From 333693ddf561049ef97c86b6fbdb4e60e25c0b90 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 11 Jan 2022 18:44:23 +1100
Subject: [PATCH] dnssec: Check validation with short RSA key size
FIPS mode use a pregenerated zone signed with RSASHA1 keys at 1024 bits.
---
 bin/tests/system/dnssec/clean.sh | 8 ++-
 bin/tests/system/dnssec/ns2/example.db.in | 3 +
 bin/tests/system/dnssec/ns2/sign.sh | 2 +-
 bin/tests/system/dnssec/ns3/named.conf.in | 5 ++
 .../system/dnssec/ns3/rsasha1-1024.example.db | 63 +++++++++++++++++++
 .../dnssec/ns3/rsasha1-1024.example.db.in | 27 ++++++++
 .../system/dnssec/ns3/sign-rsasha1-1024.sh | 27 ++++++++
 bin/tests/system/dnssec/ns3/sign.sh | 5 ++
 bin/tests/system/dnssec/tests.sh | 11 ++++
 9 files changed, 147 insertions(+), 4 deletions(-)
 create mode 100644 bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
 create mode 100644 bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in
 create mode 100644 bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 738fa3c387..8fcee1ace8 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -27,7 +27,6 @@ rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
-rm -f ./ns2/too-many-iterations.db
 rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
@@ -54,7 +53,9 @@ rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
 rm -f ./ns2/in-addr.arpa.db
 rm -f ./ns2/nsec3chain-test.db
 rm -f ./ns2/single-nsec3.db
+rm -f ./ns2/too-many-iterations.db
 rm -f ./ns2/updatecheck-kskonly.secure.*
+rm -f ./ns3/NSEC ./ns3/NSEC3
 rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
 rm -f ./ns3/badds.example.db
 rm -f ./ns3/dname-at-apex-nsec3.example.db
@@ -83,6 +84,8 @@ rm -f ./ns3/optout.nsec3.example.db
 rm -f ./ns3/optout.optout.example.db
 rm -f ./ns3/publish-inactive.example.db
 rm -f ./ns3/revkey.example.db
+rm -f ./ns3/rsasha1-1024.example.tmp
+rm -f ./ns3/rsasha1.example.tmp
 rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
 rm -f ./ns3/secure.below-cname.example.db
 rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
@@ -96,7 +99,6 @@ rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
 rm -f ./ns3/ttlpatch.example.db.patched
 rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
 rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
-rm -f ./ns3/NSEC ./ns3/NSEC3
 rm -f ./ns4/named_dump.db*
 rm -f ./ns6/optout-tld.db
 rm -f ./ns7/multiple.example.bk ./ns7/nsec3.example.bk ./ns7/optout.example.bk
@@ -109,9 +111,9 @@ rm -f ./signer/*.signed.post*
 rm -f ./signer/*.signed.pre*
 rm -f ./signer/example.db.after ./signer/example.db.before
 rm -f ./signer/example.db.changed
+rm -f ./signer/general/*.jnl
 rm -f ./signer/general/dsset*
 rm -f ./signer/general/signed.zone
-rm -f ./signer/general/*.jnl
 rm -f ./signer/general/signer.err.*
 rm -f ./signer/general/signer.out.*
 rm -f ./signer/nsec3param.out
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 767462b8e8..015be5fd1d 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -171,4 +171,7 @@ ns.revkey A 10.53.0.3
 rsasha1 NS ns.rsasha1
 ns.rsasha1 A 10.53.0.3
+rsasha1-1024 NS ns.rsasha1-1024
+ns.rsasha1-1024 A 10.53.0.3
+
 dname-at-apex-nsec3 NS ns3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 2e91369287..87a5896d76 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -63,7 +63,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
 ttlpatch split-dnssec split-smart expired expiring upper lower \
 dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
 dnskey-nsec3-unknown managed-future revkey \
- dname-at-apex-nsec3 occluded rsasha1
+ dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024
 do
 cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 367b45a24f..afca54747d 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -383,6 +383,11 @@ zone "rsasha1.example" {
 file "rsasha1.example.db";
 };
+zone "rsasha1-1024.example" {
+ type primary;
+ file "rsasha1-1024.example.db";
+};
+
 include "siginterval.conf";
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
new file mode 100644
index 0000000000..d51672c03c
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db
@@ -0,0 +1,63 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; File written on Tue Jan 11 18:07:57 2022 +; dnssec_signzone version 9.17.21 +rsasha1-1024.example. 300 IN SOA mname1. . 2000042407 20 20 1814400 3600 +rsasha1-1024.example. 300 IN RRSIG SOA 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. kM6ztqAaLkxcRxYWrw2oe3qofzoIRjDv/tLD/A5edreqzzwj7H6Ihm0s JHfzqVOWBTwYzX0XgD0PXCqMdkXP7QlcWGYK7uCWnisayZIwNCdkywPC sS2ky1d0eK1A7kJ9nEH/eOgLba5uFZcAo8+9dD/6o6Rt1jTeTQkL4RHI UC8= +; resign=20900129082204 +rsasha1-1024.example. 300 IN NS ns.rsasha1-1024.example. +rsasha1-1024.example. 300 IN RRSIG NS 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. jxbsZlgK4B6IkCrZuNDVv/EIqgCU8pTOyWEt2DqvzRI8AeL3I+U9Nbcz 9gmQRaNEtffLVR/sfht6v1ms4AFJKd0xLSZj9ywsZKCmG12UxfNIoZ49 4d1ono8hGYU8xr1Qh1BU2HwgGY1JF4OyO28cgrkT2F9dAvG8MSMEW5Sg 9A8= +; resign=20900129082204 +rsasha1-1024.example. 300 IN NSEC a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY +rsasha1-1024.example. 300 IN RRSIG NSEC 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. AfEX9beXrft4d1moQD1VP3Em9cMgJmx2EYBKMlW5e5XFNk2Z5Wj1N//3 sBuUPNppxUilUEydqH5psVw7IMhrz8Q1+bhABNV7cPm1EOuq0NuQJ2LN JNlTnjfaRT6IAtY7d+NOCO2eKlDzMC/q8t2oaB+iHhgO7yc5+fxMGyQ/ PVc= +; resign=20900129082204 +rsasha1-1024.example. 300 IN DNSKEY 256 3 5 AwEAAaYD3SqsLtFHSfDhA8HhNKQJOToRptRmFhsYbqre+lq/BLpLQNkA 7Kq+chsUhOe+8OHMfkNXfr3XFyuUA3rBg15kq57NZ5gLzkHyeGqB9Ths M5pdwDCqPjJKP43W2+EXXHWsg5P94yldWcvMx1v80vrxGvUimfiQSznE hok/6oqR +rsasha1-1024.example. 
300 IN DNSKEY 257 3 5 AwEAAeEe/ohrvXtDqYgrz5Q1WAKRstnnH0xi/4Mne49PLO56TcVPf6sg xpv/SaHSlQGJnVbQBLebPemKDAC1vVOUqdTDxHJbLuO28brIWMzf0pc1 5G2RNtrQf44E4yaibSROhyBmWoerUHTPGJw6BGDI4fb/CVWujFQ1ieBy WC0p1NWH +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. nBLPJfoZe4G3wOe17bBSMooRZHe523pjdaTAK2PmXEa8exXH+OWCHh7f Jnh/SI89Hp9a2ru1Skze3FcUcTj/SlwtEuWpxOs9B1R29P1xVPCwkAfb xsmtmE6u5+oeLGrt88zA/kpjx6t0sFbU7A8/qxlpuoH+hdAu1jI2tlP4 d30= +rsasha1-1024.example. 300 IN RRSIG DNSKEY 5 2 300 20900129082204 20220111060757 1151 rsasha1-1024.example. 0oNrcBsFySVjBT60SX3m7cKIPmuCOUH0ZFucrmEVXJLGpNOXe37aXbnC Iz+NHcaaeZQP/w4aYSTyQvZs6Vl5Tufeic3SWalzTGv0f01mIIk24v1a h4ePUB8w0b0+/qq89zl6Ccr2/PgTaLvjuSGYcgX15cigqPRcKQNYCwO1 Vsk= +; resign=20900129082204 +z.rsasha1-1024.example. 300 IN A 10.0.0.26 +z.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Zf/ynA7APXpNjcMPusIjRan0/ITLmeeY7GJfhCLeD3lEjnAd7dWRl7sC N5sBzUG78Mtgm39Ov/Kj2EwQjFcwcMUmppan3NzS+1YtYuZqlN9iAW+b UUfv8UQUHvM3x/hW4kNCPd2PHIzV2uedIp7VG3Lz72FvjHxECbI7g79V 18c= +; resign=20900129082204 +z.rsasha1-1024.example. 300 IN NSEC rsasha1-1024.example. A RRSIG NSEC +z.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. FPlYMJ41r79tkhIkDTX9/uVtcKXfHa+5oXb8fdo7/2CugjBfp5uihn57 3gMmY7Mi2aVsW64hRkehPJr+sTUOk5+ILhO2Qhjdrm2DpHgeSK29BTQr Okn9ruvpLhRFHwI/DllnKvBOyCmKSzJZE7PDOrqouGclNue07IXz+K2R bME= +; resign=20900129082204 +b.rsasha1-1024.example. 300 IN A 10.0.0.2 +b.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. gQmhCIwai57iscF2s5CJ5DbSy0Z9TiOWYGeFeZITxQ/koFOOjyuZXAZn 6f7mTUcFPhNm4AT/PJAs/L/tzcE16pcVwwDnHszdY28XwEU6OqaXUB3E T/Qu4Sh0BWet9U6JcSSqLG5317qJxqSGfnIJOXMucYi3MH3W8uSpapr+ 4Qk= +; resign=20900129082204 +b.rsasha1-1024.example. 300 IN NSEC d.rsasha1-1024.example. A RRSIG NSEC +b.rsasha1-1024.example. 
300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Do6VghMEcHk35Q7fI2VrrQBYhChT4pnw791qUFhHZeol5fIKtEnrlviA RN2fbEY+7OrQQXo7Ywxo7nTD9sYsFgOwGKqKJ+yLNPcr++0csbkgt5rU ch1Lv+t7jOUuUX8IzgjOoCH5j9eoU5QtGkEBxf6z0nvlsLJaTWwTqvbr 7aU= +; resign=20900129082204 +a.rsasha1-1024.example. 300 IN A 10.0.0.1 +a.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. CaPXSTPLNeQ4MyRylYP/Ztb6kRT9/QdgpTnZxUHCjSdWEBXsrkEr55/z dBSQ8zGGOfCxlOkmgH/UrR7JmHTQrIqsb/iVq+6D0mfvNJDyNpT92bo8 r+C62/9NXLlkS5zcpyNG8Ls66EQ7dcFa6SxwdxF1qaoeBjJvkrGUMnzP UFo= +; resign=20900129082204 +a.rsasha1-1024.example. 300 IN NSEC b.rsasha1-1024.example. A RRSIG NSEC +a.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. DJlfCVMSPZ6KUIUhWUBt7LOCB8vBbxOFaR4PoHs/fLpGBWrQj46sjLKO W/TImquBg3ygYTOIyWEzVb177HryRmx65AKnfGLbzaTdTgHzcELwg88t EYFT4ODalqTn68o2RfWtNl95FNqJR/kguxxzFVgpN4zfGKXdhTWAA4JW zG0= +; resign=20900129082204 +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN A 10.0.0.27 +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG A 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. PVFCHIXgDCZOHsTsr3G9wMnPPmiY4CfOXC3b1ZF2qEDqloIT+YX5oKKE uiT6fCBteS6Cq8XTXdezXjqTqxrdY4qMMOBDnIZhf8eOxjFzMEUKKZuH 9c5rt8u35TihuIdKv9OPXdWuTJ4dVSEZjNNxvh3VoMW6XFagYmu3f8Gr 0rg= +; resign=20900129082204 +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN NSEC ns.rsasha1-1024.example. A RRSIG NSEC +a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. 300 IN RRSIG NSEC 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. VOOEksRwMWNO2ESMrcMyPFAHuXyYgeLVODy46DwDx8PTli3/UwOH1e3l qd3Poh2K/OFP2v8TuzkXXnPW48Lg90haHtG9yLr5UUNoKntmBC9PFeqt P/qdOBiHszvcyyjJ4gabEX2gn+o/sL/klQV4m3mB4Vf5sg2dfX8Qyuw6 nDQ= +; resign=20900129082204 +d.rsasha1-1024.example. 300 IN A 10.0.0.4 +d.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. 
XcxbM4wA+yTOAwPePwRIg6E58HuMr5qIkdghNn/R5ck1JdirLbMB/Wpp Si+5a4q9F02Bs8uZv2YXtXRIa32i1/L6OPeU3RFQfvkpHbQNTvPtsuAL bmFGB/zdR6XQpqC6G+ip9qY+mk2hXwCZZ24NW90O9qYlE8Rp145/dIVM DPo= +; resign=20900129082204 +d.rsasha1-1024.example. 300 IN NSEC a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. A RRSIG NSEC +d.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. fmBjPGTNWOXAs51XO1fIRCKAbf9TLTV04TmlgLm50oOouEXsXpwKo6tb MbCGI2f+u986mtzLW4gWY+rcAPrMCndu5BPIYPk/Ngd6zqylWJzAfKyg PIqO0lf6jg0J3FfP39fw9bf+xB+AI1PWBrVZ55LotBYgIBZYhQ1LKPZ2 iyU= +; resign=20900129082204 +ns.rsasha1-1024.example. 300 IN A 10.53.0.3 +ns.rsasha1-1024.example. 300 IN RRSIG A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. beHl0WxLgPYkzKs/tdQnphXDzHx6FqdQRlVtJIYHGoWmWe4X6JWg4ENB a0xPeOGFQPBMgNuKbwyjAVmX0B3Su4LiBM7GcmfJbd4YRNCa4hQvhDpG o5A54Pxo2Qdo9Cffhzva5z4iO+DNnmBsfKGPna4sO2lRNfIxXlxCTbnE zps= +; resign=20900129082204 +ns.rsasha1-1024.example. 300 IN NSEC z.rsasha1-1024.example. A RRSIG NSEC +ns.rsasha1-1024.example. 300 IN RRSIG NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. aZTImJ5QFufIQEIuX+5ZYVW2Yq4ctxeX9zm9yrQaUODvVRm3X3WjncrU hkgDaW3a/j8RRG0cdAnzSWCzIMz0Yv4kWxrxCEJyIgmVUQ3fzxzpGwMF ZwCtNb9aWmImcAugTnjocn5+iCiyTEVipZmTASEyN0Bgp5Q4oFChnzIj kjk= +; resign=20900129082204 diff --git a/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in new file mode 100644 index 0000000000..b2e7e21e20 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in 
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
diff --git a/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
new file mode 100644
index 0000000000..59d152926f
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -ef
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# RSASHA1 is validate only in FIPS mode so we need to have a pre-signed
+# version of the zone to test with in FIPS mode. This requires a non
+# FIPS build which supports RSASHA1 to be used to generate it.
+
+. ../../conf.sh
+
+zone=rsasha1-1024.example
+k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone)
+k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone)
+cat $zone.db.in $k1.key $k2.key > $zone.tmp
+# use maximum expirey period (-e 2^31-1-3600)
+# use output format full for easy extraction of KSK (-O full)
+"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
+rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 2ec997a26a..701cd97ba3 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -684,3 +684,8 @@ zone=rsasha1.example
 zonefile=rsasha1.example.db
 awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" |
 $DSFROMKEY -f - "$zone" > "dsset-${zone}."
+
+zone=rsasha1-1024.example
+zonefile=rsasha1-1024.example.db
+awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" |
+$DSFROMKEY -f - "$zone" > "dsset-${zone}."
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index b826c15826..4a04e98a7d 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
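Review bot: The options in `#!/bin/sh -ef` on the first line of sign-rsasha1-1024.sh only apply when the script is executed directly; invoked as `sh sign-rsasha1-1024.sh` they are dropped, so a failed `dnssec-keygen` would leave `$k1`/`$k2` empty and the `cat`, `dnssec-signzone` and final `rm -f` lines would still be attempted. Replacing the shebang with `#!/bin/sh` followed by `set -ef` on its own line keeps the fail-fast behaviour in both cases. The header comment reads awkwardly and could be `# RSASHA1 is validate-only in FIPS mode, so a pre-signed copy of the zone is needed for FIPS-mode testing; generating it requires a non-FIPS build that supports RSASHA1.`, and `expirey` in the `-e` comment should be `expiry`. Since the `.key`/`.private` files are removed on the last line, it is worth stating in that comment that the committed `rsasha1-1024.example.db` (RRSIGs expiring in 2090) is the only artefact and that rerunning this script produces a zone with new key tags and signatures.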
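Review bot: The new stanza at the end of ns3/sign.sh is the only one whose zone file is not produced by this script: `rsasha1-1024.example.db` is the committed pre-signed zone, and the `$5 == 257` awk filter relies on that file having been written with `-O full` (owner, TTL, class, type, flags in fields 1–5). A one-line comment above `zone=rsasha1-1024.example` would save the next reader from looking for the signing step here: `# rsasha1-1024.example.db is pre-signed (see sign-rsasha1-1024.sh); only the DS set is derived here.` If sign.sh runs under `set -e` without pipefail, an awk failure (for example a missing zone file) would not stop the script, though the preceding rsasha1 stanza has the same shape, so this is pre-existing style rather than new risk.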
@@ -1111,6 +1111,17 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Should work with FIPS mode as we are only validating
+echo_i "checking positive validation RSASHA1 (1024 bits) NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "checking positive validation RSASHA256 NSEC ($n)"
 ret=0
 dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
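Review bot: The comment `# Should work with FIPS mode as we are only validating` above the new test does not say what the check guards against; the point of the case is that a validator must still accept signatures made with a 1024-bit RSASHA1 key even where FIPS mode refuses to generate them, so a comment such as `# RSASHA1 with a 1024-bit key cannot be used to sign in FIPS mode, but validating existing signatures must still work; the zone is pre-signed (ns3/sign-rsasha1-1024.sh).` would make the intent explicit. The assertions themselves mirror the neighbouring RSASHA256 case (`digcomp` plus the `ad` flag grep), so a resolver that treated the key as unsupported would fall back to insecure and fail the `grep`. If this is expected to hold on FIPS builds, it is worth confirming that the crypto provider in use permits RSA signature verification below 2048 bits, since that is provider policy rather than something this test controls.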