pyllyukko · March 5, 2025 14:31
diff --git a/dnssec_root_keys.sh b/dnssec_root_keys.sh
 #!/bin/bash

 # dnssec_root_keys.sh
 #
 # mostly copied from https://calomel.org/dns_bind.html, but with different verification and trusted-keys (vs. managed-keys)

 export PATH="/usr/sbin:/sbin:/usr/bin:/bin"
 for PROGRAM in \
  dnssec-dsfromkey \
  gpgsm \
  sed \
  grep \
  wget \
  gawk
 do
  if ! hash "${PROGRAM}" 2>/dev/null
  then
    printf "error: command not found in PATH: %s\n" "${PROGRAM}" >&2
    exit 1
  fi
 done
 unset PROGRAM

 anchors="root-anchors.xml"
 wget -nv -N "https://data.iana.org/root-anchors/${anchors}" https://data.iana.org/root-anchors/root-anchors.p7s

 if ! grep -q '^C2:5A:21:27:12:5E:AB:36:34:83:96:9B:6B:EB:3A:BF:C8:E9:58:3F' ~/.gnupg/trustlist.txt
 then
  echo "[-] you don't have the ICANN Root CA in your trustlist.txt" 1>&2
  exit 1
 fi
 # should be signed with [email protected]
 gpgsm --verify root-anchors.p7s "${anchors}" || {
  echo "[-] S/MIME verification failed!" 1>&2
  exit 1
 }

 # https://tools.ietf.org/html/rfc4034#section-2.1.2
 protocol="3"
 rootkey="root-dnskeys.txt"
 # 256 = ZSK
 # 257 = KSK
 flags="257"
 dig . DNSKEY 1>"${rootkey}"

 # get the SHA-256 digests (2)
 rootkeydigests=($( grep "DNSKEY.*${flags} ${protocol}" "${rootkey}" | dnssec-dsfromkey -2 -f - . | awk '{print$7}' ))
 for rootkeydigest in ${rootkeydigests[*]}
 do
  if [[ ! ${rootkeydigest} =~ ^[0-9A-F]{64}$ ]]
  then
    echo "[-] could not determine root key digest from DNSKEY response!" 1>&2
    rm -v "${rootkey}"
    exit 1
  fi
  echo "[*] checking root key digest ${rootkeydigest}"
  if ! grep -q "^<Digest>${rootkeydigest}</Digest>$" "${anchors}"
  then
    echo "[-] root key digest not found in ${anchors}" 1>&2
    rm -v "${rootkey}"
    exit 1
  fi
 done

 echo "trusted-keys {"
 # https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Algorithms
 while read name ttl class type answer_flags answer_protocol algorithm key
 do
  if [ "${name}" != "." \
    -o "${class}" != "IN" \
    -o "${type}" != "DNSKEY" \
    -o "${answer_flags}" != "${flags}" \
    -o "${answer_protocol}" != "${protocol}" ]
  then
    continue
  fi
  echo "  . ${flags} ${protocol} ${algorithm} \"${key}\";"
 done 0<"${rootkey}"
 echo "}"
 exit 0
	#!/bin/bash

	# dnssec_root_keys.sh
	#
	# mostly copied from https://calomel.org/dns_bind.html, but with different verification and trusted-keys (vs. managed-keys)

	export PATH="/usr/sbin:/sbin:/usr/bin:/bin"
	for PROGRAM in \
	dnssec-dsfromkey \
	gpgsm \
	sed \
	grep \
	wget \
	gawk
	do
	if ! hash "${PROGRAM}" 2>/dev/null
	then
	printf "error: command not found in PATH: %s\n" "${PROGRAM}" >&2
	exit 1
	fi
	done
	unset PROGRAM

	anchors="root-anchors.xml"
	wget -nv -N "https://data.iana.org/root-anchors/${anchors}" https://data.iana.org/root-anchors/root-anchors.p7s

	if ! grep -q '^C2:5A:21:27:12:5E:AB:36:34:83:96:9B:6B:EB:3A:BF:C8:E9:58:3F' ~/.gnupg/trustlist.txt
	then
	echo "[-] you don't have the ICANN Root CA in your trustlist.txt" 1>&2
	exit 1
	fi
	# should be signed with [email protected]
	gpgsm --verify root-anchors.p7s "${anchors}" \|\| {
	echo "[-] S/MIME verification failed!" 1>&2
	exit 1
	}

	# https://tools.ietf.org/html/rfc4034#section-2.1.2
	protocol="3"
	rootkey="root-dnskeys.txt"
	# 256 = ZSK
	# 257 = KSK
	flags="257"
	dig . DNSKEY 1>"${rootkey}"

	# get the SHA-256 digests (2)
	rootkeydigests=($( grep "DNSKEY.*${flags} ${protocol}" "${rootkey}" \| dnssec-dsfromkey -2 -f - . \| awk '{print$7}' ))
	for rootkeydigest in ${rootkeydigests[*]}
	do
	if [[ ! ${rootkeydigest} =~ ^[0-9A-F]{64}$ ]]
	then
	echo "[-] could not determine root key digest from DNSKEY response!" 1>&2
	rm -v "${rootkey}"
	exit 1
	fi
	echo "[*] checking root key digest ${rootkeydigest}"
	if ! grep -q "^<Digest>${rootkeydigest}</Digest>$" "${anchors}"
	then
	echo "[-] root key digest not found in ${anchors}" 1>&2
	rm -v "${rootkey}"
	exit 1
	fi
	done

	echo "trusted-keys {"
	# https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Algorithms
	while read name ttl class type answer_flags answer_protocol algorithm key
	do
	if [ "${name}" != "." \
	-o "${class}" != "IN" \
	-o "${type}" != "DNSKEY" \
	-o "${answer_flags}" != "${flags}" \
	-o "${answer_protocol}" != "${protocol}" ]
	then
	continue
	fi
	echo " . ${flags} ${protocol} ${algorithm} \"${key}\";"
	done 0<"${rootkey}"
	echo "}"
	exit 0