#!/bin/env python
'''
Check whether the authoritative nameservers returned for all puzzle managed
domains belong to the list of pitc_nameservers and fail if one does not.
'''
import sys

import yaml
from dns import resolver
from dns.exception import DNSException
# Authoritative name servers operated for puzzle. This is a strict allowlist:
# an NS answer pointing anywhere else makes the check fail. Entries are kept
# as absolute names (trailing dot) because verify_authoritative_ns compares
# them against str() of each NS answer.
pitc_nameservers = [
    'ns1.dnsimple.com.',
    'ns2.dnsimple.com.',
    'ns3.dnsimple.com.',
    'ns4.dnsimple.com.',
    'ns5.dnsmadeeasy.com.',
    'ns6.dnsmadeeasy.com.',
    'ns7.dnsmadeeasy.com.',
]

# YAML zone files; the `zones` list of each one contributes managed domains.
pitc_domains = [
    'puzzle.ch.yaml',
    'puzzle.yaml',
    'nonpuzzle.yaml',
]

# Query through the OpenDNS public resolvers instead of the local stub
# resolver. Note that this rebinds the imported `dns.resolver` module name
# to a Resolver instance: from here on, `resolver` in this file is that
# instance, not the module.
# NOTE(review): nothing here requests or validates DNSSEC, so the check
# trusts whatever these recursive resolvers return — confirm that is
# acceptable for the threat this script is meant to catch.
resolver = resolver.Resolver()
resolver.nameservers = [
    '208.67.222.222',
    '208.67.220.220',
]
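def get_authoritative_ns(domains):
    '''
    dsc: Query the NS records of every domain and check that each returned
         name server is one of the puzzle managed servers. Every violation
         and every failed lookup is reported on stderr, and all domains are
         checked before the verdict is returned, so one run lists every
         problem instead of stopping at the first.
    arg: [list], domains to query
    ret: [boolean], true if every NS of every domain is managed by puzzle;
         false if at least one is not, or if a lookup failed.
    '''
    all_managed = True
    for domain in domains:
        try:
            answers = resolver.resolve(domain, 'NS')
        except DNSException as err:
            # NXDOMAIN, empty answer, SERVFAIL, timeout, ...: a zone whose
            # delegation cannot be verified must fail the check, with a
            # readable line rather than a traceback.
            print("ERROR: {} NS lookup failed: {}".format(domain, err), file=sys.stderr)
            all_managed = False
            continue
        for server in answers:
            if not verify_authoritative_ns(str(server)):
                print("ERROR: {} got answer from {}, not managed by puzzle".format(domain, server), file=sys.stderr)
                all_managed = False
    return all_managed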
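def get_domains(filenames):
    '''
    dsc: Loads domain names from a list of yaml files. Each file must hold a
         mapping with a top-level `zones` entry; the entries of all files are
         concatenated in file order.
    arg: [list], filenames
    ret: [list], arbitrary list of domain names
    raise: ValueError if a file is empty, is not a mapping, has no `zones`
           entry, or has a scalar string as `zones` (which would otherwise
           be split into single characters). A malformed zone file must fail
           the run loudly rather than silently shrink the set of checked
           domains.
    '''
    domains = []
    for filename in filenames:
        with open(filename, 'r') as zone_file:
            # safe_load: zone files are plain data; never let YAML construct
            # arbitrary Python objects from them.
            yaml_data = yaml.safe_load(zone_file)
        zones = yaml_data.get('zones') if isinstance(yaml_data, dict) else None
        if zones is None or isinstance(zones, str):
            raise ValueError("{}: expected a mapping with a 'zones' list".format(filename))
        domains.extend(list(zones))
    return domains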
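def verify_authoritative_ns(nameserver, allowed=None):
    '''
    dsc: Verifies if the authoritative NS belongs to the puzzle managed NS.
         DNS names are case-insensitive and may be rendered with or without
         the trailing dot, so both sides are normalised to a lower-case
         absolute name before comparing. The match is exact: no suffix or
         substring matching, so e.g. "ns1.dnsimple.com.evil.example." is
         rejected.
    arg: [str], nameserver
         [list], allowed — names to accept; defaults to pitc_nameservers
    ret: [boolean], true if ok; false if nok.
    '''
    if allowed is None:
        allowed = pitc_nameservers
    return _absolute_lower(nameserver) in {_absolute_lower(ns) for ns in allowed}


def _absolute_lower(name):
    '''Lower-case a DNS name and make it absolute with exactly one trailing dot.'''
    return name.lower().rstrip('.') + '.'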
if __name__ == "__main__":
    managed_zones = get_domains(pitc_domains)
    all_managed = get_authoritative_ns(managed_zones)
    # A non-zero exit status reports a foreign or unverifiable delegation to
    # whatever runs this script.
    sys.exit(0 if all_managed else 1)