message system refactoring; retry queries if they timeout; search for…

… more RR types
fabian-hk · Mar 28, 2020 · ff5079c · ff5079c
1 parent 9142661
commit ff5079c
Show file tree

Hide file tree

Showing 8 changed files with 38 additions and 41 deletions.
diff --git a/dnssec_scanner/__init__.py b/dnssec_scanner/__init__.py
@@ -123,6 +123,11 @@ def find_records(self, zone: Zone) -> Set[int]:
             dns.rdatatype.AAAA,
             dns.rdatatype.MX,
             dns.rdatatype.CNAME,
+            dns.rdatatype.PTR,
+            dns.rdatatype.WKS,
+            dns.rdatatype.HINFO,
+            dns.rdatatype.MINFO,
+            dns.rdatatype.TXT,
         ]
 
         # ask with ANY for all existing records

diff --git a/dnssec_scanner/cli_interface.py → dnssec_scanner/cli.py b/dnssec_scanner/cli_interface.py → dnssec_scanner/cli.py
diff --git a/dnssec_scanner/nsec/__init__.py b/dnssec_scanner/nsec/__init__.py
@@ -36,9 +36,9 @@ def proof_none_existence(
 
     if validated and check_ds:
         msg = f"{zone.name} zone: Successfully proved that {zone.child_name} does not support DNSSEC"
-        result.append_log(msg)
+        result.logs.append(msg)
     elif not validated and check_ds:
         msg = f"{zone.name} zone: Could not proof that {zone.child_name} does not support DNSSEC"
-        result.append_errors(msg)
+        result.errors.append(msg)
 
     return validated
diff --git a/dnssec_scanner/nsec/nsec.py b/dnssec_scanner/nsec/nsec.py
@@ -25,14 +25,14 @@ def nsec_proof_of_none_existence(
         if nsec_utils.compare_canonical_order(name, qname) == 0:
             if dns.rdatatype.DS not in nsec_utils.nsec_window_to_array(nsec):
                 msg = f"{zone.name} zone: Prove successful that the DS record does not exist"
-                result.append_log(msg)
+                result.logs.append(msg)
             else:
                 msg = f"{zone.name} zone: DS record does exist"
-                result.append_errors(msg)
+                result.errors.append(msg)
                 success = False
         else:
             msg = f"{zone.name} zone: NSEC owner name and QNAME is not the same"
-            result.append_errors(msg)
+            result.errors.append(msg)
             success = False
     else:
         # Prove that the domain name does not exist
@@ -49,7 +49,7 @@ def nsec_proof_of_none_existence(
                 msg = (
                     f"{zone.name} zone: Found NSEC that {result.domain} does not exist"
                 )
-                result.append_log(msg)
+                result.logs.append(msg)
                 validated["rr"] = True
             elif (
                     qname.is_subdomain(name)
@@ -59,20 +59,20 @@ def nsec_proof_of_none_existence(
             ):
                 # check that there was no possible wildcard expansion
                 msg = f"{zone.name} zone: Found NSEC that no wildcard expansion for {result.domain} is possible"
-                result.append_log(msg)
+                result.logs.append(msg)
                 validated["w"] = True
             else:
                 msg = f"{zone.name} zone: Found useless NSEC for {result.domain}"
-                result.append_warning(msg)
+                result.warnings.append(msg)
 
         if not validated["rr"]:
             msg = f"{zone.name} zone: Could not find a NSEC that covers the name {result.domain}"
-            result.append_errors(msg)
+            result.errors.append(msg)
             success = False
 
         if not validated["w"]:
             msg = f"{zone.name} zone: Could not validate that there is no wildcard for the name {result.domain}"
-            result.append_errors(msg)
+            result.errors.append(msg)
             success = False
 
     return success
diff --git a/dnssec_scanner/nsec/nsec3.py b/dnssec_scanner/nsec/nsec3.py
@@ -42,20 +42,20 @@ def nsec3_proof_of_none_existence(
     )
     if status:
         msg = f"{zone.name} zone: Found closest encloser {closest_encloser}"
-        result.append_log(msg)
+        result.logs.append(msg)
     else:
         msg = f"{zone.name} zone: Could not find closest encloser for {qname.to_text()}"
-        result.append_errors(msg)
+        result.errors.append(msg)
     success &= status
 
     # check if the next closer name is covered by an NSEC3 record
     status = check_next_closer_name(nsec3s, nsec3param.items[0], next_closer_name)
     if status:
         msg = f"{zone.name} zone: Found NSEC3 that covers the next closer name {next_closer_name}"
-        result.append_log(msg)
+        result.logs.append(msg)
     else:
         msg = f"{zone.name} zone: Could not find a NSEC3 record that covers the next closer name"
-        result.append_errors(msg)
+        result.errors.append(msg)
     success &= status
 
     if not check_ds:

diff --git a/dnssec_scanner/utils.py b/dnssec_scanner/utils.py
@@ -1,14 +1,18 @@
 from __future__ import annotations
 from typing import Optional, List, Tuple
 from enum import Enum
-from tabulate import tabulate
-from textwrap import TextWrapper
 from dataclasses import dataclass
 
+from tabulate import tabulate
+from textwrap import TextWrapper
 import dns
+import logging
 
 from .messages import Message
 
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger("dnssec_scanner")
+
 
 class Key(Enum):
     KSK = 257
@@ -68,18 +72,6 @@ def compute_batch(self, msgs: List[Message]) -> bool:
 
         return success
 
-    def append_log(self, msg: str):
-        self.logs.append(msg)
-        self.logs = remove_dup(self.logs)
-
-    def append_warning(self, msg: str):
-        self.warnings.append(msg)
-        self.warnings = remove_dup(self.warnings)
-
-    def append_errors(self, msg: str):
-        self.errors.append(msg)
-        self.errors = remove_dup(self.errors)
-
     def __str__(self):
         width = 80
         wrapper = TextWrapper(width=width, replace_whitespace=False)
@@ -124,9 +116,17 @@ def __str__(self):
         return f"{self.name} @{self.ip}"
 
 
-def dns_query(domain: str, ip: str, type: int) -> dns.message.Message:
-    request = dns.message.make_query(domain, type, want_dnssec=True, payload=16384)
-    return dns.query.udp(request, ip, timeout=10)
+def dns_query(
+        domain: str, ip: str, type: int, tries: Optional[int] = 0
+) -> dns.message.Message:
+    try:
+        request = dns.message.make_query(domain, type, want_dnssec=True, payload=16384)
+        return dns.query.udp(request, ip, timeout=1)
+    except TimeoutError as e:
+        log.warning("Query timeout")
+        if tries < 5:
+            dns_query(domain, ip, type, tries + 1)
+        raise e
 
 
 def get_rr_by_type(
@@ -202,14 +202,6 @@ def digest_algorithm(algo: int) -> str:
     return ""
 
 
-def remove_dup(l: List[any]) -> List[any]:
-    r = []
-    for i in l:
-        if i not in r:
-            r.append(i)
-    return r
-
-
 def expand_string(s: str, width: int) -> str:
     l = width - len(s)
     for _ in range(l):

diff --git a/run.py b/run.py
@@ -1,4 +1,4 @@
-from dnssec_scanner.cli_interface import main
+from dnssec_scanner.cli import main
 
 if __name__ == "__main__":
     main()
diff --git a/setup.py b/setup.py
@@ -30,6 +30,6 @@
         "ecdsa",
     ],
     entry_points={
-        "console_scripts": ["dnssec-scanner=dnssec_scanner.cli_interface:main"]
+        "console_scripts": ["dnssec-scanner=dnssec_scanner.cli:main"]
     },
 )