diff --git a/bin/named/server.c b/bin/named/server.c index 75fb0af2c1..0abbbed531 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -698,9 +698,8 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, } static isc_result_t -dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig, - const cfg_obj_t *key, bool managed, dst_key_t **target, - isc_mem_t *mctx) +dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, + bool managed, dst_key_t **target, isc_mem_t *mctx) { dns_rdataclass_t viewclass; dns_rdata_dnskey_t keystruct; @@ -793,14 +792,6 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig, CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf, mctx, &dstkey)); - if (!dns_resolver_algorithm_supported(view->resolver, keyname, alg)) { - cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, - "%s key for '%s': algorithm is disabled", - managed ? "managed" : "trusted", keynamestr); - result = DST_R_UNSUPPORTEDALG; - goto cleanup; - } - *target = dstkey; return (ISC_R_SUCCESS); @@ -851,7 +842,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, elt2 != NULL; elt2 = cfg_list_next(elt2)) { key = cfg_listelt_value(elt2); - result = dstkey_fromconfig(view, vconfig, key, managed, + result = dstkey_fromconfig(vconfig, key, managed, &dstkey, mctx); if (result == DST_R_UNSUPPORTEDALG) { result = ISC_R_SUCCESS; @@ -9971,7 +9962,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) { struct zonelistentry *zle; zle = isc_mem_get(dctx->mctx, sizeof *zle); - if (zle == NULL) + if (zle == NULL) return (ISC_R_NOMEMORY); zle->zone = NULL; dns_zone_attach(zone, &zle->zone); diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh index 4c7dfd2a6b..80b88cc3e5 100644 --- a/bin/tests/system/inline/ns1/sign.sh +++ b/bin/tests/system/inline/ns1/sign.sh 
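Review bot: The hunk at 793 deletes the `dns_resolver_algorithm_supported()` check from dstkey_fromconfig without a replacement visible anywhere in this diff, and with it the only config-time message telling an operator that a trust anchor is being dropped because of `disable-algorithms` (`"%s key for '%s': algorithm is disabled"`). If the filtering now happens later in the keytable or validator, as the new design document suggests, that belongs in a comment at the call site in load_view_keys (hunk at 851), which still maps `DST_R_UNSUPPORTEDALG` to `ISC_R_SUCCESS` and now only covers algorithms DST itself rejects; otherwise a trust anchor using an operator-disabled algorithm would be loaded and used for validation, which is the behaviour the option exists to prevent. I would also keep a warning-level log where such keys are ignored so the effect of `disable-algorithms` on configured trust anchors remains visible in the log. Both dstkey_fromconfig and load_view_keys continue outside these hunks, so I cannot confirm from here where the check moved.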
@@ -17,7 +17,7 @@ rm -f K.+*+*.key rm -f K.+*+*.private keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` -$SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1 +$SIGNER -r $RANDFILE -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1 [ $? = 0 ] || cat signer.out keyfile_to_trusted_keys $keyname > trusted.conf diff --git a/bin/tests/system/inline/ns3/named.conf.in b/bin/tests/system/inline/ns3/named.conf.in index a8c434dc02..b501902290 100644 --- a/bin/tests/system/inline/ns3/named.conf.in +++ b/bin/tests/system/inline/ns3/named.conf.in @@ -23,6 +23,7 @@ options { transfer-source 10.53.0.3; port @PORT@; pid-file "named.pid"; + session-keyfile "session.key"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; recursion no; diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index d114842e26..b6f3b37f64 100755 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -13,7 +13,7 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh # Fake an unsupported key -unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported) +unsupportedkey=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone unsupported` awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key @@ -51,7 +51,7 @@ rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +$SIGNER -r $RANDFILE -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 cp master2.db.in updated.db # signatures are expired and should be regenerated on startup 
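Review bot: In the ns3/sign.sh hunk at 13 the rewritten `unsupportedkey=` line drops both the `$(...)` form and the quoting around `$KEYGEN`, `$DEFAULT_ALGORITHM` and `$DEFAULT_BITS`, so the new line is subject to word splitting that the old one was not, and only the added `-r $RANDFILE` was needed. Unless backticks are required for the shells this suite runs under, keep the quoted form: `unsupportedkey=$("$KEYGEN" -q -r "$RANDFILE" -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone unsupported)`. The surrounding keygen lines in the hunks at 51 and 61 are unquoted too, so this is a point of consistency in either direction rather than a blocker.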
@@ -61,7 +61,7 @@ rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db -$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 +$SIGNER -r $RANDFILE -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1 zone=retransfer rm -f K${zone}.+*+*.key diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index 65a4154478..f201ee9550 100755 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh @@ -13,6 +13,7 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh DIGOPTS="+tcp +dnssec -p ${PORT}" +DIGUDPOPTS="+dnssec -p ${PORT}" RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" status=0 @@ -48,8 +49,8 @@ ret=0 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 do ret=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1 + keys=`grep '^Done signing' signing.out.test$n.$i | wc -l` [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 @@ -79,8 +80,8 @@ done 2>&1 |sed 's/^/ns3 /' | cat_i for i in 1 2 3 4 5 6 7 8 9 10 do ans=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - num=`grep "Done signing with" signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1 + num=`grep "Done signing with" signing.out.test$n.$i | wc -l` [ $num = 1 ] && break sleep 1 done 
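Review bot: `DIGUDPOPTS` is introduced next to `DIGOPTS` in the tests.sh hunk at 13 but is not referenced by any other hunk in this diff. If no test further down tests.sh uses it, it is a dead definition and should be dropped or the test it was meant for included in this change; I cannot see the rest of the file from here, so this is worth a quick grep rather than a blocker.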
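Review bot: The per-attempt output file `signing.out.test$n.$i` added in the hunk at 48 is not unique when the retry list repeats, and this loop's list is `for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10`, so the second pass with i=1 silently overwrites the first pass's file and a failure leaves only the last ten attempts for inspection. The same applies to the hunks at 198 and 229, whose lists repeat 1..10 three times. A separate attempt counter avoids it: set `try=0` before the loop, `try=$((try+1))` as the first statement in the body, and name the files `signing.out.test$n.$try` (likewise `dig.out.ns3.test$n.$try`). The `done` closing each of these loops lies outside the hunk.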
@@ -107,8 +108,8 @@ $RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 do ans=0 - $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 - grep "No signing records found" signing.out.test$n > /dev/null || ans=1 + $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1 + grep "No signing records found" signing.out.test$n.$i > /dev/null || ans=1 [ $ans = 1 ] || break sleep 1 done @@ -151,9 +152,9 @@ ret=0 for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done @@ -182,10 +183,10 @@ echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done 
@@ -198,8 +199,8 @@ ret=0 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 do ret=0 - $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n.$i 2>&1 + keys=`grep '^Done signing' signing.out.test$n.$i | wc -l` [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 @@ -229,9 +230,9 @@ ret=0 for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done @@ -260,10 +261,10 @@ echo_i "checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "2011072400" dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done 
@@ -276,8 +277,8 @@ ret=0 for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1 + keys=`grep '^Done signing' signing.out.test$n.$i | wc -l` [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 @@ -298,8 +299,8 @@ done 2>&1 |sed 's/^/ns3 /' | cat_i for i in 1 2 3 4 5 6 7 8 9 do ans=0 - $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 - num=`grep "Done signing with" signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1 + num=`grep "Done signing with" signing.out.test$n.$i | wc -l` [ $num = 1 ] && break sleep 1 done @@ -325,8 +326,8 @@ $RNDCCMD 10.53.0.3 signing -clear all master > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 do ans=0 - $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1 - grep "No signing records found" signing.out.test$n > /dev/null || ans=1 + $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1 + grep "No signing records found" signing.out.test$n.$i > /dev/null || ans=1 [ $ans = 1 ] || break sleep 1 done @@ -343,9 +344,9 @@ $RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i for i in 1 2 3 4 5 6 7 8 9 do ans=0 - $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n - grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n.$i + grep "10.0.0.5" dig.out.ns3.test$n.$i > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1 [ $ans = 1 ] || break sleep 1 done 
@@ -372,9 +373,9 @@ $RNDCCMD 10.53.0.3 reload master 2>&1 | sed 's/^/ns3 /' | cat_i for i in 1 2 3 4 5 6 7 8 9 do ans=0 - $DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n - grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + $DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n.$i + grep "10.0.0.3" dig.out.ns3.test$n.$i > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1 [ $ans = 1 ] || break sleep 1 done @@ -399,8 +400,8 @@ ret=0 for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1 - keys=`grep '^Done signing' signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n.$i 2>&1 + keys=`grep '^Done signing' signing.out.test$n.$i | wc -l` [ $keys = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 @@ -447,10 +448,10 @@ EOF for i in 1 2 3 4 5 6 7 8 9 10 do ans=0 - $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 - grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1 + $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ans=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1 + grep "1.2.3.4" dig.out.ns3.test$n.$i > /dev/null || ans=1 [ $ans = 0 ] && break sleep 1 done 
@@ -495,10 +496,10 @@ echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done @@ -527,10 +528,10 @@ echo_i "checking YYYYMMDDVV (2011072450) serial in signed zone, noixfr ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "2011072450" dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done 
@@ -559,10 +560,10 @@ echo_i "checking forwarded update on signed zone ($n)" for i in 1 2 3 4 5 6 7 8 9 10 do ret=0 - $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n - grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 - grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1 - grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i + grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1 + grep "2011072460" dig.out.ns3.test$n.$i > /dev/null || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 done @@ -807,9 +808,9 @@ $RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || r for i in 0 1 2 3 4 5 6 7 8 9 do ans=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n - grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1 - grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n.$i + grep "status: NXDOMAIN" dig.out.ns3.pre.test$n.$i > /dev/null || ans=1 + grep "NSEC3" dig.out.ns3.pre.test$n.$i > /dev/null || ans=1 [ $ans = 0 ] && break sleep 1 done @@ -817,9 +818,9 @@ $RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1 for i in 0 1 2 3 4 5 6 7 8 9 do ans=0 - $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n - grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1 - grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i + grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ans=1 + grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ans=1 [ $ans = 0 ] && break sleep 1 done 
@@ -1094,8 +1095,8 @@ EOF for i in 1 2 3 4 5 6 7 8 9 10 do - $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1 - soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n` + $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n.$i || ret=1 + soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n.$i` test ${soa1:-0} -ne ${soa2:-0} && break sleep 1 done @@ -1324,8 +1325,8 @@ $RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 ans=1 for i in 1 2 3 4 5 6 7 8 9 10 do - $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 - num=`grep "Done signing with" signing.out.test$n | wc -l` + $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n.$i 2>&1 + num=`grep "Done signing with" signing.out.test$n.$i | wc -l` if [ $num -eq 2 ]; then ans=0 break diff --git a/doc/design/unsupported-algorithms-in-bind9 b/doc/design/unsupported-algorithms-in-bind9 new file mode 100644 index 0000000000..25fef1a49a --- /dev/null +++ b/doc/design/unsupported-algorithms-in-bind9 
@@ -0,0 +1,139 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +# Unsupported algorithms in BIND 9 + +Following RFC 6944 and jumping ahead to draft-ietf-dnsop-algorithm-update-04, +BIND 9 takes preparations to remove support for deprecated DNSSEC algorithms. +These include RSAMD5, DSA, and ECC-GOST. + +How does this impact BIND 9 behavior? In order to determine this, we first +need to establish in what contexts can DNSSEC algorithms be used. Two logical +categories of such contexts can be identified: signing and validation. + +## DNSSEC signing + +### DNSSEC tools + +BIND 9 DNSSEC tools do not allow generating new keys using unsupported +algorithms: + + $ dnssec-keygen -a RSAMD5 example. + dnssec-keygen: fatal: unsupported algorithm: 1 + +The tools also refuse to work with previously generated keys using unsupported +algorithms: + + $ dnssec-dsfromkey Kexample.+001+53634 + dnssec-dsfromkey: fatal: can't load Kexample.+001+53634.key: algorithm is unsupported + + $ dnssec-signzone example.db Kexample.+001+53634 + dnssec-signzone: fatal: cannot load dnskey Kexample.+001+53634: algorithm is unsupported + +A DNSKEY RR with an unsupported algorithm may be *included* in a zone, as long +as it is not used for *signing* that zone. + +BIND 9 also does not allow unsupported algorithms to be used with `auto-dnssec`: + + zone "example" IN { + type master; + file "db/example.db"; + key-directory "keys/example"; + inline-signing yes; + auto-dnssec maintain; + } + ... + dns_dnssec_findmatchingkeys: error reading key file Kexample.+001+53634.private: algorithm is unsupported + +(DISCUSS: We might want to fail hard for such configurations.) + +## DNSSEC validation + +A validator has more possible interactions with unsupported algorithms: + + * a key using one of these algorithms may be configured as a trust anchor, + * a DLV record for such a key may be placed in a DLV zone. 
+ * upstream answers may contain signatures using such algorithms, + +### Disabled algorithms + +The `disable-algorithms` clause in `named.conf` can be used to prevent the +specified algorithms from being used when validating responses at and below a +certain name. For example, the following configuration: + + disable-algorithms "example." { RSASHA512; }; + +will mark RSASHA512 as disabled at and below `example.`. This effectively +means that for this domain and all domains below it, the RSASHA512 algorithm is +treated as unsupported. + +### Trust anchors + +In BIND 9, trust anchors can be configured using two clauses: + + * `trusted-keys`, which contains hardcoded (static) trust anchors, + * `managed-keys`, which will be kept up to date automatically, following the + zone's key rollovers (according to the algorithm specified in RFC 5011). + +When put into the above clauses, keys using unsupported algorithms will be +ignored: + + trusted.conf:3: skipping trusted key for 't.example.': algorithm is unsupported + managed.conf:3: skipping managed key for 'm.example.': algorithm is unsupported + +BIND 9 also ignores any configured trust anchor whose owner name and algorithm +match any `disable-algorithms` clause present in `named.conf`. + +If a given trust point is left with no trust anchors using supported +algorithms, BIND 9 will act as if the trust point was not configured at all and +if there are no trust points configured higher up the tree, names at the trust +point and below it will be treated as insecure. + +Note that prior to BIND 9.13.6, configured trust anchors that matched disabled +algorithms were not ignored and that lead to SERVFAILs for associated domains. +This behavior has changed to be more consistent with unsupported algorithms: +BIND 9 will ignore such trust anchors, and responses for those domains will +now be treated as insecure. 
+ +### DLV + +If a DLV record in a DLV zone points to a DNSKEY using an unsupported algorithm +or an algorithm which has been disabled for the relevant part of the tree using +a `disable-algorithms` clause in `named.conf`, the corresponding zone will be +treated as insecure. + +However, if the trust anchor specified for the DLV zone itself uses an +unsupported or disabled algorithm, no DLV record in that DLV zone can be +treated as secure and thus attempts to resolve names in the domains pointed to +by the records in that DLV zone will yield SERVFAIL responses. Consider the +following example: + + trusted-keys { + "dlv.example." 257 3 1 ...; + }; + + options { + ... + dnssec-lookaside "foo." trust-anchor "dlv.example"; + }; + +The example above specifies a DLV trust anchor using the RSAMD5 algorithm +(algorithm number 1), which effectively prevents resolution of data in any zone +at and below `foo.` that is listed in `dlv.example` (and does not have a valid, +non-DLV chain of trust established otherwise). This outcome is different than +for a trust anchor which uses an unsupported or disabled algorithm and is not +associated with a `dnssec-lookaside` clause; the reason for this is that in the +case of a DLV-referenced, unusable key, the trust point is still defined, but +has no keys associated with it, whereas non-DLV-referenced, unusable keys are +ignored altogether and do not cause an associated trust point to be defined. + +### Algorithm rollover + +A zone for which BIND 9 has a trust anchor configured may decide to do an +algorithm rollover to an unsupported algorithm. If configured with +`managed-keys`, BIND 9 will ignore the newly introduced DNSKEY if it does +not support the algorithm. That means that the moment the predecessor DNSKEY +gets revoked, BIND 9 will no longer have any trust anchors for the given zone +and it will treat the trust point as if it does not exist, meaning that +the corresponding zone will now validate as insecure. 
diff --git a/util/copyrights b/util/copyrights index df5ecec551..6a7a001bab 100644 --- a/util/copyrights +++ b/util/copyrights @@ -3151,6 +3151,7 @@ ./doc/design/resolver TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019 ./doc/design/search TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019 ./doc/design/tasks TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019 +./doc/design/unsupported-algorithms-in-bind9 TXT.BRIEF 2019 ./doc/design/verify TXT.BRIEF 2012,2016,2018,2019 ./doc/design/windows-nt TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019 ./doc/design/zone TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019