fix: usr: Use signer name when disabling DNSSEC algorithms

``disable-algorithms`` could cause DNSSEC validation failures when the parent zone was
signed with the algorithms that were being disabled for the child zone.
This has been fixed; `disable-algorithms` now works
on a whole-of-zone basis.

If the zone's name is at or below the ``disable-algorithms`` name the algorithm
is disabled for that zone, using deepest match when there are multiple
``disable-algorithms`` clauses. 

Closes #5165

Merge branch '5165-use-signer-name-when-disabling-dnssec-algorithms' into 'main'

See merge request isc-projects/bind9!10837

bin/tests/system/dnssec/ns3/badalg.secure.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			A	10.53.0.4
+ns3			A	10.53.0.3

bin/tests/system/dnssec/ns3/named.conf.j2

@@ -93,6 +93,18 @@ zone "secure.example" {
 	allow-update { any; };
 };
 
+zone "badalg.secure.example" {
+	type primary;
+	file "badalg.secure.example.db.signed";
+	allow-update { any; };
+};
+
+zone "zonecut.ent.secure.example" {
+	type primary;
+	file "zonecut.ent.secure.example.db.signed";
+	allow-update { any; };
+};
+
 zone "bogus.example" {
 	type primary;
 	file "bogus.example.db.signed";

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -30,7 +30,12 @@ g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a
-badalg			A	10.53.0.4
+
+badalg			NS	ns3.badalg
+ns3.badalg		A	10.53.0.3
+
+zonecut.ent		NS	ns3.zonecut.ent
+ns3.zonecut.ent		A	10.53.0.3
 
 private			NS	ns.private
 ns.private		A	10.53.0.2

bin/tests/system/dnssec/ns3/sign.sh

@@ -85,6 +85,32 @@ cp template.db.in insecure.optout.example.db
 cp extrakey.example.db.in extrakey.example.db
 
 # now the signed zones:
+
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for it.
+zone=badalg.secure.example.
+infile=badalg.secure.example.db.in
+zonefile=badalg.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for ent.secure.example.
+zone=zonecut.ent.secure.example.
+infile=zonecut.ent.secure.example.db.in
+zonefile=zonecut.ent.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
@@ -93,7 +119,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cn
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
+cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
 cat "$zonefile" "$zonefile".signed >"$zonefile".tmp

bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			A	10.53.0.4
+ns3			A	10.53.0.3

bin/tests/system/dnssec/ns4/named.conf.j2

@@ -50,6 +50,8 @@ options {
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 {% if not managed_key %}

bin/tests/system/dnssec/tests_validation.py

@@ -1320,12 +1320,40 @@ def test_unknown_algorithms():
     # check EDE code 1 for bad algorithm mnemonic
     msg = isctest.query.create("badalg.secure.example", "A")
     res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.noerror(res)
     isctest.check.noadflag(res)
     if hasattr(res, "extended_errors"):
         assert (
             res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
         )
 
+    # check that zone contents are still secure despite disable-algorithms
+    # on query name (name below zone name).
+    msg = isctest.query.create("z.secure.example", "A")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.adflag(res)
+
+    # check that zone contents are trated insecure (name above zone name).
+    msg = isctest.query.create("zonecut.ent.secure.example", "A")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.noadflag(res)
+    if hasattr(res, "extended_errors"):
+        assert (
+            res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
+        )
+
+    # check that DS records are still treated as secure at the
+    # disable-algorithm name
+    msg = isctest.query.create("badalg.secure.example", "DS")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.adflag(res)
+
     # check both EDE code 1 and 2 for unsupported digest on one DNSKEY
     # and unsupported algorithm on the other
     msg = isctest.query.create("a.digest-alg-unsupported.example", "A")

doc/arm/reference.rst

@@ -1618,7 +1618,7 @@ default is used.
    :short: Disables DNSSEC algorithms from a specified zone.
 
    This disables the specified DNSSEC algorithms at and below the specified
-   name. Multiple :any:`disable-algorithms` statements are allowed. Only
+   zone. Multiple :any:`disable-algorithms` statements are allowed. Only
    the best-match :any:`disable-algorithms` clause is used to
    determine the algorithms.
 

lib/dns/validator.c

@@ -1675,8 +1675,9 @@ validate_answer_process(void *arg) {
 	 * was known and "sufficiently good".
 	 */
 	if (!dns_resolver_algorithm_supported(
-		    val->view->resolver, val->name, val->siginfo->algorithm,
-		    val->siginfo->signature, val->siginfo->siglen))
+		    val->view->resolver, &val->siginfo->signer,
+		    val->siginfo->algorithm, val->siginfo->signature,
+		    val->siginfo->siglen))
 	{
 		if (val->unsupported_algorithm == 0) {
 			val->unsupported_algorithm = val->siginfo->algorithm;

lib/ns/query.c

@@ -2541,8 +2541,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (!dns_resolver_algorithm_supported(
-			    client->inner.view->resolver, name, rrsig.algorithm,
-			    rrsig.signature, rrsig.siglen))
+			    client->inner.view->resolver, &rrsig.signer,
+			    rrsig.algorithm, rrsig.signature, rrsig.siglen))
 		{
 			char txt[DNS_NAME_FORMATSIZE + 32];
 			isc_buffer_t buffer;