Add DNSSEC Validation #441

Open
phillip-stephens opened this issue Sep 12, 2024 · 3 comments · May be fixed by #470

@phillip-stephens
Contributor

phillip-stephens commented Sep 12, 2024

Describe the feature requested
Add DNSSEC record validation to ZDNS. We currently have the --dnssec CLI flag to request DNSSEC RRSIG records. The ask here is to verify these signatures going up to the root of trust.

This feature should:

  • Add a new --validate-dnssec CLI flag
  • Make use of the Resolver.cache to avoid duplicating lookups
  • Add integration tests to integration_tests.py for DNSSEC validation
  • At the moment, we are only concerned with existence cases; i.e. NSEC(3) is out of scope.

Test Cases

  • Positive Test Cases (from internetsociety.org)
    • Cloudflare.com
    • internetsociety.org
    • dnssec-tools.org
    • dnssec-deployment.org
  • Negative Test Cases
    • dnssec-failed.org
    • rhybar.cz
  • ./zdns A dnssec-tools.org internetsociety.org --validate-dnssec
    • Check Wireshark for 0 duplicate DNS queries

Output
WIP - open to suggestions
Currently thinking we return the same information as ./zdns --dnssec but with 2 additional per-module fields

  • dnssec-validation-passed: true/false
  • dnssec-validation-failed-reason: "Signature of Cloudflare.com did not validate using the .com signing key"
@phillip-stephens
Contributor Author

This is a 3rd party library that performs the DNSSEC validation. It can serve as a good starting point, but needs to be tightly integrated with ZDNS so we can leverage the Cache and avoid duplicating lookups.

@phillip-stephens
Contributor Author

@zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient?

I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about.

@zakird
Member

zakird commented Sep 12, 2024 via email

@zakird zakird added this to the Version 2.2 milestone Oct 14, 2024
@developStorm developStorm linked a pull request Nov 1, 2024 that will close this issue
3 participants