Commit Graph
509 Commits
Author SHA1 Message Date
Mark Andrews 701ad350f8 Check dig's exist status 2023-09-06 01:03:11 +00:00
Matthijs Mekking 042c89ac69 Obsolete dnssec-update-mode
We no longer support 'no-resign' and thus the configuration option
becomes obsolete. Remove the corresponding dnssec system test cases.
2023-07-20 12:44:19 +02:00
Matthijs Mekking 88a687106f Obsolete sig-validity-interval dnskey-sig-validity
These two configuration options worked in conjunction with 'auto-dnssec'
to set the signature validity, and thus are now obsoleted.
2023-07-20 11:04:24 +02:00
Matthijs Mekking d3bf732697 Update dnssec system test
The dnssec system test has some tests that use auto-dnssec. Update
these tests to make use of dnssec-policy.

Remove any 'rndc signing -nsec3param' commands because with
dnssec-policy you set the NSEC3 parameters in the configuration.

Remove now duplicate tests that checked if CDS and CDNSKEY RRsets
are signed with KSK only (the dnssec-dnskey-kskonly option worked
in combination with auto-dnssec).

Also remove the publish-inactive.example test case because such
use cases are no longer supported (only with manual signing).

The auto-nsec and auto-nsec3 zones need to use an alternative
algorithm because duplicate lines in dnssec-policy/keys are ignored.
2023-07-20 11:04:23 +02:00
Matthijs Mekking 2152d06c8e Don't add signing records for dyn update DNSKEY
We removed DNSSEC management via dynamic update (see issue #3686),
this means we also should no longer add signing records (of private
type) for DNSKEY records added via dynamic update.
2023-07-18 15:38:53 +02:00
Tom Krizek 837c190d9e Make $? compatible with set -e in system tests
Ensure handling of return code from previous command doesn't cause the
script to halt if that code is non-zero when running with `set -e`.
2023-07-14 15:49:15 +02:00
Tom Krizek 01bc805f89 Run system tests with set -e
Ensure all shell system tests are executed with the errexit option set.
This prevents unchecked return codes from commands in the test from
interfering with the tests, since any failures need to be handled
explicitly.
2023-07-14 15:07:25 +02:00
Tom Krizek 06056c44a7 Fix checking for executables in shell conditions in tests
Surround the variables which are checked whether they're executable in
double quotes. Without them, empty paths won't be properly interpreted
as not executable.
2023-06-29 10:35:47 +02:00
Mark Andrews 3f93d3f757 Restore the ability to read legacy K*+157+* files
The ability to read legacy HMAC-MD5 K* keyfile pairs using algorithm
number 157 was accidentally lost when the algorithm numbers were
consolidated into a single block, in commit
09f7e0607a.

The assumption was that these algorithm numbers were only known
internally, but they were also used in key files. But since HMAC-MD5
got renumbered from 157 to 160, legacy HMAC-MD5 key files no longer
work.

Move HMAC-MD5 back to 157 and GSSAPI back to 160.  Add exception for
GSSAPI to list_hmac_algorithms.
2023-06-29 08:28:44 +10:00
Evan Hunt 0b09ee8cdc explicitly set dnssec-validation in system tests
the default value of dnssec-validation is 'auto', which causes
a server to send a key refresh query to the root zone when starting
up. this is undesirable behavior in system tests, so this commit
sets dnssec-validation to either 'yes' or 'no' in all tests where
it had not previously been set.

this change had the mostly-harmless side effect of changing the cached
trust level of unvalidated answer data from 'answer' to 'authanswer',
which caused a few test cases in which dumped cache data was examined in
the serve-stale system test to fail. those test cases have now been
updated to expect 'authanswer'.
2023-06-26 13:41:56 -07:00
Matthijs Mekking 7ab3bfd596 Fix dnssec system test
The 'update-nsec3.example' requires to be DNSSEC maintained via
dynamic update. Commit 03b22983cd20cec51ad8b9f25f2e7d0e472dc79c adds
checks to make sure the raw zone is not signed. So the test case neesd
to be updated to allow for DNSSEC maintenance.
2023-05-23 08:53:23 +02:00
Tom Krizek 2f5bf6d971 Add pytest functions for shell system tests
In order to run the shell system tests, the pytest runner has to pick
them up somehow. Adding an extra python file with a single function
for the shell tests for each system test proved to be the most
compatible way of running the shell tests across older pytest/xdist
versions.

Modify the legacy run.sh script to ignore these pytest-runner specific
glue files when executing tests written in pytest.
2023-05-22 14:11:39 +02:00
Mark Andrews d360d8af8f Let RSASHA1 signing keys be ignored in FIPS mode
When the FIPS provider is available, RSASHA1 signing keys for zone
"example.com." are ignored if the zone is attempted to be signed with
the dnssec-signzone "-F" (FIPS mode) option:

    "fatal: No signing keys specified or found"
2023-05-17 23:51:39 +00:00
Mark Andrews b82811d0b5 check that 'dnssec-signzone -F' fails for rsasha1 2023-04-03 12:44:27 +10:00
Mark Andrews 530142b2a1 dnssec: check that dnssec-signzone -F work with allowed algorithm 2023-04-03 12:44:27 +10:00
Mark Andrews 78764f99ca dnssec: test dnssec-keygen -F switches to FIPS mode 2023-04-03 12:44:27 +10:00
Mark Andrews ba6ee5af50 dnssec: check if RSASHA1 is supported by the OS
If not skip RSASHA1 based system tests which are supposed to succeed
even in FIPS mode.
2023-04-03 12:44:27 +10:00
Mark Andrews 333693ddf5 dnssec: Check validation with short RSA key size FIPS mode
use a pregenerated zone signed with RSASHA1 keys at 1024 bits.
2023-04-03 12:44:27 +10:00
Mark Andrews ed7750be56 dnssec: Check that RSASHA1 still validates in FIPS mode
Add a pregenerated RSASHA1 signed zone and verify that
answers still validate.
2023-04-03 12:44:27 +10:00
Mark Andrews ae1109f321 dnssec: use FIPS compatible algorithms and key sizes
RSASHA1 is verify only in FIPS mode.  Use RSASHA256 instead with
key of at least 2048 bits (minimum RSA FIPS size).
2023-04-03 12:44:27 +10:00
Ondřej Surý bd4576b3ce Remove TKEY Mode 2 (Diffie-Hellman)
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools).  The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.

The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:

    4.2 Diffie-Hellman Exchanged Keying (Deprecated)

       The use of this mode (#2) is NOT RECOMMENDED for the following two
       reasons but the specification is still included in Appendix A in case
       an implementation is needed for compatibility with old TKEY
       implementations. See Section 4.6 on ECDH Exchanged Keying.

          The mixing function used does not meet current cryptographic
          standards because it uses MD5 [RFC6151].

          RSA keys must be excessively long to achieve levels of security
          required by current standards.

We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status.  Meanwhile the
insecure DH mode needs to be removed.
2023-03-08 08:36:25 +01:00
Matthijs Mekking 78e6b8646a Test dnssec-signzone -G digests
Add test cases for the new dnssec-signzone -G option.
2023-02-28 09:38:31 +01:00
Michal Nowak 3cd2cc6254 Adapt to Python scripts to black 23.1.0 2023-02-17 15:31:52 +01:00
Evan Hunt 916ea26ead remove nonfunctional DSCP implementation
DSCP has not been fully working since the network manager was
introduced in 9.16, and has been completely broken since 9.18.
This seems to have caused very few difficulties for anyone,
so we have now marked it as obsolete and removed the
implementation.

To ensure that old config files don't fail, the code to parse
dscp key-value pairs is still present, but a warning is logged
that the feature is obsolete and should not be used. Nothing is
done with configured values, and there is no longer any
range checking.
2023-01-09 12:15:21 -08:00
Tom Krizek c100308b7d Simplify start/stop helper func in system tests
The system test should never attempt to start or stop any other server
than those that belong to that system test. Therefore, it is not
necessary to specify the system test name in function calls.

Additionally, this makes it possible to run the test inside a
differently named directory, as its name is automatically detected with
the $SYSTESTDIR variable. This enables running the system tests inside a
temporary directory.

Direct use of stop.pl was replaced with a more systematic approach to
use stop_servers helper function.
2022-11-25 09:27:33 +01:00
Matthijs Mekking cd2f619842 Remove dynamic update key management tests
Remove test cases that rely upon key and denial of existence
management operations triggered by dynamic updates.

The autosign system test needed a bit more care than just removing
because the test cases are dependent on each other, so there are some
additional tweaks such as setting the NSEC3PARAM via rndc signing,
and renaming zone input files. In the process, some additional
debug output files have been added, and a 'ret' fail case overwrite
was fixed.
2022-11-18 11:04:17 +01:00
Aram Sargsyan 8c48eabbc1 Test managed-keys placeholder
Add a dnssec test to make sure that named can correctly process a
managed-keys zone with a placeholder KEYDATA record.
2022-11-01 09:50:34 +00:00
Mark AndrewsandPetr Špaček 09f7e0607a Convert DST_ALG defines to enum and group HMAC algorithms
The HMACs and GSSAPI are just using unallocated values.
Moving them around shouldn't cause issues.
Only the dnssec system test knew the internal number in use for hmacmd5.
2022-09-27 16:54:36 +02:00
Mark Andrews 8fe2876297 Improve awk tests to prevent false negatives
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.
2022-08-18 02:56:57 +00:00
Mark AndrewsandMichal Nowak 591c087cbf dnssec/signer/general: Replace RSASHA1 keys with RSASHA512 keys
RSASHA1 is verify only in FIPS mode. Use RSASHA256 instead.
2022-08-09 16:22:19 +02:00
Mark Andrews d0b0139c90 dnssec: use $DEFAULT_ALGORITHM 2022-07-12 10:40:29 +10:00
Mark Andrews 19a7a1e557 Convert hmac-sha256 references in system tests to DEFAULT_HMAC
where a future change from hmac-sha256 would be applicable.  This
change involves dnssec, nsupdate and rndc system tests.
2022-07-07 10:11:42 +10:00
Mark Andrews ce324ae8ba Use DEFAULT_HMAC for rndc 2022-07-07 10:11:42 +10:00
Tom Krizek c9cb8ae9eb Auto-format Python files with black
This patch is strictly the result of:
$ black $(git ls-files '*.py')

There have been no manual changes.
2022-06-08 10:28:08 +02:00
Mark Andrews 69d5e22e58 Make modifications to keyless.example deterministic
The perl modifation code for keyless.example was not deterministic
(/NXT/ matched part of signature) resulting in different error
strings being returned.  Replaced /NXT/ with /A RRSIG NSEC/ and
updated expected error string,
2022-06-01 10:16:37 +10:00
Mark Andrews d2d9910da2 Check that pending negative cache entries for DS can be used successfully
Prime the cache with a negative cache DS entry then make a query for
name beneath that entry. This will cause the DS entry to be retieved
as part of the validation process.  Each RRset in the ncache entry
will be validated and the trust level for each will be updated.
2022-04-19 08:38:26 +10:00
Evan Hunt 08c2728ed1 add a test for dnssec-signzone -J
generate a journal file, and load it in dnssec-signzone.
2022-02-17 12:03:05 -08:00
Evan HuntandMichal Nowak 1d706f328c Remove leftover test code for Windows
- Removed all code that only runs under CYGWIN, and made all
  code that doesn't run under CYGWIN non-optional.
- Removed the $TP variable which was used to add optional
  trailing dots to filenames; they're no longer optional.
- Removed references to pssuspend and dos2unix.
- No need to use environment variables for diff and kill.
- Removed uses of "tr -d '\r'"; this was a workaround for
  a cygwin regex bug that is no longer needed.
2022-01-27 09:08:29 +01:00
Ondřej Surý 58bd26b6cf Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.
2022-01-11 09:05:02 +01:00
Mark Andrews e7a3ada1d2 Check dnssec-dsfromkey with revoked DNSKEY
Checks that there is a revoked key in the DNSKEY RRset then checks
that only the correct number of DS records are produced.
2021-11-30 21:48:17 +11:00
Mark Andrews dbeea1afa0 Don't use 'dnssec-signzone -P' unless necessary
Most of the test zones in the dnssec system test can be verified.
Use -z when only a single key is being used so that the verifier
knows that only a single key is in use.
2021-11-23 08:44:47 +11:00
Mark Andrews 77ca778377 Generate test zone with multiple NSEC and NSEC3 chains
The method used to generate a test zone with multiple NSEC and
NSEC3 chains was incorrect.  Multiple calls to dnssec-signzone
with multiple parameters is not additive.  Extract the chain on
each run then add them to the final signed zone instance.
2021-11-23 08:44:47 +11:00
Matthijs MekkingandEvan Hunt f3d3a4ff6e Replace "master/slave" terminology in tests
Replace most "master/slave" terminology in tests with the preferred
"primary/secondary", with the following exceptions:

- When testing the old syntax
- When master is used in master file and master file format terms
- When master is used in hostmaster or postmaster terms
- When master used in legacy domain names (for example in dig.batch)
- When there is no replacement (for example default-masters)
2021-10-12 13:04:00 -07:00
Matthijs Mekking 2abad4d969 Change default of dnssec-dnskey-kskonly to yes
The extra RRSIG on DNSKEY, CDS and CDNSKEY RRsets add to the payload,
without having added value.
2021-10-12 13:45:44 +02:00
Ondřej Surý 8cb2ba5dd3 Remove native PKCS#11 support
The native PKCS#11 support has been removed in favour of better
maintained, more performance and easier to use OpenSSL PKCS#11 engine
from the OpenSC project.
2021-09-09 15:35:39 +02:00
Matthijs Mekking 35efbc270f Add test for dnssec-signzone smooth ZSK roll
Add a test case to the dnssec system test to check that:
- a zone with a prepublished key is only signed with the active key.
- a zone with an inactive key but valid signatures retains those
  signatures and does not add signatures from successor key.
- signatures are swapped in a zone when signatures of predecessor
  inactive key are within the refresh interval.
2021-08-11 15:15:25 +02:00
Matthijs Mekking 837adb93d3 dnssec-signzone ZSK smooth rollover
When signing with a ZSK, check if it has a predecessor. If so, and if
the predecessor key is sane (same algorithm, key id matches predecessor
value, is zsk), check if the RRset is signed with this key. If so, skip
signing with this successor key. Otherwise, do sign with the successor
key.

This change means we also need to apply the interval to keys that are
not actively signing. In other words, 'expired' is always
'isc_serial_gt(now + cycle, rrsig.timeexpire)'.

Fix a print style issue ("removing signature by ..." was untabbed).
2021-08-11 15:15:25 +02:00
Matthijs MekkingandEvan Hunt 6b79db1fdd Add test for allowing update CDS/CDNSKEY
Add tests to the nsupdate system test to make sure that CDS and/or
CDNSKEY that match an algorithm in the DNSKEY RRset are allowed. Also
add tests that updates are rejected if the algorithm does not match.

Remove the now redundant test cases from the dnssec system test.

Update the checkzone system test: Change the algorithm of the CDS and
CDNSKEY records so that the zone is still rejected.
2021-07-14 12:10:11 -07:00
Ondřej Surý 4b3d0c6600 Remove ISC_MEM_DEBUGSIZE and ISC_MEM_DEBUGRECORD
The ISC_MEM_DEBUGSIZE and ISC_MEM_DEBUGCTX did sanity checks on matching
size and memory context on the memory returned to the allocator.  Those
will no longer needed when most of the allocator will be replaced with
jemalloc.
2021-07-09 15:58:02 +02:00
Mark AndrewsandMatthijs Mekking e6e0e29fbb Check insecure responses returned with too many NSEC3 iterations 2021-04-29 13:43:40 +02:00