diff --git a/validate-my-dns.py b/validate-my-dns.py index 723c2a5..906d6b3 100644 --- a/validate-my-dns.py +++ b/validate-my-dns.py @@ -1,5 +1,7 @@ #!/usr/bin/env python3 +REGISTRY_PATH = "../registry" + import hashlib import base64 import struct @@ -25,7 +27,6 @@ except ImportError: import dns.exception import binascii -REGISTRY_PATH = "../registry" # step1: @@ -42,6 +43,24 @@ def get_domain_by_mntner(mntner): # domains dict containing dns objects and inet(6)nums if they have nserver specified domains = {} + + + def _parse_nserver(line): + nserver = line[20:].split(" ") + # handle edge case where + if "\t" in nserver[0]: + nserver = nserver[0].split("\t") + # ignore registry-sync nservers + if "registry-sync.dn42" in nserver[0]: + return + + # nserver should be defined in an other dns file + if len(nserver) == 1: + return [nserver[0], None] + # nserver is defined in this file + elif len(nserver) == 2: + return nserver + # read dns files for domain in dns_files: with open(domain) as d: @@ -51,24 +70,13 @@ def get_domain_by_mntner(mntner): for line in d.readlines(): line = line.replace("\n", "") if line.startswith("nserver"): - nserver = line[20:].split(" ") - # handle edge case where - if "\t" in nserver[0]: - nserver = nserver[0].split("\t") - # ignore registry-sync nservers - if "registry-sync.dn42" in nserver[0]: - break - # nserver should be defined in an other dns file - if len(nserver) == 1: - domains[domain_name]["nserver"][nserver[0]] = None - # nserver is defined in this file - elif len(nserver) == 2: - if nserver[0] not in domains[domain_name]["nserver"]: - domains[domain_name]["nserver"][nserver[0]] = [ - nserver[1]] - else: - domains[domain_name]["nserver"][nserver[0]].append( - nserver[1]) + _tmp = _parse_nserver(line) + if _tmp == "break": break + if _tmp[0] in domains[domain_name]["nserver"]: + domains[domain_name]["nserver"][_tmp[0]].append(_tmp[1]) + else: + domains[domain_name]["nserver"][_tmp[0] + ] = [_tmp[1]] elif line.startswith("ds-rdata:"): domains[domain_name]["ds-rdata"].append(line[20:].lower()) @@ -95,22 +103,12 @@ def get_domain_by_mntner(mntner): # TODO: implement creation of multiple zones for every /24 within print(f"WARN: currently only ipv4 subnets with length >=24 or 16 or 8 are possible to be checked: relavent inetnum {line}") elif line.startswith("nserver"): - nserver = line[20:].split(" ") - # handle edge case where - if "\t" in nserver[0]: - nserver = nserver[0].split("\t") - # ignore registry-sync nservers - if "registry-sync.dn42" in nserver[0]: - break - # nserver should be defined in an other dns file - if len(nserver) == 1: - _nserver[nserver[0]] = None - # nserver is defined in this file - elif len(nserver) == 2: - if nserver[0] not in _nserver: - _nserver[nserver[0]] = [nserver[1]] - else: - _nserver[nserver[0]].append(nserver[1]) + _tmp = _parse_nserver(line) + if _tmp == "break": break + if _tmp[0] in _nserver: + _nserver[_tmp[0]].append(_tmp[1]) + else: + _nserver[_tmp[0]] = _tmp[1] elif line.startswith("ds-rdata:"): _ds_rdata.append(line[20:].lower()) @@ -138,24 +136,12 @@ def get_domain_by_mntner(mntner): break _domain_name = _digit1 + "." + _domain_name elif line.startswith("nserver"): - nserver = line[20:].split(" ") - - # handle edge case where - if "\t" in nserver[0]: - nserver = nserver[0].split("\t") - # ignore registry-sync nservers - if "registry-sync.dn42" in nserver[0]: - break - - # nserver should be defined in an other dns file - if len(nserver) == 1: - _nserver[nserver[0]] = None - # nserver is defined in this file - elif len(nserver) == 2: - if nserver[0] not in _nserver: - _nserver[nserver[0]] = [nserver[1]] - else: - _nserver[nserver[0]].append(nserver[1]) + _tmp = _parse_nserver(line) + if _tmp == "break": break + if _tmp[0] in _nserver: + _nserver[_tmp[0]].append(_tmp[1]) + else: + _nserver[_tmp[0]] = _tmp[1] elif line.startswith("ds-rdata:"): _ds_rdata.append(line[20:].lower()) @@ -191,19 +177,19 @@ def get_dnskey(domain_name, nserver): try: request = dns.message.make_query( domain_name, dns.rdatatype.DNSKEY, want_dnssec=False) - response = dns.query.udp(request, nserver, timeout=2) + response = dns.query.udp_with_fallback(request, nserver, timeout=2) except dns.exception.Timeout: print(f"WARN: querying {nserver} for {domain_name} timed out") return False except dns.query.UnexpectedSource as e: print(f"ERROR: server replied with different different ip than requested: error: {e}") return False - if response.rcode() != 0: + if response[0].rcode() != 0: # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD) print( - f"WARN: query for a DNSKEY on {domain_name} failed on {nserver}, returncode: {response.rcode()}") + f"WARN: query for a DNSKEY on {domain_name} failed on {nserver}, returncode: {response[0].rcode()}") return False - return [dnskey.to_text().split("IN DNSKEY ")[1] for dnskey in response.answer] + return [dnskey.to_text().split("IN DNSKEY ")[1] for dnskey in response[0].answer] # if not nserver: # # drill: use DNSSEC, fallback to tcp, for $domain # drill_cmd = subprocess.Popen( @@ -335,7 +321,7 @@ def check_dnssec(domain_name, domain_data): domain_name, dns.rdatatype.SOA, want_dnssec=False) try: # send the query - dns.query.udp(request, nsaddr, timeout=2) + dns.query.udp_with_fallback(request, nsaddr, timeout=2) # if it timed out: tell the user except dns.exception.Timeout: print( @@ -349,15 +335,15 @@ def check_dnssec(domain_name, domain_data): # get DNSKEY for zone request = dns.message.make_query( domain_name, dns.rdatatype.DNSKEY, want_dnssec=True) - response = dns.query.udp(request, nsaddr, timeout=2) + response = dns.query.udp_with_fallback(request, nsaddr, timeout=2) - if response.rcode() != 0: + if response[0].rcode() != 0: # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD) print( - f"WARN: query for a DNSKEY on {domain_name} failed on {nserver} ({nsaddr}), returncode: {response.rcode()}") + f"WARN: query for a DNSKEY on {domain_name} failed on {nserver} ({nsaddr}), returncode: {response[0].rcode()}") continue # answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY) - answer = response.answer + answer = response[0].answer if len(answer) != 2: # SOMETHING WENT WRONG print(