[9.20] chg: usr: Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1

RSASHA1 and RSASHA1-NSEC3-SHA1 DNSKEY algorithms have been deprecated
by the IETF and should no longer be used for DNSSEC. DS digest type
1 (SHA1) has also been deprecated. Validators are now expected
to treat these algorithms and this digest type as unknown, resulting in
some zones being treated as insecure when they were previously treated
as secure. Warnings have been added to named and the tools when these
algorithms or this digest type are being used for signing.

Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated
to a different DNSKEY algorithm. 

Zones with DS or CDS records with digest type 1 (SHA1) should be
updated to use a different digest type (e.g. SHA256) and the digest
type 1 records should be removed.

Related to #5358

Backport of MR !10559

Merge branch 'backport-5358-add-sha1-deprecation-warnings-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10738
Mark Andrews 2025-07-16 09:31:28 +10:00
commit 5aefaa4b97
21 changed files with 800 additions and 98 deletions


@ -32,6 +32,12 @@ Files: **/*.after*
bin/tests/system/checkzone/zones/bad-caa-rr.db
bin/tests/system/checkzone/zones/bad1.db
bin/tests/system/checkzone/zones/crashzone.db
bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db
bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db
bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db
bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db
bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db
bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db
bin/tests/system/dnstap/large-answer.fstrm
bin/tests/system/doth/CA/CA.cfg
bin/tests/system/doth/CA/README


@ -318,6 +318,11 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) {
n = sizeof(dtype) / sizeof(dtype[0]);
for (i = 0; i < n; i++) {
if (dtype[i] == DNS_DSDIGEST_SHA1) {
fprintf(stderr,
"WARNING: DS digest type %u is deprecated\n",
i);
}
if (dtype[i] != 0) {
emit(dtype[i], showall, cds, rdata);
}
@ -336,10 +341,10 @@ usage(void) {
fprintf(stderr, " %s [-h|-V]\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "Options:\n"
" -1: digest algorithm SHA-1\n"
" -1: digest algorithm SHA-1 (deprecated)\n"
" -2: digest algorithm SHA-256\n"
" -a algorithm: digest algorithm (SHA-1, SHA-256 or "
"SHA-384)\n"
" -a algorithm: digest algorithm (SHA-1 "
"(deprecated), SHA-256 or SHA-384)\n"
" -A: include all keys in DS set, not just KSKs (-f "
"only)\n"
" -c class: rdata class for DS set (default IN) (-f "
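Review bot: The deprecation warning added to emits() prints the loop index rather than the digest type: the `fprintf` inside the `for` loop is reached only when `dtype[i] == DNS_DSDIGEST_SHA1`, yet it passes `i`, so the message reports the position of the SHA-1 entry in the option list (0, 1, ...) instead of the digest type value 1. Use the array element, `fprintf(stderr, "WARNING: DS digest type %u is deprecated\n", dtype[i]);`, and keep the `%u` specifier consistent with the promoted type of dtype's elements. Because the same digest can be listed more than once, the warning will be repeated per occurrence; if that is unwanted, track a `warned` flag or hoist the check out of the loop. emits() begins and ends outside the hunk.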


@ -32,30 +32,34 @@ Synopsis
Description
~~~~~~~~~~~
The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the :option:`-C` option.
The :program:`dnssec-dsfromkey` command outputs DS (Delegation
Signer) resource records (RRs), or CDS (Child DS) RRs with the
:option:`-C` option.
By default, only KSKs are converted (keys with flags = 257). The
:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never
included.
:option:`-A` option includes ZSKs (flags = 256). Revoked keys are
never included.
The input keys can be specified in a number of ways:
By default, :program:`dnssec-dsfromkey` reads a key file named in the format
``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`.
By default, :program:`dnssec-dsfromkey` reads a key file named in
the format ``Knnnn.+aaa+iiiii.key``, as generated by
:iscman:`dnssec-keygen`.
With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).
With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey`
reads keys from a zone file or partial zone file (which can contain
just the DNSKEY records).
With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file,
as generated by :iscman:`dnssec-keygen` :option:`-C`.
With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a
``keyset-`` file, as generated by :iscman:`dnssec-keygen` :option:`-C`.
Options
~~~~~~~
.. option:: -1
This option is an abbreviation for :option:`-a SHA1 <-a>`.
This option is an abbreviation for :option:`-a SHA1 <-a>`. This
digest is deprecated.
.. option:: -2
@ -63,24 +67,26 @@ Options
.. option:: -a algorithm
This option specifies a digest algorithm to use when converting DNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each DNSKEY record.
This option specifies a digest algorithm to use when converting
DNSKEY records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY record.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
are case-insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA-256.
The algorithm must be one of SHA-1 (deprecated), SHA-256, or
SHA-384. These values are case-insensitive, and the hyphen may
be omitted. If no algorithm is specified, the default is SHA-256.
.. option:: -A
This option indicates that ZSKs are to be included when generating DS records. Without this option, only
keys which have the KSK flag set are converted to DS records and
printed. This option is only useful in :option:`-f` zone file mode.
This option indicates that ZSKs are to be included when generating
DS records. Without this option, only keys which have the KSK
flag set are converted to DS records and printed. This option
is only useful in :option:`-f` zone file mode.
.. option:: -c class
This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset
or :option:`-f` zone file mode.
This option specifies the DNS class; the default is IN. This
option is only useful in :option:`-s` keyset or :option:`-f`
zone file mode.
.. option:: -C
@ -88,10 +94,10 @@ Options
.. option:: -f file
This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the
DNS domain name of a zone whose master file can be read from
``file``. If the zone name is the same as ``file``, then it may be
omitted.
This option sets zone file mode, in which the final dnsname
argument of :program:`dnssec-dsfromkey` is the DNS domain name
of a zone whose master file can be read from ``file``. If the
zone name is the same as ``file``, then it may be omitted.
If ``file`` is ``-``, then the zone data is read from the standard
input. This makes it possible to use the output of the :iscman:`dig`
@ -105,16 +111,19 @@ Options
.. option:: -K directory
This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
This option tells BIND 9 to look for key files or ``keyset-``
files in ``directory``.
.. option:: -s
This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS
domain name used to locate a ``keyset-`` file.
This option enables keyset mode, in which the final dnsname
argument from :program:`dnssec-dsfromkey` is the DNS domain name
used to locate a ``keyset-`` file.
.. option:: -T TTL
This option specifies the TTL of the DS records. By default the TTL is omitted.
This option specifies the TTL of the DS records. By default the
TTL is omitted.
.. option:: -v level


@ -58,8 +58,8 @@ usage(void) {
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
" RSASHA1 |\n"
" NSEC3RSASHA1 |\n"
" RSASHA1 (deprecated) |\n"
" NSEC3RSASHA1 (deprecated) |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
" ED25519 | ED448\n");
@ -582,6 +582,21 @@ main(int argc, char **argv) {
fatal("invalid DNSKEY nametype %s", nametype);
}
switch (alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1: {
char algstr[DNS_SECALG_FORMATSIZE];
dns_secalg_format(alg, algstr, sizeof(algstr));
fprintf(stderr,
"WARNING: DNSKEY algorithm '%s' is deprecated. Please "
"migrate to another algorithm\n",
algstr);
break;
}
default:
break;
}
rdclass = strtoclass(classname);
if (directory == NULL) {
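Review bot: The warning block added to main() (the `dns_secalg_format` call followed by `"WARNING: DNSKEY algorithm '%s' is deprecated. Please migrate to another algorithm\n"`) is duplicated verbatim in the keygen() hunk of dnssec-keygen.c in this same commit. A small shared helper that takes the algorithm number and prints the formatted warning would keep the two tools' wording in sync and give a single place to extend when the deprecated set changes. Unlike the dnssec-keygen.c hunk, this one does not pair the warning with an `isc_fips_mode()` rejection of SHA-1-based algorithms; whether that check is made elsewhere in main() cannot be seen from here. main() begins and ends outside the hunk.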


@ -41,27 +41,31 @@ Options
.. option:: -a algorithm
This option selects the cryptographic algorithm. The value of ``algorithm`` must
be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
This option selects the cryptographic algorithm. The value of
``algorithm`` must be one of RSASHA1 (deprecated), NSEC3RSASHA1
(deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384,
ED25519, or ED448.
These values are case-insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
option, then NSEC3RSASHA1 is used instead.
These values are case-insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384
for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along
with the :option:`-3` option, then NSEC3RSASHA1 (deprecated) is
used instead.
This option is mandatory except when using the
:option:`-S` option, which copies the algorithm from the predecessory key.
This option is mandatory except when using the :option:`-S`
option, which copies the algorithm from the predecessory key.
.. versionchanged:: 9.12.0
The default value RSASHA1 for newly generated keys was removed.
The default value RSASHA1 (deprecated) for newly generated
keys was removed.
.. option:: -3
This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used with an algorithm that has both NSEC and NSEC3
versions, then the NSEC3 version is used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
This option uses an NSEC3-capable algorithm to generate a DNSSEC
key. If this option is used with an algorithm that has both NSEC
and NSEC3 versions, then the NSEC3 version is used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1
(deprecated) algorithm.
.. option:: -E engine


@ -152,7 +152,8 @@ usage(void) {
"statement\n");
fprintf(stderr, " -a <algorithm>:\n");
if (!isc_fips_mode()) {
fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
fprintf(stderr, " RSASHA1 (deprecated) | NSEC3RSASHA1 "
"(deprecated) |\n");
}
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
@ -160,10 +161,11 @@ usage(void) {
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
if (!isc_fips_mode()) {
fprintf(stderr, " RSASHA1:\t[%d..%d]\n", min_rsa,
MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[%d..%d]\n", min_rsa,
MAX_RSA);
fprintf(stderr, " RSASHA1 (deprecated) :\t[%d..%d]\n",
min_rsa, MAX_RSA);
fprintf(stderr,
" NSEC3RSASHA1 (deprecated) :\t[%d..%d]\n",
min_rsa, MAX_RSA);
}
fprintf(stderr, " RSASHA256:\t[%d..%d]\n", min_rsa, MAX_RSA);
fprintf(stderr, " RSASHA512:\t[%d..%d]\n", min_rsa, MAX_RSA);
@ -502,14 +504,27 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
}
switch (ctx->alg) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
dns_secalg_format(ctx->alg, algstr, sizeof(algstr));
fprintf(stderr,
"WARNING: DNSKEY algorithm '%s' is deprecated. Please "
"migrate to another algorithm\n",
algstr);
break;
default:
break;
}
switch (ctx->alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
if (isc_fips_mode()) {
fatal("SHA1 based keys not supported in FIPS mode");
}
FALLTHROUGH;
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
if (ctx->size != 0 &&
(ctx->size < min_rsa || ctx->size > MAX_RSA))
{
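Review bot: keygen() now runs two consecutive `switch (ctx->alg)` statements over the same `DST_ALG_RSASHA1`/`DST_ALG_NSEC3RSASHA1` cases, the first only to print the deprecation warning and the second to enforce the FIPS and key-size rules, so the algorithm policy is split across two places. In FIPS mode the user first sees the deprecation warning and then `fatal("SHA1 based keys not supported in FIPS mode")`, which makes the warning noise in that path. Consider moving the `dns_secalg_format`/`fprintf` pair into the RSASHA1/NSEC3RSASHA1 arm of the second switch, after the `isc_fips_mode()` check and before `FALLTHROUGH;`, and dropping the first switch. The hunk does not show where `algstr` is declared; keygen() begins and ends outside the hunk.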


@ -38,21 +38,24 @@ Options
.. option:: -3
This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used with an algorithm that has both NSEC and NSEC3
versions, then the NSEC3 version is selected; for example,
``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
This option uses an NSEC3-capable algorithm to generate a DNSSEC
key. If this option is used with an algorithm that has both NSEC
and NSEC3 versions, then the NSEC3 version is selected; for
example, ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1
(deprecated) algorithm.
.. option:: -a algorithm
This option selects the cryptographic algorithm. For DNSSEC keys, the value of
``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
This option selects the cryptographic algorithm. For DNSSEC keys,
the value of ``algorithm`` must be one of RSASHA1 (deprecated),
NSEC3RSASHA1 (deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256,
ECDSAP384SHA384, ED25519, or ED448.
These values are case-insensitive. In some cases, abbreviations are
supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
option, NSEC3RSASHA1 is used instead.
These values are case-insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384
for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along
with the :option:`-3` option, NSEC3RSASHA1 (deprecated) is used
instead.
This parameter *must* be specified except when using the :option:`-S`
option, which copies the algorithm from the predecessor key.


@ -0,0 +1,19 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy deprecated {
cds-digest-types { sha1; };
keys {
csk lifetime unlimited algorithm ecdsa256;
};
};


@ -0,0 +1,20 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy deprecated {
cds-digest-types { sha1; };
keys {
csk lifetime unlimited algorithm rsasha1;
csk lifetime unlimited algorithm nsec3rsasha1;
};
};


@ -647,7 +647,7 @@ if [ $RSASHA1_SUPPORTED = 0 ]; then
expect=2
else
conf=kasp-bad-nsec3-iter.conf
expect=3
expect=5
fi
$CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1
@ -726,6 +726,20 @@ if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp deprecated algorithms and digests ($n)"
ret=0
if [ $RSASHA1_SUPPORTED = 0 ]; then
$CHECKCONF kasp-deprecated-fips.conf >checkconf.out$n 2>&1 || ret=1
else
$CHECKCONF kasp-deprecated.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: DNSSEC algorithm rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: DNSSEC algorithm nsec3rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
fi
grep "dnssec-policy: deprecated CDS digest-type sha1" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
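Review bot: The change from `expect=3` to `expect=5` in the RSASHA1-supported branch is a bare count with nothing saying which two additional lines are now expected; presumably kasp-bad-nsec3-iter.conf uses rsasha1/nsec3rsasha1 keys and now also emits the two "DNSSEC algorithm ... is deprecated" warnings, but that has to be inferred from the test added further down. A comment on that line, `# 2 extra lines: deprecation warnings for rsasha1 and nsec3rsasha1`, would tie the count to its cause. In the new block, the FIPS branch only checks that kasp-deprecated-fips.conf is accepted, and the CDS digest-type grep after the `fi` covers both branches, which matches both configs carrying `cds-digest-types { sha1; }`. The `if [ $RSASHA1_SUPPORTED = 0 ]` statement of the first hunk begins outside the hunk.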


@ -139,28 +139,28 @@ status=$((status + ret))
echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
ret=0
q=-q
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@ -207,10 +207,65 @@ ret=0
echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
$CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1
lines=$(grep -c CNAME test.out.$n)
echo $lines
[ "$lines" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Checking for RSASHA1 deprecated warning ($n)"
ret=0
$CHECKZONE example zones/warn.deprecated.rsasha1.db >test.out.$n || ret=1
grep "deprecated DNSKEY algorithm found: 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1
grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Checking for NSECRSASHA1 deprected warning ($n)"
ret=0
$CHECKZONE example zones/warn.deprecated.nsec3rsasha1.db >test.out.$n || ret=1
grep "deprecated DNSKEY algorithm found: 7 (NSEC3RSASHA1)" test.out.$n >/dev/null || ret=1
grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1
grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Checking for SHA1 CDS digest warning ($n)"
ret=0
$CHECKZONE example zones/warn.deprecated.cds-sha1.db >test.out.$n || ret=1
grep "zone example/IN: deprecated CDS digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1
grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Checking for SHA1 DS digest warning ($n)"
ret=0
$CHECKZONE example zones/warn.deprecated.digest-sha1.db >test.out.$n || ret=1
grep "zone example/IN: child.example/DS deprecated digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1
grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Checking for RSASHA1 DS algorithm warning ($n)"
ret=0
$CHECKZONE example zones/warn.deprecated.ds-alg.db >test.out.$n || ret=1
grep "zone example/IN: child.example/DS deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "Checking for RSASHA1 KEY algorithm warning ($n)"
ret=0
$CHECKZONE example zones/warn.deprecated.key-alg.db >test.out.$n || ret=1
grep "zone example/IN: example/KEY deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
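Review bot: The first new test, `echo_i "Checking for RSASHA1 deprecated warning ($n)"`, reuses the value of `n` from the preceding "checking integer overflow is prevented in $GENERATE" test, which never increments `n` (it was previously the last test), so both tests report the same number and the new test overwrites `test.out.$n`; add `n=$((n + 1))` immediately before that `echo_i`. The message at `echo_i "Checking for NSECRSASHA1 deprected warning ($n)"` misspells both the algorithm and "deprecated"; it should read `echo_i "Checking for NSEC3RSASHA1 deprecated warning ($n)"`. The existing tests in this script start their messages with a lowercase "checking", while the new ones use "Checking". The second hunk of this section is the one reviewed; the first only adds output redirection.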


@ -0,0 +1,44 @@
; File written on Wed Jul 2 14:27:34 2025
; dnssec-signzone version 9.21.3-dev
example. 3600 IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
3600 ; minimum (1 hour)
)
3600 RRSIG SOA 13 1 3600 (
20901231235959 20250630042051 46204 example.
iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP
4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd
PArExFsuaKcWgQ== )
3600 NS .
3600 RRSIG NS 13 1 3600 (
20901231235959 20250630042051 46204 example.
q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb
XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w
t+AfDiT2Mak9Lg== )
3600 NSEC example. NS SOA RRSIG NSEC DNSKEY CDS
3600 RRSIG NSEC 13 1 3600 (
20901231235959 20250702032734 46204 example.
aPkaoO9OMYZwldpUPJeqFZoGCc8XQcmQHig2
zJmp2Qv2QGRH1faoWosYy5jwQskxtpoyE0Eh
yxEoUhHZNCKogQ== )
3600 DNSKEY 256 3 13 (
Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x
joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE
5CT4INCzzeTuZQ==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204
3600 RRSIG DNSKEY 13 1 3600 (
20901231235959 20250630042051 46204 example.
KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx
9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa
OmTOsXrBWly7ng== )
3600 CDS 46204 13 1 (
712DD9926EDF2A5E81E76D3BC5F5637BEA06
2E67 )
3600 RRSIG CDS 13 1 3600 (
20901231235959 20250702032734 46204 example.
nS9qKdj0dfWNe6U0ttuKSMiKMhxLq4Yo6WPT
9j/cmjbaOdKO1DBoDxzZ7G4M34msvBcKq31L
mn8qUlrzSOfD9A== )


@ -0,0 +1,51 @@
; File written on Mon Jun 30 15:20:51 2025
; dnssec-signzone version 9.21.3-dev
example. 3600 IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
3600 ; minimum (1 hour)
)
3600 RRSIG SOA 13 1 3600 (
20901231235959 20250630042051 46204 example.
iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP
4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd
PArExFsuaKcWgQ== )
3600 NS .
3600 RRSIG NS 13 1 3600 (
20901231235959 20250630042051 46204 example.
q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb
XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w
t+AfDiT2Mak9Lg== )
3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 13 1 3600 (
20901231235959 20250630042051 46204 example.
jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB
KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2
YRVJGECc6/rdcg== )
3600 DNSKEY 256 3 13 (
Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x
joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE
5CT4INCzzeTuZQ==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204
3600 RRSIG DNSKEY 13 1 3600 (
20901231235959 20250630042051 46204 example.
KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx
9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa
OmTOsXrBWly7ng== )
child.example. 3600 IN NS .
3600 DS 30914 13 1 (
3FFB809FC091FDC931815B50E5DA9C00B5C1
454F )
3600 RRSIG DS 13 2 3600 (
20901231235959 20250630042051 46204 example.
5Y/jx0eePoUztptSLwE9DeY2GlVNVHSr3lF4
R8IajnK7zXs2QtoRIdmKwWZ1um1JICh59Xk7
R/BXFAbO6FMaPA== )
3600 NSEC example. NS DS RRSIG NSEC
3600 RRSIG NSEC 13 2 3600 (
20901231235959 20250630042051 46204 example.
A662/raRKle9b45C5douUufAne7iRtKw0u7C
gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT
7+Wv86G8MGt+3Q== )


@ -0,0 +1,51 @@
; File written on Wed Jul 2 12:22:09 2025
; dnssec-signzone version 9.21.3-dev
example. 3600 IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
3600 ; minimum (1 hour)
)
3600 RRSIG SOA 13 1 3600 (
20901231235959 20250630042051 46204 example.
iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP
4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd
PArExFsuaKcWgQ== )
3600 NS .
3600 RRSIG NS 13 1 3600 (
20901231235959 20250630042051 46204 example.
q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb
XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w
t+AfDiT2Mak9Lg== )
3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 13 1 3600 (
20901231235959 20250630042051 46204 example.
jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB
KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2
YRVJGECc6/rdcg== )
3600 DNSKEY 256 3 13 (
Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x
joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE
5CT4INCzzeTuZQ==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204
3600 RRSIG DNSKEY 13 1 3600 (
20901231235959 20250630042051 46204 example.
KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx
9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa
OmTOsXrBWly7ng== )
child.example. 3600 IN NS .
3600 DS 58246 5 2 (
641AFA5ACB8099E4E571585B7B9A416078FF
79D40D1C2E85F9179E28BF08D61D )
3600 RRSIG DS 13 2 3600 (
20901231235959 20250702012209 46204 example.
g17c5sfC0OAucFLA0n9C5EfPActxuPMpHN6G
spGmkkDUaU5UosWkdcapd20Yb29NaEKvJO3Q
Qn6K53MKtWt7zQ== )
3600 NSEC example. NS DS RRSIG NSEC
3600 RRSIG NSEC 13 2 3600 (
20901231235959 20250630042051 46204 example.
A662/raRKle9b45C5douUufAne7iRtKw0u7C
gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT
7+Wv86G8MGt+3Q== )


@ -0,0 +1,53 @@
; File written on Wed Jul 2 16:48:02 2025
; dnssec-signzone version 9.21.3-dev
example. 3600 IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
3600 ; minimum (1 hour)
)
3600 RRSIG SOA 13 1 3600 (
20901231235959 20250630042051 46204 example.
iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP
4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd
PArExFsuaKcWgQ== )
3600 NS .
3600 RRSIG NS 13 1 3600 (
20901231235959 20250630042051 46204 example.
q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb
XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w
t+AfDiT2Mak9Lg== )
3600 KEY 512 3 5 (
AwEAAZwLHbB7cjvlEt0evebAMsJtuNYXgiyt
qe3lu0RO/ChFdddyHv+O9M1zLrCnWMBSLHad
YHSXfG3BMyMAnBh7om+1pgrHCShlmMaxZ5cC
sug5buS3E8eVRVAf7Qje63owxm2iF3G9kKWY
FgfE+Ml5Uv7etHkmxqAmFb3jYuXzYWfMz1qY
rICsJnw7qcKzNphl71tDvJUYD5pDA7izhzs3
8tdDH8qMQgK/yNU3Q/RAOg2VRvYuwYOteCAx
6RB/z+rtNTKNbphrPrzSsekOurLo1B+AvDct
o/orbilbQ8qdq0cknKlqdMKuYcqQ1BbBMrdV
w1fBTLDwiFwiRBjYazPqPiE=
); alg = RSASHA1 ; key id = 13684
3600 RRSIG KEY 13 1 3600 (
20901231235959 20250702054802 46204 example.
GvfNtx1F8crebI/QrPb2meHplhSpAsIDqJ48
iMg6aT22mGBagR698GS+9ehg0ExMumfIDPSO
k/1wtwRKYqrKow== )
3600 NSEC example. NS SOA KEY RRSIG NSEC DNSKEY
3600 RRSIG NSEC 13 1 3600 (
20901231235959 20250702054802 46204 example.
Nah5tUuwQiiDKWpdgtqPp7LppMOoDUJkyTZB
pAzmbT8UA7kNJN2K5kfkLJgPqWAt4h2P0Ys1
9lkLcXqYUH0x5g== )
3600 DNSKEY 256 3 13 (
Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x
joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE
5CT4INCzzeTuZQ==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204
3600 RRSIG DNSKEY 13 1 3600 (
20901231235959 20250630042051 46204 example.
KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx
9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa
OmTOsXrBWly7ng== )


@ -0,0 +1,71 @@
; File written on Mon Jun 30 14:55:37 2025
; dnssec-signzone version 9.21.3-dev
example. 3600 IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
3600 ; minimum (1 hour)
)
3600 RRSIG SOA 7 1 3600 (
20901231235959 20250630035537 41424 example.
oqX2MaQSaMj2YPYWA/8echxn7QHBerVEs426
z8IJ88lv8Ih3Rrsldur6hXCieYI46wK3xOft
p0VMAw9iIK5T49PXnaf7+hdaIJFDTAvuhzco
e1IcdfmS26a6rRZHG8QKNjVjn/Du3J2gbdoB
ubyio+7BY45Mk1S0sb0QzkmfTRZodULfvlW7
BkmC9k0ixU1f1R+k26I0TJHYwH6Tw3O/0nPG
SkUKnIcgqjzXsnUN1XGR+gD9TVF8Hp+JYWCz
5fFTR733OiScIK+Xlon+ydg1GixW1rOR2MOP
lowGJIHeE8nDYEgncKv91wFCp1IRHjgN/6zg
c6JBClYMhe0RS66I6A== )
3600 NS .
3600 RRSIG NS 7 1 3600 (
20901231235959 20250630035411 41424 example.
pQUeJTZvpEPBZOdatA79eUE+qunKTasFyjgT
xB+hpvXujxFqf6FDs/TdfE9jGo5T8Rwb3Gu0
7+uo5ATwKuQL0TywDVm7DMj07iWoXpCGWge9
q+iZ9sVXTzGKbb+1f8w9b/E9qW/s9Uir/tZq
pPWhEgy61ip/pjkcyoIi3wQtffBMckApBgao
Nk6YPi0TSl3W+cQUDkT2BeCoZDHuhuvS+Z3x
URTu5FnqT3YPKJ5xb4N3mr4um4oI9sy+TJIj
yuSW/ie0Bzy8x8ha1capfhlbPsZI6SKe0ldR
vC9dr0gertISQzAnl9GqxFne6Ya5DyYHKye+
khVrRKAu2YIFRWYrOg== )
3600 NSEC example. NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 7 1 3600 (
20901231235959 20250630035537 41424 example.
IMgNRFY4qWHDFz/gWiXn6jrCSW4Az/5sE7ML
dyJgY8OHtM2Kq+ThRsgZn7gN47T7QJv8Dvc3
oYNRH7R6sjGJBZmfoqfdZmJOrR1bdKhHjhHR
0b3NuXlVAG7eqMu4eJvsKZCUTKxa3+iFStw/
pTsHWEVT9ozMaAfQdzM86Pq6x8VVQCRwuw9g
JWkjt0/4VGA/tTj713o0/7Ju0055wSVnFNvH
XaAW2PG9nRDyFvoOq1lFSFEPm9gXDFfDmTZn
40v+qIer/vPGMkHyizZAbZ0qnM7lwNAhDukz
catwpgsbpMWHrBUgnDCbxpzfl24n7wmHyCUa
ArewJH9UphjytrxHjw== )
3600 DNSKEY 256 3 7 (
AwEAAakdlaNNa6UNEKTh7g0TPBLuEecXezJ2
mz7kaBxIEx7t3IPxWymt5XezCtR7NilHW+zo
d42hzKrtqFilt5SBrsjnWr5ipczEySEYCtOz
Jx0P9xLj8MjCf5D6+elSY4zm9gtqlIo6ryhf
SuCJQ9XZOIFD10/8efr0HYxkc0N4msZhVcuB
yJ650Pjc0EFWEe2yseM+uXZCIc/0Q4OayMJA
5GEJwvq/POH/POU7HlQR5RKzT0babm4Jvmpx
F1jf7gSRL44LgVLl/m4fKjseK1w0shOxhrwc
gAXI5ZMpspN9Mnhy+HNemkw9xyw3XkAtcTuN
yUHvCLEyaklh6latwxFQTLM=
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 41424
3600 RRSIG DNSKEY 7 1 3600 (
20901231235959 20250630035411 41424 example.
G2lr1Q+xjDnefyPbxLTy0yZ8wUg1+GcaBb9H
7YX0FzZroRLTNr8SN2VYge4CbNZkTIC98dmV
TRwoBp4HbrWY5jDGT2oQS1zDc92dz0TuD0Ys
JMI2/IEVpA9wBcqsRssmAwzSuh4dMLqfMkrm
KzWk7CRNxqC1JXJ1MgbRCRuES22HGO3O7ZXZ
HjsFANBQt+7PebgdmAtS61RvztyJE+o6LyaA
qA9qawqYDBi7Lcar/U+arrfg77kQ8BmC+ZZV
toLkus9VsM9GShmMo2/KMu+PYWHKWUuHwRas
v9hSvLh/+b7mymssp/WtmX79a3WXlHovNP2v
Sh2S4RjDq4lFsyqTAA== )


@ -0,0 +1,71 @@
; File written on Mon Jun 30 14:57:52 2025
; dnssec-signzone version 9.21.3-dev
example. 3600 IN SOA . . (
0 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
3600 ; minimum (1 hour)
)
3600 RRSIG SOA 5 1 3600 (
20901231235959 20250630035752 3495 example.
gq16Xp8iCErMp/R6jdzvws3MMvWAMowfYOa5
K3Dwo3MXUruWhsDa4XjH3CJIk4LtSRDWcVSj
/STy/R4CEvz83/2VMjQ7L73hFZZNVrMHKrLi
SfRhnUueOHiYrv8sLM2ZHy0EYM/gULmcX51j
j0XJlSf9DfkT/nh3ZwqS+lD/RA+1Gg73xVkS
tRh5AZMWAGrjyBMOC0iW9qexqINmM0nR40K7
5L+17OL2Ay/Fp7zliN+g9bAEfgITQlFRO32Y
sZrPRguzavP5xad4m3GOCAQoTQJpnci7id2u
DhIwkh6+7Do3zjZOQy74IvbuPVUS5nVRiEd8
XqF3Z7hHMYWWCEdslw== )
3600 NS .
3600 RRSIG NS 5 1 3600 (
20901231235959 20250630034615 3495 example.
FrY8Bi8StW34PADKfVn2uPDIgDzbhyinoQDw
HjklP8PFXvl2VLhroGZy5EfoGQlC+eOL7Ffb
ZlKMvSOtGHpIIdqWg6GmGBWqCYoC3EoaFVXh
A2SBxOPdcbGbwzVk6MWnrpFRsxwMqX+7vjJg
eB7XVh1tZf90N6Yfswfy/UFf5Qbaj69gE7/7
Eu3lkNNsFr5UVLPU4K4/dzNalllZjZ++w68T
5Y97UmIJH+aXpNndibJU9c25F1/ou5NJLQQN
LxyWXIi1CRaF88sjQwXemO8xutnh2b3ULKI0
pelDtKThLWWYAMhgMnhr5HktL69++cMZiZ4z
3heBavJIPY2QTYOLZw== )
3600 NSEC example. NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 5 1 3600 (
20901231235959 20250630035752 3495 example.
N5mNbNXTSbLOya8baU6SaGao8bPquA4rO2hb
5mkYjM+wzAJRNKSrViA5Ev7iFJolXKM+NCV3
fpKtT+5v8mqhGZf80H1Z7inmAMX+Gz9B0YfO
yhmSTD7qnIgoxw+W/dFAeBx18XyCRDBRlGyj
2FEqZa46AVuDaYgQoUJLfM4SkOhbsDdDfQV1
uQinjRnhvOQEOd0wYRbqR7S8BMqppnahwyai
lH5tx8qsBVFTR7P8D5UlTfHCBM+d0VI5jXjt
45eCwzqQBTl4ot4Tbc/nGaUvPU5ffkW8fmsk
BygQeKd97xPnzK0tt1KJaYGTiqc3UgUId929
XniHMB6YmxkpIb2qrg== )
3600 DNSKEY 256 3 5 (
AwEAAZmABvQsJBvsRu2fMlU1CtN58u7+yO5x
ioxkg8O2mH29NDFoMKtxZKlk74+hT8m0aAKV
hqEywM9S2NaWEXctv2lF6t/f8E8YJkY+cnLb
iZmxuJmScxce8u32KlX0MiKN2JQHIokDTz7m
2AqUaLTnERyIXNUHJfHx1nzvhhz4G7TV41Pk
U1MSX3gCrgsSQ7IUzLOsyy6iQn4wFml+eXlO
qmypFvjRDhmjXAHms3nSOgDmDu6kF+9R0ccL
Lh4YAEYZlx2UoDigcEtRfMeYQwb76tC7xAkx
EEJAUo+oRkaw2in8kVjpwuXSWF5WlX+Cpie9
o3r+4EpI/IV6z63QO9zqMEE=
) ; ZSK; alg = RSASHA1 ; key id = 3495
3600 RRSIG DNSKEY 5 1 3600 (
20901231235959 20250630034615 3495 example.
gpKH6gf+47UNqMlTdtylpSW/yRNEyPtpj7Tu
Y939pwRPgQcPBscIwcZzezV0r4y2O5xMTKQ1
fQZTidfCwvessYTxYJYSjE1i+pChblLmqY/j
JNjwUv0nH9rs8ZSXRSFiqPsC7tl4jBQsD1N+
UdV3a/rEFCON1C+KirQlrdSq+/bAic0A4afZ
g746kgnLsNCu/FnVucfoOBGaAk6na9dYIt0+
l7IKI+4dg+tHsaGdRVv2h2JXO6g1I2LtCiIB
FlKxFDCrMFV9+xduLFNnNxVsvnK7RtlAAPo5
n4WBinbW5CpGJnc7n/0BknnecqZb63qkQgia
50FJvVZCJ4WTZ+Hh0g== )


@ -409,7 +409,7 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
}
/*
* NS, SOA and DNSSKEY records are signed by their owner.
* NS, SOA and DNSKEY records are signed by their owner.
* DS records are signed by the parent.
*/
switch (set->type) {


@ -23,6 +23,8 @@
#define DNS_DSDIGEST_GOST (3)
#define DNS_DSDIGEST_SHA384 (4)
#define DNS_DSDIGEST_MAX (255)
/*
* Assuming SHA-384 digest type.
*/


@ -3201,18 +3201,18 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
dns_rdata_mx_t mx;
dns_rdata_ns_t ns;
dns_rdata_in_srv_t srv;
dns_rdata_t rdata;
dns_name_t *name;
dns_name_t *bottom;
isc_result_t result;
bool ok = true, have_spf, have_txt;
int level;
char namebuf[DNS_NAME_FORMATSIZE];
bool logged_algorithm[DST_MAX_ALGS];
bool logged_digest_type[DNS_DSDIGEST_MAX + 1];
name = dns_fixedname_initname(&fixed);
bottom = dns_fixedname_initname(&fixedbottom);
dns_rdataset_init(&rdataset);
dns_rdata_init(&rdata);
result = dns_db_createiterator(db, 0, &dbiterator);
if (result != ISC_R_SUCCESS) {
@ -3238,6 +3238,55 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
dns_dbiterator_pause(dbiterator);
/*
* Check for deprecated KEY algorithms
*/
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_key,
0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS) {
goto checkforns;
}
memset(logged_algorithm, 0, sizeof(logged_algorithm));
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_key_t key;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
* If we ever deprecate a private algorithm use
* dst_algorithm_fromdata() here.
*/
switch (key.algorithm) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
if (!logged_algorithm[key.algorithm]) {
char algbuf[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namebuf,
sizeof(namebuf));
dns_secalg_format(key.algorithm, algbuf,
sizeof(algbuf));
dnssec_log(zone, ISC_LOG_WARNING,
"%s/KEY deprecated "
"algorithm %u (%s)",
namebuf, key.algorithm,
algbuf);
logged_algorithm[key.algorithm] = true;
}
break;
default:
break;
}
}
dns_rdataset_disassociate(&rdataset);
checkforns:
/*
* Don't check the NS records at the origin.
*/
@ -3250,6 +3299,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
if (result != ISC_R_SUCCESS) {
goto checkfords;
}
/*
* Remember bottom of zone due to NS.
*/
@ -3257,6 +3307,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &ns, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
@ -3267,6 +3318,74 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
result = dns_rdataset_next(&rdataset);
}
dns_rdataset_disassociate(&rdataset);
/*
* Check for deprecated DS digest types.
*/
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS) {
goto next;
}
memset(logged_algorithm, 0, sizeof(logged_algorithm));
memset(logged_digest_type, 0, sizeof(logged_digest_type));
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
dns_rdata_ds_t ds;
result = dns_rdata_tostruct(&rdata, &ds, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
switch (ds.digest_type) {
case DNS_DSDIGEST_SHA1:
case DNS_DSDIGEST_GOST:
if (!logged_digest_type[ds.digest_type]) {
char algbuf[DNS_DSDIGEST_FORMATSIZE];
dns_name_format(name, namebuf,
sizeof(namebuf));
dns_dsdigest_format(ds.digest_type,
algbuf,
sizeof(algbuf));
dnssec_log(zone, ISC_LOG_WARNING,
"%s/DS deprecated digest "
"type %u (%s)",
namebuf, ds.digest_type,
algbuf);
logged_digest_type[ds.digest_type] =
true;
}
break;
}
/*
* If we ever deprecate a private algorithm use
* dst_algorithm_fromdata() here.
*/
switch (ds.algorithm) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
if (!logged_algorithm[ds.algorithm]) {
char algbuf[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namebuf,
sizeof(namebuf));
dns_secalg_format(ds.algorithm, algbuf,
sizeof(algbuf));
dnssec_log(zone, ISC_LOG_WARNING,
"%s/DS deprecated algorithm "
"%u (%s)",
namebuf, ds.algorithm,
algbuf);
logged_algorithm[ds.algorithm] = true;
}
break;
}
}
dns_rdataset_disassociate(&rdataset);
goto next;
checkfords:
@ -3306,6 +3425,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
}
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &mx, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
@ -3328,6 +3448,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
}
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &srv, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
@ -3364,6 +3485,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
}
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
have_txt = isspf(&rdata);
dns_rdata_reset(&rdata);
@ -3408,9 +3530,10 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
dns_dbnode_t *node = NULL;
dns_dbversion_t *version = NULL;
dns_rdata_dnskey_t dnskey;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
isc_result_t result;
bool logged_algorithm[DST_MAX_ALGS] = { 0 };
bool alldeprecated = true;
result = dns_db_findnode(db, &zone->origin, false, &node);
if (result != ISC_R_SUCCESS) {
@ -3428,6 +3551,8 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
char algbuf[DNS_SECALG_FORMATSIZE];
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
INSIST(result == ISC_R_SUCCESS);
@ -3469,10 +3594,36 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
algorithm, dnskey.algorithm,
dst_region_computeid(&r));
}
dns_rdata_reset(&rdata);
switch (dnskey.algorithm) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_DSA:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3DSA:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_ECCGOST:
if (!logged_algorithm[dnskey.algorithm]) {
dns_secalg_format(dnskey.algorithm, algbuf,
sizeof(algbuf));
dnssec_log(zone, ISC_LOG_WARNING,
"deprecated DNSKEY algorithm found: "
"%u (%s)\n",
dnskey.algorithm, algbuf);
logged_algorithm[dnskey.algorithm] = true;
}
break;
default:
alldeprecated = false;
break;
}
}
dns_rdataset_disassociate(&rdataset);
if (alldeprecated) {
dnssec_log(zone, ISC_LOG_WARNING,
"all DNSKEY algorithms found are deprecated");
}
cleanup:
if (node != NULL) {
dns_db_detachnode(db, &node);
@ -23155,6 +23306,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
* record which must be by itself.
*/
if (dns_rdataset_isassociated(&cds)) {
bool logged_digest_type[DNS_DSDIGEST_MAX + 1] = { 0 };
bool delete = false;
memset(algorithms, notexpected, sizeof(algorithms));
for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS;
@ -23182,6 +23334,30 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
}
CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
/*
* Log deprecated CDS digest types.
*/
switch (structcds.digest_type) {
case DNS_DSDIGEST_SHA1:
case DNS_DSDIGEST_GOST:
if (!logged_digest_type[structcds.digest_type])
{
char algbuf[DNS_DSDIGEST_FORMATSIZE];
dns_dsdigest_format(
structcds.digest_type, algbuf,
sizeof(algbuf));
dnssec_log(zone, ISC_LOG_WARNING,
"deprecated CDS digest type "
"%u (%s)",
structcds.digest_type,
algbuf);
logged_digest_type[structcds.digest_type] =
true;
}
break;
}
if (algorithms[structcds.algorithm] == 0) {
algorithms[structcds.algorithm] = expected;
}
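Review bot: The DNSKEY deprecation warning in zone_check_dnskeys ends its format string with a newline, `"%u (%s)\n"`, which none of the other dnssec_log() calls added in this commit do (`"%s/KEY deprecated algorithm %u (%s)"`, `"%s/DS deprecated digest type %u (%s)"`, `"all DNSKEY algorithms found are deprecated"`); since the logging layer presumably terminates lines itself, the trailing `\n` will likely leave a blank or escaped line in the log and should be dropped. In the DS loop of integrity_checks the two switches on ds.digest_type and ds.algorithm have no `default:` arm, unlike the KEY and DNSKEY switches in the same commit; adding `default: break;` to both keeps them consistent. The KEY and DS checks warn only on RSASHA1 and NSEC3RSASHA1 whereas the DNSKEY check also covers RSAMD5, DSA, NSEC3DSA and ECCGOST; if that narrower set is intentional, a one-line comment saying so would spare the next reader the question. Every hunk in this section starts and ends outside its enclosing function.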


@ -252,6 +252,18 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
goto cleanup;
}
switch (key->algorithm) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"dnssec-policy: DNSSEC algorithm %s is "
"deprecated",
alg.base);
break;
default:
break;
}
obj = cfg_tuple_get(config, "length");
if (cfg_obj_isuint32(obj)) {
uint32_t min, size;
@ -432,6 +444,12 @@ add_digest(dns_kasp_t *kasp, const cfg_obj_t *digest, isc_log_t *logctx) {
str);
result = DST_R_UNSUPPORTEDALG;
} else {
if (alg == DNS_DSDIGEST_SHA1) {
cfg_obj_log(
digest, logctx, ISC_LOG_WARNING,
"dnssec-policy: deprecated CDS digest-type %s",
str);
}
dns_kasp_adddigest(kasp, alg);
}
return result;
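Review bot: add_digest warns only when `alg == DNS_DSDIGEST_SHA1`, while the zone-side checks added in this commit (dns_zone_cdscheck and the DS loop in integrity_checks) treat DNS_DSDIGEST_GOST as deprecated as well; if GOST can reach this else branch, the policy parser should warn on it too, `if (alg == DNS_DSDIGEST_SHA1 || alg == DNS_DSDIGEST_GOST) {`, and if it cannot, a short comment saying why SHA1 alone is checked here would remove the apparent mismatch. The message wording also differs slightly from zone.c ("deprecated CDS digest-type %s" here versus "deprecated CDS digest type %u (%s)" there), which makes the two warnings harder to correlate in logs. The closing brace of add_digest lies outside the hunk.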