etc/services - sync with NetBSD-8

[minix.git] / external / bsd / bind / dist / contrib / scripts / check5011.pl

#!/usr/bin/perl

use warnings;
use strict;

use POSIX qw(strftime);
my $now = strftime "%Y%m%d%H%M%S", gmtime;

sub ext8601 ($) {
        my $d = shift;
        $d =~ s{(....)(..)(..)(..)(..)(..)}
               {$1-$2-$3.$4:$5:$6+0000};
        return $d;
}

sub getkey ($$) {
        my $h = shift;
        my $k = shift;
        m{\s+(\d+)\s+(\d+)\s+(\d+)\s+[(]\s*$};
        $k->{flags}     = $1;
        $k->{protocol}  = $2;
        $k->{algorithm} = $3;
        my $data = "(";
        while (<$h>) {
                s{^\s+}{};
                s{\s+$}{};
                last if m{^[)]};
                $data .= $_;
        }
        m{ alg = (\S+); key id = (\d+)};
        $k->{alg}  = $1;
        $k->{id}   = $2;
        $k->{data} = $data;
        return $k;
}

sub fmtkey ($) {
        my $k = shift;
        return sprintf "%16s tag %s", $k->{name}, $k->{id};
}

sub printstatus ($) {
        my $a = shift;
        if ($a->{removehd} ne "19700101000000") {
                printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
        } elsif ($a->{addhd} lt $now) {
                printf " trusted\n";
        } else {
                printf " waiting for %s\n", ext8601 $a->{addhd};
        }
}

sub digkeys ($) {
        my $name = shift;
        my $keys;
        open my $d, "-|", qw{dig +multiline DNSKEY}, $name;
        while (<$d>) {
                next unless m{^([a-z0-9.-]*)\s+\d+\s+IN\s+DNSKEY\s+};
                next unless $name eq $1;
                push @$keys, getkey $d, { name => $name };
        }
        return $keys;
}

my $anchor;
my $owner = ".";
while (<>) {
        next unless m{^([a-z0-9.-]*)\s+KEYDATA\s+(\d+)\s+(\d+)\s+(\d+)\s+};
        my $k = getkey *ARGV, {
                name     => $1,
                refresh  => $2,
                addhd    => $3,
                removehd => $4,
        };
        if ($k->{name} eq "") {
                $k->{name} = $owner;
        } else {
                $owner = $k->{name};
        }
        $k->{name} =~ s{[.]*$}{.};
        push @{$anchor->{$k->{name}}}, $k;
}

for my $name (keys %$anchor) {
        my $keys = digkeys $name;
        my $anchors = $anchor->{$name};
        for my $k (@$keys) {
                if ($k->{flags} & 1) {
                        printf "%s %s", fmtkey $k, $k->{alg};
                } else {
                        # ZSK - skipping
                        next;
                }
                if ($k->{flags} & 512) {
                        print " revoked;";
                }
                my $a;
                for my $t (@$anchors) {
                        if ($t->{data} eq $k->{data} and
                            $t->{protocol} eq $k->{protocol} and
                            $t->{algorithm} eq $k->{algorithm}) {
                                $t->{matched} = 1;
                                $a = $t;
                                last;
                        }
                }
                if (not defined $a) {
                        print " no trust anchor\n";
                        next;
                }
                printstatus $a;
        }
        for my $a (@$anchors) {
                next if $a->{matched};
                printf "%s %s missing;", fmtkey $a, $a->{alg};
                printstatus $a;
        }
}

exit;

__END__

=head1 NAME

check5011 - summarize DNSSEC trust anchor status

=head1 SYNOPSIS

check5011 <I<managed-keys.bind>>

=head1 DESCRIPTION

The BIND managed-keys file contains DNSSEC trust anchors
that can be automatically updated according to RFC 5011. The
B<check5011> program reads this file and prints a summary of the
status of the trust anchors. It fetches the corresponding
DNSKEY records using B<dig> and compares them to the trust anchors.

Each key is printed on a line with its name, its tag, and its
algorithm, followed by a summary of its status.

=over

=item C<trusted>

The key is currently trusted.

=item C<waiting for ...>

The key is new, and B<named> is waiting for the "add hold-down" period
to pass before the key will be trusted.

=item C<untrusted and to be removed at ...>

The key was revoked and will be removed at the stated time.

=item C<no trust anchor>

The key is present in the DNS but not in the managed-keys file.

=item C<revoked>

The key has its revoked flag set. This is printed before the key's
trust anchor status which should normally be C<untrusted...> if
B<named> has observed the revocation.

=item C<missing>

There is no DNSKEY record for this trust anchor. This is printed
before the key's trust anchor status.

=back

By default the managed keys are stored in a file called
F<managed-keys.bind> in B<named>'s working directory. This location
can be changed with B<named>'s B<managed-keys-directory> option. If
you are using views the file may be named with the SHA256 hash of a
view name with a F<.mkeys> extension added.

=head1 AUTHOR

=over

=item Written by Tony Finch <fanf2@cam.ac.uk> <dot@dotat.at>

=item at the University of Cambridge Computing Service.

=item You may do anything with this. It has no warranty.

=item L<http://creativecommons.org/publicdomain/zero/1.0/>

=back

=head1 SEE ALSO

dig(1), named(8)

=cut