Warn if multiple keys have same role

Emit a warning if a dnssec-policy has multiple keys configured with the
same algorithm and role.
This commit is contained in:
Matthijs Mekking
2022-05-06 16:08:39 +02:00
parent 51a299d1fd
commit f54dad005e
3 changed files with 85 additions and 3 deletions


@@ -0,0 +1,46 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "warn1" {
keys {
// This policy has keys in the same algorithm with the same
// role, this should trigger a warning.
ksk lifetime unlimited algorithm ecdsa256;
zsk lifetime unlimited algorithm ecdsa256;
zsk lifetime unlimited algorithm ecdsa256;
ksk lifetime unlimited algorithm ecdsa256;
};
};
dnssec-policy "warn2" {
keys {
// This policy has keys in the same algorithm with the same
// role, this should trigger a warning.
csk lifetime unlimited algorithm rsasha256;
ksk lifetime unlimited algorithm rsasha256;
zsk lifetime unlimited algorithm rsasha256;
};
};
zone "warn1.example.net" {
type primary;
file "warn1.example.db";
dnssec-policy "warn1";
};
zone "warn2.example.net" {
type primary;
file "warn2.example.db";
dnssec-policy "warn2";
};
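Review bot: The comment above the "warn2" keys block says the keys share a role, but the three lines below it are one csk, one ksk and one zsk, so the overlap is not visible from the comment alone; presumably the csk is counted toward both the KSK and ZSK role, which is what makes the ksk and zsk lines duplicates. I would make that explicit so a reader does not think the fixture is wrong: `// The csk counts as both KSK and ZSK, so the ksk and zsk below each` / `// duplicate a role in the same algorithm and should trigger a warning.` The "warn1" comment is accurate as written.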


@@ -536,6 +536,19 @@ grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring leng
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp warns about weird policies ($n)"
ret=0
$CHECKCONF kasp-warning.conf > checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
if [ $lines != 4 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
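Review bot: The two grep lines for algorithm 8 check the same "ZSK role" message twice, so the KSK-role warning for algorithm 8 is never asserted directly; only the `lines != 4` count would catch its absence, and that check passes for any four lines of output. The second of the two should read `grep "dnssec-policy: algorithm 8 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1`, matching the KSK/ZSK pair already used for algorithm 13. The fixture's "warn2" policy has a csk, a ksk and a zsk in rsasha256, so both roles are expected to be reported for that algorithm, assuming the csk is counted toward each role.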