Check nsec3param configuration values

Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt. (cherry picked from commit 7039c5f805)
2020-10-13 17:48:22 +02:00
parent b6cf88333a
commit 2a1793a2be
7 changed files with 177 additions and 6 deletions
--- a/bin/tests/system/checkconf/kasp-bad-keylen.conf
+++ b/bin/tests/system/checkconf/kasp-bad-keylen.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-keylen" {
+	keys {
+		csk lifetime P10Y algorithm rsasha1 511;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "badkeylen";
+};
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha1" {
+	keys {
+		csk lifetime P10Y algorithm rsasha1 1024;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha1-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha1 1024;
+	};
+	nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha256" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 500;
+};
+
+dnssec-policy "rsasha256-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 501;
+};
+
+dnssec-policy "rsasha512" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 2500;
+};
+
+dnssec-policy "rsasha512-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 2501;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "default";
+};
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+	nsec3param salt "pepper";
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "bad-salt";
+};
+
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -510,7 +510,35 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

 n=`expr $n + 1`
-echo_i "checking named-checkconf kasp predefined key lengths ($n)"
+echo_i "checking named-checkconf kasp nsec3 salt errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-salt.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: bad nsec3 salt pepper" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: nsec3 iterations value 501 out of range" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: nsec3 iterations value 2501 out of range" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines != 3 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp key errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp predefined key length ($n)"
 ret=0
 $CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
 grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1