From 89c8b2ce6a7f29dd6e309e262a41c282b96d3eb9 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Wed, 6 Jul 2016 15:52:33 +0200
Subject: [PATCH] check-zone: warn on mismatch between algo and NSEC

Closes #3267
---
 pdns/dbdnsseckeeper.cc | 2 +-
 pdns/pdnsutil.cc | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 644c78251..c7217c7f9 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -448,7 +448,7 @@ DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, bool useCache)
 dpk.d_flags = kd.flags;
 dpk.d_algorithm = dkrc.d_algorithm;
- if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone)) // XXX Needs to go, see #3267
+ if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))
 dpk.d_algorithm+=2;
 KeyMetaData kmd;
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 85c7d6fbf..a56feb906 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -408,9 +408,24 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, const vect
 DNSResourceRecord rr;
 uint64_t numrecords=0, numerrors=0, numwarnings=0;
- if (haveNSEC3 && isSecure && zone.wirelength() > 222) {
- numerrors++;
- cout<<"[Error] zone '" << zone << "' has NSEC3 semantics but is too long to have the hash prepended. Zone name is " << zone.wirelength() << " bytes long, whereas the maximum is 222 bytes." << endl;
+ if (haveNSEC3) {
+ if(isSecure && zone.wirelength() > 222) {
+ numerrors++;
+ cout<<"[Error] zone '" << zone << "' has NSEC3 semantics but is too long to have the hash prepended. Zone name is " << zone.wirelength() << " bytes long, whereas the maximum is 222 bytes." << endl;
+ }
+ vector dbkeyset;
+ B.getDomainKeys(zone, 0, dbkeyset);
+ for(DNSBackend::KeyData& kd : dbkeyset) {
+ DNSKEYRecordContent dkrc;
+ shared_ptr(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content));
+ if(dkrc.d_algorithm == 5) {
+ cout<<"[Warning] zone '"<
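Review bot: Dropping the `// XXX Needs to go, see #3267` marker on the `if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))` line in dbdnsseckeeper.cc leaves the silent algorithm rewrite with no explanation at all, even though the behaviour is deliberately kept rather than removed. The line still turns a stored algorithm 5 (RSASHA1) into 7 (RSASHA1-NSEC3-SHA1) whenever the zone has NSEC3PARAM, so the key's on-disk algorithm and the algorithm getKeys reports differ for such zones, which is exactly the mismatch the new check-zone warning in pdnsutil.cc is meant to surface; if dpk feeds the published DNSKEY set (not visible here), that divergence is what a signer operator will see. A short why-comment would keep the next maintainer from treating it as an accident, e.g. `// RSASHA1 (5) keys in an NSEC3 zone are reported as RSASHA1-NSEC3-SHA1 (7); 'pdnsutil check-zone' warns about this mismatch (#3267)`. getKeys starts and ends outside the hunk.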