Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add DNSSEC Validation #441

Open
phillip-stephens opened this issue Sep 12, 2024 · 3 comments · May be fixed by #470
Open

Add DNSSEC Validation #441

phillip-stephens opened this issue Sep 12, 2024 · 3 comments · May be fixed by #470
Assignees
Milestone

Comments

@phillip-stephens
Copy link
Contributor

phillip-stephens commented Sep 12, 2024

Describe the feature requested
Add DNSSEC record validation to ZDNS. We currently have the --dnssec CLI flag to request DNSSEC RRSIG records. The ask here is to verify these signatures going up to the root of trust.

This feature should:

  • Add a new --validate-dnssec CLI flag
  • Make use of the Resolver.cache to avoid duplicating lookups
  • Add integration tests to integration_tests.py for DNSSEC validation
  • At the moment, we are only concerned with existence cases; i.e. NSEC(3) is out of scope.

Test Cases

  • Positive Test Cases (from internetsociety.org
    • Cloudflare.com
    • internetsociety.org
    • dnssec-tools.org
    • dnssec-deployment.org
  • Negative Test Cases
    • dnssec-failed.org
    • rhybar.cz
  • ./zdns A dnssec-tools.org internetsociety.org --validate-dnssec
    • Check Wireshark for 0 duplicate DNS queries

Output
WIP - open to suggestions
Currently thinking we return the same information as ./zdns --dnssec but 2 additional per module fields

  • dnssec-validation-passed: true/false
  • dnssec-validation-failed-reason: "Signature of Cloudflare.com did not validate using the .com signing key"
@phillip-stephens
Copy link
Contributor Author

This is a 3rd party library that performs the DNSSEC validation. It can serve as a good starting point, but needs to be tightly integrated with ZDNS so we can leverage the Cache and avoid duplicating lookups.

@phillip-stephens
Copy link
Contributor Author

@zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient?

I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about.

@zakird
Copy link
Member

zakird commented Sep 12, 2024 via email

@zakird zakird added this to the Version 2.2 milestone Oct 14, 2024
@developStorm developStorm linked a pull request Nov 1, 2024 that will close this issue
6 tasks
@developStorm developStorm linked a pull request Nov 1, 2024 that will close this issue
6 tasks
@zakird zakird modified the milestones: Version 2.2, Version 2.0 Nov 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants