Use signer name when disabling DNSSEC algorithms

When disabling algorithms, use the signer name to determine if the algorithm is disabled or not. This allows for algorithms to be cleanly disabled on a zone level basis. Previously, just using the records owner name, "disable-algorithms" could impact resolution of names that where not disabled. This does now mean that "disable-algorithms" can not be used to disable part of a zone anymore. (cherry picked from commit a0945f6337)
2026-05-28 04:34:54 -04:00 · 2025-08-07 14:37:33 +10:00 · 2025-08-07 14:37:33 +10:00 · 2554a724d4
commit 2554a724d4
parent d2f551140c
8 changed files with 60 additions and 4 deletions
--- a/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in
@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			A	10.53.0.4
+ns3			A	10.53.0.3
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@ -91,6 +91,12 @@ zone "secure.example" {
 	allow-update { any; };
 };

+zone "badalg.secure.example" {
+	type primary;
+	file "badalg.secure.example.db.signed";
+	allow-update { any; };
+};
+
 zone "bogus.example" {
 	type primary;
 	file "bogus.example.db.signed";
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@ -30,7 +30,9 @@ g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a
-badalg			A	10.53.0.4
+
+badalg			NS	ns3.badalg
+ns3.badalg		A	10.53.0.3

 private			NS	ns.private
 ns.private		A	10.53.0.2
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@ -77,6 +77,19 @@ done

 echo_i "ns3/sign.sh: example zones"

+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for it.
+zone=badalg.secure.example.
+infile=badalg.secure.example.db.in
+zonefile=badalg.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
@ -85,7 +98,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
+cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"

 "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
 cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -3757,6 +3757,16 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+echo_i "check that DS records are still treated as secure at the disable-algorithm name ($n)"
+ret=0
+dig_with_opts @10.53.0.4 badalg.secure.example DS >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking EDE code 1 for bad alg mnemonic ($n)"
 ret=0
 dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@ -79,6 +79,7 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/NSEC3",
        "ns3/auto-nsec.example.db",
        "ns3/auto-nsec3.example.db",
+        "ns3/badalg.secure.example.db",
        "ns3/badds.example.db",
        "ns3/bogus.example.db",
        "ns3/disabled.managed.db",
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1679,7 +1679,8 @@ validate_answer_process(void *arg) {
 	 * At this point we could check that the signature algorithm
 	 * was known and "sufficiently good".
 	 */
-	if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
+	if (!dns_resolver_algorithm_supported(val->view->resolver,
+					      &val->siginfo->signer,
 					      val->siginfo->algorithm))
 	{
 		if (val->unsupported_algorithm == 0) {
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -2504,7 +2504,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (!dns_resolver_algorithm_supported(client->view->resolver,
-						      name, rrsig.algorithm))
+						      &rrsig.signer,
+						      rrsig.algorithm))
 		{
 			char txt[DNS_NAME_FORMATSIZE + 32];
 			isc_buffer_t buffer;