From 14abc1a3e753135c929af4260bc7c60fd66c95bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 1 Nov 2025 12:00:59 +0100
Subject: [PATCH 1/2] Add a system test with one good and one bad algorithm
The case where there would be one supported algorithm and one already unsupported (like RSAMD5 or RSASHA1) was missing.
(cherry picked from commit488d7bfc75f2988c6e461b8677bc0e27e58bd82e)
---
 bin/tests/system/dnssec/ns2/example.db.in | 3 +++
 bin/tests/system/dnssec/ns2/sign.sh | 2 +-
 bin/tests/system/dnssec/ns3/named.conf.in | 6 +++++
 bin/tests/system/dnssec/ns3/sign.sh | 31 ++++++++++++++++++++++
 bin/tests/system/dnssec/ns3/template.db.in | 27 +++++++++++++++++++
 bin/tests/system/dnssec/tests.sh | 11 ++++++++
 bin/tests/system/dnssec/tests_sh_dnssec.py | 1 +
 7 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/dnssec/ns3/template.db.in
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index f711f5823f..6035d72286 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -168,4 +168,7 @@ ns.managed-future A 10.53.0.3
 revkey NS ns.revkey
 ns.revkey A 10.53.0.3
+extrabadkey NS ns3.extrabadkey
+ns3.extrabadkey A 10.53.0.3
+
 dname-at-apex-nsec3 NS ns3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 318c31edad..1330d1112d 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -62,7 +62,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
 ttlpatch split-dnssec split-smart expired expiring upper lower \
 dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
 dnskey-nsec3-unknown managed-future revkey \
- dname-at-apex-nsec3 occluded; do
+ dname-at-apex-nsec3 occluded extrabadkey; do
 cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 680cff58d5..3536046319 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -84,6 +84,12 @@ zone "insecure2.example" {
 allow-update { any; };
 };
+zone "extrabadkey.example" {
+ type primary;
+ file "extrabadkey.example.db.signed";
+ allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
 type primary;
 file "insecure.nsec3.example.db";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 14fc709bfb..57a7e47f2f 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -673,3 +673,34 @@ $DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
 cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
 "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
 "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+
+#
+#
+#
+zone=extrabadkey.example.
+infile=template.db.in
+zonefile=extrabadkey.example.db
+
+# Add KSK and ZSK that we will mangle to RSAMD5
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Mangle the signatures to RSAMD5 and save them for future use
+sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" <"$zonefile.signed" >"$zonefile.signed.rsamd5"
+
+# Now add normal KSK and ZSK to the zone file
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
+cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile"
+
+# Sign normally
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Add the mangled signatures to signed zone file
+cat "$zonefile.signed.rsamd5" >>"$zonefile.signed"
+rm "$zonefile.signed.rsamd5"
diff --git a/bin/tests/system/dnssec/ns3/template.db.in b/bin/tests/system/dnssec/ns3/template.db.in
new file mode 100644
index 0000000000..f603e448ff
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/template.db.in
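Review bot: The comment `# Mangle the DNSKEY algorithm numbers and add them to the signed zone file` does not match the line under it, which appends to the unsigned input with `>>"$zonefile"`; `# Mangle the DNSKEY algorithm numbers and add them to the zone file before signing` describes what actually happens. The three empty `#` lines opening the block read as a header that was never filled in; a one-sentence description would help, e.g. `# extrabadkey.example: signed with $DEFAULT_ALGORITHM plus a second KSK/ZSK pair whose DNSKEY and RRSIG algorithm fields are rewritten to 1 (RSAMD5), so validators see one supported and one unsupported algorithm in the same zone.` Both new `$SIGNER` invocations send stderr to /dev/null via `2>&1`, unlike the `"$SIGNER" -P ... >/dev/null` context line just above, so a signing failure leaves a partial zone file and nothing in the setup log; dropping `2>&1` keeps the error visible. The first key pair exists only to produce the signatures that get mangled, and its `.key`/`.private` files remain in the directory after the block; saying so in the comment, or removing them, spares the next reader a search for where they are used.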
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+a.b A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 05f7d769fd..738bc6603c 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4631,5 +4631,16 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+echo_i "checking extra-bad-algorithm positive validation ($n)"
+ret=0
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1
+digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index 579e89aa0e..8ce5de630c 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
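Review bot: The failure report on the new tests.sh block is `test "$ret" -eq 0 || echo_i "failed"`, while the context line just above it (and the rest of the file, as far as this hunk shows) uses `if [ "$ret" -ne 0 ]; then echo_i "failed"; fi`; using the existing form keeps the per-test blocks uniform and easy to grep. The block also gives no hint of what the fixture contains, so a reader has to open ns3/sign.sh to see why the `ad` flag is expected; a comment such as `# extrabadkey.example carries DNSKEYs and RRSIGs for both the supported algorithm and RSAMD5 (alg 1); validation must succeed via the supported key` before the `echo_i` line would make the test self-explanatory. As written the check covers only the positive path (NOERROR plus `ad` from 10.53.0.4 on the same answer as 10.53.0.3), which matches the commit's stated scope.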
@@ -101,6 +101,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/example.bk",
 "ns3/expired.example.db",
 "ns3/expiring.example.db",
+ "ns3/extrabadkey.example.db",
 "ns3/future.example.db",
 "ns3/keyless.example.db",
 "ns3/kskonly.example.db",
From e47f8104669ca9d3c608e2c6a76357326d482799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 4 Nov 2025 02:09:38 +0100
Subject: [PATCH 2/2] Skip unsupported algorithms when looking for signing key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When looking for a signing key in select_signing_key(), the result code indicating unsupported algorithm would abort the search. Instead, skip such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan
Co-Authored-By: Petr Menšík
(cherry picked from commit a94a7c1a1e6eecbead995a08bace33d23899a5da)
---
 lib/dns/validator.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 12b2aed57c..809b7be911 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1176,7 +1176,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 goto done;
 }
 dst_key_free(&val->key);
- } else {
+ } else if (result != DST_R_UNSUPPORTEDALG) {
+ /*
+ * We can encounter unsupported algorithm when the zone
+ * is signed with both supported and unsupported
+ * algorithm at the same time. Stop looking in all
+ * other failure cases.
+ */
 break;
 }
 dns_rdata_reset(&rdata);
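Review bot: The new `else if (result != DST_R_UNSUPPORTEDALG)` branch skips a DNSKEY with an unsupported algorithm without leaving any trace, so an operator debugging a zone that mixes a supported and a retired algorithm (exactly the case the comment describes) sees no log line for the skipped key; a debug-level message at that point, using the file's validator_log() helper if it is in scope here, would make the skip observable, e.g. `validator_log(val, ISC_LOG_DEBUG(3), "skipping DNSKEY with unsupported algorithm");` just before the closing brace of the branch. The comment would also read better if it stated the consequence rather than only the situation: `Skip a DNSKEY whose algorithm is unsupported: a zone may be signed with a supported and an unsupported algorithm at the same time, and the usable key may come later in the RRset. Any other failure ends the search.` select_signing_key() starts and ends outside the hunk, so these lines alone do not show how `result` leaves the loop; it is worth confirming that a trailing DST_R_UNSUPPORTEDALG from the last key examined cannot become the function's return value in place of a not-found result.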