BIND stops DNSKEY lookup in get_dst_key() when a key with unsupported algorithm is found first
Summary
BIND stops DNSKEY validation when a DNSKEY with an unsupported algorithm is found first. That means a zone signed with a supported KSK and an unsupported ZSK will not be validated, and a query for it results in SERVFAIL. This configuration should be acceptable according to https://tools.ietf.org/html/rfc6840#section-5.11
BIND version used
BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 (Extended Support Version) id:7107deb
Steps to reproduce
The issue can be reproduced with two BIND servers: an authoritative server and a forwarder.
A. On a host with BIND supporting the ED25519 algorithm. This will be our authoritative server. I will be using RHEL-8.
- Install BIND on RHEL-8 host.
- Edit /etc/named/named.conf:
options {
    listen-on port 53 { 127.0.0.1; <IP-of-RHEL8-host>; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { localhost; <IP-of-RHEL7-host>; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "bad." IN {
    type master;
    file "bad.zone.signed";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- Create /var/named/bad.zone:
$TTL 5M
@                    IN SOA <hostname-of-RHEL8>.bad. hostmaster.bad. (
                            1  ; serial
                            5M ; refresh
                            1M ; retry
                            1H ; expire
                            5M ) ; minimum
                     NS   <hostname-of-RHEL8>
                     A    127.0.0.1
                     AAAA ::1
<hostname-of-RHEL8>  A    127.0.0.1
                     AAAA ::1
- Create key pairs:
# cd /var/named
A KSK with an algorithm that RHEL-7 supports:
# dnssec-keygen -f KSK -a RSASHA512 -b 2048 bad
(remember the KSK name, it will be Kbad.+010+?????)
One or two ZSKs with an algorithm that RHEL-7 does not support:
# dnssec-keygen -a ED25519 -n ZONE bad
- Include the keys in bad.zone (the glob matches both the +010+ KSK and the +015+ ZSK files):
# for key in Kbad.+0*.key; do echo "\$INCLUDE $key" >> /var/named/bad.zone; done
- Sign the zone using the KSK (replace ????? with the KSK key-id):
# dnssec-signzone -A -k Kbad.+010+????? -z -3 9911c319070e83f8 -N INCREMENT -o bad -t /var/named/bad.zone
- Start named.
# systemctl start named
B. On our forwarder: BIND without ED25519 support. I will be using RHEL 7.
- Edit /etc/named.conf:
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    recursion yes;
    forward only;
    forwarders { <IP-of-RHEL8-host>; };
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
trusted-keys {
    <paste the KSK key content here in the following example format>
    /* bad. 257 3 10 "AwEAAcjgApTNTSiRSKs4vKQtjbg0rRZSH2eFze87mbRJgH8CWJrKzDT9 XorxywQuiDGDtB/MLGRumrtRQbXppgZR+5KZrwej3AzD2TFRXQokN8k9 Rrf0vuY2XEMEXgEfEHTuaNH5vzdJlv4PbHh/HDH0b2i5JuWGKbCJmt9A 6WUUkj/PsRzGXxnEqKvRjgGGsxyJsZdmR+NeOKXP7yLQej4JYsqcnd/0 ycuKjHtQn4L7fjafS8yi/75yyrcdegN97aldBZXyMOjfvkLa3Sn3WGQD qVmM/t7WlkjOhyPqBcTUCPch74YZoWph4cjnYrxWGrVQJnRku7DUUllA jzTLZxFGuH8="; */
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- Start named.
# service named start
- Run the query.
# dig +dnssec @127.0.0.1 bad.
What is the current bug behavior?
Response with status SERVFAIL.
What is the expected correct behavior?
Correct response with status NOERROR.
Relevant configuration files
Configuration files mentioned in the reproducer.
Relevant logs and/or screenshots
No important logs.
Possible fixes
In current master the relevant code is at https://gitlab.isc.org/isc-projects/bind9/-/blob/master/lib/dns/validator.c#L1128. I'm attaching a patch which fixes this: dnssec-unsupp-algo.patch
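The following is an added model of the key-selection logic described in the summary and in the fix above; it is not code from the report or from BIND's validator.c. It walks a constructed DNSKEY RRset for "bad." in which the unsupported ED25519 ZSK precedes the RSASHA512 KSK, and contrasts a search that stops at the first unsupported key with one that skips it, as RFC 6840 section 5.11 requires; the supported-algorithm set and the key bytes are assumptions.

```python
import struct
from dataclasses import dataclass
RSASHA512, ED25519 = 10, 15
# Assumption: algorithms the RHEL-7 validator implements (no ED25519).
SUPPORTED_ALGS = {5, 7, 8, 10, 13, 14}

@dataclass
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    key: bytes  # public key field; constructed bytes, not a real key

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: sum 16-bit words over the rdata, fold the carry.
        acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

def select_key_buggy(dnskeys, sig_alg, sig_tag):
    """Reported behaviour: the search ends at the first unsupported key."""
    for k in dnskeys:
        if k.algorithm not in SUPPORTED_ALGS:
            return None  # gives up even though a usable key may follow
        if k.algorithm == sig_alg and k.key_tag() == sig_tag:
            return k
    return None

def select_key_fixed(dnskeys, sig_alg, sig_tag):
    """RFC 6840 section 5.11: ignore unusable keys and keep looking."""
    for k in dnskeys:
        if k.algorithm not in SUPPORTED_ALGS:
            continue
        if k.algorithm == sig_alg and k.key_tag() == sig_tag:
            return k
    return None

# Constructed DNSKEY RRset for "bad." in canonical order: the ED25519 ZSK
# (flags 256) sorts before the RSASHA512 KSK (flags 257) that signed it.
ZSK = DNSKEY(256, 3, ED25519, bytes(range(32)))
KSK = DNSKEY(257, 3, RSASHA512, b"\x03\x01\x00\x01" + bytes(256))
RRSET = [ZSK, KSK]

def validate_dnskey_rrset(select):
    # The RRSIG over the DNSKEY RRset names algorithm 10 and the KSK's tag.
    key = select(RRSET, RSASHA512, KSK.key_tag())
    return "NOERROR" if key is KSK else "SERVFAIL"
```

`validate_dnskey_rrset(select_key_buggy)` yields SERVFAIL for exactly the key order produced by the reproducer, while `select_key_fixed` finds the KSK and yields NOERROR.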