From 1362360e8fa37acd26ef507c62f70738d0bf6e7c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 25 Aug 2022 11:05:40 +1000 Subject: [PATCH] nsec3: skip tests that depend on RSASHA1 in FIPS mode --- bin/tests/system/nsec3/clean.sh | 5 +- bin/tests/system/nsec3/ns3/named-fips.conf.in | 162 ++++++++++++++++++ bin/tests/system/nsec3/ns3/named.conf.in | 149 +--------------- .../system/nsec3/ns3/named2-fips.conf.in | 153 +++++++++++++++++ bin/tests/system/nsec3/ns3/named2.conf.in | 139 +-------------- bin/tests/system/nsec3/setup.sh | 10 +- bin/tests/system/nsec3/tests.sh | 9 +- 7 files changed, 337 insertions(+), 290 deletions(-) create mode 100644 bin/tests/system/nsec3/ns3/named-fips.conf.in create mode 100644 bin/tests/system/nsec3/ns3/named2-fips.conf.in diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh index fab9352c1c..8714dfe4b5 100644 --- a/bin/tests/system/nsec3/clean.sh +++ b/bin/tests/system/nsec3/clean.sh @@ -13,10 +13,11 @@ set -e +rm -f created.key-* *.created unused.key-* rm -f dig.out.* rndc.reload.* rndc.signing.* update.out.* verify.out.* -rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind rm -f ns*/K*.private ns*/K*.key ns*/K*.state rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed rm -f ns*/keygen.out.* ns*/settime.out.* -rm -f created.key-* *.created unused.key-* +rm -f ns*/named.conf ns*/named.memstats ns*/named.run* +rm -f ns3/named-fips.conf diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.in b/bin/tests/system/nsec3/ns3/named-fips.conf.in new file mode 100644 index 0000000000..0235f0c1e7 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in @@ -0,0 +1,162 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +dnssec-policy "nsec" { + // no need to change configuration: if no 'nsec3param' is set, + // NSEC will be used; +}; + +dnssec-policy "nsec3" { + nsec3param; +}; + +dnssec-policy "optout" { + nsec3param optout yes; +}; + +dnssec-policy "nsec3-other" { + nsec3param iterations 11 optout yes salt-length 8; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ +zone "nsec-to-nsec3.kasp" { + type primary; + file "nsec-to-nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "nsec"; +}; + +/* These zones use the default NSEC3 settings. */ +zone "nsec3.kasp" { + type primary; + file "nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +zone "nsec3-dynamic.kasp" { + type primary; + file "nsec3-dynamic.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* This zone uses non-default NSEC3 settings. */ +zone "nsec3-other.kasp" { + type primary; + file "nsec3-other.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3-other"; +}; + +/* These zones will be reconfigured to use other NSEC3 settings. */ +zone "nsec3-change.kasp" { + type primary; + file "nsec3-change.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +zone "nsec3-dynamic-change.kasp" { + type primary; + file "nsec3-dynamic-change.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* The zone will be reconfigured to use opt-out. */ +zone "nsec3-to-optout.kasp" { + type primary; + file "nsec3-to-optout.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* The zone will be reconfigured to disable opt-out. */ +zone "nsec3-from-optout.kasp" { + type primary; + file "nsec3-from-optout.kasp.db"; + inline-signing yes; + dnssec-policy "optout"; +}; + +/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ +zone "nsec3-to-nsec.kasp" { + type primary; + file "nsec3-to-nsec.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* The zone fails to load, this should not prevent shutdown. */ +zone "nsec3-fails-to-load.kasp" { + type primary; + file "nsec3-fails-to-load.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* These zones switch from dynamic to inline-signing or vice versa. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +zone "nsec3-inline-to-dynamic.kasp" { + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ +zone "nsec3-dynamic-update-inline.kasp" { + type primary; + file "nsec3-dynamic-update-inline.kasp.db"; + inline-signing yes; + allow-update { any; }; + dnssec-policy "nsec"; +}; + +zone "nsec3-xfr-inline.kasp" { + type secondary; + file "nsec3-xfr-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index de097744ba..74a8924d38 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -13,10 +13,7 @@ // NS3 -dnssec-policy "nsec" { - // no need to change configuration: if no 'nsec3param' is set, - // NSEC will be used; -}; +include "named-fips.conf"; dnssec-policy "rsasha1" { keys { @@ -24,47 +21,6 @@ dnssec-policy "rsasha1" { }; }; -dnssec-policy "nsec3" { - nsec3param; -}; - -dnssec-policy "optout" { - nsec3param optout yes; -}; - -dnssec-policy "nsec3-other" { - nsec3param iterations 11 optout yes salt-length 8; -}; - -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ -zone "nsec-to-nsec3.kasp" { - type primary; - file "nsec-to-nsec3.kasp.db"; - inline-signing yes; - dnssec-policy "nsec"; -}; - /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should work despite the incompatible RSAHSHA1 algorithm, @@ -113,106 +69,3 @@ zone "nsec3-to-rsasha1-ds.kasp" { inline-signing yes; dnssec-policy "nsec3"; }; - - -/* These zones use the default NSEC3 settings. */ -zone "nsec3.kasp" { - type primary; - file "nsec3.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; -}; - -zone "nsec3-dynamic.kasp" { - type primary; - file "nsec3-dynamic.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -/* This zone uses non-default NSEC3 settings. */ -zone "nsec3-other.kasp" { - type primary; - file "nsec3-other.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3-other"; -}; - -/* These zones will be reconfigured to use other NSEC3 settings. */ -zone "nsec3-change.kasp" { - type primary; - file "nsec3-change.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; -}; - -zone "nsec3-dynamic-change.kasp" { - type primary; - file "nsec3-dynamic-change.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -/* The zone will be reconfigured to use opt-out. */ -zone "nsec3-to-optout.kasp" { - type primary; - file "nsec3-to-optout.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; -}; - -/* The zone will be reconfigured to disable opt-out. */ -zone "nsec3-from-optout.kasp" { - type primary; - file "nsec3-from-optout.kasp.db"; - inline-signing yes; - dnssec-policy "optout"; -}; - -/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ -zone "nsec3-to-nsec.kasp" { - type primary; - file "nsec3-to-nsec.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; -}; - -/* The zone fails to load, this should not prevent shutdown. */ -zone "nsec3-fails-to-load.kasp" { - type primary; - file "nsec3-fails-to-load.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -/* These zones switch from dynamic to inline-signing or vice versa. */ -zone "nsec3-dynamic-to-inline.kasp" { - type primary; - file "nsec3-dynamic-to-inline.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -zone "nsec3-inline-to-dynamic.kasp" { - type primary; - file "nsec3-inline-to-dynamic.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; -}; - -/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ -zone "nsec3-dynamic-update-inline.kasp" { - type primary; - file "nsec3-dynamic-update-inline.kasp.db"; - inline-signing yes; - allow-update { any; }; - dnssec-policy "nsec"; -}; - -zone "nsec3-xfr-inline.kasp" { - type secondary; - file "nsec3-xfr-inline.kasp.db"; - inline-signing yes; - dnssec-policy "nsec"; - primaries { 10.53.0.2; }; -}; diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in new file mode 100644 index 0000000000..c5c5ec2969 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in @@ -0,0 +1,153 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +dnssec-policy "nsec" { + // no need to change configuration: if no 'nsec3param' is set, + // NSEC will be used; +}; + +dnssec-policy "nsec3" { + nsec3param; +}; + +dnssec-policy "optout" { + nsec3param optout yes; +}; + +dnssec-policy "nsec3-other" { + nsec3param iterations 11 optout yes salt-length 0; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ +zone "nsec-to-nsec3.kasp" { + type primary; + file "nsec-to-nsec3.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec"; + dnssec-policy "nsec3"; +}; + +/* These zones use the default NSEC3 settings. */ +zone "nsec3.kasp" { + type primary; + file "nsec3.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +zone "nsec3-dynamic.kasp" { + type primary; + file "nsec3-dynamic.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* This zone uses non-default NSEC3 settings. */ +zone "nsec3-other.kasp" { + type primary; + file "nsec3-other.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3-other"; +}; + +/* These zone will be reconfigured to use other NSEC3 settings. */ +zone "nsec3-change.kasp" { + type primary; + file "nsec3-change.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "nsec3-other"; +}; + +zone "nsec3-dynamic-change.kasp" { + type primary; + file "nsec3-dynamic-change.kasp.db"; + //dnssec-policy "nsec3"; + dnssec-policy "nsec3-other"; + allow-update { any; }; +}; + +/* The zone will be reconfigured to use opt-out. */ +zone "nsec3-to-optout.kasp" { + type primary; + file "nsec3-to-optout.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "optout"; +}; + +/* The zone will be reconfigured to disable opt-out. */ +zone "nsec3-from-optout.kasp" { + type primary; + file "nsec3-from-optout.kasp.db"; + inline-signing yes; + //dnssec-policy "optout"; + dnssec-policy "nsec3"; +}; + +/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ +zone "nsec3-to-nsec.kasp" { + type primary; + file "nsec3-to-nsec.kasp.db"; + inline-signing yes; + //dnssec-policy "nsec3"; + dnssec-policy "nsec"; +}; + +/* The zone fails to load, but is fixed after a reload. */ +zone "nsec3-fails-to-load.kasp" { + type primary; + file "nsec3-fails-to-load.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +/* These zones switch from dynamic to inline-signing or vice versa. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +zone "nsec3-inline-to-dynamic.kasp" { + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + inline-signing no; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index 084bba3f0b..81f6c49be1 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -13,10 +13,7 @@ // NS3 -dnssec-policy "nsec" { - // no need to change configuration: if no 'nsec3param' is set, - // NSEC will be used; -}; +include "named-fips.conf"; dnssec-policy "rsasha1" { keys { @@ -24,48 +21,6 @@ dnssec-policy "rsasha1" { }; }; -dnssec-policy "nsec3" { - nsec3param; -}; - -dnssec-policy "optout" { - nsec3param optout yes; -}; - -dnssec-policy "nsec3-other" { - nsec3param iterations 11 optout yes salt-length 0; -}; - -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ -zone "nsec-to-nsec3.kasp" { - type primary; - file "nsec-to-nsec3.kasp.db"; - inline-signing yes; - //dnssec-policy "nsec"; - dnssec-policy "nsec3"; -}; - /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should work despite the incompatible RSAHSHA1 algorithm, @@ -118,95 +73,3 @@ zone "nsec3-to-rsasha1-ds.kasp" { //dnssec-policy "nsec3"; dnssec-policy "rsasha1"; }; - -/* These zones use the default NSEC3 settings. */ -zone "nsec3.kasp" { - type primary; - file "nsec3.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; -}; - -zone "nsec3-dynamic.kasp" { - type primary; - file "nsec3-dynamic.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -/* This zone uses non-default NSEC3 settings. */ -zone "nsec3-other.kasp" { - type primary; - file "nsec3-other.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3-other"; -}; - -/* These zone will be reconfigured to use other NSEC3 settings. */ -zone "nsec3-change.kasp" { - type primary; - file "nsec3-change.kasp.db"; - inline-signing yes; - //dnssec-policy "nsec3"; - dnssec-policy "nsec3-other"; -}; - -zone "nsec3-dynamic-change.kasp" { - type primary; - file "nsec3-dynamic-change.kasp.db"; - //dnssec-policy "nsec3"; - dnssec-policy "nsec3-other"; - allow-update { any; }; -}; - -/* The zone will be reconfigured to use opt-out. */ -zone "nsec3-to-optout.kasp" { - type primary; - file "nsec3-to-optout.kasp.db"; - inline-signing yes; - //dnssec-policy "nsec3"; - dnssec-policy "optout"; -}; - -/* The zone will be reconfigured to disable opt-out. */ -zone "nsec3-from-optout.kasp" { - type primary; - file "nsec3-from-optout.kasp.db"; - inline-signing yes; - //dnssec-policy "optout"; - dnssec-policy "nsec3"; -}; - -/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ -zone "nsec3-to-nsec.kasp" { - type primary; - file "nsec3-to-nsec.kasp.db"; - inline-signing yes; - //dnssec-policy "nsec3"; - dnssec-policy "nsec"; -}; - -/* The zone fails to load, but is fixed after a reload. */ -zone "nsec3-fails-to-load.kasp" { - type primary; - file "nsec3-fails-to-load.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -/* These zones switch from dynamic to inline-signing or vice versa. */ -zone "nsec3-dynamic-to-inline.kasp" { - type primary; - file "nsec3-dynamic-to-inline.kasp.db"; - inline-signing yes; - dnssec-policy "nsec3"; - allow-update { any; }; -}; - -zone "nsec3-inline-to-dynamic.kasp" { - type primary; - file "nsec3-inline-to-dynamic.kasp.db"; - inline-signing no; - dnssec-policy "nsec3"; - allow-update { any; }; -}; diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh index bdd1ae9a81..9124385d52 100644 --- a/bin/tests/system/nsec3/setup.sh +++ b/bin/tests/system/nsec3/setup.sh @@ -23,7 +23,15 @@ copy_setports ns2/named.conf.in ns2/named.conf cd ns2 $SHELL setup.sh ) -copy_setports ns3/named.conf.in ns3/named.conf + +if $FEATURETEST --have-fips-mode +then + copy_setports ns3/named-fips.conf.in ns3/named.conf +else + copy_setports ns3/named-fips.conf.in ns3/named-fips.conf + # includes named-fips.conf + cp ns3/named.conf.in ns3/named.conf +fi ( cd ns3 $SHELL setup.sh diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 9d9fec20bb..70e15d9af7 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -391,7 +391,14 @@ check_nsec # Reconfig named. ret=0 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" -copy_setports ns3/named2.conf.in ns3/named.conf +if $FEATURETEST --have-fips-mode +then + copy_setports ns3/named2-fips.conf.in ns3/named.conf +else + copy_setports ns3/named2-fips.conf.in ns3/named-fips.conf + # includes named-fips.conf + cp ns3/named2.conf.in ns3/named.conf +fi rndc_reconfig ns3 10.53.0.3 # Zone: nsec-to-nsec3.kasp. (reconfigured)