Support for NSEC3 in dnssec-policy

Implement support for NSEC3 in dnssec-policy.  Store the configuration
in kasp objects. When configuring a zone, call 'dns_zone_setnsec3param'
to queue an nsec3param event. This will ensure that any previous
chains will be removed and a chain according to the dnssec-policy is
created.

Add tests for dnssec-policy zones that uses the new 'nsec3param'
option, as well as changing to new values, changing to NSEC, and
changing from NSEC.

bin/tests/system/nsec3/clean.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out.* rndc.signing.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+

bin/tests/system/nsec3/ns3/named.conf.in

@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt "deadbeef";
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	dnssec-policy "nsec";
+};
+
+/* This zone uses the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	dnssec-policy "nsec3-other";
+};
+
+/* The zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	dnssec-policy "nsec3";
+};

bin/tests/system/nsec3/ns3/named2.conf.in

@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+	// no need to change configuration: if no 'nsec3param' is set,
+	// NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+	nsec3param;
+};
+
+dnssec-policy "nsec3-other" {
+	nsec3param iterations 11 optout yes salt "deadbeef";
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+	type primary;
+	file "nsec-to-nsec3.kasp.db";
+	//dnssec-policy "nsec";
+	dnssec-policy "nsec3";
+};
+
+/* This zone uses the default NSEC3 settings. */
+zone "nsec3.kasp" {
+	type primary;
+	file "nsec3.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+	type primary;
+	file "nsec3-other.kasp.db";
+	dnssec-policy "nsec3-other";
+};
+
+/* The zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+	type primary;
+	file "nsec3-change.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec3-other";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+	type primary;
+	file "nsec3-to-nsec.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "nsec";
+};

bin/tests/system/nsec3/ns3/setup.sh

@@ -0,0 +1,28 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	cp template.db.in "$zonefile"
+}
+
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec
+do
+	setup "${zn}.kasp"
+done

bin/tests/system/nsec3/ns3/template.db.in

@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+

bin/tests/system/nsec3/setup.sh

@@ -0,0 +1,24 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(
+	cd ns3
+	$SHELL setup.sh
+)

bin/tests/system/nsec3/tests.sh

@@ -0,0 +1,244 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+# Log errors and increment $ret.
+log_error() {
+	echo_i "error: $1"
+	ret=$((ret+1))
+}
+
+# Call dig with default options.
+dig_with_opts() {
+	$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+# Call rndc.
+rndccmd() {
+    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Set server key-directory ($1) and address ($2) for testing nsec3.
+set_server() {
+	DIR=$1
+	SERVER=$2
+}
+# Set zone name ($1) and policy ($2) for testing nsec3.
+set_zone_policy() {
+	ZONE=$1
+	POLICY=$2
+}
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and salt ($3).
+set_nsec3param() {
+	FLAGS=$1
+	ITERATIONS=$2
+	SALT=$3
+}
+
+# The apex NSEC3PARAM record indicates that it is signed.
+_wait_for_nsec3param() {
+	dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
+	grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+        return 0
+}
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+	dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1
+	grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+	grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1
+        return 0
+}
+
+# Wait for the zone to be signed.
+wait_for_zone_is_signed() {
+	n=$((n+1))
+	ret=0
+	echo_i "wait for ${ZONE} to be signed ($n)"
+
+	if [ "$1" = "nsec3" ]; then
+		retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
+	else
+		retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
+	fi
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: dnssec-verify zone $1.
+dnssec_verify()
+{
+	n=$((n+1))
+	echo_i "dnssec-verify zone ${ZONE} ($n)"
+	ret=0
+	dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.test$n.axfr || log_error "dig ${ZONE} AXFR failed"
+	$VERIFY -z -o "$ZONE" dig.out.test$n.axfr > /dev/null || log_error "dnssec verify zone $ZONE failed"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: check NSEC in answers
+_check_nsec_nsec3param()
+{
+	dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+	grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
+	return 0
+}
+
+_check_nsec_nxdomain()
+{
+	dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+	grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+	grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
+	return 0
+}
+
+check_nsec()
+{
+	n=$((n+1))
+	echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	n=$((n+1))
+	echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Test: check NSEC3 parameters in answers
+_check_nsec3_nsec3param()
+{
+	dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+	grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
+	return 0
+}
+
+_check_nsec3_nxdomain()
+{
+	dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+	grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+	return 0
+}
+
+check_nsec3()
+{
+	n=$((n+1))
+	echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+
+	n=$((n+1))
+	echo_i "check NSEC3 response for zone ${ZONE} ($n)"
+	ret=0
+	retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+# Zone: nsec-to-nsec3.kasp.
+set_zone_policy "nsec-to-nsec3.kasp" "nsec"
+set_server "ns3" "10.53.0.3"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3.kasp.
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp.
+set_zone_policy "nsec3-change.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-nsec.kasp.
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-other.kasp.
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+
+# Reconfig named.
+echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+
+# Zone: nsec-to-nsec3.kasp. (reconfigured)
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3.kasp. (same)
+set_zone_policy "nsec3.kasp" "nsec3"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp. (reconfigured)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-nsec.kasp. (reconfigured)
+set_zone_policy "nsec3-to-nsec.kasp" "nsec"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3-other.kasp. (same)
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Using rndc signing -nsec3param
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+dnssec_verify
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
+