#!/usr/bin/env python3
# Copyright (c) 2025-2026 Tim Riker
# SPDX-License-Identifier: MIT
"""Utility to walk CNAME chain and discover authoritative zone via SOA for a name.
Usage:
./zone_discover.py <fqdn> [--credentials credentials.yaml]
It will:
1. Follow any CNAME chain to a terminal target using TSIG if configured.
2. Walk up labels performing SOA (then NS) lookups to determine zone apex.
3. Print the original name, CNAME-resolved target (if different), and zone.
Requires dnspython (listed in requirements.txt).
"""
import sys
import os
import yaml
import argparse
from dns_rfc2136 import resolve_cname_target, discover_zone_for_name
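def load_yaml(path):
    """Parse the YAML file at *path* and return the resulting Python object.

    Returns whatever ``yaml.safe_load`` produces: typically a dict, but
    ``None`` for an empty document. Callers must check the type before use.

    Raises:
        OSError: if the file cannot be opened or read.
        yaml.YAMLError: if the content is not valid YAML.
    """
    # Binary mode lets PyYAML do its own encoding detection (UTF-8 / UTF-16
    # BOM) instead of depending on the process locale's default encoding.
    with open(path, 'rb') as f:
        # safe_load is deliberate: it only builds plain data types and never
        # instantiates arbitrary Python objects from tags in the file.
        return yaml.safe_load(f)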
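def main():
    """Command-line entry point: resolve a name's CNAME target and its zone.

    Parses the FQDN and the optional ``--credentials`` path, reads the
    ``rfc2136`` section of the credentials file for TSIG settings (server,
    key_name, key, algorithm), then prints the original name, the
    CNAME-resolved target and the discovered zone on stdout.

    Credential loading is best-effort: any failure is reported on stderr and
    the lookups proceed with the TSIG parameters left as ``None``.
    """
    default_credentials = os.path.join(os.path.dirname(__file__), 'credentials.yaml')

    parser = argparse.ArgumentParser(
        description='Discover DNS zone for a given FQDN',
        epilog='Example: %(prog)s _acme-challenge.example.com'
    )
    parser.add_argument('fqdn', help='Fully qualified domain name to look up')
    parser.add_argument('--credentials', default=default_credentials,
                        help='Path to credentials file with TSIG configuration (default: %(default)s)')
    args = parser.parse_args()

    fqdn = args.fqdn.rstrip('.')

    # TSIG settings stay None unless the credentials file supplies them.
    server = None
    key_name = None
    key = None
    algorithm = None

    try:
        if os.path.exists(args.credentials):
            creds = load_yaml(args.credentials)
            # An empty or malformed file yields None / a non-mapping; report
            # that explicitly rather than through an opaque AttributeError.
            if not isinstance(creds, dict):
                raise ValueError("top level of credentials file is not a mapping")
            rfc2136 = creds.get('rfc2136') or {}
            if not isinstance(rfc2136, dict):
                raise ValueError("'rfc2136' section is not a mapping")

            server = rfc2136.get('server')
            key_name = rfc2136.get('key_name')
            key = rfc2136.get('key')
            algorithm = rfc2136.get('algorithm')

            if server and key_name and key:
                # Only the key *name* is echoed; the key material itself must
                # never be printed or logged.
                print(f"Using TSIG authentication with key: {key_name}")
            elif key_name or key:
                # Partial configuration: make the downgrade visible instead of
                # silently continuing. NOTE(review): how the dns_rfc2136
                # helpers treat a partial set is not visible here - confirm.
                print("Warning: incomplete TSIG configuration "
                      "(need server, key_name and key); queries may be sent unsigned",
                      file=sys.stderr)
        elif args.credentials != default_credentials:
            # An explicitly supplied path that does not exist is most likely a
            # typo; say so instead of quietly dropping authentication.
            print(f"Warning: credentials file not found: {args.credentials}",
                  file=sys.stderr)
    except Exception as e:
        # Deliberately broad: credential loading is best-effort. Diagnostics
        # go to stderr so stdout carries only the result lines.
        print(f"Warning: Could not load TSIG credentials: {e}", file=sys.stderr)

    target = resolve_cname_target(fqdn, server, key_name, key, algorithm)
    zone = discover_zone_for_name(target, server, key_name, key, algorithm)

    print(f"Original: {fqdn}")
    print(f"Target: {target}")
    print(f"Zone: {zone}")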
# Run the CLI only when this file is executed as a script, so that importing
# the module does not parse arguments or issue DNS queries.
if __name__ == "__main__":
    main()