From a97061c93990877f9e52229f4a789b0ce1b0de4d Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 15 Jan 2019 11:32:53 +0100 Subject: [PATCH] Ignore unsupported trust anchors (cherry picked from commit 1d45ad8f39dcd66f7e664e5d05d4ac553fdcbc0b) Some adaptations were made to make the code compile and tests pass. --- bin/named/server.c | 19 +++- bin/tests/system/conf.sh.in | 10 ++ bin/tests/system/conf.sh.win32 | 10 ++ bin/tests/system/dnssec/README | 3 + bin/tests/system/dnssec/clean.sh | 2 +- bin/tests/system/dnssec/ns1/root.db.in | 18 +-- bin/tests/system/dnssec/ns1/sign.sh | 10 +- bin/tests/system/dnssec/ns2/key.db.in | 40 +++++++ bin/tests/system/dnssec/ns2/named.conf.in | 10 ++ bin/tests/system/dnssec/ns2/sign.sh | 49 +++++++-- bin/tests/system/dnssec/ns3/key.db.in | 24 ++++ bin/tests/system/dnssec/ns3/named.conf.in | 20 ++++ bin/tests/system/dnssec/ns3/sign.sh | 128 ++++++++++++++-------- bin/tests/system/dnssec/ns5/sign.sh | 2 + bin/tests/system/dnssec/ns6/named.conf.in | 2 +- bin/tests/system/dnssec/ns6/sign.sh | 2 + bin/tests/system/dnssec/ns7/sign.sh | 2 + bin/tests/system/dnssec/ns8/named.conf.in | 44 ++++++++ bin/tests/system/dnssec/setup.sh | 1 + bin/tests/system/dnssec/tests.sh | 120 ++++++++++++++++---- doc/arm/Bv9ARM-book.xml | 6 + 21 files changed, 431 insertions(+), 91 deletions(-) create mode 100644 bin/tests/system/dnssec/ns2/key.db.in create mode 100644 bin/tests/system/dnssec/ns3/key.db.in create mode 100644 bin/tests/system/dnssec/ns8/named.conf.in diff --git a/bin/named/server.c b/bin/named/server.c index b63a3864da..75fb0af2c1 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -698,8 +698,9 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, } static isc_result_t -dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, - bool managed, dst_key_t **target, isc_mem_t *mctx) +dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig, + const cfg_obj_t *key, bool managed, dst_key_t **target, + isc_mem_t *mctx) { dns_rdataclass_t viewclass; dns_rdata_dnskey_t keystruct; @@ -792,6 +793,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf, mctx, &dstkey)); + if (!dns_resolver_algorithm_supported(view->resolver, keyname, alg)) { + cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, + "%s key for '%s': algorithm is disabled", + managed ? "managed" : "trusted", keynamestr); + result = DST_R_UNSUPPORTEDALG; + goto cleanup; + } + *target = dstkey; return (ISC_R_SUCCESS); @@ -842,9 +851,9 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, elt2 != NULL; elt2 = cfg_list_next(elt2)) { key = cfg_listelt_value(elt2); - result = dstkey_fromconfig(vconfig, key, managed, + result = dstkey_fromconfig(view, vconfig, key, managed, &dstkey, mctx); - if (result == DST_R_UNSUPPORTEDALG) { + if (result == DST_R_UNSUPPORTEDALG) { result = ISC_R_SUCCESS; continue; } @@ -9962,7 +9971,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) { struct zonelistentry *zle; zle = isc_mem_get(dctx->mctx, sizeof *zle); - if (zle == NULL) + if (zle == NULL) return (ISC_R_NOMEMORY); zle->zone = NULL; dns_zone_attach(zone, &zle->zone); diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 2236f0a151..4909307cda 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -27,6 +27,13 @@ ALTERNATIVE_ALGORITHM=RSASHA1 ALTERNATIVE_ALGORITHM_NUMBER=5 ALTERNATIVE_BITS=1280 +# This is an algorithm that is used for tests against the +# "disable-algorithms" configuration option. Must be different from above +# algorithms. +DISABLED_ALGORITHM=ECDSAP384SHA384 +DISABLED_ALGORITHM_NUMBER=14 +DISABLED_BITS=384 + NAMED=$TOP/bin/named/named # We must use "named -l" instead of "lwresd" because argv[0] is lost # if the program is libtoolized. @@ -353,6 +360,9 @@ copy_setports() { -e "s/@ALTERNATIVE_ALGORITHM@/${ALTERNATIVE_ALGORITHM}/g" \ -e "s/@ALTERNATIVE_ALGORITHM_NUMBER@/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \ -e "s/@ALTERNATIVE_BITS@/${ALTERNATIVE_BITS}/g" \ + -e "s/@DISABLED_ALGORITHM@/${DISABLED_ALGORITHM}/g" \ + -e "s/@DISABLED_ALGORITHM_NUMBER@/${DISABLED_ALGORITHM_NUMBER}/g" \ + -e "s/@DISABLED_BITS@/${DISABLED_BITS}/g" \ $1 > $2 } diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32 index 87d2fc84fe..3135e88185 100644 --- a/bin/tests/system/conf.sh.win32 +++ b/bin/tests/system/conf.sh.win32 @@ -36,6 +36,13 @@ ALTERNATIVE_ALGORITHM=RSASHA1 ALTERNATIVE_ALGORITHM_NUMBER=5 ALTERNATIVE_BITS=1280 +# This is an algorithm that is used for tests against the +# "disable-algorithms" configuration option. Must be different from above +# algorithms. +DISABLED_ALGORITHM=ECDSAP384SHA384 +DISABLED_ALGORITHM_NUMBER=14 +DISABLED_BITS=384 + ARPANAME=$TOP/Build/$VSCONF/arpaname@EXEEXT@ CHECKCONF=$TOP/Build/$VSCONF/named-checkconf@EXEEXT@ CHECKDS="$PYTHON `cygpath -w $TOP/bin/python/dnssec-checkds.py`" @@ -336,6 +343,9 @@ copy_setports() { -e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \ -e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \ -e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \ + -e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \ + -e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \ + -e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \ $1 > $2 } diff --git a/bin/tests/system/dnssec/README b/bin/tests/system/dnssec/README index c45bd71f23..df83eb14e2 100644 --- a/bin/tests/system/dnssec/README +++ b/bin/tests/system/dnssec/README @@ -17,3 +17,6 @@ key for the root. It is used for testing failure cases. ns6 is a caching-only server configured to use DLV. ns7 is used for checking non-cacheable answers. + +ns8 is a caching-only server, configured with unsupported and disabled +algorithms. It is used for testing failure cases. diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index fa0abe3c98..c49ee9a1ac 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -33,7 +33,7 @@ rm -f ./ns*/*.nta rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys* rm -f ./ns*/named.lock rm -f ./ns1/managed.key.id -rm -f ./ns1/root.db ./ns2/example.db ./ns3/secure.example.db +rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db rm -f ./ns2/algroll.db rm -f ./ns2/badparam.db ./ns2/badparam.db.bad rm -f ./ns2/cdnskey-kskonly.secure.db diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in index 5ad5d9ef1d..7fdbab9c4e 100644 --- a/bin/tests/system/dnssec/ns1/root.db.in +++ b/bin/tests/system/dnssec/ns1/root.db.in @@ -8,12 +8,12 @@ ; information regarding copyright ownership. $TTL 300 -. IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum ) . NS a.root-servers.nil. a.root-servers.nil. A 10.53.0.1 @@ -22,8 +22,12 @@ example. NS ns2.example. ns2.example. A 10.53.0.2 dlv. NS ns2.dlv. ns2.dlv. A 10.53.0.2 -algroll NS ns2.algroll +algroll. NS ns2.algroll. ns2.algroll. A 10.53.0.2 +managed. NS ns2.managed. +ns2.managed. A 10.53.0.2 +trusted. NS ns2.trusted. +ns2.trusted. A 10.53.0.2 optout-tld NS ns6.optout-tld. ns6.optout-tld. A 10.53.0.6 in-addr.arpa. NS ns2.example. diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 198d60ae15..0bcf5673cd 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -20,14 +20,16 @@ zonefile=root.db (cd ../ns6 && $SHELL sign.sh ) (cd ../ns7 && $SHELL sign.sh ) +echo_i "ns1/sign.sh" + cp ../ns2/dsset-example$TP . cp ../ns2/dsset-dlv$TP . cp ../ns2/dsset-in-addr.arpa$TP . -grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP +grep "$DEFAULT_ALGORITHM_NUMBER [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP cp ../ns6/dsset-optout-tld$TP . -keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key > $zonefile @@ -48,6 +50,4 @@ cp managed.conf ../ns4/managed.conf # # Save keyid for managed key id test. # -keyid=`expr $keyname : 'K.+001+\(.*\)'` -keyid=`expr $keyid + 0` -echo "$keyid" > managed.key.id +echo "$keyname" | sed -e 's/.*[+]//' -e 's/^0*//' > managed.key.id diff --git a/bin/tests/system/dnssec/ns2/key.db.in b/bin/tests/system/dnssec/ns2/key.db.in new file mode 100644 index 0000000000..60be0cf4c1 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/key.db.in @@ -0,0 +1,40 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; A secure subdomain +secure NS ns3.secure +ns3.secure A 10.53.0.3 + +; A subdomain that is signed with an unsupported algorithm +unsupported NS ns3.unsupported +ns3.unsupported A 10.53.0.3 + +; A secure subdomain with a disabled algorithm +disabled NS ns3.disabled +ns3.disabled A 10.53.0.3 + +; A secure subdomain with a disabled algorithm, but not in bailiwick +enabled NS ns3.enabled +ns3.enabled A 10.53.0.3 + diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 6124f4540f..72ae328995 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -45,6 +45,16 @@ zone "dlv" { file "dlv.db.signed"; }; +zone "trusted" { + type master; + file "trusted.db.signed"; +}; + +zone "managed" { + type master; + file "managed.db.signed"; +}; + zone "example" { type master; file "example.db.signed"; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 6ee989b14f..fb58a1fa77 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -12,26 +12,61 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +# Sign child zones (served by ns3). +( cd ../ns3 && $SHELL sign.sh ) + +echo_i "ns2/sign.sh" + +# Get the DS records for the "trusted." and "managed." zones. +for subdomain in secure unsupported disabled enabled +do + cp ../ns3/dsset-$subdomain.managed$TP . + cp ../ns3/dsset-$subdomain.trusted$TP . +done + +# Sign the "trusted." and "managed." zones. +zone=managed. +infile=key.db.in +zonefile=managed.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone $zone` + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null 2>&1 + +zone=trusted. +infile=key.db.in +zonefile=trusted.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone $zone` + +cat $infile $keyname1.key $keyname2.key > $zonefile + +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null 2>&1 + +# The "example." zone. zone=example. infile=example.db.in zonefile=example.db -# Have the child generate a zone key and pass it to us. - -( cd ../ns3 && $SHELL sign.sh ) - +# Get the DS records for the "example." zone. for subdomain in secure badds bogus dynamic keyless nsec3 optout \ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ ttlpatch split-dnssec split-smart expired expiring upper lower \ - dnskey-unknown dnskey-nsec3-unknown managed-future revkey \ + dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \ + dnskey-nsec3-unknown managed-future revkey \ dname-at-apex-nsec3 occluded do cp ../ns3/dsset-$subdomain.example$TP . done -keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +# Sign the "example." zone. +keyname1=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a $ALTERNATIVE_ALGORITHM -b $ALTERNATIVE_BITS -n zone $zone` cat $infile $keyname1.key $keyname2.key >$zonefile diff --git a/bin/tests/system/dnssec/ns3/key.db.in b/bin/tests/system/dnssec/ns3/key.db.in new file mode 100644 index 0000000000..3847e2ea10 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/key.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index 435daffda9..4e2eff11bb 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in @@ -313,6 +313,26 @@ zone "occluded.example" { file "occluded.example.db.signed"; }; +zone "secure.managed" { + type master; + file "secure.managed.db.signed"; +}; + +zone "unsupported.managed" { + type master; + file "unsupported.managed.db.signed"; +}; + +zone "secure.trusted" { + type master; + file "secure.trusted.db.signed"; +}; + +zone "unsupported.trusted" { + type master; + file "unsupported.trusted.db.signed"; +}; + include "siginterval.conf"; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index b5fce0f854..d5ee783877 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -12,13 +12,55 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +echo_i "ns3/sign.sh" + +infile=key.db.in +for tld in managed trusted +do + # A secure zone to test. + zone=secure.${tld} + zonefile=${zone}.db + + keyname1=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` + cat $infile $keyname1.key > $zonefile + $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.signed $zonefile > /dev/null 2>&1 + DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP + $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + + # Zone to test trust anchor with unsupported algorithm. + zone=unsupported.${tld} + zonefile=${zone}.db + + keyname2=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` + cat $infile $keyname2.key > $zonefile + $SIGNER -z -P -3 - -o $zone -r $RANDFILE -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 + awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed + DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP + $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE + + # Make trusted-keys and managed keys conf sections for ns8. + mv ${keyname2}.key ${keyname2}.tmp + awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname2}.tmp > ${keyname2}.key + + case $tld in + "managed") + keyfile_to_managed_keys $keyname1 $keyname2 > ../ns8/managed.conf + ;; + "trusted") + keyfile_to_trusted_keys $keyname1 $keyname2 > ../ns8/trusted.conf + ;; + esac +done + +echo_i "ns3/sign.sh: example zones" + zone=secure.example. infile=secure.example.db.in zonefile=secure.example.db -cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone` -dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone` -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host cnameandkey.$zone` +dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n host dnameandkey.$zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile @@ -28,7 +70,7 @@ zone=bogus.example. infile=bogus.example.db.in zonefile=bogus.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -38,8 +80,8 @@ zone=dynamic.example. infile=dynamic.example.db.in zonefile=dynamic.example.db -keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` -keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone` +keyname1=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b 1024 -n zone -f KSK $zone` cat $infile $keyname1.key $keyname2.key >$zonefile @@ -49,7 +91,7 @@ zone=keyless.example. infile=generic.example.db.in zonefile=keyless.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -69,7 +111,7 @@ zone=secure.nsec3.example. infile=secure.nsec3.example.db.in zonefile=secure.nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -82,7 +124,7 @@ zone=nsec3.nsec3.example. infile=nsec3.nsec3.example.db.in zonefile=nsec3.nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -95,7 +137,7 @@ zone=optout.nsec3.example. infile=optout.nsec3.example.db.in zonefile=optout.nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -108,7 +150,7 @@ zone=nsec3.example. infile=nsec3.example.db.in zonefile=nsec3.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -121,7 +163,7 @@ zone=secure.optout.example. infile=secure.optout.example.db.in zonefile=secure.optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -134,7 +176,7 @@ zone=nsec3.optout.example. infile=nsec3.optout.example.db.in zonefile=nsec3.optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -147,7 +189,7 @@ zone=optout.optout.example. infile=optout.optout.example.db.in zonefile=optout.optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -160,7 +202,7 @@ zone=optout.example. infile=optout.example.db.in zonefile=optout.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -173,7 +215,7 @@ zone=nsec3-unknown.example. infile=nsec3-unknown.example.db.in zonefile=nsec3-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -186,7 +228,7 @@ zone=optout-unknown.example. infile=optout-unknown.example.db.in zonefile=optout-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -200,13 +242,13 @@ zone=dnskey-unknown.example. infile=dnskey-unknown.example.db.in zonefile=dnskey-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile $SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 -awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE @@ -219,16 +261,16 @@ zone=dnskey-unsupported.example. infile=dnskey-unsupported.example.db.in zonefile=dnskey-unsupported.example.db -keyname=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` -cat "$infile" "$keyname.key" > "$zonefile" +cat $infile $keyname.key > $zonefile -"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1 -awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed +awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP" -$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" +$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE # # A zone with a published unsupported DNSKEY algorithm (Reserved). @@ -238,12 +280,12 @@ zone=dnskey-unsupported-2.example. infile=dnskey-unsupported-2.example.db.in zonefile=dnskey-unsupported-2.example.db -ksk=$("$KEYGEN" -f KSK -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -zsk=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +ksk=`$KEYGEN -f KSK -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +zsk=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` -cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" +cat $infile $ksk.key $zsk.key unsupported-algorithm.key > $zonefile -"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 +$SIGNER -P -3 - -r $RANDFILE -o $zone -f ${zonefile}.signed $zonefile > /dev/null 2>&1 # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). @@ -253,7 +295,7 @@ zone=dnskey-nsec3-unknown.example. infile=dnskey-nsec3-unknown.example.db.in zonefile=dnskey-nsec3-unknown.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -271,7 +313,7 @@ zone=multiple.example. infile=multiple.example.db.in zonefile=multiple.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -294,7 +336,7 @@ zone=rsasha256.example. infile=rsasha256.example.db.in zonefile=rsasha256.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` cat $infile $keyname.key >$zonefile @@ -386,7 +428,7 @@ $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=secure.below-cname.example. infile=secure.below-cname.example.db.in zonefile=secure.below-cname.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 @@ -399,7 +441,7 @@ zonefile=ttlpatch.example.db signedfile=ttlpatch.example.db.signed patchedfile=ttlpatch.example.db.patched -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 @@ -414,7 +456,7 @@ infile=split-dnssec.example.db.in zonefile=split-dnssec.example.db signedfile=split-dnssec.example.db.signed -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile echo '$INCLUDE "'"$signedfile"'"' >> $zonefile : > $signedfile @@ -428,13 +470,13 @@ infile=split-smart.example.db.in zonefile=split-smart.example.db signedfile=split-smart.example.db.signed -keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cp $infile $zonefile echo '$INCLUDE "'"$signedfile"'"' >> $zonefile : > $signedfile $SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 -# +# # Zone with signatures about to expire, but no private key to replace them # zone="expiring.example." @@ -532,7 +574,7 @@ zone=badds.example. infile=bogus.example.db.in zonefile=badds.example.db -keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` cat $infile $keyname.key >$zonefile @@ -584,8 +626,8 @@ $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 zone=dname-at-apex-nsec3.example infile=dname-at-apex-nsec3.example.db.in zonefile=dname-at-apex-nsec3.example.db -kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -3fk $zone` -zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -3 $zone` +kskname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3fk $zone` +zskname=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -3 $zone` cat $infile $kskname.key $zskname.key >$zonefile $SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1 @@ -595,10 +637,10 @@ $SIGNER -P -r $RANDFILE -3 - -o $zone $zonefile > /dev/null 2>&1 zone=occluded.example infile=occluded.example.db.in zonefile=occluded.example.db -kskname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA256 -b 1024 -fk "$zone"` -zskname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA256 -b 1024 "$zone"` -dnskeyname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA256 -b 1024 -fk "delegation.$zone"` -keyname=`"$KEYGEN" -q -r $RANDFILE -a RSASHA1 -b 1024 -n ENTITY -T KEY "delegation.$zone"` +kskname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "$zone"` +zskname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS "$zone"` +dnskeyname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk "delegation.$zone"` +keyname=`"$KEYGEN" -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n ENTITY -T KEY "delegation.$zone"` $DSFROMKEY "$dnskeyname.key" > "dsset-delegation.${zone}$TP" cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \ "${dnskeyname}.key" "dsset-delegation.${zone}$TP" >"$zonefile" diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh index 93ca6767fd..0711a7817c 100644 --- a/bin/tests/system/dnssec/ns5/sign.sh +++ b/bin/tests/system/dnssec/ns5/sign.sh @@ -12,6 +12,8 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +echo_i "ns5/sign.sh" + zone=. infile=../ns1/root.db.in zonefile=root.db.signed diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in index 0fb1091109..e3c553fd8f 100644 --- a/bin/tests/system/dnssec/ns6/named.conf.in +++ b/bin/tests/system/dnssec/ns6/named.conf.in @@ -22,7 +22,7 @@ options { recursion yes; acache-enable yes; notify yes; - disable-algorithms . { DSA; }; + disable-algorithms . { @ALTERNATIVE_ALGORITHM@; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside . trust-anchor dlv; diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh index 3092b5f477..0c79cec658 100644 --- a/bin/tests/system/dnssec/ns6/sign.sh +++ b/bin/tests/system/dnssec/ns6/sign.sh @@ -12,6 +12,8 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +echo_i "ns6/sign.sh" + zone=optout-tld infile=optout-tld.db.in zonefile=optout-tld.db diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh index a4cf78f6ef..1bb3eea86d 100644 --- a/bin/tests/system/dnssec/ns7/sign.sh +++ b/bin/tests/system/dnssec/ns7/sign.sh @@ -12,6 +12,8 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +echo_i "ns7/sign.sh" + zone=split-rrsig infile=split-rrsig.db.in zonefile=split-rrsig.db diff --git a/bin/tests/system/dnssec/ns8/named.conf.in b/bin/tests/system/dnssec/ns8/named.conf.in new file mode 100644 index 0000000000..fdc18df687 --- /dev/null +++ b/bin/tests/system/dnssec/ns8/named.conf.in @@ -0,0 +1,44 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS8 + +options { + query-source address 10.53.0.8; + notify-source 10.53.0.8; + transfer-source 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-enable yes; + dnssec-validation yes; + minimal-responses no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "managed.conf"; +include "trusted.conf"; + diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 7532d0c9bd..c6767054bc 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -25,6 +25,7 @@ copy_setports ns5/named1.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf +copy_setports ns8/named.conf.in ns8/named.conf cd ns1 $SHELL sign.sh diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 73694f0072..f17413723d 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -168,7 +168,7 @@ if [ -x ${DELV} ] ; then echo_i "checking postive validation NSEC using dns_client ($n)" $DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1 grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1 + grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -191,7 +191,7 @@ if [ -x ${DELV} ] ; then echo_i "checking positive validation NSEC3 using dns_client ($n)" $DELV $DELVOPTS @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 grep "a.nsec3.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -214,7 +214,7 @@ if [ -x ${DELV} ] ; then echo_i "checking positive validation OPTOUT using dns_client ($n)" $DELV $DELVOPTS @10.53.0.4 a a.optout.example > delv.out$n || ret=1 grep "a.optout.example..*10.0.0.1" delv.out$n > /dev/null || ret=1 - grep "a.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + grep "a.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -240,7 +240,7 @@ if [ -x ${DELV} ] ; then echo_i "checking positive wildcard validation NSEC using dns_client ($n)" $DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1 grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1 - grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1 + grep "a.wild.example..*RRSIG.A [0-9][0-9]* 2 300.*" delv.out$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -282,7 +282,7 @@ if [ -x ${DELV} ] ; then echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" $DELV $DELVOPTS @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 grep "a.wild.nsec3.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + grep "a.wild.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -308,7 +308,7 @@ if [ -x ${DELV} ] ; then echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" $DELV $DELVOPTS @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 grep "a.wild.optout.example..*10.0.0.6" delv.out$n > /dev/null || ret=1 - grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" delv.out$n > /dev/null || ret=1 + grep "a.wild.optout.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -1417,8 +1417,11 @@ get_rsasha1_key_ids_from_sigs() { echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" ret=0 zone=example -$KEYGEN -a 255 example > dnssectools.out.test$n 2>&1 && ret=0 -grep "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 +# If dnssec-keygen fails, the test script will exit immediately. Prevent that +# from happening, and also trigger a test failure if dnssec-keygen unexpectedly +# succeeds, by using "&& ret=1". +$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1 +grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1427,24 +1430,27 @@ echo_i "checking that a DS record cannot be generated for a key using an unsuppo ret=0 zone=example # Fake an unsupported algorithm key -unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -awk '$3 == "DNSKEY" { $6 = 255; print } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp +unsupportedkey=`$KEYGEN -q -r $RANDFILE -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` +awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp mv ${unsupportedkey}.tmp ${unsupportedkey}.key -$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=0 -grep "algorithm is unsupported" dnssectools.out.test$n || ret=1 +# If dnssec-dsfromkey fails, the test script will exit immediately. Prevent +# that from happening, and also trigger a test failure if dnssec-dsfromkey +# unexpectedly succeeds, by using "&& ret=1". +$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" ret=0 -cp ${unsupportedkey}.* signer/ -( -cd signer || exit 1 -cat example.db.in "${unsupportedkey}.key" > example.db -$SIGNER -o example example.db ${unsupportedkey} > ../dnssectools.out.test$n 2>&1 && ret=0 -) && ret=0 -grep "algorithm is unsupported" dnssectools.out.test$n || ret=1 +ret=0 +cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db +# If dnssec-signzone fails, the test script will exit immediately. Prevent that +# from happening, and also trigger a test failure if dnssec-signzone +# unexpectedly succeeds, by using "&& ret=1". +$SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1 +grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1756,7 +1762,7 @@ ret=0 $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i keyid=`cat ns1/managed.key.id` cp ns4/named.secroots named.secroots.test$n -linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l` +linecount=`grep "./$DEFAULT_ALGORITHM/$keyid ; trusted" named.secroots.test$n | wc -l` [ "$linecount" -eq 1 ] || ret=1 linecount=`cat named.secroots.test$n | wc -l` [ "$linecount" -eq 10 ] || ret=1 @@ -3084,11 +3090,11 @@ echo_i "check dig's +nocrypto flag ($n)" ret=0 $DIG $DIGOPTS +norec +nocrypto DNSKEY . \ @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1 -grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 +grep '256 3 [0-9][0-9]* \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1 $DIG $DIGOPTS +norec +nocrypto DS example \ @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1 -grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1 +grep 'DS.* [0-9][0-9]* [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` @@ -3810,5 +3816,75 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# +# DNSSEC tests related to unsupported trust anchors. +# + +# This nameserver (ns8) is loaded with a bunch of trust anchors. Some of them +# are good (enabled.managed, enabled.trusted, secure.managed, secure.trusted), +# and some of them are bad (unsupported.managed, unsupported.trusted). Make +# sure that the bad trust anchors are ignored. This is tested by looking for +# the corresponding lines in the logfile. +echo_i "checking that keys with unsupported algorithms are ignored ($n)" +ret=0 +grep "skipping trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1 +grep "skipping managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# The next two tests are fairly normal DNSSEC queries to signed zones with a +# default algorithm. First, a query is made against the server that is +# authoritative for the given zone (ns3). Second, a query is made against a +# resolver with trust anchors for the given zone (ns8). Both are expected to +# return an authentic data positive response. +echo_i "checking that a trusted key using a supported algorithm validates as secure ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that a managed key using a supported algorithm validates as secure ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# The next two queries ensure that a zone signed with a DNSKEY with an unsupported +# algorithm will yield insecure positive responses. These trust anchors in ns8 are +# ignored and so this domain is treated as insecure. The AD bit should not be set +# in the response. +echo_i "checking that a trusted key using an unsupported algorithm validates as insecure ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking that a managed key using an unsupported algorithm validates as insecure ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n +$DIG $DIGOPTS @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n +grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1 +grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index dd5365c7be..381768d540 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5171,6 +5171,12 @@ options { by the disable-algorithms will be treated as insecure. + + Configured trust anchors in trusted-keys + or managed-keys that match a disabled + algorithm will be ignored and treated as if they were not + configured at all. +