diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 1bbfd203a55caae1e125749cc4837b9dc9f0874f..f67c61d52fa2a5adb2e169b1915badf5062f5072 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -55,6 +55,10 @@ rm -f ./ns3/dnskey-nsec3-unknown.example.db
rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ./ns3/dnskey-unknown.example.db
rm -f ./ns3/dnskey-unknown.example.db.tmp
+rm -f ./ns3/dnskey-unsupported.example.db
+rm -f ./ns3/dnskey-unsupported.example.db.tmp
+rm -f ./ns3/dnskey-unsupported-2.example.db
+rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 79424b4a0a521eb47fae04df497adf549786805c..2545faf6b9fb68cffc4add8827fbee7612381874 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -97,6 +97,9 @@ ns.optout-unknown A 10.53.0.3
dnskey-unknown NS ns.dnskey-unknown
ns.dnskey-unknown A 10.53.0.3
+dnskey-unsupported NS ns.dnskey-unsupported
+ns.dnskey-unsupported A 10.53.0.3
+
dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
ns.dnskey-nsec3-unknown A 10.53.0.3
@@ -111,7 +114,7 @@ ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
-kskonly NS ns.kskonly
+kskonly NS ns.kskonly
ns.kskonly A 10.53.0.3
update-nsec3 NS ns.update-nsec3
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
new file mode 100644
index 0000000000000000000000000000000000000000..c9e7c2b3da765dea9e423745c151434859ee6fff
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.e A 10.0.0.6
+child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
new file mode 100644
index 0000000000000000000000000000000000000000..c9e7c2b3da765dea9e423745c151434859ee6fff
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.e A 10.0.0.6
+child NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns3/dsa.key b/bin/tests/system/dnssec/ns3/dsa.key
new file mode 100644
index 0000000000000000000000000000000000000000..1dfb289da26667b410c5ab9078d350b1332b8962
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/dsa.key
@@ -0,0 +1 @@
+dnskey-unsupported-2.example. IN DNSKEY 257 3 3 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 0218ef1100f44f5a1bb70eb30cdd57149cc1e015..fc43832b4e1a7df25b60d8f2d44d4a8b353cf2c8 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -151,6 +151,16 @@ zone "dnskey-unknown.example" {
file "dnskey-unknown.example.db.signed";
};
+zone "dnskey-unsupported.example" {
+ type master;
+ file "dnskey-unsupported.example.db.signed";
+};
+
+zone "dnskey-unsupported-2.example" {
+ type master;
+ file "dnskey-unsupported-2.example.db.signed";
+};
+
zone "dnskey-nsec3-unknown.example" {
type master;
nsec3-test-zone yes;
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 3ac3afc8e1ee88cef902448d4b99d9ffdc34fab1..6b9b320ce267101b4720a642d1e7bbd7df7dd743 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -193,7 +193,7 @@ cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
-# A zone with a unknown DNSKEY algorithm.
+# A zone that is signed with an unknown DNSKEY algorithm.
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-unknown.example.
@@ -211,6 +211,41 @@ awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { prin
DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP
$DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
+#
+# A zone that is signed with an unsupported DNSKEY algorithm (3).
+# Algorithm 7 is replaced by 3 in the zone and dsset.
+#
+zone=dnskey-unsupported.example.
+infile=dnskey-unsupported.example.db.in
+zonefile=dnskey-unsupported.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$keyname.key" > "$zonefile"
+
+"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
+
+awk '$4 == "DNSKEY" { $7 = 3; print } $4 == "RRSIG" { $6 = 3; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+
+DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
+$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
+
+#
+# A zone with a published unsupported DNSKEY algorithm (DSA).
+# Different from above because this key is not intended for signing.
+#
+zone=dnskey-unsupported-2.example.
+infile=dnskey-unsupported-2.example.db.in
+zonefile=dnskey-unsupported-2.example.db
+
+ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" dsa.key > "$zonefile"
+
+# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
+"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
+
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
# Algorithm 7 is replaced by 100 in the zone and dsset.
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index c69cb155ed87c90e72b735d753ddc8dd8f8b5b07..5d0b1282aee6f5ae17d0bd2ec4653796a1845dd8 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
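Review bot: In the new `awk '$4 == "DNSKEY" { $7 = 3; print } $4 == "RRSIG" { $6 = 3; print } { print }'` line both the matching rule and the catch-all `{ print }` fire for every DNSKEY and RRSIG record, so each of those lines appears to be written twice into `${zonefile}.signed`; the same shape is visible in the existing hunk header, so the zone presumably still loads, but `{ $7 = 3; print; next }` / `{ $6 = 3; print; next }` keeps the rewritten file clean. In the dnskey-unsupported-2 block a commented-out `"$SIGNER"` call is left directly above the live one, and that live call is the only signer invocation in this hunk without `> /dev/null 2>&1`, so its output lands in the signing log; drop the dead line and write `"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1`. The header comment `# Algorithm 7 is replaced by 3 in the zone and dsset.` names algorithm 7 while the key is generated with `$DEFAULT_ALGORITHM` and the awk rewrite replaces whatever value is in the field, so `# The DNSKEY/RRSIG algorithm field is rewritten to 3 (DSA) in the zone and dsset.` would not go stale. `-f ${zonefile}.tmp`, `${zonefile}.tmp > ${zonefile}.signed` and `-f ${zonefile}.signed` are the only unquoted expansions in a block that otherwise quotes every variable. The second block generates no dsset, and the ns2 example.db.in hunk in this commit delegates only dnskey-unsupported, so dnskey-unsupported-2 looks reachable only by querying ns3 directly as tests.sh does; if that is intended, a sentence to that effect in the block comment would save the next reader the cross-check.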
@@ -3338,6 +3338,26 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
+ret=0
+dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
+grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
+grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 3" dig.out.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
ret=0
(
diff --git a/util/copyrights b/util/copyrights
index 4ffffb3326245fde39278ecd6f1cac814d9dd84a..a2532a6a4c8ef117094abc5e1b41b0da535013c7 100644
--- a/util/copyrights
+++ b/util/copyrights
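Review bot: The two new checks use `n=$((n+1))`, `test "$ret" -eq 0 || echo_i "failed"` and `status=$((status+ret))` while the neighbouring checks visible in this hunk use `n=\`expr $n + 1\``, `if [ $ret != 0 ]; then echo_i "failed"; fi` and `status=\`expr $status + $ret\``; the new form is the better one, but mixing both in the same file makes the per-check boilerplate harder to scan, so either match the neighbours here or convert them in a separate change. The first check carries the security-relevant assertion, NOERROR from the validating ns4 together with no AD flag, which is the "treated as insecure, not bogus" outcome the check's title describes; a one-line comment above the ns4 greps such as `# unsupported DNSKEY algorithm: validator must answer NOERROR without AD, not SERVFAIL` would make that expectation explicit for whoever next touches the grep patterns. The second check writes to `dig.out.test$n` whereas the first names the server in `dig.out.ns3.test$n`; using the same convention helps when inspecting a failed run. That second check queries only the authoritative ns3 for the DNSKEY RRset, so it confirms the DSA key is published but says nothing about how a validator handles the RRset; that looks intentional given the zone is not delegated from ns2 in this commit, and a short comment saying so would prevent it being read as an oversight.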
@@ -1015,6 +1015,9 @@
./bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in ZONE 2018
./bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in ZONE 2014,2016,2018
./bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in ZONE 2014,2016,2018
+./bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in ZONE 2018
+./bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in ZONE 2018
+./bin/tests/system/dnssec/ns3/dsa.key X 2018
./bin/tests/system/dnssec/ns3/dynamic.example.db.in ZONE 2002,2004,2007,2016,2018
./bin/tests/system/dnssec/ns3/expired.example.db.in ZONE 2011,2012,2016,2018
./bin/tests/system/dnssec/ns3/expiring.example.db.in ZONE 2011,2012,2016,2018
@@ -1060,6 +1063,7 @@
./bin/tests/system/dnssec/ns4/named2.conf.in CONF-C 2011,2013,2016,2017,2018
./bin/tests/system/dnssec/ns4/named3.conf.in CONF-C 2012,2013,2016,2017,2018
./bin/tests/system/dnssec/ns4/named4.conf.in CONF-C 2013,2016,2017,2018
+./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018
./bin/tests/system/dnssec/ns5/named1.conf.in CONF-C 2000,2001,2004,2006,2007,2015,2016,2017,2018
./bin/tests/system/dnssec/ns5/named2.conf.in CONF-C 2000,2001,2004,2006,2007,2015,2016,2018
./bin/tests/system/dnssec/ns5/sign.sh SH 2015,2016,2017,2018