upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-18 00:26:11 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/dnssec
History
Ondřej Surý bd4576b3ce Remove TKEY Mode 2 (Diffie-Hellman) 
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools).  The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.

The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:

    4.2 Diffie-Hellman Exchanged Keying (Deprecated)

       The use of this mode (#2) is NOT RECOMMENDED for the following two
       reasons but the specification is still included in Appendix A in case
       an implementation is needed for compatibility with old TKEY
       implementations. See Section 4.6 on ECDH Exchanged Keying.

          The mixing function used does not meet current cryptographic
          standards because it uses MD5 [RFC6151].

          RSA keys must be excessively long to achieve levels of security
          required by current standards.

We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status.  Meanwhile the
insecure DH mode needs to be removed.
2023-03-08 08:36:25 +01:00
..
ans10 Adapt to Python scripts to black 23.1.0 2023-02-17 15:31:52 +01:00
ns1 Remove leftover test code for Windows 2022-01-27 09:08:29 +01:00
ns2 Use DEFAULT_HMAC for rndc 2022-07-07 10:11:42 +10:00
ns3 Remove TKEY Mode 2 (Diffie-Hellman) 2023-03-08 08:36:25 +01:00
ns4 remove nonfunctional DSCP implementation 2023-01-09 12:15:21 -08:00
ns5 Use DEFAULT_HMAC for rndc 2022-07-07 10:11:42 +10:00
ns6 Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
ns7 Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
ns8 Use DEFAULT_HMAC for rndc 2022-07-07 10:11:42 +10:00
ns9 Use DEFAULT_HMAC for rndc 2022-07-07 10:11:42 +10:00
signer dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys 2022-08-09 16:22:19 +02:00
clean.sh Test dnssec-signzone -G digests 2023-02-28 09:38:31 +01:00
dnssec_update_test.pl Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
ntadiff.pl Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
README Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
setup.sh Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
tests.sh Test dnssec-signzone -G digests 2023-02-28 09:38:31 +01:00

README 

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0.  If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.

The test setup for the DNSSEC tests has a secure root.

ns1 is the root server.

ns2 and ns3 are authoritative servers for the various test domains.

ns4 is a caching-only server, configured with the correct trusted key
for the root.

ns5 is a caching-only server, configured with the an incorrect trusted
key for the root.  It is used for testing failure cases.

ns6 is an caching and authoritative server used for testing unusual
server behaviors such as disabled DNSSEC algorithms.

ns7 is used for checking non-cacheable answers.

ns8 is a caching-only server, configured with unsupported and disabled
algorithms.  It is used for testing failure cases.

ns9 is a forwarding-only server.