
Add DNSSEC Validation

Open phillip-stephens opened this issue 1 year ago • 3 comments

Describe the feature requested

Add DNSSEC record validation to ZDNS. We currently have the --dnssec CLI flag to request DNSSEC RRSIG records. The ask here is to verify these signatures going up to the root of trust.

This feature should:

  • Add a new --validate-dnssec CLI flag
  • Make use of the Resolver.cache to avoid duplicating lookups
  • Add integration tests to integration_tests.py for DNSSEC validation
  • At the moment, we are only concerned with existence cases; i.e. NSEC(3) is out of scope.

Test Cases

  • Positive Test Cases (from internetsociety.org)
    • Cloudflare.com
    • internetsociety.org
    • dnssec-tools.org
    • dnssec-deployment.org
  • Negative Test Cases
    • dnssec-failed.org
    • rhybar.cz
  • ./zdns A dnssec-tools.org internetsociety.org --validate-dnssec
    • Check Wireshark for 0 duplicate DNS queries

Output

WIP - open to suggestions. Currently thinking we return the same information as ./zdns --dnssec but 2 additional per-module fields:

  • dnssec-validation-passed: true/false
  • dnssec-validation-failed-reason: "Signature of Cloudflare.com did not validate using the .com signing key"

phillip-stephens avatar Sep 12 '24 17:09 phillip-stephens
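The validation the issue asks for, walking from a trust anchor through DS and DNSKEY records down to the answer's RRSIG, as an added example written for this page in Go (ZDNS's language); it is not ZDNS code and not the third-party library mentioned further down. It assumes a toy two-zone chain (`.` delegating `example.`) built at run time with fresh ECDSA P-256 keys, algorithm 13 only, a fixed clock, no wildcards, and no NSEC(3) denial of existence (out of scope here as well); every type and function name is the example's own. The `zones` map stands in for the DNSKEY and DS lookups ZDNS would serve from `Resolver.cache`, and `Validate` returns a pass flag plus a reason string in the shape of the two output fields proposed above.

```go
// Added example for this issue, not ZDNS code: a minimal DNSSEC chain validator for algorithm 13.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

const typeA, typeDS, typeDNSKEY, alg13 = 1, 43, 48, 13 // alg 13 = ECDSAP256SHA256 (RFC 6605)

// RR is any record with its RDATA in wire form; RRSIG holds the fields that enter the signed data plus the r||s signature.
type RR struct {
	Owner string
	Type  uint16
	Rdata []byte
}
type RRSIG struct {
	TypeCovered, KeyTag            uint16
	Labels                         uint8
	OrigTTL, Expiration, Inception uint32
	Signer                         string
	Sig                            []byte
}

// Zone is what a validator fetches for one hop (and what ZDNS would keep in its cache, so a second name
// under the same parent does not refetch that parent's DNSKEY and DS sets).
type Zone struct {
	Child                          string
	Keys, ChildDS, Answer          []RR // DNSKEY RRset; DS RRset delegating Child; answer RRset at the leaf
	KeysSig, ChildDSSig, AnswerSig RRSIG
}

func u16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func u32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
func labelsOf(name string) []string { return strings.FieldsFunc(name, func(r rune) bool { return r == '.' }) }

// wireName: canonical (lowercased) wire form of a name, RFC 4034 section 6.2; "." becomes a single zero byte.
func wireName(name string) []byte {
	b := []byte{}
	for _, l := range labelsOf(strings.ToLower(name)) {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// dnskeyRdata: flags | protocol 3 | alg 13 | X || Y (RFC 6605 section 4).
func dnskeyRdata(flags uint16, pub *ecdsa.PublicKey) []byte {
	b := append(u16(nil, flags), 3, alg13)
	return append(append(b, pub.X.FillBytes(make([]byte, 32))...), pub.Y.FillBytes(make([]byte, 32))...)
}

// keyTag of a DNSKEY RDATA, RFC 4034 Appendix B.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, v := range rdata {
		ac += uint32(v) << (8 * uint(1-i%2)) // even offsets are the high byte
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsRdata: keytag | alg | digest type 2 | SHA-256(owner wire form || DNSKEY RDATA), RFC 4509.
func dsRdata(owner string, dnskey []byte) []byte {
	d := sha256.Sum256(append(wireName(owner), dnskey...))
	return append(append(u16(nil, keyTag(dnskey)), alg13, 2), d[:]...)
}

// signedData: RRSIG RDATA without the signature, then every RR in canonical form and order (RFC 4034 3.1.8.1).
func signedData(sig RRSIG, rrs []RR) []byte {
	rrs = append([]RR(nil), rrs...)
	sort.Slice(rrs, func(i, j int) bool { return bytes.Compare(rrs[i].Rdata, rrs[j].Rdata) < 0 })
	b := append(u16(nil, sig.TypeCovered), alg13, sig.Labels)
	b = u16(u32(u32(u32(b, sig.OrigTTL), sig.Expiration), sig.Inception), sig.KeyTag)
	b = append(b, wireName(sig.Signer)...)
	for _, rr := range rrs { // owner | type | class IN | original TTL | rdlength | rdata
		b = u32(u16(u16(append(b, wireName(rr.Owner)...), rr.Type), 1), sig.OrigTTL)
		b = append(u16(b, uint16(len(rr.Rdata))), rr.Rdata...)
	}
	return b
}

// signRRset is the signer's side; it exists here only to build the toy chain.
func signRRset(priv *ecdsa.PrivateKey, flags uint16, signer string, rrs []RR, now uint32) RRSIG {
	sig := RRSIG{TypeCovered: rrs[0].Type, Labels: uint8(len(labelsOf(rrs[0].Owner))), OrigTTL: 3600, Signer: signer,
		Inception: now - 3600, Expiration: now + 86400, KeyTag: keyTag(dnskeyRdata(flags, &priv.PublicKey))}
	h := sha256.Sum256(signedData(sig, rrs))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	sig.Sig = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return sig
}

// verifyRRSIG: the RRSIG must be inside its validity window and verify under a DNSKEY in keys carrying its key tag.
func verifyRRSIG(sig RRSIG, rrs, keys []RR, now uint32) error {
	if len(sig.Sig) != 64 || now < sig.Inception || now > sig.Expiration {
		return fmt.Errorf("RRSIG over %s is malformed or outside its validity window", rrs[0].Owner)
	}
	h := sha256.Sum256(signedData(sig, rrs))
	r, s := new(big.Int).SetBytes(sig.Sig[:32]), new(big.Int).SetBytes(sig.Sig[32:])
	for _, k := range keys {
		if len(k.Rdata) == 68 && k.Rdata[3] == alg13 && keyTag(k.Rdata) == sig.KeyTag {
			pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(k.Rdata[4:36]), Y: new(big.Int).SetBytes(k.Rdata[36:])}
			if ecdsa.Verify(pub, h[:], r, s) {
				return nil
			}
		}
	}
	return fmt.Errorf("no DNSKEY of %s with key tag %d verifies the RRSIG over %s", sig.Signer, sig.KeyTag, rrs[0].Owner)
}

// Validate walks from the trust anchor (the root KSK's DS RDATA) down to the leaf answer and returns
// (passed, reason) in the shape of the two output fields proposed in the issue.
func Validate(zones map[string]*Zone, anchor []byte, now uint32) (bool, string) {
	name, ds := ".", anchor
	for {
		z := zones[name]
		if z == nil {
			return false, "no zone data for " + name
		}
		var ksk []RR // 1. the DNSKEY(s) whose DS digest equals what the parent, or the anchor, published
		for _, k := range z.Keys {
			if bytes.Equal(dsRdata(name, k.Rdata), ds) {
				ksk = append(ksk, k)
			}
		}
		if len(ksk) == 0 {
			return false, "no DNSKEY of " + name + " matches the DS published by its parent"
		}
		if err := verifyRRSIG(z.KeysSig, z.Keys, ksk, now); err != nil { // 2. that KSK signs the DNSKEY RRset
			return false, err.Error()
		}
		if z.Child == "" { // 3. at the leaf, the zone's keys sign the answer RRset
			if err := verifyRRSIG(z.AnswerSig, z.Answer, z.Keys, now); err != nil {
				return false, err.Error()
			}
			return true, ""
		}
		if err := verifyRRSIG(z.ChildDSSig, z.ChildDS, z.Keys, now); err != nil { // 4. the zone signs the child's DS
			return false, err.Error()
		}
		name, ds = z.Child, z.ChildDS[0].Rdata // that DS is what the next hop must match
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newZone builds a zone whose DNSKEY RRset (KSK flags 257, ZSK flags 256) is signed by its KSK.
func newZone(name string, ksk, zsk *ecdsa.PrivateKey, now uint32) *Zone {
	z := &Zone{Keys: []RR{{name, typeDNSKEY, dnskeyRdata(257, &ksk.PublicKey)}, {name, typeDNSKEY, dnskeyRdata(256, &zsk.PublicKey)}}}
	z.KeysSig = signRRset(ksk, 257, name, z.Keys, now)
	return z
}

// BuildChain constructs a toy "." -> "example." chain with fresh keys and returns the zones plus the trust
// anchor (the root KSK's DS RDATA). The leaf A record is constructed data from TEST-NET-1.
func BuildChain(now uint32) (map[string]*Zone, []byte) {
	rootKSK, rootZSK, leafKSK, leafZSK := genKey(), genKey(), genKey(), genKey()
	root, leaf := newZone(".", rootKSK, rootZSK, now), newZone("example.", leafKSK, leafZSK, now)
	root.Child, root.ChildDS = "example.", []RR{{"example.", typeDS, dsRdata("example.", leaf.Keys[0].Rdata)}}
	root.ChildDSSig = signRRset(rootZSK, 256, ".", root.ChildDS, now)
	leaf.Answer = []RR{{"example.", typeA, []byte{192, 0, 2, 1}}}
	leaf.AnswerSig = signRRset(leafZSK, 256, "example.", leaf.Answer, now)
	return map[string]*Zone{".": root, "example.": leaf}, dsRdata(".", root.Keys[0].Rdata)
}

func main() {
	const now = 1700000000 // constructed clock inside every RRSIG's validity window
	zones, anchor := BuildChain(now)
	fmt.Println(Validate(zones, anchor, now))                 // true
	zones["example."].Answer[0].Rdata = []byte{192, 0, 2, 99} // tamper with the answer on the wire
	fmt.Println(Validate(zones, anchor, now))                 // false, with the failing RRSIG named in the reason
}
```

Each hop runs the same checks (DS match, DNSKEY RRset signature, then either the child's DS or the answer), which is what makes the per-zone DNSKEY and DS verification memoizable: a resolver validating a second name under the same parent only has to redo the leaf step. The one-line tamper in `main` shows a modified answer surfacing as a reason string rather than a crash, and an expired or mismatching anchor fails at step 1 or 2 before any answer is trusted.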

This is a 3rd party library that performs the DNSSEC validation. It can serve as a good starting point, but needs to be tightly integrated with ZDNS so we can leverage the Cache and avoid duplicating lookups.

phillip-stephens avatar Sep 12 '24 18:09 phillip-stephens

@zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient?

I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about.

phillip-stephens avatar Sep 12 '24 18:09 phillip-stephens

I would make these different verbosity levels since we have that option.

On Thu, Sep 12, 2024 at 2:07 PM Phillip Stephens @.***> wrote:

@zakird https://github.com/zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient?

I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about.

— Reply to this email directly, view it on GitHub https://github.com/zmap/zdns/issues/441#issuecomment-2346932969, or unsubscribe. You are receiving this because you were mentioned.

zakird avatar Sep 12 '24 18:09 zakird