
DNSKEY support

Open Habbie opened this issue 8 years ago • 3 comments

I did some very rough work to verify that the DNSKEYs for the root zone and the TLDs are not affected. Unless I made a mistake in my testing, none of them are affected.

It might be nice to add DNSKEY support to roca directly - however I do not have time to work on this right now, so I'm leaving the rough work here in case some enterprising soul wants to pick it up. I suggest labeling this issue with #hacktoberfest.

Script: https://gist.github.com/Habbie/23ef81ac9c4fed95720fe1970adddf23

Usage:

$ dig dnskey powerdns.com | grep DNSKEY | grep -v '^;' | ./convert-dnskey.py  > powerdns.out
awk '{print $1}' < powerdns.out > powerdns.out.txt
python roca/detect.py  powerdns.out.txt

Then, if detect actually detects anything, grep for the modulus in powerdns.out to find the affected DNSKEY.

Habbie avatar Oct 16 '17 14:10 Habbie
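The conversion step described in the post above, as an added example (not the linked gist and not roca's own code): it reads presentation-format DNSKEY lines as printed by dig, decodes the RSA public key field per RFC 3110, and prints the hex modulus in the first column so the `awk '{print $1}'` step still applies. The function names, the output layout and the sample record are assumptions made for this example.

```python
import base64
import struct
import sys

# DNSSEC algorithm numbers whose public key field is RSA (RFC 3110 layout)
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

# Constructed sample (not a real key): exponent 65537, 512-bit modulus
SAMPLE = "example. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(
    b"\x03\x01\x00\x01" + bytes(range(0x80, 0xC0))).decode()

def parse_rsa_dnskey(line):
    """Parse one DNSKEY line; return a dict, or None for comments,
    other record types and non-RSA algorithms."""
    fields = line.split()
    if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
        return None
    i = fields.index("DNSKEY")
    if len(fields) < i + 5:
        return None
    flags, _protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    if algorithm not in RSA_ALGORITHMS:
        return None
    # dig may split the base64 key into several space-separated chunks
    key = base64.b64decode("".join(fields[i + 4:]))
    if len(key) < 3:
        raise ValueError("malformed RSA DNSKEY: " + fields[0])
    # RFC 3110: one length byte for the exponent, or 0x00 plus a 2-byte length
    exp_len, offset = key[0], 1
    if exp_len == 0:
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    if exp_len == 0 or offset + exp_len >= len(key):
        raise ValueError("malformed RSA DNSKEY: " + fields[0])
    return {
        "owner": fields[0], "flags": flags, "algorithm": algorithm,
        "exponent": int.from_bytes(key[offset:offset + exp_len], "big"),
        "modulus": int.from_bytes(key[offset + exp_len:], "big"),
    }

def modulus_line(rec):
    """Hex modulus in column 1, then the fields that identify the DNSKEY."""
    return "%x %s %d %d" % (rec["modulus"], rec["owner"], rec["flags"], rec["algorithm"])

if __name__ == "__main__":
    # Use the constructed sample when nothing is piped in
    for line in ([SAMPLE] if sys.stdin.isatty() else sys.stdin):
        rec = parse_rsa_dnskey(line)
        if rec:
            print(modulus_line(rec))
```

The trailing columns let you map a flagged modulus back to its owner name, flags (257 for a KSK, 256 for a ZSK) and algorithm.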

Thanks for the suggestion! Will check that.

ph4r05 avatar Oct 16 '17 14:10 ph4r05

The script + two-liner above has now been verified to indeed recognize a vulnerable key.

Habbie avatar Nov 04 '17 19:11 Habbie

Thanks for the check. I am also a bit busy now so I won't get to that.

One option is to add this two-liner check to the README.

Another option is to create a new detection file and add it to entry_points in setup.py according to the contribution guidelines.

ph4r05 avatar Nov 05 '17 16:11 ph4r05