dn42/registry
1
0
Fork 0
mirror of https://git.dn42.dev/dn42/registry.git synced 2026-05-16 12:13:43 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request '[validate-my-dns] check and fix ordering' (#6072) from lare/registry:validate-dns/check-and-fix-ordering into master

Browse source 
Reviewed-on: https://git.dn42.dev/dn42/registry/pulls/6072
Reviewed-by: schema-checker <schema-checker@noreply.dn42.dev>
This commit is contained in:
Simon Marsh 2026-02-09 15:06:50 +00:00
commit d411f0bf40
1 changed files with 22 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

39
validate-my-dns.py
View file

@ -309,7 +309,7 @@ def get_soa(domain_name, nserver):
for key in dnskey.to_text().split("\n"): for key in dnskey.to_text().split("\n"):
if not "IN SOA " in key: if not "IN SOA " in key:
print(f"ERROR: CNAME returned for SOA: THIS SHOULD NOT BE USED") print(f"ERROR: CNAME returned for SOA: THIS SHOULD NOT BE USED")
summary[domain_name][SUMMARY.WRONG_NS] += 1 summary[domain_name][SUMMARY.WRONG_SOA] += 1
errors += 1 errors += 1
break break
else: else:
@ -539,11 +539,20 @@ def check_dnssec(domain_name, domain_data):
print( print(
f"INFO: query for {domain_name} SOA on {nserver} ({nsaddr}) succeded, not checking DNSSEC") f"INFO: query for {domain_name} SOA on {nserver} ({nsaddr}) succeded, not checking DNSSEC")
continue continue
# get DNSKEY for zone # get DNSKEY for zone (with DNSSEC)
request = dns.message.make_query( try:
domain_name, dns.rdatatype.DNSKEY, want_dnssec=True) request = dns.message.make_query(
response = dns.query.udp_with_fallback( domain_name, dns.rdatatype.DNSKEY, want_dnssec=True)
request, nsaddr, timeout=TIMEOUT) response = dns.query.udp_with_fallback(
request, nsaddr, timeout=TIMEOUT)
except dns.exception.Timeout:
print(
f"WARN: querying {nserver} ({nsaddr}) for DNSKEY {domain_name} timed out")
summary[domain_name][SUMMARY.TIMEOUT] += 1
continue
except Exception as e:
_handle_unknown_error(e, nserver=f"{nserver} ({nsaddr})", domain_name=domain_name)
continue
if response[0].rcode() != 0: if response[0].rcode() != 0:
# HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD) # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
@ -562,20 +571,16 @@ def check_dnssec(domain_name, domain_data):
# the DNSKEY should be self signed, validate it # the DNSKEY should be self signed, validate it
name = dns.name.from_text(domain_name) name = dns.name.from_text(domain_name)
try: try:
# print(f"DEBUG: answer[0]: {answer[0]}") #print(f"DEBUG: answer[0]: '{answer[0].rdtype}' {answer[0]}")
# print(f"DEBUG: answer[1]: {answer[1]}") #print(f"DEBUG: answer[1]: '{answer[1].rdtype}' {answer[1]}")
try: rec, sig = answer if answer[0].rdtype != dns.rdatatype.RRSIG else answer[::-1]
dns.dnssec.validate(
answer[0], answer[1], {name: answer[0]}) dns.dnssec.validate(rec, sig, {name: rec})
# it raises an AttributeError if the records are in the wrong order
except AttributeError as e:
dns.dnssec.validate(
answer[1], answer[0], {name: answer[0]})
except dns.dnssec.ValidationFailure as e: except dns.dnssec.ValidationFailure as e:
# BE SUSPICIOUS # BE SUSPICIOUS
print( print(
f"WARN: DNSSEC validation failed on {domain_name} failed on {nserver} ({nsaddr}), error: '{e}', answer: {answer}") f"WARN: DNSSEC validation failed for {domain_name} on {nserver} ({nsaddr}), error: '{e}', answer: {answer}")
summary[domain_name][SUMMARY.DNSSEC_FAIL] += 1 summary[domain_name][SUMMARY.DNSSEC_FAIL] += 1
errors += 1 errors += 1
except AttributeError as e: except AttributeError as e:
@ -584,7 +589,7 @@ def check_dnssec(domain_name, domain_data):
else: else:
# WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
print( print(
f"INFO: DNSSEC validation succeded on {domain_name} failed on {nserver} ({nsaddr})") f"INFO: DNSSEC validation succeded for {domain_name} on {nserver} ({nsaddr})")
summary[domain_name][SUMMARY.SUCCESS] += 1 summary[domain_name][SUMMARY.SUCCESS] += 1
success = True success = True