digsec's People

Contributors

metebalci

digsec's Issues

warning when ZSK is not in DS

The validate command gives a warning when the ZSK is not in DS. Does it have to be a warning? Because there is nothing wrong with this configuration if the KSK is in DS.

validate_third_level_domain.sh

It would be really Nice To Have (TM) a validate_third_level_domain.sh

I assume it could parse it as a 3 level and call validate_second_level_domain.sh for the first two, and just do the incremental on the third.

I have a use case that needs a validate_third_level_domain.sh to retrieve TXT.

Thanks for the great software.

digsec-0.6 installation issue

Hi, I'm trying to install digsec-0.6 with pip and I get this error:

$ pip install digsec
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting digsec
  Using cached digsec-0.6.tar.gz (18 kB)
    ERROR: Command errored out with exit status 1:
     command: /usr/bin/python2 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-uakLGm/digsec/setup.py'"'"'; __file__='"'"'/tmp/pip-install-uakLGm/digsec/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-WD63ZX
         cwd: /tmp/pip-install-uakLGm/digsec/
    Complete output (23 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-install-uakLGm/digsec/setup.py", line 3, in <module>
        setup()
      File "/usr/lib/python2.7/dist-packages/setuptools/__init__.py", line 145, in setup
        return distutils.core.setup(**attrs)
      File "/usr/lib/python2.7/distutils/core.py", line 124, in setup
        dist.parse_config_files()
      File "/usr/lib/python2.7/dist-packages/setuptools/dist.py", line 705, in parse_config_files
        ignore_option_errors=ignore_option_errors)
      File "/usr/lib/python2.7/dist-packages/setuptools/config.py", line 120, in parse_configuration
        meta.parse()
      File "/usr/lib/python2.7/dist-packages/setuptools/config.py", line 425, in parse
        section_parser_method(section_options)
      File "/usr/lib/python2.7/dist-packages/setuptools/config.py", line 398, in parse_section
        self[name] = value
      File "/usr/lib/python2.7/dist-packages/setuptools/config.py", line 183, in __setitem__
        value = parser(value)
      File "/usr/lib/python2.7/dist-packages/setuptools/config.py", line 513, in _parse_version
        version = self._parse_attr(value, self.package_dir)
      File "/usr/lib/python2.7/dist-packages/setuptools/config.py", line 349, in _parse_attr
        value = getattr(module, attr_name)
    AttributeError: 'module' object has no attribute 'DIGSEC_VERSION'
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

Am I wrong?

Thanks in advance.

Could you add an option to use TCP

Could you add an option to use TCP? For those behind TCP only firewalls.

It's often on 53/tcp but if you could add a port option, so much the better.

I can't figure out the syntax to set an alternate port, even after studying the copious documentation (tongue firmly in cheek :-).

TXT message for 2nd and 3rd level domains

It would be nice to have a stable known TXT message in a DNSSEC server at the second and third level. I noticed on https://metebalci.com/about/

I use Hover as my domain registrar and Google Cloud Platform for DNS.
Hover and DNS@Google Cloud Platform supports DNSSEC, and DNSSEC is enabled for this zone (metebalci.com) as well.

Could you create a test message on both https://metebalci.com/ and https://www.metebalci.com/ that we could use as targets for testing?

Thanks.

Unfinished code block in query.py

There's an unfinished code block in query.py at line 123

    if len(at) > 0:
        server_and_port = at[0][1:].split(':')
        if len(server_and_port) == 1:
            server = server_and_port[0]
            port = 53

needs completing with:

        else:
            server = server_and_port[0]
            port = int(server_and_port[1])

Using stronger SSL for communicating

You're downloading security files with urllib.request.urlopen which uses the default ssl.create_default_context which defaults to SSLContext(PROTOCOL_TLS) which I think is TLSv1 - not even tlsv1.1 and lets the server choose the cipher (at least in python 3.9).

I think you want to make a ssl.SSLContext with PROTOCOL_TLSv1_2 and also provide a CAfile in PEM explicitly, to get tlsv1.2 at least. And then even possibly tune the ciphers to get tlsv1.3. Then you give that context to urllib.request.urlopen as a context keyword, along with the cafile keyword.

I expect that PROTOCOL_TLS is susceptible to TLS downgrade attacks - I'm pretty sure I've seen anything less than tls1.3 get downgraded.
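An added example (not digsec's code) of the hardened client context the issue asks for: it pins the floor with PROTOCOL_TLS_CLIENT plus minimum_version rather than the PROTOCOL_TLSv1_2 constant, keeps certificate and hostname verification on, and accepts an explicit PEM bundle or falls back to the OS trust store. The URL and cafile path are placeholders chosen by the caller.

```python
import ssl
import urllib.request


def make_tls_context(cafile=None):
    """Client context that refuses anything below TLS 1.2.

    PROTOCOL_TLS_CLIENT enables certificate verification and hostname
    checking; minimum_version sets the floor so a peer offering only
    TLS 1.0/1.1 is rejected instead of being negotiated down to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None:
        # explicit PEM bundle shipped alongside the tool
        ctx.load_verify_locations(cafile=cafile)
    else:
        # otherwise trust the operating system's CA store
        ctx.load_default_certs()
    return ctx


def fetch(url, cafile=None, timeout=10):
    """Download url over the hardened context (stands in for a bare urlopen)."""
    if not url.startswith("https://"):
        # a plaintext URL would silently bypass everything above
        raise ValueError("refusing non-HTTPS URL: %s" % url)
    ctx = make_tls_context(cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def context_is_hardened(ctx):
    """Self-check a context the way a startup assertion or unit test would."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)
```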

What does Error: multiple DS with keytag: 53376 mean

I got this error on kryptonit.org

INFO: validating answers
INFO: validating org DS with . DNSKEY
OK RRSIG (DS, RSASHA256) with DNSKEY (18733, RSASHA256)
INFO: validating . DNSKEY with . DS (trust anchor)
OK RRSIG (DNSKEY, RSASHA256) with DNSKEY (20326, RSASHA256)
OK DNSKEY (20326, RSASHA256) with DS (SHA-256)
INFO: validating org DNSKEY with org DS
OK RRSIG (DNSKEY, RSASHA256) with DNSKEY (26974, RSASHA256)
OK DNSKEY (26974, RSASHA256) with DS (SHA-256)
DBUG: validating kryptonit.org DNSKEY with kryptonit.org DS
OK RRSIG (DNSKEY, ECDSAP256SHA256) with DNSKEY (53376, ECDSAP256SHA256)
Error: multiple DS with keytag: 53376

I know it's a tool for experts, but documenting a few of the most common errors in the except: clauses of __main__.py would help people like me who have never used DNSSEC before.

It might also go in a testsuite to make sure you are raising errors on known bad domains.
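An added illustration (not digsec's code) of what the key tag in that message is and why more than one DS record can legitimately carry the same tag: the parent may publish several digest types for one key, and the 16-bit tag can collide between distinct keys, so a validator tries every DS with the tag rather than expecting exactly one. The owner name, key bytes and DS set below are constructed samples.

```python
import hashlib
import struct

# Constructed sample (not a real key): DNSKEY RDATA with flags=257 (KSK),
# protocol=3, algorithm=13 (ECDSAP256SHA256) and a made-up 4-byte public key.
SAMPLE_OWNER = "example.org."
SAMPLE_DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes([0x00, 0x01, 0x02, 0x03])
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(rdata):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lower-case labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, dnskey_rdata, digest_type):
    """DS digest = hash(owner name wire || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](owner_wire(owner) + dnskey_rdata).digest()


def matching_ds(owner, dnskey_rdata, ds_records):
    """Return every DS (keytag, alg, digest_type, digest) that authenticates the key.

    Several DS records may share one key tag, so each one carrying the tag is
    checked by recomputing its digest; a non-matching DS is skipped, not fatal.
    """
    tag, alg = key_tag(dnskey_rdata), dnskey_rdata[3]
    return [ds for ds in ds_records
            if ds[0] == tag and ds[1] == alg and ds[2] in DIGEST_ALGS
            and ds_digest(owner, dnskey_rdata, ds[2]) == ds[3]]


def sample_ds_set():
    """Constructed DS RRset: two digest types for one key plus a stale DS with the same tag."""
    tag = key_tag(SAMPLE_DNSKEY_RDATA)
    return [(tag, 13, 1, ds_digest(SAMPLE_OWNER, SAMPLE_DNSKEY_RDATA, 1)),
            (tag, 13, 2, ds_digest(SAMPLE_OWNER, SAMPLE_DNSKEY_RDATA, 2)),
            (tag, 13, 2, bytes(32))]  # same tag, wrong digest
```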

Make the module into a package with a __main__.py

You can make the digsec module into a package by adding a __main__.py

Then you can run digsec just by running python3 -m digsec
like many Python packages. At the same time you can squelch the Python
error tracebacks for expected errors, and print the traceback for unexpected errors.

# -*- mode: python; py-indent-offset: 4; coding: utf-8 -*-

import sys
import traceback

import rsa
from ecdsa import BadSignatureError

from .scripts import main

def imain():
    try:
        i = main()
    except KeyboardInterrupt:
        i = 0
    except (BadSignatureError, rsa.pkcs1.VerificationError) as e:
        # these errors are expected so don't print a traceback
        print(f"SignatureError: {e}")
        i = 2
    except Exception as e:
        # these errors are unexpected
        # OSError: [Errno 98] Address already in use
        # comm.py, line 14, in send_recv
        print(f"Error: {e}")
        print(traceback.format_exc())
        i = 1
    return i
if __name__ == '__main__':
    sys.exit(imain())

Also all Python files are expected to start with a coding line to declare their encoding
https://peps.python.org/pep-0263/ The one I used adds info for emacs and other editors.

Not all domains have TXT

Your code is great and is just what I need, but a little basic documentation would help people like me who have never used DNSSEC. Some more explanation in the validate_second_level_domain.sh script of the steps, and the importance of the order of the sequence of steps, would help a lot.

The script is a sequence of steps so it would be nice to make sure the sequence is in strictly required order: maybe it is, as I don't know DNSSEC, but it seems to me the last 2 validations should come earlier.

If it's in strict order, you can add a set -e at the top of the file to make it exit on first error.

But if rr=TXT then many domains have no TXT and the script fails in validating with Error: file does not exist: so you could check the existence of the files in bash and gracefully exit in the case of TXT (and any other cases where it's not required).

Also in the case of TXT, it's the one case where you want to see the text, so could your script special case TXT at least and give the user-friendly rendition of the contents? There's no documentation to tell me how to do that.

add RSASHA1-NSEC3-SHA1 support

it is a must per RFC 8624

per RFC 5115, "This specification allocates two new DNSKEY algorithm identifiers for this purpose. Algorithm 6, DSA-NSEC3-SHA1 is an alias for algorithm 3, DSA. Algorithm 7, RSASHA1-NSEC3-SHA1 is an alias for algorithm 5, RSASHA1. These are not new algorithms, they are additional identifiers for the existing algorithms."

In scripts/ make a simple testsuite.bash

If you made a little testsuite bash file in scripts, you could show how it works on good sites, and there are known bad DNSSEC sites too that you could test it failing on. Even a few sites for some specific examples of what you are usually looking for would help show its usage.

It would also test your code in case you don't like pylint :-)

Thanks for the code - it's great.

Use a try:/except: to make script errors less ugly

A common error is BadSignatureError: and if you get one in your scripts you get an ugly and not very useful Python traceback.

You could change your main in scripts.py to be called iMain and add this at the bottom:

    return 0

# needs at the top of scripts.py: import sys, and from ecdsa import BadSignatureError
def main():
    try:
        i = iMain()
    except KeyboardInterrupt:
        i = 0
    except BadSignatureError as e:
        # explain what's going on
        print(f"BadSignatureError: {e}")
        i = 2
    except Exception as e:
        print(f"Error: {e}")
        i = 1
    return i

if __name__ == '__main__':
    sys.exit(main())

2 errors in 0.7.1 installed from pypi

You need to run pylint on your code as a part of release QA:

************* Module digsec.algorithms
algorithms.py:59:11: E0602: Undefined variable 'BadSignatureError' (undefined-variable)
algorithms.py:72:11: E0602: Undefined variable 'BadSignatureError' (undefined-variable)
************* Module digsec.messages
messages.py:250:4: E0213: Method 'from_packet' should have "self" as first argument (no-self-argument))

from_packet needs a staticmethod and BadSignatureError needs adding to the from ecdsa import

canonical_rrset in validate.py sometimes contains None

Maybe an edge case, but canonical_rrset in validate.py

    canonical_rrset = map(lambda rr: rr.canonical_l1(rrsig.original_ttl),
                          rrset)

sometimes contains None which throws an error on the next line in:

lambda x: binascii.hexlify(x.rdata)

I changed rrset to filter(bool, rrset) to squelch this - am I wrong?

Further down after for rr in rrset: I added if not rr: continue but that may be
overkill if the first change is made.

Your timeout is too short, at least for me...

Your timeout is too short, at least for me. I think it's 1 second.

Either increase it globally or add a timeout=10 in validate_second_level_domain.sh
on the commands that take it, in which case you demo what commands take a timeout.

Don't always bind to the same port

One more suggestion: Don't always bind to the same port. There's no need and I assume it would stop 2 instances running at the same time (untested).

In comm.py: around line 42

sock.bind(('', 0)) # 0 selects a free port

to

sock.bind(('', random.randrange(4000, 40000)))

with an import random at the top.
