[9.20] fix: usr: Use signer name when disabling DNSSEC algorithms

``disable-algorithms`` could cause DNSSEC validation failures when the parent zone was
signed with the algorithms that were being disabled for the child zone.
This has been fixed; `disable-algorithms` now works
on a whole-of-zone basis.

If the zone's name is at or below the ``disable-algorithms`` name the algorithm
is disabled for that zone, using deepest match when there are multiple
``disable-algorithms`` clauses. 

Closes #5165

Backport of MR !10837

Merge branch 'backport-5165-use-signer-name-when-disabling-dnssec-algorithms-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11014

bin/tests/system/dnssec/ns3/badalg.secure.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			A	10.53.0.4
+ns3			A	10.53.0.3

bin/tests/system/dnssec/ns3/named.conf.in

@@ -91,6 +91,18 @@ zone "secure.example" {
 	allow-update { any; };
 };
 
+zone "badalg.secure.example" {
+	type primary;
+	file "badalg.secure.example.db.signed";
+	allow-update { any; };
+};
+
+zone "zonecut.ent.secure.example" {
+	type primary;
+	file "zonecut.ent.secure.example.db.signed";
+	allow-update { any; };
+};
+
 zone "bogus.example" {
 	type primary;
 	file "bogus.example.db.signed";

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -30,7 +30,12 @@ g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a
-badalg			A	10.53.0.4
+
+badalg			NS	ns3.badalg
+ns3.badalg		A	10.53.0.3
+
+zonecut.ent		NS	ns3.zonecut.ent
+ns3.zonecut.ent		A	10.53.0.3
 
 private			NS	ns.private
 ns.private		A	10.53.0.2

bin/tests/system/dnssec/ns3/sign.sh

@@ -77,6 +77,31 @@ done
 
 echo_i "ns3/sign.sh: example zones"
 
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for it.
+zone=badalg.secure.example.
+infile=badalg.secure.example.db.in
+zonefile=badalg.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for ent.secure.example.
+zone=zonecut.ent.secure.example.
+infile=zonecut.ent.secure.example.db.in
+zonefile=zonecut.ent.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
@@ -85,7 +110,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
+cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
 cat "$zonefile" "$zonefile".signed >"$zonefile".tmp

bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			A	10.53.0.4
+ns3			A	10.53.0.3

bin/tests/system/dnssec/ns4/named1.conf.in

@@ -34,6 +34,8 @@ options {
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
 	disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 
 	# Note: We only reference the bind.keys file here to confirm that it
 	# is *not* being used.  It contains the real root key, and we're

bin/tests/system/dnssec/ns4/named2.conf.in

@@ -29,6 +29,8 @@ options {
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";  };
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {

bin/tests/system/dnssec/ns4/named3.conf.in

@@ -32,6 +32,8 @@ options {
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {

bin/tests/system/dnssec/ns4/named4.conf.in

@@ -25,6 +25,8 @@ options {
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+	disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {

bin/tests/system/dnssec/tests.sh

@@ -3757,10 +3757,42 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_i "check that zone contents are still secure despite disable-algorithms on query name (name below zone name) ($n)"
+ret=0
+dig_with_opts @10.53.0.4 z.secure.example >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that zone contents are treated as insecure when disable-algorithms name is above zone name ($n)"
+ret=0
+dig_with_opts @10.53.0.4 zonecut.ent.secure.example >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): " dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that DS records are still treated as secure at the disable-algorithm name ($n)"
+ret=0
+dig_with_opts @10.53.0.4 badalg.secure.example DS >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking EDE code 1 for bad alg mnemonic ($n)"
 ret=0
 dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1
 grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP256SHA256 badalg.secure.example/A)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"

bin/tests/system/dnssec/tests_sh_dnssec.py

@@ -79,6 +79,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/NSEC3",
         "ns3/auto-nsec.example.db",
         "ns3/auto-nsec3.example.db",
+        "ns3/badalg.secure.example.db",
         "ns3/badds.example.db",
         "ns3/bogus.example.db",
         "ns3/disabled.managed.db",
@@ -91,6 +92,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/dnskey-unsupported-2.example.db",
         "ns3/dnskey-unsupported.example.db",
         "ns3/dnskey-unsupported.example.db.tmp",
+        "ns3/ds-unsupported.example.db",
         "ns3/dynamic.example.db",
         "ns3/digest-alg-unsupported.example.db",
         "ns3/enabled.managed.db",
@@ -141,7 +143,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/update-nsec3.example.db.signed",
         "ns3/upper.example.db",
         "ns3/upper.example.db.lower",
-        "ns3/ds-unsupported.example.db",
+        "ns3/zonecut.ent.secure.example.db",
         "ns4/managed.conf",
         "ns4/managed-keys.bind",
         "ns4/named.secroots",

doc/arm/reference.rst

@@ -1617,7 +1617,7 @@ default is used.
    :short: Disables DNSSEC algorithms from a specified zone.
 
    This disables the specified DNSSEC algorithms at and below the specified
-   name. Multiple :any:`disable-algorithms` statements are allowed. Only
+   zone. Multiple :any:`disable-algorithms` statements are allowed. Only
    the best-match :any:`disable-algorithms` clause is used to
    determine the algorithms.
 

lib/dns/validator.c

@@ -1679,7 +1679,8 @@ validate_answer_process(void *arg) {
 	 * At this point we could check that the signature algorithm
 	 * was known and "sufficiently good".
 	 */
-	if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
+	if (!dns_resolver_algorithm_supported(val->view->resolver,
+					      &val->siginfo->signer,
 					      val->siginfo->algorithm))
 	{
 		if (val->unsupported_algorithm == 0) {

lib/ns/query.c

@@ -2504,7 +2504,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (!dns_resolver_algorithm_supported(client->view->resolver,
-						      name, rrsig.algorithm))
+						      &rrsig.signer,
+						      rrsig.algorithm))
 		{
 			char txt[DNS_NAME_FORMATSIZE + 32];
 			isc_buffer_t buffer;