line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Zonemaster::Engine::Test::DNSSEC; |
2
|
|
|
|
|
|
|
|
3
|
26
|
|
|
26
|
|
97854
|
use version; our $VERSION = version->declare("v1.0.7"); |
|
26
|
|
|
|
|
68
|
|
|
26
|
|
|
|
|
204
|
|
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
### |
6
|
|
|
|
|
|
|
### This test module implements DNSSEC tests. |
7
|
|
|
|
|
|
|
### |
8
|
|
|
|
|
|
|
|
9
|
26
|
|
|
26
|
|
2434
|
use strict; |
|
26
|
|
|
|
|
63
|
|
|
26
|
|
|
|
|
559
|
|
10
|
26
|
|
|
26
|
|
134
|
use warnings; |
|
26
|
|
|
|
|
55
|
|
|
26
|
|
|
|
|
682
|
|
11
|
|
|
|
|
|
|
|
12
|
26
|
|
|
26
|
|
470
|
use 5.014002; |
|
26
|
|
|
|
|
94
|
|
13
|
|
|
|
|
|
|
|
14
|
26
|
|
|
26
|
|
143
|
use Zonemaster::Engine; |
|
26
|
|
|
|
|
65
|
|
|
26
|
|
|
|
|
542
|
|
15
|
26
|
|
|
26
|
|
156
|
use Zonemaster::Engine::Util; |
|
26
|
|
|
|
|
63
|
|
|
26
|
|
|
|
|
1757
|
|
16
|
26
|
|
|
26
|
|
158
|
use Zonemaster::Engine::Constants qw[:algo :soa]; |
|
26
|
|
|
|
|
54
|
|
|
26
|
|
|
|
|
4848
|
|
17
|
26
|
|
|
26
|
|
178
|
use List::Util qw[min]; |
|
26
|
|
|
|
|
53
|
|
|
26
|
|
|
|
|
1363
|
|
18
|
26
|
|
|
26
|
|
143
|
use List::MoreUtils qw[none]; |
|
26
|
|
|
|
|
56
|
|
|
26
|
|
|
|
|
211
|
|
19
|
|
|
|
|
|
|
|
20
|
26
|
|
|
26
|
|
15928
|
use Carp; |
|
26
|
|
|
|
|
52
|
|
|
26
|
|
|
|
|
109807
|
|
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
### Table fetched from IANA on 2017-03-09 |
23
|
|
|
|
|
|
|
Readonly::Hash our %algo_properties => ( |
24
|
|
|
|
|
|
|
0 => { |
25
|
|
|
|
|
|
|
status => $ALGO_STATUS_RESERVED, |
26
|
|
|
|
|
|
|
description => q{Reserved}, |
27
|
|
|
|
|
|
|
}, |
28
|
|
|
|
|
|
|
1 => { |
29
|
|
|
|
|
|
|
status => $ALGO_STATUS_DEPRECATED, |
30
|
|
|
|
|
|
|
description => q{RSA/MD5}, |
31
|
|
|
|
|
|
|
mnemonic => q{RSAMD5}, |
32
|
|
|
|
|
|
|
}, |
33
|
|
|
|
|
|
|
2 => { |
34
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
35
|
|
|
|
|
|
|
description => q{Diffie-Hellman}, |
36
|
|
|
|
|
|
|
mnemonic => q{DH}, |
37
|
|
|
|
|
|
|
}, |
38
|
|
|
|
|
|
|
3 => { |
39
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
40
|
|
|
|
|
|
|
description => q{DSA/SHA1}, |
41
|
|
|
|
|
|
|
mnemonic => q{DSA}, |
42
|
|
|
|
|
|
|
}, |
43
|
|
|
|
|
|
|
4 => { |
44
|
|
|
|
|
|
|
status => $ALGO_STATUS_RESERVED, |
45
|
|
|
|
|
|
|
description => q{Reserved}, |
46
|
|
|
|
|
|
|
}, |
47
|
|
|
|
|
|
|
5 => { |
48
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
49
|
|
|
|
|
|
|
description => q{RSA/SHA1}, |
50
|
|
|
|
|
|
|
mnemonic => q{RSASHA1}, |
51
|
|
|
|
|
|
|
}, |
52
|
|
|
|
|
|
|
6 => { |
53
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
54
|
|
|
|
|
|
|
description => q{DSA-NSEC3-SHA1}, |
55
|
|
|
|
|
|
|
mnemonic => q{DSA-NSEC3-SHA1}, |
56
|
|
|
|
|
|
|
}, |
57
|
|
|
|
|
|
|
7 => { |
58
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
59
|
|
|
|
|
|
|
description => q{RSASHA1-NSEC3-SHA1}, |
60
|
|
|
|
|
|
|
mnemonic => q{RSASHA1-NSEC3-SHA1}, |
61
|
|
|
|
|
|
|
}, |
62
|
|
|
|
|
|
|
8 => { |
63
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
64
|
|
|
|
|
|
|
description => q{RSA/SHA-256}, |
65
|
|
|
|
|
|
|
mnemonic => q{RSA/SHA256}, |
66
|
|
|
|
|
|
|
}, |
67
|
|
|
|
|
|
|
9 => { |
68
|
|
|
|
|
|
|
status => $ALGO_STATUS_RESERVED, |
69
|
|
|
|
|
|
|
description => q{Reserved}, |
70
|
|
|
|
|
|
|
}, |
71
|
|
|
|
|
|
|
10 => { |
72
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
73
|
|
|
|
|
|
|
description => q{RSA/SHA-512}, |
74
|
|
|
|
|
|
|
mnemonic => q{RSA/SHA512}, |
75
|
|
|
|
|
|
|
}, |
76
|
|
|
|
|
|
|
11 => { |
77
|
|
|
|
|
|
|
status => $ALGO_STATUS_RESERVED, |
78
|
|
|
|
|
|
|
description => q{Reserved}, |
79
|
|
|
|
|
|
|
}, |
80
|
|
|
|
|
|
|
12 => { |
81
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
82
|
|
|
|
|
|
|
description => q{GOST R 34.10-2001}, |
83
|
|
|
|
|
|
|
mnemonic => q{ECC-GOST}, |
84
|
|
|
|
|
|
|
}, |
85
|
|
|
|
|
|
|
13 => { |
86
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
87
|
|
|
|
|
|
|
description => q{ECDSA Curve P-256 with SHA-256}, |
88
|
|
|
|
|
|
|
mnemonic => q{ECDSAP256SHA256}, |
89
|
|
|
|
|
|
|
}, |
90
|
|
|
|
|
|
|
14 => { |
91
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
92
|
|
|
|
|
|
|
description => q{ECDSA Curve P-384 with SHA-384}, |
93
|
|
|
|
|
|
|
mnemonic => q{ECDSAP384SHA384}, |
94
|
|
|
|
|
|
|
}, |
95
|
|
|
|
|
|
|
15 => { |
96
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
97
|
|
|
|
|
|
|
description => q{Ed25519}, |
98
|
|
|
|
|
|
|
mnemonic => q{Ed25519}, |
99
|
|
|
|
|
|
|
}, |
100
|
|
|
|
|
|
|
16 => { |
101
|
|
|
|
|
|
|
status => $ALGO_STATUS_VALID, |
102
|
|
|
|
|
|
|
description => q{Ed448}, |
103
|
|
|
|
|
|
|
mnemonic => q{Ed448}, |
104
|
|
|
|
|
|
|
}, |
105
|
|
|
|
|
|
|
( |
106
|
|
|
|
|
|
|
map { $_ => { status => $ALGO_STATUS_UNASSIGNED, description => q{Unassigned}, } } ( 17 .. 122 ) |
107
|
|
|
|
|
|
|
), |
108
|
|
|
|
|
|
|
( |
109
|
|
|
|
|
|
|
map { $_ => { status => $ALGO_STATUS_RESERVED, description => q{Reserved}, } } ( 123 .. 251 ) |
110
|
|
|
|
|
|
|
), |
111
|
|
|
|
|
|
|
252 => { |
112
|
|
|
|
|
|
|
status => $ALGO_STATUS_RESERVED, |
113
|
|
|
|
|
|
|
description => q{Reserved for Indirect Keys}, |
114
|
|
|
|
|
|
|
mnemonic => q{INDIRECT}, |
115
|
|
|
|
|
|
|
}, |
116
|
|
|
|
|
|
|
253 => { |
117
|
|
|
|
|
|
|
status => $ALGO_STATUS_PRIVATE, |
118
|
|
|
|
|
|
|
description => q{private algorithm}, |
119
|
|
|
|
|
|
|
mnemonic => q{PRIVATEDNS}, |
120
|
|
|
|
|
|
|
}, |
121
|
|
|
|
|
|
|
254 => { |
122
|
|
|
|
|
|
|
status => $ALGO_STATUS_PRIVATE, |
123
|
|
|
|
|
|
|
description => q{private algorithm OID}, |
124
|
|
|
|
|
|
|
mnemonic => q{PRIVATEOID}, |
125
|
|
|
|
|
|
|
}, |
126
|
|
|
|
|
|
|
255 => { |
127
|
|
|
|
|
|
|
status => $ALGO_STATUS_RESERVED, |
128
|
|
|
|
|
|
|
description => q{Reserved}, |
129
|
|
|
|
|
|
|
}, |
130
|
|
|
|
|
|
|
); |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
### |
133
|
|
|
|
|
|
|
### Entry points |
134
|
|
|
|
|
|
|
### |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
sub all { |
137
|
12
|
|
|
12
|
1
|
37
|
my ( $class, $zone ) = @_; |
138
|
12
|
|
|
|
|
25
|
my @results; |
139
|
|
|
|
|
|
|
|
140
|
12
|
100
|
|
|
|
45
|
if ( Zonemaster::Engine->config->should_run('dnssec07') ) { |
141
|
3
|
|
|
|
|
17
|
push @results, $class->dnssec07( $zone ); |
142
|
|
|
|
|
|
|
} |
143
|
|
|
|
|
|
|
|
144
|
12
|
50
|
66
|
|
|
51
|
if ( Zonemaster::Engine->config->should_run('dnssec07') and grep { $_->tag eq 'NEITHER_DNSKEY_NOR_DS' } @results ) { |
|
3
|
|
|
|
|
80
|
|
145
|
0
|
|
|
|
|
0
|
push @results, |
146
|
|
|
|
|
|
|
info( |
147
|
|
|
|
|
|
|
NOT_SIGNED => { |
148
|
|
|
|
|
|
|
zone => q{} . $zone->name |
149
|
|
|
|
|
|
|
} |
150
|
|
|
|
|
|
|
); |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
} else { |
153
|
|
|
|
|
|
|
|
154
|
12
|
100
|
|
|
|
50
|
if ( Zonemaster::Engine->config->should_run('dnssec01') ) { |
155
|
3
|
|
|
|
|
19
|
push @results, $class->dnssec01( $zone ); |
156
|
|
|
|
|
|
|
} |
157
|
|
|
|
|
|
|
|
158
|
12
|
100
|
|
8
|
|
131
|
if ( none { $_->tag eq 'NO_DS' } @results ) { |
|
8
|
|
|
|
|
215
|
|
159
|
11
|
100
|
|
|
|
45
|
if ( Zonemaster::Engine->config->should_run('dnssec02') ) { |
160
|
2
|
|
|
|
|
12
|
push @results, $class->dnssec02( $zone ); |
161
|
|
|
|
|
|
|
} |
162
|
|
|
|
|
|
|
} |
163
|
|
|
|
|
|
|
|
164
|
12
|
100
|
|
|
|
71
|
if ( Zonemaster::Engine->config->should_run('dnssec03') ) { |
165
|
3
|
|
|
|
|
15
|
push @results, $class->dnssec03( $zone ); |
166
|
|
|
|
|
|
|
} |
167
|
|
|
|
|
|
|
|
168
|
12
|
100
|
|
|
|
43
|
if ( Zonemaster::Engine->config->should_run('dnssec04') ) { |
169
|
3
|
|
|
|
|
15
|
push @results, $class->dnssec04( $zone ); |
170
|
|
|
|
|
|
|
} |
171
|
|
|
|
|
|
|
|
172
|
12
|
100
|
|
|
|
50
|
if ( Zonemaster::Engine->config->should_run('dnssec05') ) { |
173
|
3
|
|
|
|
|
17
|
push @results, $class->dnssec05( $zone ); |
174
|
|
|
|
|
|
|
} |
175
|
|
|
|
|
|
|
|
176
|
12
|
100
|
|
|
|
43
|
if ( grep { $_->tag eq q{DNSKEY_BUT_NOT_DS} or $_->tag eq q{DNSKEY_AND_DS} } @results ) { |
|
51
|
100
|
|
|
|
1223
|
|
177
|
3
|
100
|
|
|
|
14
|
if ( Zonemaster::Engine->config->should_run('dnssec06') ) { |
178
|
2
|
|
|
|
|
10
|
push @results, $class->dnssec06( $zone ); |
179
|
|
|
|
|
|
|
} |
180
|
|
|
|
|
|
|
} |
181
|
|
|
|
|
|
|
else { |
182
|
9
|
|
|
|
|
45
|
push @results, |
183
|
|
|
|
|
|
|
info( ADDITIONAL_DNSKEY_SKIPPED => {} ); |
184
|
|
|
|
|
|
|
} |
185
|
|
|
|
|
|
|
|
186
|
12
|
100
|
|
|
|
259
|
if ( Zonemaster::Engine->config->should_run('dnssec08') ) { |
187
|
3
|
|
|
|
|
20
|
push @results, $class->dnssec08( $zone ); |
188
|
|
|
|
|
|
|
} |
189
|
|
|
|
|
|
|
|
190
|
12
|
100
|
|
|
|
51
|
if ( Zonemaster::Engine->config->should_run('dnssec09') ) { |
191
|
3
|
|
|
|
|
16
|
push @results, $class->dnssec09( $zone ); |
192
|
|
|
|
|
|
|
} |
193
|
|
|
|
|
|
|
|
194
|
12
|
100
|
|
|
|
43
|
if ( Zonemaster::Engine->config->should_run('dnssec10') ) { |
195
|
3
|
|
|
|
|
21
|
push @results, $class->dnssec10( $zone ); |
196
|
|
|
|
|
|
|
} |
197
|
|
|
|
|
|
|
|
198
|
12
|
100
|
|
|
|
46
|
if ( Zonemaster::Engine->config->should_run('dnssec11') ) { |
199
|
3
|
|
|
|
|
23
|
push @results, $class->dnssec11( $zone ); |
200
|
|
|
|
|
|
|
} |
201
|
|
|
|
|
|
|
|
202
|
|
|
|
|
|
|
} |
203
|
|
|
|
|
|
|
|
204
|
12
|
|
|
|
|
78
|
return @results; |
205
|
|
|
|
|
|
|
} ## end sub all |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
### |
208
|
|
|
|
|
|
|
### Metadata Exposure |
209
|
|
|
|
|
|
|
### |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
sub metadata { |
212
|
64
|
|
|
64
|
1
|
190
|
my ( $class ) = @_; |
213
|
|
|
|
|
|
|
|
214
|
|
|
|
|
|
|
return { |
215
|
64
|
|
|
|
|
1350
|
dnssec01 => [ |
216
|
|
|
|
|
|
|
qw( |
217
|
|
|
|
|
|
|
DS_DIGTYPE_OK |
218
|
|
|
|
|
|
|
DS_DIGTYPE_NOT_OK |
219
|
|
|
|
|
|
|
NO_DS |
220
|
|
|
|
|
|
|
) |
221
|
|
|
|
|
|
|
], |
222
|
|
|
|
|
|
|
dnssec02 => [ |
223
|
|
|
|
|
|
|
qw( |
224
|
|
|
|
|
|
|
NO_DS |
225
|
|
|
|
|
|
|
DS_FOUND |
226
|
|
|
|
|
|
|
NO_DNSKEY |
227
|
|
|
|
|
|
|
DS_RFC4509_NOT_VALID |
228
|
|
|
|
|
|
|
COMMON_KEYTAGS |
229
|
|
|
|
|
|
|
DS_MATCHES_DNSKEY |
230
|
|
|
|
|
|
|
DS_DOES_NOT_MATCH_DNSKEY |
231
|
|
|
|
|
|
|
DS_MATCH_FOUND |
232
|
|
|
|
|
|
|
DS_MATCH_NOT_FOUND |
233
|
|
|
|
|
|
|
NO_COMMON_KEYTAGS |
234
|
|
|
|
|
|
|
) |
235
|
|
|
|
|
|
|
], |
236
|
|
|
|
|
|
|
dnssec03 => [ |
237
|
|
|
|
|
|
|
qw( |
238
|
|
|
|
|
|
|
NO_NSEC3PARAM |
239
|
|
|
|
|
|
|
NO_DNSKEY |
240
|
|
|
|
|
|
|
MANY_ITERATIONS |
241
|
|
|
|
|
|
|
TOO_MANY_ITERATIONS |
242
|
|
|
|
|
|
|
ITERATIONS_OK |
243
|
|
|
|
|
|
|
) |
244
|
|
|
|
|
|
|
], |
245
|
|
|
|
|
|
|
dnssec04 => [ |
246
|
|
|
|
|
|
|
qw( |
247
|
|
|
|
|
|
|
RRSIG_EXPIRATION |
248
|
|
|
|
|
|
|
RRSIG_EXPIRED |
249
|
|
|
|
|
|
|
REMAINING_SHORT |
250
|
|
|
|
|
|
|
REMAINING_LONG |
251
|
|
|
|
|
|
|
DURATION_LONG |
252
|
|
|
|
|
|
|
DURATION_OK |
253
|
|
|
|
|
|
|
) |
254
|
|
|
|
|
|
|
], |
255
|
|
|
|
|
|
|
dnssec05 => [ |
256
|
|
|
|
|
|
|
qw( |
257
|
|
|
|
|
|
|
ALGORITHM_DEPRECATED |
258
|
|
|
|
|
|
|
ALGORITHM_RESERVED |
259
|
|
|
|
|
|
|
ALGORITHM_UNASSIGNED |
260
|
|
|
|
|
|
|
ALGORITHM_PRIVATE |
261
|
|
|
|
|
|
|
ALGORITHM_OK |
262
|
|
|
|
|
|
|
ALGORITHM_UNKNOWN |
263
|
|
|
|
|
|
|
KEY_DETAILS |
264
|
|
|
|
|
|
|
) |
265
|
|
|
|
|
|
|
], |
266
|
|
|
|
|
|
|
dnssec06 => [ |
267
|
|
|
|
|
|
|
qw( |
268
|
|
|
|
|
|
|
EXTRA_PROCESSING_OK |
269
|
|
|
|
|
|
|
EXTRA_PROCESSING_BROKEN |
270
|
|
|
|
|
|
|
) |
271
|
|
|
|
|
|
|
], |
272
|
|
|
|
|
|
|
dnssec07 => [ |
273
|
|
|
|
|
|
|
qw( |
274
|
|
|
|
|
|
|
ADDITIONAL_DNSKEY_SKIPPED |
275
|
|
|
|
|
|
|
DNSKEY_BUT_NOT_DS |
276
|
|
|
|
|
|
|
DNSKEY_AND_DS |
277
|
|
|
|
|
|
|
NEITHER_DNSKEY_NOR_DS |
278
|
|
|
|
|
|
|
DS_BUT_NOT_DNSKEY |
279
|
|
|
|
|
|
|
) |
280
|
|
|
|
|
|
|
], |
281
|
|
|
|
|
|
|
dnssec08 => [ |
282
|
|
|
|
|
|
|
qw( |
283
|
|
|
|
|
|
|
DNSKEY_SIGNATURE_OK |
284
|
|
|
|
|
|
|
DNSKEY_SIGNATURE_NOT_OK |
285
|
|
|
|
|
|
|
DNSKEY_SIGNED |
286
|
|
|
|
|
|
|
DNSKEY_NOT_SIGNED |
287
|
|
|
|
|
|
|
NO_KEYS_OR_NO_SIGS |
288
|
|
|
|
|
|
|
) |
289
|
|
|
|
|
|
|
], |
290
|
|
|
|
|
|
|
dnssec09 => [ |
291
|
|
|
|
|
|
|
qw( |
292
|
|
|
|
|
|
|
NO_KEYS_OR_NO_SIGS_OR_NO_SOA |
293
|
|
|
|
|
|
|
SOA_SIGNATURE_OK |
294
|
|
|
|
|
|
|
SOA_SIGNATURE_NOT_OK |
295
|
|
|
|
|
|
|
SOA_SIGNED |
296
|
|
|
|
|
|
|
SOA_NOT_SIGNED |
297
|
|
|
|
|
|
|
) |
298
|
|
|
|
|
|
|
], |
299
|
|
|
|
|
|
|
dnssec10 => [ |
300
|
|
|
|
|
|
|
qw( |
301
|
|
|
|
|
|
|
INVALID_NAME_RCODE |
302
|
|
|
|
|
|
|
NSEC_COVERS |
303
|
|
|
|
|
|
|
NSEC_COVERS_NOT |
304
|
|
|
|
|
|
|
NSEC_SIG_VERIFY_ERROR |
305
|
|
|
|
|
|
|
NSEC_SIGNED |
306
|
|
|
|
|
|
|
NSEC_NOT_SIGNED |
307
|
|
|
|
|
|
|
HAS_NSEC |
308
|
|
|
|
|
|
|
NSEC3_COVERS |
309
|
|
|
|
|
|
|
NSEC3_COVERS_NOT |
310
|
|
|
|
|
|
|
NSEC3_SIG_VERIFY_ERROR |
311
|
|
|
|
|
|
|
NSEC3_SIGNED |
312
|
|
|
|
|
|
|
NSEC3_NOT_SIGNED |
313
|
|
|
|
|
|
|
HAS_NSEC3 |
314
|
|
|
|
|
|
|
HAS_NSEC3_OPTOUT ) |
315
|
|
|
|
|
|
|
], |
316
|
|
|
|
|
|
|
dnssec11 => [ |
317
|
|
|
|
|
|
|
qw( |
318
|
|
|
|
|
|
|
DELEGATION_NOT_SIGNED |
319
|
|
|
|
|
|
|
DELEGATION_SIGNED |
320
|
|
|
|
|
|
|
), |
321
|
|
|
|
|
|
|
], |
322
|
|
|
|
|
|
|
}; |
323
|
|
|
|
|
|
|
} ## end sub metadata |
324
|
|
|
|
|
|
|
|
325
|
|
|
|
|
|
|
sub translation { |
326
|
|
|
|
|
|
|
return { |
327
|
1
|
|
|
1
|
1
|
52
|
"ADDITIONAL_DNSKEY_SKIPPED" => "No DNSKEYs found. Additional tests skipped.", |
328
|
|
|
|
|
|
|
"ALGORITHM_DEPRECATED" => |
329
|
|
|
|
|
|
|
"The DNSKEY with tag {keytag} uses deprecated algorithm number {algorithm}/({description}).", |
330
|
|
|
|
|
|
|
"ALGORITHM_OK" => |
331
|
|
|
|
|
|
|
"The DNSKEY with tag {keytag} uses algorithm number {algorithm}/({description}), which is OK.", |
332
|
|
|
|
|
|
|
"ALGORITHM_RESERVED" => |
333
|
|
|
|
|
|
|
"The DNSKEY with tag {keytag} uses reserved algorithm number {algorithm}/({description}).", |
334
|
|
|
|
|
|
|
"ALGORITHM_UNASSIGNED" => |
335
|
|
|
|
|
|
|
"The DNSKEY with tag {keytag} uses unassigned algorithm number {algorithm}/({description}).", |
336
|
|
|
|
|
|
|
"ALGORITHM_PRIVATE" => |
337
|
|
|
|
|
|
|
"The DNSKEY with tag {keytag} uses private algorithm number {algorithm}/({description}).", |
338
|
|
|
|
|
|
|
"ALGORITHM_UNKNOWN" => "The DNSKEY with tag {keytag} uses unknown algorithm number {algorithm}.", |
339
|
|
|
|
|
|
|
"COMMON_KEYTAGS" => "There are both DS and DNSKEY records with key tags {keytags}.", |
340
|
|
|
|
|
|
|
"DNSKEY_AND_DS" => "{parent} sent a DS record, and {child} a DNSKEY record.", |
341
|
|
|
|
|
|
|
"DNSKEY_BUT_NOT_DS" => "{child} sent a DNSKEY record, but {parent} did not send a DS record.", |
342
|
|
|
|
|
|
|
"DNSKEY_NOT_SIGNED" => "The apex DNSKEY RRset was not correctly signed.", |
343
|
|
|
|
|
|
|
"DNSKEY_SIGNATURE_NOT_OK" => "Signature for DNSKEY with tag {signature} failed to verify with error '{error}'.", |
344
|
|
|
|
|
|
|
"DNSKEY_SIGNATURE_OK" => "A signature for DNSKEY with tag {signature} was correctly signed.", |
345
|
|
|
|
|
|
|
"DNSKEY_SIGNED" => "The apex DNSKEY RRset was correcly signed.", |
346
|
|
|
|
|
|
|
"DS_BUT_NOT_DNSKEY" => "{parent} sent a DS record, but {child} did not send a DNSKEY record.", |
347
|
|
|
|
|
|
|
"DS_DIGTYPE_NOT_OK" => "DS record with keytag {keytag} uses forbidden digest type {digtype}.", |
348
|
|
|
|
|
|
|
"DS_DIGTYPE_OK" => "DS record with keytag {keytag} uses digest type {digtype}, which is OK.", |
349
|
|
|
|
|
|
|
"DS_DOES_NOT_MATCH_DNSKEY" => "DS record with keytag {keytag} and digest type {digtype} does not match the DNSKEY with the same tag.", |
350
|
|
|
|
|
|
|
"DS_FOUND" => "Found DS records with tags {keytags}.", |
351
|
|
|
|
|
|
|
"DS_MATCHES_DNSKEY" => "DS record with keytag {keytag} and digest type {digtype} matches the DNSKEY with the same tag.", |
352
|
|
|
|
|
|
|
"DS_MATCH_FOUND" => "At least one DS record with a matching DNSKEY record was found.", |
353
|
|
|
|
|
|
|
"DS_MATCH_NOT_FOUND" => "No DS record with a matching DNSKEY record was found.", |
354
|
|
|
|
|
|
|
"DS_RFC4509_NOT_VALID" => "Existing DS with digest type 2, while they do not match DNSKEY records, prevent use of DS with digest type 1 (RFC4509, section 3).", |
355
|
|
|
|
|
|
|
"DURATION_LONG" => |
356
|
|
|
|
|
|
|
"RRSIG with keytag {tag} and covering type(s) {types} has a duration of {duration} seconds, which is too long.", |
357
|
|
|
|
|
|
|
"DURATION_OK" => |
358
|
|
|
|
|
|
|
"RRSIG with keytag {tag} and covering type(s) {types} has a duration of {duration} seconds, which is just fine.", |
359
|
|
|
|
|
|
|
"RRSIG_EXPIRATION" => |
360
|
|
|
|
|
|
|
"RRSIG with keytag {tag} and covering type(s) {types} expires at : {date}.", |
361
|
|
|
|
|
|
|
"RRSIG_EXPIRED" => |
362
|
|
|
|
|
|
|
"RRSIG with keytag {tag} and covering type(s) {types} has already expired (expiration is: {expiration}).", |
363
|
|
|
|
|
|
|
"REMAINING_SHORT" => |
364
|
|
|
|
|
|
|
"RRSIG with keytag {tag} and covering type(s) {types} has a remaining validity of {duration} seconds, which is too short.", |
365
|
|
|
|
|
|
|
"REMAINING_LONG" => |
366
|
|
|
|
|
|
|
"RRSIG with keytag {tag} and covering type(s) {types} has a remaining validity of {duration} seconds, which is too long.", |
367
|
|
|
|
|
|
|
"EXTRA_PROCESSING_BROKEN" => "Server at {server} sent {keys} DNSKEY records, and {sigs} RRSIG records.", |
368
|
|
|
|
|
|
|
"EXTRA_PROCESSING_OK" => "Server at {server} sent {keys} DNSKEY records and {sigs} RRSIG records.", |
369
|
|
|
|
|
|
|
"HAS_NSEC" => "The zone has NSEC records.", |
370
|
|
|
|
|
|
|
"HAS_NSEC3" => "The zone has NSEC3 records.", |
371
|
|
|
|
|
|
|
"HAS_NSEC3_OPTOUT" => "The zone has NSEC3 opt-out records.", |
372
|
|
|
|
|
|
|
"INVALID_NAME_RCODE" => "When asked for the name {name}, which must not exist, the response had RCODE {rcode}.", |
373
|
|
|
|
|
|
|
"ITERATIONS_OK" => "The number of NSEC3 iterations is {count}, which is OK.", |
374
|
|
|
|
|
|
|
"KEY_DETAILS" => "Key with keytag {keytag} details : Size = {keysize}, Flags ({sep}, {rfc5011}).", |
375
|
|
|
|
|
|
|
"MANY_ITERATIONS" => "The number of NSEC3 iterations is {count}, which is on the high side.", |
376
|
|
|
|
|
|
|
"NEITHER_DNSKEY_NOR_DS" => "There are neither DS nor DNSKEY records for the zone.", |
377
|
|
|
|
|
|
|
"NOT_SIGNED" => "The zone is not signed with DNSSEC.", |
378
|
|
|
|
|
|
|
"NO_COMMON_KEYTAGS" => "No DS record had a DNSKEY with a matching keytag.", |
379
|
|
|
|
|
|
|
"NO_DNSKEY" => "No DNSKEYs were returned.", |
380
|
|
|
|
|
|
|
"NO_DS" => "{from} returned no DS records for {zone}.", |
381
|
|
|
|
|
|
|
"NO_KEYS_OR_NO_SIGS" => |
382
|
|
|
|
|
|
|
"Cannot test DNSKEY signatures, because we got {keys} DNSKEY records and {sigs} RRSIG records.", |
383
|
|
|
|
|
|
|
"NO_KEYS_OR_NO_SIGS_OR_NO_SOA" => |
384
|
|
|
|
|
|
|
"Cannot test SOA signatures, because we got {keys} DNSKEY records, {sigs} RRSIG records and {soas} SOA records.", |
385
|
|
|
|
|
|
|
"NO_NSEC3PARAM" => "{server} returned no NSEC3PARAM records.", |
386
|
|
|
|
|
|
|
"NSEC3_SIG_VERIFY_ERROR" => "Trying to verify NSEC3 RRset with RRSIG {sig} gave error '{error}'.", |
387
|
|
|
|
|
|
|
"NSEC3_COVERS" => "NSEC3 record covers {name}.", |
388
|
|
|
|
|
|
|
"NSEC3_COVERS_NOT" => "NSEC3 record does not cover {name}.", |
389
|
|
|
|
|
|
|
"NSEC3_NOT_SIGNED" => "No signature correctly signed the NSEC3 RRset.", |
390
|
|
|
|
|
|
|
"NSEC3_SIGNED" => "At least one signature correctly signed the NSEC3 RRset.", |
391
|
|
|
|
|
|
|
"NSEC_COVERS" => "NSEC covers {name}.", |
392
|
|
|
|
|
|
|
"NSEC_COVERS_NOT" => "NSEC does not cover {name}.", |
393
|
|
|
|
|
|
|
"NSEC_NOT_SIGNED" => "No signature correctly signed the NSEC RRset.", |
394
|
|
|
|
|
|
|
"NSEC_SIGNED" => "At least one signature correctly signed the NSEC RRset.", |
395
|
|
|
|
|
|
|
"NSEC_SIG_VERIFY_ERROR" => "Trying to verify NSEC RRset with RRSIG {sig} gave error '{error}'.", |
396
|
|
|
|
|
|
|
"SOA_NOT_SIGNED" => "No RRSIG correctly signed the SOA RRset.", |
397
|
|
|
|
|
|
|
"SOA_SIGNATURE_NOT_OK" => "Trying to verify SOA RRset with signature {signature} gave error '{error}'.", |
398
|
|
|
|
|
|
|
"SOA_SIGNATURE_OK" => "RRSIG {signature} correctly signs SOA RRset.", |
399
|
|
|
|
|
|
|
"SOA_SIGNED" => "At least one RRSIG correctly signs the SOA RRset.", |
400
|
|
|
|
|
|
|
"TOO_MANY_ITERATIONS" => |
401
|
|
|
|
|
|
|
"The number of NSEC3 iterations is {count}, which is too high for key length {keylength}.", |
402
|
|
|
|
|
|
|
"DELEGATION_NOT_SIGNED" => "Delegation from parent to child is not properly signed {reason}.", |
403
|
|
|
|
|
|
|
"DELEGATION_SIGNED" => "Delegation from parent to child is properly signed.", |
404
|
|
|
|
|
|
|
}; |
405
|
|
|
|
|
|
|
} ## end sub translation |
406
|
|
|
|
|
|
|
|
407
|
|
|
|
|
|
|
sub policy { |
408
|
|
|
|
|
|
|
return { |
409
|
150
|
|
|
150
|
1
|
5698
|
"ADDITIONAL_DNSKEY_SKIPPED" => "DEBUG", |
410
|
|
|
|
|
|
|
"ALGORITHM_DEPRECATED" => "WARNING", |
411
|
|
|
|
|
|
|
"ALGORITHM_OK" => "INFO", |
412
|
|
|
|
|
|
|
"ALGORITHM_RESERVED" => "ERROR", |
413
|
|
|
|
|
|
|
"ALGORITHM_UNASSIGNED" => "ERROR", |
414
|
|
|
|
|
|
|
"COMMON_KEYTAGS" => "INFO", |
415
|
|
|
|
|
|
|
"DNSKEY_AND_DS" => "DEBUG", |
416
|
|
|
|
|
|
|
"DNSKEY_BUT_NOT_DS" => "WARNING", |
417
|
|
|
|
|
|
|
"DNSKEY_NOT_SIGNED" => "ERROR", |
418
|
|
|
|
|
|
|
"DNSKEY_SIGNATURE_NOT_OK" => "ERROR", |
419
|
|
|
|
|
|
|
"DNSKEY_SIGNATURE_OK" => "DEBUG", |
420
|
|
|
|
|
|
|
"DNSKEY_SIGNED" => "DEBUG", |
421
|
|
|
|
|
|
|
"DS_BUT_NOT_DNSKEY" => "ERROR", |
422
|
|
|
|
|
|
|
"DS_DIGTYPE_NOT_OK" => "ERROR", |
423
|
|
|
|
|
|
|
"DS_DIGTYPE_OK" => "DEBUG", |
424
|
|
|
|
|
|
|
"DS_DOES_NOT_MATCH_DNSKEY" => "ERROR", |
425
|
|
|
|
|
|
|
"DS_FOUND" => "INFO", |
426
|
|
|
|
|
|
|
"DS_MATCHES_DNSKEY" => "INFO", |
427
|
|
|
|
|
|
|
"DS_MATCH_FOUND" => "INFO", |
428
|
|
|
|
|
|
|
"DS_MATCH_NOT_FOUND" => "ERROR", |
429
|
|
|
|
|
|
|
"DS_RFC4509_NOT_VALID" => "ERROR", |
430
|
|
|
|
|
|
|
"DURATION_LONG" => "WARNING", |
431
|
|
|
|
|
|
|
"DURATION_OK" => "DEBUG", |
432
|
|
|
|
|
|
|
"EXTRA_PROCESSING_BROKEN" => "ERROR", |
433
|
|
|
|
|
|
|
"EXTRA_PROCESSING_OK" => "DEBUG", |
434
|
|
|
|
|
|
|
"HAS_NSEC" => "INFO", |
435
|
|
|
|
|
|
|
"HAS_NSEC3" => "INFO", |
436
|
|
|
|
|
|
|
"HAS_NSEC3_OPTOUT" => "INFO", |
437
|
|
|
|
|
|
|
"INVALID_NAME_RCODE" => "NOTICE", |
438
|
|
|
|
|
|
|
"ITERATIONS_OK" => "DEBUG", |
439
|
|
|
|
|
|
|
"KEY_DETAILS" => "DEBUG", |
440
|
|
|
|
|
|
|
"MANY_ITERATIONS" => "NOTICE", |
441
|
|
|
|
|
|
|
"NEITHER_DNSKEY_NOR_DS" => "NOTICE", |
442
|
|
|
|
|
|
|
"NOT_SIGNED" => "NOTICE", |
443
|
|
|
|
|
|
|
"NO_COMMON_KEYTAGS" => "ERROR", |
444
|
|
|
|
|
|
|
"NO_DNSKEY" => "ERROR", |
445
|
|
|
|
|
|
|
"NO_DS" => "NOTICE", |
446
|
|
|
|
|
|
|
"NO_KEYS_OR_NO_SIGS" => "DEBUG", |
447
|
|
|
|
|
|
|
"NO_KEYS_OR_NO_SIGS_OR_NO_SOA" => "DEBUG", |
448
|
|
|
|
|
|
|
"NO_NSEC3PARAM" => "DEBUG", |
449
|
|
|
|
|
|
|
"NSEC3_SIG_VERIFY_ERROR" => "ERROR", |
450
|
|
|
|
|
|
|
"NSEC3_COVERS" => "DEBUG", |
451
|
|
|
|
|
|
|
"NSEC3_COVERS_NOT" => "WARNING", |
452
|
|
|
|
|
|
|
"NSEC3_NOT_SIGNED" => "ERROR", |
453
|
|
|
|
|
|
|
"NSEC3_SIGNED" => "DEBUG", |
454
|
|
|
|
|
|
|
"NSEC_COVERS" => "DEBUG", |
455
|
|
|
|
|
|
|
"NSEC_COVERS_NOT" => "WARNING", |
456
|
|
|
|
|
|
|
"NSEC_NOT_SIGNED" => "ERROR", |
457
|
|
|
|
|
|
|
"NSEC_SIGNED" => "DEBUG", |
458
|
|
|
|
|
|
|
"NSEC_SIG_VERIFY_ERROR" => "ERROR", |
459
|
|
|
|
|
|
|
"REMAINING_LONG" => "WARNING", |
460
|
|
|
|
|
|
|
"REMAINING_SHORT" => "WARNING", |
461
|
|
|
|
|
|
|
"RRSIG_EXPIRATION" => "INFO", |
462
|
|
|
|
|
|
|
"RRSIG_EXPIRED" => "ERROR", |
463
|
|
|
|
|
|
|
"SOA_NOT_SIGNED" => "ERROR", |
464
|
|
|
|
|
|
|
"SOA_SIGNATURE_NOT_OK" => "ERROR", |
465
|
|
|
|
|
|
|
"SOA_SIGNATURE_OK" => "DEBUG", |
466
|
|
|
|
|
|
|
"SOA_SIGNED" => "DEBUG", |
467
|
|
|
|
|
|
|
"TOO_MANY_ITERATIONS" => "WARNING", |
468
|
|
|
|
|
|
|
"DELEGATION_NOT_SIGNED" => "NOTICE", |
469
|
|
|
|
|
|
|
"DELEGATION_SIGNED" => "INFO", |
470
|
|
|
|
|
|
|
}; |
471
|
|
|
|
|
|
|
} ## end sub policy |
472
|
|
|
|
|
|
|
|
473
|
|
|
|
|
|
|
sub version { |
474
|
74
|
|
|
74
|
1
|
875
|
return "$Zonemaster::Engine::Test::DNSSEC::VERSION"; |
475
|
|
|
|
|
|
|
} |
476
|
|
|
|
|
|
|
|
477
|
|
|
|
|
|
|
### |
478
|
|
|
|
|
|
|
### Tests |
479
|
|
|
|
|
|
|
### |
480
|
|
|
|
|
|
|
|
481
|
|
|
|
|
|
|
sub dnssec01 { |
482
|
7
|
|
|
7
|
1
|
26
|
my ( $class, $zone ) = @_; |
483
|
7
|
|
|
|
|
16
|
my @results; |
484
|
|
|
|
|
|
|
|
485
|
7
|
|
|
|
|
49
|
my %type = ( 1 => 'SHA-1', 2 => 'SHA-256', 3 => 'GOST R 34.11-94', 4 => 'SHA-384' ); |
486
|
|
|
|
|
|
|
|
487
|
7
|
50
|
|
|
|
199
|
return if not $zone->parent; |
488
|
7
|
|
|
|
|
170
|
my $ds_p = $zone->parent->query_one( $zone->name, 'DS', { dnssec => 1 } ); |
489
|
7
|
50
|
|
|
|
32
|
die "No response from parent nameservers" if not $ds_p; |
490
|
7
|
|
|
|
|
33
|
my @ds = $ds_p->get_records( 'DS', 'answer' ); |
491
|
|
|
|
|
|
|
|
492
|
7
|
100
|
|
|
|
26
|
if ( @ds == 0 ) { |
493
|
2
|
|
|
|
|
53
|
push @results, |
494
|
|
|
|
|
|
|
info( |
495
|
|
|
|
|
|
|
NO_DS => { |
496
|
|
|
|
|
|
|
zone => q{} . $zone->name, |
497
|
|
|
|
|
|
|
from => $ds_p->answerfrom |
498
|
|
|
|
|
|
|
} |
499
|
|
|
|
|
|
|
); |
500
|
|
|
|
|
|
|
} |
501
|
|
|
|
|
|
|
else { |
502
|
5
|
|
|
|
|
14
|
foreach my $ds ( @ds ) { |
503
|
8
|
100
|
|
|
|
47
|
if ( $type{ $ds->digtype } ) { |
504
|
|
|
|
|
|
|
push @results, |
505
|
|
|
|
|
|
|
info( |
506
|
|
|
|
|
|
|
DS_DIGTYPE_OK => { |
507
|
|
|
|
|
|
|
keytag => $ds->keytag, |
508
|
6
|
|
|
|
|
45
|
digtype => $type{ $ds->digtype }, |
509
|
|
|
|
|
|
|
} |
510
|
|
|
|
|
|
|
); |
511
|
|
|
|
|
|
|
} |
512
|
|
|
|
|
|
|
else { |
513
|
2
|
|
|
|
|
17
|
push @results, |
514
|
|
|
|
|
|
|
info( |
515
|
|
|
|
|
|
|
DS_DIGTYPE_NOT_OK => { |
516
|
|
|
|
|
|
|
keytag => $ds->keytag, |
517
|
|
|
|
|
|
|
digtype => $ds->digtype |
518
|
|
|
|
|
|
|
} |
519
|
|
|
|
|
|
|
); |
520
|
|
|
|
|
|
|
} |
521
|
|
|
|
|
|
|
} ## end foreach my $ds ( @ds ) |
522
|
|
|
|
|
|
|
} ## end else [ if ( @ds == 0 ) ] |
523
|
|
|
|
|
|
|
|
524
|
7
|
|
|
|
|
58
|
return @results; |
525
|
|
|
|
|
|
|
} ## end sub dnssec01 |
526
|
|
|
|
|
|
|
|
527
|
|
|
|
|
|
|
sub dnssec02 { |
528
|
9
|
|
|
9
|
1
|
27
|
my ( $class, $zone ) = @_; |
529
|
9
|
|
|
|
|
17
|
my @results; |
530
|
|
|
|
|
|
|
|
531
|
9
|
50
|
|
|
|
268
|
return if not $zone->parent; |
532
|
|
|
|
|
|
|
|
533
|
|
|
|
|
|
|
# 1. Retrieve the DS RR set from the parent zone. If there are no DS RR present, exit the test |
534
|
9
|
|
|
|
|
257
|
my $ds_p = $zone->parent->query_one( $zone->name, 'DS', { dnssec => 1 } ); |
535
|
9
|
50
|
|
|
|
40
|
die "No response from parent nameservers" if not $ds_p; |
536
|
9
|
|
|
|
|
44
|
my %ds = map { $_->keytag => $_ } $ds_p->get_records( 'DS', 'answer' ); |
|
14
|
|
|
|
|
65
|
|
537
|
|
|
|
|
|
|
|
538
|
9
|
100
|
|
|
|
63
|
if ( scalar( keys %ds ) == 0 ) { |
539
|
2
|
|
|
|
|
53
|
push @results, |
540
|
|
|
|
|
|
|
info( |
541
|
|
|
|
|
|
|
NO_DS => { |
542
|
|
|
|
|
|
|
zone => q{} . $zone->name, |
543
|
|
|
|
|
|
|
from => $ds_p->answerfrom, |
544
|
|
|
|
|
|
|
} |
545
|
|
|
|
|
|
|
); |
546
|
|
|
|
|
|
|
} |
547
|
|
|
|
|
|
|
else { |
548
|
|
|
|
|
|
|
push @results, |
549
|
|
|
|
|
|
|
info( |
550
|
|
|
|
|
|
|
DS_FOUND => { |
551
|
7
|
|
|
|
|
29
|
keytags => join( q{:}, map { $_->keytag } values %ds ), |
|
7
|
|
|
|
|
61
|
|
552
|
|
|
|
|
|
|
} |
553
|
|
|
|
|
|
|
); |
554
|
|
|
|
|
|
|
|
555
|
|
|
|
|
|
|
# 2. Retrieve the DNSKEY RR set from the child zone. If there are no DNSKEY RR present, then the test case fail |
556
|
7
|
|
|
|
|
200
|
my $dnskey_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
557
|
|
|
|
|
|
|
|
558
|
7
|
|
|
|
|
23
|
my %dnskey; |
559
|
7
|
50
|
|
|
|
44
|
%dnskey = map { $_->keytag => $_ } $dnskey_p->get_records( 'DNSKEY', 'answer' ) if $dnskey_p; |
|
12
|
|
|
|
|
73
|
|
560
|
7
|
100
|
|
|
|
36
|
if ( scalar( keys %dnskey ) == 0 ) { |
561
|
1
|
|
|
|
|
6
|
push @results, |
562
|
|
|
|
|
|
|
info( NO_DNSKEY => {} ); |
563
|
1
|
|
|
|
|
15
|
return @results; |
564
|
|
|
|
|
|
|
} |
565
|
|
|
|
|
|
|
|
566
|
|
|
|
|
|
|
# Pick out keys with a tag that a DS has using a hash slice |
567
|
6
|
|
|
|
|
15
|
my @common = grep { exists $ds{$_->keytag} } values %dnskey; |
|
12
|
|
|
|
|
55
|
|
568
|
6
|
100
|
|
|
|
19
|
if ( @common ) { |
569
|
|
|
|
|
|
|
push @results, |
570
|
|
|
|
|
|
|
info( |
571
|
|
|
|
|
|
|
COMMON_KEYTAGS => { |
572
|
5
|
|
|
|
|
17
|
keytags => join( q{:}, map { $_->keytag } @common ), |
|
5
|
|
|
|
|
45
|
|
573
|
|
|
|
|
|
|
} |
574
|
|
|
|
|
|
|
); |
575
|
|
|
|
|
|
|
|
576
|
5
|
|
|
|
|
13
|
my $found = 0; |
577
|
5
|
|
|
|
|
11
|
my $rfc4509_compliant = 1; |
578
|
|
|
|
|
|
|
# 4. Match all DS RR with type digest algorithm â2â with DNSKEY RR from the child. If no DS RRs with algorithm 2 matches a |
579
|
|
|
|
|
|
|
# DNSKEY RR from the child, this test case fails. |
580
|
5
|
|
|
|
|
19
|
my %ds_digtype2 = map { $_->keytag => $_ } grep { $_->digtype == 2 } $ds_p->get_records( 'DS', 'answer' ); |
|
5
|
|
|
|
|
28
|
|
|
10
|
|
|
|
|
36
|
|
581
|
5
|
50
|
|
|
|
28
|
if ( scalar( keys %ds_digtype2 ) >= 1 ) { |
582
|
5
|
|
|
|
|
12
|
@common = grep { exists $ds_digtype2{$_->keytag} } values %dnskey; |
|
10
|
|
|
|
|
54
|
|
583
|
|
|
|
|
|
|
|
584
|
5
|
|
|
|
|
16
|
foreach my $key ( @common ) { |
585
|
5
|
100
|
|
|
|
184
|
if ( $ds_digtype2{ $key->keytag }->verify( $key ) ) { |
586
|
3
|
|
|
|
|
26
|
push @results, |
587
|
|
|
|
|
|
|
info( |
588
|
|
|
|
|
|
|
DS_MATCHES_DNSKEY => { |
589
|
|
|
|
|
|
|
keytag => $key->keytag, |
590
|
|
|
|
|
|
|
digtype => 2, |
591
|
|
|
|
|
|
|
} |
592
|
|
|
|
|
|
|
); |
593
|
3
|
|
|
|
|
13
|
$found = 1; |
594
|
|
|
|
|
|
|
} |
595
|
|
|
|
|
|
|
else { |
596
|
2
|
|
|
|
|
113
|
push @results, |
597
|
|
|
|
|
|
|
info( |
598
|
|
|
|
|
|
|
DS_DOES_NOT_MATCH_DNSKEY => { |
599
|
|
|
|
|
|
|
keytag => $key->keytag, |
600
|
|
|
|
|
|
|
digtype => 2, |
601
|
|
|
|
|
|
|
} |
602
|
|
|
|
|
|
|
); |
603
|
|
|
|
|
|
|
} |
604
|
|
|
|
|
|
|
} |
605
|
|
|
|
|
|
|
|
606
|
5
|
100
|
|
|
|
20
|
if ( not grep { $_->tag eq q{DS_MATCHES_DNSKEY} } @results ) { |
|
15
|
|
|
|
|
383
|
|
607
|
2
|
|
|
|
|
4
|
$rfc4509_compliant = 0; |
608
|
2
|
|
|
|
|
8
|
push @results, |
609
|
|
|
|
|
|
|
info( DS_RFC4509_NOT_VALID => {} ); |
610
|
|
|
|
|
|
|
} |
611
|
|
|
|
|
|
|
|
612
|
|
|
|
|
|
|
} |
613
|
|
|
|
|
|
|
|
614
|
|
|
|
|
|
|
# 5. Match all DS RR with type digest algorithm â1â with DNSKEY RR from the child. If no DS RRs with algorithm 1 matches a |
615
|
|
|
|
|
|
|
# DNSKEY RR from the child, this test case fails. |
616
|
5
|
|
|
|
|
243
|
my %ds_digtype1 = map { $_->keytag => $_ } grep { $_->digtype == 1 } $ds_p->get_records( 'DS', 'answer' ); |
|
5
|
|
|
|
|
24
|
|
|
10
|
|
|
|
|
33
|
|
617
|
5
|
|
|
|
|
22
|
@common = grep { exists $ds_digtype1{$_->keytag} } values %dnskey; |
|
10
|
|
|
|
|
48
|
|
618
|
5
|
|
|
|
|
14
|
foreach my $key ( @common ) { |
619
|
5
|
100
|
|
|
|
125
|
if ( $ds_digtype1{ $key->keytag }->verify( $key ) ) { |
620
|
3
|
|
|
|
|
24
|
push @results, |
621
|
|
|
|
|
|
|
info( |
622
|
|
|
|
|
|
|
DS_MATCHES_DNSKEY => { |
623
|
|
|
|
|
|
|
keytag => $key->keytag, |
624
|
|
|
|
|
|
|
digtype => 1, |
625
|
|
|
|
|
|
|
} |
626
|
|
|
|
|
|
|
); |
627
|
3
|
|
|
|
|
9
|
$found = 1; |
628
|
|
|
|
|
|
|
} |
629
|
|
|
|
|
|
|
else { |
630
|
2
|
|
|
|
|
13
|
push @results, |
631
|
|
|
|
|
|
|
info( |
632
|
|
|
|
|
|
|
DS_DOES_NOT_MATCH_DNSKEY => { |
633
|
|
|
|
|
|
|
keytag => $key->keytag, |
634
|
|
|
|
|
|
|
digtype => 1, |
635
|
|
|
|
|
|
|
} |
636
|
|
|
|
|
|
|
); |
637
|
|
|
|
|
|
|
} |
638
|
|
|
|
|
|
|
} |
639
|
|
|
|
|
|
|
|
640
|
5
|
100
|
|
|
|
17
|
if ( $found ) { |
641
|
3
|
|
|
|
|
12
|
push @results, |
642
|
|
|
|
|
|
|
info( DS_MATCH_FOUND => {} ); |
643
|
|
|
|
|
|
|
} |
644
|
|
|
|
|
|
|
else { |
645
|
2
|
|
|
|
|
8
|
push @results, |
646
|
|
|
|
|
|
|
info( DS_MATCH_NOT_FOUND => {} ); |
647
|
|
|
|
|
|
|
} |
648
|
|
|
|
|
|
|
} ## end if ( @common ) |
649
|
|
|
|
|
|
|
else { |
650
|
|
|
|
|
|
|
# 3. If no Key Tag from the DS RR matches any Key Tag from the DNSKEY RR, this test case fails |
651
|
1
|
|
|
|
|
9
|
push @results, |
652
|
|
|
|
|
|
|
info( |
653
|
|
|
|
|
|
|
NO_COMMON_KEYTAGS => { |
654
|
|
|
|
|
|
|
dstags => join( q{:}, keys %ds ), |
655
|
|
|
|
|
|
|
dnskeytags => join( q{:}, keys %dnskey ), |
656
|
|
|
|
|
|
|
} |
657
|
|
|
|
|
|
|
); |
658
|
|
|
|
|
|
|
} |
659
|
|
|
|
|
|
|
} ## end else [ if ( scalar( keys %ds ...))] |
660
|
|
|
|
|
|
|
|
661
|
8
|
|
|
|
|
53
|
return @results; |
662
|
|
|
|
|
|
|
} ## end sub dnssec02 |
663
|
|
|
|
|
|
|
|
664
|
|
|
|
|
|
|
sub dnssec03 { |
665
|
9
|
|
|
9
|
1
|
26
|
my ( $self, $zone ) = @_; |
666
|
9
|
|
|
|
|
19
|
my @results; |
667
|
|
|
|
|
|
|
|
668
|
9
|
|
|
|
|
239
|
my $param_p = $zone->query_one( $zone->name, 'NSEC3PARAM', { dnssec => 1 } ); |
669
|
|
|
|
|
|
|
|
670
|
9
|
|
|
|
|
34
|
my @nsec3params; |
671
|
9
|
50
|
|
|
|
60
|
@nsec3params = $param_p->get_records( 'NSEC3PARAM', 'answer' ) if $param_p; |
672
|
|
|
|
|
|
|
|
673
|
9
|
100
|
|
|
|
36
|
if ( @nsec3params == 0 ) { |
674
|
3
|
50
|
|
|
|
20
|
push @results, |
675
|
|
|
|
|
|
|
info( |
676
|
|
|
|
|
|
|
NO_NSEC3PARAM => { |
677
|
|
|
|
|
|
|
server => ( $param_p ? $param_p->answerfrom : '<no response>' ), |
678
|
|
|
|
|
|
|
} |
679
|
|
|
|
|
|
|
); |
680
|
|
|
|
|
|
|
} |
681
|
|
|
|
|
|
|
else { |
682
|
6
|
|
|
|
|
179
|
my $dk_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
683
|
|
|
|
|
|
|
|
684
|
6
|
|
|
|
|
45
|
my @dnskey; |
685
|
6
|
50
|
|
|
|
80
|
@dnskey = $dk_p->get_records( 'DNSKEY', 'answer' ) if $dk_p; |
686
|
|
|
|
|
|
|
|
687
|
6
|
|
|
|
|
17
|
my $min_len = 0; |
688
|
6
|
50
|
|
|
|
25
|
if ( @dnskey ) { |
689
|
6
|
|
|
|
|
16
|
$min_len = min map { $_->keysize } @dnskey; |
|
15
|
|
|
|
|
246
|
|
690
|
|
|
|
|
|
|
# Do rounding as per RFC5155 section 10.3 |
691
|
6
|
100
|
|
|
|
29
|
if ($min_len > 2048) { |
|
|
100
|
|
|
|
|
|
692
|
1
|
|
|
|
|
2
|
$min_len = 4096; |
693
|
|
|
|
|
|
|
} |
694
|
|
|
|
|
|
|
elsif ($min_len > 1024) { |
695
|
1
|
|
|
|
|
3
|
$min_len = 2048; |
696
|
|
|
|
|
|
|
} |
697
|
|
|
|
|
|
|
else { |
698
|
4
|
|
|
|
|
11
|
$min_len = 1024; |
699
|
|
|
|
|
|
|
} |
700
|
|
|
|
|
|
|
} |
701
|
|
|
|
|
|
|
else { |
702
|
0
|
|
|
|
|
0
|
push @results, |
703
|
|
|
|
|
|
|
info( NO_DNSKEY => {} ); |
704
|
|
|
|
|
|
|
} |
705
|
|
|
|
|
|
|
|
706
|
6
|
|
|
|
|
21
|
foreach my $n3p ( @nsec3params ) { |
707
|
6
|
|
|
|
|
34
|
my $iter = $n3p->iterations; |
708
|
6
|
100
|
|
|
|
24
|
if ( $iter > 100 ) { |
|
|
50
|
|
|
|
|
|
709
|
4
|
|
|
|
|
29
|
push @results, |
710
|
|
|
|
|
|
|
info( |
711
|
|
|
|
|
|
|
MANY_ITERATIONS => { |
712
|
|
|
|
|
|
|
count => $iter, |
713
|
|
|
|
|
|
|
} |
714
|
|
|
|
|
|
|
); |
715
|
4
|
100
|
66
|
|
|
113
|
if ( ( $min_len >= 4096 and $iter > 2500 ) |
|
|
|
100
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
66
|
|
|
|
|
716
|
|
|
|
|
|
|
or ( $min_len < 4096 and $min_len >= 2048 and $iter > 500 ) |
717
|
|
|
|
|
|
|
or ( $min_len < 2048 and $min_len >= 1024 and $iter > 150 ) ) |
718
|
|
|
|
|
|
|
{ |
719
|
1
|
|
|
|
|
5
|
push @results, |
720
|
|
|
|
|
|
|
info( |
721
|
|
|
|
|
|
|
TOO_MANY_ITERATIONS => { |
722
|
|
|
|
|
|
|
count => $iter, |
723
|
|
|
|
|
|
|
keylength => $min_len, |
724
|
|
|
|
|
|
|
} |
725
|
|
|
|
|
|
|
); |
726
|
|
|
|
|
|
|
} |
727
|
|
|
|
|
|
|
} ## end if ( $iter > 100 ) |
728
|
|
|
|
|
|
|
elsif ( $min_len > 0 ) |
729
|
|
|
|
|
|
|
{ |
730
|
2
|
|
|
|
|
10
|
push @results, |
731
|
|
|
|
|
|
|
info( |
732
|
|
|
|
|
|
|
ITERATIONS_OK => { |
733
|
|
|
|
|
|
|
count => $iter, |
734
|
|
|
|
|
|
|
} |
735
|
|
|
|
|
|
|
); |
736
|
|
|
|
|
|
|
} |
737
|
|
|
|
|
|
|
} ## end foreach my $n3p ( @nsec3params) |
738
|
|
|
|
|
|
|
} ## end else [ if ( @nsec3params == 0)] |
739
|
|
|
|
|
|
|
|
740
|
9
|
|
|
|
|
52
|
return @results; |
741
|
|
|
|
|
|
|
} ## end sub dnssec03 |
742
|
|
|
|
|
|
|
|
743
|
|
|
|
|
|
|
sub dnssec04 { |
744
|
6
|
|
|
6
|
1
|
20
|
my ( $self, $zone ) = @_; |
745
|
6
|
|
|
|
|
12
|
my @results; |
746
|
|
|
|
|
|
|
|
747
|
6
|
|
|
|
|
153
|
my $key_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
748
|
6
|
50
|
|
|
|
27
|
if ( not $key_p ) { |
749
|
0
|
|
|
|
|
0
|
return; |
750
|
|
|
|
|
|
|
} |
751
|
6
|
|
|
|
|
25
|
my @keys = $key_p->get_records( 'DNSKEY', 'answer' ); |
752
|
6
|
|
|
|
|
22
|
my @key_sigs = $key_p->get_records( 'RRSIG', 'answer' ); |
753
|
|
|
|
|
|
|
|
754
|
6
|
|
|
|
|
156
|
my $soa_p = $zone->query_one( $zone->name, 'SOA', { dnssec => 1 } ); |
755
|
6
|
50
|
|
|
|
25
|
if ( not $soa_p ) { |
756
|
0
|
|
|
|
|
0
|
return; |
757
|
|
|
|
|
|
|
} |
758
|
6
|
|
|
|
|
25
|
my @soas = $soa_p->get_records( 'SOA', 'answer' ); |
759
|
6
|
|
|
|
|
25
|
my @soa_sigs = $soa_p->get_records( 'RRSIG', 'answer' ); |
760
|
|
|
|
|
|
|
|
761
|
6
|
|
|
|
|
22
|
foreach my $sig ( @key_sigs, @soa_sigs ) { |
762
|
17
|
|
|
|
|
88
|
my $duration = $sig->expiration - $sig->inception; |
763
|
17
|
|
|
|
|
69
|
my $remaining = $sig->expiration - int( $key_p->timestamp ); |
764
|
17
|
|
|
|
|
467
|
push @results, |
765
|
|
|
|
|
|
|
info( |
766
|
|
|
|
|
|
|
RRSIG_EXPIRATION => { |
767
|
|
|
|
|
|
|
date => scalar( gmtime($sig->expiration) ), |
768
|
|
|
|
|
|
|
tag => $sig->keytag, |
769
|
|
|
|
|
|
|
types => $sig->typecovered, |
770
|
|
|
|
|
|
|
} |
771
|
|
|
|
|
|
|
); |
772
|
17
|
50
|
|
|
|
95
|
if ( $remaining < 0 ) { # already expired |
|
|
50
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
773
|
0
|
|
|
|
|
0
|
push @results, |
774
|
|
|
|
|
|
|
info( |
775
|
|
|
|
|
|
|
RRSIG_EXPIRED => { |
776
|
|
|
|
|
|
|
expiration => $sig->expiration, |
777
|
|
|
|
|
|
|
tag => $sig->keytag, |
778
|
|
|
|
|
|
|
types => $sig->typecovered, |
779
|
|
|
|
|
|
|
} |
780
|
|
|
|
|
|
|
); |
781
|
|
|
|
|
|
|
} |
782
|
|
|
|
|
|
|
elsif ( $remaining < ( $DURATION_12_HOURS_IN_SECONDS ) ) { |
783
|
0
|
|
|
|
|
0
|
push @results, |
784
|
|
|
|
|
|
|
info( |
785
|
|
|
|
|
|
|
REMAINING_SHORT => { |
786
|
|
|
|
|
|
|
duration => $remaining, |
787
|
|
|
|
|
|
|
tag => $sig->keytag, |
788
|
|
|
|
|
|
|
types => $sig->typecovered, |
789
|
|
|
|
|
|
|
} |
790
|
|
|
|
|
|
|
); |
791
|
|
|
|
|
|
|
} |
792
|
|
|
|
|
|
|
elsif ( $remaining > ( $DURATION_180_DAYS_IN_SECONDS ) ) { |
793
|
3
|
|
|
|
|
50
|
push @results, |
794
|
|
|
|
|
|
|
info( |
795
|
|
|
|
|
|
|
REMAINING_LONG => { |
796
|
|
|
|
|
|
|
duration => $remaining, |
797
|
|
|
|
|
|
|
tag => $sig->keytag, |
798
|
|
|
|
|
|
|
types => $sig->typecovered, |
799
|
|
|
|
|
|
|
} |
800
|
|
|
|
|
|
|
); |
801
|
|
|
|
|
|
|
} |
802
|
|
|
|
|
|
|
elsif ( $duration > ( $DURATION_180_DAYS_IN_SECONDS ) ) { |
803
|
3
|
|
|
|
|
54
|
push @results, |
804
|
|
|
|
|
|
|
info( |
805
|
|
|
|
|
|
|
DURATION_LONG => { |
806
|
|
|
|
|
|
|
duration => $duration, |
807
|
|
|
|
|
|
|
tag => $sig->keytag, |
808
|
|
|
|
|
|
|
types => $sig->typecovered, |
809
|
|
|
|
|
|
|
} |
810
|
|
|
|
|
|
|
); |
811
|
|
|
|
|
|
|
} |
812
|
|
|
|
|
|
|
else { |
813
|
11
|
|
|
|
|
279
|
push @results, |
814
|
|
|
|
|
|
|
info( |
815
|
|
|
|
|
|
|
DURATION_OK => { |
816
|
|
|
|
|
|
|
duration => $duration, |
817
|
|
|
|
|
|
|
tag => $sig->keytag, |
818
|
|
|
|
|
|
|
types => $sig->typecovered, |
819
|
|
|
|
|
|
|
} |
820
|
|
|
|
|
|
|
); |
821
|
|
|
|
|
|
|
} |
822
|
|
|
|
|
|
|
} ## end foreach my $sig ( @key_sigs...) |
823
|
|
|
|
|
|
|
|
824
|
6
|
|
|
|
|
94
|
return @results; |
825
|
|
|
|
|
|
|
} ## end sub dnssec04 |
826
|
|
|
|
|
|
|
|
827
|
|
|
|
|
|
|
sub dnssec05 { |
828
|
12
|
|
|
12
|
1
|
40
|
my ( $self, $zone ) = @_; |
829
|
12
|
|
|
|
|
27
|
my @results; |
830
|
|
|
|
|
|
|
|
831
|
12
|
|
|
|
|
311
|
my $key_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
832
|
12
|
50
|
|
|
|
76
|
if ( not $key_p ) { |
833
|
0
|
|
|
|
|
0
|
return; |
834
|
|
|
|
|
|
|
} |
835
|
12
|
|
|
|
|
62
|
my @keys = $key_p->get_records( 'DNSKEY', 'answer' ); |
836
|
|
|
|
|
|
|
|
837
|
12
|
|
|
|
|
50
|
foreach my $key ( @keys ) { |
838
|
25
|
|
|
|
|
117
|
my $algo = $key->algorithm; |
839
|
25
|
100
|
|
|
|
150
|
if ( $algo_properties{$algo}{status} == $ALGO_STATUS_DEPRECATED ) { |
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
840
|
|
|
|
|
|
|
push @results, |
841
|
|
|
|
|
|
|
info( |
842
|
|
|
|
|
|
|
ALGORITHM_DEPRECATED => { |
843
|
|
|
|
|
|
|
algorithm => $algo, |
844
|
|
|
|
|
|
|
keytag => $key->keytag, |
845
|
|
|
|
|
|
|
description => $algo_properties{$algo}{description}, |
846
|
|
|
|
|
|
|
} |
847
|
4
|
|
|
|
|
81
|
); |
848
|
|
|
|
|
|
|
} |
849
|
|
|
|
|
|
|
elsif ( $algo_properties{$algo}{status} == $ALGO_STATUS_RESERVED ) { |
850
|
|
|
|
|
|
|
push @results, |
851
|
|
|
|
|
|
|
info( |
852
|
|
|
|
|
|
|
ALGORITHM_RESERVED => { |
853
|
|
|
|
|
|
|
algorithm => $algo, |
854
|
|
|
|
|
|
|
keytag => $key->keytag, |
855
|
|
|
|
|
|
|
description => $algo_properties{$algo}{description}, |
856
|
|
|
|
|
|
|
} |
857
|
4
|
|
|
|
|
126
|
); |
858
|
|
|
|
|
|
|
} |
859
|
|
|
|
|
|
|
elsif ( $algo_properties{$algo}{status} == $ALGO_STATUS_UNASSIGNED ) { |
860
|
|
|
|
|
|
|
push @results, |
861
|
|
|
|
|
|
|
info( |
862
|
|
|
|
|
|
|
ALGORITHM_UNASSIGNED => { |
863
|
|
|
|
|
|
|
algorithm => $algo, |
864
|
|
|
|
|
|
|
keytag => $key->keytag, |
865
|
|
|
|
|
|
|
description => $algo_properties{$algo}{description}, |
866
|
|
|
|
|
|
|
} |
867
|
4
|
|
|
|
|
186
|
); |
868
|
|
|
|
|
|
|
} |
869
|
|
|
|
|
|
|
elsif ( $algo_properties{$algo}{status} == $ALGO_STATUS_PRIVATE ) { |
870
|
|
|
|
|
|
|
push @results, |
871
|
|
|
|
|
|
|
info( |
872
|
|
|
|
|
|
|
ALGORITHM_PRIVATE => { |
873
|
|
|
|
|
|
|
algorithm => $algo, |
874
|
|
|
|
|
|
|
keytag => $key->keytag, |
875
|
|
|
|
|
|
|
description => $algo_properties{$algo}{description}, |
876
|
|
|
|
|
|
|
} |
877
|
4
|
|
|
|
|
201
|
); |
878
|
|
|
|
|
|
|
} |
879
|
|
|
|
|
|
|
elsif ( $algo_properties{$algo}{status} == $ALGO_STATUS_VALID ) { |
880
|
|
|
|
|
|
|
push @results, |
881
|
|
|
|
|
|
|
info( |
882
|
|
|
|
|
|
|
ALGORITHM_OK => { |
883
|
|
|
|
|
|
|
algorithm => $algo, |
884
|
|
|
|
|
|
|
keytag => $key->keytag, |
885
|
|
|
|
|
|
|
description => $algo_properties{$algo}{description}, |
886
|
|
|
|
|
|
|
} |
887
|
9
|
|
|
|
|
568
|
); |
888
|
9
|
50
|
|
|
|
82
|
if ( $key->flags & 256 ) { # This is a Key |
889
|
9
|
100
|
|
|
|
122
|
push @results, |
|
|
50
|
|
|
|
|
|
890
|
|
|
|
|
|
|
info( |
891
|
|
|
|
|
|
|
KEY_DETAILS => { |
892
|
|
|
|
|
|
|
keytag => $key->keytag, |
893
|
|
|
|
|
|
|
keysize => $key->keysize, |
894
|
|
|
|
|
|
|
sep => $key->flags & 1 ? q{SEP bit set} : q{SEP bit *not* set}, |
895
|
|
|
|
|
|
|
rfc5011 => $key->flags & 128 ? q{RFC 5011 revocation bit set} : q{RFC 5011 revocation bit *not* set}, |
896
|
|
|
|
|
|
|
} |
897
|
|
|
|
|
|
|
); |
898
|
|
|
|
|
|
|
} |
899
|
|
|
|
|
|
|
} |
900
|
|
|
|
|
|
|
else { |
901
|
0
|
|
|
|
|
0
|
push @results, |
902
|
|
|
|
|
|
|
info( |
903
|
|
|
|
|
|
|
ALGORITHM_UNKNOWN => { |
904
|
|
|
|
|
|
|
algorithm => $algo, |
905
|
|
|
|
|
|
|
keytag => $key->keytag, |
906
|
|
|
|
|
|
|
} |
907
|
|
|
|
|
|
|
); |
908
|
|
|
|
|
|
|
} |
909
|
|
|
|
|
|
|
} ## end foreach my $key ( @keys ) |
910
|
|
|
|
|
|
|
|
911
|
12
|
|
|
|
|
93
|
return @results; |
912
|
|
|
|
|
|
|
} ## end sub dnssec05 |
913
|
|
|
|
|
|
|
|
914
|
|
|
|
|
|
|
sub dnssec06 { |
915
|
7
|
|
|
7
|
1
|
28
|
my ( $self, $zone ) = @_; |
916
|
7
|
|
|
|
|
37
|
my @results; |
917
|
|
|
|
|
|
|
|
918
|
7
|
|
|
|
|
183
|
my $key_aref = $zone->query_all( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
919
|
7
|
|
|
|
|
23
|
foreach my $key_p ( @{$key_aref} ) { |
|
7
|
|
|
|
|
26
|
|
920
|
22
|
100
|
|
|
|
62
|
next if not $key_p; |
921
|
|
|
|
|
|
|
|
922
|
21
|
|
|
|
|
74
|
my @keys = $key_p->get_records( 'DNSKEY', 'answer' ); |
923
|
21
|
|
|
|
|
57
|
my @sigs = $key_p->get_records( 'RRSIG', 'answer' ); |
924
|
21
|
100
|
66
|
|
|
113
|
if ( @sigs > 0 and @keys > 0 ) { |
|
|
50
|
33
|
|
|
|
|
|
|
|
33
|
|
|
|
|
925
|
13
|
|
|
|
|
43
|
push @results, |
926
|
|
|
|
|
|
|
info( |
927
|
|
|
|
|
|
|
EXTRA_PROCESSING_OK => { |
928
|
|
|
|
|
|
|
server => $key_p->answerfrom, |
929
|
|
|
|
|
|
|
keys => scalar( @keys ), |
930
|
|
|
|
|
|
|
sigs => scalar( @sigs ), |
931
|
|
|
|
|
|
|
} |
932
|
|
|
|
|
|
|
); |
933
|
|
|
|
|
|
|
} |
934
|
|
|
|
|
|
|
elsif ( $key_p->rcode eq q{NOERROR} and ( @sigs == 0 or @keys == 0 ) ) { |
935
|
8
|
|
|
|
|
137
|
push @results, |
936
|
|
|
|
|
|
|
info( |
937
|
|
|
|
|
|
|
EXTRA_PROCESSING_BROKEN => { |
938
|
|
|
|
|
|
|
server => $key_p->answerfrom, |
939
|
|
|
|
|
|
|
keys => scalar( @keys ), |
940
|
|
|
|
|
|
|
sigs => scalar( @sigs ) |
941
|
|
|
|
|
|
|
} |
942
|
|
|
|
|
|
|
); |
943
|
|
|
|
|
|
|
} |
944
|
|
|
|
|
|
|
} ## end foreach my $key_p ( @{$key_aref...}) |
945
|
|
|
|
|
|
|
|
946
|
7
|
|
|
|
|
34
|
return @results; |
947
|
|
|
|
|
|
|
} ## end sub dnssec06 |
948
|
|
|
|
|
|
|
|
949
|
|
|
|
|
|
|
sub dnssec07 { |
950
|
11
|
|
|
11
|
1
|
42
|
my ( $self, $zone ) = @_; |
951
|
11
|
|
|
|
|
24
|
my @results; |
952
|
|
|
|
|
|
|
|
953
|
11
|
50
|
|
|
|
349
|
return if not $zone->parent; |
954
|
11
|
|
|
|
|
339
|
my $key_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
955
|
11
|
50
|
|
|
|
52
|
if ( not $key_p ) { |
956
|
0
|
|
|
|
|
0
|
return; |
957
|
|
|
|
|
|
|
} |
958
|
11
|
|
|
|
|
56
|
my ( $dnskey ) = $key_p->get_records( 'DNSKEY', 'answer' ); |
959
|
|
|
|
|
|
|
|
960
|
11
|
|
|
|
|
617
|
my $ds_p = $zone->parent->query_one( $zone->name, 'DS', { dnssec => 1 } ); |
961
|
11
|
50
|
|
|
|
51
|
if ( not $ds_p ) { |
962
|
0
|
|
|
|
|
0
|
return; |
963
|
|
|
|
|
|
|
} |
964
|
11
|
|
|
|
|
52
|
my ( $ds ) = $ds_p->get_records( 'DS', 'answer' ); |
965
|
|
|
|
|
|
|
|
966
|
11
|
100
|
100
|
|
|
212
|
if ( $dnskey and not $ds ) { |
|
|
100
|
66
|
|
|
|
|
|
|
100
|
66
|
|
|
|
|
967
|
3
|
|
|
|
|
124
|
push @results, |
968
|
|
|
|
|
|
|
info( |
969
|
|
|
|
|
|
|
DNSKEY_BUT_NOT_DS => { |
970
|
|
|
|
|
|
|
child => $key_p->answerfrom, |
971
|
|
|
|
|
|
|
parent => $ds_p->answerfrom, |
972
|
|
|
|
|
|
|
} |
973
|
|
|
|
|
|
|
); |
974
|
|
|
|
|
|
|
} |
975
|
|
|
|
|
|
|
elsif ( $dnskey and $ds ) { |
976
|
4
|
|
|
|
|
432
|
push @results, |
977
|
|
|
|
|
|
|
info( |
978
|
|
|
|
|
|
|
DNSKEY_AND_DS => { |
979
|
|
|
|
|
|
|
child => $key_p->answerfrom, |
980
|
|
|
|
|
|
|
parent => $ds_p->answerfrom, |
981
|
|
|
|
|
|
|
} |
982
|
|
|
|
|
|
|
); |
983
|
|
|
|
|
|
|
} |
984
|
|
|
|
|
|
|
elsif ( not $dnskey and $ds ) { |
985
|
2
|
|
|
|
|
154
|
push @results, |
986
|
|
|
|
|
|
|
info( |
987
|
|
|
|
|
|
|
DS_BUT_NOT_DNSKEY => { |
988
|
|
|
|
|
|
|
child => $key_p->answerfrom, |
989
|
|
|
|
|
|
|
parent => $ds_p->answerfrom, |
990
|
|
|
|
|
|
|
} |
991
|
|
|
|
|
|
|
); |
992
|
|
|
|
|
|
|
} |
993
|
|
|
|
|
|
|
else { |
994
|
2
|
|
|
|
|
12
|
push @results, |
995
|
|
|
|
|
|
|
info( |
996
|
|
|
|
|
|
|
NEITHER_DNSKEY_NOR_DS => { |
997
|
|
|
|
|
|
|
child => $key_p->answerfrom, |
998
|
|
|
|
|
|
|
parent => $ds_p->answerfrom, |
999
|
|
|
|
|
|
|
} |
1000
|
|
|
|
|
|
|
); |
1001
|
|
|
|
|
|
|
} |
1002
|
|
|
|
|
|
|
|
1003
|
11
|
|
|
|
|
75
|
return @results; |
1004
|
|
|
|
|
|
|
} ## end sub dnssec07 |
1005
|
|
|
|
|
|
|
|
1006
|
|
|
|
|
|
|
sub dnssec08 { |
1007
|
8
|
|
|
8
|
1
|
28
|
my ( $self, $zone ) = @_; |
1008
|
8
|
|
|
|
|
18
|
my @results; |
1009
|
|
|
|
|
|
|
|
1010
|
8
|
|
|
|
|
228
|
my $key_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
1011
|
8
|
50
|
|
|
|
41
|
if ( not $key_p ) { |
1012
|
0
|
|
|
|
|
0
|
return; |
1013
|
|
|
|
|
|
|
} |
1014
|
8
|
|
|
|
|
37
|
my @dnskeys = $key_p->get_records( 'DNSKEY', 'answer' ); |
1015
|
8
|
|
|
|
|
33
|
my @sigs = $key_p->get_records( 'RRSIG', 'answer' ); |
1016
|
|
|
|
|
|
|
|
1017
|
8
|
100
|
100
|
|
|
53
|
if ( @dnskeys == 0 or @sigs == 0 ) { |
1018
|
2
|
|
|
|
|
14
|
push @results, |
1019
|
|
|
|
|
|
|
info( |
1020
|
|
|
|
|
|
|
NO_KEYS_OR_NO_SIGS => { |
1021
|
|
|
|
|
|
|
keys => scalar( @dnskeys ), |
1022
|
|
|
|
|
|
|
sigs => scalar( @sigs ), |
1023
|
|
|
|
|
|
|
} |
1024
|
|
|
|
|
|
|
); |
1025
|
2
|
|
|
|
|
14
|
return @results; |
1026
|
|
|
|
|
|
|
} |
1027
|
|
|
|
|
|
|
|
1028
|
6
|
|
|
|
|
17
|
my $ok = 0; |
1029
|
6
|
|
|
|
|
21
|
foreach my $sig ( @sigs ) { |
1030
|
11
|
|
|
|
|
23
|
my $msg = q{}; |
1031
|
11
|
|
|
|
|
44
|
my $time = $key_p->timestamp; |
1032
|
11
|
100
|
|
|
|
1930
|
if ( $sig->verify_time( \@dnskeys, \@dnskeys, $time, $msg ) ) { |
1033
|
8
|
|
|
|
|
73
|
push @results, |
1034
|
|
|
|
|
|
|
info( |
1035
|
|
|
|
|
|
|
DNSKEY_SIGNATURE_OK => { |
1036
|
|
|
|
|
|
|
signature => $sig->keytag, |
1037
|
|
|
|
|
|
|
} |
1038
|
|
|
|
|
|
|
); |
1039
|
8
|
|
|
|
|
42
|
$ok = $sig->keytag; |
1040
|
|
|
|
|
|
|
} |
1041
|
|
|
|
|
|
|
else { |
1042
|
3
|
50
|
33
|
|
|
27
|
if ($sig->algorithm == 12 and $msg =~ /Unknown cryptographic algorithm/) { |
1043
|
0
|
|
|
|
|
0
|
$msg = 'no GOST support'; |
1044
|
|
|
|
|
|
|
} |
1045
|
3
|
|
|
|
|
25
|
push @results, |
1046
|
|
|
|
|
|
|
info( |
1047
|
|
|
|
|
|
|
DNSKEY_SIGNATURE_NOT_OK => { |
1048
|
|
|
|
|
|
|
signature => $sig->keytag, |
1049
|
|
|
|
|
|
|
error => $msg, |
1050
|
|
|
|
|
|
|
time => $time, |
1051
|
|
|
|
|
|
|
} |
1052
|
|
|
|
|
|
|
); |
1053
|
|
|
|
|
|
|
} |
1054
|
|
|
|
|
|
|
} ## end foreach my $sig ( @sigs ) |
1055
|
|
|
|
|
|
|
|
1056
|
6
|
100
|
|
|
|
24
|
if ( $ok ) { |
1057
|
5
|
|
|
|
|
23
|
push @results, |
1058
|
|
|
|
|
|
|
info( |
1059
|
|
|
|
|
|
|
DNSKEY_SIGNED => { |
1060
|
|
|
|
|
|
|
keytag => $ok, |
1061
|
|
|
|
|
|
|
} |
1062
|
|
|
|
|
|
|
); |
1063
|
|
|
|
|
|
|
} |
1064
|
|
|
|
|
|
|
else { |
1065
|
1
|
|
|
|
|
4
|
push @results, |
1066
|
|
|
|
|
|
|
info( DNSKEY_NOT_SIGNED => {} ); |
1067
|
|
|
|
|
|
|
} |
1068
|
|
|
|
|
|
|
|
1069
|
6
|
|
|
|
|
59
|
return @results; |
1070
|
|
|
|
|
|
|
} ## end sub dnssec08 |
1071
|
|
|
|
|
|
|
|
1072
|
|
|
|
|
|
|
sub dnssec09 { |
1073
|
6
|
|
|
6
|
1
|
21
|
my ( $self, $zone ) = @_; |
1074
|
6
|
|
|
|
|
14
|
my @results; |
1075
|
|
|
|
|
|
|
|
1076
|
6
|
|
|
|
|
172
|
my $key_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
1077
|
6
|
50
|
|
|
|
29
|
if ( not $key_p ) { |
1078
|
0
|
|
|
|
|
0
|
return; |
1079
|
|
|
|
|
|
|
} |
1080
|
6
|
|
|
|
|
31
|
my @dnskeys = $key_p->get_records( 'DNSKEY', 'answer' ); |
1081
|
|
|
|
|
|
|
|
1082
|
6
|
|
|
|
|
167
|
my $soa_p = $zone->query_one( $zone->name, 'SOA', { dnssec => 1 } ); |
1083
|
6
|
50
|
|
|
|
27
|
if ( not $soa_p ) { |
1084
|
0
|
|
|
|
|
0
|
return; |
1085
|
|
|
|
|
|
|
} |
1086
|
6
|
|
|
|
|
32
|
my @soa = $soa_p->get_records( 'SOA', 'answer' ); |
1087
|
6
|
|
|
|
|
28
|
my @sigs = $soa_p->get_records( 'RRSIG', 'answer' ); |
1088
|
|
|
|
|
|
|
|
1089
|
6
|
50
|
66
|
|
|
57
|
if ( @dnskeys == 0 or @sigs == 0 or @soa == 0 ) { |
|
|
|
66
|
|
|
|
|
1090
|
1
|
|
|
|
|
9
|
push @results, |
1091
|
|
|
|
|
|
|
info( |
1092
|
|
|
|
|
|
|
NO_KEYS_OR_NO_SIGS_OR_NO_SOA => { |
1093
|
|
|
|
|
|
|
keys => scalar( @dnskeys ), |
1094
|
|
|
|
|
|
|
sigs => scalar( @sigs ), |
1095
|
|
|
|
|
|
|
soas => scalar( @soa ), |
1096
|
|
|
|
|
|
|
} |
1097
|
|
|
|
|
|
|
); |
1098
|
1
|
|
|
|
|
9
|
return @results; |
1099
|
|
|
|
|
|
|
} |
1100
|
|
|
|
|
|
|
|
1101
|
5
|
|
|
|
|
14
|
my $ok = 0; |
1102
|
5
|
|
|
|
|
14
|
foreach my $sig ( @sigs ) { |
1103
|
5
|
|
|
|
|
13
|
my $msg = q{}; |
1104
|
5
|
|
|
|
|
21
|
my $time = $soa_p->timestamp; |
1105
|
5
|
100
|
|
|
|
712
|
if ( $sig->verify_time( \@soa, \@dnskeys, $time, $msg ) ) { |
1106
|
4
|
|
|
|
|
37
|
push @results, |
1107
|
|
|
|
|
|
|
info( |
1108
|
|
|
|
|
|
|
SOA_SIGNATURE_OK => { |
1109
|
|
|
|
|
|
|
signature => $sig->keytag, |
1110
|
|
|
|
|
|
|
} |
1111
|
|
|
|
|
|
|
); |
1112
|
4
|
|
|
|
|
23
|
$ok = $sig->keytag; |
1113
|
|
|
|
|
|
|
} |
1114
|
|
|
|
|
|
|
else { |
1115
|
1
|
50
|
33
|
|
|
10
|
if ($sig->algorithm == 12 and $msg =~ /Unknown cryptographic algorithm/) { |
1116
|
0
|
|
|
|
|
0
|
$msg = 'no GOST support'; |
1117
|
|
|
|
|
|
|
} |
1118
|
1
|
|
|
|
|
11
|
push @results, |
1119
|
|
|
|
|
|
|
info( |
1120
|
|
|
|
|
|
|
SOA_SIGNATURE_NOT_OK => { |
1121
|
|
|
|
|
|
|
signature => $sig->keytag, |
1122
|
|
|
|
|
|
|
error => $msg, |
1123
|
|
|
|
|
|
|
} |
1124
|
|
|
|
|
|
|
); |
1125
|
|
|
|
|
|
|
} |
1126
|
|
|
|
|
|
|
} ## end foreach my $sig ( @sigs ) |
1127
|
|
|
|
|
|
|
|
1128
|
5
|
100
|
|
|
|
23
|
if ( $ok ) { |
1129
|
4
|
|
|
|
|
21
|
push @results, |
1130
|
|
|
|
|
|
|
info( |
1131
|
|
|
|
|
|
|
SOA_SIGNED => { |
1132
|
|
|
|
|
|
|
keytag => $ok, |
1133
|
|
|
|
|
|
|
} |
1134
|
|
|
|
|
|
|
); |
1135
|
|
|
|
|
|
|
} |
1136
|
|
|
|
|
|
|
else { |
1137
|
1
|
|
|
|
|
4
|
push @results, |
1138
|
|
|
|
|
|
|
info( SOA_NOT_SIGNED => {} ); |
1139
|
|
|
|
|
|
|
} |
1140
|
|
|
|
|
|
|
|
1141
|
5
|
|
|
|
|
48
|
return @results; |
1142
|
|
|
|
|
|
|
} ## end sub dnssec09 |
1143
|
|
|
|
|
|
|
|
1144
|
|
|
|
|
|
|
sub dnssec10 { |
1145
|
9
|
|
|
9
|
1
|
30
|
my ( $self, $zone ) = @_; |
1146
|
9
|
|
|
|
|
20
|
my @results; |
1147
|
|
|
|
|
|
|
|
1148
|
9
|
|
|
|
|
251
|
my $key_p = $zone->query_one( $zone->name, 'DNSKEY', { dnssec => 1 } ); |
1149
|
9
|
50
|
|
|
|
45
|
if ( not $key_p ) { |
1150
|
0
|
|
|
|
|
0
|
return; |
1151
|
|
|
|
|
|
|
} |
1152
|
9
|
|
|
|
|
43
|
my @dnskeys = $key_p->get_records( 'DNSKEY', 'answer' ); |
1153
|
|
|
|
|
|
|
|
1154
|
9
|
|
|
|
|
251
|
my $name = $zone->name->prepend( 'xx--example' ); |
1155
|
9
|
|
|
|
|
53
|
my $test_p = $zone->query_one( $name, 'A', { dnssec => 1 } ); |
1156
|
9
|
50
|
|
|
|
42
|
if ( not $test_p ) { |
1157
|
0
|
|
|
|
|
0
|
return; |
1158
|
|
|
|
|
|
|
} |
1159
|
|
|
|
|
|
|
|
1160
|
9
|
50
|
33
|
|
|
45
|
if ( $test_p->rcode ne 'NXDOMAIN' and $test_p->rcode ne 'NOERROR' ) { |
1161
|
0
|
|
|
|
|
0
|
push @results, |
1162
|
|
|
|
|
|
|
info( |
1163
|
|
|
|
|
|
|
INVALID_NAME_RCODE => { |
1164
|
|
|
|
|
|
|
name => $name, |
1165
|
|
|
|
|
|
|
rcode => $test_p->rcode, |
1166
|
|
|
|
|
|
|
} |
1167
|
|
|
|
|
|
|
); |
1168
|
0
|
|
|
|
|
0
|
return @results; |
1169
|
|
|
|
|
|
|
} |
1170
|
|
|
|
|
|
|
|
1171
|
9
|
|
|
|
|
172
|
my @nsec = $test_p->get_records( 'NSEC', 'authority' ); |
1172
|
9
|
100
|
|
|
|
37
|
if ( @nsec ) { |
1173
|
3
|
|
|
|
|
12
|
push @results, info( HAS_NSEC => {} ); |
1174
|
3
|
|
|
|
|
8
|
my $covered = 0; |
1175
|
3
|
|
|
|
|
10
|
foreach my $nsec ( @nsec ) { |
1176
|
|
|
|
|
|
|
|
1177
|
6
|
100
|
|
|
|
23
|
if ( $nsec->covers( $name ) ) { |
1178
|
3
|
|
|
|
|
6
|
$covered = 1; |
1179
|
|
|
|
|
|
|
|
1180
|
3
|
|
|
|
|
20
|
my @sigs = grep { $_->typecovered eq 'NSEC' } $test_p->get_records_for_name( 'RRSIG', $nsec->name ); |
|
3
|
|
|
|
|
31
|
|
1181
|
3
|
|
|
|
|
15
|
my $ok = 0; |
1182
|
3
|
|
|
|
|
8
|
foreach my $sig ( @sigs ) { |
1183
|
3
|
|
|
|
|
7
|
my $msg = q{}; |
1184
|
3
|
50
|
|
|
|
14
|
if (@dnskeys == 0) { |
|
|
50
|
|
|
|
|
|
1185
|
0
|
|
|
|
|
0
|
push @results, info( NSEC_SIG_VERIFY_ERROR => { error => 'DNSKEY missing', sig => $sig->keytag } ); |
1186
|
|
|
|
|
|
|
} |
1187
|
|
|
|
|
|
|
elsif ( |
1188
|
|
|
|
|
|
|
$sig->verify_time( |
1189
|
6
|
|
|
|
|
18
|
[ grep { name( $_->name ) eq name( $sig->name ) } @nsec ], |
1190
|
|
|
|
|
|
|
\@dnskeys, $test_p->timestamp, $msg |
1191
|
|
|
|
|
|
|
) |
1192
|
|
|
|
|
|
|
) |
1193
|
|
|
|
|
|
|
{ |
1194
|
3
|
|
|
|
|
413
|
$ok = 1; |
1195
|
|
|
|
|
|
|
} |
1196
|
|
|
|
|
|
|
else { |
1197
|
0
|
0
|
0
|
|
|
0
|
if ($sig->algorithm == 12 and $msg =~ /Unknown cryptographic algorithm/) { |
1198
|
0
|
|
|
|
|
0
|
$msg = 'no GOST support'; |
1199
|
|
|
|
|
|
|
} |
1200
|
0
|
|
|
|
|
0
|
push @results, |
1201
|
|
|
|
|
|
|
info( |
1202
|
|
|
|
|
|
|
NSEC_SIG_VERIFY_ERROR => { |
1203
|
|
|
|
|
|
|
error => $msg, |
1204
|
|
|
|
|
|
|
sig => $sig->keytag, |
1205
|
|
|
|
|
|
|
} |
1206
|
|
|
|
|
|
|
); |
1207
|
|
|
|
|
|
|
} |
1208
|
|
|
|
|
|
|
|
1209
|
3
|
50
|
|
|
|
16
|
if ( $ok ) { |
1210
|
3
|
|
|
|
|
15
|
push @results, |
1211
|
|
|
|
|
|
|
info( NSEC_SIGNED => {} ); |
1212
|
|
|
|
|
|
|
} |
1213
|
|
|
|
|
|
|
else { |
1214
|
0
|
|
|
|
|
0
|
push @results, |
1215
|
|
|
|
|
|
|
info( NSEC_NOT_SIGNED => {} ); |
1216
|
|
|
|
|
|
|
} |
1217
|
|
|
|
|
|
|
} ## end foreach my $sig ( @sigs ) |
1218
|
|
|
|
|
|
|
} ## end if ( $nsec->covers( $name...)) |
1219
|
|
|
|
|
|
|
} ## end foreach my $nsec ( @nsec ) |
1220
|
3
|
50
|
|
|
|
16
|
if ( $covered ) { |
1221
|
3
|
|
|
|
|
22
|
push @results, |
1222
|
|
|
|
|
|
|
info( |
1223
|
|
|
|
|
|
|
NSEC_COVERS => { |
1224
|
|
|
|
|
|
|
name => $name, |
1225
|
|
|
|
|
|
|
} |
1226
|
|
|
|
|
|
|
); |
1227
|
|
|
|
|
|
|
} |
1228
|
|
|
|
|
|
|
else { |
1229
|
0
|
|
|
|
|
0
|
push @results, |
1230
|
|
|
|
|
|
|
info( |
1231
|
|
|
|
|
|
|
NSEC_COVERS_NOT => { |
1232
|
|
|
|
|
|
|
name => $name, |
1233
|
|
|
|
|
|
|
} |
1234
|
|
|
|
|
|
|
); |
1235
|
|
|
|
|
|
|
} |
1236
|
|
|
|
|
|
|
} ## end if ( @nsec ) |
1237
|
|
|
|
|
|
|
|
1238
|
9
|
|
|
|
|
37
|
my @nsec3 = $test_p->get_records( 'NSEC3', 'authority' ); |
1239
|
9
|
100
|
|
|
|
35
|
if ( @nsec3 ) { |
1240
|
6
|
|
|
|
|
16
|
my $covered = 0; |
1241
|
6
|
|
|
|
|
14
|
my $opt_out = 0; |
1242
|
6
|
|
|
|
|
30
|
push @results, info( HAS_NSEC3 => {} ); |
1243
|
6
|
|
|
|
|
23
|
foreach my $nsec3 ( @nsec3 ) { |
1244
|
17
|
100
|
|
|
|
83
|
if ( $nsec3->optout ) { |
1245
|
14
|
|
|
|
|
25
|
$opt_out = 1; |
1246
|
|
|
|
|
|
|
} |
1247
|
17
|
100
|
|
|
|
62
|
if ( $nsec3->covers( $name ) ) { |
1248
|
6
|
|
|
|
|
15
|
$covered = 1; |
1249
|
|
|
|
|
|
|
|
1250
|
6
|
|
|
|
|
36
|
my @sigs = grep { $_->typecovered eq 'NSEC3' } $test_p->get_records_for_name( 'RRSIG', $nsec3->name ); |
|
6
|
|
|
|
|
68
|
|
1251
|
6
|
|
|
|
|
45
|
my $ok = 0; |
1252
|
6
|
|
|
|
|
17
|
foreach my $sig ( @sigs ) { |
1253
|
6
|
|
|
|
|
14
|
my $msg = q{}; |
1254
|
6
|
100
|
|
|
|
17
|
if ( |
1255
|
|
|
|
|
|
|
$sig->verify_time( |
1256
|
17
|
|
|
|
|
49
|
[ grep { name( $_->name ) eq name( $sig->name ) } @nsec3 ], |
1257
|
|
|
|
|
|
|
\@dnskeys, $test_p->timestamp, $msg |
1258
|
|
|
|
|
|
|
) |
1259
|
|
|
|
|
|
|
) |
1260
|
|
|
|
|
|
|
{ |
1261
|
5
|
|
|
|
|
907
|
$ok = 1; |
1262
|
|
|
|
|
|
|
} |
1263
|
|
|
|
|
|
|
else { |
1264
|
1
|
50
|
33
|
|
|
205
|
if ($sig->algorithm == 12 and $msg =~ /Unknown cryptographic algorithm/) { |
1265
|
0
|
|
|
|
|
0
|
$msg = 'no GOST support'; |
1266
|
|
|
|
|
|
|
} |
1267
|
1
|
|
|
|
|
9
|
push @results, |
1268
|
|
|
|
|
|
|
info( |
1269
|
|
|
|
|
|
|
NSEC3_SIG_VERIFY_ERROR => { |
1270
|
|
|
|
|
|
|
sig => $sig->keytag, |
1271
|
|
|
|
|
|
|
error => $msg, |
1272
|
|
|
|
|
|
|
} |
1273
|
|
|
|
|
|
|
); |
1274
|
|
|
|
|
|
|
} |
1275
|
6
|
100
|
|
|
|
24
|
if ( $ok ) { |
1276
|
5
|
|
|
|
|
23
|
push @results, |
1277
|
|
|
|
|
|
|
info( NSEC3_SIGNED => {} ); |
1278
|
|
|
|
|
|
|
} |
1279
|
|
|
|
|
|
|
else { |
1280
|
1
|
|
|
|
|
5
|
push @results, |
1281
|
|
|
|
|
|
|
info( NSE3C_NOT_SIGNED => {} ); |
1282
|
|
|
|
|
|
|
} |
1283
|
|
|
|
|
|
|
} ## end foreach my $sig ( @sigs ) |
1284
|
|
|
|
|
|
|
} ## end if ( $nsec3->covers( $name...)) |
1285
|
|
|
|
|
|
|
} ## end foreach my $nsec3 ( @nsec3 ) |
1286
|
6
|
50
|
|
|
|
26
|
if ( $covered ) { |
1287
|
6
|
|
|
|
|
31
|
push @results, |
1288
|
|
|
|
|
|
|
info( |
1289
|
|
|
|
|
|
|
NSEC3_COVERS => { |
1290
|
|
|
|
|
|
|
name => $name, |
1291
|
|
|
|
|
|
|
} |
1292
|
|
|
|
|
|
|
); |
1293
|
|
|
|
|
|
|
} |
1294
|
|
|
|
|
|
|
else { |
1295
|
0
|
|
|
|
|
0
|
push @results, |
1296
|
|
|
|
|
|
|
info( |
1297
|
|
|
|
|
|
|
NSEC3_COVERS_NOT => { |
1298
|
|
|
|
|
|
|
name => $name, |
1299
|
|
|
|
|
|
|
} |
1300
|
|
|
|
|
|
|
); |
1301
|
|
|
|
|
|
|
} |
1302
|
6
|
100
|
|
|
|
26
|
if ( $opt_out ) { |
1303
|
5
|
|
|
|
|
20
|
push @results, info( HAS_NSEC3_OPTOUT => {} ); |
1304
|
|
|
|
|
|
|
} |
1305
|
|
|
|
|
|
|
} ## end if ( @nsec3 ) |
1306
|
|
|
|
|
|
|
|
1307
|
9
|
|
|
|
|
112
|
return @results; |
1308
|
|
|
|
|
|
|
} ## end sub dnssec10 |
1309
|
|
|
|
|
|
|
|
1310
|
|
|
|
|
|
|
### The error reporting in dnssec11 is deliberately simple, since the point of |
1311
|
|
|
|
|
|
|
### the test case is to give a pass/fail test for the delegation step from the |
1312
|
|
|
|
|
|
|
### parent as a whole. |
1313
|
|
|
|
|
|
|
sub dnssec11 { |
1314
|
9
|
|
|
9
|
1
|
32
|
my ( $class, $zone ) = @_; |
1315
|
9
|
|
|
|
|
22
|
my @results; |
1316
|
|
|
|
|
|
|
|
1317
|
9
|
|
|
|
|
254
|
my $ds_p = $zone->parent->query_auth( $zone->name->string, 'DS' ); |
1318
|
9
|
50
|
|
|
|
44
|
if ( not $ds_p ) { |
1319
|
0
|
|
|
|
|
0
|
return info( DELEGATION_NOT_SIGNED => { keytag => 'none', reason => 'no_ds_packet' } ); |
1320
|
|
|
|
|
|
|
} |
1321
|
|
|
|
|
|
|
|
1322
|
9
|
|
|
|
|
252
|
my $dnskey_p = $zone->query_auth( $zone->name->string, 'DNSKEY', { dnssec => 1 } ); |
1323
|
9
|
50
|
|
|
|
42
|
if ( not $dnskey_p ) { |
1324
|
0
|
|
|
|
|
0
|
return info( DELEGATION_NOT_SIGNED => { keytag => 'none', reason => 'no_dnskey_packet' } ); |
1325
|
|
|
|
|
|
|
} |
1326
|
|
|
|
|
|
|
|
1327
|
9
|
|
|
|
|
254
|
my %ds = map { $_->keytag => $_ } $ds_p->get_records_for_name( 'DS', $zone->name->string ); |
|
14
|
|
|
|
|
82
|
|
1328
|
9
|
|
|
|
|
257
|
my %dnskey = map { $_->keytag => $_ } $dnskey_p->get_records_for_name( 'DNSKEY', $zone->name->string ); |
|
13
|
|
|
|
|
90
|
|
1329
|
9
|
|
|
|
|
249
|
my %rrsig = map { $_->keytag => $_ } $dnskey_p->get_records_for_name( 'RRSIG', $zone->name->string ); |
|
11
|
|
|
|
|
54
|
|
1330
|
|
|
|
|
|
|
|
1331
|
9
|
|
|
|
|
25
|
my $pass = 0; |
1332
|
9
|
|
|
|
|
17
|
my @fail; |
1333
|
9
|
100
|
|
|
|
37
|
if ( scalar( keys %ds ) > 0 ) { |
1334
|
7
|
|
|
|
|
27
|
foreach my $tag ( keys %ds ) { |
1335
|
7
|
|
|
|
|
19
|
my $ds = $ds{$tag}; |
1336
|
7
|
|
|
|
|
17
|
my $key = $dnskey{$tag}; |
1337
|
7
|
|
|
|
|
14
|
my $sig = $rrsig{$tag}; |
1338
|
|
|
|
|
|
|
|
1339
|
7
|
100
|
|
|
|
30
|
if ( $key ) { |
1340
|
5
|
50
|
|
|
|
267
|
if ( $ds->verify( $key ) ) { |
1341
|
5
|
50
|
|
|
|
132
|
if ( $sig ) { |
1342
|
5
|
|
|
|
|
152
|
my $msg = ''; |
1343
|
5
|
|
|
|
|
43
|
my $ok = |
1344
|
|
|
|
|
|
|
$sig->verify_time( [ values %dnskey ], [ values %dnskey ], $dnskey_p->timestamp, $msg ); |
1345
|
5
|
50
|
|
|
|
1636
|
if ( $ok ) { |
1346
|
5
|
|
|
|
|
24
|
$pass = $tag; |
1347
|
|
|
|
|
|
|
} |
1348
|
|
|
|
|
|
|
else { |
1349
|
0
|
0
|
0
|
|
|
0
|
if ($sig->algorithm == 12 and $msg =~ /Unknown cryptographic algorithm/) { |
1350
|
0
|
|
|
|
|
0
|
$msg = 'no GOST support'; |
1351
|
|
|
|
|
|
|
} |
1352
|
0
|
|
|
|
|
0
|
push @fail, "signature: $msg" ; |
1353
|
|
|
|
|
|
|
} |
1354
|
|
|
|
|
|
|
} |
1355
|
|
|
|
|
|
|
else { |
1356
|
0
|
|
|
|
|
0
|
push @fail, 'no_signature'; |
1357
|
|
|
|
|
|
|
} |
1358
|
|
|
|
|
|
|
} |
1359
|
|
|
|
|
|
|
else { |
1360
|
0
|
|
|
|
|
0
|
push @fail, 'dnskey_no_match'; |
1361
|
|
|
|
|
|
|
} |
1362
|
|
|
|
|
|
|
} ## end if ( $key ) |
1363
|
|
|
|
|
|
|
else { |
1364
|
2
|
|
|
|
|
7
|
push @fail, 'no_dnskey'; |
1365
|
|
|
|
|
|
|
} |
1366
|
|
|
|
|
|
|
} ## end foreach my $tag ( keys %ds ) |
1367
|
|
|
|
|
|
|
} ## end if ( scalar( keys %ds ...)) |
1368
|
|
|
|
|
|
|
else { |
1369
|
2
|
|
|
|
|
7
|
push @fail, 'no_ds'; |
1370
|
|
|
|
|
|
|
} |
1371
|
|
|
|
|
|
|
|
1372
|
9
|
100
|
|
|
|
29
|
if ($pass) { |
1373
|
5
|
|
|
|
|
48
|
push @results, info( DELEGATION_SIGNED => { keytag => $pass } ) |
1374
|
|
|
|
|
|
|
} else { |
1375
|
4
|
|
|
|
|
33
|
push @results, info( DELEGATION_NOT_SIGNED => { keytag => 'info', reason => join(';', @fail) } ) |
1376
|
|
|
|
|
|
|
} |
1377
|
|
|
|
|
|
|
|
1378
|
9
|
|
|
|
|
96
|
return @results; |
1379
|
|
|
|
|
|
|
} ## end sub dnssec11 |
1380
|
|
|
|
|
|
|
|
1381
|
|
|
|
|
|
|
1; |
1382
|
|
|
|
|
|
|
|
1383
|
|
|
|
|
|
|
=head1 NAME |
1384
|
|
|
|
|
|
|
|
1385
|
|
|
|
|
|
|
Zonemaster::Engine::Test::DNSSEC - dnssec module showing the expected structure of Zonemaster test modules |
1386
|
|
|
|
|
|
|
|
1387
|
|
|
|
|
|
|
=head1 SYNOPSIS |
1388
|
|
|
|
|
|
|
|
1389
|
|
|
|
|
|
|
my @results = Zonemaster::Engine::Test::DNSSEC->all($zone); |
1390
|
|
|
|
|
|
|
|
1391
|
|
|
|
|
|
|
=head1 METHODS |
1392
|
|
|
|
|
|
|
|
1393
|
|
|
|
|
|
|
=over |
1394
|
|
|
|
|
|
|
|
1395
|
|
|
|
|
|
|
=item all($zone) |
1396
|
|
|
|
|
|
|
|
1397
|
|
|
|
|
|
|
Runs the default set of tests and returns a list of log entries made by the tests. |
1398
|
|
|
|
|
|
|
|
1399
|
|
|
|
|
|
|
=item metadata() |
1400
|
|
|
|
|
|
|
|
1401
|
|
|
|
|
|
|
Returns a reference to a hash, the keys of which are the names of all test methods in the module, and the corresponding values are references to |
1402
|
|
|
|
|
|
|
lists with all the tags that the method can use in log entries. |
1403
|
|
|
|
|
|
|
|
1404
|
|
|
|
|
|
|
=item translation() |
1405
|
|
|
|
|
|
|
|
1406
|
|
|
|
|
|
|
Returns a reference to a nested hash, where the outermost keys are language |
1407
|
|
|
|
|
|
|
codes, the keys below that are message tags and their values are translation |
1408
|
|
|
|
|
|
|
strings. |
1409
|
|
|
|
|
|
|
|
1410
|
|
|
|
|
|
|
=item policy() |
1411
|
|
|
|
|
|
|
|
1412
|
|
|
|
|
|
|
Returns a reference to a hash with the default policy for the module. The keys |
1413
|
|
|
|
|
|
|
are message tags, and the corresponding values are their default log levels. |
1414
|
|
|
|
|
|
|
|
1415
|
|
|
|
|
|
|
=item version() |
1416
|
|
|
|
|
|
|
|
1417
|
|
|
|
|
|
|
Returns a version string for the module. |
1418
|
|
|
|
|
|
|
|
1419
|
|
|
|
|
|
|
=back |
1420
|
|
|
|
|
|
|
|
1421
|
|
|
|
|
|
|
=head1 TESTS |
1422
|
|
|
|
|
|
|
|
1423
|
|
|
|
|
|
|
=over |
1424
|
|
|
|
|
|
|
|
1425
|
|
|
|
|
|
|
=item dnssec01($zone) |
1426
|
|
|
|
|
|
|
|
1427
|
|
|
|
|
|
|
Verifies that all DS records have digest types registered with IANA. |
1428
|
|
|
|
|
|
|
|
1429
|
|
|
|
|
|
|
=item dnssec02($zone) |
1430
|
|
|
|
|
|
|
|
1431
|
|
|
|
|
|
|
Verifies that all DS records have a matching DNSKEY. |
1432
|
|
|
|
|
|
|
|
1433
|
|
|
|
|
|
|
=item dnssec03($zone) |
1434
|
|
|
|
|
|
|
|
1435
|
|
|
|
|
|
|
Check iteration counts for NSEC3. |
1436
|
|
|
|
|
|
|
|
1437
|
|
|
|
|
|
|
=item dnssec04($zone) |
1438
|
|
|
|
|
|
|
|
1439
|
|
|
|
|
|
|
Checks the durations of the signatures for the DNSKEY and SOA RRsets. |
1440
|
|
|
|
|
|
|
|
1441
|
|
|
|
|
|
|
=item dnssec05($zone) |
1442
|
|
|
|
|
|
|
|
1443
|
|
|
|
|
|
|
Check DNSKEY algorithms. |
1444
|
|
|
|
|
|
|
|
1445
|
|
|
|
|
|
|
=item dnssec06($zone) |
1446
|
|
|
|
|
|
|
|
1447
|
|
|
|
|
|
|
Check for DNSSEC extra processing at child nameservers. |
1448
|
|
|
|
|
|
|
|
1449
|
|
|
|
|
|
|
=item dnssec07($zone) |
1450
|
|
|
|
|
|
|
|
1451
|
|
|
|
|
|
|
Check that both DS and DNSKEY are present. |
1452
|
|
|
|
|
|
|
|
1453
|
|
|
|
|
|
|
=item dnssec08($zone) |
1454
|
|
|
|
|
|
|
|
1455
|
|
|
|
|
|
|
Check that the DNSKEY RRset is signed. |
1456
|
|
|
|
|
|
|
|
1457
|
|
|
|
|
|
|
=item dnssec09($zone) |
1458
|
|
|
|
|
|
|
|
1459
|
|
|
|
|
|
|
Check that the SOA RRset is signed. |
1460
|
|
|
|
|
|
|
|
1461
|
|
|
|
|
|
|
=item dnssec10($zone) |
1462
|
|
|
|
|
|
|
|
1463
|
|
|
|
|
|
|
Check for the presence of either NSEC or NSEC3, with proper coverage and signatures. |
1464
|
|
|
|
|
|
|
|
1465
|
|
|
|
|
|
|
=item dnssec11($zone) |
1466
|
|
|
|
|
|
|
|
1467
|
|
|
|
|
|
|
Check that the delegation step from parent is properly signed. |
1468
|
|
|
|
|
|
|
|
1469
|
|
|
|
|
|
|
=back |
1470
|
|
|
|
|
|
|
|
1471
|
|
|
|
|
|
|
=cut |