kzonecheck - add DNSSEC zone check

I would find it useful if kzonecheck could check DNSSEC zone records:

• checking completeness of signatures
• checking if signatures valid now (optional now + N-days)
• checking completeness of NSEC/NSEC3 chain
• checking if every signature has a valid DNSKEY in the zone
• ...

assigned to @fsiroky

mentioned in merge request !665 (merged)

Hi @stirnimann,

I have looked into this issue and found it being partially implemented (NSEC/NSEC3 chain, signatures valid now)

Please let me know if new checks are satisfying.

Thank you.

I noticed the following smaller issues:

• improve error output for NSEC3 errors. e.g.: incoherent NSEC3 chain/missing NSEC3: output should list with both hashed and plain text hostname as this simplifies finding the error
• kzonecheck usage typo: --der should be --dir
• I had problems using kzonecheck --dir because it required a sub path of keymgr --dir. e.g. keymgr --dir /tmp is equal to kzonecheck --dir /tmp/kasp/
• typo in error "wrong NSEC3 TLL" should be "wrong Original TTL in NSEC3"
• For NSEC3 incorrect type bitmap the error is "incorrect type bitmap in NSEC". Should be NSEC3.

I also noticed some checks which are missing and I think they would be useful:

• NSEC3 checks
• bad iterations
• bad salt
• bad hash algorithm value
• bad flags (not 1 or 0)
• RRSIG
• invalid signature
• expiration/inception time does not match signature
• bad key tag (e.g. signer key not found)
• bad algorithm value
• DS
• bad hash length
• bad or unsupported digest type

From the above list, I think validating the signatures is the most useful check missing.

Thank you for this list.

I removed the key check as I was told not to use kasp in kzonecheck. Also the whole list is implemented.

Except missing NSEC3 as I think it is impossible to find hashed hostname (if really needed I might add generating for the error message).

Also NSEC3 iterations are compared to NSEC3PARAM error, should I try to add maximal iterations for different key lengths or is this enough?

As RRSIGs go, kzonecheck wont give you details, so if its really important to know detail such as for example if algorithm is wrong, let me know and I will try figure something out.

As before, you can find current version in kzonecheck branch.

Sorry for not responding so far. I did not have time to provide feedback to this. Will look at it next week! Thank you, Daniel

Hi Filip, I get a build error (or better test error):

make[2]: Entering directory `/builddir/build/BUILD/knot/tests'
../libtap/runtests -s . \
...
test_zonedb.....................ok
test_semantic_check.............FAILED 95, 99, 103
Failed Set                 Fail/Total (%) Skip Stat  Failing Tests
-------------------------- -------------- ---- ----  ------------------------
test_semantic_check           3/120    2%    0    0  95, 99, 103
Failed 3/3419 tests, 99.91% okay, 1 test skipped.
Files=61,  Tests=3419,  9.87 seconds (4.86 usr + 2.27 sys = 7.12 CPU)

Should I disable this tests for the build or does it need fixing?

HI,

that is odd. It didnt fail for me nor in pipeline. May I ask, how do you configure knot and what system do you use? And for now you can probably skip it.

Or try reset the repository if you didnt do so yet (Im not sure If I didnt force push)

It happend on

• Red Hat Enterprise Linux Server release 7.3 (Maipo)
• CentOS Linux release 7.2.1511 (Core)

and I cloned the repo to build it

git clone https://gitlab.labs.nic.cz/labs/knot.git
cd knot
git fetch origin
git checkout -b kzonecheck origin/kzonecheck
autoreconf -if
./configure
make
make check

I will use kzonecheck without using "make check"

Thank you, I will look into it.

@stirnimann Could you manually execute ./tests/test_semantic_check?

$ ./tests/test_semantic_check 
Failed to run semantic checks (failed).
ok 1 - cname_extra_01.zone - program return code
ok 2 - cname_extra_01.zone - check fatal
ok 3 - cname_extra_01.zone - check message
ok 4 - cname_extra_01.zone - number of found errors
Failed to run semantic checks (failed).
ok 5 - cname_extra_02.signed - program return code
ok 6 - cname_extra_02.signed - check fatal
ok 7 - cname_extra_02.signed - check message
ok 8 - cname_extra_02.signed - number of found errors
Failed to run semantic checks (failed).
ok 9 - cname_multiple.zone - program return code
ok 10 - cname_multiple.zone - check fatal
ok 11 - cname_multiple.zone - check message
ok 12 - cname_multiple.zone - number of found errors
Failed to run semantic checks (failed).
ok 13 - dname_children.zone - program return code
ok 14 - dname_children.zone - check fatal
ok 15 - dname_children.zone - check message
ok 16 - dname_children.zone - number of found errors
Failed to run semantic checks (failed).
ok 17 - dname_children.zone - program return code
ok 18 - dname_children.zone - check fatal
ok 19 - dname_children.zone - check message
ok 20 - dname_children.zone - number of found errors
ok 21 - missing_ns.zone - program return code
ok 22 - missing_ns.zone - check fatal
ok 23 - missing_ns.zone - check message
ok 24 - missing_ns.zone - number of found errors
ok 25 - missing_glue_01.zone - program return code
ok 26 - missing_glue_01.zone - check fatal
ok 27 - missing_glue_01.zone - check message
ok 28 - missing_glue_01.zone - number of found errors
ok 29 - missing_glue_02.zone - program return code
ok 30 - missing_glue_02.zone - check fatal
ok 31 - missing_glue_02.zone - check message
ok 32 - missing_glue_02.zone - number of found errors
ok 33 - missing_glue_03.zone - program return code
ok 34 - missing_glue_03.zone - check fatal
ok 35 - missing_glue_03.zone - check message
ok 36 - missing_glue_03.zone - number of found errors
ok 37 - different_signer_name.signed - program return code
ok 38 - different_signer_name.signed - check fatal
ok 39 - different_signer_name.signed - check message
ok 40 - different_signer_name.signed - number of found errors
ok 41 - no_rrsig.signed - program return code
ok 42 - no_rrsig.signed - check fatal
ok 43 - no_rrsig.signed - check message
ok 44 - no_rrsig.signed - number of found errors
ok 45 - no_rrsig_with_delegation.signed - program return code
ok 46 - no_rrsig_with_delegation.signed - check fatal
ok 47 - no_rrsig_with_delegation.signed - check message
ok 48 - no_rrsig_with_delegation.signed - number of found errors
ok 49 - nsec_broken_chain_01.signed - program return code
ok 50 - nsec_broken_chain_01.signed - check fatal
ok 51 - nsec_broken_chain_01.signed - check message
ok 52 - nsec_broken_chain_01.signed - number of found errors
ok 53 - nsec_broken_chain_02.signed - program return code
ok 54 - nsec_broken_chain_02.signed - check fatal
ok 55 - nsec_broken_chain_02.signed - check message
ok 56 - nsec_broken_chain_02.signed - number of found errors
ok 57 - nsec_missing.signed - program return code
ok 58 - nsec_missing.signed - check fatal
ok 59 - nsec_missing.signed - check message
ok 60 - nsec_missing.signed - number of found errors
ok 61 - nsec_multiple.signed - program return code
ok 62 - nsec_multiple.signed - check fatal
ok 63 - nsec_multiple.signed - check message
ok 64 - nsec_multiple.signed - number of found errors
ok 65 - nsec_wrong_bitmap_01.signed - program return code
ok 66 - nsec_wrong_bitmap_01.signed - check fatal
ok 67 - nsec_wrong_bitmap_01.signed - check message
ok 68 - nsec_wrong_bitmap_01.signed - number of found errors
ok 69 - nsec_wrong_bitmap_02.signed - program return code
ok 70 - nsec_wrong_bitmap_02.signed - check fatal
ok 71 - nsec_wrong_bitmap_02.signed - check message
ok 72 - nsec_wrong_bitmap_02.signed - number of found errors
ok 73 - nsec3_missing.signed - program return code
ok 74 - nsec3_missing.signed - check fatal
ok 75 - nsec3_missing.signed - check message
ok 76 - nsec3_missing.signed - number of found errors
ok 77 - nsec3_wrong_bitmap_01.signed - program return code
ok 78 - nsec3_wrong_bitmap_01.signed - check fatal
ok 79 - nsec3_wrong_bitmap_01.signed - check message
ok 80 - nsec3_wrong_bitmap_01.signed - number of found errors
ok 81 - nsec3_wrong_bitmap_02.signed - program return code
ok 82 - nsec3_wrong_bitmap_02.signed - check fatal
ok 83 - nsec3_wrong_bitmap_02.signed - check message
ok 84 - nsec3_wrong_bitmap_02.signed - number of found errors
ok 85 - nsec3_ds.signed - program return code
ok 86 - nsec3_ds.signed - check fatal
ok 87 - nsec3_ds.signed - check message
ok 88 - nsec3_ds.signed - number of found errors
ok 89 - nsec3_optout.signed - program return code
ok 90 - nsec3_optout.signed - check fatal
ok 91 - nsec3_optout.signed - check message
ok 92 - nsec3_optout.signed - number of found errors
ok 93 - nsec3_chain_01.signed - program return code
ok 94 - nsec3_chain_01.signed - check fatal
grep: Unmatched ) or \)
not ok 95 - nsec3_chain_01.signed - check message
ok 96 - nsec3_chain_01.signed - number of found errors
ok 97 - nsec3_chain_02.signed - program return code
ok 98 - nsec3_chain_02.signed - check fatal
grep: Unmatched ) or \)
not ok 99 - nsec3_chain_02.signed - check message
ok 100 - nsec3_chain_02.signed - number of found errors
ok 101 - nsec3_chain_03.signed - program return code
ok 102 - nsec3_chain_03.signed - check fatal
grep: Unmatched ) or \)
not ok 103 - nsec3_chain_03.signed - check message
ok 104 - nsec3_chain_03.signed - number of found errors
ok 105 - rrsig_signed.signed - program return code
ok 106 - rrsig_signed.signed - check fatal
ok 107 - rrsig_signed.signed - check message
ok 108 - rrsig_signed.signed - number of found errors
ok 109 - rrsig_ttl.signed - program return code
ok 110 - rrsig_ttl.signed - check fatal
ok 111 - rrsig_ttl.signed - check message
ok 112 - rrsig_ttl.signed - number of found errors
ok 113 - rrsig_rdata_ttl.signed - program return code
ok 114 - rrsig_rdata_ttl.signed - check fatal
ok 115 - rrsig_rdata_ttl.signed - check message
ok 116 - rrsig_rdata_ttl.signed - number of found errors
ok 117 - no_error_delegaton_bitmap.signed - correct zone, without error
ok 118 - no_error_nsec3_delegation.signed - correct zone, without error
ok 119 - no_error_nsec3_optout.signed - correct zone, without error
ok 120 - no_error_wildcard_glue.zone - correct zone, without error
1..120
# Looks like you failed 3 tests of 120

Thank you, this looks really cool. I have to admit that I currently test manually only. I guess, I will implement some test cases so that I can provide faster and more in-depth feedback in the future.

I removed the key check as I was told not to use kasp in kzonecheck. Also the whole list is implemented.

I actually like it without the kasp dependency a lot more as well as it allows kzonecheck to be used in more use-cases.

Also NSEC3 iterations are compared to NSEC3PARAM error, should I try to add maximal iterations for different key lengths or is this enough?

Looks good to me.

Some additional feedback below:

• I got the impression that the NSEC3 opt-out flag is not checked. To be honest, my spec understanding is not very good in this regard and I'm not sure if mixed usage of NSEC3 opt-out/not-using-opt-out is even valid. So, this is just an observation for the moment.
• So called "duplicate" signatures of a DNSKEY which is not found in the zone are reported as an error. However, I believe this should be accepted. If at least one signature can be verified with a DNSKEY published in the zone, then it's ok. The reason this might happen is if someone is doing an algorithm rollover and he is using the "conservative" approach where he published RRSIG with the new algorithm before publishing the DNSKEY.
• If we have KSK and ZSK and the DNSKEY RR is only signed by the ZSK, then this is not shown as an error. I believe this is correct as it's "valid" to use the ZSK as a trust anchor in the parent zone. I just wanted to mention this as some people might disagree.
• If a signature exists for a non-existing RR this is shown as an error. I would propose that you ignore this error-condition. You should only check signatures for which there are records. Obsolete signature are not used by a nameserver anyway and cause no harm. If you really want, you could make it optionally with a "strict" validation or something like that.

1. opt-out is ignored to my knowledge. kzonecheck only check if other flags are 0 (therefore if flag > 1)
2. on it
3. will add warning/notice
4. I wasn’t able to reproduce this behaviour, could you give me an example zone?

Attached file for 4. 8.example.com.signed

kzonecheck -o 8.example.com 8.example.com.signed
record 'ftp.8.example.com': missing NSEC

ERROR SUMMARY:
	Count	Error
	1	missing NSEC

Note, this is a real problem for some version of BIND. e.g. BIND 9.10.3-P4/BIND 9.9.8-P4 have this fix https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=832ab79d1f8bc4edf638780b306888da30ac3a1e

@stirnimann Hello, could you please try this branch again before I merge it to master? I have refactored some parts of semantic checks. Thanks

closed via commit f75c625f

closed via merge request !665 (merged)

mentioned in commit f75c625f

@dsalzman thank you, looks good to me. some small comments below:

Building

• Noticed that ./configure --disable-daemon also disabled kzonecheck. I had expected it to be part of utilities.

Usage

• If the -t <timestamp> is not given in full YYYYMMDDHHmmSS format, the current UNIX timestamp is used. I had wrongly expected that using YYYYMMDDHH would result in YYYYMMDDHH0000. I can understand if my assumption is wrong but I think it is an error to not inform the user that the given malformed timestamp is unused. Maybe just break and show an error for invalid input?

Man Page

• In knot.conf.5 on semantic-checks: is the second bullet point not a sub issue of broken NSEC chain and therefore already covered by the first bullet point?
• Broken or non-cyclic NSEC(3) chain
• Missing NSEC records at authoritative nodes

Check Coverage

• Just an observation: I noticed that the issue mentioned in https://gitlab.labs.nic.cz/knot/knot-dns/issues/501#note_44655 is shown as an error. I'm ok with that.

reopened

changed milestone to %next

changed milestone to %2.8.0

@stirnimann thanks for the feedback!

Building: kzonecheck is not part of the utilities intentionally as it would add some dependencies (liburcu) to the utilities - semantic checks are shared with the server :-/

Usage: the problem is that the program cannot distinguish YYYYMMDDHH from timestamp. This idea is based on https://tools.ietf.org/html/rfc4034#section-3.2

Man Page: I have slightly reduced and reworded the list of checks.

Check Coverage: I didn't want to ignore orphaned RRSIGs. Because it could indicate that something is wrong (dnssec-signzone in this case :-)).

closed

added ~4 feature utilities labels

removed milestone