[dns-operations] Zone signature validation tools

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Feb 10 06:41:51 UTC 2021


On Tue, Feb 09, 2021 at 06:53:33PM +0000, Wessels, Duane via dns-operations wrote:

> > Are there any existing tools which would take a whole zonefile and check
> > the expirations?  In a similar way to (for example) dnssec-verify from
> > Bind.
> 
> YAZVS: Yet Another Zone Validation Script
> 
> https://github.com/verisign/yazvs
> 
> It is designed to also show changes between a new and current zone,
> but you can skip that part with the -x option.

This looks very useful.  Thanks!  I just need to separately enforce the
presence of a couple of expected RRsets, but this is certainly a more
comprehensive validator than the quick-n-dirty script I cobbled together
for my own zones a few years back...

I just had to install a few new-for-me Perl dependencies from CPAN, but
otherwise no issues.  I just queried the parent zone for my DS RR and
used that as trust anchor, and the script does the rest:

-- Check of "good" zone:

    $ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org |
        perl yazvs.pl -e 3.14 -a /tmp/dukhovni.org.ds -x /dev/stdin; echo $?
    zone dukhovni.org/IN: loaded serial 2358 (DNSSEC signed)
    OK
    Crypto Validation of dukhovni.org 2358
    ----------------------------------------------------------------------
    OK: Parsed 47 RRs from /dev/stdin
    OK: DS=34314 verifies DNSKEY=34314/SEP
    OK: 1 trusted KSKs found
    OK: Apex DNSKEY RRset validated
    OK: 0 expiring RRSIGs found
    OK: 0 bad RRSIGs found
    OK: 19 good RRSIGs found

    Validation for dukhovni.org 2358 PASSED, 0 problems
    0

-- Check of "corrupted" zone (modified MX RData after signing):

    $ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org |
        perl -pe 's{IN\s+MX\s+(\d+)}{IN MX 9}' |
        perl yazvs.pl -e 3.14 -a /tmp/dukhovni.org.ds -x /dev/stdin; echo $?
    zone dukhovni.org/IN: loaded serial 2358 (DNSSEC signed)
    OK
    Crypto Validation of dukhovni.org 2358
    ----------------------------------------------------------------------
    OK: Parsed 47 RRs from /dev/stdin
    OK: DS=34314 verifies DNSKEY=34314/SEP
    OK: 1 trusted KSKs found
    OK: Apex DNSKEY RRset validated
    OK: 0 expiring RRSIGs found
    PROBLEM: 1 bad RRSIGs found
    OK: 18 good RRSIGs found

    Validation for dukhovni.org 2358 FAILED, 1 problems
    1

-- Check of "expiring" zone (I have one expiring in 5.1 days):

    $ named-compilezone -i local -jD -f raw -o - dukhovni.org dukhovni.org |
        perl yazvs.pl -d -e 5.2 -a /tmp/dukhovni.org.ds -x /dev/stdin; echo $?
    zone dukhovni.org/IN: loaded serial 2358 (DNSSEC signed)
    OK
    DEBUG: Read 1 trust anchors from /tmp/dukhovni.org.ds
    Crypto Validation of dukhovni.org 2358
    ----------------------------------------------------------------------
    OK: Parsed 47 RRs from /dev/stdin
    ...
    OK: Apex DNSKEY RRset validated
    ...
    DEBUG: Time to first RRSIG expiry: 5.1 days
    OK: 0 bad RRSIGs found
    OK: 18 good RRSIGs found

    Validation for dukhovni.org 2358 FAILED, 1 problems
    1

-- 
    Viktor.
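As an added example (not code from the original post and not part of yazvs), this is the RRSIG-expiry sweep that the `-e` threshold performs, run over a constructed two-record zone in presentation format; it does no signature verification, only the expiry check, and pins "now" to a fixed clock so the result is reproducible:

```python
"""Expiry sweep over a DNSSEC-signed zone in presentation format.

Mirrors only the "expiring RRSIGs" part of the check (yazvs -e <days>);
crypto validation against the trust anchor is out of scope here.
RRSIG presentation format (RFC 4034, section 3.2), one record per line:
  owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
with expiration/inception as YYYYMMDDHHmmSS in UTC.
"""
from datetime import datetime, timezone

# Constructed sample zone (assumption, not real data): the MX signature
# expires 5 days after the pinned clock, the SOA signature 19 days after.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2358 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20210301000000 20210201000000 34314 example.test. AbCd==
example.test. 3600 IN MX 10 mail.example.test.
example.test. 3600 IN RRSIG MX 13 2 3600 20210215000000 20210201000000 34314 example.test. EfGh==
"""
NOW = datetime(2021, 2, 10, 0, 0, 0, tzinfo=timezone.utc)  # pinned clock


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration) for every RRSIG line.
    Assumes records are already flattened to one line each (no parentheses)."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        # fields: 0 owner, 1 TTL, 2 class, 3 RRSIG, 4 type covered, 5 alg,
        #         6 labels, 7 original TTL, 8 expiration, 9 inception, ...
        expiry = datetime.strptime(fields[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        yield fields[0], fields[4], expiry


def check_expiry(zone_text, threshold_days, now=NOW):
    """Return (days until the first RRSIG expiry, list of (owner, type) whose
    signature expires within threshold_days). Already-expired signatures
    have a negative days_left and are therefore always reported."""
    expiring = []
    first_days = None
    for owner, rtype, expiry in parse_rrsigs(zone_text):
        days_left = (expiry - now).total_seconds() / 86400
        if first_days is None or days_left < first_days:
            first_days = days_left
        if days_left < threshold_days:
            expiring.append((owner, rtype))
    return first_days, expiring


if __name__ == "__main__":
    for threshold in (3.14, 5.2):  # the two thresholds used in the post
        first, bad = check_expiry(SAMPLE_ZONE, threshold)
        status = "PROBLEM" if bad else "OK"
        print(f"-e {threshold}: first expiry in {first:.1f} days, "
              f"{status}: {len(bad)} expiring RRSIGs found")
```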
