Initial commit
This commit is contained in:
commit
eea7e4e459
22 changed files with 2520 additions and 0 deletions
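--- /dev/null
+++ b/checker/rules_dnssec.go
@@ -0,0 +1,42 @@
+package checker
+
+import (
+"context"
+"fmt"
+
+sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+type cnameDnssecRule struct{}
+
+func (cnameDnssecRule) Name() string { return "cname_dnssec" }
+func (cnameDnssecRule) Description() string {
+return "Verifies that, in a DNSSEC-signed zone, the CNAME at Owner carries an RRSIG."
+}
+
+func (cnameDnssecRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+data, errState := loadAlias(ctx, obs)
+if errState != nil {
+return errState
+}
+if !apexKnown(data) {
+return skipped("apex lookup failed")
+}
+if !data.ZoneSigned {
+return skipped("zone not DNSSEC-signed")
+}
+if !data.OwnerHasCNAME {
+return skipped("owner has no CNAME")
+}
+if !data.CNAMESigCheckDone {
+return skipped("DO-bit CNAME probe did not complete")
+}
+if data.CNAMESigned {
+return okState(data.Owner, fmt.Sprintf("CNAME at %s is DNSSEC-signed", data.Owner))
+}
+return []sdk.CheckState{withHint(sdk.CheckState{
+Status: sdk.StatusCrit,
+Subject: data.Owner,
+Message: fmt.Sprintf("zone %s is DNSSEC-signed but CNAME at %s has no RRSIG", data.Apex, data.Owner),
+}, "Re-sign the zone or verify your signer covers the alias RRset; unsigned answers in a signed zone SERVFAIL at validating resolvers.")}
+}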
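Review bot: The `!data.CNAMESigCheckDone` branch in Evaluate turns an incomplete DO-bit probe into a skipped state, so for a zone the rule has already established as signed, a probe that fails every run (a path that drops EDNS or large responses, say) yields no finding at all rather than a degraded one; whether that is the intent depends on what loadAlias records for the probe, which is outside this hunk. If the SDK offers a warning-level status, that branch is the natural place for it, and the message should carry the probe's failure reason when loadAlias exposes one, so a silently broken probe is distinguishable from "nothing to check". Independently, the ordering of the guards deserves a comment above the first `if`, e.g. `// Preconditions are checked in dependency order so that a missing input is reported as skipped, never as a DNSSEC finding.` The helpers loadAlias, apexKnown, skipped, okState and withHint are defined elsewhere in the commit, so their exact semantics cannot be confirmed from this file.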