pdnssec check-zone, check for missing NS at apex and records in unlikely places

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 52e6bb24a165f71489b7ecd18556615d5f75215d..ddfc784c2cdf9b286389382d6a9fb5938544fc51 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -340,6 +340,8 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
   DNSResourceRecord rr;
   uint64_t numrecords=0, numerrors=0, numwarnings=0;
 
+
+  bool hasNsAtApex = false;
   set<string> records, cnames, noncnames;
   map<string, unsigned int> ttl;
 
@@ -383,6 +385,24 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
       continue;
     }
 
+    if(pdns_iequals(rr.qname, zone)) {
+      if (rr.qtype.getCode() == QType::NS) {
+        hasNsAtApex=true;
+      } else if (rr.qtype.getCode() == QType::DS) {
+        cout<<"[Warning] DS at apex in zone '"<<zone<<"', should no be here."<<endl;
+        numwarnings++;
+      }
+    } else {
+      if (rr.qtype.getCode() == QType::SOA) {
+        cout<<"[Error] SOA record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"'"<<endl;
+        numerrors++;
+        continue;
+      } else if (rr.qtype.getCode() == QType::DNSKEY) {
+        cout<<"[Warning] DNSKEY record not at apex '"<<rr.qname<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone<<"', should not be here."<<endl;
+        numwarnings++;
+      }
+    }
+
     if (rr.qtype.getCode() == QType::CNAME) {
       if (!cnames.count(toLower(rr.qname)))
         cnames.insert(toLower(rr.qname));
@@ -482,6 +502,11 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
     }
   }
 
+  if(!hasNsAtApex) {
+    cout<<"[Error] No NS record at zone apex in zone '"<<zone<<"'"<<endl;
+    numerrors++;
+  }
+
   cout<<"Checked "<<numrecords<<" records of '"<<zone<<"', "<<numerrors<<" errors, "<<numwarnings<<" warnings."<<endl;
   return numerrors;
 }