4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
key as per RFC 7344, Section 4.1. [RT #37215]
(cherry picked from commit 598b502695)
This commit is contained in:
Mark Andrews
@@ -2525,6 +2525,15 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that CDS records are signed using KSK by dnssec-signzone ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
#
|
||||
# Test for +sigchase with a null set of trusted keys.
|
||||
#
|
||||
@@ -2560,6 +2569,57 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that CDS records are signed using KSK by with dnssec-auto ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that a lone non matching CDS record is rejected ($n)"
|
||||
ret=0
|
||||
(
|
||||
echo zone cds-update.secure
|
||||
echo server 10.53.0.2 5300
|
||||
echo update delete cds-update.secure CDS
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure |
|
||||
grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
|
||||
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
|
||||
sed "s/^/update add /"
|
||||
echo send
|
||||
) | $NSUPDATE > nsupdate.out.test$n 2>&1
|
||||
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-10} -eq 0 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that CDS records are signed using KSK when added by nsupdate ($n)"
|
||||
ret=0
|
||||
(
|
||||
echo zone cds-update.secure
|
||||
echo server 10.53.0.2 5300
|
||||
echo update delete cds-update.secure CDS
|
||||
echo send
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure |
|
||||
grep "DNSKEY.257" |
|
||||
$DSFROMKEY -C -f - -T 1 cds-update.secure |
|
||||
sed "s/^/update add /"
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
|
||||
@@ -2572,6 +2632,32 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that a non matching CDS record is accepted with a matching CDS record ($n)"
|
||||
ret=0
|
||||
(
|
||||
echo zone cds-update.secure
|
||||
echo server 10.53.0.2 5300
|
||||
echo update delete cds-update.secure CDS
|
||||
echo send
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure |
|
||||
grep "DNSKEY.257" |
|
||||
$DSFROMKEY -C -f - -T 1 cds-update.secure |
|
||||
sed "s/^/update add /"
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-update.secure |
|
||||
grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
|
||||
$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
|
||||
sed "s/^/update add /"
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 4 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
|
||||
@@ -2582,6 +2668,15 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that CDNSKEY records are signed using KSK by dnssec-signzone ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
|
||||
@@ -2592,6 +2687,15 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that CDNSKEY records are signed using KSK by with dnssec-auto ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that unknown DNSKEY algorithm validates as insecure ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
|
||||
@@ -2603,6 +2707,25 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that a lone non matching CDNSKEY record is rejected ($n)"
|
||||
ret=0
|
||||
(
|
||||
echo zone cdnskey-update.secure
|
||||
echo server 10.53.0.2 5300
|
||||
echo update delete cdnskey-update.secure CDNSKEY
|
||||
echo send
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
|
||||
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
|
||||
echo send
|
||||
) | $NSUPDATE > nsupdate.out.test$n 2>&1
|
||||
grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-10} -eq 0 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
|
||||
@@ -2614,6 +2737,25 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that CDNSKEY records are signed using KSK when added by nsupdate ($n)"
|
||||
ret=0
|
||||
(
|
||||
echo zone cdnskey-update.secure
|
||||
echo server 10.53.0.2 5300
|
||||
echo update delete cdnskey-update.secure CDNSKEY
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
|
||||
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 1 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking initialization with a revoked managed key ($n)"
|
||||
ret=0
|
||||
cp ns5/named2.conf ns5/named.conf
|
||||
@@ -2625,5 +2767,26 @@ n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record ($n)"
|
||||
ret=0
|
||||
(
|
||||
echo zone cdnskey-update.secure
|
||||
echo server 10.53.0.2 5300
|
||||
echo update delete cdnskey-update.secure CDNSKEY
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
|
||||
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
|
||||
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
|
||||
echo send
|
||||
) | $NSUPDATE
|
||||
$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
|
||||
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
|
||||
test ${lines:-0} -eq 2 || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
|
||||
|
||||
Reference in New Issue
Block a user