From: Pieter Lexis
Date: Thu, 28 May 2015 20:20:15 +0000 (+0200)
Subject: pdnssec: Check if records exist for TLSA hosts
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~47^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2e5f62255c3297736b17ae9c15c6570bad55c033;p=pdns

pdnssec: Check if records exist for TLSA hosts

When a record _443._tcp.www.example.com.|TLSA exists and no record for www.example.com., we emit a warning. Similarly, when *.example.com. _does_ exist, we emit a warning, as www.example.com. becomes an empty non-terminal at that point.
---
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 030296284..758ef2d28 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -439,7 +439,7 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone)
 bool hasNsAtApex = false;
- set cnames, noncnames, glue, checkglue;
+ set tlsas, cnames, noncnames, glue, checkglue;
 set records;
 map ttl;
@@ -454,6 +454,8 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone)
 numrecords++;
+ if(rr.qtype.getCode() == QType::TLSA)
+ tlsas.insert(rr.qname);
 if(rr.qtype.getCode() == QType::SOA) {
 vectorparts;
 stringtok(parts, rr.content);
@@ -618,6 +620,26 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone)
 }
 }
+ for(const auto &i: tlsas) {
+ DNSName name = DNSName(i);
+ name.trimToLabels(name.getRawLabels().size()-2);
+ if (cnames.find(name) == cnames.end() && noncnames.find(name) == noncnames.end()) {
+ // No specific record for the name in the TLSA record exists, this
+ // is already worth emitting a warning. Let's see if a wildcard exist.
+ cout<<"[Warning] ";
+ DNSName wcname(name);
+ wcname.chopOff();
+ wcname.prependRawLabel("*");
+ if (cnames.find(wcname) != cnames.end() || noncnames.find(wcname) != noncnames.end()) {
+ cout<<"A wildcard record exist for '"<
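Review bot: The new `tlsas.insert(rr.qname)` after `numrecords++` records every TLSA owner name without checking that it carries the two leading `_port._proto` labels the consumer assumes; the loop visible later in this patch strips them with `name.trimToLabels(name.getRawLabels().size()-2)`, so a TLSA with fewer than two labels makes that unsigned subtraction wrap, and one at the apex of a two-label zone is trimmed to zero labels (presumably the root) before the wildcard lookup and `chopOff()`. Validating at collection time keeps the later loop free of that special case: `if(rr.qtype.getCode() == QType::TLSA && rr.qname.getRawLabels().size() > 2) tlsas.insert(rr.qname);` — assuming rr.qname is a DNSName here, as the later `DNSName(i)` suggests; if malformed TLSA names should still be reported, emit a warning for them at this point rather than inserting them. A stricter check that the first label starts with `_` would also be reasonable, but the hunk does not show what the loader accepts. checkZone starts before this hunk and continues past it.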