Add drill trace option in dnssec boefje #2979
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
underdarknl
reviewed
May 24, 2024
| "Unknown cryptographic algorithm", | ||
| "DNSSEC signature has expired", | ||
| ] | ||
| for result_line in reversed(result.splitlines()): |
There was a problem hiding this comment.
Document why we reverse the lines before iterating. I caused me the question the if tree below as I did not see how it would handle the Key lines.
There was a problem hiding this comment.
I added a comment that explains it.
ammar92
approved these changes
May 27, 2024
Checklist for QA:
What works:Looks good! The domain from the ticket also works as expected. Have verified cases for: no dnssec, invalid dnssec and valid dnssec. All cases seem to work as expected. What doesn't work:n/a Bug or feature?:n/a |
underdarknl
approved these changes
May 27, 2024
jpbruinsslot
added a commit
that referenced
this pull request
Jun 11, 2024
* main: (78 commits) Translations update from Hosted Weblate (#3048) Translations update from Hosted Weblate (#3018) Fix empty consumes of boefjes will trigger tasks in scheduler (#3017) Fixes text in secondary menu on scan profile detail page (#3035) chore: Resolves css-issues found by sonarcloud (#3034) Add raw AuthToken SQL migration (#3009) Translations update from Hosted Weblate (#3012) Rewrite xtdb-cli.py with "click" (#2957) Phase out the Repository model from the KATalogus (#2984) Fix merge conflicts in weblate (#3007) Translations update from Hosted Weblate (#2996) Reports: Fix select all OOIs (#2909) Adding IPv6 support to documentation for Docker setups (#2813) Translations update from Hosted Weblate (#2930) User documentation for reports (#2898) Fix task api status code response for malformed id in the scheduler (#2953) Add drill trace option in dnssec boefje (#2979) Updated packages (#2972) Update granian and remove workaround for fixed bug (#2980) Fix typing in boefjes/normalizers (#2933) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
This fixes the linked issue that findings were shown while the DNSSEC check was valid. The trace option is added to the drill command so drill will trace from the root servers down instead of relying on a recursive DNS server. The added value of using this option is that it outputs the keys it find and those will be included in the raw file.
When comparing the results of the old code with the new code I also saw that old code incorrectly reported a self signed signature (which can be tested with dnssec-failed.org) as no DNSSEC instead of invalid DNSSEC
Issue link
Closes #2566
QA
I used the following hostnames to test the changes myself:
Checklist for code reviewers:
Copy-paste the checklist from the docs/source/templates folder into your comment.
Checklist for QA:
Copy-paste the checklist from the docs/source/templates folder into your comment.