Check that excessive iterations in logged by named when

loading an existing zone or transfering from the primary.
2025-08-30 14:07:59 +00:00 · 2021-02-17 16:33:49 +11:00 · 2021-02-17 16:33:49 +11:00 · 46eb21c546
commit 46eb21c546
parent 8ec16c378d
10 changed files with 76 additions and 4 deletions
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@ -178,8 +178,9 @@ static bool remove_orphansigs = false;
 static bool remove_inactkeysigs = false;
 static bool output_dnssec_only = false;
 static bool output_stdout = false;
-bool set_maxttl = false;
+static bool set_maxttl = false;
 static dns_ttl_t maxttl = 0;
+static bool no_max_check = false;

 #define INCSTAT(counter)            \
 	if (printstats) {           \
@ -3439,6 +3440,12 @@ main(int argc, char *argv[]) {

 		case 'H':
 			set_iter = true;
+			/* too-many is NOT DOCUMENTED */
+			if (strcmp(isc_commandline_argument, "too-many") == 0) {
+				nsec3iter = 151;
+				no_max_check = true;
+				break;
+			}
 			nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0') {
 				fatal("iterations must be numeric");
@ -3876,9 +3883,14 @@ main(int argc, char *argv[]) {
 		}

 		if (nsec3iter > dns_nsec3_maxiterations()) {
-			fatal("NSEC3 iterations too big for weakest DNSKEY "
-			      "strength. Maximum iterations allowed %u.",
-			      dns_nsec3_maxiterations());
+			if (no_max_check) {
+				fprintf(stderr,
+					"Ignoring max iterations check.\n");
+			} else {
+				fatal("NSEC3 iterations too big. Maximum "
+				      "iterations allowed %u.",
+				      dns_nsec3_maxiterations());
+			}
 		}
 	} else {
 		hashlist_init(&hashlist, 0, 0); /* silence clang */
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@ -25,6 +25,7 @@ rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
+rm -f ./ns2/too-many-iterations.db
 rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@ -31,3 +31,5 @@ ns6.optout-tld.		A	10.53.0.6
 in-addr.arpa.		NS	ns2.example.
 inprogress.		NS	ns10.inprogress.
 ns10.inprogress.	A	10.53.0.10
+too-many-iterations.	NS	ns2.too-many-iterations.
+ns2.too-many-iterations.	A	10.53.0.2
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@ -26,6 +26,7 @@ echo_i "ns1/sign.sh"

 cp "../ns2/dsset-example$TP" .
 cp "../ns2/dsset-in-addr.arpa$TP" .
+cp "../ns2/dsset-too-many-iterations$TP" .

 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
 cp "../ns6/dsset-optout-tld$TP" .
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@ -191,4 +191,9 @@ zone "hours-vs-days" {
 	allow-update { any; };
 };

+zone "too-many-iterations" {
+	type master;
+	file "too-many-iterations.db.signed";
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -318,3 +318,14 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 $SETTIME -P sync now "$key1" > /dev/null
 cat "$infile" > "$zonefile.signed"
+
+#
+# Negative result from this zone should come back as insecure.
+#
+zone=too-many-iterations
+infile=too-many-iterations.db.in
+zonefile=too-many-iterations.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
--- a/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
+++ b/bin/tests/system/dnssec/ns2/too-many-iterations.db.in
@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				30       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+*.a			A	10.0.0.3
+b			A	10.0.0.2
+d			A	10.0.0.4
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@ -363,6 +363,12 @@ zone "revoked.trusted" {
 	file "revoked.trusted.db.signed";
 };

+zone "too-many-iterations" {
+	type secondary;
+	primaries { 10.53.0.2; };
+	file "too-many-iterations.bk";
+};
+
 include "siginterval.conf";

 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@ -42,6 +42,7 @@ view rec {
 	recursion yes;
 	dnssec-validation yes;
 	dnssec-accept-expired yes;
+	minimal-responses no;

 	zone "." {
 		type hint;
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -4323,5 +4323,13 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

+echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
+ret=0
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1