Test extended DS digest type support

Add a zone using DS records that embed the private algorithm
identifier in the digest field.  There are 2 DS record for an
unsupported DNSSEC algorithm one of which that doesn't have a
matching DNSKEY.  This zone should validate as insecure as the
validator can establish that both DS records are for unsupported
DNSSEC algorithms.

bin/tests/system/dnssec/ns2/example.db.in

@@ -196,3 +196,6 @@ ns.extradsoid		A	10.53.0.3
 
 extradsunknownoid	NS	ns.extradsunknownoid
 ns.extradsunknownoid	A	10.53.0.3
+
+extended-ds-unknown-oid	NS	ns.extended-ds-unknown-oid
+ns.extended-ds-unknown-oid A	10.53.0.3

bin/tests/system/dnssec/ns2/sign.sh

@@ -66,7 +66,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
   dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
   dnskey-nsec3-unknown managed-future future revkey \
   dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
-  rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid; do
+  rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid \
+  extended-ds-unknown-oid; do
   cp "../ns3/dsset-$subdomain.example." .
 done
 

bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a

bin/tests/system/dnssec/ns3/named.conf.in

@@ -459,6 +459,11 @@ zone "extradsunknownoid.example" {
         file "extradsunknownoid.example.db.signed";
 };
 
+zone "extended-ds-unknown-oid.example" {
+        type primary;
+        file "extended-ds-unknown-oid.example.db.signed";
+};
+
 dnssec-policy "siginterval1" {
 	keys {
 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;

bin/tests/system/dnssec/ns3/sign.sh

@@ -528,6 +528,42 @@ keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
 # add the resulting DS to the dsset.
 sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zone" >>"dsset-${zone}."
 
+#
+# A UNKNOWNOID with an extra DS zone.  Sign the zone using RSASHA512OID
+# then update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14.  Add an additional DS with an extended digest
+# type that encoded the DNSKEY's private type identifier which does not
+# match the DNSKEY RRset with using this unknown OID.
+#
+zone=extended-ds-unknown-oid.example
+infile=extended-ds-unknown-oid.example.db.in
+zonefile=extended-ds-unknown-oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* ${zone}./\1 ${tag} ${zone}./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+if $FEATURETEST --extended-ds-digest; then
+  # add a DS for a second key with the same algorithm
+  keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
+
+  # Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14 and
+  # add the resulting DS using digest type SHA-256-PRIVATE to the dsset.
+  sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -a SHA-256-PRIVATE -A -f - "$zone" >>"dsset-${zone}."
+fi
+
 #
 # A zone with the DNSKEY set only signed by the KSK
 #

bin/tests/system/dnssec/tests.sh

@@ -1020,6 +1020,20 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+if $FEATURETEST --extended-ds-digest; then
+  echo_i "checking positive validation with extra ds using extended digest type for unknown private algorithm succeeds ($n)"
+  ret=0
+  dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
+    @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+  dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
+    @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+  digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+  grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+  n=$((n + 1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status + ret))
+fi
+
 # Check the bogus domain
 
 echo_i "checking failed validation ($n)"

bin/tests/system/dnssec/tests_sh_dnssec.py

@@ -102,6 +102,9 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/example.bk",
         "ns3/expired.example.db",
         "ns3/expiring.example.db",
+        "ns3/extended-ds-unknown-oid.example.db",
+        "ns3/extended-ds-unknown-oid.example.db.stage1",
+        "ns3/extended-ds-unknown-oid.example.db.stage2",
         "ns3/extradsoid.example.db",
         "ns3/extradsunknownoid.example.db",
         "ns3/extradsunknownoid.example.db.stage1",