From 6b79db1fdd7874d64be6d7dc55176200c24f5d15 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 13 Jul 2021 11:04:44 +0200 Subject: [PATCH] Add test for allowing update CDS/CDNSKEY Add tests to the nsupdate system test to make sure that CDS and/or CDNSKEY that match an algorithm in the DNSKEY RRset are allowed. Also add tests that updates are rejected if the algorithm does not match. Remove the now redundant test cases from the dnssec system test. Update the checkzone system test: Change the algorithm of the CDS and CDNSKEY records so that the zone is still rejected. --- .../system/checkzone/zones/bad-cdnskey.db | 2 +- bin/tests/system/checkzone/zones/bad-cds.db | 4 +- bin/tests/system/dnssec/tests.sh | 39 --------- bin/tests/system/nsupdate/clean.sh | 1 + .../nsupdate/ns3/multisigner.test.db.in | 12 +++ bin/tests/system/nsupdate/ns3/named.conf.in | 8 ++ bin/tests/system/nsupdate/ns3/sign.sh | 3 + bin/tests/system/nsupdate/tests.sh | 79 +++++++++++++++++++ 8 files changed, 105 insertions(+), 43 deletions(-) create mode 100644 bin/tests/system/nsupdate/ns3/multisigner.test.db.in diff --git a/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bin/tests/system/checkzone/zones/bad-cdnskey.db index e3c0ded019..9247247ae5 100644 --- a/bin/tests/system/checkzone/zones/bad-cdnskey.db +++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db @@ -1,4 +1,4 @@ example. 0 SOA . . 0 0 0 0 0 example. 0 NS . example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= -example. 0 CDNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= +example. 0 CDNSKEY 257 3 14 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= diff --git a/bin/tests/system/checkzone/zones/bad-cds.db b/bin/tests/system/checkzone/zones/bad-cds.db index 9cd48a164f..a412c1ed0a 100644 --- a/bin/tests/system/checkzone/zones/bad-cds.db +++ b/bin/tests/system/checkzone/zones/bad-cds.db @@ -1,6 +1,4 @@ example. 0 SOA . . 0 0 0 0 0 example. 0 NS . example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc= -; Actual CDS -; example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C -example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B +example. 0 CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 9e50a0edf1..bada872181 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3368,26 +3368,6 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that a lone non matching CDS record is rejected ($n)" -ret=0 -( -echo zone cds-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-update.secure CDS -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure | -grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' | -$DSFROMKEY -C -A -f - -T 1 cds-update.secure | -sed "s/^/update add /" -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true -grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 -dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 0 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - echo_i "check that a CDS deletion record is accepted ($n)" ret=0 ( @@ -3601,25 +3581,6 @@ status=$((status+ret)) # precedes the supported one in the DNSKEY RRset, and verify the result still # validates succesfully. -echo_i "check that a lone non matching CDNSKEY record is rejected ($n)" -ret=0 -( -echo zone cdnskey-update.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-update.secure CDNSKEY -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p' -echo send -) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true -grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 0 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - echo_i "check that a CDNSKEY deletion record is accepted ($n)" ret=0 ( diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index 2034aa46ab..aa327f8962 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -43,6 +43,7 @@ rm -f ns3/delegation.test.db rm -f ns3/dnskey.test.db rm -f ns3/dsset-* rm -f ns3/example.db +rm -f ns3/multisigner.test.db rm -f ns3/many.test.bk rm -f ns3/nsec3param.test.db rm -f ns3/too-big.test.db diff --git a/bin/tests/system/nsupdate/ns3/multisigner.test.db.in b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in new file mode 100644 index 0000000000..05f651f430 --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +multisigner.test. 10 IN SOA multisigner.test. hostmaster.multisigner.test. 1 3600 900 2419200 3600 +multisigner.test. 10 IN NS multisigner.test. +multisigner.test. 10 IN A 10.53.0.3 diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in index f658a19b1b..c1e0047fdb 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf.in +++ b/bin/tests/system/nsupdate/ns3/named.conf.in @@ -61,3 +61,11 @@ zone "too-big.test" { max-records 3; file "too-big.test.db"; }; + +/* Zone for testing CDS and CDNSKEY updates from other provider */ +zone "multisigner.test" { + type primary; + allow-update { any; }; + dnssec-policy "default"; + file "multisigner.test.db"; +}; diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh index 2fab79ba56..ba6fc8c9bf 100644 --- a/bin/tests/system/nsupdate/ns3/sign.sh +++ b/bin/tests/system/nsupdate/ns3/sign.sh @@ -43,3 +43,6 @@ keyname2=`$KEYGEN -q -a RSASHA256 -3 $zone` cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +# Just copy multisigner.db.in because it is signed with dnssec-policy. +cp multisigner.test.db.in multisigner.test.db diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index f6198b06f1..ac4ce7eaf8 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -52,6 +52,16 @@ while true; do fi done +has_positive_response() { + zone=$1 + type=$2 + ns=$3 + $DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1 + grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1 + grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1 + return 0 +} + ret=0 echo_i "fetching first copy of zone before update" $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ @@ -1227,6 +1237,75 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } +n=`expr $n + 1` +ret=0 +echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C +send +END +msg=": bad CDS RRset" +nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=`expr $n + 1` +ret=0 +echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +nextpart ns3/named.run > /dev/null +$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== +send +END +msg=": bad CDNSKEY RRset" +nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1 +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1 +grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=`expr $n + 1` +ret=0 +echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C +send +END +retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +n=`expr $n + 1` +ret=0 +echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)" +$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 +grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 +$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 ${PORT} +zone multisigner.test +update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== +send +END +retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + n=`expr $n + 1` ret=0 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"