check_dnssec_expiry
Check for signed zone with no signatures from above
If you e.g. configure a domain to be DNSSEC signed on your nameservers, but don't have the keys defined in the domain registry (either not yet, or they got removed), then the script currently says something like:
WARNING: Zone foobar.tld seems to be unsigned (= resolvable, but no DNSSEC involved at all)
This is not completely correct, because DNSSEC is involved, but not from the top down, only in the DNS zone itself.
The goal of this task would be to differentiate those two scenarios better:
- no keys/signatures in the registry + zone not signed on the nameserver (= show the same message as now)
- no keys/signatures in the registry + zone is signed (= show different message)
@gryphius Any comments on this one?
"no keys/signatures in the registry + zone is signed" is called an "island of security". This is pretty common. People want to test signing their zones first without causing any problems if something in the signing process goes wrong. Resolvers can validate these zones with locally configured trust anchors only.
I'd suggest you check for both DNSKEY and DS records and...
- DNSKEY and DS: zone is signed and we can validate top down from the root
- DNSKEY but no DS: island of security, script can not validate the zone unless a local trust anchor is configured in the validating resolver. But you can still check RRSIG expiration times etc (which was the original idea of this script iirc)
- DS but no DNSKEY: validation failure, all validating resolvers will treat this as BOGUS
- neither DS nor DNSKEY: FeelsBadMan
Also, it should be configurable per zone whether the zone is supposed to be an island of security or not. In case the DS gets removed without the zone administrator's knowledge (because someone from marketing with access to the registrar GUI screwed up ;-) ) we want to be alerted, but when our zone is in testing mode and we deliberately don't have a DS in the parent then all is good.
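As an added example (not code from check_dnssec_expiry itself), here is how the four DNSKEY/DS cases from the comment above, plus the proposed per-zone "expected island" setting, could be mapped onto plugin states in POSIX shell. The function and argument names are assumptions; the dig-based wrapper needs network access and a working resolver.

```shell
#!/bin/sh
# classify_dnssec DNSKEY_COUNT DS_COUNT EXPECTED_ISLAND(0|1)
# Prints "<STATE> <message>" and returns 0 (OK), 1 (WARNING) or 2 (CRITICAL).
# Hypothetical helper, not part of the real plugin.
classify_dnssec() {
    dnskey_count=$1
    ds_count=$2
    expect_island=${3:-0}
    if [ "$dnskey_count" -gt 0 ] && [ "$ds_count" -gt 0 ]; then
        # DNSKEY and DS: chain of trust from the root is complete
        echo "OK zone is signed and has a DS in the parent"
        return 0
    elif [ "$dnskey_count" -gt 0 ]; then
        # DNSKEY but no DS: island of security; fine only if configured that way
        if [ "$expect_island" -eq 1 ]; then
            echo "OK zone is signed without DS in the parent (island of security, as configured)"
            return 0
        fi
        echo "WARNING zone is signed but has no DS in the parent (unexpected island of security)"
        return 1
    elif [ "$ds_count" -gt 0 ]; then
        # DS but no DNSKEY: every validating resolver will answer BOGUS
        echo "CRITICAL DS in the parent but no DNSKEY at the apex, resolvers will return BOGUS"
        return 2
    fi
    # neither: the message the script prints today
    echo "WARNING zone seems to be unsigned (no DNSKEY and no DS)"
    return 1
}

# count_rrset ZONE TYPE: number of records returned by dig +short (0 if none).
# Assumes dig is installed; the DS query is answered from the parent zone.
count_rrset() {
    dig +short +time=5 +tries=1 "$1" "$2" 2>/dev/null | grep -c . || true
}

# check_zone ZONE [EXPECTED_ISLAND]: live check, not exercised offline.
check_zone() {
    classify_dnssec "$(count_rrset "$1" DNSKEY)" "$(count_rrset "$1" DS)" "${2:-0}"
}
```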