Commit 45e68016 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Merge branch '2171-dnssec-policy-weird-algo-15-bug' into 'main'

Resolve "dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys"

Closes #2171

See merge request isc-projects/bind9!4199
parents e620f3a3 af3b0149
5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
[GL #2171]
5513. [doc] The ARM section describing the "rrset-order" statement
was rewritten to make it unambiguous and up-to-date with
the source code. [GL #2139]
......
......@@ -13,3 +13,6 @@ ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
ns6 is an authoritative server that tests changes in dnssec-policy.
ns7 is an authoritative server that tests a specific case where zones
using views migrate to dnssec-policy.
......@@ -26,3 +26,4 @@ rm -f ns*/zones ns*/*.db.infile
rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.*.out.*
rm -f python.out.*
rm -f *-supported.file
dnssec-policy "ed25519" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 15;
zsk key-directory lifetime P5Y algorithm 15;
zsk key-directory lifetime P1Y algorithm 15 256;
};
};
zone "ed25519.kasp" {
type primary;
file "ed25519.kasp.db";
dnssec-policy "ed25519";
};
dnssec-policy "ed448" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 16;
zsk key-directory lifetime P5Y algorithm 16;
zsk key-directory lifetime P1Y algorithm 16 456;
};
};
zone "ed448.kasp" {
type primary;
file "ed448.kasp.db";
dnssec-policy "ed448";
};
......@@ -59,6 +59,18 @@ do
cp template.db.in "$zonefile"
done
if [ -f ../ed25519-supported.file ]; then
setup "ed25519.kasp"
cp template.db.in "$zonefile"
cat ed25519.conf >> named.conf
fi
if [ -f ../ed448-supported.file ]; then
setup "ed448.kasp"
cp template.db.in "$zonefile"
cat ed448.conf >> named.conf
fi
# Set up zone that stays unsigned.
zone="unsigned.kasp"
echo_i "setting up zone: $zone"
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS7
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key "external" {
algorithm "hmac-sha1";
secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
};
key "internal" {
algorithm "hmac-sha1";
secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
};
view "ext" {
match-clients { key "external"; };
zone "view-rsasha256.kasp" {
type master;
file "view-rsasha256.kasp.ext.db";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
};
view "int" {
match-clients { key "internal"; };
zone "view-rsasha256.kasp" {
type master;
file "view-rsasha256.kasp.int.db";
auto-dnssec maintain;
inline-signing yes;
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS7
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
key "external" {
algorithm "hmac-sha1";
secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
};
key "internal" {
algorithm "hmac-sha1";
secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
};
dnssec-policy "rsasha256" {
keys {
zsk key-directory lifetime P3M algorithm 8 1024;
ksk key-directory lifetime P1Y algorithm 8 2048;
};
dnskey-ttl 6h;
publish-safety 1h;
retire-safety 1h;
signatures-refresh 5d;
signatures-validity 14d;
signatures-validity-dnskey 14d;
max-zone-ttl 1d;
zone-propagation-delay 300;
parent-ds-ttl 86400;
parent-propagation-delay 3h;
};
view "external-view" {
zone "view-rsasha256.kasp" {
type master;
file "view-rsasha256.kasp.ext.db";
dnssec-policy "rsasha256";
};
};
view "internal-view" {
zone "view-rsasha256.kasp" {
type master;
file "view-rsasha256.kasp.int.db";
dnssec-policy "rsasha256";
};
};
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
echo_i "ns7/setup.sh"
private_type_record() {
_zone=$1
_algorithm=$2
_keyfile=$3
_id=$(keyfile_to_key_id "$_keyfile")
printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
}
# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"
zone="view-rsasha256.kasp"
algo="RSASHA256"
num="8"
echo "$zone" >> zones
# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
# The keys for these zones are in use long enough that they should start a
# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
ksktimes="-P -186d -A -186d -P sync -186d"
zsktimes="-P -186d -A -186d"
KSK=$($KEYGEN -a $algo -L 21600 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $algo -L 21600 -b 1024 $zsktimes $zone 2> keygen.out.$zone.2)
echo_i "setting up zone $zone (external)"
view="ext"
zonefile="${zone}.${view}.db"
cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
echo_i "setting up zone $zone (internal)"
view="int"
zonefile="${zone}.${view}.db"
cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns7
ns7 A 10.53.0.7
view TXT "external"
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns7
ns7 A 10.53.0.7
view TXT "internal"
......@@ -23,6 +23,15 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
fi
# Setup zones
(
......@@ -45,3 +54,7 @@ copy_setports ns6/named.conf.in ns6/named.conf
cd ns6
$SHELL setup.sh
)
(
cd ns7
$SHELL setup.sh
)
......@@ -127,6 +127,7 @@ key_clear "KEY4"
# Call dig with default options.
dig_with_opts() {
if [ -n "$TSIG" ]; then
"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
else
......@@ -609,7 +610,7 @@ dnssec_verify()
# Wait for the zone to be signed.
# The apex NSEC record indicates that it is signed.
_wait_for_nsec() {
dig_with_opts "@${SERVER}" -y "$TSIG" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1
dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1
grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1
grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1
return 0
......@@ -831,23 +832,30 @@ status=$((status+ret))
next_key_event_threshold=$((next_key_event_threshold+i))
check_numkeys() {
_numkeys=$(get_keyids "$1" "$2" | wc -l)
test "$_numkeys" -eq "$NUM_KEYS" || return 1
return 0
}
# Check keys for a configured zone. This verifies:
# 1. The right number of keys exist in the key pool ($1).
# 2. The right number of keys is active. Checks KEY1, KEY2, KEY3, and KEY4.
#
# It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly.
# Found key identifiers are stored in the right key array.
check_keys()
{
check_keys() {
n=$((n+1))
echo_i "check keys are created for zone ${ZONE} ($n)"
ret=0
echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)"
_numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
test "$_numkeys" -eq "$NUM_KEYS" || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)"
test "$ret" -eq 0 || echo_i "failed"
retry_quiet 10 check_numkeys "$DIR" "$ZONE" "$NUM_KEYS" || ret=1
if [ $ret -ne 0 ]; then
_numkeys=$(get_keyids "$1" "$2" | wc -l)
log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)"
status=$((status+ret))
fi
# Temporarily don't log errors because we are searching multiple files.
_log=0
......@@ -2041,7 +2049,49 @@ check_apex
check_subdomain
dnssec_verify
# TODO: ED25519 and ED448.
#
# Zone: ed25519.kasp.
#
if [ -f ed25519-supported.file ]; then
set_zone "ed25519.kasp"
set_policy "ed25519" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "15" "ED25519" "256"
set_keyalgorithm "KEY2" "15" "ED25519" "256"
set_keyalgorithm "KEY3" "15" "ED25519" "256"
# Key timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
fi
#
# Zone: ed448.kasp.
#
if [ -f ed448-supported.file ]; then
set_zone "ed448.kasp"
set_policy "ed448" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "16" "ED448" "456"
set_keyalgorithm "KEY2" "16" "ED448" "456"
set_keyalgorithm "KEY3" "16" "ED448" "456"
# Key timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
fi
# Set key times for 'autosign' policy.
set_keytimes_autosign_policy() {
......@@ -5229,5 +5279,230 @@ dnssec_verify
# an unlimited lifetime. Fallback to the default loadkeys interval.
check_next_key_event 3600
#
# Testing good migration with views.
#
init_view_migration() {
key_clear "KEY1"
key_set "KEY1" "LEGACY" "yes"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
key_set "KEY2" "LEGACY" "yes"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "rumoured"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
}
set_keytimes_view_migration() {
# Key is six months in use.
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
}
# Zone view.rsasha256.kasp (external)
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "2" "21600"
set_server "ns7" "10.53.0.7"
init_view_migration
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
TSIG="hmac-sha1:external:$VIEW1"
wait_for_nsec
# Make sure the zone is signed with legacy keys.
check_keys
set_keytimes_view_migration
check_keytimes
dnssec_verify
n=$((n+1))
# check subdomain
echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Remember legacy key tags.
_migrate_ext8_ksk=$(key_get KEY1 ID)
_migrate_ext8_zsk=$(key_get KEY2 ID)
# Zone view.rsasha256.kasp (internal)
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "2" "21600"
set_server "ns7" "10.53.0.7"
init_view_migration
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
TSIG="hmac-sha1:internal:$VIEW2"
wait_for_nsec
# Make sure the zone is signed with legacy keys.
check_keys
set_keytimes_view_migration
check_keytimes
dnssec_verify
n=$((n+1))
# check subdomain
echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Remember legacy key tags.
_migrate_int8_ksk=$(key_get KEY1 ID)
_migrate_int8_zsk=$(key_get KEY2 ID)
# Reconfig dnssec-policy.
echo_i "reconfig to switch to dnssec-policy"
copy_setports ns7/named2.conf.in ns7/named.conf
rndc_reconfig ns7 10.53.0.7
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
#
# Testing migration (RSASHA256, views).
#
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "3" "21600"
set_server "ns7" "10.53.0.7"
init_migration_match
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the keys have a lifetime, kasp will set the retired time.
key_set "KEY1" "LEGACY" "no"
set_keylifetime "KEY1" "31536000"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY2" "8035200"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ZSK needs to be replaced.
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "8035200"
set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "no" # not yet
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
# Various signing policy checks (external).
TSIG="hmac-sha1:external:$VIEW1"
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "external-view"
set_keytimes_view_migration
# Set expected key times:
published=$(key_get KEY1 PUBLISHED)
set_keytime "KEY1" "ACTIVE" "${published}"
set_keytime "KEY1" "SYNCPUBLISH" "${published}"
# Lifetime: 1 year (8035200 seconds)
active=$(key_get KEY1 ACTIVE)
set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
# Retire interval:
# DS TTL: 1d
# Parent zone propagation: 3h
# Retire safety: 1h
# Total: 100800 seconds
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${