Merge branch '4625-broken-trust-chain-on-corner-case-secure-chain-fixup-keytrap-test-only-v9_18' into 'bind-9.18'
[9.18] Test secure chain that includes inactive KSK See merge request isc-projects/bind9!8850
This commit is contained in:
Matthijs Mekking
@@ -28,6 +28,8 @@ managed. NS ns2.managed.
|
||||
ns2.managed. A 10.53.0.2
|
||||
trusted. NS ns2.trusted.
|
||||
ns2.trusted. A 10.53.0.2
|
||||
lazy-ksk. NS ns2.lazy-ksk.
|
||||
ns2.lazy-ksk. A 10.53.0.2
|
||||
optout-tld NS ns6.optout-tld.
|
||||
ns6.optout-tld. A 10.53.0.6
|
||||
in-addr.arpa. NS ns2.example.
|
||||
|
||||
@@ -29,6 +29,7 @@ echo_i "ns1/sign.sh"
|
||||
cp "../ns2/dsset-example." .
|
||||
cp "../ns2/dsset-in-addr.arpa." .
|
||||
cp "../ns2/dsset-too-many-iterations." .
|
||||
cp "../ns2/dsset-lazy-ksk." .
|
||||
|
||||
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
|
||||
cp "../ns6/dsset-optout-tld." .
|
||||
|
||||
27
bin/tests/system/dnssec/ns2/lazy-ksk.db.in
Normal file
27
bin/tests/system/dnssec/ns2/lazy-ksk.db.in
Normal file
@@ -0,0 +1,27 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 30 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
30 ; minimum (1 hour)
|
||||
)
|
||||
NS ns2
|
||||
ns2 A 10.53.0.2
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
*.a A 10.0.0.3
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
@@ -37,6 +37,13 @@ controls {
|
||||
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
dnssec-policy "dnssec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../_common/root.hint";
|
||||
@@ -202,4 +209,11 @@ zone "too-many-iterations" {
|
||||
file "too-many-iterations.db.signed";
|
||||
};
|
||||
|
||||
zone "lazy-ksk" {
|
||||
type primary;
|
||||
file "lazy-ksk.db";
|
||||
dnssec-policy "dnssec";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
@@ -328,3 +328,44 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
|
||||
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
|
||||
|
||||
#
|
||||
# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
|
||||
#
|
||||
zone=lazy-ksk
|
||||
infile=lazy-ksk.db.in
|
||||
zonefile=lazy-ksk.db
|
||||
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$ksk1.key" "$ksk2.key" "$ksk3.key" "$zsk.key" >"$zonefile"
|
||||
$DSFROMKEY "$ksk1.key" >"dsset-$zone."
|
||||
$DSFROMKEY "$ksk2.key" >>"dsset-$zone."
|
||||
$DSFROMKEY "$ksk3.key" >>"dsset-$zone."
|
||||
# Keep the KSK with the highest key tag
|
||||
id1=$(keyfile_to_key_id "$ksk1")
|
||||
id2=$(keyfile_to_key_id "$ksk2")
|
||||
id3=$(keyfile_to_key_id "$ksk3")
|
||||
if [ $id1 -gt $id2 ]; then
|
||||
if [ $id1 -gt $id3 ]; then
|
||||
rm1="$ksk2"
|
||||
rm2="$ksk3"
|
||||
else # id3 -gt $id1
|
||||
rm1="$ksk2"
|
||||
rm2="$ksk1"
|
||||
fi
|
||||
else # $id2 -gt $id1
|
||||
if [ $id2 -gt $id3 ]; then
|
||||
rm1="$ksk1"
|
||||
rm2="$ksk3"
|
||||
else #id3 -gt $id2
|
||||
rm1="$ksk2"
|
||||
rm2="$ksk1"
|
||||
fi
|
||||
fi
|
||||
|
||||
rm "$rm1.key"
|
||||
rm "$rm1.private"
|
||||
rm "$rm2.key"
|
||||
rm "$rm2.private"
|
||||
|
||||
@@ -3672,6 +3672,18 @@ n=$((n + 1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Check that a query for a domain that has a KSK that is not actively signing
|
||||
# the DNSKEY RRset. This should not result in a broken trust chain if there is
|
||||
# another KSK that is signing the DNSKEY RRset.
|
||||
echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
|
||||
n=$((n + 1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# TODO: test case for GL #1689.
|
||||
# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
|
||||
# we could write a test that signs a zone with supported and unsupported
|
||||
|
||||
Reference in New Issue
Block a user