ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

add support for key algorithm mnemonics in dnssec-policy

Browse Source
This commit is contained in:
Evan Hunt
2020-02-06 12:13:20 -08:00
committed by Matthijs Mekking
parent 8c0db909ee
commit 58aa084edc
12 changed files with 149 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
bin/tests/system/checkconf/bad-kasp-key1.conf Normal file
View File

@@ -0,0 +1,22 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm ceasarscipher;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};

22
bin/tests/system/checkconf/bad-kasp-key2.conf Normal file
View File

@@ -0,0 +1,22 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm 8 4097;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};

22
bin/tests/system/checkconf/bad-kasp-key3.conf Normal file
View File

@@ -0,0 +1,22 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm rsasha512 1023;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};

22
bin/tests/system/checkconf/bad-kasp-key4.conf Normal file
View File

@@ -0,0 +1,22 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "badalg" {
keys {
csk lifetime unlimited algorithm 5 511;
};
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badalg";
};

4
bin/tests/system/checkconf/good-kasp.conf
View File

@@ -17,9 +17,9 @@
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm ecdsa256;
zsk lifetime P30D algorithm 13;
csk key-directory lifetime unlimited algorithm 8 2048;
csk key-directory lifetime unlimited algorithm rsasha256 2048;
};
max-zone-ttl 86400;
parent-ds-ttl 7200;

4
bin/tests/system/checkconf/kasp-ignore-keylen.conf
View File

@@ -12,9 +12,7 @@
dnssec-policy "warn-length" {
keys {
// Algorithm 13 has predefined length, warn about length param.
csk lifetime unlimited algorithm 13 2048;
// Algorithm 5 length out of range, warn about length param.
csk lifetime unlimited algorithm 5 4097;
csk lifetime unlimited algorithm ecdsa256 2048;
};
};

11
bin/tests/system/checkconf/tests.sh
View File

@@ -475,9 +475,9 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp warnings ($n)"
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
@@ -490,11 +490,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp key warnings ($n)"
echo_i "checking named-checkconf kasp predefined key lengths ($n)"
ret=0
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1
grep "dnssec-policy: key algorithm 13 has predefined length, ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: key with algorithm 5 has invalid key length, ignoring length value 4097" < checkconf.out$n > /dev/null || ret=1
$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`