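#!/usr/bin/env python3
'''
Check whether the authoritative nameservers returned for all puzzle managed
domains belong to the list of pitc_nameservers and fail if one does not.

The NS records are looked up through a public recursive resolver (OpenDNS),
so the result is whatever that resolver answers, possibly from its cache; it
is not a direct query of the parent zone or the registry, and this script
performs no DNSSEC validation of the answers it receives.

usage: ./dnsverify.py [-v]

exit status: 0 if every domain delegates only to pitc_nameservers,
             1 if any domain lists a foreign name server or its NS lookup
             fails (a failed lookup cannot prove the delegation is right,
             so it counts as a verification failure instead of a crash).
'''
import sys

import yaml
import dns.exception
import dns.resolver

# list of puzzle authoritative name servers (absolute names, lower case;
# comparisons in verify_authoritative_ns are case-insensitive)
pitc_nameservers = [
    'ns1.dnsimple.com.',
    'ns2.dnsimple.com.',
    'ns3.dnsimple.com.',
    'ns4.dnsimple.com.',
    'ns5.dnsmadeeasy.com.',
    'ns6.dnsmadeeasy.com.',
    'ns7.dnsmadeeasy.com.',
]

# list of puzzle managed zone files
pitc_domains = [
    'puzzle.ch.yaml',
    'puzzle.yaml',
    'nonpuzzle.yaml',
]

# configure opendns resolver
# (the module is imported as dns.resolver so that this instance does not
# shadow the module name it was created from)
resolver = dns.resolver.Resolver()
resolver.nameservers = ['208.67.222.222', '208.67.220.220']


def get_authoritative_ns(domains, verbose=False):
    '''
    dsc: Query the NS records of every domain and check that each returned
         name server is one of the puzzle managed name servers.
    arg: [list], domains to query
         [bool], verbose, print every (domain, nameserver) pair that is ok
    ret: [boolean], true if every domain delegates only to pitc_nameservers
         (vacuously true for an empty list); false if any domain has a
         foreign name server or its NS lookup fails. Every problem is
         reported on stderr before returning, not only the first one, so a
         single run shows the complete list of drifted delegations.
    '''
    all_ok = True
    for domain in domains:
        try:
            answers = resolver.resolve(domain, 'NS')
        except dns.exception.DNSException as err:
            # NXDOMAIN, NoAnswer, NoNameservers, Timeout ... all derive from
            # DNSException; the delegation cannot be verified, so fail the
            # domain instead of aborting the whole run with a traceback.
            print("ERROR: {} NS lookup failed: {}".format(domain, err), file=sys.stderr)
            all_ok = False
            continue
        for server in answers:
            if not verify_authoritative_ns(str(server)):
                print("ERROR: {} got answer from {}, not managed by puzzle".format(domain, server), file=sys.stderr)
                all_ok = False
            elif verbose:
                print("{} got answer from {}".format(domain, server))
    return all_ok


def get_domains(filenames):
    '''
    dsc: Loads domain names from a list of yaml files.
    arg: [list], filenames
    ret: [list], arbitrary list of domain names, in file order, duplicates kept
    raises: ValueError if a file is empty, is not a mapping or has no 'zones'
         key, with the file name in the message (instead of the TypeError
         that list(None) would raise).
    '''
    domains = []
    for file in filenames:
        with open(file, 'r', encoding='utf-8') as zone_file:
            yaml_data = yaml.safe_load(zone_file)
        # safe_load returns None for an empty document; guard before .get()
        zones = yaml_data.get('zones') if isinstance(yaml_data, dict) else None
        if zones is None:
            raise ValueError("{}: no 'zones' entry found".format(file))
        domains.extend(list(zones))
    return domains


def verify_authoritative_ns(nameserver):
    '''
    dsc: Verifies if the authoritative NS belongs to the puzzle managed NS.
    arg: [str], nameserver; normally the absolute name (trailing dot) as
         returned by the resolver. DNS names are case-insensitive, so the
         comparison ignores case, and a missing trailing dot is tolerated.
    ret: [boolean], true if ok; false if nok.
    '''
    name = nameserver.lower()
    if not name.endswith('.'):
        name += '.'
    return name in pitc_nameservers


if __name__ == '__main__':
    VERBOSE = '-v' in sys.argv
    # named 'domains', not 'dns', so the dns package is not shadowed
    managed_domains = get_domains(pitc_domains)
    if not get_authoritative_ns(managed_domains, VERBOSE):
        sys.exit(1)
    sys.exit(0)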