Support for NSEC3 in dnssec-policy

Implement support for NSEC3 in dnssec-policy.  Store the configuration
in kasp objects. When configuring a zone, call 'dns_zone_setnsec3param'
to queue an nsec3param event. This will ensure that any previous
chains will be removed and a chain according to the dnssec-policy is
created.

Add tests for dnssec-policy zones that uses the new 'nsec3param'
option, as well as changing to new values, changing to NSEC, and
changing from NSEC.

bin/named/server.c

@@ -73,6 +73,7 @@
 #include <dns/lib.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
+#include <dns/nsec3.h>
 #include <dns/nta.h>
 #include <dns/order.h>
 #include <dns/peer.h>

bin/named/zoneconf.c

@@ -1560,7 +1560,23 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		bool allow = false, maint = false;
 		bool sigvalinsecs;
 
-		if (kasp) {
+		if (kasp != NULL) {
+			if (dns_kasp_nsec3(kasp)) {
+				result = dns_zone_setnsec3param(
+					zone, 1, dns_kasp_nsec3flags(kasp),
+					dns_kasp_nsec3iter(kasp),
+					dns_kasp_nsec3saltlen(kasp),
+					dns_kasp_nsec3salt(kasp), true);
+			} else {
+				unsigned char *salt;
+				DE_CONST("-", salt);
+				result = dns_zone_setnsec3param(zone, 0, 0, 0,
+								0, salt, true);
+			}
+			INSIST(result == ISC_R_SUCCESS);
+		}
+
+		if (kasp != NULL) {
 			seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
 		} else {
 			obj = NULL;
@@ -1571,7 +1587,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		}
 		dns_zone_setkeyvalidityinterval(zone, seconds);
 
-		if (kasp) {
+		if (kasp != NULL) {
 			seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
 			dns_zone_setsigvalidityinterval(zone, seconds);
 			seconds = (uint32_t)dns_kasp_sigrefresh(kasp);

bin/tests/system/Makefile.am

@@ -121,6 +121,7 @@ TESTS +=			\
 	mkeys			\
 	names			\
 	notify			\
+	nsec3			\
 	nslookup		\
 	padding			\
 	pending			\

bin/tests/system/conf.sh.common

@@ -97,6 +97,7 @@ mirror
 mkeys
 names
 notify
+nsec3
 nslookup
 nsupdate
 padding

bin/tests/system/nsec3/clean.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out.* rndc.signing.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+

bin/tests/system/nsec3/ns3/named.conf.in

@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt "deadbeef";
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	dnssec-policy "nsec";
+};
+
+/* This zone uses the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	dnssec-policy "nsec3-other";
+};
+
+/* The zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	dnssec-policy "nsec3";
+};

bin/tests/system/nsec3/ns3/named2.conf.in

@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt "deadbeef";
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	//dnssec-policy "nsec";
+	dnssec-policy "nsec3";
+};
+
+/* This zone uses the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	dnssec-policy "nsec3-other";
+};
+
+/* The zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec3-other";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec";
+};

bin/tests/system/nsec3/ns3/setup.sh

@@ -0,0 +1,28 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	cp template.db.in "$zonefile"
+}
+
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec
+do
+	setup "${zn}.kasp"
+done

bin/tests/system/nsec3/ns3/template.db.in

@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+

bin/tests/system/nsec3/setup.sh

@@ -0,0 +1,24 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(
+	cd ns3
+	$SHELL setup.sh
+)

bin/tests/system/nsec3/tests.sh

@@ -0,0 +1,244 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+# Log errors and increment $ret.
+log_error() {
+	echo_i "error: $1"
+	ret=$((ret+1))
+}
+
+# Call dig with default options.
+dig_with_opts() {
+	$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+# Call rndc.
+rndccmd() {
+    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Set server key-directory ($1) and address ($2) for testing nsec3.
+set_server() {
+	DIR=$1
+	SERVER=$2
+}
+# Set zone name ($1) and policy ($2) for testing nsec3.
+set_zone_policy() {
+	ZONE=$1
+	POLICY=$2
+}
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and salt ($3).
+set_nsec3param() {
+	FLAGS=$1
+	ITERATIONS=$2
+	SALT=$3
+}
+
+# The apex NSEC3PARAM record indicates that it is signed.
+_wait_for_nsec3param() {
+	dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
+	grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+        return 0
+}
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+	dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1
+	grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1
+        return 0
+}
+
+# Wait for the zone to be signed.
+wait_for_zone_is_signed() {
+	n=$((n+1))
+	ret=0
+	echo_i "wait for ${ZONE} to be signed ($n)"
+
+	if [ "$1" = "nsec3" ]; then
+		retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
+	else
+		retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
+	fi
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: dnssec-verify zone $1.
+dnssec_verify()
+{
+	n=$((n+1))
+	echo_i "dnssec-verify zone ${ZONE} ($n)"
+	ret=0
+	dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.test$n.axfr || log_error "dig ${ZONE} AXFR failed"
+	$VERIFY -z -o "$ZONE" dig.out.test$n.axfr > /dev/null || log_error "dnssec verify zone $ZONE failed"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: check NSEC in answers
+_check_nsec_nsec3param()
+{
+	dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+	grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
+	return 0
+}
+
+_check_nsec_nxdomain()
+{
+	dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+	grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+	grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
+	return 0
+}
+
+check_nsec()
+{
+	n=$((n+1))
+	echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	n=$((n+1))
+	echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: check NSEC3 parameters in answers
+_check_nsec3_nsec3param()
+{
+	dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+	grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
+	return 0
+}
+
+_check_nsec3_nxdomain()
+{
+	dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+	grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+	return 0
+}
+
+check_nsec3()
+{
+	n=$((n+1))
+	echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	n=$((n+1))
+	echo_i "check NSEC3 response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+# Zone: nsec-to-nsec3.kasp.
+set_zone_policy "nsec-to-nsec3.kasp" "nsec"
+set_server "ns3" "10.53.0.3"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3.kasp.
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp.
+set_zone_policy "nsec3-change.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-nsec.kasp.
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-other.kasp.
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+
+# Reconfig named.
+echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+
+# Zone: nsec-to-nsec3.kasp. (reconfigured)
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3.kasp. (same)
+set_zone_policy "nsec3.kasp" "nsec3"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp. (reconfigured)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-nsec.kasp. (reconfigured)
+set_zone_policy "nsec3-to-nsec.kasp" "nsec"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3-other.kasp. (same)
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Using rndc signing -nsec3param
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+dnssec_verify
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
+

lib/dns/include/dns/kasp.h

@@ -50,6 +50,14 @@ struct dns_kasp_key {
 	uint8_t	 role;
 };
 
+struct dns_kasp_nsec3param {
+	unsigned char salt[255];
+	uint8_t	      saltlen;
+	uint8_t	      algorithm;
+	uint8_t	      iterations;
+	bool	      optout;
+};
+
 /* Stores a DNSSEC policy */
 struct dns_kasp {
 	unsigned int magic;
@@ -75,6 +83,10 @@ struct dns_kasp {
 	dns_kasp_keylist_t keys;
 	dns_ttl_t	   dnskey_ttl;
 
+	/* Configuration: Denial of existence */
+	bool		      nsec3;
+	dns_kasp_nsec3param_t nsec3param;
+
 	/* Configuration: Timings */
 	uint32_t publish_safety;
 	uint32_t retire_safety;
@@ -86,8 +98,6 @@ struct dns_kasp {
 	/* Parent settings */
 	dns_ttl_t parent_ds_ttl;
 	uint32_t  parent_propagation_delay;
-
-	/* TODO: The rest of the KASP configuration */
 };
 
 #define DNS_KASP_MAGIC	     ISC_MAGIC('K', 'A', 'S', 'P')
@@ -604,6 +614,94 @@ dns_kasp_key_zsk(dns_kasp_key_t *key);
  *
  */
 
+bool
+dns_kasp_nsec3(dns_kasp_t *kasp);
+/*%<
+ * Return true if NSEC3 chain should be used.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3iter(dns_kasp_t *kasp);
+/*%<
+ * The number of NSEC3 iterations to use.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3flags(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 flags field value.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3saltlen(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 salt length.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+unsigned char *
+dns_kasp_nsec3salt(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 salt used.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, frozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ */
+
+void
+dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3);
+/*%<
+ * Set to use NSEC3 if 'nsec3' is 'true', otherwise policy will use NSEC.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, unfrozen kasp.
+ *
+ */
+
+isc_result_t
+dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
+		       const char *salt);
+/*%<
+ * Set the desired NSEC3 parameters.
+ *
+ * Requires:
+ *
+ *\li  'kasp' is a valid, unfrozen kasp.
+ *\li  'kasp->nsec3' is true.
+ *
+ * Returns:
+ *
+ *\li  ISC_R_SUCCESS, if NSEC3 parameters are set.
+ *\li  Error, if isc_hex_decodestring() fails.
+ *
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_KASP_H */

lib/dns/include/dns/types.h

@@ -94,8 +94,9 @@ typedef struct dns_kasp		   dns_kasp_t;
 typedef ISC_LIST(dns_kasp_t) dns_kasplist_t;
 typedef struct dns_kasp_key dns_kasp_key_t;
 typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t;
-typedef uint16_t	   dns_keyflags_t;
-typedef struct dns_keynode dns_keynode_t;
+typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t;
+typedef uint16_t		   dns_keyflags_t;
+typedef struct dns_keynode	   dns_keynode_t;
 typedef ISC_LIST(dns_keynode_t) dns_keynodelist_t;
 typedef struct dns_keytable	   dns_keytable_t;
 typedef uint16_t		   dns_keytag_t;

lib/dns/kasp.c

@@ -14,7 +14,9 @@
 #include <string.h>
 
 #include <isc/assertions.h>
+#include <isc/buffer.h>
 #include <isc/file.h>
+#include <isc/hex.h>
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/util.h>
@@ -58,7 +60,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
 	kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
 
-	/* TODO: The rest of the KASP configuration */
+	kasp->nsec3 = false;
 
 	kasp->magic = DNS_KASP_MAGIC;
 	*kaspp = kasp;
@@ -446,3 +448,83 @@ dns_kasp_key_zsk(dns_kasp_key_t *key) {
 
 	return (key->role & DNS_KASP_KEY_ROLE_ZSK);
 }
+
+uint8_t
+dns_kasp_nsec3iter(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	return (kasp->nsec3param.iterations);
+}
+
+uint8_t
+dns_kasp_nsec3flags(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	if (kasp->nsec3param.optout) {
+		return (0x01);
+	}
+	return (0x00);
+}
+
+uint8_t
+dns_kasp_nsec3saltlen(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	return (kasp->nsec3param.saltlen);
+}
+
+unsigned char *
+dns_kasp_nsec3salt(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	return kasp->nsec3param.salt;
+}
+
+bool
+dns_kasp_nsec3(dns_kasp_t *kasp) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(kasp->frozen);
+
+	return kasp->nsec3;
+}
+
+void
+dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3) {
+	REQUIRE(kasp != NULL);
+	REQUIRE(!kasp->frozen);
+
+	kasp->nsec3 = nsec3;
+}
+
+isc_result_t
+dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
+		       const char *salt) {
+	isc_buffer_t buf;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	REQUIRE(kasp != NULL);
+	REQUIRE(!kasp->frozen);
+	REQUIRE(kasp->nsec3);
+
+	kasp->nsec3param.iterations = iter;
+	kasp->nsec3param.optout = optout;
+	kasp->nsec3param.saltlen = 0;
+
+	if (salt != NULL && strcmp(salt, "-") != 0) {
+		isc_buffer_init(&buf, kasp->nsec3param.salt,
+				sizeof(kasp->nsec3param.salt));
+		ret = isc_hex_decodestring(salt, &buf);
+		if (ret == ISC_R_SUCCESS) {
+			kasp->nsec3param.saltlen = isc_buffer_usedlength(&buf);
+		}
+	}
+	return (ret);
+}

lib/dns/win32/libdns.def.in

@@ -436,11 +436,18 @@ dns_kasp_key_size
 dns_kasp_key_zsk
 dns_kasp_keylist_empty
 dns_kasp_keys
+dns_kasp_nsec3
+dns_kasp_nsec3flags
+dns_kasp_nsec3iter
+dns_kasp_nsec3salt
+dns_kasp_nsec3saltlen
 dns_kasp_parentpropagationdelay
 dns_kasp_publishsafety
 dns_kasp_retiresafety
 dns_kasp_setdnskeyttl
 dns_kasp_setdsttl
+dns_kasp_setnsec3
+dns_kasp_setnsec3param
 dns_kasp_setparentpropagationdelay
 dns_kasp_setpublishsafety
 dns_kasp_setretiresafety

lib/dns/zone.c

@@ -9260,12 +9260,16 @@ zone_sign(dns_zone_t *zone) {
 						   DNS_ZONEOPT_DNSKEYKSKONLY);
 
 	/* Determine which type of chain to build */
-	CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
-				 &build_nsec3));
-
-	/* If neither chain is found, default to NSEC */
-	if (!build_nsec && !build_nsec3) {
-		build_nsec = true;
+	if (kasp != NULL) {
+		build_nsec3 = dns_kasp_nsec3(kasp);
+		build_nsec = !build_nsec3;
+	} else {
+		CHECK(dns_private_chains(db, version, zone->privatetype,
+					 &build_nsec, &build_nsec3));
+		/* If neither chain is found, default to NSEC */
+		if (!build_nsec && !build_nsec3) {
+			build_nsec = true;
+		}
 	}
 
 	while (signing != NULL && nodes-- > 0 && signatures > 0) {
@@ -21097,6 +21101,7 @@ dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
 	if (hash == 0) {
 		np->length = 0;
 		np->nsec = true;
+		dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec");
 	} else {
 		param.common.rdclass = zone->rdclass;
 		param.common.rdtype = dns_rdatatype_nsec3param;
@@ -21115,6 +21120,31 @@ dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
 					 np->data, sizeof(np->data));
 		np->length = prdata.length;
 		np->nsec = false;
+
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+			unsigned char text[255 * 2 + 1];
+			isc_buffer_t buf;
+			isc_result_t ret;
+			isc_region_t r;
+
+			r.base = salt;
+			r.length = (unsigned int)saltlen;
+			if (saltlen > 0) {
+				isc_buffer_init(&buf, text, sizeof(text));
+				ret = isc_hex_totext(&r, 2, "", &buf);
+				if (ret == ISC_R_SUCCESS) {
+					text[saltlen * 2] = 0;
+				} else {
+					text[0] = 0;
+				}
+			} else {
+				text[0] = '-';
+				text[1] = 0;
+			}
+			dnssec_log(zone, ISC_LOG_DEBUG(3),
+				   "setnsec3param:nsec3 %u %u %u %s", hash,
+				   flags, iter, text);
+		}
 	}
 
 	/*

lib/isccfg/kaspconf.c

@@ -29,6 +29,8 @@
 #include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>
 
+#define DEFAULT_NSEC3PARAM_ITER 5
+
 /*
  * Utility function for getting a configuration option.
  */
@@ -163,6 +165,34 @@ cleanup:
 	return (result);
 }
 
+static isc_result_t
+cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp) {
+	const cfg_obj_t *obj = NULL;
+	const char *salt = NULL;
+	uint8_t iter = DEFAULT_NSEC3PARAM_ITER;
+	bool optout = false;
+
+	/* How many iterations. */
+	obj = cfg_tuple_get(config, "iterations");
+	if (cfg_obj_isuint32(obj)) {
+		iter = cfg_obj_asuint32(obj);
+	}
+
+	/* Opt-out? */
+	obj = cfg_tuple_get(config, "optout");
+	if (cfg_obj_isboolean(obj)) {
+		optout = cfg_obj_asboolean(obj);
+	}
+
+	/* Salt */
+	obj = cfg_tuple_get(config, "salt");
+	if (cfg_obj_isstring(obj)) {
+		salt = cfg_obj_asstring(obj);
+	}
+
+	return dns_kasp_setnsec3param(kasp, iter, optout, salt);
+}
+
 isc_result_t
 cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx,
 		    dns_kasplist_t *kasplist, dns_kasp_t **kaspp) {
@@ -170,6 +200,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx,
 	const cfg_obj_t *maps[2];
 	const cfg_obj_t *koptions = NULL;
 	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *nsec3 = NULL;
 	const cfg_listelt_t *element = NULL;
 	const char *kaspname = NULL;
 	dns_kasp_t *kasp = NULL;
@@ -245,6 +276,18 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx,
 	}
 	INSIST(!(dns_kasp_keylist_empty(kasp)));
 
+	/* Configuration: NSEC3 */
+	(void)confget(maps, "nsec3param", &nsec3);
+	if (nsec3 == NULL) {
+		dns_kasp_setnsec3(kasp, false);
+	} else {
+		dns_kasp_setnsec3(kasp, true);
+		result = cfg_nsec3param_fromconfig(nsec3, kasp);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+	}
+
 	/* Configuration: Zone settings */
 	dns_kasp_setzonemaxttl(
 		kasp, get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL));
@@ -259,8 +302,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx,
 		kasp, get_duration(maps, "parent-propagation-delay",
 				   DNS_KASP_PARENT_PROPDELAY));
 
-	/* TODO: Rest of the configuration */
-
 	/* Append it to the list for future lookups. */
 	ISC_LIST_APPEND(*kasplist, kasp, link);
 	INSIST(!(ISC_LIST_EMPTY(*kasplist)));

util/copyrights

@@ -603,6 +603,10 @@
 ./bin/tests/system/notify/ns4/named.port.in	X	2014,2018,2019,2020
 ./bin/tests/system/notify/setup.sh		SH	2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
 ./bin/tests/system/notify/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
+./bin/tests/system/nsec3/clean.sh		SH	2020
+./bin/tests/system/nsec3/ns3/setup.sh		SH	2020
+./bin/tests/system/nsec3/setup.sh		SH	2020
+./bin/tests/system/nsec3/tests.sh		SH	2020
 ./bin/tests/system/nslookup/clean.sh		SH	2014,2015,2016,2018,2019,2020
 ./bin/tests/system/nslookup/setup.sh		SH	2014,2016,2018,2019,2020
 ./bin/tests/system/nslookup/tests.sh		SH	2014,2016,2018,2019,2020