Skip to content

dnssec-check: add new package#26941

Open
liuyuf78fk wants to merge 1 commit into
openwrt:masterfrom
liuyuf78fk:dnssec-check
Open

dnssec-check: add new package#26941
liuyuf78fk wants to merge 1 commit into
openwrt:masterfrom
liuyuf78fk:dnssec-check

Conversation

@liuyuf78fk

Copy link
Copy Markdown
Contributor

This adds a lightweight tool to check whether the current DNS resolver supports DNSSEC validation. The tool uses dig for DNS queries and supports configuring two reference domains for testing via UCI:

  • secure domain (default: nic.cz)
  • broken domain (default: dnssec-failed.org)

It determines DNSSEC support based on these queries and reports severity levels: secure, medium, insecure.

@liuyuf78fk

liuyuf78fk commented Jul 8, 2025

Copy link
Copy Markdown
Contributor Author

Functional Test Report: dnssec-check

This report demonstrates how dnssec-check works under different resolver configurations, verifying its logic in classifying DNSSEC support levels.

Test Environment

  • Device Model: Redmi AX6
  • Target Platform: qualcommax/ipq807x
  • Firmware Version: OpenWrt SNAPSHOT r30287-604355e8c4
  • Kernel Version: 6.12.35

Case 1: Secure (Local resolver validates DNSSEC)

/etc/resolv.conf:
nameserver 1.1.1.1
nameserver 2606:4700:4700::1111

$ dnssec-check
[INFO] Loaded configuration from UCI.
[*] Querying nic.cz ...
[*] Querying dnssec-failed.org ...
Parsed nic.cz: AD=true, Status=NOERROR
Parsed dnssec-failed.org: AD=false, Status=SERVFAIL
-> Severity level: secure

Explanation: The local resolver successfully performs full DNSSEC validation.


Case 2: Medium (Upstream validates, local does not)

/etc/resolv.conf:
nameserver 127.0.0.1 #(DNSSEC not enabled)

If the upstream DNS server is:
1.1.1.1

$ dnssec-check
[INFO] Loaded configuration from UCI.
[*] Querying nic.cz ...
[*] Querying dnssec-failed.org ...
Parsed nic.cz: AD=false, Status=NOERROR
Parsed dnssec-failed.org: AD=false, Status=SERVFAIL
-> Severity level: medium

Explanation: The local resolver does not validate DNSSEC, but the upstream resolver blocks domains that fail DNSSEC validation.


Case 3: Insecure (Neither local nor upstream validates DNSSEC)

/etc/resolv.conf:
nameserver 127.0.0.1 #(DNSSEC not enabled)

If the upstream DNS server is:
192.168.137.1 #(DNSSEC not enabled)

$ dnssec-check
[INFO] Loaded configuration from UCI.
[*] Querying nic.cz ...
[*] Querying dnssec-failed.org ...
Parsed nic.cz: AD=false, Status=NOERROR
Parsed dnssec-failed.org: AD=false, Status=NOERROR
-> Severity level: insecure

Explanation: Both the local and upstream resolvers return unsigned responses without blocking invalid domains.


Summary

The tool accurately distinguishes between the following DNSSEC support levels:

  • secure: local DNSSEC validation is active
  • medium: upstream DNSSEC validation is active, but local is not
  • insecure: no DNSSEC validation at any level

This tool might assist OpenWrt users with elementary DNSSEC validation.

@BKPepe BKPepe requested a review from Copilot July 9, 2025 06:42

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds a minimal DNSSEC validation tool that queries two reference domains and reports support level via UCI.

  • Introduces a UCI defaults script to populate /etc/config/dnssec-check
  • Adds a Makefile to build and install the binary and defaults file

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
files/dnssec-check.defaults New script to initialize UCI configuration with defaults
Makefile Package build/install rules and metadata for dnssec-check
Comments suppressed due to low confidence (2)

net/dnssec-check/Makefile:25

  • [nitpick] The new DNSSEC validation tool currently lacks any automated tests. Consider adding a test suite to verify secure, medium, and insecure outcomes against known domains to ensure future changes don’t break core logic.
define Package/dnssec-check

net/dnssec-check/Makefile:34

  • [nitpick] Package description is in the Makefile, but the repository’s README or other user-facing docs aren’t updated to explain how to configure and run the tool. Adding usage examples and config details would help new users.
define Package/dnssec-check/description

@liuyuf78fk liuyuf78fk force-pushed the dnssec-check branch 7 times, most recently from 98b570d to a3e5b0a Compare July 10, 2025 20:18
@liuyuf78fk

liuyuf78fk commented Jul 12, 2025

Copy link
Copy Markdown
Contributor Author

Hello, I'd like to check if anything is missing from this PR. Happy to update based on suggestions 😊.

My home OpenWrt device has DNSSEC enabled in its DNS resolver. Here's the output of running dnssec-check:
dnssec-check

This screenshot shows my current UCI settings for dnssec-check on my OpenWrt router:
uci-show

Here's the system info from my OpenWrt router, showing the environment where I tested the package:
system-board

I’m happy to maintain this package and keep it updated if accepted.

@liuyuf78fk liuyuf78fk changed the title dnssec-check: add simple DNSSEC validation tool dnssec-check: add new package Jul 16, 2025
@liuyuf78fk liuyuf78fk force-pushed the dnssec-check branch 6 times, most recently from 104e565 to ddc699c Compare July 30, 2025 12:39
@liuyuf78fk liuyuf78fk force-pushed the dnssec-check branch 4 times, most recently from 7787662 to 5a18d2f Compare August 2, 2025 09:10

@wehagy wehagy left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You know how this works, it's maintained by the community. Hopefully, someone will review it eventually. Unfortunately, it's me this time 😅.

Anyway, you need to fix the build so I can check if the package is working.

Comment thread net/dnssec-check/Makefile Outdated
Comment on lines +1 to +6
#
# Copyright (C) 2025 Liu Yu <f78fk@live.com>
#
# This is free software, licensed under the GNU General Public License v2.0 or later.
# See /LICENSE for more information.
#

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#
# Copyright (C) 2025 Liu Yu <f78fk@live.com>
#
# This is free software, licensed under the GNU General Public License v2.0 or later.
# See /LICENSE for more information.
#
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2025 Liu Yu <f78fk@live.com>

Comment thread net/dnssec-check/Makefile Outdated
Comment thread net/dnssec-check/Makefile Outdated
Comment on lines +18 to +19
PKG_LICENSE:=GPL-2.0-or-later
PKG_MAINTAINER:=Liu Yu <f78fk@live.com>

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
PKG_LICENSE:=GPL-2.0-or-later
PKG_MAINTAINER:=Liu Yu <f78fk@live.com>
PKG_MAINTAINER:=Liu Yu <f78fk@live.com>
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=LICENSE

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leave uci-defaults alone, use a plain config and apk/opkg will take care for this for you.

One more suggestion, you don't want to maintain the config file in your repo? IHMO you have full control there, but is up to you as a maintainer to decide.

Comment thread net/dnssec-check/Makefile
@liuyuf78fk

liuyuf78fk commented Aug 5, 2025

Copy link
Copy Markdown
Contributor Author

You know how this works, it's maintained by the community. Hopefully, someone will review it eventually. Unfortunately, it's me this time 😅.

Anyway, you need to fix the build so I can check if the package is working.

Thank you for your review. I’ve updated the package according to your suggestions and tested it on the amd64 platform — it works well.

The build errors on other platforms are due to a dependency on bind-dig, which currently fails to build on the OpenWrt main branch. However, this issue has already been fixed in the following PR:
#27095
e40f5d5

@liuyuf78fk liuyuf78fk force-pushed the dnssec-check branch 2 times, most recently from 783352e to b92ff16 Compare August 5, 2025 19:44
@GeorgeSapkin GeorgeSapkin requested a review from wehagy August 30, 2025 21:13
@wehagy wehagy self-assigned this Sep 11, 2025
@GeorgeSapkin GeorgeSapkin force-pushed the dnssec-check branch 2 times, most recently from a8d77ad to 3988eb4 Compare April 23, 2026 06:38
@BKPepe BKPepe force-pushed the dnssec-check branch 2 times, most recently from ae55f7b to 5721043 Compare May 10, 2026 11:07
@liuyuf78fk

Copy link
Copy Markdown
Contributor Author

Updated the PKG_HASH to match the official source and rebased onto master.

Also manually verified on real hardware:

  • Device: Nokia Bell XG-140G-TF
  • Arch: ARMv8 (Airoha AN7581)
  • Firmware: OpenWrt SNAPSHOT (Kernel 6.12.80)

@openwrt-ai openwrt-ai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the current diff (single commit a5f34ec, only net/dnssec-check/Makefile — the C source now ships in the external release tarball). Verified tag v1.0.2 exists in the source repo, matching PKG_VERSION. CI reports no checks on the head commit yet, so nothing to ground there. One inline comment on the link flags.


Generated by Claude Code

Comment thread net/dnssec-check/Makefile Outdated
Comment on lines +36 to +38
$(TARGET_CC) $(TARGET_CFLAGS) \
-o $(PKG_BUILD_DIR)/dnssec-check \
$(PKG_BUILD_DIR)/dnssec-check.c -luci

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The link command omits $(TARGET_LDFLAGS). OpenWrt puts its target link-time settings (staging -L paths and the default hardening flags such as RELRO/-z now) into TARGET_LDFLAGS, so linking -luci without it produces a binary that misses those flags and deviates from the in-tree convention — e.g. package/network/utils/rssileds/Makefile and package/utils/bsdiff/Makefile both pass $(TARGET_LDFLAGS) on the compile+link line.

Suggested change
$(TARGET_CC) $(TARGET_CFLAGS) \
-o $(PKG_BUILD_DIR)/dnssec-check \
$(PKG_BUILD_DIR)/dnssec-check.c -luci
$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS) \
-o $(PKG_BUILD_DIR)/dnssec-check \
$(PKG_BUILD_DIR)/dnssec-check.c -luci

Generated by Claude Code

This adds a lightweight tool to check whether the current DNS resolver
supports DNSSEC validation. The tool uses dig for DNS queries and
supports configuring two reference domains for testing via UCI:
- secure domain (default: nic.cz)
- broken domain (default: dnssec-failed.org)

It determines DNSSEC support based on these queries and reports
severity levels: secure, medium, insecure.

Co-authored-by: Wesley Gimenes <wehagy+github@gmail.com>
Signed-off-by: Liu Yu <f78fk@live.com>

@openwrt-ai openwrt-ai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 new commit; no new issues found.

The Build/Compile line now passes $(TARGET_LDFLAGS), which addresses my previous comment about the missing target link flags. The remainder of net/dnssec-check/Makefile is unchanged. CI reports no checks on the head commit yet, so nothing to ground there.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants