github.com/dnsviz/dnsviz.git - Unnamed repository; edit this file 'description' to name the repository.
authorCasey Deccio <casey@deccio.net>2017-06-29 01:00:36 +0300
committerCasey Deccio <casey@deccio.net>2017-06-29 09:45:52 +0300
commitcf7c7780c675f7dea243bc85ecaa11598cbfd7cc (patch)
tree36eef422341808f54fb5f312a0719b2deffe0321
parentee03e5e351b528ddc069da7212ff54924b2e615f (diff)
Correct trust anchor errors
Errors associated with bad trust anchor configurations should show up as zone errors, not problems with DNSKEYs.
-rw-r--r--dnsviz/analysis/errors.py14
-rw-r--r--dnsviz/analysis/offline.py18
2 files changed, 15 insertions, 17 deletions
diff --git a/dnsviz/analysis/errors.py b/dnsviz/analysis/errors.py
index 06dcf84..691f88c 100644
--- a/dnsviz/analysis/errors.py
+++ b/dnsviz/analysis/errors.py
@@ -1754,15 +1754,19 @@ class DNSKEYNotAtZoneApex(DNSKEYError):
code = 'DNSKEY_NOT_AT_ZONE_APEX'
required_params = ['zone', 'name']
-class TrustAnchorNotSigning(DNSKEYError):
+class TrustAnchorError(DomainNameAnalysisError):
+ pass
+
+class NoTrustAnchorSigning(TrustAnchorError):
'''
- >>> e = TrustAnchorNotSigning()
+ >>> e = NoTrustAnchorSigning(zone='foo.baz.')
>>> e.description
- 'The key was designated as a trust anchor but was not found signing the RRset.'
+ 'One or more keys were designated as trust anchors for foo.baz., but none were found signing the DNSKEY RRset.'
'''
_abstract = False
- description_template = "The key was designated as a trust anchor but was not found signing the RRset."
- code = 'TRUST_ANCHOR_NOT_SIGNING'
+ description_template = "One or more keys were designated as trust anchors for %(zone)s, but none were found signing the DNSKEY RRset."
+ code = 'NO_TRUST_ANCHOR_SIGNING'
+ required_params = ['zone']
class RevokedNotSigning(DNSKEYError):
'''
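Review bot: The new `TrustAnchorError` base class carries no docstring and does not state whether it is abstract, while its only subclass has to opt out with `_abstract = False`; if `DomainNameAnalysisError` does not already default `_abstract` to True, the empty base would itself be reportable. I would replace the bare `pass` with a docstring such as `'''Base class for errors in the locally configured trust anchors for a zone (zone-level, not per-DNSKEY).'''` and, if the convention in this module requires it, an explicit `_abstract = True`. It is also worth noting in the `NoTrustAnchorSigning` docstring that, as wired up in offline.py, the code is raised both when a configured anchor is present in the DNSKEY RRset but not signing it and when the anchor is absent from the RRset altogether, so an operator reading the message knows to check for a stale anchor as well as a signing problem.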
diff --git a/dnsviz/analysis/offline.py b/dnsviz/analysis/offline.py
index 9d27dfb..2a38a3d 100644
--- a/dnsviz/analysis/offline.py
+++ b/dnsviz/analysis/offline.py
@@ -2133,8 +2133,7 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
return
trusted_keys_rdata = set([k for z, k in trusted_keys if z == self.name])
- trusted_keys_existing = set()
- trusted_keys_not_self_signing = set()
+ trusted_keys_self_signing = set()
# buid a list of responsive servers
bailiwick_map, default_bailiwick = self.get_bailiwick_mapping()
@@ -2146,10 +2145,8 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
# any errors point to their own servers_clients value
for dnskey in self.get_dnskeys():
- if dnskey.rdata in trusted_keys_rdata:
- trusted_keys_existing.add(dnskey)
- if dnskey not in self.ksks:
- trusted_keys_not_self_signing.add(dnskey)
+ if dnskey.rdata in trusted_keys_rdata and dnskey in self.ksks:
+ trusted_keys_self_signing.add(dnskey)
if dnskey in self.revoked_keys and dnskey not in self.ksks:
err = Errors.RevokedNotSigning()
err.servers_clients = dnskey.servers_clients
@@ -2170,18 +2167,15 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
# if the key is shown to be signing anything other than the
# DNSKEY RRset, or if it associated with a DS or trust anchor,
# then mark it as an error; otherwise, mark it as a warning.
- if dnskey in self.zsks or dnskey in self.dnskey_with_ds or dnskey in trusted_keys_existing:
+ if dnskey in self.zsks or dnskey in self.dnskey_with_ds or dnskey.rdata in trusted_keys_rdata:
dnskey.errors.append(err)
else:
dnskey.warnings.append(err)
for (server,client,response) in servers_clients_without:
err.add_server_client(server, client, response)
- if not trusted_keys_existing.difference(trusted_keys_not_self_signing):
- for dnskey in trusted_keys_not_self_signing:
- err = Errors.TrustAnchorNotSigning()
- err.servers_clients = dnskey.servers_clients
- dnskey.errors.append(err)
+ if trusted_keys_rdata and not trusted_keys_self_signing:
+ self.zone_errors.append(Errors.NoTrustAnchorSigning(zone=fmt.humanize_name(self.zone.name)))
def populate_response_component_status(self, G):
response_component_status = {}
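Review bot: The zone name passed to the new error at the end of the hunk, `self.zone.name`, does not match the name the trust anchors were filtered on, `self.name` (the `z == self.name` comprehension earlier in this function); if this path can be reached for a name that is not its own zone apex the message would blame the wrong zone, so unless the early `return` above guarantees `self.zone is self`, use `self.zone_errors.append(Errors.NoTrustAnchorSigning(zone=fmt.humanize_name(self.name)))`. The removed code attached `servers_clients` to the error, whereas the zone-level error has no server attribution at all, so a case where only some servers serve a DNSKEY RRset not signed by the anchor is no longer localized to those servers; if `zone_errors` entries support `add_server_client`, it would be worth populating it from the responses that lacked the anchor's signature. Finally, `trusted_keys_rdata and not trusted_keys_self_signing` also fires when none of the configured anchors appear in the RRset at all, which the old `trusted_keys_existing` check excluded; that is arguably the right behaviour for a zone error, but a short comment saying so would keep the next maintainer from "fixing" it. The enclosing method starts before this hunk.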