Subject: Suggested enhancement to dnssec-checkds

I need to verify a DS RRset against a master file offline in advance of publication of the DS records at the parent. I've modified dnssec-checkds as shown below to do this. I expect that this may be useful to others, and hope it can be considered for inclusion in a future release.

Best regards,
Niall O'Reilly

-- diff output follows

niall@ns:~/zones$ diff -u /usr/sbin/dnssec-checkds ~/bin/new-dnssec-checkdns
--- /usr/sbin/dnssec-checkds 2016-11-17 23:31:25.000000000 +0000 +++ /home/niall/bin/new-dnssec-checkdns 2017-02-08 15:32:45.600498090 +0000 @@ -174,10 +174,14 @@ # Generate a set of expected DS records from the DNSKEY RRset, # and report on congruency. ############################################################################ -def checkds(zone, masterfile = None): +def checkds(zone, masterfile = None, dssetfile = None): dslist=[] - fp=os.popen("%s +noall +answer -t ds -q %s" % - (shellquote(args.dig), shellquote(zone))) + if dssetfile: + fp=open(dssetfile) + print('Reading DS RRset from file: ' + dssetfile) + else: + fp=os.popen("%s +noall +answer -t ds -q %s" % + (shellquote(args.dig), shellquote(zone))) for line in fp: dslist.append(DSRR(line)) dslist = sorted(dslist, key=lambda ds: (ds.keyid, ds.keyalg, ds.hashalg)) @@ -296,6 +300,8 @@ help='zone master file') parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, help='DLV lookaside zone') + parser.add_argument('-p', '--prepared', dest='dssetfile', type=str, + help='prepared DSset file') parser.add_argument('-d', '--dig', dest='dig', default=os.path.join(prefix(bindir), 'dig'), type=str, help='path to \'dig\'') 
@@ -319,7 +325,7 @@ if args.lookaside: found = checkdlv(args.zone, args.lookaside, args.masterfile) else: - found = checkds(args.zone, args.masterfile) + found = checkds(args.zone, args.masterfile, args.dssetfile) exit(0 if found else 1) niall@ns:~/zones$ -- ends
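Review bot: in the first hunk (`@@ -174,10 +174,14 @@`), `fp=open(dssetfile)` has no error handling and the handle is never closed, so a missing or unreadable file ends in a traceback instead of the script's normal exit status; use `with open(dssetfile) as fp:` or catch `IOError` and exit with a message. Two further points on the same branch: the `print('Reading DS RRset from file: ' + dssetfile)` goes to stdout alongside the congruency report, so writing it to `sys.stderr` keeps the report clean; and unlike the `dig ... -t ds -q <zone>` path, which can only return DS records at the queried owner name, the file path feeds every line to `DSRR(line)` without checking that the record's owner is `zone`, so a dsset file for the wrong zone, or one containing blank or comment lines, is compared silently. Checking each record's owner name against `zone` before `dslist.append` would close that gap.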
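Review bot: in the second hunk (`@@ -296,6 +300,8 @@`), the help text `'prepared DSset file'` says neither what format the file is in nor that it replaces the live DS query. Since `dnssec-signzone` already writes such a file as `dsset-<zone>.`, the help string should name that format (for example `'read the DS RRset from a dsset-<zone>. file instead of querying with dig'`), and `--dsset` would be a clearer option name than `--prepared`. Consider also declaring this option in a `parser.add_mutually_exclusive_group()` together with `-l/--lookaside`, since the call site never uses both.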
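Review bot: in the third hunk (`@@ -319,7 +325,7 @@`), `args.dssetfile` is only passed in the `else` branch, so when `args.lookaside` is set the prepared file is silently ignored and the user gets a DLV check against live DNS with no indication that `-p` had no effect. Either reject the combination before the `if` (or via an argparse mutually exclusive group) or pass `args.dssetfile` through to `checkdlv` if that function can read from a file as well.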