From 5241c1b09b6ed406c44903e64ce4572b2fb5e7cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 1 Nov 2025 12:00:59 +0100
Subject: [PATCH] Add a system test with one good and one bad algorithm

The case where there would be one supported algorithm and one already unsupported (like RSAMD5 or RSASHA1) was missing.

(cherry picked from commit488d7bfc75f2988c6e461b8677bc0e27e58bd82e)
---
 bin/tests/system/dnssec/ns2/example.db.in | 4 +++
 bin/tests/system/dnssec/ns2/sign.sh | 3 ++-
 bin/tests/system/dnssec/ns3/named.conf.in | 6 +++++
 bin/tests/system/dnssec/ns3/sign.sh | 31 ++++++++++++++++++++++
 bin/tests/system/dnssec/ns3/template.db.in | 27 +++++++++++++++++++
 bin/tests/system/dnssec/tests.sh | 11 ++++++++
 bin/tests/system/dnssec/tests_sh_dnssec.py | 1 +
 7 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/dnssec/ns3/template.db.in

diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 72e3c1fffa..78298c538d 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -180,4 +180,8 @@ ns.rsasha1 A 10.53.0.3
 rsasha1-1024 NS ns.rsasha1-1024
 ns.rsasha1-1024 A 10.53.0.3
+; A secure subdomain with extra bad key
+extrabadkey NS ns3.extrabadkey
+ns3.extrabadkey A 10.53.0.3
+
 dname-at-apex-nsec3 NS ns3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 501d6a3899..634bbc16a8 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -63,7 +63,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
 ttlpatch split-dnssec split-smart expired expiring upper lower \
 dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
 dnskey-nsec3-unknown managed-future future revkey \
- dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
+ dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
+ extrabadkey; do
 cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 5eba816b79..cce50264e9 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -133,6 +133,12 @@ zone "insecure2.example" {
 allow-update { any; };
 };
+zone "extrabadkey.example" {
+ type primary;
+ file "extrabadkey.example.db.signed";
+ allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
 type primary;
 file "insecure.nsec3.example.db";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 350a504a13..7488053d3c 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -726,3 +726,34 @@ zone=rsasha1-1024.example
 zonefile=rsasha1-1024.example.db
 awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" \
 | $DSFROMKEY -f - "$zone" >"dsset-${zone}."
+
+#
+#
+#
+zone=extrabadkey.example.
+infile=template.db.in
+zonefile=extrabadkey.example.db
+
+# Add KSK and ZSK that we will mangle to RSAMD5
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Mangle the signatures to RSAMD5 and save them for future use
+sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" <"$zonefile.signed" >"$zonefile.signed.rsamd5"
+
+# Now add normal KSK and ZSK to the zone file
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
+cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile"
+
+# Sign normally
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Add the mangled signatures to signed zone file
+cat "$zonefile.signed.rsamd5" >>"$zonefile.signed"
+rm "$zonefile.signed.rsamd5"
diff --git a/bin/tests/system/dnssec/ns3/template.db.in b/bin/tests/system/dnssec/ns3/template.db.in
new file mode 100644
index 0000000000..f603e448ff
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/template.db.in
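Review bot: The algorithm-1 DNSKEY records appended by the `cat "$ksk.key" "$zsk.key" | sed ... >>"$zonefile"` line are copies of the second ("normal") key pair, because `ksk`/`zsk` are reassigned in the "Now add normal KSK and ZSK" block before that line runs, whereas the algorithm-1 RRSIGs saved in `$zonefile.signed.rsamd5` were produced by the first pair; the mangled RRSIGs therefore presumably carry key tags that match no DNSKEY in the published RRset, which looks unintended given the "that we will mangle to RSAMD5" comment on the first pair. If the goal is one coherent-looking RSAMD5 key set next to the supported one, keep the first pair in its own variables and mangle those. The three empty `#` lines at the top of the section should carry a header like the other zone sections, e.g. `# extrabadkey.example: one supported algorithm plus DNSKEY/RRSIG records mangled to algorithm 1 (RSAMD5)`. Both `$SIGNER` invocations discard stderr, so a failed signing pass would only surface later as an empty `.rsamd5` file rather than as an error from this script.
```shell
# Add KSK and ZSK that we will mangle to RSAMD5
badksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
badzsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
cat "$infile" "$badksk.key" "$badzsk.key" >"$zonefile"
# … unchanged: first signing pass, RRSIG mangling, normal KSK/ZSK generation …
# Mangle the first pair's DNSKEY algorithm numbers and add them to the zone file
cat "$badksk.key" "$badzsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile"
```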
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+a.b A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 991ad54e88..102f113842 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4797,5 +4797,16 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+echo_i "checking extra-bad-algorithm positive validation ($n)"
+ret=0
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1
+digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index 7cd2633fe3..a824ee7ef9 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
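Review bot: The new tests.sh check only asserts that a.extrabadkey.example validates (NOERROR with the ad flag from 10.53.0.4), so it would pass just as well if the mangling in ns3/sign.sh had produced no algorithm-1 records and the zone were an ordinary signed zone; nothing in the hunk confirms the unsupported algorithm is actually present. A DNSKEY query against the authoritative server with a grep for the algorithm-1 keys would pin that down, e.g. `dig_with_opts extrabadkey.example. @10.53.0.3 DNSKEY >dig.out.ns3.dnskey.test$n || ret=1` followed by `grep "DNSKEY[[:space:]]*25[67] 3 1 " dig.out.ns3.dnskey.test$n >/dev/null || ret=1`. The failure report also uses `test "$ret" -eq 0 || echo_i "failed"` while the preceding check, visible as the hunk's first context line, uses `if [ "$ret" -ne 0 ]; then echo_i "failed"; fi`; matching the existing form keeps the file consistent.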
@@ -100,6 +100,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/example.bk",
 "ns3/expired.example.db",
 "ns3/expiring.example.db",
+ "ns3/extrabadkey.example.db",
 "ns3/future.example.db",
 "ns3/keyless.example.db",
 "ns3/kskonly.example.db",