kzonecheck: option to skip DNSSEC checks

doc/man/kzonecheck.1in

@@ -48,6 +48,9 @@ Please, refer to the \fBsemantic\-checks\fP configuration option in
 Zone origin. If not specified, the origin is determined from the file name
 (possibly removing the \fB\&.zone\fP suffix).
 .TP
+\fB\-d\fP, \fB\-\-dnssec\fP \fBon\fP|\fBoff\fP
+Also check DNSSEC\-related records if present in the zone file.
+.TP
 \fB\-t\fP, \fB\-\-time\fP \fItime\fP
 Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
 format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP,

doc/man_kzonecheck.rst

@@ -25,6 +25,9 @@ Options
   Zone origin. If not specified, the origin is determined from the file name
   (possibly removing the ``.zone`` suffix).
 
+**-d**, **--dnssec** **on**\|\ **off**
+  Also check DNSSEC-related records if present in the zone file.
+
 **-t**, **--time** *time*
   Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
   format, or [+/-]\ *time*\ [unit] format, where unit can be **Y**, **M**,

src/utils/kzonecheck/main.c

-/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -19,6 +19,7 @@
 #include <stdio.h>
 
 #include "contrib/time.h"
+#include "contrib/tolower.h"
 #include "libknot/libknot.h"
 #include "knot/common/log.h"
 #include "utils/common/params.h"
@@ -33,6 +34,7 @@ static void print_help(void)
 	       "Parameters:\n"
 	       " -o, --origin <zone_origin>  Zone name.\n"
 	       "                              (default filename without .zone)\n"
+	       " -d, --dnssec <on|off>       Also check DNSSEC-related records.\n"
 	       " -t, --time <timestamp>      Current time specification.\n"
 	       "                              (default current UNIX time)\n"
 	       " -v, --verbose               Enable debug output.\n"
@@ -42,16 +44,32 @@ static void print_help(void)
 	       PROGRAM_NAME);
 }
 
+static bool str2bool(const char *s)
+{
+	switch (knot_tolower(s[0])) {
+	case '1':
+	case 'y':
+	case 't':
+		return true;
+	case 'o':
+		return knot_tolower(s[1]) == 'n';
+	default:
+		return false;
+	}
+}
+
 int main(int argc, char *argv[])
 {
 	const char *origin = NULL;
 	bool verbose = false;
+	bool dnssec = true; // default value for --dnssec
 	knot_time_t check_time = (knot_time_t)time(NULL);
 
 	/* Long options. */
 	struct option opts[] = {
 		{ "origin",  required_argument, NULL, 'o' },
 		{ "time",    required_argument, NULL, 't' },
+		{ "dnssec",  required_argument, NULL, 'd' },
 		{ "verbose", no_argument,       NULL, 'v' },
 		{ "help",    no_argument,       NULL, 'h' },
 		{ "version", no_argument,       NULL, 'V' },
@@ -63,7 +81,7 @@ int main(int argc, char *argv[])
 
 	/* Parse command line arguments */
 	int opt = 0;
-	while ((opt = getopt_long(argc, argv, "o:t:vVh", opts, NULL)) != -1) {
+	while ((opt = getopt_long(argc, argv, "o:t:d:vVh", opts, NULL)) != -1) {
 		switch (opt) {
 		case 'o':
 			origin = optarg;
@@ -77,6 +95,9 @@ int main(int argc, char *argv[])
 		case 'V':
 			print_version(PROGRAM_NAME);
 			return EXIT_SUCCESS;
+		case 'd':
+			dnssec = str2bool(optarg);
+			break;
 		case 't':
 			if (knot_time_parse("YMDhms|#|+-#U|+-#",
 			                    optarg, &check_time) != KNOT_EOK) {
@@ -124,7 +145,7 @@ int main(int argc, char *argv[])
 
 	knot_dname_t *dname = knot_dname_from_str_alloc(zonename);
 	free(zonename);
-	int ret = zone_check(filename, dname, stdout, (time_t)check_time);
+	int ret = zone_check(filename, dname, stdout, dnssec, (time_t)check_time);
 	knot_dname_free(dname, NULL);
 
 	log_close();

src/utils/kzonecheck/zone_check.c

@@ -63,7 +63,7 @@ static void print_statistics(err_handler_stats_t *stats)
 }
 
 int zone_check(const char *zone_file, const knot_dname_t *zone_name,
-               FILE *outfile, time_t time)
+               FILE *outfile, bool dnssec, time_t time)
 {
 	err_handler_stats_t stats = {
 		.handler = { .cb = err_callback },
@@ -71,7 +71,7 @@ int zone_check(const char *zone_file, const knot_dname_t *zone_name,
 	};
 
 	zloader_t zl;
-	int ret = zonefile_open(&zl, zone_file, zone_name, true, time);
+	int ret = zonefile_open(&zl, zone_file, zone_name, dnssec, time);
 	if (ret != KNOT_EOK) {
 		return ret;
 	}

src/utils/kzonecheck/zone_check.h

-/*  Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -19,4 +19,4 @@
 #include "libknot/libknot.h"
 
 int zone_check(const char *zone_file, const knot_dname_t *zone_name,
-               FILE *outfile, time_t time);
+               FILE *outfile, bool dnssec, time_t time);

tests/knot/test_semantic_check.in

@@ -36,6 +36,13 @@ test_correct()
 	ok "$1 - correct zone, without error" test $? -eq 0
 }
 
+#param zonefile
+test_correct_no_dnssec()
+{
+	$KZONECHECK -o example.com -d off "$DATA/$1" > /dev/null
+	ok "$1 - correct zone, without error" test $? -eq 0
+}
+
 if [ ! -x $KZONECHECK ]; then
 	skip_all "kzonecheck is missing or is not executable"
 fi
@@ -137,4 +144,37 @@ test_correct "cdnskey.cds"
 test_correct "cdnskey.delete.both"
 test_correct "dname_apex_nsec3.signed"
 
+test_correct_no_dnssec "no_rrsig.signed"
+test_correct_no_dnssec "no_rrsig_with_delegation.signed"
+test_correct_no_dnssec "nsec_broken_chain_01.signed"
+test_correct_no_dnssec "nsec_broken_chain_02.signed"
+test_correct_no_dnssec "nsec_missing.signed"
+test_correct_no_dnssec "nsec_multiple.signed"
+test_correct_no_dnssec "nsec_wrong_bitmap_01.signed"
+test_correct_no_dnssec "nsec_wrong_bitmap_02.signed"
+test_correct_no_dnssec "nsec3_missing.signed"
+test_correct_no_dnssec "nsec3_wrong_bitmap_01.signed"
+test_correct_no_dnssec "nsec3_wrong_bitmap_02.signed"
+test_correct_no_dnssec "nsec3_ds.signed"
+test_correct_no_dnssec "nsec3_optout.signed"
+test_correct_no_dnssec "nsec3_chain_01.signed"
+test_correct_no_dnssec "nsec3_chain_02.signed"
+test_correct_no_dnssec "nsec3_chain_03.signed"
+test_correct_no_dnssec "nsec3_param_invalid.signed"
+test_correct_no_dnssec "rrsig_signed.signed"
+test_correct_no_dnssec "rrsig_rdata_ttl.signed"
+test_correct_no_dnssec "duplicate.signature"
+test_correct_no_dnssec "missing.signed"
+test_correct_no_dnssec "dnskey_param_error.signed"
+test_correct_no_dnssec "invalid_ds.signed"
+test_correct_no_dnssec "cdnskey.invalid"
+test_correct_no_dnssec "cdnskey.invalid.param"
+test_correct_no_dnssec "cdnskey.nocds"
+test_correct_no_dnssec "cdnskey.nocdnskey"
+test_correct_no_dnssec "cdnskey.nodnskey"
+test_correct_no_dnssec "cdnskey.orphan.cds"
+test_correct_no_dnssec "cdnskey.orphan.cdnskey"
+test_correct_no_dnssec "cdnskey.delete.invalid.cds"
+test_correct_no_dnssec "cdnskey.delete.invalid.cdnskey"
+
 rm $LOG