netexternal.cgi: Show DNSSEC status

The netexternal.cgi has been extended to show what type
of DNSSEC support the upstream nameservers offer.

config/rootfiles/core/80/filelists/files

@@ -6,6 +6,7 @@ etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/networking/red.up/30-ddns
 srv/web/ipfire/cgi-bin/ddns.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/netexternal.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
 usr/sbin/dhcrelay

doc/language_issues.es

@@ -663,6 +663,10 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: dnssec aware
+WARNING: untranslated string: dnssec information
+WARNING: untranslated string: dnssec not supported
+WARNING: untranslated string: dnssec validating
 WARNING: untranslated string: downlink
 WARNING: untranslated string: download tls-auth key
 WARNING: untranslated string: dpd delay
@@ -874,6 +878,7 @@ WARNING: untranslated string: modem sim information
 WARNING: untranslated string: modem status
 WARNING: untranslated string: monitor interface
 WARNING: untranslated string: most preferred
+WARNING: untranslated string: nameserver
 WARNING: untranslated string: no hardware random number generator
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: notice

doc/language_issues.fr

@@ -674,6 +674,10 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: dnssec aware
+WARNING: untranslated string: dnssec information
+WARNING: untranslated string: dnssec not supported
+WARNING: untranslated string: dnssec validating
 WARNING: untranslated string: downlink
 WARNING: untranslated string: download tls-auth key
 WARNING: untranslated string: dpd delay
@@ -885,6 +889,7 @@ WARNING: untranslated string: modem sim information
 WARNING: untranslated string: modem status
 WARNING: untranslated string: monitor interface
 WARNING: untranslated string: most preferred
+WARNING: untranslated string: nameserver
 WARNING: untranslated string: no hardware random number generator
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: notice

doc/language_issues.nl

@@ -671,6 +671,10 @@ WARNING: untranslated string: dh key warn
 WARNING: untranslated string: dh key warn1
 WARNING: untranslated string: dh parameter
 WARNING: untranslated string: dns servers
+WARNING: untranslated string: dnssec aware
+WARNING: untranslated string: dnssec information
+WARNING: untranslated string: dnssec not supported
+WARNING: untranslated string: dnssec validating
 WARNING: untranslated string: download tls-auth key
 WARNING: untranslated string: drop outgoing
 WARNING: untranslated string: firewall logs country
@@ -693,6 +697,7 @@ WARNING: untranslated string: modem no connection message
 WARNING: untranslated string: modem sim information
 WARNING: untranslated string: modem status
 WARNING: untranslated string: monitor interface
+WARNING: untranslated string: nameserver
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: ovpn crypt options
 WARNING: untranslated string: ovpn dh

doc/language_issues.pl

@@ -663,6 +663,10 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: dnssec aware
+WARNING: untranslated string: dnssec information
+WARNING: untranslated string: dnssec not supported
+WARNING: untranslated string: dnssec validating
 WARNING: untranslated string: downlink
 WARNING: untranslated string: download tls-auth key
 WARNING: untranslated string: dpd delay
@@ -874,6 +878,7 @@ WARNING: untranslated string: modem sim information
 WARNING: untranslated string: modem status
 WARNING: untranslated string: monitor interface
 WARNING: untranslated string: most preferred
+WARNING: untranslated string: nameserver
 WARNING: untranslated string: no hardware random number generator
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: notice

doc/language_issues.ru

@@ -668,6 +668,10 @@ WARNING: untranslated string: dnsforward edit an entry
 WARNING: untranslated string: dnsforward entries
 WARNING: untranslated string: dnsforward forward_server
 WARNING: untranslated string: dnsforward zone
+WARNING: untranslated string: dnssec aware
+WARNING: untranslated string: dnssec information
+WARNING: untranslated string: dnssec not supported
+WARNING: untranslated string: dnssec validating
 WARNING: untranslated string: downlink
 WARNING: untranslated string: download tls-auth key
 WARNING: untranslated string: dpd delay
@@ -870,6 +874,7 @@ WARNING: untranslated string: modem sim information
 WARNING: untranslated string: modem status
 WARNING: untranslated string: monitor interface
 WARNING: untranslated string: most preferred
+WARNING: untranslated string: nameserver
 WARNING: untranslated string: no hardware random number generator
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: notice

doc/language_issues.tr

@@ -672,6 +672,10 @@ WARNING: untranslated string: dh key move failed
 WARNING: untranslated string: dh key warn
 WARNING: untranslated string: dh key warn1
 WARNING: untranslated string: dh parameter
+WARNING: untranslated string: dnssec aware
+WARNING: untranslated string: dnssec information
+WARNING: untranslated string: dnssec not supported
+WARNING: untranslated string: dnssec validating
 WARNING: untranslated string: download tls-auth key
 WARNING: untranslated string: firewall logs country
 WARNING: untranslated string: fwhost err hostip
@@ -693,6 +697,7 @@ WARNING: untranslated string: modem no connection message
 WARNING: untranslated string: modem sim information
 WARNING: untranslated string: modem status
 WARNING: untranslated string: monitor interface
+WARNING: untranslated string: nameserver
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: ovpn crypt options
 WARNING: untranslated string: ovpn dh

doc/language_missings

@@ -94,6 +94,10 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dnssec aware
+< dnssec information
+< dnssec not supported
+< dnssec validating
 < dns servers
 < downlink
 < download dh parameter
@@ -351,6 +355,7 @@
 < monitor interface
 < most preferred
 < MTU settings
+< nameserver
 < never
 < no hardware random number generator
 < not a valid dh key
@@ -620,6 +625,10 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dnssec aware
+< dnssec information
+< dnssec not supported
+< dnssec validating
 < dns servers
 < downlink
 < download dh parameter
@@ -877,6 +886,7 @@
 < monitor interface
 < most preferred
 < MTU settings
+< nameserver
 < never
 < no hardware random number generator
 < not a valid dh key
@@ -1138,6 +1148,10 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dnssec aware
+< dnssec information
+< dnssec not supported
+< dnssec validating
 < dns servers
 < downlink
 < download dh parameter
@@ -1387,6 +1401,7 @@
 < monitor interface
 < most preferred
 < MTU settings
+< nameserver
 < never
 < no hardware random number generator
 < not a valid dh key
@@ -1635,6 +1650,10 @@
 < dnsforward entries
 < dnsforward forward_server
 < dnsforward zone
+< dnssec aware
+< dnssec information
+< dnssec not supported
+< dnssec validating
 < dns servers
 < downlink
 < download dh parameter
@@ -1889,6 +1908,7 @@
 < month-graph
 < most preferred
 < MTU settings
+< nameserver
 < never
 < no hardware random number generator
 < not a valid dh key

html/cgi-bin/netexternal.cgi

@@ -76,6 +76,82 @@ if ( $querry[0] ne~ ""){
 		&Header::closebox();
 	}
 
+	## DNSSEC
+	my @nameservers = ();
+	foreach my $f ("${General::swroot}/red/dns1", "${General::swroot}/red/dns2") {
+		open(DNS, "<$f");
+		my $nameserver = <DNS>;
+		close(DNS);
+
+		chomp($nameserver);
+		if ($nameserver) {
+			push(@nameservers, $nameserver);
+		}
+	}
+
+	&Header::openbox('100%', 'center', $Lang::tr{'dnssec information'});
+
+	print <<END;
+		<table class="tbl" width='66%'>
+			<thead>
+				<tr>
+					<th align="center">
+						<strong>$Lang::tr{'nameserver'}</strong>
+					</th>
+					<th align="center">
+						<strong>$Lang::tr{'status'}</strong>
+					</th>
+				</tr>
+			</thead>
+			<tbody>
+END
+
+	my $id = 0;
+	for my $nameserver (@nameservers) {
+		my $status = &check_dnssec($nameserver, "ping.ipfire.org");
+
+		my $colour = "";
+		my $message = "";
+
+		# DNSSEC Not supported
+		if ($status == 0) {
+			$message = $Lang::tr{'dnssec not supported'};
+			$colour = ${Header::colourred};
+
+		# DNSSEC Aware
+		} elsif ($status == 1) {
+			$message = $Lang::tr{'dnssec aware'};
+			$colour = ${Header::colouryellow};
+
+		# DNSSEC Validating
+		} elsif ($status == 2) {
+			$message = $Lang::tr{'dnssec validating'};
+			$colour = ${Header::colourgreen};
+
+		# Error
+		} else {
+			$colour = ${Header::colourred};
+		}
+
+		my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'};
+
+		print <<END;
+			<tr bgcolor="$table_colour">
+				<td>$nameserver</td>
+				<td bgcolor="$colour" align="center">
+					<font color='white'><strong>$message</strong></font>
+				</td>
+			</tr>
+END
+	}
+
+	print <<END;
+			</tbody>
+		</table>
+END
+
+	&Header::closebox();
+
 	if ( $netsettings{'CONFIG_TYPE'} =~ /^(1|2|3|4)$/  && $netsettings{'RED_TYPE'} eq "DHCP"){
 
 		&Header::openbox('100%', 'left', "RED $Lang::tr{'dhcp configuration'}");
@@ -161,4 +237,33 @@ END
 
 	&Header::closebigbox();
 	&Header::closepage();
-}	
+}
+
+sub check_dnssec($$) {
+	my $nameserver = shift;
+	my $record = shift;
+
+	my @command = ("dig", "+dnssec", $record, "\@$nameserver");
+
+	my @output = qx(@command);
+	my $output = join("", @output);
+
+	my $status = 0;
+	if ($output =~ m/status: (\w+)/) {
+		$status = ($1 eq "NOERROR");
+
+		if (!$status) {
+			return -1;
+		}
+	}
+
+	my @flags = ();
+	if ($output =~ m/flags: (.*);/) {
+		@flags = split(/ /, $1);
+	}
+
+	my $aware = ($output =~ m/RRSIG/);
+	my $validating = ("ad" ~~ @flags);
+
+	return $aware + $validating;
+}

langs/de/cgi-bin/de.pl

@@ -750,6 +750,10 @@
 'dnsforward entries' => 'Aktuelle Einträge',
 'dnsforward forward_server' => 'DNS-Server',
 'dnsforward zone' => 'Zone',
+'dnssec aware' => 'DNSSEC-aware',
+'dnssec information' => 'DNSSEC-Informationen',
+'dnssec not supported' => 'DNSSEC wird nicht unterstützt',
+'dnssec validating' => 'DNSSEC-validierend',
 'do not log this port list' => 'Verwerfe diese Port-Liste kurz bevor sie protokolliert werden (reduziert Protokollgröße)',
 'dod' => 'Dial-on-Demand-Modus',
 'dod for dns' => 'Dial-on-Demand für DNS:',
@@ -1523,6 +1527,7 @@
 'name is invalid' => 'Name ist ungültig',
 'name must only contain characters' => 'Name darf nur Buchstaben enthalten.',
 'name too long' => 'Der volle Benutzername oder der System Hostname ist zu lang',
+'nameserver' => 'Nameserver',
 'nat-traversal' => 'Nat Traversal:',
 'needreboot' => 'Ein Update benötigt einen Neustart',
 'net' => 'Netz',

langs/en/cgi-bin/en.pl

@@ -775,6 +775,10 @@
 'dnsforward entries' => 'Current entries',
 'dnsforward forward_server' => 'Nameserver',
 'dnsforward zone' => 'Zone',
+'dnssec aware' => 'DNSSEC Aware',
+'dnssec information' => 'DNSSEC Information',
+'dnssec not supported' => 'DNSSEC Not supported',
+'dnssec validating' => 'DNSSEC Validating',
 'do not log this port list' => 'Drop this port list just before they are logged (reduces log size)',
 'dod' => 'Dial on Demand',
 'dod for dns' => 'Dial on Demand for DNS:',
@@ -1553,6 +1557,7 @@
 'name is invalid' => 'Name is invalid',
 'name must only contain characters' => 'Name must only contain characters.',
 'name too long' => 'User\'s full name or system hostname is too long',
+'nameserver' => 'Nameserver',
 'nat-traversal' => 'Nat Traversal:',
 'needreboot' => 'An update requires a restart',
 'net' => 'Net',