diff --git a/.reuse/dep5 b/.reuse/dep5 index 455488977b..3396507cff 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -32,6 +32,12 @@ Files: **/*.after* bin/tests/system/checkzone/zones/bad-caa-rr.db bin/tests/system/checkzone/zones/bad1.db bin/tests/system/checkzone/zones/crashzone.db + bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db + bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db + bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db + bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db + bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db + bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db bin/tests/system/dnstap/large-answer.fstrm bin/tests/system/doth/CA/CA.cfg bin/tests/system/doth/CA/README diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index f20eb1a9de..13d4e5c190 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -318,6 +318,11 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) { n = sizeof(dtype) / sizeof(dtype[0]); for (i = 0; i < n; i++) { + if (dtype[i] == DNS_DSDIGEST_SHA1) { + fprintf(stderr, + "WARNING: DS digest type %u is deprecated\n", + i); + } if (dtype[i] != 0) { emit(dtype[i], showall, cds, rdata); } @@ -336,10 +341,10 @@ usage(void) { fprintf(stderr, " %s [-h|-V]\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "Options:\n" - " -1: digest algorithm SHA-1\n" + " -1: digest algorithm SHA-1 (deprecated)\n" " -2: digest algorithm SHA-256\n" - " -a algorithm: digest algorithm (SHA-1, SHA-256 or " - "SHA-384)\n" + " -a algorithm: digest algorithm (SHA-1 " + "(deprecated), SHA-256 or SHA-384)\n" " -A: include all keys in DS set, not just KSKs (-f " "only)\n" " -c class: rdata class for DS set (default IN) (-f " diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst index 9ca025a319..b23dff6164 100644 --- a/bin/dnssec/dnssec-dsfromkey.rst 
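Review bot: The new warning in emits() prints the loop index `i`, not the digest type, so `-1` on its own reports `DS digest type 0 is deprecated` even though the value being flagged is DNS_DSDIGEST_SHA1 (1); pass the element instead: `"WARNING: DS digest type %u is deprecated\n", (unsigned)dtype[i]`. emits() is also called once per key, so the warning presumably repeats for every DNSKEY in a zone file; issuing it once where `-1`/`-a SHA-1` is parsed would be quieter and still reach the operator. emits() begins before this hunk.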
+++ b/bin/dnssec/dnssec-dsfromkey.rst @@ -32,30 +32,34 @@ Synopsis Description ~~~~~~~~~~~ -The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records -(RRs), or CDS (Child DS) RRs with the :option:`-C` option. +The :program:`dnssec-dsfromkey` command outputs DS (Delegation +Signer) resource records (RRs), or CDS (Child DS) RRs with the +:option:`-C` option. By default, only KSKs are converted (keys with flags = 257). The -:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never -included. +:option:`-A` option includes ZSKs (flags = 256). Revoked keys are +never included. The input keys can be specified in a number of ways: -By default, :program:`dnssec-dsfromkey` reads a key file named in the format -``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`. +By default, :program:`dnssec-dsfromkey` reads a key file named in +the format ``Knnnn.+aaa+iiiii.key``, as generated by +:iscman:`dnssec-keygen`. -With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone -file or partial zone file (which can contain just the DNSKEY records). +With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` +reads keys from a zone file or partial zone file (which can contain +just the DNSKEY records). -With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file, -as generated by :iscman:`dnssec-keygen` :option:`-C`. +With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a +``keyset-`` file, as generated by :iscman:`dnssec-keygen` :option:`-C`. Options ~~~~~~~ .. option:: -1 - This option is an abbreviation for :option:`-a SHA1 <-a>`. + This option is an abbreviation for :option:`-a SHA1 <-a>`. This + digest is deprecated. .. option:: -2 
@@ -63,24 +67,26 @@ Options .. option:: -a algorithm - This option specifies a digest algorithm to use when converting DNSKEY records to - DS records. This option can be repeated, so that multiple DS records - are created for each DNSKEY record. + This option specifies a digest algorithm to use when converting + DNSKEY records to DS records. This option can be repeated, so + that multiple DS records are created for each DNSKEY record. - The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values - are case-insensitive, and the hyphen may be omitted. If no algorithm - is specified, the default is SHA-256. + The algorithm must be one of SHA-1 (deprecated), SHA-256, or + SHA-384. These values are case-insensitive, and the hyphen may + be omitted. If no algorithm is specified, the default is SHA-256. .. option:: -A - This option indicates that ZSKs are to be included when generating DS records. Without this option, only - keys which have the KSK flag set are converted to DS records and - printed. This option is only useful in :option:`-f` zone file mode. + This option indicates that ZSKs are to be included when generating + DS records. Without this option, only keys which have the KSK + flag set are converted to DS records and printed. This option + is only useful in :option:`-f` zone file mode. .. option:: -c class - This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset - or :option:`-f` zone file mode. + This option specifies the DNS class; the default is IN. This + option is only useful in :option:`-s` keyset or :option:`-f` + zone file mode. .. option:: -C 
@@ -88,10 +94,10 @@ Options .. option:: -f file - This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the - DNS domain name of a zone whose master file can be read from - ``file``. If the zone name is the same as ``file``, then it may be - omitted. + This option sets zone file mode, in which the final dnsname + argument of :program:`dnssec-dsfromkey` is the DNS domain name + of a zone whose master file can be read from ``file``. If the + zone name is the same as ``file``, then it may be omitted. If ``file`` is ``-``, then the zone data is read from the standard input. This makes it possible to use the output of the :iscman:`dig` @@ -105,16 +111,19 @@ Options .. option:: -K directory - This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``. + This option tells BIND 9 to look for key files or ``keyset-`` + files in ``directory``. .. option:: -s - This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS - domain name used to locate a ``keyset-`` file. + This option enables keyset mode, in which the final dnsname + argument from :program:`dnssec-dsfromkey` is the DNS domain name + used to locate a ``keyset-`` file. .. option:: -T TTL - This option specifies the TTL of the DS records. By default the TTL is omitted. + This option specifies the TTL of the DS records. By default the + TTL is omitted. .. option:: -v level diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 33d576c014..8bd181708c 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c 
@@ -58,8 +58,8 @@ usage(void) { fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); fprintf(stderr, " -a algorithm: \n" - " RSASHA1 |\n" - " NSEC3RSASHA1 |\n" + " RSASHA1 (deprecated) |\n" + " NSEC3RSASHA1 (deprecated) |\n" " RSASHA256 | RSASHA512 |\n" " ECDSAP256SHA256 | ECDSAP384SHA384 |\n" " ED25519 | ED448\n"); @@ -582,6 +582,21 @@ main(int argc, char **argv) { fatal("invalid DNSKEY nametype %s", nametype); } + switch (alg) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: { + char algstr[DNS_SECALG_FORMATSIZE]; + dns_secalg_format(alg, algstr, sizeof(algstr)); + fprintf(stderr, + "WARNING: DNSKEY algorithm '%s' is deprecated. Please " + "migrate to another algorithm\n", + algstr); + break; + } + default: + break; + } + rdclass = strtoclass(classname); if (directory == NULL) { diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index ea5164d28f..11fbcd2030 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst 
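Review bot: The warning switch added to main() is the same dispatch and the same string as the one added to keygen() in dnssec-keygen.c further down; two copies will drift, so a small shared helper taking the algorithm and printing the warning (the bin/dnssec tools already share dnssectool.c, if that is the right home) would keep the wording in one place. Unlike the keygen hunk, no FIPS-mode rejection of SHA1 algorithms is visible here; if main() handles that elsewhere this is fine, otherwise a FIPS build will print "please migrate" and then carry on. main() starts and ends outside this hunk.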
@@ -41,27 +41,31 @@ Options .. option:: -a algorithm - This option selects the cryptographic algorithm. The value of ``algorithm`` must - be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. + This option selects the cryptographic algorithm. The value of + ``algorithm`` must be one of RSASHA1 (deprecated), NSEC3RSASHA1 + (deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, + ED25519, or ED448. - These values are case-insensitive. In some cases, abbreviations are - supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for - ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3` - option, then NSEC3RSASHA1 is used instead. + These values are case-insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 + for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along + with the :option:`-3` option, then NSEC3RSASHA1 (deprecated) is + used instead. - This option is mandatory except when using the - :option:`-S` option, which copies the algorithm from the predecessory key. + This option is mandatory except when using the :option:`-S` + option, which copies the algorithm from the predecessory key. .. versionchanged:: 9.12.0 - The default value RSASHA1 for newly generated keys was removed. + The default value RSASHA1 (deprecated) for newly generated + keys was removed. .. option:: -3 - This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this - option is used with an algorithm that has both NSEC and NSEC3 - versions, then the NSEC3 version is used; for example, - ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + This option uses an NSEC3-capable algorithm to generate a DNSSEC + key. 
If this option is used with an algorithm that has both NSEC + and NSEC3 versions, then the NSEC3 version is used; for example, + ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 + (deprecated) algorithm. .. option:: -E engine diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index e70b7ed632..13f34000fa 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -152,7 +152,8 @@ usage(void) { "statement\n"); fprintf(stderr, " -a :\n"); if (!isc_fips_mode()) { - fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); + fprintf(stderr, " RSASHA1 (deprecated) | NSEC3RSASHA1 " + "(deprecated) |\n"); } fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); @@ -160,10 +161,11 @@ usage(void) { fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); if (!isc_fips_mode()) { - fprintf(stderr, " RSASHA1:\t[%d..%d]\n", min_rsa, - MAX_RSA); - fprintf(stderr, " NSEC3RSASHA1:\t[%d..%d]\n", min_rsa, - MAX_RSA); + fprintf(stderr, " RSASHA1 (deprecated) :\t[%d..%d]\n", + min_rsa, MAX_RSA); + fprintf(stderr, + " NSEC3RSASHA1 (deprecated) :\t[%d..%d]\n", + min_rsa, MAX_RSA); } fprintf(stderr, " RSASHA256:\t[%d..%d]\n", min_rsa, MAX_RSA); fprintf(stderr, " RSASHA512:\t[%d..%d]\n", min_rsa, MAX_RSA); 
@@ -502,14 +504,27 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } switch (ctx->alg) { - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_NSEC3RSASHA1: + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + dns_secalg_format(ctx->alg, algstr, sizeof(algstr)); + fprintf(stderr, + "WARNING: DNSKEY algorithm '%s' is deprecated. Please " + "migrate to another algorithm\n", + algstr); + break; + default: + break; + } + + switch (ctx->alg) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: if (isc_fips_mode()) { fatal("SHA1 based keys not supported in FIPS mode"); } FALLTHROUGH; - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: if (ctx->size != 0 && (ctx->size < min_rsa || ctx->size > MAX_RSA)) { diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index bd9ad6a9b9..a03ab5d6cd 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
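Review bot: keygen() now runs two back-to-back switches on ctx->alg; in FIPS mode the first prints the deprecation warning and the second immediately calls fatal(), so the user sees a "please migrate" hint for a key that is refused anyway. Folding the warning into the existing switch after the FIPS check removes the duplicate dispatch and the misleading message. `algstr` is not declared in this hunk; this assumes it is the existing buffer in keygen(), which starts and ends outside the hunk.
```c
	switch (ctx->alg) {
	case DST_ALG_RSASHA1:
	case DST_ALG_NSEC3RSASHA1:
		if (isc_fips_mode()) {
			fatal("SHA1 based keys not supported in FIPS mode");
		}
		dns_secalg_format(ctx->alg, algstr, sizeof(algstr));
		fprintf(stderr,
			"WARNING: DNSKEY algorithm '%s' is deprecated. Please "
			"migrate to another algorithm\n",
			algstr);
		FALLTHROUGH;
	case DST_ALG_RSASHA256:
	case DST_ALG_RSASHA512:
		/* … unchanged: RSA key size range check … */
```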
@@ -38,21 +38,24 @@ Options .. option:: -3 - This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this - option is used with an algorithm that has both NSEC and NSEC3 - versions, then the NSEC3 version is selected; for example, - ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + This option uses an NSEC3-capable algorithm to generate a DNSSEC + key. If this option is used with an algorithm that has both NSEC + and NSEC3 versions, then the NSEC3 version is selected; for + example, ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 + (deprecated) algorithm. .. option:: -a algorithm - This option selects the cryptographic algorithm. For DNSSEC keys, the value of - ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, - RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. + This option selects the cryptographic algorithm. For DNSSEC keys, + the value of ``algorithm`` must be one of RSASHA1 (deprecated), + NSEC3RSASHA1 (deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256, + ECDSAP384SHA384, ED25519, or ED448. - These values are case-insensitive. In some cases, abbreviations are - supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for - ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3` - option, NSEC3RSASHA1 is used instead. + These values are case-insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 + for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along + with the :option:`-3` option, NSEC3RSASHA1 (deprecated) is used + instead. This parameter *must* be specified except when using the :option:`-S` option, which copies the algorithm from the predecessor key. diff --git a/bin/tests/system/checkconf/kasp-deprecated-fips.conf b/bin/tests/system/checkconf/kasp-deprecated-fips.conf new file mode 100644 index 0000000000..6159940dcc --- /dev/null +++ b/bin/tests/system/checkconf/kasp-deprecated-fips.conf 
@@ -0,0 +1,19 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy deprecated { + cds-digest-types { sha1; }; + keys { + csk lifetime unlimited algorithm ecdsa256; + }; +}; diff --git a/bin/tests/system/checkconf/kasp-deprecated.conf b/bin/tests/system/checkconf/kasp-deprecated.conf new file mode 100644 index 0000000000..ba7e72b8d6 --- /dev/null +++ b/bin/tests/system/checkconf/kasp-deprecated.conf @@ -0,0 +1,20 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy deprecated { + cds-digest-types { sha1; }; + keys { + csk lifetime unlimited algorithm rsasha1; + csk lifetime unlimited algorithm nsec3rsasha1; + }; +}; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index fc776b1d47..3d4fd83cf4 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -647,7 +647,7 @@ if [ $RSASHA1_SUPPORTED = 0 ]; then expect=2 else conf=kasp-bad-nsec3-iter.conf - expect=3 + expect=5 fi $CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1 grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" /dev/null || ret=1 
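Review bot: `expect=5` replaces `expect=3` with nothing explaining why the non-FIPS run of kasp-bad-nsec3-iter.conf now produces two more lines; presumably the new rsasha1/nsec3rsasha1 deprecation warnings, but a reader of this file cannot tell and will suspect flakiness. A one-line comment beside it, `# +2: deprecated-algorithm warnings for rsasha1/nsec3rsasha1`, records the intent; adjust if the actual breakdown differs.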
@@ -726,6 +726,20 @@ if [ $lines -ne 5 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +n=$((n + 1)) +echo_i "checking named-checkconf kasp deprecated algorithms and digests ($n)" +ret=0 +if [ $RSASHA1_SUPPORTED = 0 ]; then + $CHECKCONF kasp-deprecated-fips.conf >checkconf.out$n 2>&1 || ret=1 +else + $CHECKCONF kasp-deprecated.conf >checkconf.out$n 2>&1 || ret=1 + grep "dnssec-policy: DNSSEC algorithm rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1 + grep "dnssec-policy: DNSSEC algorithm nsec3rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1 +fi +grep "dnssec-policy: deprecated CDS digest-type sha1" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + n=$((n + 1)) echo_i "check that a good 'kasp' configuration is accepted ($n)" ret=0 diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index bda5e37b62..6a8fe092ac 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh 
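Review bot: In the FIPS branch this test asserts only the CDS-digest warning, so the "deprecated algorithms" half of its label is not covered when RSASHA1_SUPPORTED=0, and nothing pins how named-checkconf treats a policy with rsasha1 under FIPS. If the intent is that such a policy is rejected there, add `$CHECKCONF kasp-deprecated.conf >checkconf.out$n.fips 2>&1 && ret=1` to that branch; if it is simply skipped, say so in the echo_i text. Note also that the two tools word the same condition differently (`deprecated CDS digest-type sha1` here, `deprecated CDS digest type 1 (SHA-1)` in the checkzone tests below), which makes grepping operator logs across tools harder.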
@@ -139,28 +139,28 @@ status=$((status + ret)) echo_i "checking that expirations that loop using serial arithmetic are handled ($n)" ret=0 q=-q -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q 
dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 +test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1 n=$((n + 1)) if [ 
$ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
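Review bot: All 22 invocations redirect with `>test.out.$n`, so each run truncates the file and only the last run's output survives, which defeats capturing it for a failure that may trigger on only one iteration; use `>>`, or better, replace the copy-pasted lines with a loop. With `$q` set to `-q` there may be little output anyway, but the file should at least be an honest record of every run. The test suite is POSIX sh, so a counter loop rather than seq.
```shell
i=0
while [ $i -lt 22 ] && [ $ret -eq 0 ]; do
  $CHECKZONE $q dyn.example.net zones/crashzone.db >>test.out.$n 2>&1 || ret=1
  i=$((i + 1))
done
```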
@@ -207,10 +207,65 @@ ret=0 echo_i "checking integer overflow is prevented in \$GENERATE ($n)" $CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1 lines=$(grep -c CNAME test.out.$n) -echo $lines [ "$lines" -eq 1 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "Checking for RSASHA1 deprecated warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.rsasha1.db >test.out.$n || ret=1 +grep "deprecated DNSKEY algorithm found: 5 (RSASHA1)" test.out.$n >/dev/null || ret=1 +grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking for NSECRSASHA1 deprected warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.nsec3rsasha1.db >test.out.$n || ret=1 +grep "deprecated DNSKEY algorithm found: 7 (NSEC3RSASHA1)" test.out.$n >/dev/null || ret=1 +grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking for SHA1 CDS digest warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.cds-sha1.db >test.out.$n || ret=1 +grep "zone example/IN: deprecated CDS digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking for SHA1 DS digest warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.digest-sha1.db >test.out.$n || ret=1 +grep "zone example/IN: child.example/DS deprecated digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; 
then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking for RSASHA1 DS algorithm warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.ds-alg.db >test.out.$n || ret=1 +grep "zone example/IN: child.example/DS deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking for RSASHA1 KEY algorithm warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.key-alg.db >test.out.$n || ret=1 +grep "zone example/IN: example/KEY deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db new file mode 100644 index 0000000000..13da8308e1 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db 
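Review bot: The label for the second new test reads `Checking for NSECRSASHA1 deprected warning`, two typos in one line; it should be `NSEC3RSASHA1 deprecated`, and the new labels capitalize "Checking" where the rest of the file uses lowercase "checking". The first new test prints its `($n)` and writes `test.out.$n` before any `n=$((n + 1))`, so if the preceding \$GENERATE test has already used that n (its increment is not in the hunk) the two share a number and a log file. The new `$CHECKZONE` calls also omit the `2>&1` the surrounding tests use, so stderr from a failing run would not land in test.out.$n.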
@@ -0,0 +1,44 @@ +; File written on Wed Jul 2 14:27:34 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY CDS + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250702032734 46204 example. + aPkaoO9OMYZwldpUPJeqFZoGCc8XQcmQHig2 + zJmp2Qv2QGRH1faoWosYy5jwQskxtpoyE0Eh + yxEoUhHZNCKogQ== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) + 3600 CDS 46204 13 1 ( + 712DD9926EDF2A5E81E76D3BC5F5637BEA06 + 2E67 ) + 3600 RRSIG CDS 13 1 3600 ( + 20901231235959 20250702032734 46204 example. + nS9qKdj0dfWNe6U0ttuKSMiKMhxLq4Yo6WPT + 9j/cmjbaOdKO1DBoDxzZ7G4M34msvBcKq31L + mn8qUlrzSOfD9A== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db new file mode 100644 index 0000000000..da817b54f3 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db 
@@ -0,0 +1,51 @@ +; File written on Mon Jun 30 15:20:51 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB + KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2 + YRVJGECc6/rdcg== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) +child.example. 3600 IN NS . + 3600 DS 30914 13 1 ( + 3FFB809FC091FDC931815B50E5DA9C00B5C1 + 454F ) + 3600 RRSIG DS 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + 5Y/jx0eePoUztptSLwE9DeY2GlVNVHSr3lF4 + R8IajnK7zXs2QtoRIdmKwWZ1um1JICh59Xk7 + R/BXFAbO6FMaPA== ) + 3600 NSEC example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + A662/raRKle9b45C5douUufAne7iRtKw0u7C + gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT + 7+Wv86G8MGt+3Q== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db b/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db new file mode 100644 index 0000000000..9c5fb8db07 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db 
@@ -0,0 +1,51 @@ +; File written on Wed Jul 2 12:22:09 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB + KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2 + YRVJGECc6/rdcg== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) +child.example. 3600 IN NS . + 3600 DS 58246 5 2 ( + 641AFA5ACB8099E4E571585B7B9A416078FF + 79D40D1C2E85F9179E28BF08D61D ) + 3600 RRSIG DS 13 2 3600 ( + 20901231235959 20250702012209 46204 example. + g17c5sfC0OAucFLA0n9C5EfPActxuPMpHN6G + spGmkkDUaU5UosWkdcapd20Yb29NaEKvJO3Q + Qn6K53MKtWt7zQ== ) + 3600 NSEC example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + A662/raRKle9b45C5douUufAne7iRtKw0u7C + gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT + 7+Wv86G8MGt+3Q== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db b/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db new file mode 100644 index 0000000000..3dfa76eacf --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db 
@@ -0,0 +1,53 @@ +; File written on Wed Jul 2 16:48:02 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 KEY 512 3 5 ( + AwEAAZwLHbB7cjvlEt0evebAMsJtuNYXgiyt + qe3lu0RO/ChFdddyHv+O9M1zLrCnWMBSLHad + YHSXfG3BMyMAnBh7om+1pgrHCShlmMaxZ5cC + sug5buS3E8eVRVAf7Qje63owxm2iF3G9kKWY + FgfE+Ml5Uv7etHkmxqAmFb3jYuXzYWfMz1qY + rICsJnw7qcKzNphl71tDvJUYD5pDA7izhzs3 + 8tdDH8qMQgK/yNU3Q/RAOg2VRvYuwYOteCAx + 6RB/z+rtNTKNbphrPrzSsekOurLo1B+AvDct + o/orbilbQ8qdq0cknKlqdMKuYcqQ1BbBMrdV + w1fBTLDwiFwiRBjYazPqPiE= + ); alg = RSASHA1 ; key id = 13684 + 3600 RRSIG KEY 13 1 3600 ( + 20901231235959 20250702054802 46204 example. + GvfNtx1F8crebI/QrPb2meHplhSpAsIDqJ48 + iMg6aT22mGBagR698GS+9ehg0ExMumfIDPSO + k/1wtwRKYqrKow== ) + 3600 NSEC example. NS SOA KEY RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250702054802 46204 example. + Nah5tUuwQiiDKWpdgtqPp7LppMOoDUJkyTZB + pAzmbT8UA7kNJN2K5kfkLJgPqWAt4h2P0Ys1 + 9lkLcXqYUH0x5g== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db new file mode 100644 index 0000000000..1490935c68 --- /dev/null 
+++ b/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db 
@@ -0,0 +1,71 @@ +; File written on Mon Jun 30 14:55:37 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 7 1 3600 ( + 20901231235959 20250630035537 41424 example. + oqX2MaQSaMj2YPYWA/8echxn7QHBerVEs426 + z8IJ88lv8Ih3Rrsldur6hXCieYI46wK3xOft + p0VMAw9iIK5T49PXnaf7+hdaIJFDTAvuhzco + e1IcdfmS26a6rRZHG8QKNjVjn/Du3J2gbdoB + ubyio+7BY45Mk1S0sb0QzkmfTRZodULfvlW7 + BkmC9k0ixU1f1R+k26I0TJHYwH6Tw3O/0nPG + SkUKnIcgqjzXsnUN1XGR+gD9TVF8Hp+JYWCz + 5fFTR733OiScIK+Xlon+ydg1GixW1rOR2MOP + lowGJIHeE8nDYEgncKv91wFCp1IRHjgN/6zg + c6JBClYMhe0RS66I6A== ) + 3600 NS . + 3600 RRSIG NS 7 1 3600 ( + 20901231235959 20250630035411 41424 example. + pQUeJTZvpEPBZOdatA79eUE+qunKTasFyjgT + xB+hpvXujxFqf6FDs/TdfE9jGo5T8Rwb3Gu0 + 7+uo5ATwKuQL0TywDVm7DMj07iWoXpCGWge9 + q+iZ9sVXTzGKbb+1f8w9b/E9qW/s9Uir/tZq + pPWhEgy61ip/pjkcyoIi3wQtffBMckApBgao + Nk6YPi0TSl3W+cQUDkT2BeCoZDHuhuvS+Z3x + URTu5FnqT3YPKJ5xb4N3mr4um4oI9sy+TJIj + yuSW/ie0Bzy8x8ha1capfhlbPsZI6SKe0ldR + vC9dr0gertISQzAnl9GqxFne6Ya5DyYHKye+ + khVrRKAu2YIFRWYrOg== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 7 1 3600 ( + 20901231235959 20250630035537 41424 example. 
+ IMgNRFY4qWHDFz/gWiXn6jrCSW4Az/5sE7ML + dyJgY8OHtM2Kq+ThRsgZn7gN47T7QJv8Dvc3 + oYNRH7R6sjGJBZmfoqfdZmJOrR1bdKhHjhHR + 0b3NuXlVAG7eqMu4eJvsKZCUTKxa3+iFStw/ + pTsHWEVT9ozMaAfQdzM86Pq6x8VVQCRwuw9g + JWkjt0/4VGA/tTj713o0/7Ju0055wSVnFNvH + XaAW2PG9nRDyFvoOq1lFSFEPm9gXDFfDmTZn + 40v+qIer/vPGMkHyizZAbZ0qnM7lwNAhDukz + catwpgsbpMWHrBUgnDCbxpzfl24n7wmHyCUa + ArewJH9UphjytrxHjw== ) + 3600 DNSKEY 256 3 7 ( + AwEAAakdlaNNa6UNEKTh7g0TPBLuEecXezJ2 + mz7kaBxIEx7t3IPxWymt5XezCtR7NilHW+zo + d42hzKrtqFilt5SBrsjnWr5ipczEySEYCtOz + Jx0P9xLj8MjCf5D6+elSY4zm9gtqlIo6ryhf + SuCJQ9XZOIFD10/8efr0HYxkc0N4msZhVcuB + yJ650Pjc0EFWEe2yseM+uXZCIc/0Q4OayMJA + 5GEJwvq/POH/POU7HlQR5RKzT0babm4Jvmpx + F1jf7gSRL44LgVLl/m4fKjseK1w0shOxhrwc + gAXI5ZMpspN9Mnhy+HNemkw9xyw3XkAtcTuN + yUHvCLEyaklh6latwxFQTLM= + ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 41424 + 3600 RRSIG DNSKEY 7 1 3600 ( + 20901231235959 20250630035411 41424 example. + G2lr1Q+xjDnefyPbxLTy0yZ8wUg1+GcaBb9H + 7YX0FzZroRLTNr8SN2VYge4CbNZkTIC98dmV + TRwoBp4HbrWY5jDGT2oQS1zDc92dz0TuD0Ys + JMI2/IEVpA9wBcqsRssmAwzSuh4dMLqfMkrm + KzWk7CRNxqC1JXJ1MgbRCRuES22HGO3O7ZXZ + HjsFANBQt+7PebgdmAtS61RvztyJE+o6LyaA + qA9qawqYDBi7Lcar/U+arrfg77kQ8BmC+ZZV + toLkus9VsM9GShmMo2/KMu+PYWHKWUuHwRas + v9hSvLh/+b7mymssp/WtmX79a3WXlHovNP2v + Sh2S4RjDq4lFsyqTAA== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db new file mode 100644 index 0000000000..6b18f5f155 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db 
@@ -0,0 +1,71 @@ +; File written on Mon Jun 30 14:57:52 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 5 1 3600 ( + 20901231235959 20250630035752 3495 example. + gq16Xp8iCErMp/R6jdzvws3MMvWAMowfYOa5 + K3Dwo3MXUruWhsDa4XjH3CJIk4LtSRDWcVSj + /STy/R4CEvz83/2VMjQ7L73hFZZNVrMHKrLi + SfRhnUueOHiYrv8sLM2ZHy0EYM/gULmcX51j + j0XJlSf9DfkT/nh3ZwqS+lD/RA+1Gg73xVkS + tRh5AZMWAGrjyBMOC0iW9qexqINmM0nR40K7 + 5L+17OL2Ay/Fp7zliN+g9bAEfgITQlFRO32Y + sZrPRguzavP5xad4m3GOCAQoTQJpnci7id2u + DhIwkh6+7Do3zjZOQy74IvbuPVUS5nVRiEd8 + XqF3Z7hHMYWWCEdslw== ) + 3600 NS . + 3600 RRSIG NS 5 1 3600 ( + 20901231235959 20250630034615 3495 example. + FrY8Bi8StW34PADKfVn2uPDIgDzbhyinoQDw + HjklP8PFXvl2VLhroGZy5EfoGQlC+eOL7Ffb + ZlKMvSOtGHpIIdqWg6GmGBWqCYoC3EoaFVXh + A2SBxOPdcbGbwzVk6MWnrpFRsxwMqX+7vjJg + eB7XVh1tZf90N6Yfswfy/UFf5Qbaj69gE7/7 + Eu3lkNNsFr5UVLPU4K4/dzNalllZjZ++w68T + 5Y97UmIJH+aXpNndibJU9c25F1/ou5NJLQQN + LxyWXIi1CRaF88sjQwXemO8xutnh2b3ULKI0 + pelDtKThLWWYAMhgMnhr5HktL69++cMZiZ4z + 3heBavJIPY2QTYOLZw== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 1 3600 ( + 20901231235959 20250630035752 3495 example. 
+ N5mNbNXTSbLOya8baU6SaGao8bPquA4rO2hb + 5mkYjM+wzAJRNKSrViA5Ev7iFJolXKM+NCV3 + fpKtT+5v8mqhGZf80H1Z7inmAMX+Gz9B0YfO + yhmSTD7qnIgoxw+W/dFAeBx18XyCRDBRlGyj + 2FEqZa46AVuDaYgQoUJLfM4SkOhbsDdDfQV1 + uQinjRnhvOQEOd0wYRbqR7S8BMqppnahwyai + lH5tx8qsBVFTR7P8D5UlTfHCBM+d0VI5jXjt + 45eCwzqQBTl4ot4Tbc/nGaUvPU5ffkW8fmsk + BygQeKd97xPnzK0tt1KJaYGTiqc3UgUId929 + XniHMB6YmxkpIb2qrg== ) + 3600 DNSKEY 256 3 5 ( + AwEAAZmABvQsJBvsRu2fMlU1CtN58u7+yO5x + ioxkg8O2mH29NDFoMKtxZKlk74+hT8m0aAKV + hqEywM9S2NaWEXctv2lF6t/f8E8YJkY+cnLb + iZmxuJmScxce8u32KlX0MiKN2JQHIokDTz7m + 2AqUaLTnERyIXNUHJfHx1nzvhhz4G7TV41Pk + U1MSX3gCrgsSQ7IUzLOsyy6iQn4wFml+eXlO + qmypFvjRDhmjXAHms3nSOgDmDu6kF+9R0ccL + Lh4YAEYZlx2UoDigcEtRfMeYQwb76tC7xAkx + EEJAUo+oRkaw2in8kVjpwuXSWF5WlX+Cpie9 + o3r+4EpI/IV6z63QO9zqMEE= + ) ; ZSK; alg = RSASHA1 ; key id = 3495 + 3600 RRSIG DNSKEY 5 1 3600 ( + 20901231235959 20250630034615 3495 example. + gpKH6gf+47UNqMlTdtylpSW/yRNEyPtpj7Tu + Y939pwRPgQcPBscIwcZzezV0r4y2O5xMTKQ1 + fQZTidfCwvessYTxYJYSjE1i+pChblLmqY/j + JNjwUv0nH9rs8ZSXRSFiqPsC7tl4jBQsD1N+ + UdV3a/rEFCON1C+KirQlrdSq+/bAic0A4afZ + g746kgnLsNCu/FnVucfoOBGaAk6na9dYIt0+ + l7IKI+4dg+tHsaGdRVv2h2JXO6g1I2LtCiIB + FlKxFDCrMFV9+xduLFNnNxVsvnK7RtlAAPo5 + n4WBinbW5CpGJnc7n/0BknnecqZb63qkQgia + 50FJvVZCJ4WTZ+Hh0g== ) diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 8b5d2338a1..bc17c2c3a2 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -409,7 +409,7 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, } /* - * NS, SOA and DNSSKEY records are signed by their owner. + * NS, SOA and DNSKEY records are signed by their owner. * DS records are signed by the parent. */ switch (set->type) { diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h index 629729bc3a..649ca80065 100644 --- a/lib/dns/include/dns/ds.h +++ b/lib/dns/include/dns/ds.h 
@@ -23,6 +23,8 @@ #define DNS_DSDIGEST_GOST (3) #define DNS_DSDIGEST_SHA384 (4) +#define DNS_DSDIGEST_MAX (255) + /* * Assuming SHA-384 digest type. */ diff --git a/lib/dns/zone.c b/lib/dns/zone.c index d6245793cc..b0911800dd 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3201,18 +3201,18 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { dns_rdata_mx_t mx; dns_rdata_ns_t ns; dns_rdata_in_srv_t srv; - dns_rdata_t rdata; dns_name_t *name; dns_name_t *bottom; isc_result_t result; bool ok = true, have_spf, have_txt; int level; char namebuf[DNS_NAME_FORMATSIZE]; + bool logged_algorithm[DST_MAX_ALGS]; + bool logged_digest_type[DNS_DSDIGEST_MAX + 1]; name = dns_fixedname_initname(&fixed); bottom = dns_fixedname_initname(&fixedbottom); dns_rdataset_init(&rdataset); - dns_rdata_init(&rdata); result = dns_db_createiterator(db, 0, &dbiterator); if (result != ISC_R_SUCCESS) { 
@@ -3238,6 +3238,55 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { dns_dbiterator_pause(dbiterator); + /* + * Check for deprecated KEY algorithms + */ + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_key, + 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) { + goto checkforns; + } + + memset(logged_algorithm, 0, sizeof(logged_algorithm)); + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_key_t key; + dns_rdataset_current(&rdataset, &rdata); + + result = dns_rdata_tostruct(&rdata, &key, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + /* + * If we ever deprecate a private algorithm use + * dst_algorithm_fromdata() here. + */ + switch (key.algorithm) { + case DNS_KEYALG_RSASHA1: + case DNS_KEYALG_NSEC3RSASHA1: + if (!logged_algorithm[key.algorithm]) { + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_secalg_format(key.algorithm, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "%s/KEY deprecated " + "algorithm %u (%s)", + namebuf, key.algorithm, + algbuf); + logged_algorithm[key.algorithm] = true; + } + break; + default: + break; + } + } + dns_rdataset_disassociate(&rdataset); + + checkforns: /* * Don't check the NS records at the origin. */ @@ -3250,6 +3299,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { if (result != ISC_R_SUCCESS) { goto checkfords; } + /* * Remember bottom of zone due to NS. */ @@ -3257,6 +3307,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &ns, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); 
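Review bot: `logged_algorithm` is re-zeroed with `memset` on every node, so a zone with many owner names carrying RSASHA1/NSEC3RSASHA1 KEY records gets one warning per name per algorithm at each load; if the goal is to tell the operator once that a deprecated algorithm is in use, move the `memset(logged_algorithm, 0, sizeof(logged_algorithm));` ahead of the node iteration (which starts outside this hunk) so each algorithm is reported once per zone with the first offending owner. If per-owner reporting is intended, say so in the comment above the loop, e.g. `/* Warn once per owner name and algorithm. */`. The deprecated set here is only `DNS_KEYALG_RSASHA1` and `DNS_KEYALG_NSEC3RSASHA1`, with no reference given; a comment naming the source of the list (the RFC 8624 algorithm table, presumably) would help whoever has to extend it. integrity_checks() begins before and ends after this hunk.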
@@ -3267,6 +3318,74 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { result = dns_rdataset_next(&rdataset); } dns_rdataset_disassociate(&rdataset); + + /* + * Check for deprecated DS digest types. + */ + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, + 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) { + goto next; + } + + memset(logged_algorithm, 0, sizeof(logged_algorithm)); + memset(logged_digest_type, 0, sizeof(logged_digest_type)); + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(&rdataset, &rdata); + dns_rdata_ds_t ds; + + result = dns_rdata_tostruct(&rdata, &ds, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + switch (ds.digest_type) { + case DNS_DSDIGEST_SHA1: + case DNS_DSDIGEST_GOST: + if (!logged_digest_type[ds.digest_type]) { + char algbuf[DNS_DSDIGEST_FORMATSIZE]; + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_dsdigest_format(ds.digest_type, + algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "%s/DS deprecated digest " + "type %u (%s)", + namebuf, ds.digest_type, + algbuf); + logged_digest_type[ds.digest_type] = + true; + } + break; + } + + /* + * If we ever deprecate a private algorithm use + * dst_algorithm_fromdata() here. + */ + switch (ds.algorithm) { + case DNS_KEYALG_RSASHA1: + case DNS_KEYALG_NSEC3RSASHA1: + if (!logged_algorithm[ds.algorithm]) { + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_secalg_format(ds.algorithm, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "%s/DS deprecated algorithm " + "%u (%s)", + namebuf, ds.algorithm, + algbuf); + logged_algorithm[ds.algorithm] = true; + } + break; + } + } + dns_rdataset_disassociate(&rdataset); + goto next; checkfords: 
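Review bot: The deprecated-algorithm set in the `ds.algorithm` switch (`DNS_KEYALG_RSASHA1`, `DNS_KEYALG_NSEC3RSASHA1`) is narrower than the one zone_check_dnskeys() uses for DNSKEY in this same change, which also lists RSAMD5, DSA, NSEC3DSA and ECCGOST, so a DS record naming one of those algorithms passes this check silently while the corresponding DNSKEY would be warned about. Either add the same four cases here or factor the list into one shared helper (e.g. `static bool dnssec_algorithm_deprecated(dns_secalg_t alg)`) so the two checks cannot drift apart. Neither switch in this loop has a `default:` arm while the KEY switch earlier in integrity_checks() does; add `default: break;` to both. Note also that `logged_algorithm` and `logged_digest_type` are re-zeroed per node, so a parent zone with many SHA-1 DS delegations will log one warning per delegation at every load; if that is intended because the owner name is part of the message, a one-line comment saying so would prevent it being "fixed" later. integrity_checks() starts before and ends after this hunk.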
@@ -3306,6 +3425,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { } result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &mx, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -3328,6 +3448,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { } result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &srv, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -3364,6 +3485,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { } result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); have_txt = isspf(&rdata); dns_rdata_reset(&rdata); @@ -3408,9 +3530,10 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { dns_dbnode_t *node = NULL; dns_dbversion_t *version = NULL; dns_rdata_dnskey_t dnskey; - dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; isc_result_t result; + bool logged_algorithm[DST_MAX_ALGS] = { 0 }; + bool alldeprecated = true; result = dns_db_findnode(db, &zone->origin, false, &node); if (result != ISC_R_SUCCESS) { @@ -3428,6 +3551,8 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(&rdataset)) { + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &dnskey, NULL); INSIST(result == ISC_R_SUCCESS); 
@@ -3469,10 +3594,36 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { algorithm, dnskey.algorithm, dst_region_computeid(&r)); } - dns_rdata_reset(&rdata); + + switch (dnskey.algorithm) { + case DNS_KEYALG_RSAMD5: + case DNS_KEYALG_DSA: + case DNS_KEYALG_RSASHA1: + case DNS_KEYALG_NSEC3DSA: + case DNS_KEYALG_NSEC3RSASHA1: + case DNS_KEYALG_ECCGOST: + if (!logged_algorithm[dnskey.algorithm]) { + dns_secalg_format(dnskey.algorithm, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "deprecated DNSKEY algorithm found: " + "%u (%s)\n", + dnskey.algorithm, algbuf); + logged_algorithm[dnskey.algorithm] = true; + } + break; + default: + alldeprecated = false; + break; + } } dns_rdataset_disassociate(&rdataset); + if (alldeprecated) { + dnssec_log(zone, ISC_LOG_WARNING, + "all DNSKEY algorithms found are deprecated"); + } + cleanup: if (node != NULL) { dns_db_detachnode(db, &node); @@ -23155,6 +23306,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) { * record which must be by itself. */ if (dns_rdataset_isassociated(&cds)) { + bool logged_digest_type[DNS_DSDIGEST_MAX + 1] = { 0 }; bool delete = false; memset(algorithms, notexpected, sizeof(algorithms)); for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS; 
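Review bot: The new `dnssec_log` call in the deprecated-algorithm switch ends its format string with `\n` (`"deprecated DNSKEY algorithm found: %u (%s)\n"`), unlike every other message added in this change; the logging layer terminates lines itself, so this emits a stray blank line after each warning — drop the `\n`. `alldeprecated` starts `true` and is cleared only by the `default:` arm at the end of the loop body, so any `continue` or early exit earlier in the body (which begins outside this hunk) would leave it set and produce "all DNSKEY algorithms found are deprecated" for a zone that does have a current-algorithm key; worth confirming no such path exists. Since a DNSKEY set whose algorithms validators no longer support is treated as unsigned by those validators, consider making the summary message state the consequence, e.g. `"all DNSKEY algorithms found are deprecated; validators that drop them will treat the zone as insecure"`. zone_check_dnskeys() begins before this hunk and its cleanup path continues after it.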
@@ -23182,6 +23334,30 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) { } CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL)); + + /* + * Log deprecated CDS digest types. + */ + switch (structcds.digest_type) { + case DNS_DSDIGEST_SHA1: + case DNS_DSDIGEST_GOST: + if (!logged_digest_type[structcds.digest_type]) + { + char algbuf[DNS_DSDIGEST_FORMATSIZE]; + dns_dsdigest_format( + structcds.digest_type, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "deprecated CDS digest type " + "%u (%s)", + structcds.digest_type, + algbuf); + logged_digest_type[structcds.digest_type] = + true; + } + break; + } + if (algorithms[structcds.algorithm] == 0) { algorithms[structcds.algorithm] = expected; } diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 3a37536149..9abb1c7cf8 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -252,6 +252,18 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, goto cleanup; } + switch (key->algorithm) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + cfg_obj_log(obj, logctx, ISC_LOG_WARNING, + "dnssec-policy: DNSSEC algorithm %s is " + "deprecated", + alg.base); + break; + default: + break; + } + obj = cfg_tuple_get(config, "length"); if (cfg_obj_isuint32(obj)) { uint32_t min, size; @@ -432,6 +444,12 @@ add_digest(dns_kasp_t *kasp, const cfg_obj_t *digest, isc_log_t *logctx) { str); result = DST_R_UNSUPPORTEDALG; } else { + if (alg == DNS_DSDIGEST_SHA1) { + cfg_obj_log( + digest, logctx, ISC_LOG_WARNING, + "dnssec-policy: deprecated CDS digest-type %s", + str); + } dns_kasp_adddigest(kasp, alg); } return result;
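Review bot: `logged_digest_type` is a local of dns_zone_cdscheck(), so the deduplication covers only one pass over the CDS RRset; if this function runs on every zone update or signing pass (its callers are outside the hunk), a zone publishing a SHA-1 or GOST CDS will log the identical warning on every pass. If that repetition is not intended, keep a per-zone "already warned" flag, or log at a lower level after the first occurrence. The switch on `structcds.digest_type` has no `default:` arm; add `default: break;` to match the KEY switch added to integrity_checks() in this same change. The enclosing function and the `for` loop over the CDS rdataset both start outside this hunk.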