Commit Graph

10338 Commits

Author SHA1 Message Date
Mark Andrews
4daa3d6dae keymgr2kasp: use FIPS compliant algorithms and key sizes
migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.

migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.

rsasha256: adjusted minimum key size to 2048 bits.

(cherry picked from commit 048b015166)
2022-10-03 13:28:25 +02:00
Mark Andrews
3d642f46f2 dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys
RSASHA1 is verify only in FIPS mode. Use RSASHA256 instead.

(cherry picked from commit 9c6de6d12d)
2022-10-03 13:28:25 +02:00
Mark Andrews
77e0878444 autosign: use FIPS compatible algorithms and key sizes
The nsec-only.example zone was not converted as we use it to
test nsec-only DNSSEC algorithms to nsec3 conversion failure.
The subtest is skipped in fips mode.

Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.

(cherry picked from commit 99ad09975e)
2022-10-03 13:28:25 +02:00
Mark Andrews
e6d1117891 rsabigexponent: convert the test from RSASHA1 to RSASHA256
RSASHA1 is not supported on some platforms.

(cherry picked from commit 8c3c011860)
2022-10-03 13:28:25 +02:00
Mark Andrews
fe4d8ca7c7 mkeys: use $() instead of back quotes
(cherry picked from commit 0e45a2b02c)
2022-10-03 13:19:35 +02:00
Mark Andrews
4950ab72e8 Upgrade uses of hmac-sha1 to DEFAULT_HMAC
where the test is not hmac-sha1 specific

(cherry picked from commit c533e8bc5b)
2022-10-03 13:19:35 +02:00
Mark Andrews
e8545ad255 zonechecks: use $DEFAULT_ALGORITHM
(cherry picked from commit 459e6980e5)
2022-10-03 13:19:35 +02:00
Mark Andrews
864a2b127a wildcard: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f65c9cf85)
2022-10-03 13:19:34 +02:00
Mark Andrews
76a154d8b1 views: use $DEFAULT_ALGORITHM
(cherry picked from commit 86b29606c3)
2022-10-03 13:19:34 +02:00
Mark Andrews
16c6557aa2 verify: use $DEFAULT_ALGORITHM
(cherry picked from commit 93f7c7cdcd)
2022-10-03 13:19:34 +02:00
Mark Andrews
150ace9801 upforwd: use $DEFAULT_ALGORITHM
(cherry picked from commit 5585909904)
2022-10-03 13:19:34 +02:00
Mark Andrews
516694cd8c unknown: use $DEFAULT_ALGORITHM
(cherry picked from commit 9970d4317d)
2022-10-03 13:19:34 +02:00
Mark Andrews
b8645af516 synthfromdnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit 73fd49f8bb)
2022-10-03 13:19:34 +02:00
Mark Andrews
a2d8660485 staticstub: use $DEFAULT_ALGORITHM
(cherry picked from commit 32337b9dbf)
2022-10-03 13:19:34 +02:00
Mark Andrews
204811ae41 smartsign: use $DEFAULT_ALGORITHM
(cherry picked from commit 941b95edb0)
2022-10-03 13:19:34 +02:00
Mark Andrews
49d8978cb4 rpz: use $DEFAULT_ALGORITHM
(cherry picked from commit 1861c3e503)
2022-10-03 13:19:34 +02:00
Mark Andrews
b26a89df34 rootkeysentinel: use $DEFAULT_ALGORITHM
(cherry picked from commit b0e1d9b1b3)
2022-10-03 13:19:34 +02:00
Mark Andrews
e78c158ba6 resolver: use $DEFAULT_ALGORITHM
(cherry picked from commit 05ef8c81dd)
2022-10-03 13:19:34 +02:00
Mark Andrews
52ce408f0d redirect: use $DEFAULT_ALGORITHM
(cherry picked from commit e0e03602ba)
2022-10-03 13:19:33 +02:00
Mark Andrews
ce8cef8a4b pending: use $DEFAULT_ALGORITHM
(cherry picked from commit 6fd50b9fda)
2022-10-03 13:19:33 +02:00
Mark Andrews
1b94de8d1f nsupdate: use $DEFAULT_ALGORITHM
(cherry picked from commit c2d18567fc)
2022-10-03 13:19:33 +02:00
Mark Andrews
fd8bd94212 mkeys: use $DEFAULT_ALGORITHM
(cherry picked from commit 78fa082999)
2022-10-03 13:19:33 +02:00
Mark Andrews
61cfb9a68e mirror: use $DEFAULT_ALGORITHM
(cherry picked from commit ff95bafa39)
2022-10-03 13:19:33 +02:00
Mark Andrews
17a26bced4 metadata: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f1dc83bfb)
2022-10-03 13:19:33 +02:00
Mark Andrews
6843c764c6 inline: use $DEFAULT_ALGORITHM
(cherry picked from commit e3acddefd1)
2022-10-03 13:19:33 +02:00
Mark Andrews
45c21fd5af dsdigest: use $DEFAULT_ALGORITHM
(cherry picked from commit 49de14cb9e)
2022-10-03 13:19:33 +02:00
Mark Andrews
4ba58611c7 dnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit d0b0139c90)
2022-10-03 13:19:33 +02:00
Mark Andrews
53625cc639 dns64: use $DEFAULT_ALGORITHM
(cherry picked from commit 5cbf1e1598)
2022-10-03 13:19:33 +02:00
Mark Andrews
7cf9e28924 chain: use $DEFAULT_ALGORITHM
(cherry picked from commit 3419178bd2)
2022-10-03 13:19:33 +02:00
Mark Andrews
5f146c76bd cds: use $DEFAULT_ALGORITHM
(cherry picked from commit 6cf0b73ede)
2022-10-03 13:19:33 +02:00
Mark Andrews
1bd3c49454 autosign: use $DEFAULT_ALGORITHM
(cherry picked from commit bb810b0ac9)
2022-10-03 13:19:32 +02:00
Petr Špaček
2c09403ab4 Document list of crypto algorithms in named -V output
(cherry picked from commit c648e280e4)
2022-09-30 09:57:32 +10:00
Mark Andrews
e8439121ad Deduplicate string formating
(cherry picked from commit d34ecdb366)
2022-09-30 09:57:32 +10:00
Mark Andrews
21d4befe09 silence scan-build false positive
(cherry picked from commit 3156d36495)
2022-09-30 09:57:32 +10:00
Mark Andrews
3265fc496e Report algorithms supported by named at startup
(cherry picked from commit cb1515e71f)
2022-09-30 09:57:32 +10:00
Mark Andrews
989811b6d9 Have 'named -V' report supported algorithms
These cover DNSSEC, DS, HMAC and TKEY algorithms.

(cherry picked from commit b308f866c0)
2022-09-30 09:57:32 +10:00
Mark Andrews
7f2b46f4e5 Suffix may be used before it is assigned a value
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
        12. invalid_operation: Invalid operation on null-like value suffix.
    145        r.authority.append(
    146            dns.rrset.from_text(
    147                "icky.ptang.zoop.boing." + suffix,
    148                1,
    149                IN,
    150                NS,
    151                "a.bit.longer.ns.name." + suffix,
    152            )
    153        )

(cherry picked from commit 432064f63c)
2022-09-28 11:19:50 +10:00
Mark Andrews
4fc1975709 Check that changing the TSIG key is successful
Switch the primary to require 'next_key' for zone transfers then
update the catalog zone to say to use 'next_key'.  Next update the
zones contents then check that those changes are seen on the
secondary.

(cherry picked from commit 176e172210)
2022-09-27 23:58:22 +10:00
Michał Kępień
fe0b04d8d3 Fix the description of named's -n option
Since the advent of netmgr, named no longer creates a single thread per
CPU, but rather a set of two threads per CPU.  Update the man page for
named accordingly to prevent confusion.
2022-09-21 19:47:13 +02:00
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Tony Finch
dff843199f Ensure that named_server_t is properly initialized
There was a ubsan error reporting an invalid value for interface_auto
(a boolean value cannot be 190) because it was not initialized. To
avoid this problem happening again, ensure the whole of the server
structure is initialized to zero before setting the (relatively few)
non-zero elements.
2022-09-12 11:21:37 +01:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Matthijs Mekking
d1336d49b3 Update inline system test, zone 'retransfer3.'
The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.

(cherry picked from commit 8b71cbd09c)
2022-09-07 16:30:19 +02:00
Aram Sargsyan
8b328f0049 Do not use libxml2 deprecated functions
The usage of xmlInitThreads() and xmlCleanupThreads() functions in
libxml2 is now marked as deprecated, and these functions will be made
private in the future.

Use xmlInitParser() and xmlCleanupParser() instead of them.

(cherry picked from commit a5d412d924)
2022-09-06 09:22:35 +00:00
Matthijs Mekking
bc9c65f465 Remove implicit inline-signing code
Remove the code that sets implicit inline-signing on zones using
dnssec-policy.

(cherry picked from commit a6b09c9c69186e81a9be54e8b7bb413b1ac4d650)
2022-09-06 10:27:33 +02:00
Matthijs Mekking
145e888815 Update system tests
Update checkconf and kasp related system tests after requiring
inline-signing.

(cherry picked from commit 8fd75e8a4e1035ce0e81bf47d954a3f5b8a4d571)
2022-09-06 10:27:33 +02:00
Ondřej Surý
104eaf34da Enable the IDNA2003 domain names in the idna system test
Allow the IDNA2003 tests to succeed after the fallback to IDNA2003 was
implemented.

(cherry picked from commit 87de726f5c)
2022-09-05 10:22:23 +02:00
Ondřej Surý
efbdf81931 Allow fallback to IDNA2003 processing
In several cases where IDNA2008 mappings do not exist whereas IDNA2003
mappings do, dig was failing to process the suplied domain name.  Take a
backwards compatible approach, and convert the domain to IDNA2008 form,
and if that fails try the IDNA2003 conversion.

(cherry picked from commit 10923f9d87)
2022-09-05 10:21:36 +02:00
Evan Hunt
28640e37d8 quote addresses in YAML output
YAML strings should be quoted if they contain colon characters.
Since IPv6 addresses do, we now quote the query_address and
response_address strings in all YAML output.

(cherry picked from commit 66eaf6bb73)
2022-08-31 16:18:57 -07:00