Check that excessive iterations in logged by named when

loading an existing zone or transfering from the primary.
2025-08-30 22:15:20 +00:00 · 2021-02-17 16:33:49 +11:00
parent 8ec16c378d
commit 46eb21c546
10 changed files with 76 additions and 4 deletions
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -178,8 +178,9 @@ static bool remove_orphansigs = false;
 static bool remove_inactkeysigs = false;
 static bool output_dnssec_only = false;
 static bool output_stdout = false;
-bool set_maxttl = false;
+static bool set_maxttl = false;
 static dns_ttl_t maxttl = 0;
 static bool no_max_check = false;
 #define INCSTAT(counter)            \
 	if (printstats) {           \
@@ -3439,6 +3440,12 @@ main(int argc, char *argv[]) {
 		case 'H':
 			set_iter = true;
 			/* too-many is NOT DOCUMENTED */
 			if (strcmp(isc_commandline_argument, "too-many") == 0) {
 				nsec3iter = 151;
 				no_max_check = true;
 				break;
 			}
 			nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0') {
 				fatal("iterations must be numeric");
@@ -3876,10 +3883,15 @@ main(int argc, char *argv[]) {
 		}
 		if (nsec3iter > dns_nsec3_maxiterations()) {
-			fatal("NSEC3 iterations too big for weakest DNSKEY "
+			if (no_max_check) {
-			      "strength. Maximum iterations allowed %u.",
+				fprintf(stderr,
 					"Ignoring max iterations check.\n");
 			} else {
 				fatal("NSEC3 iterations too big. Maximum "
 				      "iterations allowed %u.",
 				      dns_nsec3_maxiterations());
 			}
 		}
 	} else {
 		hashlist_init(&hashlist, 0, 0); /* silence clang */
 	}
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -25,6 +25,7 @@ rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
 rm -f ./ns2/too-many-iterations.db
 rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -31,3 +31,5 @@ ns6.optout-tld.		A	10.53.0.6
 in-addr.arpa.		NS	ns2.example.
 inprogress.		NS	ns10.inprogress.
 ns10.inprogress.	A	10.53.0.10
 too-many-iterations.	NS	ns2.too-many-iterations.
 ns2.too-many-iterations.	A	10.53.0.2
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -26,6 +26,7 @@ echo_i "ns1/sign.sh"
 cp "../ns2/dsset-example$TP" .
 cp "../ns2/dsset-in-addr.arpa$TP" .
 cp "../ns2/dsset-too-many-iterations$TP" .
 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
 cp "../ns6/dsset-optout-tld$TP" .
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -191,4 +191,9 @@ zone "hours-vs-days" {
 	allow-update { any; };
 };
 zone "too-many-iterations" {
 	type master;
 	file "too-many-iterations.db.signed";
 };
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -318,3 +318,14 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 $SETTIME -P sync now "$key1" > /dev/null
 cat "$infile" > "$zonefile.signed"
 #
 # Negative result from this zone should come back as insecure.
 #
 zone=too-many-iterations
 infile=too-many-iterations.db.in
 zonefile=too-many-iterations.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
 "$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
--- a/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
+++ b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
@@ -0,0 +1,25 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
 ; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 30	; 5 minutes
@			IN SOA	mname1. . (
 				2000042407 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
 				1814400    ; expire (3 weeks)
 				30       ; minimum (1 hour)
 				)
 			NS	ns2
 ns2			A	10.53.0.2
 ns3			A	10.53.0.3
 a			A	10.0.0.1
 *.a			A	10.0.0.3
 b			A	10.0.0.2
 d			A	10.0.0.4
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -363,6 +363,12 @@ zone "revoked.trusted" {
 	file "revoked.trusted.db.signed";
 };
 zone "too-many-iterations" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	file "too-many-iterations.bk";
 };
 include "siginterval.conf";
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -42,6 +42,7 @@ view rec {
 	recursion yes;
 	dnssec-validation yes;
 	dnssec-accept-expired yes;
 	minimal-responses no;
 	zone "." {
 		type hint;
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4323,5 +4323,13 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
 ret=0
 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1
 grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1