Commit 2534a73a authored by Mark Andrews

2608. [func] Perform post signing verification checks in

                        dnssec-signzone.  These can be disabled with -P.

                        The post sign verification test ensures that for each
                        algorithm in use there is at least one non revoked
                        self signed KSK key.  That all revoked KSK keys are
                        self signed.  That all records in the zone are signed
                        by the algorithm.  [RT #19653]
parent f05a6b11
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
The post sign verification test ensures that for each
algorithm in use there is at least one non revoked
self signed KSK key. That all revoked KSK keys are
self signed. That all records in the zone are signed
by the algorithm. [RT #19653]
2607. [bug] named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
[RT #19749]
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.31 2008/10/14 14:28:25 jreed Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.32 2009/06/04 02:13:37 marka Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -72,6 +72,7 @@
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg><option>-p</option></arg>
<arg><option>-P</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-t</option></arg>
......@@ -358,6 +359,21 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>
Disable post sign verification tests.
</para>
<para>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key.
That all revoked KSK keys are self signed. That all records
in the zone are signed by the algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.c,v 1.45 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: dnssectool.c,v 1.46 2009/06/04 02:13:37 marka Exp $ */
/*! \file */
......@@ -65,7 +65,7 @@ void
fatal(const char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", program);
fprintf(stderr, "%s: fatal: ", program);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpZ
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: oXTPXsN2QEAqJhJxU2rOypfDtXP8LHk4LDtP/pGdT8qIa/zXmSUfahvLBFlfZlwSD1HxJTNCI/3KBjSzXEXkgViLfYexZ+01XtX+A3A2sycYLSBXZ7c5rCxDYJhZllXA5uv9+Zwohe5jp5F0m3I6KUxGGW+ugl1dnDUJB2JzGlk=
PublicExponent: AQAB
PrivateExponent: QrbJmRabHiFlSSYFvbo8iGn9bFTotlfAZkZ732y72+SMSlLHo3g7atThJoLncJxKuhnZ0s1DXyvW9omAM3iN2lxfVDW58at1amj/lWRDYkjI0fM8z6eyrF4U2lHKDM2YEstg+sGAAs5DUZBbli4Y7+zHjhxSKLYvRf4AJvX8aoE=
Prime1: 0259CgdF0JW+miedRZXC6tn3FijZJ4/j5edzd8IpTpdUSZupQg9hMP1ot7crreNq7MnzO0Z2ImbowUx8CDOuXQ==
Prime2: w31/WLM2275Z1tsHEOhrntUQCUk55B4PNOCmM4hjp0vAvA/SVSgAYRNb7rc/ujaLf0DnxnDsnVsFAS2PmvQELQ==
Exponent1: yKPhJNMh/X8dEUzmglJMVnHheLXq3RA/RL0PZmZqrJoO8os1Y+sUYFkaNr0sRie6IFrE50tGb/8YgdcDHQVuQQ==
Exponent2: lVhDuGy5RSjnk1eiz0zwIthctutlOZupPFk/P3E7yGv74vAnXH0BxSe3/Oer3MOc0GuyZYyRhyko6px28AbpRQ==
Coefficient: Hjup1nDnPFkQrxU2qLQBJrDz+ipw0RkNhsjWs6IgAq1Mq4sFV50bR9hOTLDd9oNhhtAwVjF+Oc0WIq+M1Mi6Ow==
example.com. IN DNSKEY 257 3 5 AwEAAbuWh5W3eGwixISqPwxszotQ0246KqhUB2Mb6JqNMJd6cWR66IrX YnevpIHsb6oanqJmVzOcJ6Yj3rXOIYtYYXgLbT7EJ8x7BNCZPHxG+w5C 7I1WsDbT6eGf//FLn2c4odKLOXaWCVITeNy61w43IlteIT9Q1egKdt+8 a7X9605j
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: u5aHlbd4bCLEhKo/DGzOi1DTbjoqqFQHYxvomo0wl3pxZHroitdid6+kgexvqhqeomZXM5wnpiPetc4hi1hheAttPsQnzHsE0Jk8fEb7DkLsjVawNtPp4Z//8UufZzih0os5dpYJUhN43LrXDjciW14hP1DV6Ap237xrtf3rTmM=
PublicExponent: AQAB
PrivateExponent: XZSssv3CL3/wtZYQuewV5d4+e8C8wxiYTtL/aQqCcS7+HnhKRelJEBgpYz9GPX/mH3Iakn6WMQW39s6MYW2HwXUnqhsvHoyabGX0Dbc/1LcY4J2VPgzVHwSXYm+j4unOByOOS4KoBtUAQxJsTBokVZrZ5pKsLUK9X2gdywYw+PE=
Prime1: 9fB7PaygjKoT1nbbeEMy1KYNqetg3zmN49Mk6ilEWxzJXKSSjTIhdkiLGXtYmE8rDBLBiYm8YWNe7YdA9PbQ7Q==
Prime2: w0L7mTOLDecH3XAkC/wvALv8K9KSoZ31ajidKBxV15u8awj5AxDG7gjerYgCLjU1fq1GulMr11j8r4ftQn3Cjw==
Exponent1: Up52yEE1rgt0npdPIxdv+//Ml0h7QoITKHXF8OPsEq+Y9YZTtRsiIpo8IFNPb9somuWyHoImxpCbUzAcoi5IAQ==
Exponent2: uYTbvYx+UsAt9dOFPCnnkqAJEK3qCUomET0m/CQn30mldGC7DpGTIDgnMeLmh3agk/IYIBHDtsBinHfeEe2guw==
Coefficient: FiHAet8On9Yaz1ksEAlCWulwck3zPWIsgqJBM2J4kHhgHTm17mZyxtVxIzLAMBNMIBcFl40FCpmPmTLY5QK5mw==
;
; This is a bogus key. It will not have a .private file.
;
; This will be key id 7091
;
example.com. IN DNSKEY 257 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
;
; This is a bogus key. It will not have a .private file.
;
; This will be key id 7092
;
example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
#!/bin/sh
sign="../../dnssec/dnssec-signzone -f signed.zone -o example.com."
signit() {
rm -f signed.zone
grep '^;' $zone
$sign $zone
}
expect_success() {
if ! test -f signed.zone ; then
echo "Error: expected success, but sign failed for $zone."
else
echo "Success: Sign succeeded for $zone."
fi
}
expect_failure() {
if test -f signed.zone ; then
echo "Error: expected failure, but sign succeeded for $zone."
else
echo "Success: Sign failed (expected) for $zone"
fi
}
zone="test1.zone" ; signit ; expect_success
zone="test2.zone" ; signit ; expect_failure
zone="test3.zone" ; signit ; expect_failure
zone="test4.zone" ; signit ; expect_success
zone="test5.zone" ; signit ; expect_failure
zone="test6.zone" ; signit ; expect_failure
zone="test7.zone" ; signit ; expect_failure
zone="test8.zone" ; signit ; expect_failure
;
; This is a zone which has two DNSKEY records, both of which have
; existing private key files available. They should be loaded automatically
; and the zone correctly signed.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
;
; This is a zone which has one non-KSK DNSKEY record for which the
; private key file exists. It should be loaded automatically and the zone
; correctly signed.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
;
; This is a zone which has one KSK DNSKEY record for which the
; private key file exists. It should be loaded automatically. As there
; is no non-KSK DNSKEY the resulting zone should be rejected.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+23362.key
;
; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
; which have existing private key files available. The third is a
; pre-published ZSK.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
$include bogus-zsk.key
;
; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
; have existing private key files available. The third is a KSK.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
$include bogus-ksk.key
;
; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
; have existing private key files available. There are also a KSK and ZSK
; for which there will be no signatures.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
$include bogus-ksk.key
$include bogus-zsk.key
;
; This is a zone which has two DNSKEY records, none of which have
; existing private key files available. The resulting zone should fail
; the consistancy tests.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include bogus-ksk.key
$include bogus-zsk.key
;
; This is a zone which has two DNSKEY records, one of which,
; the KSK, has a private key. The resulting zone should be rejected as
; it has no ZSK signatures.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+23362.key
$include bogus-zsk.key
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.25 2008/09/25 04:02:38 tbox Exp $
# $Id: sign.sh,v 1.26 2009/06/04 02:13:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -35,8 +35,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key > $zonefile
echo $SIGNER -g -r $RANDFILE -o $zone $zonefile
$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key.
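Review bot: The echoed command on the line above the signer call still reads `echo $SIGNER -g -r $RANDFILE -o $zone $zonefile`, so the test log shows a command without `-P` while the command actually run includes it; update it to `echo $SIGNER -P -g -r $RANDFILE -o $zone $zonefile` so the log matches. A short comment saying why verification is disabled in this test would also help a later reader: presumably the zone is signed with only the single RSAMD5 zone key generated above and no KSK, so the new per-algorithm self-signed-KSK check would reject it, but that reasoning is not visible in the hunk and should be confirmed, e.g. `# -P: zone has no KSK, so post-sign verification would reject it`.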