diff --git a/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in new file mode 100644 index 0000000000..93cb34385c --- /dev/null +++ b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 + A 10.53.0.4 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index 293ff2dda8..5eba816b79 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -91,6 +91,18 @@ zone "secure.example" { allow-update { any; }; }; +zone "badalg.secure.example" { + type primary; + file "badalg.secure.example.db.signed"; + allow-update { any; }; +}; + +zone "zonecut.ent.secure.example" { + type primary; + file "zonecut.ent.secure.example.db.signed"; + allow-update { any; }; +}; + zone "bogus.example" { type primary; file "bogus.example.db.signed"; diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index 9aebd98007..eeb5a4cf49 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -30,7 +30,12 @@ g A 10.0.0.7 z A 10.0.0.26 a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 x CNAME a -badalg A 10.53.0.4 + +badalg NS ns3.badalg +ns3.badalg A 10.53.0.3 + +zonecut.ent NS ns3.zonecut.ent +ns3.zonecut.ent A 10.53.0.3 private NS ns.private ns.private A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index f61ea28381..350a504a13 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -77,6 +77,31 @@ done echo_i "ns3/sign.sh: example zones" +# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is +# disabled for it. +zone=badalg.secure.example. +infile=badalg.secure.example.db.in +zonefile=badalg.secure.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +cat "$infile" "$keyname.key" >"$zonefile" + +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null + +# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is +# disabled for ent.secure.example. +zone=zonecut.ent.secure.example. +infile=zonecut.ent.secure.example.db.in +zonefile=zonecut.ent.secure.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +cat "$infile" "$keyname.key" >"$zonefile" + +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null + +# zone=secure.example. infile=secure.example.db.in zonefile=secure.example.db @@ -85,7 +110,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone") keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" +cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null cat "$zonefile" "$zonefile".signed >"$zonefile".tmp diff --git a/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in b/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in new file mode 100644 index 0000000000..93cb34385c --- /dev/null +++ b/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 + A 10.53.0.4 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in index 8e29a45db7..c3e055f8e9 100644 --- a/bin/tests/system/dnssec/ns4/named1.conf.in +++ b/bin/tests/system/dnssec/ns4/named1.conf.in @@ -34,6 +34,8 @@ options { disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "z.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "ent.secure.example." { ECDSAP256SHA256; }; # Note: We only reference the bind.keys file here to confirm that it # is *not* being used. It contains the real root key, and we're diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in index bf82385f71..ab14d44f34 100644 --- a/bin/tests/system/dnssec/ns4/named2.conf.in +++ b/bin/tests/system/dnssec/ns4/named2.conf.in @@ -29,6 +29,8 @@ options { disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "z.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "ent.secure.example." { ECDSAP256SHA256; }; }; key rndc_key { diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in index d6a44c799d..be9bb5431a 100644 --- a/bin/tests/system/dnssec/ns4/named3.conf.in +++ b/bin/tests/system/dnssec/ns4/named3.conf.in @@ -32,6 +32,8 @@ options { disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";}; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "z.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "ent.secure.example." { ECDSAP256SHA256; }; }; key rndc_key { diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in index 34f59b498a..f0dc264ddc 100644 --- a/bin/tests/system/dnssec/ns4/named4.conf.in +++ b/bin/tests/system/dnssec/ns4/named4.conf.in @@ -25,6 +25,8 @@ options { disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "z.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "ent.secure.example." { ECDSAP256SHA256; }; }; key rndc_key { diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index cf7ce13d3a..5a01561eaa 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3757,10 +3757,42 @@ n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) +echo_i "check that zone contents are still secure despite disable-algorithms on query name (name below zone name) ($n)" +ret=0 +dig_with_opts @10.53.0.4 z.secure.example >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that zone contents are treated as insecure when disable-algorithms name is above zone name ($n)" +ret=0 +dig_with_opts @10.53.0.4 zonecut.ent.secure.example >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 +grep "; EDE: 1 (Unsupported DNSKEY Algorithm): " dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +echo_i "check that DS records are still treated as secure at the disable-algorithm name ($n)" +ret=0 +dig_with_opts @10.53.0.4 badalg.secure.example DS >dig.out.ns4.test$n || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n + 1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + echo_i "checking EDE code 1 for bad alg mnemonic ($n)" ret=0 dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1 grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP256SHA256 badalg.secure.example/A)" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1 n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py index d3350561d9..7cd2633fe3 100644 --- a/bin/tests/system/dnssec/tests_sh_dnssec.py +++ b/bin/tests/system/dnssec/tests_sh_dnssec.py @@ -79,6 +79,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/NSEC3", "ns3/auto-nsec.example.db", "ns3/auto-nsec3.example.db", + "ns3/badalg.secure.example.db", "ns3/badds.example.db", "ns3/bogus.example.db", "ns3/disabled.managed.db", @@ -91,6 +92,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/dnskey-unsupported-2.example.db", "ns3/dnskey-unsupported.example.db", "ns3/dnskey-unsupported.example.db.tmp", + "ns3/ds-unsupported.example.db", "ns3/dynamic.example.db", "ns3/digest-alg-unsupported.example.db", "ns3/enabled.managed.db", @@ -141,7 +143,7 @@ pytestmark = pytest.mark.extra_artifacts( "ns3/update-nsec3.example.db.signed", "ns3/upper.example.db", "ns3/upper.example.db.lower", - "ns3/ds-unsupported.example.db", + "ns3/zonecut.ent.secure.example.db", "ns4/managed.conf", "ns4/managed-keys.bind", "ns4/named.secroots", diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 82036f2cfe..3fc92abc40 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1617,7 +1617,7 @@ default is used. :short: Disables DNSSEC algorithms from a specified zone. This disables the specified DNSSEC algorithms at and below the specified - name. Multiple :any:`disable-algorithms` statements are allowed. Only + zone. Multiple :any:`disable-algorithms` statements are allowed. Only the best-match :any:`disable-algorithms` clause is used to determine the algorithms. diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 1f7c7154e8..bcbe026f91 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1679,7 +1679,8 @@ validate_answer_process(void *arg) { * At this point we could check that the signature algorithm * was known and "sufficiently good". */ - if (!dns_resolver_algorithm_supported(val->view->resolver, val->name, + if (!dns_resolver_algorithm_supported(val->view->resolver, + &val->siginfo->signer, val->siginfo->algorithm)) { if (val->unsupported_algorithm == 0) { diff --git a/lib/ns/query.c b/lib/ns/query.c index 54c541d55d..1710cabb6f 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -2504,7 +2504,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, result = dns_rdata_tostruct(&rdata, &rrsig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!dns_resolver_algorithm_supported(client->view->resolver, - name, rrsig.algorithm)) + &rrsig.signer, + rrsig.algorithm)) { char txt[DNS_NAME_FORMATSIZE + 32]; isc_buffer_t buffer;