMMARY.DNSSEC_FAIL] += 1
                 errors += 1
             except AttributeError as e:
@@ -584,7 +589,7 @@ def check_dnssec(domain_name, domain_data):
             else:
                 # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
                 print(
-                    f"INFO:  DNSSEC validation succeded on {domain_name} failed on {nserver} ({nsaddr})")
+                    f"INFO:  DNSSEC validation succeded for {domain_name} on {nserver} ({nsaddr})")
                 summary[domain_name][SUMMARY.SUCCESS] += 1
                 success = True