Commit 1d45ad8f authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Ignore trust anchors using disabled algorithm

More specifically: ignore configured trusted and managed keys that
match a disabled algorithm.  The behavioral change is that responses
for names under such a trust anchor no longer SERVFAIL, but are
returned as insecure.
parent 07c35f32
...@@ -700,8 +700,9 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, ...@@ -700,8 +700,9 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
} }
static isc_result_t static isc_result_t
dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
bool managed, dst_key_t **target, isc_mem_t *mctx) const cfg_obj_t *key, bool managed, dst_key_t **target,
isc_mem_t *mctx)
{ {
dns_rdataclass_t viewclass; dns_rdataclass_t viewclass;
dns_rdata_dnskey_t keystruct; dns_rdata_dnskey_t keystruct;
...@@ -793,6 +794,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key, ...@@ -793,6 +794,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf, CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
mctx, &dstkey)); mctx, &dstkey));
if (!dns_resolver_algorithm_supported(view->resolver, keyname, alg)) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"%s key for '%s': algorithm is disabled",
managed ? "managed" : "trusted", keynamestr);
result = DST_R_UNSUPPORTEDALG;
goto cleanup;
}
*target = dstkey; *target = dstkey;
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
...@@ -850,7 +859,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, ...@@ -850,7 +859,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
elt2 = cfg_list_next(elt2)) elt2 = cfg_list_next(elt2))
{ {
key = cfg_listelt_value(elt2); key = cfg_listelt_value(elt2);
result = dstkey_fromconfig(vconfig, key, managed, result = dstkey_fromconfig(view, vconfig, key, managed,
&dstkey, mctx); &dstkey, mctx);
if (result == DST_R_UNSUPPORTEDALG) { if (result == DST_R_UNSUPPORTEDALG) {
result = ISC_R_SUCCESS; result = ISC_R_SUCCESS;
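Review bot: The new `dns_resolver_algorithm_supported(view->resolver, keyname, alg)` check is only meaningful if `view->resolver` already exists and has had the view's `disable-algorithms` applied by the time `load_view_keys` runs; that ordering lives in the caller outside this hunk and nothing here guards it, so a `REQUIRE(view->resolver != NULL);` at the top of `dstkey_fromconfig` plus a comment naming the ordering dependency would make the assumption explicit. The check also reports a disabled algorithm as `DST_R_UNSUPPORTEDALG`, which `load_view_keys` already maps to success, so disabled and genuinely unsupported anchors are indistinguishable downstream except for the log text; if the `cleanup:` label (not shown) also logs that result code, the same key will be warned about twice. Since dropping the anchor silently downgrades every name under it from secure to insecure, the check deserves a comment saying so: `/* A trust anchor using a disabled algorithm is dropped; names under it validate as insecure rather than bogus. */`. `dstkey_fromconfig` begins and ends outside the hunk.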
...@@ -17,3 +17,6 @@ key for the root. It is used for testing failure cases. ...@@ -17,3 +17,6 @@ key for the root. It is used for testing failure cases.
ns6 is a caching-only server configured to use DLV. ns6 is a caching-only server configured to use DLV.
ns7 is used for checking non-cacheable answers. ns7 is used for checking non-cacheable answers.
ns8 is a caching-only server, configured with unsupported and disabled
algorithms. It is used for testing failure cases.
...@@ -33,7 +33,7 @@ rm -f ./ns*/*.nta ...@@ -33,7 +33,7 @@ rm -f ./ns*/*.nta
rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys* rm -f ./ns*/managed-keys.bind* ./ns*/*.mkeys*
rm -f ./ns*/named.lock rm -f ./ns*/named.lock
rm -f ./ns1/managed.key.id rm -f ./ns1/managed.key.id
rm -f ./ns1/root.db ./ns2/example.db ./ns3/secure.example.db rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
rm -f ./ns2/algroll.db rm -f ./ns2/algroll.db
rm -f ./ns2/badparam.db ./ns2/badparam.db.bad rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
rm -f ./ns2/cdnskey-kskonly.secure.db rm -f ./ns2/cdnskey-kskonly.secure.db
...@@ -49,6 +49,8 @@ rm -f ./ns2/in-addr.arpa.db ...@@ -49,6 +49,8 @@ rm -f ./ns2/in-addr.arpa.db
rm -f ./ns2/nsec3chain-test.db rm -f ./ns2/nsec3chain-test.db
rm -f ./ns2/private.secure.example.db rm -f ./ns2/private.secure.example.db
rm -f ./ns2/single-nsec3.db rm -f ./ns2/single-nsec3.db
rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
rm -f ./ns3/badds.example.db rm -f ./ns3/badds.example.db
rm -f ./ns3/dname-at-apex-nsec3.example.db rm -f ./ns3/dname-at-apex-nsec3.example.db
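Review bot: Several artifacts created by this commit's sign scripts are not listed in this hunk: `ns8/managed.conf` and `ns8/trusted.conf` written by `ns3/sign.sh`, the `K*.tmp` copy it makes of the unsupported key, and the `*.db.signed` outputs for the new managed/trusted zones on ns2 and ns3. If the existing `rm -f` lines outside the hunk (e.g. a `K*` or `*.signed` glob) do not already cover them, add `rm -f ./ns8/managed.conf ./ns8/trusted.conf ./ns3/K*.tmp` so repeated test runs start from a clean state rather than reusing a stale trust-anchor file.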
...@@ -22,8 +22,12 @@ example. NS ns2.example. ...@@ -22,8 +22,12 @@ example. NS ns2.example.
ns2.example. A 10.53.0.2 ns2.example. A 10.53.0.2
dlv. NS ns2.dlv. dlv. NS ns2.dlv.
ns2.dlv. A 10.53.0.2 ns2.dlv. A 10.53.0.2
algroll NS ns2.algroll algroll. NS ns2.algroll.
ns2.algroll. A 10.53.0.2 ns2.algroll. A 10.53.0.2
managed. NS ns2.managed.
ns2.managed. A 10.53.0.2
trusted. NS ns2.trusted.
ns2.trusted. A 10.53.0.2
optout-tld NS ns6.optout-tld. optout-tld NS ns6.optout-tld.
ns6.optout-tld. A 10.53.0.6 ns6.optout-tld. A 10.53.0.6
in-addr.arpa. NS ns2.example. in-addr.arpa. NS ns2.example.
...@@ -22,6 +22,8 @@ zonefile=root.db ...@@ -22,6 +22,8 @@ zonefile=root.db
(cd ../ns6 && $SHELL sign.sh ) (cd ../ns6 && $SHELL sign.sh )
(cd ../ns7 && $SHELL sign.sh ) (cd ../ns7 && $SHELL sign.sh )
echo_i "ns1/sign.sh"
cp "../ns2/dsset-example$TP" . cp "../ns2/dsset-example$TP" .
cp "../ns2/dsset-dlv$TP" . cp "../ns2/dsset-dlv$TP" .
cp "../ns2/dsset-in-addr.arpa$TP" . cp "../ns2/dsset-in-addr.arpa$TP" .
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
; A secure subdomain
secure NS ns3.secure
ns3.secure A 10.53.0.3
; A subdomain that is signed with an unsupported algorithm
unsupported NS ns3.unsupported
ns3.unsupported A 10.53.0.3
; A secure subdomain with a disabled algorithm
disabled NS ns3.disabled
ns3.disabled A 10.53.0.3
; A secure subdomain with a disabled algorithm, but not in bailiwick
enabled NS ns3.enabled
ns3.enabled A 10.53.0.3
...@@ -36,6 +36,16 @@ zone "dlv" { ...@@ -36,6 +36,16 @@ zone "dlv" {
file "dlv.db.signed"; file "dlv.db.signed";
}; };
zone "trusted" {
type master;
file "trusted.db.signed";
};
zone "managed" {
type master;
file "managed.db.signed";
};
zone "example" { zone "example" {
type master; type master;
file "example.db.signed"; file "example.db.signed";
...@@ -14,24 +14,59 @@ ...@@ -14,24 +14,59 @@
set -e set -e
# Sign child zones (served by ns3).
( cd ../ns3 && $SHELL sign.sh )
echo_i "ns2/sign.sh"
# Get the DS records for the "trusted." and "managed." zones.
for subdomain in secure unsupported disabled enabled
do
cp "../ns3/dsset-$subdomain.managed$TP" .
cp "../ns3/dsset-$subdomain.trusted$TP" .
done
# Sign the "trusted." and "managed." zones.
zone=managed.
infile=key.db.in
zonefile=managed.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
zone=trusted.
infile=key.db.in
zonefile=trusted.db
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
# The "example." zone.
zone=example. zone=example.
infile=example.db.in infile=example.db.in
zonefile=example.db zonefile=example.db
# Have the child generate a zone key and pass it to us. # Get the DS records for the "example." zone.
( cd ../ns3 && $SHELL sign.sh )
for subdomain in secure badds bogus dynamic keyless nsec3 optout \ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \ ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-nsec3-unknown managed-future revkey \ dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
dnskey-nsec3-unknown managed-future revkey \
dname-at-apex-nsec3 occluded dname-at-apex-nsec3 occluded
do do
cp "../ns3/dsset-$subdomain.example$TP" . cp "../ns3/dsset-$subdomain.example$TP" .
done done
# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone") keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone") keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
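Review bot: The two signing blocks for `managed.` and `trusted.` are copy-pasted with only the zone name differing, which is how the two will drift apart the next time someone touches one of them; a loop over the TLDs keeps them identical by construction. Note also that with `set -e` and `> /dev/null 2>&1` a failing `$SIGNER` aborts the script with no diagnostic at all, so sending the output to a log file instead of `/dev/null` would make the failure debuggable. The `example.` signing that starts at the end of this hunk continues outside it.
```shell
# Sign the "trusted." and "managed." zones.
for tld in managed trusted
do
	zone=${tld}.
	infile=key.db.in
	zonefile=${tld}.db
	keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
	keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
	cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
	"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
done
# … unchanged: "example." zone signing …
```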
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
...@@ -313,6 +313,46 @@ zone "occluded.example" { ...@@ -313,6 +313,46 @@ zone "occluded.example" {
file "occluded.example.db.signed"; file "occluded.example.db.signed";
}; };
zone "secure.managed" {
type master;
file "secure.managed.db.signed";
};
zone "disabled.managed" {
type master;
file "disabled.managed.db.signed";
};
zone "enabled.managed" {
type master;
file "enabled.managed.db.signed";
};
zone "unsupported.managed" {
type master;
file "unsupported.managed.db.signed";
};
zone "secure.trusted" {
type master;
file "secure.trusted.db.signed";
};
zone "disabled.trusted" {
type master;
file "disabled.trusted.db.signed";
};
zone "enabled.trusted" {
type master;
file "enabled.trusted.db.signed";
};
zone "unsupported.trusted" {
type master;
file "unsupported.trusted.db.signed";
};
include "siginterval.conf"; include "siginterval.conf";
include "trusted.conf"; include "trusted.conf";
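Review bot: The `revoked.managed` and `revoked.trusted` zones that `ns3/sign.sh` signs in this commit have no `zone` stanza here, no delegation in `ns2/key.db.in`, and their dsset files are not copied by `ns2/sign.sh`, so ns3 will never serve them even though their revoked keys are written into ns8's managed.conf/trusted.conf as trust anchors. If the intent is only to check that a revoked anchor is rejected at configuration time, a comment next to the new zone list saying so would stop someone from adding queries that can only fail; otherwise add `zone "revoked.managed" { type master; file "revoked.managed.db.signed"; };` and the matching `trusted` stanza together with the delegations and dsset copies.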
...@@ -14,6 +14,68 @@ ...@@ -14,6 +14,68 @@
set -e set -e
echo_i "ns3/sign.sh"
infile=key.db.in
for tld in managed trusted
do
# A secure zone to test.
zone=secure.${tld}
zonefile=${zone}.db
keyname1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname1.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
# Zone to test trust anchor that matches disabled algorithm.
zone=disabled.${tld}
zonefile=${zone}.db
keyname2=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname2.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
# Zone to test trust anchor that has disabled algorithm for other domain.
zone=enabled.${tld}
zonefile=${zone}.db
keyname3=$("$KEYGEN" -f KSK -q -a "$DISABLED_ALGORITHM" -b "$DISABLED_BITS" -n zone "$zone")
cat "$infile" "$keyname3.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
# Zone to test trust anchor with unsupported algorithm.
zone=unsupported.${tld}
zonefile=${zone}.db
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname4.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
# Make trusted-keys and managed keys conf sections for ns8.
mv ${keyname4}.key ${keyname4}.tmp
awk '$1 == "unsupported.'"${tld}"'." { $6 = 255 } { print }' ${keyname4}.tmp > ${keyname4}.key
# Zone to test trust anchor that is revoked.
zone=revoked.${tld}
zonefile=${zone}.db
keyname5=$("$KEYGEN" -f KSK -f REVOKE -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$keyname5.key" > "$zonefile"
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
case $tld in
"managed")
keyfile_to_managed_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/managed.conf
;;
"trusted")
keyfile_to_trusted_keys $keyname1 $keyname2 $keyname3 $keyname4 $keyname5 > ../ns8/trusted.conf
;;
esac
done
echo_i "ns3/sign.sh: example zones"
zone=secure.example. zone=secure.example.
infile=secure.example.db.in infile=secure.example.db.in
zonefile=secure.example.db zonefile=secure.example.db
...@@ -209,7 +271,7 @@ cat "$infile" "$keyname.key" > "$zonefile" ...@@ -209,7 +271,7 @@ cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 "$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP" DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
...@@ -228,7 +290,7 @@ cat "$infile" "$keyname.key" > "$zonefile" ...@@ -228,7 +290,7 @@ cat "$infile" "$keyname.key" > "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1 "$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP" DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE" $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
...@@ -246,7 +308,6 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") ...@@ -246,7 +308,6 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
# #
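Review bot: The `unsupported.${tld}` block rewrites the DNSKEY and RRSIG algorithm to 255 in the signed file but, unlike the existing `dnskey-unsupported` block further down that re-runs `$DSFROMKEY -A -f ${zonefile}.signed` after the same rewrite, it keeps the `dsset-unsupported.${tld}` file that dnssec-signzone derived from the real key; `ns2/sign.sh` then publishes that DS, so the parent DS algorithm and the child DNSKEY algorithm disagree. If only the trust-anchor path on ns8 is meant to be exercised this is harmless, but it should either be regenerated — `DSFILE="dsset-${zone}$TP"; $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"` — or the comment should say the parent chain is intentionally inconsistent. The unquoted `$keyname1 … $keyname5` arguments to `keyfile_to_managed_keys`/`keyfile_to_trusted_keys` work today because key names contain no whitespace, but quoting them matches the rest of the script.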
...@@ -14,6 +14,8 @@ ...@@ -14,6 +14,8 @@
set -e set -e
echo_i "ns5/sign.sh"
zone=. zone=.
infile=../ns1/root.db.in infile=../ns1/root.db.in
zonefile=root.db.signed zonefile=root.db.signed
...@@ -14,6 +14,8 @@ ...@@ -14,6 +14,8 @@
set -e set -e
echo_i "ns6/sign.sh"
zone=optout-tld zone=optout-tld
infile=optout-tld.db.in infile=optout-tld.db.in
zonefile=optout-tld.db zonefile=optout-tld.db
...@@ -14,6 +14,8 @@ ...@@ -14,6 +14,8 @@
set -e set -e
echo_i "ns7/sign.sh"
zone=split-rrsig zone=split-rrsig
infile=split-rrsig.db.in infile=split-rrsig.db.in
zonefile=split-rrsig.db zonefile=split-rrsig.db
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS8
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.8; };
listen-on-v6 { none; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
minimal-responses no;
disable-algorithms "disabled.managed." { @DISABLED_ALGORITHM@; };
disable-algorithms "disabled.trusted." { @DISABLED_ALGORITHM@; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
include "managed.conf";
include "trusted.conf";
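Review bot: The two `disable-algorithms` statements are the whole point of this server, yet nothing in the file says why they are scoped to `disabled.managed.`/`disabled.trusted.` while `enabled.*` is signed with the same algorithm; a comment would save the next reader a trip to ns3/sign.sh: `// The disabled algorithm is scoped to these names only; enabled.managed and enabled.trusted use the same algorithm but lie outside the scope and must still validate.`. It appears ns8 deliberately carries no root trust anchor (zone "." is hint-only and the included files hold only the subzone keys), so a second comment stating that only the anchors in managed.conf/trusted.conf are in play and that everything else is expected to come back insecure would make the expected outcomes explicit. The fixed `rndc_key` secret and `allow { any; }` are fine for a test fixture but the file should say so, as these stanzas tend to get copied.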
...@@ -25,6 +25,7 @@ copy_setports ns5/named1.conf.in ns5/named.conf ...@@ -25,6 +25,7 @@ copy_setports ns5/named1.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
( (
cd ns1 cd ns1
...@@ -1402,8 +1402,11 @@ status=$((status+ret)) ...@@ -1402,8 +1402,11 @@ status=$((status+ret))
echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)" echo_i "checking that a key using an unsupported algorithm cannot be generated ($n)"
ret=0 ret=0
zone=example zone=example
$KEYGEN -a 255 example > dnssectools.out.test$n 2>&1 && ret=0 # If dnssec-keygen fails, the test script will exit immediately. Prevent that
grep "unsupported algorithm: 255" dnssectools.out.test$n || ret=1 # from happening, and also trigger a test failure if dnssec-keygen unexpectedly
# succeeds, by using "&& ret=1".
$KEYGEN -a 255 $zone > dnssectools.out.test$n 2>&1 && ret=1
grep -q "unsupported algorithm: 255" dnssectools.out.test$n || ret=1
n=$((n+1)) n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret)) status=$((status+ret))
...@@ -1413,23 +1416,26 @@ ret=0 ...@@ -1413,23 +1416,26 @@ ret=0
zone=example zone=example
# Fake an unsupported algorithm key # Fake an unsupported algorithm key
unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") unsupportedkey=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
awk '$3 == "DNSKEY" { $6 = 255; print } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp awk '$3 == "DNSKEY" { $6 = 255 } { print }' ${unsupportedkey}.key > ${unsupportedkey}.tmp
mv ${unsupportedkey}.tmp ${unsupportedkey}.key mv ${unsupportedkey}.tmp ${unsupportedkey}.key
$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=0 # If dnssec-dsfromkey fails, the test script will exit immediately. Prevent
grep "algorithm is unsupported" dnssectools.out.test$n || ret=1 # that from happening, and also trigger a test failure if dnssec-dsfromkey
# unexpectedly succeeds, by using "&& ret=1".
$DSFROMKEY ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
grep -q "algorithm is unsupported" dnssectools.out.test$n || ret=1
n=$((n+1)) n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret)) status=$((status+ret))
echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)" echo_i "checking that a zone cannot be signed with a key using an unsupported algorithm ($n)"
ret=0 ret=0
cp ${unsupportedkey}.* signer/ ret=0
( cat signer/example.db.in "${unsupportedkey}.key" > signer/example.db
cd signer || exit 1 # If dnssec-signzone fails, the test script will exit immediately. Prevent that
cat example.db.in "${unsupportedkey}.key" > example.db # from happening, and also trigger a test failure if dnssec-signzone
$SIGNER -o example example.db ${unsupportedkey} > ../dnssectools.out.test$n 2>&1 && ret=0 # unexpectedly succeeds, by using "&& ret=1".
) && ret=0 $SIGNER -o example signer/example.db ${unsupportedkey} > dnssectools.out.test$n 2>&1 && ret=1
grep "algorithm is unsupported" dnssectools.out.test$n || ret=1 <