parent
d07f643557
commit
93f33cdd0f
7 changed files with 212 additions and 79 deletions
|
|
@ -698,9 +698,8 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
|
|||
}
|
||||
|
||||
static isc_result_t
|
||||
dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
|
||||
const cfg_obj_t *key, bool managed, dst_key_t **target,
|
||||
isc_mem_t *mctx)
|
||||
dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
|
||||
bool managed, dst_key_t **target, isc_mem_t *mctx)
|
||||
{
|
||||
dns_rdataclass_t viewclass;
|
||||
dns_rdata_dnskey_t keystruct;
|
||||
|
|
@ -793,14 +792,6 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
|
||||
mctx, &dstkey));
|
||||
|
||||
if (!dns_resolver_algorithm_supported(view->resolver, keyname, alg)) {
|
||||
cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
|
||||
"%s key for '%s': algorithm is disabled",
|
||||
managed ? "managed" : "trusted", keynamestr);
|
||||
result = DST_R_UNSUPPORTEDALG;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
*target = dstkey;
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
|
|
@ -851,7 +842,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
|
|||
elt2 != NULL;
|
||||
elt2 = cfg_list_next(elt2)) {
|
||||
key = cfg_listelt_value(elt2);
|
||||
result = dstkey_fromconfig(view, vconfig, key, managed,
|
||||
result = dstkey_fromconfig(vconfig, key, managed,
|
||||
&dstkey, mctx);
|
||||
if (result == DST_R_UNSUPPORTEDALG) {
|
||||
result = ISC_R_SUCCESS;
|
||||
|
|
@ -9971,7 +9962,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) {
|
|||
struct zonelistentry *zle;
|
||||
|
||||
zle = isc_mem_get(dctx->mctx, sizeof *zle);
|
||||
if (zle == NULL)
|
||||
if (zle == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
zle->zone = NULL;
|
||||
dns_zone_attach(zone, &zle->zone);
|
||||
|
|
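Review bot: The second hunk (@ -793) deletes the `dns_resolver_algorithm_supported()` check together with its `"%s key for '%s': algorithm is disabled"` warning, so a `trusted-keys`/`managed-keys` entry whose algorithm is disabled by `disable-algorithms` now leaves dstkey_fromconfig() with ISC_R_SUCCESS and is handed to the caller like any other key. The design note added by this commit says such anchors are ignored, so the filtering has presumably moved into the keytable or the validator, but no hunk on this page logs that a configured anchor was discarded, and load_view_keys (@ -851) still maps only DST_R_UNSUPPORTEDALG to success, so the load-time skip for the disabled case is gone from this path. An operator thereby loses the one log line that explained why a trust anchor has no effect; I would keep a warning wherever the key is now dropped, e.g. `cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, "%s key for '%s': algorithm is disabled, trust anchor ignored", managed ? "managed" : "trusted", keynamestr);`. Both dstkey_fromconfig() and load_view_keys() start and end outside the hunks.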
|
|||
|
|
@ -17,7 +17,7 @@ rm -f K.+*+*.key
|
|||
rm -f K.+*+*.private
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
|
||||
$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1
|
||||
$SIGNER -r $RANDFILE -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1
|
||||
[ $? = 0 ] || cat signer.out
|
||||
|
||||
keyfile_to_trusted_keys $keyname > trusted.conf
|
||||
|
|
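Review bot: The replacement keygen line still hardcodes `-a RSASHA1 -b 1024`, whereas the other setup script in this commit generates its key from `$DEFAULT_ALGORITHM`/`$DEFAULT_BITS`; in a change whose purpose is retiring weak algorithms, a fixed RSASHA1 key makes this test the next thing to break when that algorithm is disabled, unless the zone deliberately needs it, which the hunk does not say. The 768→1024 bump and the added `-f KSK` presumably track a new minimum key size and the expectation of the `-S` signer invocation below, but a reader cannot tell from the line itself; a one-line comment above it saying why 1024 bits and a KSK are required would save the next person the archaeology. If the algorithm is not essential to the test, `keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`` keeps it in step with the rest of the commit.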
|
|||
|
|
@ -23,6 +23,7 @@ options {
|
|||
transfer-source 10.53.0.3;
|
||||
port @PORT@;
|
||||
pid-file "named.pid";
|
||||
session-keyfile "session.key";
|
||||
listen-on { 10.53.0.3; };
|
||||
listen-on-v6 { none; };
|
||||
recursion no;
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ SYSTEMTESTTOP=../..
|
|||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
||||
# Fake an unsupported key
|
||||
unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)
|
||||
unsupportedkey=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone unsupported`
|
||||
awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
|
||||
mv ${unsupportedkey}.tmp ${unsupportedkey}.key
|
||||
|
||||
|
|
@ -51,7 +51,7 @@ rm -f K${zone}.+*+*.private
|
|||
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
|
||||
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
|
||||
$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
|
||||
$SIGNER -r $RANDFILE -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
|
||||
cp master2.db.in updated.db
|
||||
|
||||
# signatures are expired and should be regenerated on startup
|
||||
|
|
@ -61,7 +61,7 @@ rm -f K${zone}.+*+*.private
|
|||
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
|
||||
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
|
||||
$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
|
||||
$SIGNER -r $RANDFILE -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
|
||||
|
||||
zone=retransfer
|
||||
rm -f K${zone}.+*+*.key
|
||||
|
|
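Review bot: In the first hunk (@ -13) the new `unsupportedkey=` line gives up the `$(...)` substitution and the quoting of `$KEYGEN`, `$DEFAULT_ALGORITHM` and `$DEFAULT_BITS` that the line it replaces had; if `-r $RANDFILE` is what this branch needs, it can be added without the regression: `unsupportedkey=$("$KEYGEN" -q -r "$RANDFILE" -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)`. The following `awk` fakes the unsupported algorithm by overwriting the DNSKEY algorithm field with 255, which the `# Fake an unsupported key` comment names but does not explain; extending it to `# Fake an unsupported key: rewrite the DNSKEY algorithm field to 255 (a reserved algorithm number)` states why named rejects it. The @ -51 and @ -61 hunks hardcode `-a RSASHA1 -b 1024` like the sibling setup script, so the same question of whether `$DEFAULT_ALGORITHM` should be used applies there.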
|
|||
|
|
@ -13,6 +13,7 @@ SYSTEMTESTTOP=..
|
|||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
||||
DIGOPTS="+tcp +dnssec -p ${PORT}"
|
||||
DIGUDPOPTS="+dnssec -p ${PORT}"
|
||||
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
|
||||
|
||||
status=0
|
||||
|
|
@ -48,8 +49,8 @@ ret=0
|
|||
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
|
||||
[ $keys = 2 ] || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
|
|
@ -79,8 +80,8 @@ done 2>&1 |sed 's/^/ns3 /' | cat_i
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ans=0
|
||||
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
|
||||
num=`grep "Done signing with" signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
|
||||
num=`grep "Done signing with" signing.out.test$n.$i | wc -l`
|
||||
[ $num = 1 ] && break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -107,8 +108,8 @@ $RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ans=0
|
||||
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
|
||||
grep "No signing records found" signing.out.test$n > /dev/null || ans=1
|
||||
$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
|
||||
grep "No signing records found" signing.out.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 1 ] || break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -151,9 +152,9 @@ ret=0
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -182,10 +183,10 @@ echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)"
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "2011072400" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -198,8 +199,8 @@ ret=0
|
|||
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n.$i 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
|
||||
[ $keys = 2 ] || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
|
|
@ -229,9 +230,9 @@ ret=0
|
|||
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -260,10 +261,10 @@ echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)"
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "2011072400" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -276,8 +277,8 @@ ret=0
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
|
||||
[ $keys = 2 ] || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
|
|
@ -298,8 +299,8 @@ done 2>&1 |sed 's/^/ns3 /' | cat_i
|
|||
for i in 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
ans=0
|
||||
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
|
||||
num=`grep "Done signing with" signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
|
||||
num=`grep "Done signing with" signing.out.test$n.$i | wc -l`
|
||||
[ $num = 1 ] && break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -325,8 +326,8 @@ $RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ans=0
|
||||
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
|
||||
grep "No signing records found" signing.out.test$n > /dev/null || ans=1
|
||||
$RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
|
||||
grep "No signing records found" signing.out.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 1 ] || break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -343,9 +344,9 @@ $RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
|
|||
for i in 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
ans=0
|
||||
$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n
|
||||
grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
|
||||
$DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n.$i
|
||||
grep "10.0.0.5" dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 1 ] || break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -372,9 +373,9 @@ $RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i
|
|||
for i in 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
ans=0
|
||||
$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
|
||||
grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
|
||||
$DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n.$i
|
||||
grep "10.0.0.3" dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 1 ] || break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -399,8 +400,8 @@ ret=0
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n.$i 2>&1
|
||||
keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
|
||||
[ $keys = 2 ] || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
|
|
@ -447,10 +448,10 @@ EOF
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ans=0
|
||||
$DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
|
||||
grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
|
||||
$DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
grep "1.2.3.4" dig.out.ns3.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -495,10 +496,10 @@ echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)"
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "2011072450" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -527,10 +528,10 @@ echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)"
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "2011072450" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -559,10 +560,10 @@ echo_i "checking forwarded update on signed zone ($n)"
|
|||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
ret=0
|
||||
$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
|
||||
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
|
||||
grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
grep "2011072460" dig.out.ns3.test$n.$i > /dev/null || ret=1
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -807,9 +808,9 @@ $RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || r
|
|||
for i in 0 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
ans=0
|
||||
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
|
||||
grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
|
||||
grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
|
||||
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n.$i
|
||||
grep "status: NXDOMAIN" dig.out.ns3.pre.test$n.$i > /dev/null || ans=1
|
||||
grep "NSEC3" dig.out.ns3.pre.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -817,9 +818,9 @@ $RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
|
|||
for i in 0 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
ans=0
|
||||
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
|
||||
grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
|
||||
grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
|
||||
$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
|
||||
grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ans=1
|
||||
grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ans=1
|
||||
[ $ans = 0 ] && break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -1094,8 +1095,8 @@ EOF
|
|||
|
||||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
|
||||
soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
|
||||
$DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n.$i || ret=1
|
||||
soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n.$i`
|
||||
test ${soa1:-0} -ne ${soa2:-0} && break
|
||||
sleep 1
|
||||
done
|
||||
|
|
@ -1324,8 +1325,8 @@ $RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
|
|||
ans=1
|
||||
for i in 1 2 3 4 5 6 7 8 9 10
|
||||
do
|
||||
$RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
|
||||
num=`grep "Done signing with" signing.out.test$n | wc -l`
|
||||
$RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n.$i 2>&1
|
||||
num=`grep "Done signing with" signing.out.test$n.$i | wc -l`
|
||||
if [ $num -eq 2 ]; then
|
||||
ans=0
|
||||
break
|
||||
|
|
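Review bot: Every polling loop now writes `signing.out.test$n.$i` / `dig.out.ns3.test$n.$i` instead of the un-suffixed name, but the assertions that follow most of these loops lie outside the hunks; if any of them still greps `dig.out.ns3.test$n` or `signing.out.test$n` after its `done`, it now inspects a file that this test never wrote, or a stale one from an earlier test, and will fail or pass for the wrong reason, so each loop's consumer is worth checking. Keeping the per-iteration files is a real improvement for post-mortem, so the fix belongs on the consumer side, e.g. `out=dig.out.ns3.test$n.$i` inside the loop and grepping `"$out"` afterwards. The first hunk (@ -13) also introduces `DIGUDPOPTS`, which no hunk on this page uses; if nothing elsewhere in the file consumes it, it is dead.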
|
|||
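--- /dev/null
+++ b/doc/design/unsupported-algorithms-in-bind9
@@ -0,0 +1,139 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+# Unsupported algorithms in BIND 9
+
+Following RFC 6944 and jumping ahead to draft-ietf-dnsop-algorithm-update-04,
+BIND 9 takes preparations to remove support for deprecated DNSSEC algorithms.
+These include RSAMD5, DSA, and ECC-GOST.
+
+How does this impact BIND 9 behavior? In order to determine this, we first
+need to establish in what contexts can DNSSEC algorithms be used. Two logical
+categories of such contexts can be identified: signing and validation.
+
+## DNSSEC signing
+
+### DNSSEC tools
+
+BIND 9 DNSSEC tools do not allow generating new keys using unsupported
+algorithms:
+
+$ dnssec-keygen -a RSAMD5 example.
+dnssec-keygen: fatal: unsupported algorithm: 1
+
+The tools also refuse to work with previously generated keys using unsupported
+algorithms:
+
+$ dnssec-dsfromkey Kexample.+001+53634
+dnssec-dsfromkey: fatal: can't load Kexample.+001+53634.key: algorithm is unsupported
+
+$ dnssec-signzone example.db Kexample.+001+53634
+dnssec-signzone: fatal: cannot load dnskey Kexample.+001+53634: algorithm is unsupported
+
+A DNSKEY RR with an unsupported algorithm may be *included* in a zone, as long
+as it is not used for *signing* that zone.
+
+BIND 9 also does not allow unsupported algorithms to be used with `auto-dnssec`:
+
+zone "example" IN {
+type master;
+file "db/example.db";
+key-directory "keys/example";
+inline-signing yes;
+auto-dnssec maintain;
+}
+...
+dns_dnssec_findmatchingkeys: error reading key file Kexample.+001+53634.private: algorithm is unsupported
+
+(DISCUSS: We might want to fail hard for such configurations.)
+
+## DNSSEC validation
+
+A validator has more possible interactions with unsupported algorithms:
+
+* a key using one of these algorithms may be configured as a trust anchor,
+* a DLV record for such a key may be placed in a DLV zone.
+* upstream answers may contain signatures using such algorithms,
+
+### Disabled algorithms
+
+The `disable-algorithms` clause in `named.conf` can be used to prevent the
+specified algorithms from being used when validating responses at and below a
+certain name. For example, the following configuration:
+
+disable-algorithms "example." { RSASHA512; };
+
+will mark RSASHA512 as disabled at and below `example.`. This effectively
+means that for this domain and all domains below it, the RSASHA512 algorithm is
+treated as unsupported.
+
+### Trust anchors
+
+In BIND 9, trust anchors can be configured using two clauses:
+
+* `trusted-keys`, which contains hardcoded (static) trust anchors,
+* `managed-keys`, which will be kept up to date automatically, following the
+zone's key rollovers (according to the algorithm specified in RFC 5011).
+
+When put into the above clauses, keys using unsupported algorithms will be
+ignored:
+
+trusted.conf:3: skipping trusted key for 't.example.': algorithm is unsupported
+managed.conf:3: skipping managed key for 'm.example.': algorithm is unsupported
+
+BIND 9 also ignores any configured trust anchor whose owner name and algorithm
+match any `disable-algorithms` clause present in `named.conf`.
+
+If a given trust point is left with no trust anchors using supported
+algorithms, BIND 9 will act as if the trust point was not configured at all and
+if there are no trust points configured higher up the tree, names at the trust
+point and below it will be treated as insecure.
+
+Note that prior to BIND 9.13.6, configured trust anchors that matched disabled
+algorithms were not ignored and that lead to SERVFAILs for associated domains.
+This behavior has changed to be more consistent with unsupported algorithms:
+BIND 9 will ignore such trust anchors, and responses for those domains will
+now be treated as insecure.
+
+### DLV
+
+If a DLV record in a DLV zone points to a DNSKEY using an unsupported algorithm
+or an algorithm which has been disabled for the relevant part of the tree using
+a `disable-algorithms` clause in `named.conf`, the corresponding zone will be
+treated as insecure.
+
+However, if the trust anchor specified for the DLV zone itself uses an
+unsupported or disabled algorithm, no DLV record in that DLV zone can be
+treated as secure and thus attempts to resolve names in the domains pointed to
+by the records in that DLV zone will yield SERVFAIL responses. Consider the
+following example:
+
+trusted-keys {
+"dlv.example." 257 3 1 ...;
+};
+
+options {
+...
+dnssec-lookaside "foo." trust-anchor "dlv.example";
+};
+
+The example above specifies a DLV trust anchor using the RSAMD5 algorithm
+(algorithm number 1), which effectively prevents resolution of data in any zone
+at and below `foo.` that is listed in `dlv.example` (and does not have a valid,
+non-DLV chain of trust established otherwise). This outcome is different than
+for a trust anchor which uses an unsupported or disabled algorithm and is not
+associated with a `dnssec-lookaside` clause; the reason for this is that in the
+case of a DLV-referenced, unusable key, the trust point is still defined, but
+has no keys associated with it, whereas non-DLV-referenced, unusable keys are
+ignored altogether and do not cause an associated trust point to be defined.
+
+### Algorithm rollover
+
+A zone for which BIND 9 has a trust anchor configured may decide to do an
+algorithm rollover to an unsupported algorithm. If configured with
+`managed-keys`, BIND 9 will ignore the newly introduced DNSKEY if it does
+not support the algorithm. That means that the moment the predecessor DNSKEY
+gets revoked, BIND 9 will no longer have any trust anchors for the given zone
+and it will treat the trust point as if it does not exist, meaning that
+the corresponding zone will now validate as insecure.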
@ -3151,6 +3151,7 @@
|
|||
./doc/design/resolver TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019
|
||||
./doc/design/search TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019
|
||||
./doc/design/tasks TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019
|
||||
./doc/design/unsupported-algorithms-in-bind9 TXT.BRIEF 2019
|
||||
./doc/design/verify TXT.BRIEF 2012,2016,2018,2019
|
||||
./doc/design/windows-nt TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019
|
||||
./doc/design/zone TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019
|
||||
|
|