diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index f711f5823f..6035d72286 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -168,4 +168,7 @@ ns.managed-future A 10.53.0.3 revkey NS ns.revkey ns.revkey A 10.53.0.3 +extrabadkey NS ns3.extrabadkey +ns3.extrabadkey A 10.53.0.3 + dname-at-apex-nsec3 NS ns3 diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 318c31edad..1330d1112d 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -62,7 +62,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \ ttlpatch split-dnssec split-smart expired expiring upper lower \ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ dnskey-nsec3-unknown managed-future revkey \ - dname-at-apex-nsec3 occluded; do + dname-at-apex-nsec3 occluded extrabadkey; do cp "../ns3/dsset-$subdomain.example." . done diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index 680cff58d5..3536046319 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -84,6 +84,12 @@ zone "insecure2.example" { allow-update { any; }; }; +zone "extrabadkey.example" { + type primary; + file "extrabadkey.example.db.signed"; + allow-update { any; }; +}; + zone "insecure.nsec3.example" { type primary; file "insecure.nsec3.example.db"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 14fc709bfb..57a7e47f2f 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -673,3 +673,34 @@ $DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}." cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile" "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null + +# +# +# +zone=extrabadkey.example. +infile=template.db.in +zonefile=extrabadkey.example.db + +# Add KSK and ZSK that we will mangle to RSAMD5 +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" +"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1 + +# Mangle the signatures to RSAMD5 and save them for future use +sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" <"$zonefile.signed" >"$zonefile.signed.rsamd5" + +# Now add normal KSK and ZSK to the zone file +ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" + +# Mangle the DNSKEY algorithm numbers and add them to the signed zone file +cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile" + +# Sign normally +"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1 + +# Add the mangled signatures to signed zone file +cat "$zonefile.signed.rsamd5" >>"$zonefile.signed" +rm "$zonefile.signed.rsamd5" diff --git a/bin/tests/system/dnssec/ns3/template.db.in b/bin/tests/system/dnssec/ns3/template.db.in new file mode 100644 index 0000000000..f603e448ff --- /dev/null +++ b/bin/tests/system/dnssec/ns3/template.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +a.b A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 05f7d769fd..738bc6603c 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -4631,5 +4631,16 @@ n=$((n + 1)) if [ "$ret" -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "checking extra-bad-algorithm positive validation ($n)" +ret=0 +dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1 +dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1 +digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index 579e89aa0e..8ce5de630c 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py @@ -101,6 +101,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/example.bk", "ns3/expired.example.db", "ns3/expiring.example.db", + "ns3/extrabadkey.example.db", "ns3/future.example.db", "ns3/keyless.example.db", "ns3/kskonly.example.db", diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 12b2aed57c..809b7be911 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1176,7 +1176,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) { goto done; } dst_key_free(&val->key); - } else { + } else if (result != DST_R_UNSUPPORTEDALG) { + /* + * We can encounter unsupported algorithm when the zone + * is signed with both supported and unsupported + * algorithm at the same time. Stop looking in all + * other failure cases. + */ break; } dns_rdata_reset(&rdata);