dnssec: Check validation with short RSA key size FIPS mode

use a pregenerated zone signed with RSASHA1 keys at 1024 bits.

bin/tests/system/dnssec/clean.sh

@@ -27,7 +27,6 @@ rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
-rm -f ./ns2/too-many-iterations.db
 rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
@@ -54,7 +53,9 @@ rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
 rm -f ./ns2/in-addr.arpa.db
 rm -f ./ns2/nsec3chain-test.db
 rm -f ./ns2/single-nsec3.db
+rm -f ./ns2/too-many-iterations.db
 rm -f ./ns2/updatecheck-kskonly.secure.*
+rm -f ./ns3/NSEC ./ns3/NSEC3
 rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
 rm -f ./ns3/badds.example.db
 rm -f ./ns3/dname-at-apex-nsec3.example.db
@@ -83,6 +84,8 @@ rm -f ./ns3/optout.nsec3.example.db
 rm -f ./ns3/optout.optout.example.db
 rm -f ./ns3/publish-inactive.example.db
 rm -f ./ns3/revkey.example.db
+rm -f ./ns3/rsasha1-1024.example.tmp
+rm -f ./ns3/rsasha1.example.tmp
 rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
 rm -f ./ns3/secure.below-cname.example.db
 rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
@@ -96,7 +99,6 @@ rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
 rm -f ./ns3/ttlpatch.example.db.patched
 rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
 rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
-rm -f ./ns3/NSEC ./ns3/NSEC3
 rm -f ./ns4/named_dump.db*
 rm -f ./ns6/optout-tld.db
 rm -f ./ns7/multiple.example.bk ./ns7/nsec3.example.bk ./ns7/optout.example.bk
@@ -109,9 +111,9 @@ rm -f ./signer/*.signed.post*
 rm -f ./signer/*.signed.pre*
 rm -f ./signer/example.db.after ./signer/example.db.before
 rm -f ./signer/example.db.changed
+rm -f ./signer/general/*.jnl
 rm -f ./signer/general/dsset*
 rm -f ./signer/general/signed.zone
-rm -f ./signer/general/*.jnl
 rm -f ./signer/general/signer.err.*
 rm -f ./signer/general/signer.out.*
 rm -f ./signer/nsec3param.out

bin/tests/system/dnssec/ns2/example.db.in

@@ -171,4 +171,7 @@ ns.revkey		A	10.53.0.3
 rsasha1			NS	ns.rsasha1
 ns.rsasha1		A	10.53.0.3
 
+rsasha1-1024		NS	ns.rsasha1-1024
+ns.rsasha1-1024		A	10.53.0.3
+
 dname-at-apex-nsec3	NS	ns3

bin/tests/system/dnssec/ns2/sign.sh

@@ -63,7 +63,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
 	ttlpatch split-dnssec split-smart expired expiring upper lower \
 	dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
 	dnskey-nsec3-unknown managed-future revkey \
-	dname-at-apex-nsec3 occluded rsasha1
+	dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024
 do
 	cp "../ns3/dsset-$subdomain.example." .
 done

bin/tests/system/dnssec/ns3/named.conf.in

@@ -383,6 +383,11 @@ zone "rsasha1.example" {
 	file "rsasha1.example.db";
 };
 
+zone "rsasha1-1024.example" {
+	type primary;
+	file "rsasha1-1024.example.db";
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";

bin/tests/system/dnssec/ns3/rsasha1-1024.example.db

@@ -0,0 +1,63 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; File written on Tue Jan 11 18:07:57 2022
+; dnssec_signzone version 9.17.21
+rsasha1-1024.example.			      300 IN SOA	mname1. . 2000042407 20 20 1814400 3600
+rsasha1-1024.example.			      300 IN RRSIG	SOA 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. kM6ztqAaLkxcRxYWrw2oe3qofzoIRjDv/tLD/A5edreqzzwj7H6Ihm0s JHfzqVOWBTwYzX0XgD0PXCqMdkXP7QlcWGYK7uCWnisayZIwNCdkywPC sS2ky1d0eK1A7kJ9nEH/eOgLba5uFZcAo8+9dD/6o6Rt1jTeTQkL4RHI UC8=
+; resign=20900129082204
+rsasha1-1024.example.			      300 IN NS		ns.rsasha1-1024.example.
+rsasha1-1024.example.			      300 IN RRSIG	NS 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. jxbsZlgK4B6IkCrZuNDVv/EIqgCU8pTOyWEt2DqvzRI8AeL3I+U9Nbcz 9gmQRaNEtffLVR/sfht6v1ms4AFJKd0xLSZj9ywsZKCmG12UxfNIoZ49 4d1ono8hGYU8xr1Qh1BU2HwgGY1JF4OyO28cgrkT2F9dAvG8MSMEW5Sg 9A8=
+; resign=20900129082204
+rsasha1-1024.example.			      300 IN NSEC	a.rsasha1-1024.example. NS SOA RRSIG NSEC DNSKEY
+rsasha1-1024.example.			      300 IN RRSIG	NSEC 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. AfEX9beXrft4d1moQD1VP3Em9cMgJmx2EYBKMlW5e5XFNk2Z5Wj1N//3 sBuUPNppxUilUEydqH5psVw7IMhrz8Q1+bhABNV7cPm1EOuq0NuQJ2LN JNlTnjfaRT6IAtY7d+NOCO2eKlDzMC/q8t2oaB+iHhgO7yc5+fxMGyQ/ PVc=
+; resign=20900129082204
+rsasha1-1024.example.			      300 IN DNSKEY	256 3 5 AwEAAaYD3SqsLtFHSfDhA8HhNKQJOToRptRmFhsYbqre+lq/BLpLQNkA 7Kq+chsUhOe+8OHMfkNXfr3XFyuUA3rBg15kq57NZ5gLzkHyeGqB9Ths M5pdwDCqPjJKP43W2+EXXHWsg5P94yldWcvMx1v80vrxGvUimfiQSznE hok/6oqR
+rsasha1-1024.example.			      300 IN DNSKEY	257 3 5 AwEAAeEe/ohrvXtDqYgrz5Q1WAKRstnnH0xi/4Mne49PLO56TcVPf6sg xpv/SaHSlQGJnVbQBLebPemKDAC1vVOUqdTDxHJbLuO28brIWMzf0pc1 5G2RNtrQf44E4yaibSROhyBmWoerUHTPGJw6BGDI4fb/CVWujFQ1ieBy WC0p1NWH
+rsasha1-1024.example.			      300 IN RRSIG	DNSKEY 5 2 300 20900129082204 20220111060757 22290 rsasha1-1024.example. nBLPJfoZe4G3wOe17bBSMooRZHe523pjdaTAK2PmXEa8exXH+OWCHh7f Jnh/SI89Hp9a2ru1Skze3FcUcTj/SlwtEuWpxOs9B1R29P1xVPCwkAfb xsmtmE6u5+oeLGrt88zA/kpjx6t0sFbU7A8/qxlpuoH+hdAu1jI2tlP4 d30=
+rsasha1-1024.example.			      300 IN RRSIG	DNSKEY 5 2 300 20900129082204 20220111060757 1151 rsasha1-1024.example. 0oNrcBsFySVjBT60SX3m7cKIPmuCOUH0ZFucrmEVXJLGpNOXe37aXbnC Iz+NHcaaeZQP/w4aYSTyQvZs6Vl5Tufeic3SWalzTGv0f01mIIk24v1a h4ePUB8w0b0+/qq89zl6Ccr2/PgTaLvjuSGYcgX15cigqPRcKQNYCwO1 Vsk=
+; resign=20900129082204
+z.rsasha1-1024.example.			      300 IN A		10.0.0.26
+z.rsasha1-1024.example.			      300 IN RRSIG	A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Zf/ynA7APXpNjcMPusIjRan0/ITLmeeY7GJfhCLeD3lEjnAd7dWRl7sC N5sBzUG78Mtgm39Ov/Kj2EwQjFcwcMUmppan3NzS+1YtYuZqlN9iAW+b UUfv8UQUHvM3x/hW4kNCPd2PHIzV2uedIp7VG3Lz72FvjHxECbI7g79V 18c=
+; resign=20900129082204
+z.rsasha1-1024.example.			      300 IN NSEC	rsasha1-1024.example. A RRSIG NSEC
+z.rsasha1-1024.example.			      300 IN RRSIG	NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. FPlYMJ41r79tkhIkDTX9/uVtcKXfHa+5oXb8fdo7/2CugjBfp5uihn57 3gMmY7Mi2aVsW64hRkehPJr+sTUOk5+ILhO2Qhjdrm2DpHgeSK29BTQr Okn9ruvpLhRFHwI/DllnKvBOyCmKSzJZE7PDOrqouGclNue07IXz+K2R bME=
+; resign=20900129082204
+b.rsasha1-1024.example.			      300 IN A		10.0.0.2
+b.rsasha1-1024.example.			      300 IN RRSIG	A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. gQmhCIwai57iscF2s5CJ5DbSy0Z9TiOWYGeFeZITxQ/koFOOjyuZXAZn 6f7mTUcFPhNm4AT/PJAs/L/tzcE16pcVwwDnHszdY28XwEU6OqaXUB3E T/Qu4Sh0BWet9U6JcSSqLG5317qJxqSGfnIJOXMucYi3MH3W8uSpapr+ 4Qk=
+; resign=20900129082204
+b.rsasha1-1024.example.			      300 IN NSEC	d.rsasha1-1024.example. A RRSIG NSEC
+b.rsasha1-1024.example.			      300 IN RRSIG	NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. Do6VghMEcHk35Q7fI2VrrQBYhChT4pnw791qUFhHZeol5fIKtEnrlviA RN2fbEY+7OrQQXo7Ywxo7nTD9sYsFgOwGKqKJ+yLNPcr++0csbkgt5rU ch1Lv+t7jOUuUX8IzgjOoCH5j9eoU5QtGkEBxf6z0nvlsLJaTWwTqvbr 7aU=
+; resign=20900129082204
+a.rsasha1-1024.example.			      300 IN A		10.0.0.1
+a.rsasha1-1024.example.			      300 IN RRSIG	A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. CaPXSTPLNeQ4MyRylYP/Ztb6kRT9/QdgpTnZxUHCjSdWEBXsrkEr55/z dBSQ8zGGOfCxlOkmgH/UrR7JmHTQrIqsb/iVq+6D0mfvNJDyNpT92bo8 r+C62/9NXLlkS5zcpyNG8Ls66EQ7dcFa6SxwdxF1qaoeBjJvkrGUMnzP UFo=
+; resign=20900129082204
+a.rsasha1-1024.example.			      300 IN NSEC	b.rsasha1-1024.example. A RRSIG NSEC
+a.rsasha1-1024.example.			      300 IN RRSIG	NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. DJlfCVMSPZ6KUIUhWUBt7LOCB8vBbxOFaR4PoHs/fLpGBWrQj46sjLKO W/TImquBg3ygYTOIyWEzVb177HryRmx65AKnfGLbzaTdTgHzcELwg88t EYFT4ODalqTn68o2RfWtNl95FNqJR/kguxxzFVgpN4zfGKXdhTWAA4JW zG0=
+; resign=20900129082204
+a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example.   300 IN A		10.0.0.27
+a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example.   300 IN RRSIG	A 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. PVFCHIXgDCZOHsTsr3G9wMnPPmiY4CfOXC3b1ZF2qEDqloIT+YX5oKKE uiT6fCBteS6Cq8XTXdezXjqTqxrdY4qMMOBDnIZhf8eOxjFzMEUKKZuH 9c5rt8u35TihuIdKv9OPXdWuTJ4dVSEZjNNxvh3VoMW6XFagYmu3f8Gr 0rg=
+; resign=20900129082204
+a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example.   300 IN NSEC	ns.rsasha1-1024.example. A RRSIG NSEC
+a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example.   300 IN RRSIG	NSEC 5 13 300 20900129082204 20220111060757 22290 rsasha1-1024.example. VOOEksRwMWNO2ESMrcMyPFAHuXyYgeLVODy46DwDx8PTli3/UwOH1e3l qd3Poh2K/OFP2v8TuzkXXnPW48Lg90haHtG9yLr5UUNoKntmBC9PFeqt P/qdOBiHszvcyyjJ4gabEX2gn+o/sL/klQV4m3mB4Vf5sg2dfX8Qyuw6 nDQ=
+; resign=20900129082204
+d.rsasha1-1024.example.			      300 IN A		10.0.0.4
+d.rsasha1-1024.example.			      300 IN RRSIG	A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. XcxbM4wA+yTOAwPePwRIg6E58HuMr5qIkdghNn/R5ck1JdirLbMB/Wpp Si+5a4q9F02Bs8uZv2YXtXRIa32i1/L6OPeU3RFQfvkpHbQNTvPtsuAL bmFGB/zdR6XQpqC6G+ip9qY+mk2hXwCZZ24NW90O9qYlE8Rp145/dIVM DPo=
+; resign=20900129082204
+d.rsasha1-1024.example.			      300 IN NSEC	a.a.a.a.a.a.a.a.a.a.e.rsasha1-1024.example. A RRSIG NSEC
+d.rsasha1-1024.example.			      300 IN RRSIG	NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. fmBjPGTNWOXAs51XO1fIRCKAbf9TLTV04TmlgLm50oOouEXsXpwKo6tb MbCGI2f+u986mtzLW4gWY+rcAPrMCndu5BPIYPk/Ngd6zqylWJzAfKyg PIqO0lf6jg0J3FfP39fw9bf+xB+AI1PWBrVZ55LotBYgIBZYhQ1LKPZ2 iyU=
+; resign=20900129082204
+ns.rsasha1-1024.example.		      300 IN A		10.53.0.3
+ns.rsasha1-1024.example.		      300 IN RRSIG	A 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. beHl0WxLgPYkzKs/tdQnphXDzHx6FqdQRlVtJIYHGoWmWe4X6JWg4ENB a0xPeOGFQPBMgNuKbwyjAVmX0B3Su4LiBM7GcmfJbd4YRNCa4hQvhDpG o5A54Pxo2Qdo9Cffhzva5z4iO+DNnmBsfKGPna4sO2lRNfIxXlxCTbnE zps=
+; resign=20900129082204
+ns.rsasha1-1024.example.		      300 IN NSEC	z.rsasha1-1024.example. A RRSIG NSEC
+ns.rsasha1-1024.example.		      300 IN RRSIG	NSEC 5 3 300 20900129082204 20220111060757 22290 rsasha1-1024.example. aZTImJ5QFufIQEIuX+5ZYVW2Yq4ctxeX9zm9yrQaUODvVRm3X3WjncrU hkgDaW3a/j8RRG0cdAnzSWCzIMz0Yv4kWxrxCEJyIgmVUQ3fzxzpGwMF ZwCtNb9aWmImcAugTnjocn5+iCiyTEVipZmTASEyN0Bgp5Q4oFChnzIj kjk=
+; resign=20900129082204

bin/tests/system/dnssec/ns3/rsasha1-1024.example.db.in

@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27

bin/tests/system/dnssec/ns3/sign-rsasha1-1024.sh

@@ -0,0 +1,27 @@
+#!/bin/sh -ef
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# RSASHA1 is validate only in FIPS mode so we need to have a pre-signed
+# version of the zone to test with in FIPS mode.  This requires a non
+# FIPS build which supports RSASHA1 to be used to generate it.
+
+. ../../conf.sh
+
+zone=rsasha1-1024.example
+k1=$("$KEYGEN" -a rsasha1 -b 1024 $zone)
+k2=$("$KEYGEN" -a rsasha1 -b 1024 -f KSK $zone)
+cat $zone.db.in $k1.key $k2.key > $zone.tmp
+# use maximum expirey period (-e 2^31-1-3600)
+# use output format full for easy extraction of KSK (-O full)
+"$SIGNER" -e +2147480047 -o $zone -f $zone.db -O full $zone.tmp
+rm -f $k1.key $k1.private $k2.key $k2.private $zone.tmp

bin/tests/system/dnssec/ns3/sign.sh

@@ -684,3 +684,8 @@ zone=rsasha1.example
 zonefile=rsasha1.example.db
 awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" |
 $DSFROMKEY -f - "$zone" > "dsset-${zone}."
+
+zone=rsasha1-1024.example
+zonefile=rsasha1-1024.example.db
+awk '$4 == "DNSKEY" && $5 == 257 { print }' "$zonefile" |
+$DSFROMKEY -f - "$zone" > "dsset-${zone}."

bin/tests/system/dnssec/tests.sh

@@ -1111,6 +1111,17 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+# Should work with FIPS mode as we are only validating
+echo_i "checking positive validation RSASHA1 (1024 bits) NSEC ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha1-1024.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "checking positive validation RSASHA256 NSEC ($n)"
 ret=0
 dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1