[dns-operations] Checking for signatures of a certain DNSKEY within a zone
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Jul 7 20:59:41 UTC 2021
Hi Tony!
Am 06.07.2021 um 18:00 schrieb Tony Finch:
> Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>>
>> dig ... axfr | grep RRSIG | grep $KEYID
>>
>> This worked fine for long time but when having keys with the same keyid this
>> obviously does not work anymore.
>
> If it is one of your zones then your key management software should ensure
> that all the key IDs are different, i.e. if there is an ID collision when
> generating a key, throw it away and regenerate it. This is important for
> verification performance (and, I would guess, less risk of encountering
> bugs).
Indeed, I was thinking too complex. I just implemented it as you
suggested and it works. Problem solved. Thanks.
regards
Klaus
PS: Also thanks for the Perl code - I archived it. I am afraid I will
need it some day ;-)
>> So I want to change my code to additionally check if the signature can
>> be verified with the respective public key. Are there any tools (bash,
>> php ...) which accepts single RRSIG RR and single DNSKEY RR and does
>> the validation?
>
> Each signature covers the entire RRset, so you need all the DNSKEY
> records.
>
> Dunno if there's an easier tool, but it's not too bad with Net::DNS.
> I tried this out with ac.uk which is signed with both zsk and ksk, and
> cam.ac.uk which is signed with just ksk.
>
> #!/usr/bin/perl
>
> use 5.10.0;
>
> use warnings;
> use strict;
>
> use Net::DNS;
> use Net::DNS::SEC;
> use Net::DNS::SEC::Keyset;
>
> my (@key, @sig);
>
> # Ask a DNSSEC-aware resolver for the DNSKEY RRset of the zone named
> # on the command line; the reply carries the RRSIG(DNSKEY) records too.
> my $resolver = Net::DNS::Resolver->new();
> $resolver->dnssec(1);
>
> my $reply = $resolver->send(@ARGV, 'DNSKEY')
>     or die $resolver->errorstring;
>
> for my $rr ($reply->answer) {
>     push @sig, $rr if $rr->type eq 'RRSIG';
>     push @key, $rr if $rr->type eq 'DNSKEY';
> }
>
> for my $rr (@key, @sig) {
>     $rr->print;
> }
>
> die "no DNSKEY RRset found" unless @key;
> die "no RRSIG(DNSKEY) found" unless @sig;
>
> # A Keyset holds the whole DNSKEY RRset plus its signatures, because
> # every RRSIG is computed over the complete RRset, not a single key.
> my $keyset = Net::DNS::SEC::Keyset->new(\@key, \@sig)
>     or die Net::DNS::SEC::Keyset->keyset_err;
>
> # Check, key by key, whether some RRSIG verifies under that key.
> for my $key (@key) {
>     my $id  = $key->keytag;
>     my $ok  = $keyset->verify($id);
>     my $err = Net::DNS::SEC::Keyset->keyset_err;
>     printf "key %d %s verify %s %s\n",
>         $id, $key->sep ? "ksk" : "zsk",
>         $ok ? "ok" : "fail", $err;
> }
>
> Tony.
>
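The two points of the thread (a `grep $KEYID` over RRSIGs cannot tell two DNSKEYs with the same key tag apart, and the cure is to refuse a freshly generated key whose tag is already in use) can be exercised offline with the key-tag arithmetic itself. The following Python is an added example, not code from the thread and not part of Net::DNS; it implements the key-tag computation of RFC 4034 Appendix B over wire-format DNSKEY RDATA, parses `dig`-style presentation records, and reports tag collisions. The `example.` DNSKEY and RRSIG records are constructed for this demonstration: their public-key and signature fields are short placeholders, not valid P-256 keys or signatures, and the first two DNSKEYs are deliberately built to share a key tag.

```python
"""Key-tag bookkeeping for DNSKEY records (RFC 4034 Appendix B).

Added example, not code from the thread or from Net::DNS.  Uses only the
Python standard library.
"""
import base64
import struct
from collections import defaultdict


def keytag(rdata: bytes) -> int:
    """Key tag of a DNSKEY from its wire-format RDATA.

    RDATA = flags(2) | protocol(1) | algorithm(1) | public key.
    Algorithm 1 (RSA/MD5) uses an obsolete special rule and is rejected.
    """
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are not supported here")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> bytes:
    """Turn one presentation-format DNSKEY RR (as dig prints it) into wire RDATA.

    The base64 public key may be split across several whitespace tokens.
    """
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def tag_collisions(dnskey_lines):
    """Return {tag: [DNSKEY lines]} for every tag shared by more than one key."""
    by_tag = defaultdict(list)
    for line in dnskey_lines:
        by_tag[keytag(parse_dnskey(line))].append(line)
    return {tag: lines for tag, lines in by_tag.items() if len(lines) > 1}


def rrsigs_for_tag(rrsig_lines, tag):
    """RRSIGs whose key-tag field equals `tag`.

    This is what `grep $KEYID` approximates; with colliding keys it cannot
    say which DNSKEY actually produced the signature.
    """
    out = []
    for line in rrsig_lines:
        f = line.split()
        i = f.index("RRSIG")
        # RRSIG fields: type-covered alg labels orig-ttl expiry inception keytag signer sig
        if int(f[i + 7]) == tag:
            out.append(line)
    return out


def admit_new_key(candidate_rdata: bytes, existing_rdatas) -> bool:
    """Tony's rule: accept a generated key only if its tag is not in use."""
    used = {keytag(r) for r in existing_rdatas}
    return keytag(candidate_rdata) not in used


# Constructed sample records (not a real zone).  The key bytes are
# placeholders, far too short for real P-256 keys; only the tag arithmetic
# is exercised.  The first two DNSKEYs deliberately share tag 41387.
SAMPLE_DNSKEYS = [
    "example. 3600 IN DNSKEY 257 3 13 3q2+7w==",   # KSK-style flags, tag 41387
    "example. 3600 IN DNSKEY 257 3 13 36297w==",   # different key, same tag
    "example. 3600 IN DNSKEY 256 3 13 AAECAw==",   # ZSK-style flags, tag 1553
]
SAMPLE_RRSIGS = [
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 20210801000000 20210701000000 41387 example. c2lnLTE=",
    "example. 3600 IN RRSIG SOA 13 1 3600 20210801000000 20210701000000 1553 example. c2lnLTI=",
]

if __name__ == "__main__":
    for tag, lines in tag_collisions(SAMPLE_DNSKEYS).items():
        print(f"key tag {tag} is shared by {len(lines)} DNSKEY records:")
        for line in lines:
            print("   ", line)
        hits = rrsigs_for_tag(SAMPLE_RRSIGS, tag)
        print(f"  {len(hits)} RRSIG(s) name tag {tag}; a grep cannot tell which key signed")
    existing = [parse_dnskey(SAMPLE_DNSKEYS[0])]
    for line in SAMPLE_DNSKEYS[1:]:
        verdict = "accept" if admit_new_key(parse_dnskey(line), existing) else "regenerate"
        print(f"candidate {line.split()[-1]}: {verdict}")
```

Run it as-is to see the collision report; in a key-generation script the `admit_new_key` check goes in a loop that discards and regenerates the candidate until it returns true. Only the cryptographic check (as in the Net::DNS script above) can attribute an RRSIG to a specific key once tags collide, which is why avoiding collisions at generation time is the simpler fix.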