Commit Graph

5020 Commits

Author SHA1 Message Date
Mark Andrews
4daa3d6dae keymgr2kasp: use FIPS compliant algorithms and key sizes
migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.

migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.

rsasha256: adjusted minimum key size to 2048 bits.

(cherry picked from commit 048b015166)
2022-10-03 13:28:25 +02:00
Mark Andrews
3d642f46f2 dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys
RSASHA1 is verify only in FIPS mode. Use RSASHA256 instead.

(cherry picked from commit 9c6de6d12d)
2022-10-03 13:28:25 +02:00
Mark Andrews
77e0878444 autosign: use FIPS compatible algorithms and key sizes
The nsec-only.example zone was not converted as we use it to
test nsec-only DNSSEC algorithms to nsec3 conversion failure.
The subtest is skipped in fips mode.

Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.

(cherry picked from commit 99ad09975e)
2022-10-03 13:28:25 +02:00
Mark Andrews
e6d1117891 rsabigexponent: convert the test from RSASHA1 to RSASHA256
RSASHA1 is not supported on some platforms.

(cherry picked from commit 8c3c011860)
2022-10-03 13:28:25 +02:00
Mark Andrews
fe4d8ca7c7 mkeys: use $() instead of back quotes
(cherry picked from commit 0e45a2b02c)
2022-10-03 13:19:35 +02:00
Mark Andrews
4950ab72e8 Upgrade uses of hmac-sha1 to DEFAULT_HMAC
where the test is not hmac-sha1 specific

(cherry picked from commit c533e8bc5b)
2022-10-03 13:19:35 +02:00
Mark Andrews
e8545ad255 zonechecks: use $DEFAULT_ALGORITHM
(cherry picked from commit 459e6980e5)
2022-10-03 13:19:35 +02:00
Mark Andrews
864a2b127a wildcard: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f65c9cf85)
2022-10-03 13:19:34 +02:00
Mark Andrews
76a154d8b1 views: use $DEFAULT_ALGORITHM
(cherry picked from commit 86b29606c3)
2022-10-03 13:19:34 +02:00
Mark Andrews
16c6557aa2 verify: use $DEFAULT_ALGORITHM
(cherry picked from commit 93f7c7cdcd)
2022-10-03 13:19:34 +02:00
Mark Andrews
150ace9801 upforwd: use $DEFAULT_ALGORITHM
(cherry picked from commit 5585909904)
2022-10-03 13:19:34 +02:00
Mark Andrews
516694cd8c unknown: use $DEFAULT_ALGORITHM
(cherry picked from commit 9970d4317d)
2022-10-03 13:19:34 +02:00
Mark Andrews
b8645af516 synthfromdnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit 73fd49f8bb)
2022-10-03 13:19:34 +02:00
Mark Andrews
a2d8660485 staticstub: use $DEFAULT_ALGORITHM
(cherry picked from commit 32337b9dbf)
2022-10-03 13:19:34 +02:00
Mark Andrews
204811ae41 smartsign: use $DEFAULT_ALGORITHM
(cherry picked from commit 941b95edb0)
2022-10-03 13:19:34 +02:00
Mark Andrews
49d8978cb4 rpz: use $DEFAULT_ALGORITHM
(cherry picked from commit 1861c3e503)
2022-10-03 13:19:34 +02:00
Mark Andrews
b26a89df34 rootkeysentinel: use $DEFAULT_ALGORITHM
(cherry picked from commit b0e1d9b1b3)
2022-10-03 13:19:34 +02:00
Mark Andrews
e78c158ba6 resolver: use $DEFAULT_ALGORITHM
(cherry picked from commit 05ef8c81dd)
2022-10-03 13:19:34 +02:00
Mark Andrews
52ce408f0d redirect: use $DEFAULT_ALGORITHM
(cherry picked from commit e0e03602ba)
2022-10-03 13:19:33 +02:00
Mark Andrews
ce8cef8a4b pending: use $DEFAULT_ALGORITHM
(cherry picked from commit 6fd50b9fda)
2022-10-03 13:19:33 +02:00
Mark Andrews
1b94de8d1f nsupdate: use $DEFAULT_ALGORITHM
(cherry picked from commit c2d18567fc)
2022-10-03 13:19:33 +02:00
Mark Andrews
fd8bd94212 mkeys: use $DEFAULT_ALGORITHM
(cherry picked from commit 78fa082999)
2022-10-03 13:19:33 +02:00
Mark Andrews
61cfb9a68e mirror: use $DEFAULT_ALGORITHM
(cherry picked from commit ff95bafa39)
2022-10-03 13:19:33 +02:00
Mark Andrews
17a26bced4 metadata: use $DEFAULT_ALGORITHM
(cherry picked from commit 3f1dc83bfb)
2022-10-03 13:19:33 +02:00
Mark Andrews
6843c764c6 inline: use $DEFAULT_ALGORITHM
(cherry picked from commit e3acddefd1)
2022-10-03 13:19:33 +02:00
Mark Andrews
45c21fd5af dsdigest: use $DEFAULT_ALGORITHM
(cherry picked from commit 49de14cb9e)
2022-10-03 13:19:33 +02:00
Mark Andrews
4ba58611c7 dnssec: use $DEFAULT_ALGORITHM
(cherry picked from commit d0b0139c90)
2022-10-03 13:19:33 +02:00
Mark Andrews
53625cc639 dns64: use $DEFAULT_ALGORITHM
(cherry picked from commit 5cbf1e1598)
2022-10-03 13:19:33 +02:00
Mark Andrews
7cf9e28924 chain: use $DEFAULT_ALGORITHM
(cherry picked from commit 3419178bd2)
2022-10-03 13:19:33 +02:00
Mark Andrews
5f146c76bd cds: use $DEFAULT_ALGORITHM
(cherry picked from commit 6cf0b73ede)
2022-10-03 13:19:33 +02:00
Mark Andrews
1bd3c49454 autosign: use $DEFAULT_ALGORITHM
(cherry picked from commit bb810b0ac9)
2022-10-03 13:19:32 +02:00
Mark Andrews
7f2b46f4e5 Suffix may be used before it is assigned a value
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
        12. invalid_operation: Invalid operation on null-like value suffix.
    145        r.authority.append(
    146            dns.rrset.from_text(
    147                "icky.ptang.zoop.boing." + suffix,
    148                1,
    149                IN,
    150                NS,
    151                "a.bit.longer.ns.name." + suffix,
    152            )
    153        )

(cherry picked from commit 432064f63c)
2022-09-28 11:19:50 +10:00
Mark Andrews
4fc1975709 Check that changing the TSIG key is successful
Switch the primary to require 'next_key' for zone transfers then
update the catalog zone to say to use 'next_key'.  Next update the
zones contents then check that those changes are seen on the
secondary.

(cherry picked from commit 176e172210)
2022-09-27 23:58:22 +10:00
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Matthijs Mekking
d1336d49b3 Update inline system test, zone 'retransfer3.'
The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.

(cherry picked from commit 8b71cbd09c)
2022-09-07 16:30:19 +02:00
Matthijs Mekking
145e888815 Update system tests
Update checkconf and kasp related system tests after requiring
inline-signing.

(cherry picked from commit 8fd75e8a4e1035ce0e81bf47d954a3f5b8a4d571)
2022-09-06 10:27:33 +02:00
Ondřej Surý
104eaf34da Enable the IDNA2003 domain names in the idna system test
Allow the IDNA2003 tests to succeed after the fallback to IDNA2003 was
implemented.

(cherry picked from commit 87de726f5c)
2022-09-05 10:22:23 +02:00
Mark Andrews
69be4d3bdc Improve awk tests to prevent false negatives
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.

(cherry picked from commit 2fc5f6fb2831697c79f75c50a769449ac561aad0)
2022-08-18 13:43:47 +10:00
Mark Andrews
19bf98201b Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py
initalise suffix to ""

    170        r.answer.append(
    171            dns.rrset.from_text(
    172                lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix
    173            )
    174        )
    175        r.flags |= dns.flags.AA
           15. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
    176    elif endswith(lqname, "icky.ptang.zoop.boing."):
           CID 350722 (#7 of 7): Bad use of null-like value (FORWARD_NULL)
           16. invalid_operation: Invalid operation on null-like value suffix.
    177        r.authority.append(
    178            dns.rrset.from_text(
    179                "icky.ptang.zoop.boing." + suffix,
    180                1,
    181                IN,
    182                SOA,
    183                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
    184            )
    185        )

(cherry picked from commit eb798d0478)
2022-07-27 14:27:26 -04:00
Evan Hunt
fb8f102ffc warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
2022-07-22 15:24:34 -07:00
Matthijs Mekking
2022384b8d Test dnssec-policy max-zone-ttl rejects zone with too high TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
2022-07-22 13:39:17 -07:00
Ondřej Surý
c1b8f5f30c Increase the BUFSIZ-long buffers
The BUFSIZ value varies between platforms, it could be 8K on Linux and
512 bytes on mingw.  Make sure the buffers are always big enough for the
output data to prevent truncation of the output by appropriately
enlarging or sizing the buffers.

(cherry picked from commit b19d932262)
2022-07-15 21:21:03 +02:00
Mark Andrews
9980c7be8d kasp: add missing logging during setup
Some zones where not being logged when just DNSSEC keys where being
generated in system test setup phase.  Add logging for these zones.

(cherry picked from commit 04627997eb)
2022-07-14 09:46:16 +10:00
Mark Andrews
5fec2fcbe7 Make "checking revoked key with duplicate key ID" work
There should be 2 keys with the same key id after the numerically
lower one is revoked (serial space arithmetic).  The DS points
at the non-revoked key so validation should still succeed.

(cherry picked from commit 513cb24b55)
2022-07-13 10:58:41 +10:00
Matthijs Mekking
eb7d65b84d Test setting of inline-signing with dnssec-policy
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. Add test cases to verify this.

(cherry picked from commit efa8a4e88d)
2022-07-12 12:48:16 +02:00
Matthijs Mekking
2db23e475b Fix kasp system test bugs
Fix a comment, ensuring the right parameters are used (zone is
parameter $3, not $2) and add view and policy parameters to the comment.

Fix the view tests and test the correct view (example3 instead of
example2).

Fix placement of "n=$((n+1)" for two test cases.

(cherry picked from commit ff65f07779)
2022-07-12 12:48:08 +02:00
Mark Andrews
40c7096caf Add DEFAULT_HMAC to conf.sh.common
(cherry picked from commit 972d7fd682)
(cherry picked from commit ba45075acb)
2022-07-07 15:11:33 +10:00
Mark Andrews
76ed6f32e8 update ifconfig.sh
* make it harder to get the interface numbers wrong by using 'max'
to specify the upper bound of the sequence of interfaces and use 'max'
when calculating the interface number
* extract the platform specific instruction into 'up' and 'down'
and call them from the inner loop so that the interface number is
calculated in one place.
* calculate the A and AAAA address in a single place rather than
in each command
* use /sbin/ipadm on Solaris 2.11 and greater

(cherry picked from commit abfb5b1173)
2022-07-07 10:15:35 +10:00