diff --git a/bin/named/server.c b/bin/named/server.c
index b63a3864da..75fb0af2c1 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -698,8 +698,9 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
}
static isc_result_t
-dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
- bool managed, dst_key_t **target, isc_mem_t *mctx)
+dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
+ const cfg_obj_t *key, bool managed, dst_key_t **target,
+ isc_mem_t *mctx)
{
dns_rdataclass_t viewclass;
dns_rdata_dnskey_t keystruct;
@@ -792,6 +793,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
mctx, &dstkey));
+ if (!dns_resolver_algorithm_supported(view->resolver, keyname, alg)) {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+ "%s key for '%s': algorithm is disabled",
+ managed ? "managed" : "trusted", keynamestr);
+ result = DST_R_UNSUPPORTEDALG;
+ goto cleanup;
+ }
+
*target = dstkey;
return (ISC_R_SUCCESS);
@@ -842,9 +851,9 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
elt2 != NULL;
elt2 = cfg_list_next(elt2)) {
key = cfg_listelt_value(elt2);
- result = dstkey_fromconfig(vconfig, key, managed,
+ result = dstkey_fromconfig(view, vconfig, key, managed,
&dstkey, mctx);
- if (result == DST_R_UNSUPPORTEDALG) {
+ if (result == DST_R_UNSUPPORTEDALG) {
result = ISC_R_SUCCESS;
continue;
}
@@ -9962,7 +9971,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) {
struct zonelistentry *zle;
zle = isc_mem_get(dctx->mctx, sizeof *zle);
- if (zle == NULL)
+ if (zle == NULL)
return (ISC_R_NOMEMORY);
zle->zone = NULL;
dns_zone_attach(zone, &zle->zone);
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 2236f0a151..4909307cda 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -27,6 +27,13 @@ ALTERNATIVE_ALGORITHM=RSASHA1
ALTERNATIVE_ALGORITHM_NUMBER=5
ALTERNATIVE_BITS=1280
+# This is an algorithm that is used for tests against the
+# "disable-algorithms" configuration option. Must be different from above
+# algorithms.
+DISABLED_ALGORITHM=ECDSAP384SHA384
+DISABLED_ALGORITHM_NUMBER=14
+DISABLED_BITS=384
+
NAMED=$TOP/bin/named/named
# We must use "named -l" instead of "lwresd" because argv[0] is lost
# if the program is libtoolized.
@@ -353,6 +360,9 @@ copy_setports() {
-e "s/@ALTERNATIVE_ALGORITHM@/${ALTERNATIVE_ALGORITHM}/g" \
-e "s/@ALTERNATIVE_ALGORITHM_NUMBER@/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
-e "s/@ALTERNATIVE_BITS@/${ALTERNATIVE_BITS}/g" \
+ -e "s/@DISABLED_ALGORITHM@/${DISABLED_ALGORITHM}/g" \
+ -e "s/@DISABLED_ALGORITHM_NUMBER@/${DISABLED_ALGORITHM_NUMBER}/g" \
+ -e "s/@DISABLED_BITS@/${DISABLED_BITS}/g" \
$1 > $2
}
diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32
index 87d2fc84fe..3135e88185 100644
--- a/bin/tests/system/conf.sh.win32
+++ b/bin/tests/system/conf.sh.win32
@@ -36,6 +36,13 @@ ALTERNATIVE_ALGORITHM=RSASHA1
ALTERNATIVE_ALGORITHM_NUMBER=5
ALTERNATIVE_BITS=1280
+# This is an algorithm that is used for tests against the
+# "disable-algorithms" configuration option. Must be different from above
+# algorithms.
+DISABLED_ALGORITHM=ECDSAP384SHA384
+DISABLED_ALGORITHM_NUMBER=14
+DISABLED_BITS=384
+
ARPANAME=$TOP/Build/$VSCONF/arpaname@EXEEXT@
CHECKCONF=$TOP/Build/$VSCONF/named-checkconf@EXEEXT@
CHECKDS="$PYTHON `cygpath -w $TOP/bin/python/dnssec-checkds.py`"
@@ -336,6 +343,9 @@ copy_setports() {
-e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \
+ -e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \
+ -e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \
+ -e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \
$1 > $2
}
diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README
index c45bd71f23..df83eb14e2 100644
--- a/bin/tests/system/dnssec/README
+++ b/bin/tests/system/dnssec/README
@@ -17,3 +17,6 @@ key for the root. It is used for testing failure cases.
ns6 is a caching-only server configured to use DLV.
ns7 is used for checking non-cacheable answers.
+
+ns8 is a caching-only server, configured with unsupported and disabled
+algorithms. It is used for testing failure cases.
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index fa0abe3c98..c49ee9a1ac 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -33,7 +33,7 @@ rm -f ./ns*/*.nta
rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys*
rm -f ./ns*/named.lock
rm -f ./ns1/managed.key.id
-rm -f ./ns1/root.db ./ns2/example.db ./ns3/secure.example.db
+rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
rm -f ./ns2/algroll.db
rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
rm -f ./ns2/cdnskey-kskonly.secure.db
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 5ad5d9ef1d..7fdbab9c4e 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -8,12 +8,12 @@
; information regarding copyright ownership.
$TTL 300
-. IN SOA gson.nominum.com. a.root.servers.nil. (
- 2000042100 ; serial
- 600 ; refresh
- 600 ; retry
- 1200 ; expire
- 600 ; minimum
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
@@ -22,8 +22,12 @@ example. NS ns2.example.
ns2.example. A 10.53.0.2
dlv. NS ns2.dlv.
ns2.dlv. A 10.53.0.2
-algroll NS ns2.algroll
+algroll. NS ns2.algroll.
ns2.algroll. A 10.53.0.2
+managed. NS ns2.managed.
+ns2.managed. A 10.53.0.2
+trusted. NS ns2.trusted.
+ns2.trusted. A 10.53.0.2
optout-tld NS ns6.optout-tld.
ns6.optout-tld. A 10.53.0.6
in-addr.arpa. NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 198d60ae15..0bcf5673cd 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -20,14 +20,16 @@ zonefile=root.db
(cd ../ns6 && $SHELL sign.sh )
(cd ../ns7 && $SHELL sign.sh )
+echo_i "ns1/sign.sh"
+
cp ../ns2/dsset-example$TP .
cp ../ns2/dsset-dlv$TP .
cp ../ns2/dsset-in-addr.arpa$TP .
-grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
+grep "$DEFAULT_ALGORITHM_NUMBER [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
cp ../ns6/dsset-optout-tld$TP .
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key > $zonefile
@@ -48,6 +50,4 @@ cp managed.conf ../ns4/managed.conf
#
# Save keyid for managed key id test.
#
-keyid=`expr $keyname : 'K.+001+\(.*\)'`
-keyid=`expr $keyid + 0`
-echo "$keyid" > managed.key.id
+echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > managed.key.id
diff --git a/bin/tests/system/dnssec/ns2/key.db.in b/bin/tests/system/dnssec/ns2/key.db.in
new file mode 100644
index 0000000000..60be0cf4c1
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/key.db.in
@@ -0,0 +1,40 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; A secure subdomain
+secure NS ns3.secure
+ns3.secure A 10.53.0.3
+
+; A subdomain that is signed with an unsupported algorithm
+unsupported NS ns3.unsupported
+ns3.unsupported A 10.53.0.3
+
+; A secure subdomain with a disabled algorithm
+disabled NS ns3.disabled
+ns3.disabled A 10.53.0.3
+
+; A secure subdomain with a disabled algorithm, but not in bailiwick
+enabled NS ns3.enabled
+ns3.enabled A 10.53.0.3
+
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 6124f4540f..72ae328995 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -45,6 +45,16 @@ zone "dlv" {
file "dlv.db.signed";
};
+zone "trusted" {
+ type master;
+ file "trusted.db.signed";
+};
+
+zone "managed" {
+ type master;
+ file "managed.db.signed";
+};
+
zone "example" {
type master;
file "example.db.signed";
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 6ee989b14f..fb58a1fa77 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -12,26 +12,61 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
+# Sign child zones (served by ns3).
+( cd ../ns3 && $SHELL sign.sh )
+
+echo_i "ns2/sign.sh"
+
+# Get the DS records for the "trusted." and "managed." zones.
+for subdomain in secure unsupported disabled enabled
+do
+ cp ../ns3/dsset-$subdomain.managed$TP .
+ cp ../ns3/dsset-$subdomain.trusted$TP .
+done
+
+# Sign the "trusted." and "managed." zones.
+zone=managed.
+infile=key.db.in
+zonefile=managed.db
+
+keyname1=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null 2>&1
+
+zone=trusted.
+infile=key.db.in
+zonefile=trusted.db
+
+keyname1=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null 2>&1
+
+# The "example." zone.
zone=example.
infile=example.db.in
zonefile=example.db
-# Have the child generate a zone key and pass it to us.
-
-( cd ../ns3 && $SHELL sign.sh )
-
+# Get the DS records for the "example." zone.
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \
- dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
+ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+ dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded
do
cp ../ns3/dsset-$subdomain.example$TP .
done
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+# Sign the "example." zone.
+keyname1=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns3/key.db.in b/bin/tests/system/dnssec/ns3/key.db.in
new file mode 100644
index 0000000000..3847e2ea10
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/key.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 435daffda9..4e2eff11bb 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -313,6 +313,26 @@ zone "occluded.example" {
file "occluded.example.db.signed";
};
+zone "secure.managed" {
+ type master;
+ file "secure.managed.db.signed";
+};
+
+zone "unsupported.managed" {
+ type master;
+ file "unsupported.managed.db.signed";
+};
+
+zone "secure.trusted" {
+ type master;
+ file "secure.trusted.db.signed";
+};
+
+zone "unsupported.trusted" {
+ type master;
+ file "unsupported.trusted.db.signed";
+};
+
include "siginterval.conf";
include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index b5fce0f854..d5ee783877 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -12,13 +12,55 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
+echo_i "ns3/sign.sh"
+
+infile=key.db.in
+for tld in managed trusted
+do
+ # A secure zone to test.
+ zone=secure.${tld}
+ zonefile=${zone}.db
+
+ keyname1=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+ cat $infile $keyname1.key > $zonefile
+ $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.signed $zonefile > /dev/null 2>&1
+ DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP
+ $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
+
+ # Zone to test trust anchor with unsupported algorithm.
+ zone=unsupported.${tld}
+ zonefile=${zone}.db
+
+ keyname2=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+ cat $infile $keyname2.key > $zonefile
+ $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
+ awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
+ DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP
+ $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
+
+ # Make trusted-keys and managed keys conf sections for ns8.
+ mv ${keyname2}.key ${keyname2}.tmp
+ awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key
+
+ case $tld in
+ "managed")
+ keyfile_to_managed_keys $keyname1 $keyname2 > ../ns8/managed.conf
+ ;;
+ "trusted")
+ keyfile_to_trusted_keys $keyname1 $keyname2 > ../ns8/trusted.conf
+ ;;
+ esac
+done
+
+echo_i "ns3/sign.sh: example zones"
+
zone=secure.example.
infile=secure.example.db.in
zonefile=secure.example.db
-cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
-dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host cnameandkey.$zone`
+dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host dnameandkey.$zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
@@ -28,7 +70,7 @@ zone=bogus.example.
infile=bogus.example.db.in
zonefile=bogus.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -38,8 +80,8 @@ zone=dynamic.example.
infile=dynamic.example.db.in
zonefile=dynamic.example.db
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b 1024 -n zone -f KSK $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -49,7 +91,7 @@ zone=keyless.example.
infile=generic.example.db.in
zonefile=keyless.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -69,7 +111,7 @@ zone=secure.nsec3.example.
infile=secure.nsec3.example.db.in
zonefile=secure.nsec3.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -82,7 +124,7 @@ zone=nsec3.nsec3.example.
infile=nsec3.nsec3.example.db.in
zonefile=nsec3.nsec3.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -95,7 +137,7 @@ zone=optout.nsec3.example.
infile=optout.nsec3.example.db.in
zonefile=optout.nsec3.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -108,7 +150,7 @@ zone=nsec3.example.
infile=nsec3.example.db.in
zonefile=nsec3.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -121,7 +163,7 @@ zone=secure.optout.example.
infile=secure.optout.example.db.in
zonefile=secure.optout.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -134,7 +176,7 @@ zone=nsec3.optout.example.
infile=nsec3.optout.example.db.in
zonefile=nsec3.optout.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -147,7 +189,7 @@ zone=optout.optout.example.
infile=optout.optout.example.db.in
zonefile=optout.optout.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -160,7 +202,7 @@ zone=optout.example.
infile=optout.example.db.in
zonefile=optout.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -173,7 +215,7 @@ zone=nsec3-unknown.example.
infile=nsec3-unknown.example.db.in
zonefile=nsec3-unknown.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -186,7 +228,7 @@ zone=optout-unknown.example.
infile=optout-unknown.example.db.in
zonefile=optout-unknown.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -200,13 +242,13 @@ zone=dnskey-unknown.example.
infile=dnskey-unknown.example.db.in
zonefile=dnskey-unknown.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
-awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP
$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
@@ -219,16 +261,16 @@ zone=dnskey-unsupported.example.
infile=dnskey-unsupported.example.db.in
zonefile=dnskey-unsupported.example.db
-keyname=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
-cat "$infile" "$keyname.key" > "$zonefile"
+cat $infile $keyname.key > $zonefile
-"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
+$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
-awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
-$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
#
# A zone with a published unsupported DNSKEY algorithm (Reserved).
@@ -238,12 +280,12 @@ zone=dnskey-unsupported-2.example.
infile=dnskey-unsupported-2.example.db.in
zonefile=dnskey-unsupported-2.example.db
-ksk=$("$KEYGEN" -f KSK -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-zsk=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+ksk=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+zsk=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
-cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
+cat $infile $ksk.key $zsk.key unsupported-algorithm.key > $zonefile
-"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
+$SIGNER -P -3 - -r $RANDFILE -o $zone -f ${zonefile}.signed $zonefile > /dev/null 2>&1
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
@@ -253,7 +295,7 @@ zone=dnskey-nsec3-unknown.example.
infile=dnskey-nsec3-unknown.example.db.in
zonefile=dnskey-nsec3-unknown.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -271,7 +313,7 @@ zone=multiple.example.
infile=multiple.example.db.in
zonefile=multiple.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -294,7 +336,7 @@ zone=rsasha256.example.
infile=rsasha256.example.db.in
zonefile=rsasha256.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -386,7 +428,7 @@ $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=secure.below-cname.example.
infile=secure.below-cname.example.db.in
zonefile=secure.below-cname.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
@@ -399,7 +441,7 @@ zonefile=ttlpatch.example.db
signedfile=ttlpatch.example.db.signed
patchedfile=ttlpatch.example.db.patched
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
@@ -414,7 +456,7 @@ infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
@@ -428,13 +470,13 @@ infile=split-smart.example.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cp $infile $zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
-#
+#
# Zone with signatures about to expire, but no private key to replace them
#
zone="expiring.example."
@@ -532,7 +574,7 @@ zone=badds.example.
infile=bogus.example.db.in
zonefile=badds.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname.key >$zonefile
@@ -584,8 +626,8 @@ $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=dname-at-apex-nsec3.example
infile=dname-at-apex-nsec3.example.db.in
zonefile=dname-at-apex-nsec3.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -3fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -3 $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3 $zone`
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1
@@ -595,10 +637,10 @@ $SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1
zone=occluded.example
infile=occluded.example.db.in
zonefile=occluded.example.db
-kskname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA256 -b 1024 -fk "$zone"`
-zskname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA256 -b 1024 "$zone"`
-dnskeyname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA256 -b 1024 -fk "delegation.$zone"`
-keyname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA1 -b 1024 -n ENTITY -T KEY "delegation.$zone"`
+kskname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "$zone"`
+zskname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS "$zone"`
+dnskeyname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "delegation.$zone"`
+keyname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n ENTITY -T KEY "delegation.$zone"`
$DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP"
cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
"${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile"
diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh
index 93ca6767fd..0711a7817c 100644
--- a/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -12,6 +12,8 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
+echo_i "ns5/sign.sh"
+
zone=.
infile=../ns1/root.db.in
zonefile=root.db.signed
diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in
index 0fb1091109..e3c553fd8f 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.in
+++ b/bin/tests/system/dnssec/ns6/named.conf.in
@@ -22,7 +22,7 @@ options {
recursion yes;
acache-enable yes;
notify yes;
- disable-algorithms . { DSA; };
+ disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv;
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
index 3092b5f477..0c79cec658 100644
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -12,6 +12,8 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
+echo_i "ns6/sign.sh"
+
zone=optout-tld
infile=optout-tld.db.in
zonefile=optout-tld.db
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
index a4cf78f6ef..1bb3eea86d 100644
--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -12,6 +12,8 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
+echo_i "ns7/sign.sh"
+
zone=split-rrsig
infile=split-rrsig.db.in
zonefile=split-rrsig.db
diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in
new file mode 100644
index 0000000000..fdc18df687
--- /dev/null
+++ b/bin/tests/system/dnssec/ns8/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "managed.conf";
+include "trusted.conf";
+
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 7532d0c9bd..c6767054bc 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -25,6 +25,7 @@ copy_setports ns5/named1.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
cd ns1
$SHELL sign.sh
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 73694f0072..f17413723d 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -168,7 +168,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking postive validation NSEC using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1
grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1
+ grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -191,7 +191,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking positive validation NSEC3 using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1
grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- grep "a.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
+ grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -214,7 +214,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking positive validation OPTOUT using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.optout.example > delv.out$n || ret=1
grep "a.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- grep "a.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
+ grep "a.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -240,7 +240,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1
grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
- grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1
+ grep "a.wild.example..*RRSIG.A [0-9][0-9]* 2 300.*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -282,7 +282,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1
grep "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
- grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
+ grep "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -308,7 +308,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1
grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1
- grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1
+ grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -1417,8 +1417,11 @@ get_rsasha1_key_ids_from_sigs() {
echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
ret=0
zone=example
-$KEYGEN -a 255 example > dnssectools.out.test$n 2>&1 && ret=0
-grep "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
+# If dnssec-keygen fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-keygen unexpectedly
+# succeeds, by using "&& ret=1".
+$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@@ -1427,24 +1430,27 @@ echo_i "checking that a DS record cannot be generated for a key using an unsuppo
ret=0
zone=example
# Fake an unsupported algorithm key
-unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-awk '$3 == "DNSKEY" { $6 = 255; print } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
+unsupportedkey=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
mv ${unsupportedkey}.tmp ${unsupportedkey}.key
-$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=0
-grep "algorithm is unsupported" dnssectools.out.test$n || ret=1
+# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
+# that from happening, and also trigger a test failure if dnssec-dsfromkey
+# unexpectedly succeeds, by using "&& ret=1".
+$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
ret=0
-cp ${unsupportedkey}.* signer/
-(
-cd signer || exit 1
-cat example.db.in "${unsupportedkey}.key" > example.db
-$SIGNER -o example example.db ${unsupportedkey} > ../dnssectools.out.test$n 2>&1 && ret=0
-) && ret=0
-grep "algorithm is unsupported" dnssectools.out.test$n || ret=1
+ret=0
+cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db
+# If dnssec-signzone fails, the test script will exit immediately. Prevent that
+# from happening, and also trigger a test failure if dnssec-signzone
+# unexpectedly succeeds, by using "&& ret=1".
+$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
+grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@@ -1756,7 +1762,7 @@ ret=0
$RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
keyid=`cat ns1/managed.key.id`
cp ns4/named.secroots named.secroots.test$n
-linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l`
+linecount=`grep "./$DEFAULT_ALGORITHM/$keyid ; trusted" named.secroots.test$n | wc -l`
[ "$linecount" -eq 1 ] || ret=1
linecount=`cat named.secroots.test$n | wc -l`
[ "$linecount" -eq 10 ] || ret=1
@@ -3084,11 +3090,11 @@ echo_i "check dig's +nocrypto flag ($n)"
ret=0
$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
-grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep '256 3 [0-9][0-9]* \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec +nocrypto DS example \
@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
-grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
+grep 'DS.* [0-9][0-9]* [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -3810,5 +3816,75 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+#
+# DNSSEC tests related to unsupported trust anchors.
+#
+
+# This nameserver (ns8) is loaded with a bunch of trust anchors. Some of them
+# are good (enabled.managed, enabled.trusted, secure.managed, secure.trusted),
+# and some of them are bad (unsupported.managed, unsupported.trusted). Make
+# sure that the bad trust anchors are ignored. This is tested by looking for
+# the corresponding lines in the logfile.
+echo_i "checking that keys with unsupported algorithms are ignored ($n)"
+ret=0
+grep "skipping trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
+grep "skipping managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two tests are fairly normal DNSSEC queries to signed zones with a
+# default algorithm. First, a query is made against the server that is
+# authoritative for the given zone (ns3). Second, a query is made against a
+# resolver with trust anchors for the given zone (ns8). Both are expected to
+# return an authentic data positive response.
+echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using a supported algorithm validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# The next two queries ensure that a zone signed with a DNSKEY with an unsupported
+# algorithm will yield insecure positive responses. These trust anchors in ns8 are
+# ignored and so this domain is treated as insecure. The AD bit should not be set
+# in the response.
+echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n
+$DIG $DIGOPTS @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index dd5365c7be..381768d540 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5171,6 +5171,12 @@ options {
by the disable-algorithms will be treated
as insecure.
+
+ Configured trust anchors in trusted-keys
+ or managed-keys that match a disabled
+ algorithm will be ignored and treated as if they were not
+ configured at all.
+