mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-28 04:34:54 -04:00
[9.20] fix: dev: DNSSEC EDE system tests on FIPS platform
Changes introducing the support of extended DNS error code 1 and 2 uses SHA-1 digest for some tests which break FIPS platform. The digest itself was irrelevant, another digest is used. Backport of MR !10002 Merge branch 'backport-colin/fix-fips-9807-9.20' into 'bind-9.20' See merge request isc-projects/bind9!10031
This commit is contained in:
Colin Vidal
commit
917181b4e2
6 changed files with 16 additions and 16 deletions
|
|
@ -309,7 +309,7 @@ zonefile=digest-alg-unsupported.example.db
|
|||
cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
|
||||
dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
|
||||
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
keyname2=$("$KEYGEN" -q -a ED448 -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
keyname2=$("$KEYGEN" -q -a ECDSAP384SHA384 -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" "$keyname2.key" >"$zonefile"
|
||||
|
||||
|
|
@ -319,7 +319,7 @@ mv "$zonefile".tmp "$zonefile".signed
|
|||
|
||||
# override generated DS record file so we can set different digest to each keys
|
||||
DSFILE="dsset-${zone}"
|
||||
$DSFROMKEY -1 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
|
||||
$DSFROMKEY -a SHA-384 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
|
||||
$DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
|
||||
|
||||
#
|
||||
|
|
|
|||
|
|
@ -30,9 +30,9 @@ options {
|
|||
nta-recheck 9s;
|
||||
validate-except { corp; };
|
||||
|
||||
disable-algorithms "digest-alg-unsupported.example." { ED448; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
|
||||
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
|
||||
disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
|
||||
|
||||
# Note: We only reference the bind.keys file here to confirm that it
|
||||
|
|
|
|||
|
|
@ -25,9 +25,9 @@ options {
|
|||
dnssec-validation auto;
|
||||
bindkeys-file "managed.conf";
|
||||
minimal-responses no;
|
||||
disable-algorithms "digest-alg-unsupported.example." { ED448; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
|
||||
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
|
||||
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -26,9 +26,9 @@ options {
|
|||
bindkeys-file "managed.conf";
|
||||
dnssec-accept-expired yes;
|
||||
minimal-responses no;
|
||||
disable-algorithms "digest-alg-unsupported.example." { ED448; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
|
||||
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
|
||||
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -21,9 +21,9 @@ options {
|
|||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
disable-algorithms "digest-alg-unsupported.example." { ED448; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
|
||||
disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
|
||||
disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
|
||||
disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
|
||||
disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -3704,8 +3704,8 @@ status=$((status + ret))
|
|||
echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1
|
||||
grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ED448 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-1 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
|
||||
n=$((n + 1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
|
|
|
|||
Loading…
Reference in a new issue