From d03d58a10fab050023548417994bf87008caad2e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 Jun 2025 14:49:10 +1000 Subject: [PATCH 1/8] Warn about deprecated DNSKEY and DS algorithms / digest types DNSKEY algorithms RSASHA1 and RSASHA-NSEC3-SHA1 and DS digest type SHA1 are deprecated. Log when these are present in primary zone files and when generating new DNSKEYs, DS and CDS records. (cherry picked from commit cb6903c55e9ff6135a37c987fb6cee327967f0db) --- bin/dnssec/dnssec-dsfromkey.c | 11 +- bin/dnssec/dnssec-keyfromlabel.c | 19 ++- bin/dnssec/dnssec-keygen.c | 33 +++-- bin/tests/system/checkconf/tests.sh | 2 +- lib/dns/dnssec.c | 2 +- lib/dns/include/dns/ds.h | 2 + lib/dns/zone.c | 182 +++++++++++++++++++++++++++- lib/isccfg/kaspconf.c | 18 +++ 8 files changed, 249 insertions(+), 20 deletions(-) diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index f20eb1a9de..13d4e5c190 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -318,6 +318,11 @@ emits(bool showall, bool cds, dns_rdata_t *rdata) { n = sizeof(dtype) / sizeof(dtype[0]); for (i = 0; i < n; i++) { + if (dtype[i] == DNS_DSDIGEST_SHA1) { + fprintf(stderr, + "WARNING: DS digest type %u is deprecated\n", + i); + } if (dtype[i] != 0) { emit(dtype[i], showall, cds, rdata); } @@ -336,10 +341,10 @@ usage(void) { fprintf(stderr, " %s [-h|-V]\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "Options:\n" - " -1: digest algorithm SHA-1\n" + " -1: digest algorithm SHA-1 (deprecated)\n" " -2: digest algorithm SHA-256\n" - " -a algorithm: digest algorithm (SHA-1, SHA-256 or " - "SHA-384)\n" + " -a algorithm: digest algorithm (SHA-1 " + "(deprecated), SHA-256 or SHA-384)\n" " -A: include all keys in DS set, not just KSKs (-f " "only)\n" " -c class: rdata class for DS set (default IN) (-f " diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 33d576c014..8bd181708c 100644 
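Review bot: The new warning in emits() prints the loop index `i` instead of the digest type, so the message says "DS digest type 0 is deprecated" (or whichever slot SHA-1 happens to occupy) rather than "type 1"; it should be `"WARNING: DS digest type %u is deprecated\n", dtype[i]);`. The declaration of `i` is outside the hunk, so if it is a size_t the `%u` conversion is also mismatched — passing `dtype[i]` (cast to unsigned if its element type requires it) fixes both. Printing the mnemonic as well, via dns_dsdigest_format() as the zone.c warnings in this commit do, would make the message match the others.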
--- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -58,8 +58,8 @@ usage(void) { fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); fprintf(stderr, " -a algorithm: \n" - " RSASHA1 |\n" - " NSEC3RSASHA1 |\n" + " RSASHA1 (deprecated) |\n" + " NSEC3RSASHA1 (deprecated) |\n" " RSASHA256 | RSASHA512 |\n" " ECDSAP256SHA256 | ECDSAP384SHA384 |\n" " ED25519 | ED448\n"); @@ -582,6 +582,21 @@ main(int argc, char **argv) { fatal("invalid DNSKEY nametype %s", nametype); } + switch (alg) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: { + char algstr[DNS_SECALG_FORMATSIZE]; + dns_secalg_format(alg, algstr, sizeof(algstr)); + fprintf(stderr, + "WARNING: DNSKEY algorithm '%s' is deprecated. Please " + "migrate to another algorithm\n", + algstr); + break; + } + default: + break; + } + rdclass = strtoclass(classname); if (directory == NULL) { diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index e70b7ed632..13f34000fa 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -152,7 +152,8 @@ usage(void) { "statement\n"); fprintf(stderr, " -a :\n"); if (!isc_fips_mode()) { - fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n"); + fprintf(stderr, " RSASHA1 (deprecated) | NSEC3RSASHA1 " + "(deprecated) |\n"); } fprintf(stderr, " RSASHA256 | RSASHA512 |\n"); fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); @@ -160,10 +161,11 @@ usage(void) { fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -b :\n"); if (!isc_fips_mode()) { - fprintf(stderr, " RSASHA1:\t[%d..%d]\n", min_rsa, - MAX_RSA); - fprintf(stderr, " NSEC3RSASHA1:\t[%d..%d]\n", min_rsa, - MAX_RSA); + fprintf(stderr, " RSASHA1 (deprecated) :\t[%d..%d]\n", + min_rsa, MAX_RSA); + fprintf(stderr, + " NSEC3RSASHA1 (deprecated) :\t[%d..%d]\n", + min_rsa, MAX_RSA); } fprintf(stderr, " RSASHA256:\t[%d..%d]\n", min_rsa, MAX_RSA); fprintf(stderr, " RSASHA512:\t[%d..%d]\n", min_rsa, MAX_RSA); 
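Review bot: The deprecation switch added to main() is the same text and the same case list as the one added to keygen() in dnssec-keygen.c in this commit, so the two copies will drift; a small shared helper such as `warn_deprecated_alg(dns_secalg_t alg)` in the bin/dnssec common code would keep the wording and the deprecated-algorithm list in one place. The rest of main() and the setting of `alg` are outside the hunk, so I cannot see whether the `-S` path (which the man page says copies the algorithm from the predecessor key) reaches this switch with `alg` already resolved; if not, keys derived from a deprecated predecessor get no warning. The message could also name the recommended targets that the usage text above already lists, e.g. `"Please migrate to RSASHA256, ECDSAP256SHA256 or ED25519\n"`, rather than "another algorithm".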
@@ -502,14 +504,27 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { } switch (ctx->alg) { - case DNS_KEYALG_RSASHA1: - case DNS_KEYALG_NSEC3RSASHA1: + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + dns_secalg_format(ctx->alg, algstr, sizeof(algstr)); + fprintf(stderr, + "WARNING: DNSKEY algorithm '%s' is deprecated. Please " + "migrate to another algorithm\n", + algstr); + break; + default: + break; + } + + switch (ctx->alg) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: if (isc_fips_mode()) { fatal("SHA1 based keys not supported in FIPS mode"); } FALLTHROUGH; - case DNS_KEYALG_RSASHA256: - case DNS_KEYALG_RSASHA512: + case DST_ALG_RSASHA256: + case DST_ALG_RSASHA512: if (ctx->size != 0 && (ctx->size < min_rsa || ctx->size > MAX_RSA)) { diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index fc776b1d47..53cb782708 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -647,7 +647,7 @@ if [ $RSASHA1_SUPPORTED = 0 ]; then expect=2 else conf=kasp-bad-nsec3-iter.conf - expect=3 + expect=5 fi $CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1 grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" /dev/null || ret=1 diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 8b5d2338a1..bc17c2c3a2 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -409,7 +409,7 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, } /* - * NS, SOA and DNSSKEY records are signed by their owner. + * NS, SOA and DNSKEY records are signed by their owner. * DS records are signed by the parent. */ switch (set->type) { diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h index 629729bc3a..649ca80065 100644 --- a/lib/dns/include/dns/ds.h +++ b/lib/dns/include/dns/ds.h @@ -23,6 +23,8 @@ #define DNS_DSDIGEST_GOST (3) #define DNS_DSDIGEST_SHA384 (4) +#define DNS_DSDIGEST_MAX (255) + /* * Assuming SHA-384 digest type. */ 
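Review bot: keygen() now has two consecutive `switch (ctx->alg)` statements with identical RSASHA1/NSEC3RSASHA1 labels; the warning can sit at the top of the existing case, before the `isc_fips_mode()` check, which preserves the order (warn, then fatal in FIPS mode) and removes the duplicate switch. `algstr` is not declared within the hunk, so I assume it is an existing function-scope buffer sized DNS_SECALG_FORMATSIZE — worth confirming, because a smaller buffer would make dns_secalg_format() truncate silently. The relabeling from DNS_KEYALG_* to DST_ALG_* in the second switch is presumably value-identical; if the two enumerations ever differ, the RSA size check below would stop applying.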
diff --git a/lib/dns/zone.c b/lib/dns/zone.c index d6245793cc..1a5e407fb6 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3201,18 +3201,18 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { dns_rdata_mx_t mx; dns_rdata_ns_t ns; dns_rdata_in_srv_t srv; - dns_rdata_t rdata; dns_name_t *name; dns_name_t *bottom; isc_result_t result; bool ok = true, have_spf, have_txt; int level; char namebuf[DNS_NAME_FORMATSIZE]; + bool logged_algorithm[DST_MAX_ALGS]; + bool logged_digest_type[DNS_DSDIGEST_MAX + 1]; name = dns_fixedname_initname(&fixed); bottom = dns_fixedname_initname(&fixedbottom); dns_rdataset_init(&rdataset); - dns_rdata_init(&rdata); result = dns_db_createiterator(db, 0, &dbiterator); if (result != ISC_R_SUCCESS) { 
@@ -3238,6 +3238,55 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { dns_dbiterator_pause(dbiterator); + /* + * Check for deprecated KEY algorithms + */ + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_key, + 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) { + goto checkforns; + } + + memset(logged_algorithm, 0, sizeof(logged_algorithm)); + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_key_t key; + dns_rdataset_current(&rdataset, &rdata); + + result = dns_rdata_tostruct(&rdata, &key, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + /* + * If we ever deprecate a private algorithm use + * dst_algorithm_fromdata() here. + */ + switch (key.algorithm) { + case DNS_KEYALG_RSASHA1: + case DNS_KEYALG_NSEC3RSASHA1: + if (!logged_algorithm[key.algorithm]) { + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_secalg_format(key.algorithm, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "%s/KEY deprecated " + "algorithm %u (%s)", + namebuf, key.algorithm, + algbuf); + logged_algorithm[key.algorithm] = true; + } + break; + default: + break; + } + } + dns_rdataset_disassociate(&rdataset); + + checkforns: /* * Don't check the NS records at the origin. */ @@ -3250,6 +3299,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { if (result != ISC_R_SUCCESS) { goto checkfords; } + /* * Remember bottom of zone due to NS. */ @@ -3257,6 +3307,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &ns, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); 
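Review bot: The KEY check flags only RSASHA1 and NSEC3RSASHA1, while zone_check_dnskeys() in this same commit also treats RSAMD5, DSA, NSEC3DSA and ECCGOST as deprecated; the two lists should agree, ideally through one predicate such as `static bool deprecated_alg(dns_secalg_t alg)` shared by the KEY, DS and DNSKEY checks so a future change lands in one place. `logged_algorithm[key.algorithm]` is in bounds only because the cases that reach it are 5 and 7; once a predicate is used, the relationship between DST_MAX_ALGS and the uint8_t algorithm value should be asserted (or the array sized 256 explicitly) rather than assumed. After the loop `result` holds the iterator status (ISC_R_NOMORE) when control falls to checkforns, and the next test of `result` is outside the hunk — confirm it is re-assigned before being tested.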
@@ -3267,6 +3318,73 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { result = dns_rdataset_next(&rdataset); } dns_rdataset_disassociate(&rdataset); + + /* + * Check for deprecated DS digest types. + */ + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, + 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) { + goto next; + } + + memset(logged_algorithm, 0, sizeof(logged_algorithm)); + memset(logged_digest_type, 0, sizeof(logged_digest_type)); + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(&rdataset, &rdata); + dns_rdata_ds_t ds; + + result = dns_rdata_tostruct(&rdata, &ds, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + switch (ds.digest_type) { + case DNS_DSDIGEST_SHA1: + if (!logged_digest_type[ds.digest_type]) { + char algbuf[DNS_DSDIGEST_FORMATSIZE]; + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_dsdigest_format(ds.digest_type, + algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "%s/DS deprecated digest " + "type %u (%s)", + namebuf, ds.digest_type, + algbuf); + logged_digest_type[ds.digest_type] = + true; + } + break; + } + + /* + * If we ever deprecate a private algorithm use + * dst_algorithm_fromdata() here. + */ + switch (ds.algorithm) { + case DNS_KEYALG_RSASHA1: + case DNS_KEYALG_NSEC3RSASHA1: + if (!logged_algorithm[ds.algorithm]) { + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_name_format(name, namebuf, + sizeof(namebuf)); + dns_secalg_format(ds.algorithm, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "%s/DS deprecated algorithm " + "%u (%s)", + namebuf, ds.algorithm, + algbuf); + logged_algorithm[ds.algorithm] = true; + } + break; + } + } + dns_rdataset_disassociate(&rdataset); + goto next; checkfords: 
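Review bot: In the new DS loop the `dns_rdata_ds_t ds;` declaration comes after the `dns_rdataset_current()` call, unlike the KEY loop above and the rest of this function where declarations precede statements; move it up next to `dns_rdata_t rdata = DNS_RDATA_INIT;`. Both `switch (ds.digest_type)` and `switch (ds.algorithm)` have a single case and no `default:`, so a plain `if (ds.digest_type == DNS_DSDIGEST_SHA1 && !logged_digest_type[ds.digest_type])` reads more directly and avoids -Wswitch-default noise. Only SHA-1 is reported for the digest type; if the intent is the RFC 8624 "MUST NOT" list, DNS_DSDIGEST_GOST (defined next to the new DNS_DSDIGEST_MAX in ds.h) belongs here too — a judgement call, but worth deciding explicitly.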
@@ -3306,6 +3424,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { } result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &mx, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -3328,6 +3447,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { } result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &srv, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); @@ -3364,6 +3484,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { } result = dns_rdataset_first(&rdataset); while (result == ISC_R_SUCCESS) { + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); have_txt = isspf(&rdata); dns_rdata_reset(&rdata); @@ -3408,9 +3529,10 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { dns_dbnode_t *node = NULL; dns_dbversion_t *version = NULL; dns_rdata_dnskey_t dnskey; - dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; isc_result_t result; + bool logged_algorithm[DST_MAX_ALGS] = { 0 }; + bool alldeprecated = true; result = dns_db_findnode(db, &zone->origin, false, &node); if (result != ISC_R_SUCCESS) { @@ -3428,6 +3550,8 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(&rdataset)) { + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_current(&rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &dnskey, NULL); INSIST(result == ISC_R_SUCCESS); 
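Review bot: With `rdata` now declared per iteration as DNS_RDATA_INIT, the `dns_rdata_reset(&rdata);` that remains in the TXT loop right after `isspf(&rdata)` is redundant; the zone_check_dnskeys hunk in this commit drops its matching reset, so doing the same here keeps the loops consistent. The MX and SRV loop tails are outside their hunks, so I cannot see whether they still carry a reset. Separately, zone_check_dnskeys zero-initialises `logged_algorithm` at declaration (`= { 0 }`) while integrity_checks memsets before each use — both are fine, but one style across the file would be tidier.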
@@ -3469,10 +3593,36 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { algorithm, dnskey.algorithm, dst_region_computeid(&r)); } - dns_rdata_reset(&rdata); + + switch (dnskey.algorithm) { + case DNS_KEYALG_RSAMD5: + case DNS_KEYALG_DSA: + case DNS_KEYALG_RSASHA1: + case DNS_KEYALG_NSEC3DSA: + case DNS_KEYALG_NSEC3RSASHA1: + case DNS_KEYALG_ECCGOST: + if (!logged_algorithm[dnskey.algorithm]) { + dns_secalg_format(dnskey.algorithm, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "deprecated DNSKEY algorithm found: " + "%u (%s)\n", + dnskey.algorithm, algbuf); + logged_algorithm[dnskey.algorithm] = true; + } + break; + default: + alldeprecated = false; + break; + } } dns_rdataset_disassociate(&rdataset); + if (alldeprecated) { + dnssec_log(zone, ISC_LOG_WARNING, + "all DNSKEY algorithms found are deprecated"); + } + cleanup: if (node != NULL) { dns_db_detachnode(db, &node); @@ -23155,6 +23305,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) { * record which must be by itself. */ if (dns_rdataset_isassociated(&cds)) { + bool logged_digest_type[DNS_DSDIGEST_MAX + 1] = { 0 }; bool delete = false; memset(algorithms, notexpected, sizeof(algorithms)); for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS; @@ -23182,6 +23333,29 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) { } CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL)); + + /* + * Log deprecated CDS digest types. + */ + switch (structcds.digest_type) { + case DNS_DSDIGEST_SHA1: + if (!logged_digest_type[structcds.digest_type]) + { + char algbuf[DNS_DSDIGEST_FORMATSIZE]; + dns_dsdigest_format( + structcds.digest_type, algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "deprecated CDS digest type " + "%u (%s)", + structcds.digest_type, + algbuf); + logged_digest_type[structcds.digest_type] = + true; + } + break; + } + if (algorithms[structcds.algorithm] == 0) { algorithms[structcds.algorithm] = expected; } 
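Review bot: The `"deprecated DNSKEY algorithm found: %u (%s)\n"` message ends with a newline while every other dnssec_log() call in this patch does not, so this log line will carry a stray blank line; drop the `\n`. `alldeprecated` starts true and is cleared only in `default:`, so it is vacuously true if no DNSKEY reaches the switch — if any earlier statement in this loop (outside the hunk) can `continue`, a zone whose keys were all skipped would log "all DNSKEY algorithms found are deprecated"; a `seen` count incremented in both arms would pin the claim to keys actually examined. The list here (RSAMD5, DSA, NSEC3DSA, ECCGOST) is also wider than the commit message and the KEY/DS checks describe; either update the message or align the checks.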
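Review bot: The CDS check logs a deprecated digest type but not a deprecated `structcds.algorithm`, whereas the DS check in integrity_checks() in this commit logs both; a CDS with algorithm 5 or 7 will therefore be published towards the parent with no warning. Mirror the DS loop with a `logged_algorithm` check on `structcds.algorithm` for RSASHA1/NSEC3RSASHA1 here. As in the other hunks, a single-case `switch` with no `default:` is better written as an `if`. dns_zone_cdscheck() continues outside the hunk.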
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 3a37536149..9abb1c7cf8 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -252,6 +252,18 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, goto cleanup; } + switch (key->algorithm) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + cfg_obj_log(obj, logctx, ISC_LOG_WARNING, + "dnssec-policy: DNSSEC algorithm %s is " + "deprecated", + alg.base); + break; + default: + break; + } + obj = cfg_tuple_get(config, "length"); if (cfg_obj_isuint32(obj)) { uint32_t min, size; @@ -432,6 +444,12 @@ add_digest(dns_kasp_t *kasp, const cfg_obj_t *digest, isc_log_t *logctx) { str); result = DST_R_UNSUPPORTEDALG; } else { + if (alg == DNS_DSDIGEST_SHA1) { + cfg_obj_log( + digest, logctx, ISC_LOG_WARNING, + "dnssec-policy: deprecated CDS digest-type %s", + str); + } dns_kasp_adddigest(kasp, alg); } return result; From 6d8281b9137c27374d272e23294ba554d7e93253 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 Jun 2025 15:33:35 +1000 Subject: [PATCH 2/8] Update man pages for deprecated algorithms (cherry picked from commit 1e3e61ba53ad2ef12b48a2b32190ece06e2b6203) --- bin/dnssec/dnssec-dsfromkey.rst | 69 +++++++++++++++++------------- bin/dnssec/dnssec-keyfromlabel.rst | 32 ++++++++------ bin/dnssec/dnssec-keygen.rst | 25 ++++++----- 3 files changed, 71 insertions(+), 55 deletions(-) diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst index 9ca025a319..b23dff6164 100644 --- a/bin/dnssec/dnssec-dsfromkey.rst +++ b/bin/dnssec/dnssec-dsfromkey.rst 
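Review bot: The new dnssec-policy warning formats `alg.base` with `%s`; if `alg` is an isc_textregion_t (its declaration is outside the hunk) that assumes the region is NUL-terminated, which the type does not guarantee — `"%.*s", (int)alg.length, alg.base` removes the assumption. The two messages added to this file are worded differently ("DNSSEC algorithm %s is deprecated" vs "deprecated CDS digest-type %s"); a common shape such as `dnssec-policy: deprecated DNSSEC algorithm %s` and `dnssec-policy: deprecated CDS digest type %s` keeps them greppable together and matches the zone.c wording. The enclosing cfg_kaspkey_fromconfig() starts before the hunk.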
@@ -32,30 +32,34 @@ Synopsis Description ~~~~~~~~~~~ -The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records -(RRs), or CDS (Child DS) RRs with the :option:`-C` option. +The :program:`dnssec-dsfromkey` command outputs DS (Delegation +Signer) resource records (RRs), or CDS (Child DS) RRs with the +:option:`-C` option. By default, only KSKs are converted (keys with flags = 257). The -:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never -included. +:option:`-A` option includes ZSKs (flags = 256). Revoked keys are +never included. The input keys can be specified in a number of ways: -By default, :program:`dnssec-dsfromkey` reads a key file named in the format -``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`. +By default, :program:`dnssec-dsfromkey` reads a key file named in +the format ``Knnnn.+aaa+iiiii.key``, as generated by +:iscman:`dnssec-keygen`. -With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone -file or partial zone file (which can contain just the DNSKEY records). +With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` +reads keys from a zone file or partial zone file (which can contain +just the DNSKEY records). -With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file, -as generated by :iscman:`dnssec-keygen` :option:`-C`. +With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a +``keyset-`` file, as generated by :iscman:`dnssec-keygen` :option:`-C`. Options ~~~~~~~ .. option:: -1 - This option is an abbreviation for :option:`-a SHA1 <-a>`. + This option is an abbreviation for :option:`-a SHA1 <-a>`. This + digest is deprecated. .. option:: -2 
@@ -63,24 +67,26 @@ Options .. option:: -a algorithm - This option specifies a digest algorithm to use when converting DNSKEY records to - DS records. This option can be repeated, so that multiple DS records - are created for each DNSKEY record. + This option specifies a digest algorithm to use when converting + DNSKEY records to DS records. This option can be repeated, so + that multiple DS records are created for each DNSKEY record. - The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values - are case-insensitive, and the hyphen may be omitted. If no algorithm - is specified, the default is SHA-256. + The algorithm must be one of SHA-1 (deprecated), SHA-256, or + SHA-384. These values are case-insensitive, and the hyphen may + be omitted. If no algorithm is specified, the default is SHA-256. .. option:: -A - This option indicates that ZSKs are to be included when generating DS records. Without this option, only - keys which have the KSK flag set are converted to DS records and - printed. This option is only useful in :option:`-f` zone file mode. + This option indicates that ZSKs are to be included when generating + DS records. Without this option, only keys which have the KSK + flag set are converted to DS records and printed. This option + is only useful in :option:`-f` zone file mode. .. option:: -c class - This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset - or :option:`-f` zone file mode. + This option specifies the DNS class; the default is IN. This + option is only useful in :option:`-s` keyset or :option:`-f` + zone file mode. .. option:: -C 
@@ -88,10 +94,10 @@ Options .. option:: -f file - This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the - DNS domain name of a zone whose master file can be read from - ``file``. If the zone name is the same as ``file``, then it may be - omitted. + This option sets zone file mode, in which the final dnsname + argument of :program:`dnssec-dsfromkey` is the DNS domain name + of a zone whose master file can be read from ``file``. If the + zone name is the same as ``file``, then it may be omitted. If ``file`` is ``-``, then the zone data is read from the standard input. This makes it possible to use the output of the :iscman:`dig` @@ -105,16 +111,19 @@ Options .. option:: -K directory - This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``. + This option tells BIND 9 to look for key files or ``keyset-`` + files in ``directory``. .. option:: -s - This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS - domain name used to locate a ``keyset-`` file. + This option enables keyset mode, in which the final dnsname + argument from :program:`dnssec-dsfromkey` is the DNS domain name + used to locate a ``keyset-`` file. .. option:: -T TTL - This option specifies the TTL of the DS records. By default the TTL is omitted. + This option specifies the TTL of the DS records. By default the + TTL is omitted. .. option:: -v level diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index ea5164d28f..11fbcd2030 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst 
@@ -41,27 +41,31 @@ Options .. option:: -a algorithm - This option selects the cryptographic algorithm. The value of ``algorithm`` must - be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, - ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. + This option selects the cryptographic algorithm. The value of + ``algorithm`` must be one of RSASHA1 (deprecated), NSEC3RSASHA1 + (deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, + ED25519, or ED448. - These values are case-insensitive. In some cases, abbreviations are - supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for - ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3` - option, then NSEC3RSASHA1 is used instead. + These values are case-insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 + for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along + with the :option:`-3` option, then NSEC3RSASHA1 (deprecated) is + used instead. - This option is mandatory except when using the - :option:`-S` option, which copies the algorithm from the predecessory key. + This option is mandatory except when using the :option:`-S` + option, which copies the algorithm from the predecessory key. .. versionchanged:: 9.12.0 - The default value RSASHA1 for newly generated keys was removed. + The default value RSASHA1 (deprecated) for newly generated + keys was removed. .. option:: -3 - This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this - option is used with an algorithm that has both NSEC and NSEC3 - versions, then the NSEC3 version is used; for example, - ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + This option uses an NSEC3-capable algorithm to generate a DNSSEC + key. 
If this option is used with an algorithm that has both NSEC + and NSEC3 versions, then the NSEC3 version is used; for example, + ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 + (deprecated) algorithm. .. option:: -E engine diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index bd9ad6a9b9..a03ab5d6cd 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -38,21 +38,24 @@ Options .. option:: -3 - This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this - option is used with an algorithm that has both NSEC and NSEC3 - versions, then the NSEC3 version is selected; for example, - ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + This option uses an NSEC3-capable algorithm to generate a DNSSEC + key. If this option is used with an algorithm that has both NSEC + and NSEC3 versions, then the NSEC3 version is selected; for + example, ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 + (deprecated) algorithm. .. option:: -a algorithm - This option selects the cryptographic algorithm. For DNSSEC keys, the value of - ``algorithm`` must be one of RSASHA1, NSEC3RSASHA1, RSASHA256, - RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. + This option selects the cryptographic algorithm. For DNSSEC keys, + the value of ``algorithm`` must be one of RSASHA1 (deprecated), + NSEC3RSASHA1 (deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256, + ECDSAP384SHA384, ED25519, or ED448. - These values are case-insensitive. In some cases, abbreviations are - supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for - ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3` - option, NSEC3RSASHA1 is used instead. + These values are case-insensitive. In some cases, abbreviations + are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 + for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along + with the :option:`-3` option, NSEC3RSASHA1 (deprecated) is used + instead. This parameter *must* be specified except when using the :option:`-S` option, which copies the algorithm from the predecessor key. From 2ee06d5b9dfe1f40a94268d119190dfc5e9f2371 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Mon, 30 Jun 2025 15:09:32 +1000 Subject: [PATCH 3/8] Check that named-checkzone reports deprecated algorithms (cherry picked from commit 5d406677f1b930c034128af6348a3e42ec367cd3) --- bin/tests/system/checkzone/tests.sh | 20 ++++++ .../zones/warn.deprecated.nsec3rsasha1.db | 71 +++++++++++++++++++ .../zones/warn.deprecated.rsasha1.db | 71 +++++++++++++++++++ 3 files changed, 162 insertions(+) create mode 100644 bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db create mode 100644 bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index bda5e37b62..103c200edc 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh @@ -212,5 +212,25 @@ echo $lines if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "Checking for RSASHA1 deprecated warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.rsasha1.db >test.out.$n || ret=1 +grep "deprecated DNSKEY algorithm found: 5 (RSASHA1)" test.out.$n >/dev/null || ret=1 +grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +echo_i "Checking for NSECRSASHA1 deprected warning ($n)" +ret=0 +$CHECKZONE example zones/warn.deprecated.nsec3rsasha1.db >test.out.$n || ret=1 +grep "deprecated DNSKEY algorithm found: 7 (NSEC3RSASHA1)" test.out.$n >/dev/null || ret=1 +grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1 +grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
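Review bot: The second test's label reads `Checking for NSECRSASHA1 deprected warning` — two typos; it should be `echo_i "Checking for NSEC3RSASHA1 deprecated warning ($n)"` so a failure is searchable by the mnemonic the grep below expects. Both tests assert that the warnings appear but neither checks that a zone signed with a non-deprecated algorithm stays quiet, so a check that warned unconditionally would still pass; a `grep deprecated` expected to fail on an existing ECDSA/ED25519 test zone would close that gap. The `loaded serial 0 (DNSSEC signed)` grep already confirms the load succeeded, so the `|| ret=1` on the checkzone call is fine for what are only warnings.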
diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db new file mode 100644 index 0000000000..1490935c68 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db 
@@ -0,0 +1,71 @@ +; File written on Mon Jun 30 14:55:37 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 7 1 3600 ( + 20901231235959 20250630035537 41424 example. + oqX2MaQSaMj2YPYWA/8echxn7QHBerVEs426 + z8IJ88lv8Ih3Rrsldur6hXCieYI46wK3xOft + p0VMAw9iIK5T49PXnaf7+hdaIJFDTAvuhzco + e1IcdfmS26a6rRZHG8QKNjVjn/Du3J2gbdoB + ubyio+7BY45Mk1S0sb0QzkmfTRZodULfvlW7 + BkmC9k0ixU1f1R+k26I0TJHYwH6Tw3O/0nPG + SkUKnIcgqjzXsnUN1XGR+gD9TVF8Hp+JYWCz + 5fFTR733OiScIK+Xlon+ydg1GixW1rOR2MOP + lowGJIHeE8nDYEgncKv91wFCp1IRHjgN/6zg + c6JBClYMhe0RS66I6A== ) + 3600 NS . + 3600 RRSIG NS 7 1 3600 ( + 20901231235959 20250630035411 41424 example. + pQUeJTZvpEPBZOdatA79eUE+qunKTasFyjgT + xB+hpvXujxFqf6FDs/TdfE9jGo5T8Rwb3Gu0 + 7+uo5ATwKuQL0TywDVm7DMj07iWoXpCGWge9 + q+iZ9sVXTzGKbb+1f8w9b/E9qW/s9Uir/tZq + pPWhEgy61ip/pjkcyoIi3wQtffBMckApBgao + Nk6YPi0TSl3W+cQUDkT2BeCoZDHuhuvS+Z3x + URTu5FnqT3YPKJ5xb4N3mr4um4oI9sy+TJIj + yuSW/ie0Bzy8x8ha1capfhlbPsZI6SKe0ldR + vC9dr0gertISQzAnl9GqxFne6Ya5DyYHKye+ + khVrRKAu2YIFRWYrOg== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 7 1 3600 ( + 20901231235959 20250630035537 41424 example. 
+ IMgNRFY4qWHDFz/gWiXn6jrCSW4Az/5sE7ML + dyJgY8OHtM2Kq+ThRsgZn7gN47T7QJv8Dvc3 + oYNRH7R6sjGJBZmfoqfdZmJOrR1bdKhHjhHR + 0b3NuXlVAG7eqMu4eJvsKZCUTKxa3+iFStw/ + pTsHWEVT9ozMaAfQdzM86Pq6x8VVQCRwuw9g + JWkjt0/4VGA/tTj713o0/7Ju0055wSVnFNvH + XaAW2PG9nRDyFvoOq1lFSFEPm9gXDFfDmTZn + 40v+qIer/vPGMkHyizZAbZ0qnM7lwNAhDukz + catwpgsbpMWHrBUgnDCbxpzfl24n7wmHyCUa + ArewJH9UphjytrxHjw== ) + 3600 DNSKEY 256 3 7 ( + AwEAAakdlaNNa6UNEKTh7g0TPBLuEecXezJ2 + mz7kaBxIEx7t3IPxWymt5XezCtR7NilHW+zo + d42hzKrtqFilt5SBrsjnWr5ipczEySEYCtOz + Jx0P9xLj8MjCf5D6+elSY4zm9gtqlIo6ryhf + SuCJQ9XZOIFD10/8efr0HYxkc0N4msZhVcuB + yJ650Pjc0EFWEe2yseM+uXZCIc/0Q4OayMJA + 5GEJwvq/POH/POU7HlQR5RKzT0babm4Jvmpx + F1jf7gSRL44LgVLl/m4fKjseK1w0shOxhrwc + gAXI5ZMpspN9Mnhy+HNemkw9xyw3XkAtcTuN + yUHvCLEyaklh6latwxFQTLM= + ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 41424 + 3600 RRSIG DNSKEY 7 1 3600 ( + 20901231235959 20250630035411 41424 example. + G2lr1Q+xjDnefyPbxLTy0yZ8wUg1+GcaBb9H + 7YX0FzZroRLTNr8SN2VYge4CbNZkTIC98dmV + TRwoBp4HbrWY5jDGT2oQS1zDc92dz0TuD0Ys + JMI2/IEVpA9wBcqsRssmAwzSuh4dMLqfMkrm + KzWk7CRNxqC1JXJ1MgbRCRuES22HGO3O7ZXZ + HjsFANBQt+7PebgdmAtS61RvztyJE+o6LyaA + qA9qawqYDBi7Lcar/U+arrfg77kQ8BmC+ZZV + toLkus9VsM9GShmMo2/KMu+PYWHKWUuHwRas + v9hSvLh/+b7mymssp/WtmX79a3WXlHovNP2v + Sh2S4RjDq4lFsyqTAA== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db new file mode 100644 index 0000000000..6b18f5f155 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db 
@@ -0,0 +1,71 @@ +; File written on Mon Jun 30 14:57:52 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 5 1 3600 ( + 20901231235959 20250630035752 3495 example. + gq16Xp8iCErMp/R6jdzvws3MMvWAMowfYOa5 + K3Dwo3MXUruWhsDa4XjH3CJIk4LtSRDWcVSj + /STy/R4CEvz83/2VMjQ7L73hFZZNVrMHKrLi + SfRhnUueOHiYrv8sLM2ZHy0EYM/gULmcX51j + j0XJlSf9DfkT/nh3ZwqS+lD/RA+1Gg73xVkS + tRh5AZMWAGrjyBMOC0iW9qexqINmM0nR40K7 + 5L+17OL2Ay/Fp7zliN+g9bAEfgITQlFRO32Y + sZrPRguzavP5xad4m3GOCAQoTQJpnci7id2u + DhIwkh6+7Do3zjZOQy74IvbuPVUS5nVRiEd8 + XqF3Z7hHMYWWCEdslw== ) + 3600 NS . + 3600 RRSIG NS 5 1 3600 ( + 20901231235959 20250630034615 3495 example. + FrY8Bi8StW34PADKfVn2uPDIgDzbhyinoQDw + HjklP8PFXvl2VLhroGZy5EfoGQlC+eOL7Ffb + ZlKMvSOtGHpIIdqWg6GmGBWqCYoC3EoaFVXh + A2SBxOPdcbGbwzVk6MWnrpFRsxwMqX+7vjJg + eB7XVh1tZf90N6Yfswfy/UFf5Qbaj69gE7/7 + Eu3lkNNsFr5UVLPU4K4/dzNalllZjZ++w68T + 5Y97UmIJH+aXpNndibJU9c25F1/ou5NJLQQN + LxyWXIi1CRaF88sjQwXemO8xutnh2b3ULKI0 + pelDtKThLWWYAMhgMnhr5HktL69++cMZiZ4z + 3heBavJIPY2QTYOLZw== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 1 3600 ( + 20901231235959 20250630035752 3495 example. 
+ N5mNbNXTSbLOya8baU6SaGao8bPquA4rO2hb + 5mkYjM+wzAJRNKSrViA5Ev7iFJolXKM+NCV3 + fpKtT+5v8mqhGZf80H1Z7inmAMX+Gz9B0YfO + yhmSTD7qnIgoxw+W/dFAeBx18XyCRDBRlGyj + 2FEqZa46AVuDaYgQoUJLfM4SkOhbsDdDfQV1 + uQinjRnhvOQEOd0wYRbqR7S8BMqppnahwyai + lH5tx8qsBVFTR7P8D5UlTfHCBM+d0VI5jXjt + 45eCwzqQBTl4ot4Tbc/nGaUvPU5ffkW8fmsk + BygQeKd97xPnzK0tt1KJaYGTiqc3UgUId929 + XniHMB6YmxkpIb2qrg== ) + 3600 DNSKEY 256 3 5 ( + AwEAAZmABvQsJBvsRu2fMlU1CtN58u7+yO5x + ioxkg8O2mH29NDFoMKtxZKlk74+hT8m0aAKV + hqEywM9S2NaWEXctv2lF6t/f8E8YJkY+cnLb + iZmxuJmScxce8u32KlX0MiKN2JQHIokDTz7m + 2AqUaLTnERyIXNUHJfHx1nzvhhz4G7TV41Pk + U1MSX3gCrgsSQ7IUzLOsyy6iQn4wFml+eXlO + qmypFvjRDhmjXAHms3nSOgDmDu6kF+9R0ccL + Lh4YAEYZlx2UoDigcEtRfMeYQwb76tC7xAkx + EEJAUo+oRkaw2in8kVjpwuXSWF5WlX+Cpie9 + o3r+4EpI/IV6z63QO9zqMEE= + ) ; ZSK; alg = RSASHA1 ; key id = 3495 + 3600 RRSIG DNSKEY 5 1 3600 ( + 20901231235959 20250630034615 3495 example. + gpKH6gf+47UNqMlTdtylpSW/yRNEyPtpj7Tu + Y939pwRPgQcPBscIwcZzezV0r4y2O5xMTKQ1 + fQZTidfCwvessYTxYJYSjE1i+pChblLmqY/j + JNjwUv0nH9rs8ZSXRSFiqPsC7tl4jBQsD1N+ + UdV3a/rEFCON1C+KirQlrdSq+/bAic0A4afZ + g746kgnLsNCu/FnVucfoOBGaAk6na9dYIt0+ + l7IKI+4dg+tHsaGdRVv2h2JXO6g1I2LtCiIB + FlKxFDCrMFV9+xduLFNnNxVsvnK7RtlAAPo5 + n4WBinbW5CpGJnc7n/0BknnecqZb63qkQgia + 50FJvVZCJ4WTZ+Hh0g== ) From 05062b6f669e0dbfa8dc4546840dfe62437952a6 Mon Sep 17 00:00:00 2001 
From: Mark Andrews Date: Mon, 30 Jun 2025 15:26:10 +1000 Subject: [PATCH 4/8] Check that named-checkzone reports deprecated digests (cherry picked from commit 95a82d08938fe3102757f5182bc017eb6a7eb68d) --- .reuse/dep5 | 6 +++ bin/tests/system/checkzone/tests.sh | 36 +++++++++++++ .../zones/warn.deprecated.cds-sha1.db | 44 +++++++++++++++ .../zones/warn.deprecated.digest-sha1.db | 51 ++++++++++++++++++ .../checkzone/zones/warn.deprecated.ds-alg.db | 51 ++++++++++++++++++ .../zones/warn.deprecated.key-alg.db | 53 +++++++++++++++++++ 6 files changed, 241 insertions(+) create mode 100644 bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db create mode 100644 bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db create mode 100644 bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db create mode 100644 bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db diff --git a/.reuse/dep5 b/.reuse/dep5 index 455488977b..3396507cff 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -32,6 +32,12 @@ Files: **/*.after* bin/tests/system/checkzone/zones/bad-caa-rr.db bin/tests/system/checkzone/zones/bad1.db bin/tests/system/checkzone/zones/crashzone.db + bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db + bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db + bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db + bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db + bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db + bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db bin/tests/system/dnstap/large-answer.fstrm bin/tests/system/doth/CA/CA.cfg bin/tests/system/doth/CA/README diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index 103c200edc..1f340a3fcc 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh 
@@ -232,5 +232,41 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "Checking for SHA1 CDS digest warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.cds-sha1.db >test.out.$n || ret=1
+grep "zone example/IN: deprecated CDS digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for SHA1 DS digest warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.digest-sha1.db >test.out.$n || ret=1
+grep "zone example/IN: child.example/DS deprecated digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for RSASHA1 DS algorithm warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.ds-alg.db >test.out.$n || ret=1
+grep "zone example/IN: child.example/DS deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for RSASHA1 KEY algorithm warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.key-alg.db >test.out.$n || ret=1
+grep "zone example/IN: example/KEY deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db
new file mode 100644
index 0000000000..13da8308e1
--- /dev/null
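Review bot: The four new named-checkzone invocations capture only stdout (`>test.out.$n`), while the other checks visible in this file and in patch 7/8 of this series redirect both streams (`>test.out.$n 2>&1`); if a deprecation warning were ever emitted on stderr, the following `grep` would miss it and the check would fail for the wrong reason, so `$CHECKZONE example zones/warn.deprecated.cds-sha1.db >test.out.$n 2>&1 || ret=1` (and likewise for the other three) keeps the capture consistent. The `grep "loaded serial 0 (DNSSEC signed)"` assertions pin the important behaviour that deprecation is a warning and the zone still loads; a one-line comment such as `# deprecated algorithm/digest must warn, not reject the zone` above the first block would make that intent explicit. The four blocks differ only in the zone file and the expected message, so a small helper taking those two arguments would remove the duplication. The `.reuse/dep5` hunk above also registers warn.deprecated.rsasha1.db and warn.deprecated.nsec3rsasha1.db, which this patch neither creates nor exercises here; if an earlier patch in the series adds them that is fine, otherwise the DNSKEY-algorithm warnings have no checkzone coverage.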
+++ b/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db @@ -0,0 +1,44 @@ +; File written on Wed Jul 2 14:27:34 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY CDS + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250702032734 46204 example. + aPkaoO9OMYZwldpUPJeqFZoGCc8XQcmQHig2 + zJmp2Qv2QGRH1faoWosYy5jwQskxtpoyE0Eh + yxEoUhHZNCKogQ== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) + 3600 CDS 46204 13 1 ( + 712DD9926EDF2A5E81E76D3BC5F5637BEA06 + 2E67 ) + 3600 RRSIG CDS 13 1 3600 ( + 20901231235959 20250702032734 46204 example. + nS9qKdj0dfWNe6U0ttuKSMiKMhxLq4Yo6WPT + 9j/cmjbaOdKO1DBoDxzZ7G4M34msvBcKq31L + mn8qUlrzSOfD9A== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db new file mode 100644 index 0000000000..da817b54f3 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db 
@@ -0,0 +1,51 @@ +; File written on Mon Jun 30 15:20:51 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB + KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2 + YRVJGECc6/rdcg== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) +child.example. 3600 IN NS . + 3600 DS 30914 13 1 ( + 3FFB809FC091FDC931815B50E5DA9C00B5C1 + 454F ) + 3600 RRSIG DS 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + 5Y/jx0eePoUztptSLwE9DeY2GlVNVHSr3lF4 + R8IajnK7zXs2QtoRIdmKwWZ1um1JICh59Xk7 + R/BXFAbO6FMaPA== ) + 3600 NSEC example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + A662/raRKle9b45C5douUufAne7iRtKw0u7C + gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT + 7+Wv86G8MGt+3Q== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db b/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db new file mode 100644 index 0000000000..9c5fb8db07 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db 
@@ -0,0 +1,51 @@ +; File written on Wed Jul 2 12:22:09 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB + KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2 + YRVJGECc6/rdcg== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) +child.example. 3600 IN NS . + 3600 DS 58246 5 2 ( + 641AFA5ACB8099E4E571585B7B9A416078FF + 79D40D1C2E85F9179E28BF08D61D ) + 3600 RRSIG DS 13 2 3600 ( + 20901231235959 20250702012209 46204 example. + g17c5sfC0OAucFLA0n9C5EfPActxuPMpHN6G + spGmkkDUaU5UosWkdcapd20Yb29NaEKvJO3Q + Qn6K53MKtWt7zQ== ) + 3600 NSEC example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + A662/raRKle9b45C5douUufAne7iRtKw0u7C + gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT + 7+Wv86G8MGt+3Q== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db b/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db new file mode 100644 index 0000000000..3dfa76eacf --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db 
@@ -0,0 +1,53 @@ +; File written on Wed Jul 2 16:48:02 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 KEY 512 3 5 ( + AwEAAZwLHbB7cjvlEt0evebAMsJtuNYXgiyt + qe3lu0RO/ChFdddyHv+O9M1zLrCnWMBSLHad + YHSXfG3BMyMAnBh7om+1pgrHCShlmMaxZ5cC + sug5buS3E8eVRVAf7Qje63owxm2iF3G9kKWY + FgfE+Ml5Uv7etHkmxqAmFb3jYuXzYWfMz1qY + rICsJnw7qcKzNphl71tDvJUYD5pDA7izhzs3 + 8tdDH8qMQgK/yNU3Q/RAOg2VRvYuwYOteCAx + 6RB/z+rtNTKNbphrPrzSsekOurLo1B+AvDct + o/orbilbQ8qdq0cknKlqdMKuYcqQ1BbBMrdV + w1fBTLDwiFwiRBjYazPqPiE= + ); alg = RSASHA1 ; key id = 13684 + 3600 RRSIG KEY 13 1 3600 ( + 20901231235959 20250702054802 46204 example. + GvfNtx1F8crebI/QrPb2meHplhSpAsIDqJ48 + iMg6aT22mGBagR698GS+9ehg0ExMumfIDPSO + k/1wtwRKYqrKow== ) + 3600 NSEC example. NS SOA KEY RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250702054802 46204 example. + Nah5tUuwQiiDKWpdgtqPp7LppMOoDUJkyTZB + pAzmbT8UA7kNJN2K5kfkLJgPqWAt4h2P0Ys1 + 9lkLcXqYUH0x5g== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) From 13afcc8af4865a31747a7e8596e65c9eae6ceed0 Mon Sep 17 00:00:00 2001 
From: Mark Andrews
Date: Mon, 30 Jun 2025 15:56:21 +1000
Subject: [PATCH 5/8] Check deprecated algorithms in dnssec-policy
(cherry picked from commit 86fb638085cf6487fa3b3af6f96ebfdca26c0fa8)
---
 .../checkconf/kasp-deprecated-fips.conf | 19 ++++++++++++++++++
 .../system/checkconf/kasp-deprecated.conf | 20 +++++++++++++++++++
 bin/tests/system/checkconf/tests.sh | 14 +++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 bin/tests/system/checkconf/kasp-deprecated-fips.conf
 create mode 100644 bin/tests/system/checkconf/kasp-deprecated.conf
diff --git a/bin/tests/system/checkconf/kasp-deprecated-fips.conf b/bin/tests/system/checkconf/kasp-deprecated-fips.conf
new file mode 100644
index 0000000000..6159940dcc
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-deprecated-fips.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy deprecated {
+ cds-digest-types { sha1; };
+ keys {
+ csk lifetime unlimited algorithm ecdsa256;
+ };
+};
diff --git a/bin/tests/system/checkconf/kasp-deprecated.conf b/bin/tests/system/checkconf/kasp-deprecated.conf
new file mode 100644
index 0000000000..ba7e72b8d6
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-deprecated.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy deprecated {
+ cds-digest-types { sha1; };
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ csk lifetime unlimited algorithm nsec3rsasha1;
+ };
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 53cb782708..3d4fd83cf4 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -726,6 +726,20 @@ if [ $lines -ne 5 ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking named-checkconf kasp deprecated algorithms and digests ($n)"
+ret=0
+if [ $RSASHA1_SUPPORTED = 0 ]; then
+ $CHECKCONF kasp-deprecated-fips.conf >checkconf.out$n 2>&1 || ret=1
+else
+ $CHECKCONF kasp-deprecated.conf >checkconf.out$n 2>&1 || ret=1
+ grep "dnssec-policy: DNSSEC algorithm rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
+ grep "dnssec-policy: DNSSEC algorithm nsec3rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
+fi
+grep "dnssec-policy: deprecated CDS digest-type sha1" checkconf.out$n >/dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "check that a good 'kasp' configuration is accepted ($n)"
 ret=0
From 77e6b07fae4715974ae9ce7d4cfb555e16b34f5e Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 2 Jul 2025 23:23:01 +1000
Subject: [PATCH 6/8] Digest type GOST is also deprecated
(cherry picked from commit 125a232bfbd8eeb9074bd10392e387597aa343df)
---
 lib/dns/zone.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1a5e407fb6..b0911800dd 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3342,6 +3342,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 switch (ds.digest_type) {
 case DNS_DSDIGEST_SHA1:
+case DNS_DSDIGEST_GOST:
 if (!logged_digest_type[ds.digest_type]) {
 char algbuf[DNS_DSDIGEST_FORMATSIZE];
 dns_name_format(name, namebuf,
@@ -23339,6 +23340,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
 */
 switch (structcds.digest_type) {
 case DNS_DSDIGEST_SHA1:
+case DNS_DSDIGEST_GOST:
 if (!logged_digest_type[structcds.digest_type]) {
 char algbuf[DNS_DSDIGEST_FORMATSIZE];
From ae47f5732e3dcf4ca5609be3f7fef40e3797a4f7 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 2 Jul 2025 12:49:16 +1000
Subject: [PATCH 7/8] Redirect named-checkzone output to file
(cherry picked from commit 370d28de97606019a4fb19e476018e83d3a77bf7)
---
 bin/tests/system/checkzone/tests.sh | 44 ++++++++++++++---------------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 1f340a3fcc..98d6ac37f4 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
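Review bot: Both zone.c hunks now index `logged_digest_type[...]` with a digest type (`DNS_DSDIGEST_GOST`) that previously never reached that line, and the array's declaration is outside the hunks; if it is dimensioned for the full 8-bit digest-type space this is fine, but if it was sized only for the types the switch used to handle, the new case reads and writes past its end, so the bound is worth confirming at the declaration in both integrity_checks and dns_zone_cdscheck. The same deprecated-digest list is now maintained in two separate switch statements; a single static helper that answers "is this digest type deprecated" would keep the two sites from drifting the next time a type is retired. A one-line comment above the cases, e.g. `/* SHA-1 and GOST R 34.11-94 DS digests are deprecated (RFC 8624) */`, would record why exactly these two values are singled out. Both enclosing functions begin and end outside the hunks.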
@@ -139,28 +139,28 @@ status=$((status + ret))
 echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
 ret=0
 q=-q
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
+test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1
 n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
From f702cb85ab01d8df73f7763669010dddc84b67f7 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 2 Jul 2025 23:27:39 +1000
Subject: [PATCH 8/8] Remove leftover test development echo
(cherry picked from commit 1a82a1999b4ee86c7143726516bbbc925df38508)
---
 bin/tests/system/checkzone/tests.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 98d6ac37f4..6a8fe092ac 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -207,7 +207,6 @@ ret=0
 echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
 $CHECKZONE -D example.com zones/generate-overflow.db >test.out.$n 2>&1 || ret=1
 lines=$(grep -c CNAME test.out.$n)
-echo $lines
 [ "$lines" -eq 1 ] || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
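Review bot: The 22 identical invocations in the first hunk are a copy-paste run that is hard to review and to keep in sync (this very change had to edit all 22 lines); a counted loop says the same thing once, e.g. `for _ in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22; do` / `  test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db >test.out.$n 2>&1 || ret=1` / `done`. Every run truncates the same `test.out.$n`, which is acceptable here only because the `test $ret -eq 1 ||` guard stops after the first failure, so the surviving file is that failing run's output; a short comment stating this, and why the check is repeated, would save the next reader from wondering whether `>>` was intended.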