Compare commits
8 Commits
wpk/perfte
...
806-disabl
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
e89ec05835 | ||
|
|
7b2e28cedd | ||
|
|
08b2994dce | ||
|
|
45247cd5fb | ||
|
|
a51ac19592 | ||
|
|
a875b93dfd | ||
|
|
0cd9781a04 | ||
|
|
2e01c0e490 |
3
CHANGES
3
CHANGES
@@ -1,3 +1,6 @@
|
||||
5122. [bug] Ignore disabled algorithm trusted and managed keys.
|
||||
[GL #806]
|
||||
|
||||
5121. [contrib] dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
|
||||
matching zone names. [GL !1299]
|
||||
|
||||
|
||||
@@ -702,8 +702,9 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
|
||||
bool managed, dst_key_t **target, isc_mem_t *mctx)
|
||||
dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
|
||||
const cfg_obj_t *key, bool managed, dst_key_t **target,
|
||||
isc_mem_t *mctx)
|
||||
{
|
||||
dns_rdataclass_t viewclass;
|
||||
dns_rdata_dnskey_t keystruct;
|
||||
@@ -795,6 +796,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
|
||||
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
|
||||
mctx, &dstkey));
|
||||
|
||||
if (!dns_resolver_algorithm_supported(view->resolver, keyname, alg)) {
|
||||
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
|
||||
"%s key for '%s': algorithm is disabled",
|
||||
managed ? "managed" : "trusted", keynamestr);
|
||||
result = DST_R_UNSUPPORTEDALG;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
*target = dstkey;
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
@@ -852,9 +861,9 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
|
||||
elt2 = cfg_list_next(elt2))
|
||||
{
|
||||
key = cfg_listelt_value(elt2);
|
||||
result = dstkey_fromconfig(vconfig, key, managed,
|
||||
result = dstkey_fromconfig(view, vconfig, key, managed,
|
||||
&dstkey, mctx);
|
||||
if (result == DST_R_UNSUPPORTEDALG) {
|
||||
if (result == DST_R_UNSUPPORTEDALG) {
|
||||
result = ISC_R_SUCCESS;
|
||||
continue;
|
||||
}
|
||||
@@ -10572,7 +10581,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) {
|
||||
struct zonelistentry *zle;
|
||||
|
||||
zle = isc_mem_get(dctx->mctx, sizeof *zle);
|
||||
if (zle == NULL)
|
||||
if (zle == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
zle->zone = NULL;
|
||||
dns_zone_attach(zone, &zle->zone);
|
||||
|
||||
@@ -240,6 +240,28 @@ nextpartpeek() {
|
||||
nextpartread $1 2> /dev/null
|
||||
}
|
||||
|
||||
# wait_for_log: wait up to 10 seconds for a log message to appear in
|
||||
# the logfile. A quick usage example:
|
||||
#
|
||||
# $ wait_for_log "failure" named.log
|
||||
#
|
||||
# This will read named.log and look for the string "failure". If the
|
||||
# string is not found, retry in a second. If the string is found,
|
||||
# return with a return status of 0. If after 10 seconds the string is
|
||||
# still not found, abort and return with a status of 1.
|
||||
#
|
||||
# The search string may include regular expressions.
|
||||
wait_for_log() {
|
||||
msg=$1
|
||||
file=$2
|
||||
for i in 1 2 3 4 5 6 7 8 9 10; do
|
||||
nextpart "$file" | grep "$msg" > /dev/null && return
|
||||
sleep 1
|
||||
done
|
||||
echo_i "exceeded time limit waiting for '$msg' in $file"
|
||||
ret=1
|
||||
}
|
||||
|
||||
rndc_reload() {
|
||||
echo_i "`$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'$1' /'`"
|
||||
# reloading single zone is synchronous, if we're reloading whole server
|
||||
|
||||
@@ -27,6 +27,11 @@ ALTERNATIVE_ALGORITHM=RSASHA256
|
||||
ALTERNATIVE_ALGORITHM_NUMBER=8
|
||||
ALTERNATIVE_BITS=1280
|
||||
|
||||
# must be different from above algorithms
|
||||
DISABLED_ALGORITHM=ECDSAP384SHA384
|
||||
DISABLED_ALGORITHM_NUMBER=14
|
||||
DISABLED_BITS=384
|
||||
|
||||
ARPANAME=$TOP/bin/tools/arpaname
|
||||
CDS=$TOP/bin/dnssec/dnssec-cds
|
||||
CHECKCONF=$TOP/bin/check/named-checkconf
|
||||
@@ -174,6 +179,9 @@ copy_setports() {
|
||||
-e "s/@ALTERNATIVE_ALGORITHM@/${ALTERNATIVE_ALGORITHM}/g" \
|
||||
-e "s/@ALTERNATIVE_ALGORITHM_NUMBER@/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
|
||||
-e "s/@ALTERNATIVE_BITS@/${ALTERNATIVE_BITS}/g" \
|
||||
-e "s/@DISABLED_ALGORITHM@/${DISABLED_ALGORITHM}/g" \
|
||||
-e "s/@DISABLED_ALGORITHM_NUMBER@/${DISABLED_ALGORITHM_NUMBER}/g" \
|
||||
-e "s/@DISABLED_BITS@/${DISABLED_BITS}/g" \
|
||||
$1 > $2
|
||||
}
|
||||
|
||||
|
||||
@@ -17,3 +17,6 @@ key for the root. It is used for testing failure cases.
|
||||
ns6 is a caching-only server configured to use DLV.
|
||||
|
||||
ns7 is used for checking non-cacheable answers.
|
||||
|
||||
ns8 is a caching-only server, configured with unsupported and disabled
|
||||
algorithms. It is used for testing failure cases.
|
||||
|
||||
@@ -32,7 +32,7 @@ rm -f ./ns*/*.nta
|
||||
rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys*
|
||||
rm -f ./ns*/named.lock
|
||||
rm -f ./ns1/managed.key.id
|
||||
rm -f ./ns1/root.db ./ns2/example.db ./ns3/secure.example.db
|
||||
rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
|
||||
rm -f ./ns2/algroll.db
|
||||
rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
|
||||
rm -f ./ns2/cdnskey-kskonly.secure.db
|
||||
@@ -48,6 +48,8 @@ rm -f ./ns2/in-addr.arpa.db
|
||||
rm -f ./ns2/nsec3chain-test.db
|
||||
rm -f ./ns2/private.secure.example.db
|
||||
rm -f ./ns2/single-nsec3.db
|
||||
rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
|
||||
rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
|
||||
rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
|
||||
rm -f ./ns3/badds.example.db
|
||||
rm -f ./ns3/dname-at-apex-nsec3.example.db
|
||||
@@ -67,6 +69,7 @@ rm -f ./ns3/inline.example.db.signed
|
||||
rm -f ./ns3/kskonly.example.db
|
||||
rm -f ./ns3/lower.example.db ./ns3/upper.example.db ./ns3/upper.example.db.lower
|
||||
rm -f ./ns3/managed-future.example.db
|
||||
rm -f ./ns3/managed-ns8.conf ./ns3/trusted-ns8.conf
|
||||
rm -f ./ns3/multiple.example.db ./ns3/nsec3-unknown.example.db ./ns3/nsec3.example.db
|
||||
rm -f ./ns3/nsec3.nsec3.example.db
|
||||
rm -f ./ns3/nsec3.optout.example.db
|
||||
|
||||
@@ -8,12 +8,12 @@
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300
|
||||
. IN SOA gson.nominum.com. a.root.servers.nil. (
|
||||
2000042100 ; serial
|
||||
600 ; refresh
|
||||
600 ; retry
|
||||
1200 ; expire
|
||||
600 ; minimum
|
||||
. IN SOA gson.nominum.com. a.root.servers.nil. (
|
||||
2000042100 ; serial
|
||||
600 ; refresh
|
||||
600 ; retry
|
||||
1200 ; expire
|
||||
600 ; minimum
|
||||
)
|
||||
. NS a.root-servers.nil.
|
||||
a.root-servers.nil. A 10.53.0.1
|
||||
@@ -22,8 +22,12 @@ example. NS ns2.example.
|
||||
ns2.example. A 10.53.0.2
|
||||
dlv. NS ns2.dlv.
|
||||
ns2.dlv. A 10.53.0.2
|
||||
algroll NS ns2.algroll
|
||||
algroll. NS ns2.algroll.
|
||||
ns2.algroll. A 10.53.0.2
|
||||
managed. NS ns2.managed.
|
||||
ns2.managed. A 10.53.0.2
|
||||
trusted. NS ns2.trusted.
|
||||
ns2.trusted. A 10.53.0.2
|
||||
optout-tld NS ns6.optout-tld.
|
||||
ns6.optout-tld. A 10.53.0.6
|
||||
in-addr.arpa. NS ns2.example.
|
||||
|
||||
@@ -26,6 +26,9 @@ cp "../ns2/dsset-example$TP" .
|
||||
cp "../ns2/dsset-dlv$TP" .
|
||||
cp "../ns2/dsset-in-addr.arpa$TP" .
|
||||
|
||||
cp "../ns3/trusted-ns8.conf" "../ns8/trusted.conf"
|
||||
cp "../ns3/managed-ns8.conf" "../ns8/managed.conf"
|
||||
|
||||
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
|
||||
cp "../ns6/dsset-optout-tld$TP" .
|
||||
|
||||
|
||||
41
bin/tests/system/dnssec/ns2/managed.db.in
Normal file
41
bin/tests/system/dnssec/ns2/managed.db.in
Normal file
@@ -0,0 +1,41 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns2
|
||||
NS ns3
|
||||
ns2 A 10.53.0.2
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
|
||||
; A secure subdomain
|
||||
secure NS ns3.secure
|
||||
ns3.secure A 10.53.0.3
|
||||
|
||||
; A subdomain that is signed with an unsupported algorithm
|
||||
unsupported NS ns3.unsupported
|
||||
ns3.unsupported A 10.53.0.3
|
||||
|
||||
; A secure subdomain with a disabled algorithm
|
||||
disabled NS ns3.disabled
|
||||
ns3.disabled A 10.53.0.3
|
||||
|
||||
; A secure subdomain with a disabled algorithm, but not in bailiwick
|
||||
enabled NS ns3.enabled
|
||||
ns3.enabled A 10.53.0.3
|
||||
@@ -37,6 +37,16 @@ zone "dlv" {
|
||||
file "dlv.db.signed";
|
||||
};
|
||||
|
||||
zone "trusted" {
|
||||
type master;
|
||||
file "trusted.db.signed";
|
||||
};
|
||||
|
||||
zone "managed" {
|
||||
type master;
|
||||
file "managed.db.signed";
|
||||
};
|
||||
|
||||
zone "example" {
|
||||
type master;
|
||||
file "example.db.signed";
|
||||
|
||||
@@ -14,24 +14,57 @@
|
||||
|
||||
set -e
|
||||
|
||||
# Sign child zones (served by ns3).
|
||||
( cd ../ns3 && $SHELL sign.sh )
|
||||
|
||||
# Get the DS records for the trusted. and managed. zones.
|
||||
for subdomain in secure unsupported disabled enabled
|
||||
do
|
||||
cp "../ns3/dsset-$subdomain.managed$TP" .
|
||||
cp "../ns3/dsset-$subdomain.trusted$TP" .
|
||||
done
|
||||
|
||||
# Sign the trusted. and managed. zones.
|
||||
zone=managed.
|
||||
infile=managed.db.in
|
||||
zonefile=managed.db
|
||||
|
||||
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
|
||||
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
zone=trusted.
|
||||
infile=trusted.db.in
|
||||
zonefile=trusted.db
|
||||
|
||||
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
|
||||
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
# The example. zone.
|
||||
zone=example.
|
||||
infile=example.db.in
|
||||
zonefile=example.db
|
||||
|
||||
# Have the child generate a zone key and pass it to us.
|
||||
|
||||
( cd ../ns3 && $SHELL sign.sh )
|
||||
|
||||
# Get the DS records for the example. zone.
|
||||
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
|
||||
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
|
||||
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
|
||||
ttlpatch split-dnssec split-smart expired expiring upper lower \
|
||||
dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
|
||||
dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
|
||||
dnskey-nsec3-unknown managed-future revkey \
|
||||
dname-at-apex-nsec3 occluded
|
||||
do
|
||||
cp "../ns3/dsset-$subdomain.example$TP" .
|
||||
done
|
||||
|
||||
# Sign the example. zone.
|
||||
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
|
||||
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
|
||||
|
||||
|
||||
41
bin/tests/system/dnssec/ns2/trusted.db.in
Normal file
41
bin/tests/system/dnssec/ns2/trusted.db.in
Normal file
@@ -0,0 +1,41 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns2
|
||||
NS ns3
|
||||
ns2 A 10.53.0.2
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
|
||||
; A secure subdomain
|
||||
secure NS ns3.secure
|
||||
ns3.secure A 10.53.0.3
|
||||
|
||||
; A subdomain that is signed with an unsupported algorithm
|
||||
unsupported NS ns3.unsupported
|
||||
ns3.unsupported A 10.53.0.3
|
||||
|
||||
; A secure subdomain with a disabled algorithm
|
||||
disabled NS ns3.disabled
|
||||
ns3.disabled A 10.53.0.3
|
||||
|
||||
; A secure subdomain with a disabled algorithm, but not in bailiwick
|
||||
enabled NS ns3.enabled
|
||||
ns3.enabled A 10.53.0.3
|
||||
23
bin/tests/system/dnssec/ns3/disabled.managed.db.in
Normal file
23
bin/tests/system/dnssec/ns3/disabled.managed.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
23
bin/tests/system/dnssec/ns3/disabled.trusted.db.in
Normal file
23
bin/tests/system/dnssec/ns3/disabled.trusted.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
23
bin/tests/system/dnssec/ns3/enabled.managed.db.in
Normal file
23
bin/tests/system/dnssec/ns3/enabled.managed.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
23
bin/tests/system/dnssec/ns3/enabled.trusted.db.in
Normal file
23
bin/tests/system/dnssec/ns3/enabled.trusted.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
@@ -314,6 +314,46 @@ zone "occluded.example" {
|
||||
file "occluded.example.db.signed";
|
||||
};
|
||||
|
||||
zone "secure.managed" {
|
||||
type master;
|
||||
file "secure.managed.db.signed";
|
||||
};
|
||||
|
||||
zone "disabled.managed" {
|
||||
type master;
|
||||
file "disabled.managed.db.signed";
|
||||
};
|
||||
|
||||
zone "enabled.managed" {
|
||||
type master;
|
||||
file "enabled.managed.db.signed";
|
||||
};
|
||||
|
||||
zone "unsupported.managed" {
|
||||
type master;
|
||||
file "unsupported.managed.db.signed";
|
||||
};
|
||||
|
||||
zone "secure.trusted" {
|
||||
type master;
|
||||
file "secure.trusted.db.signed";
|
||||
};
|
||||
|
||||
zone "disabled.trusted" {
|
||||
type master;
|
||||
file "disabled.trusted.db.signed";
|
||||
};
|
||||
|
||||
zone "enabled.trusted" {
|
||||
type master;
|
||||
file "enabled.trusted.db.signed";
|
||||
};
|
||||
|
||||
zone "unsupported.trusted" {
|
||||
type master;
|
||||
file "unsupported.trusted.db.signed";
|
||||
};
|
||||
|
||||
include "siginterval.conf";
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
23
bin/tests/system/dnssec/ns3/secure.managed.db.in
Normal file
23
bin/tests/system/dnssec/ns3/secure.managed.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
23
bin/tests/system/dnssec/ns3/secure.trusted.db.in
Normal file
23
bin/tests/system/dnssec/ns3/secure.trusted.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
@@ -14,6 +14,74 @@
|
||||
|
||||
set -e
|
||||
|
||||
for tld in trusted managed
|
||||
do
|
||||
zone=secure.${tld}
|
||||
infile=${zone}.db.in
|
||||
zonefile=${zone}.db
|
||||
|
||||
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname1.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
|
||||
|
||||
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
|
||||
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
|
||||
|
||||
zone=disabled.${tld}
|
||||
infile=${zone}.db.in
|
||||
zonefile=${zone}.db
|
||||
|
||||
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
|
||||
|
||||
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
|
||||
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
|
||||
|
||||
zone=enabled.${tld}
|
||||
infile=${zone}.db.in
|
||||
zonefile=${zone}.db
|
||||
|
||||
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname3.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
|
||||
|
||||
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
|
||||
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
|
||||
|
||||
zone=unsupported.${tld}
|
||||
infile=${zone}.db.in
|
||||
zonefile=${zone}.db
|
||||
|
||||
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname4.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
|
||||
awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
|
||||
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
|
||||
|
||||
mv ${keyname4}.key ${keyname4}.tmp
|
||||
if [ $tld == "trusted" ]; then
|
||||
awk '$1 == "unsupported.trusted." { $6 = 255; print } { print }' ${keyname4}.tmp > ${keyname4}.key
|
||||
keyfile_to_trusted_keys $keyname1 $keyname2 $keyname3 $keyname4 > trusted-ns8.conf
|
||||
fi
|
||||
|
||||
if [ $tld == "managed" ]; then
|
||||
awk '$1 == "unsupported.managed." { $6 = 255; print } { print }' ${keyname4}.tmp > ${keyname4}.key
|
||||
keyfile_to_managed_keys $keyname1 $keyname2 $keyname3 $keyname4 > managed-ns8.conf
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
zone=secure.example.
|
||||
infile=secure.example.db.in
|
||||
zonefile=secure.example.db
|
||||
@@ -246,8 +314,10 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
|
||||
|
||||
# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
|
||||
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
|
||||
|
||||
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
|
||||
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
|
||||
|
||||
#
|
||||
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
|
||||
|
||||
23
bin/tests/system/dnssec/ns3/unsupported.managed.db.in
Normal file
23
bin/tests/system/dnssec/ns3/unsupported.managed.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
23
bin/tests/system/dnssec/ns3/unsupported.trusted.db.in
Normal file
23
bin/tests/system/dnssec/ns3/unsupported.trusted.db.in
Normal file
@@ -0,0 +1,23 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
46
bin/tests/system/dnssec/ns8/named.conf.in
Normal file
46
bin/tests/system/dnssec/ns8/named.conf.in
Normal file
@@ -0,0 +1,46 @@
|
||||
/*
|
||||
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*
|
||||
* See the COPYRIGHT file distributed with this work for additional
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
// NS8
|
||||
|
||||
options {
|
||||
query-source address 10.53.0.8 dscp 4;
|
||||
notify-source 10.53.0.8 dscp 5;
|
||||
transfer-source 10.53.0.8 dscp 6;
|
||||
dscp 16;
|
||||
port @PORT@;
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.8; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
dnssec-enable yes;
|
||||
dnssec-validation yes;
|
||||
minimal-responses no;
|
||||
disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
|
||||
disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
};
|
||||
|
||||
include "managed.conf";
|
||||
include "trusted.conf";
|
||||
@@ -19,12 +19,11 @@ $SHELL clean.sh
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
copy_setports ns2/named.conf.in ns2/named.conf
|
||||
copy_setports ns3/named.conf.in ns3/named.conf
|
||||
|
||||
copy_setports ns4/named1.conf.in ns4/named.conf
|
||||
copy_setports ns5/named1.conf.in ns5/named.conf
|
||||
|
||||
copy_setports ns6/named.conf.in ns6/named.conf
|
||||
copy_setports ns7/named.conf.in ns7/named.conf
|
||||
copy_setports ns8/named.conf.in ns8/named.conf
|
||||
|
||||
(
|
||||
cd ns1
|
||||
|
||||
@@ -3625,6 +3625,106 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "check that keys with unsupported algorithms and disabled algorithms are ignored ($n)"
|
||||
ret=0
|
||||
grep "trusted key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run > /dev/null || ret=1
|
||||
grep "skipping trusted key for 'disabled\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
|
||||
grep "skipping trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
|
||||
grep "managed key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run > /dev/null || ret=1
|
||||
grep "skipping managed key for 'disabled\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
|
||||
grep "skipping managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that supported DNSKEY algorithm trusted key validates as secure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.secure.trusted A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.secure.trusted A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that supported DNSKEY algorithm managed key validates as secure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.secure.managed A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.secure.managed A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that unsupported DNSKEY algorithm trusted key validates as insecure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.unsupported.trusted A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.unsupported.trusted A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that unsupported DNSKEY algorithm managed key validates as insecure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.unsupported.managed A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.unsupported.managed A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that disabled DNSKEY algorithm trusted key validates as insecure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.disabled.trusted A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.disabled.trusted A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that disabled DNSKEY algorithm managed key validates as insecure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.disabled.managed A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.disabled.managed A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null && ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that disabled algorithm trusted key not in bailiwick validates as secure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.enabled.trusted A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.enabled.trusted A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that disabled algorithm managed key not in bailiwick validates as secure ($n)"
|
||||
ret=0
|
||||
dig_with_opts @10.53.0.3 a.enabled.managed A > dig.out.ns3.test$n
|
||||
dig_with_opts @10.53.0.8 a.enabled.managed A > dig.out.ns8.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns8.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns8.test$n > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
# Note: after this check, ns4 will not be validating any more; do not add any
|
||||
# further validation tests employing ns4 below this check.
|
||||
echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
|
||||
|
||||
@@ -16,17 +16,6 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
|
||||
DELVOPTS="-a ns1/trusted.conf -p ${PORT}"
|
||||
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
|
||||
|
||||
wait_for_log() {
|
||||
msg=$1
|
||||
file=$2
|
||||
for i in 1 2 3 4 5 6 7 8 9 10; do
|
||||
nextpart "$file" | grep "$msg" > /dev/null && return
|
||||
sleep 1
|
||||
done
|
||||
echo_i "exceeded time limit waiting for '$msg' in $file"
|
||||
ret=1
|
||||
}
|
||||
|
||||
mkeys_reconfig_on() {
|
||||
nsidx=$1
|
||||
$RNDCCMD 10.53.0.${nsidx} reconfig . | sed "s/^/ns${nsidx} /" | cat_i
|
||||
|
||||
@@ -5075,6 +5075,11 @@ options {
|
||||
by the <command>disable-algorithms</command> will be treated
|
||||
as insecure.
|
||||
</para>
|
||||
<para>
|
||||
You cannot configure a trust anchor with a disabled
|
||||
algorithm using <command>trusted-keys</command> or
|
||||
<command>managed-keys</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user