add DNSSEC EDE test for unsupported digest and alg

A DNSSEC validation can fail in the case where multiple DNSKEY are available for a zone and none of them are supported, but for different reasons: one has a DS record in the parent zone using an unsupported digest while the other one uses an unsupported encryption algorithm. Add a specific test case covering this flow and making sure that two extended DNS error are provided: code 1 and 2, each of them highlighting unsupported algorithm and digest.
2025-08-31 06:25:31 +00:00 · 2025-01-20 20:59:23 +01:00
parent 8b50d63fe1
commit 244923b9dc
11 changed files with 77 additions and 2 deletions
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -105,6 +105,9 @@ ns.dnskey-unsupported	A	10.53.0.3
 ds-unsupported	NS	ns.ds-unsupported
 ns.ds-unsupported	A	10.53.0.3

+digest-alg-unsupported    NS 	ns.digest-alg-unsupported
+ns.digest-alg-unsupported A	10.53.0.3
+
 dnskey-nsec3-unknown	NS	ns.dnskey-nsec3-unknown
 ns.dnskey-nsec3-unknown	A	10.53.0.3

--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -56,7 +56,8 @@ infile=example.db.in
 zonefile=example.db

 # Get the DS records for the "example." zone.
-for subdomain in ds-unsupported secure badds bogus dynamic keyless nsec3 optout \
+for subdomain in digest-alg-unsupported ds-unsupported secure badds \
+  bogus dynamic keyless nsec3 optout \
  nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
  kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
--- a/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in
+++ b/bin/tests/system/dnssec/ns3/digest-alg-unsupported.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+a			A	10.0.0.1
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -195,6 +195,12 @@ zone "dnskey-unknown.example" {
 	file "dnskey-unknown.example.db.signed";
 };

+zone "digest-alg-unsupported.example" {
+	type primary;
+	file "digest-alg-unsupported.example.db.signed";
+	allow-update { any; };
+};
+
 zone "ds-unsupported.example" {
 	type primary;
 	file "ds-unsupported.example.db.signed";
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -299,7 +299,31 @@ DSFILE="dsset-${zone}."
 $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"

 #
-# A zone which is fime by itself (supported alg and digest) but that is used
+# A zone which uses an unsupported algorithm for a DNSKEY and an unsupported
+# digest for another DNSKEY
+#
+zone=digest-alg-unsupported.example.
+infile=digest-alg-unsupported.example.db.in
+zonefile=digest-alg-unsupported.example.db
+
+cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
+dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+keyname2=$("$KEYGEN" -q -a ED448 -b "$DEFAULT_BITS" -n zone "$zone")
+
+cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" "$keyname2.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+# override generated DS record file so we can set different digest to each keys
+DSFILE="dsset-${zone}"
+$DSFROMKEY -1 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
+$DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
+
+#
+# A zone which is fine by itself (supported algorithm) but that is used
 # to mimic unsupported DS digest (see ns8).
 #
 zone=ds-unsupported.example.
--- a/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -29,6 +29,8 @@ options {
 	nta-recheck 9s;
 	validate-except { corp; };

+	disable-algorithms "digest-alg-unsupported.example." { ED448; };
+	disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
 	disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };

--- a/bin/tests/system/dnssec/ns4/named2.conf.in
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -25,6 +25,8 @@ options {
 	dnssec-validation auto;
 	bindkeys-file "managed.conf";
 	minimal-responses no;
+	disable-algorithms "digest-alg-unsupported.example." { ED448; };
+	disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
 	disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
--- a/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -26,6 +26,8 @@ options {
 	bindkeys-file "managed.conf";
 	dnssec-accept-expired yes;
 	minimal-responses no;
+	disable-algorithms "digest-alg-unsupported.example." { ED448; };
+	disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
 	disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -21,6 +21,8 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
+	disable-algorithms "digest-alg-unsupported.example." { ED448; };
+	disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
 	disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
 	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
 };
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3701,6 +3701,16 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)"
+ret=0
+dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ED448 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-1 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
 ret=0
 dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -83,6 +83,7 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/dnskey-unsupported.example.db",
        "ns3/dnskey-unsupported.example.db.tmp",
        "ns3/dynamic.example.db",
+        "ns3/digest-alg-unsupported.example.db",
        "ns3/enabled.managed.db",
        "ns3/enabled.trusted.db",
        "ns3/example.bk",