Add tests using PRIVATEOID algorithms

There are 4 tests: 1) a zone using a known private OID. Validations should succeed and return AD=1. 2) a zone using an unknown private OID. Validation should succeed and return AD=0 as the DS to DNSKEY has provably unsupported algorithm. 3) a zone using a known private OID and an extra DS record. Validation should succeed as there is DS to DNSKEY with a known algorithm linkage. 4) a zone using an unknown private OID and an extra DS record. Validation should fail as only one of the DS records can be matched to a provable unknown algorithm. The algorithm of the second DS is indeterminate.
2026-06-11 14:19:59 -04:00 · 2025-05-16 15:50:53 +10:00 · 2025-05-16 15:50:53 +10:00 · 8d554c0c03
commit 8d554c0c03
parent 92393f3c97
11 changed files with 357 additions and 3 deletions
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@ -181,3 +181,18 @@ rsasha1-1024		NS	ns.rsasha1-1024
 ns.rsasha1-1024		A	10.53.0.3

 dname-at-apex-nsec3	NS	ns3
+
+rsasha256oid		NS	ns.rsasha256oid
+ns.rsasha256oid		A	10.53.0.3
+
+rsasha512oid		NS	ns.rsasha512oid
+ns.rsasha512oid		A	10.53.0.3
+
+unknownoid		NS	ns.unknownoid
+ns.unknownoid		A	10.53.0.3
+
+extradsoid		NS	ns.extradsoid
+ns.extradsoid		A	10.53.0.3
+
+extradsunknownoid	NS	ns.extradsunknownoid
+ns.extradsunknownoid	A	10.53.0.3
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -65,7 +65,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
  dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
  dnskey-nsec3-unknown managed-future future revkey \
-  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
+  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
+  rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid; do
  cp "../ns3/dsset-$subdomain.example." .
 done

--- a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
+++ b/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
--- a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
+++ b/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@ -429,11 +429,36 @@ zone "rsasha1-1024.example" {
 	file "rsasha1-1024.example.db";
 };

+zone "rsasha256oid.example" {
+        type primary;
+        file "rsasha256oid.example.db.signed";
+};
+
+zone "rsasha512oid.example" {
+        type primary;
+        file "rsasha512oid.example.db.signed";
+};
+
+zone "unknownoid.example" {
+        type primary;
+        file "unknownoid.example.db.signed";
+};
+
 zone "target.peer-ns-spoof" {
 	type primary;
 	file "target.peer-ns-spoof.db.signed";
 };

+zone "extradsoid.example" {
+        type primary;
+        file "extradsoid.example.db.signed";
+};
+
+zone "extradsunknownoid.example" {
+        type primary;
+        file "extradsunknownoid.example.db.signed";
+};
+
 dnssec-policy "siginterval1" {
 	keys {
 		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
--- a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
+++ b/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
--- a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
+++ b/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@ -424,6 +424,110 @@ cat "$infile" "$keyname.key" >"$zonefile"

 "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null

+#
+# A RSASHA256OID zone.
+#
+zone=rsasha256oid.example.
+infile=rsasha256oid.example.db.in
+zonefile=rsasha256oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA256OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
+# A RSASHA512OID zone.
+#
+zone=rsasha512oid.example.
+infile=rsasha512oid.example.db.in
+zonefile=rsasha512oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
+# A UNKNOWNOID zone.  Sign the zone using RSASHA512OID then
+# update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14
+#
+zone=unknownoid.example
+infile=unknownoid.example.db.in
+zonefile=unknownoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+
+# extract the updated DNSKEY's tag
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* unknownoid.example./\1 ${tag} unknownoid.example./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+#
+# A PRIVATEOID zone with a extra DS record for a non-existent DNSKEY.
+#
+zone=extradsoid.example.
+infile=extradsoid.example.db.in
+zonefile=extradsoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+# add a DS for a second key with the same algorithm
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+"$DSFROMKEY" -2A "$keyname.key" >>"dsset-$zone"
+
+#
+# A UNKNOWNOID with an extra DS zone.  Sign the zone using RSASHA512OID
+# then update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14.  Add an additional DS which does not match
+# the DNSKEY RRset with using this unknown OID.
+#
+zone=extradsunknownoid.example
+infile=extradsunknownoid.example.db.in
+zonefile=extradsunknownoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* extradsunknownoid.example./\1 ${tag} extradsunknownoid.example./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+# add a DS for a second key with the same algorithm
+keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14 and
+# add the resulting DS to the dsset.
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zone" >>"dsset-${zone}."
+
 #
 # A zone with the DNSKEY set only signed by the KSK
 #
--- a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in
+++ b/bin/tests/system/dnssec/ns3/unknownoid.example.db.in
@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -960,6 +960,66 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+echo_i "checking positive validation with private algorithm works ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha256oid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha256oid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+  ret=0
+  echo_i "checking positive validation NSEC3 using dns_client ($n)"
+  delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1
+  grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
+  grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
+  n=$((n + 1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status + ret))
+fi
+
+echo_i "checking positive validation with unknown private algorithm works ($n)"
+ret=0
+dig_with_opts +noauth a.unknownoid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.unknownoid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking positive validation with extra ds for private algorithm ($n)"
+ret=0
+dig_with_opts +noauth a.extradsoid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extradsoid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking positive validation with extra ds for unknown private algorithm fails ($n)"
+ret=0
+dig_with_opts +noauth a.extradsunknownoid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extradsunknownoid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID algorithm, tag [1-9][0-9]*$' ns4/named.run >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # Check the bogus domain

 echo_i "checking failed validation ($n)"
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@ -84,6 +84,7 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/auto-nsec3.example.db",
        "ns3/badds.example.db",
        "ns3/bogus.example.db",
+        "ns3/digest-alg-unsupported.example.db",
        "ns3/disabled.managed.db",
        "ns3/disabled.trusted.db",
        "ns3/dname-at-apex-nsec3.example.db",
@ -94,13 +95,17 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/dnskey-unsupported-2.example.db",
        "ns3/dnskey-unsupported.example.db",
        "ns3/dnskey-unsupported.example.db.tmp",
+        "ns3/ds-unsupported.example.db",
        "ns3/dynamic.example.db",
-        "ns3/digest-alg-unsupported.example.db",
        "ns3/enabled.managed.db",
        "ns3/enabled.trusted.db",
        "ns3/example.bk",
        "ns3/expired.example.db",
        "ns3/expiring.example.db",
+        "ns3/extradsoid.example.db",
+        "ns3/extradsunknownoid.example.db",
+        "ns3/extradsunknownoid.example.db.stage1",
+        "ns3/extradsunknownoid.example.db.stage2",
        "ns3/future.example.db",
        "ns3/keyless.example.db",
        "ns3/kskonly.example.db",
@ -123,7 +128,9 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/revoked.trusted.db",
        "ns3/rfc2335.example.bk",
        "ns3/rsasha256.example.db",
+        "ns3/rsasha256oid.example.db",
        "ns3/rsasha512.example.db",
+        "ns3/rsasha512oid.example.db",
        "ns3/secure.below-cname.example.db",
        "ns3/secure.example.db",
        "ns3/secure.managed.db",
@ -138,6 +145,9 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/trusted-future.key",
        "ns3/ttlpatch.example.db",
        "ns3/ttlpatch.example.db.patched",
+        "ns3/unknownoid.example.db",
+        "ns3/unknownoid.example.db.stage1",
+        "ns3/unknownoid.example.db.stage2",
        "ns3/unsupported.managed.db",
        "ns3/unsupported.managed.db.tmp",
        "ns3/unsupported.trusted.db",
@ -146,7 +156,6 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/update-nsec3.example.db.signed",
        "ns3/upper.example.db",
        "ns3/upper.example.db.lower",
-        "ns3/ds-unsupported.example.db",
        "ns4/broken.conf",
        "ns4/managed.conf",
        "ns4/managed-keys.bind",