dnssec-check: add new package #26941
Functional Test Report: dnssec-check

This report demonstrates how

Test Environment

Case 1: Secure (Local resolver validates DNSSEC)

/etc/resolv.conf:

$ dnssec-check

Explanation: The local resolver successfully performs full DNSSEC validation.

Case 2: Medium (Upstream validates, local does not)

/etc/resolv.conf:

If the upstream DNS server is:

$ dnssec-check

Explanation: The local resolver does not validate DNSSEC, but the upstream resolver blocks domains that fail DNSSEC validation.

Case 3: Insecure (Neither local nor upstream validates DNSSEC)

/etc/resolv.conf:

If the upstream DNS server is:

$ dnssec-check

Explanation: Both the local and upstream resolvers return unsigned responses without blocking invalid domains.

Summary

The tool accurately distinguishes between the following DNSSEC support levels:

This tool might assist OpenWrt users with elementary DNSSEC validation.
Pull Request Overview
Adds a minimal DNSSEC validation tool that queries two reference domains and reports support level via UCI.
- Introduces a UCI defaults script to populate /etc/config/dnssec-check
- Adds a Makefile to build and install the binary and defaults file
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| files/dnssec-check.defaults | New script to initialize UCI configuration with defaults |
| Makefile | Package build/install rules and metadata for dnssec-check |
Comments suppressed due to low confidence (2)
net/dnssec-check/Makefile:25
- [nitpick] The new DNSSEC validation tool currently lacks any automated tests. Consider adding a test suite to verify secure, medium, and insecure outcomes against known domains to ensure future changes don’t break core logic.
define Package/dnssec-check
net/dnssec-check/Makefile:34
- [nitpick] Package description is in the Makefile, but the repository’s README or other user-facing docs aren’t updated to explain how to configure and run the tool. Adding usage examples and config details would help new users.
define Package/dnssec-check/description
wehagy
left a comment
You know how this works, it's maintained by the community. Hopefully, someone will review it eventually. Unfortunately, it's me this time 😅.
Anyway, you need to fix the build so I can check if the package is working.
net/dnssec-check/Makefile
Outdated
| # | ||
| # Copyright (C) 2025 Liu Yu <[email protected]> | ||
| # | ||
| # This is free software, licensed under the GNU General Public License v2.0 or later. | ||
| # See /LICENSE for more information. | ||
| # |
| # | |
| # Copyright (C) 2025 Liu Yu <[email protected]> | |
| # | |
| # This is free software, licensed under the GNU General Public License v2.0 or later. | |
| # See /LICENSE for more information. | |
| # | |
| # SPDX-License-Identifier: GPL-2.0-only | |
| # | |
| # Copyright (C) 2025 Liu Yu <[email protected]> |
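Review bot: the suggested header line `# SPDX-License-Identifier: GPL-2.0-only` does not match the licence stated elsewhere in this Makefile. The header text it replaces says "GNU General Public License v2.0 or later" and the package metadata sets `PKG_LICENSE:=GPL-2.0-or-later`. Use `GPL-2.0-or-later` in the SPDX line so the file header and PKG_LICENSE agree, or change both deliberately.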
| PKG_RELEASE:=1 | ||
|
|
||
| PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz | ||
| PKG_SOURCE_URL:=https://github.com/liuyuf78fk/$(PKG_NAME)/releases/download/v$(PKG_VERSION) |
| PKG_SOURCE_URL:=https://github.com/liuyuf78fk/$(PKG_NAME)/releases/download/v$(PKG_VERSION) | |
| PKG_SOURCE_URL:=https://codeload.github.com/liuyuf78fk/dnssec-check/tar.gz/v$(PKG_VERSION)? |
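Review bot: switching `PKG_SOURCE_URL` from the `releases/download` asset to the `codeload.github.com` tarball changes which file is fetched, so any PKG_HASH recorded for the release asset will no longer match and has to be recomputed against the codeload archive before the build can verify the download. The suggested line also hard-codes `dnssec-check` where the original used `$(PKG_NAME)`; keeping the variable avoids the two drifting apart.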
net/dnssec-check/Makefile
Outdated
| PKG_LICENSE:=GPL-2.0-or-later | ||
| PKG_MAINTAINER:=Liu Yu <[email protected]> |
| PKG_LICENSE:=GPL-2.0-or-later | |
| PKG_MAINTAINER:=Liu Yu <[email protected]> | |
| PKG_MAINTAINER:=Liu Yu <[email protected]> | |
| PKG_LICENSE:=GPL-2.0-or-later | |
| PKG_LICENSE_FILES:=LICENSE |
Leave uci-defaults alone, use a plain config and apk/opkg will take care of this for you.
One more suggestion, you don't want to maintain the config file in your repo? IMHO you have full control there, but it is up to you as a maintainer to decide.
|
|
||
| define Package/dnssec-check/install | ||
| $(INSTALL_DIR) $(1)/usr/bin | ||
| $(INSTALL_BIN) $(PKG_BUILD_DIR)/dnssec-check $(1)/usr/bin/ | ||
|
|
||
| $(INSTALL_DIR) $(1)/etc/uci-defaults | ||
| $(INSTALL_BIN) ./files/dnssec-check.defaults $(1)/etc/uci-defaults/99-dnssec-check | ||
| endef |
| define Package/dnssec-check/install | |
| $(INSTALL_DIR) $(1)/usr/bin | |
| $(INSTALL_BIN) $(PKG_BUILD_DIR)/dnssec-check $(1)/usr/bin/ | |
| $(INSTALL_DIR) $(1)/etc/uci-defaults | |
| $(INSTALL_BIN) ./files/dnssec-check.defaults $(1)/etc/uci-defaults/99-dnssec-check | |
| endef | |
| define Package/dnssec-check/conffiles | |
| /etc/config/dnssec-check | |
| endef | |
| define Package/dnssec-check/install | |
| $(INSTALL_DIR) $(1)/usr/bin | |
| $(INSTALL_BIN) $(PKG_BUILD_DIR)/dnssec-check $(1)/usr/bin/ | |
| $(INSTALL_DIR) $(1)/etc/config | |
| $(INSTALL_CONF) ./files/dnssec-check.conf $(1)/etc/config/dnssec-check | |
| endef |
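Review bot: the suggested install rule copies `./files/dnssec-check.conf`, but the only file under files/ listed for this pull request is files/dnssec-check.defaults, so the build would fail on a missing source file if the suggestion were applied as is. The same change needs to add files/dnssec-check.conf carrying the secure and broken reference domains and remove the .defaults script, so that the path declared in `Package/dnssec-check/conffiles` is actually shipped by the package.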
Leave uci-defaults alone.
Thank you for your review. I’ve updated the package according to your suggestions and tested it on the amd64 platform — it works well. The build errors on other platforms are due to a dependency on bind-dig, which currently fails to build on the OpenWrt main branch. However, this issue has already been fixed in the following PR:
This adds a lightweight tool to check whether the current DNS resolver supports DNSSEC validation. The tool uses dig for DNS queries and supports configuring two reference domains for testing via UCI:
- secure domain (default: nic.cz)
- broken domain (default: dnssec-failed.org)

It determines DNSSEC support based on these queries and reports severity levels: secure, medium, insecure.

Signed-off-by: Liu Yu <[email protected]>
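The two-domain check described in the commit message above, sketched as an added example; it is not the dnssec-check source and not code from this pull request. It assumes the three levels map onto the response status of the broken domain and the AD (Authenticated Data) flag on the secure domain; the function names and the sample dig headers are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Assumption: "secure" means the broken domain fails and
# the signed domain comes back with the AD flag; "medium" means the broken
# domain fails but no AD flag is seen; "insecure" means the broken domain resolves.

# Print the status (RCODE name) from the ";; ->>HEADER<<-" line of dig output.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the ";; flags:" line of dig output lists the AD flag.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# classify_dnssec <dig output for secure domain> <dig output for broken domain>
classify_dnssec() {
    secure_out=$1
    broken_out=$2
    secure_rc=$(dig_status "$secure_out")
    broken_rc=$(dig_status "$broken_out")

    # If the correctly signed domain does not resolve, nothing can be concluded
    # (no connectivity, resolver down); do not report a false "secure".
    [ "$secure_rc" = NOERROR ] || { echo unknown; return; }

    case $broken_rc in
        NOERROR)  echo insecure ;;  # the bogus zone resolved: nobody validates
        SERVFAIL) if dig_has_ad "$secure_out"; then echo secure; else echo medium; fi ;;
        *)        echo unknown ;;
    esac
}

# Constructed sample headers, so the example runs offline.
SIGNED_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SIGNED_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BROKEN_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
BROKEN_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Live use on a router: classify_dnssec "$(dig nic.cz)" "$(dig dnssec-failed.org)"
classify_dnssec "$SIGNED_AD" "$BROKEN_FAIL"
```

The `unknown` branch matters in practice: a SERVFAIL on the broken domain alone is not evidence of validation if the signed domain also fails to resolve.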