From 5f464d15a0342dafa200957acf401daa97c4da3f Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 5 Nov 2019 17:22:35 +0100 Subject: [PATCH] dnssec-policy inheritance from options/view 'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level. This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy. The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement. Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works. Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query). --- bin/named/config.c | 1 + bin/named/server.c | 3 +- bin/named/zoneconf.c | 21 +- bin/tests/system/checkconf/bad-kasp1.conf | 6 +- bin/tests/system/checkconf/bad-kasp5.conf | 22 ++ bin/tests/system/checkconf/good-kasp.conf | 16 +- bin/tests/system/checkconf/good.conf | 41 ++ bin/tests/system/checkconf/good.zonelist | 4 + bin/tests/system/kasp/README | 2 + bin/tests/system/kasp/clean.sh | 1 + bin/tests/system/kasp/ns2/named.conf.in | 16 + bin/tests/system/kasp/ns2/setup.sh | 14 +- bin/tests/system/kasp/ns2/template.tld.db.in | 25 ++ bin/tests/system/kasp/ns3/named.conf.in | 20 +- bin/tests/system/kasp/ns3/setup.sh | 9 +- bin/tests/system/kasp/ns4/named.conf.in | 117 ++++++ bin/tests/system/kasp/ns4/setup.sh | 28 ++ bin/tests/system/kasp/ns4/template.db.in | 25 ++ bin/tests/system/kasp/ns5/named.conf.in | 117 ++++++ bin/tests/system/kasp/ns5/setup.sh | 28 ++ bin/tests/system/kasp/ns5/template.db.in | 25 ++ bin/tests/system/kasp/setup.sh | 13 +- bin/tests/system/kasp/tests.sh | 370 +++++++++++++++---- lib/bind9/check.c | 64 +++- lib/isccfg/kaspconf.c | 2 + lib/isccfg/namedconf.c | 6 +- util/copyrights | 2 + 27 files changed, 895 insertions(+), 103 deletions(-) create mode 100644 bin/tests/system/checkconf/bad-kasp5.conf create mode 100644 bin/tests/system/kasp/ns2/template.tld.db.in create mode 100644 bin/tests/system/kasp/ns4/named.conf.in create mode 100644 bin/tests/system/kasp/ns4/setup.sh create mode 100644 bin/tests/system/kasp/ns4/template.db.in create mode 100644 bin/tests/system/kasp/ns5/named.conf.in create mode 100644 bin/tests/system/kasp/ns5/setup.sh create mode 100644 bin/tests/system/kasp/ns5/template.db.in diff --git a/bin/named/config.c b/bin/named/config.c index 6ea56d8881..aeabf49057 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -58,6 +58,7 @@ options {\n\ "\ # deallocate-on-exit ;\n\ # directory \n\ + dnssec-policy \"none\";\n\ dump-file \"named_dump.db\";\n\ edns-udp-size 4096;\n\ # fake-iquery ;\n" diff --git a/bin/named/server.c b/bin/named/server.c index c788deb19e..ca216599ff 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6260,7 +6260,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, ((cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS && cfg_obj_asboolean(signing)) || (cfg_map_get(zoptions, "dnssec-policy", &signing) == - ISC_R_SUCCESS && signing != NULL))) + ISC_R_SUCCESS && signing != NULL && + strcmp(cfg_obj_asstring(signing), "none") != 0))) { dns_zone_getraw(zone, &raw); if (raw == NULL) { diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 0978902573..cb0ec51fcf 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1197,18 +1197,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, if (ztype != dns_zone_stub && ztype != dns_zone_staticstub && ztype != dns_zone_redirect) { obj = NULL; - result = cfg_map_get(zoptions, "dnssec-policy", &obj); + result = named_config_get(maps, "dnssec-policy", &obj); if (result == ISC_R_SUCCESS) { kaspname = cfg_obj_asstring(obj); - result = dns_kasplist_find(kasplist, kaspname, &kasp); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(obj, named_g_lctx, - ISC_LOG_ERROR, - "'dnssec-policy '%s' not found ", - kaspname); - RETERR(result); + if (strcmp(kaspname, "none") != 0) { + result = dns_kasplist_find(kasplist, kaspname, + &kasp); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(obj, named_g_lctx, + ISC_LOG_ERROR, + "'dnssec-policy '%s' not " + "found ", kaspname); + RETERR(result); + } + dns_zone_setkasp(zone, kasp); } - dns_zone_setkasp(zone, kasp); } obj = NULL; diff --git a/bin/tests/system/checkconf/bad-kasp1.conf b/bin/tests/system/checkconf/bad-kasp1.conf index bad8ff2090..686160f983 100644 --- a/bin/tests/system/checkconf/bad-kasp1.conf +++ b/bin/tests/system/checkconf/bad-kasp1.conf @@ -9,12 +9,14 @@ * information regarding copyright ownership. */ -options { - dnssec-policy "notatzonelevel"; +// Using the keyword 'default' is not allowed. +dnssec-policy "default" { + signatures-refresh P5D; }; zone "example.net" { type master; file "example.db"; + dnssec-policy "default"; }; diff --git a/bin/tests/system/checkconf/bad-kasp5.conf b/bin/tests/system/checkconf/bad-kasp5.conf new file mode 100644 index 0000000000..a399079db5 --- /dev/null +++ b/bin/tests/system/checkconf/bad-kasp5.conf @@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// Using the keyword 'none' is not allowed. +dnssec-policy "none" { + signatures-refresh P5D; +}; + +zone "example.net" { + type master; + file "example.db"; + dnssec-policy "none"; +}; + diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 041e6bfae8..04c1cef199 100644 --- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf @@ -35,13 +35,25 @@ dnssec-policy "test" { options { dnssec-policy "default"; }; +options { + dnssec-policy "default"; +}; zone "example1" { type master; - dnssec-policy "test"; file "example1.db"; }; zone "example2" { type master; - dnssec-policy "default"; file "example2.db"; + dnssec-policy "test"; +}; +zone "example3" { + type master; + file "example3.db"; + dnssec-policy "default"; +}; +zone "example4" { + type master; + file "example4.db"; + dnssec-policy "none"; }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index b6136d6f3b..37d3de6504 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -14,6 +14,24 @@ */ /* cut here */ +dnssec-policy "test" { + dnskey-ttl 3600; + keys { + ksk key-directory lifetime P1Y algorithm 13 256; + zsk key-directory lifetime P30D algorithm 13; + csk key-directory lifetime P30D algorithm 8 2048; + }; + publish-safety PT3600S; + retire-safety PT3600S; + signatures-refresh P3D; + signatures-validity P2W; + signatures-validity-dnskey P14D; + zone-max-ttl 86400; + zone-propagation-delay PT5M; + parent-ds-ttl 7200; + parent-propagation-delay PT1H; + parent-registration-delay P1D; +}; options { avoid-v4-udp-ports { 100; @@ -60,6 +78,7 @@ options { validate-except { "corp"; }; + dnssec-policy "test"; transfer-source 0.0.0.0 dscp 63; zone-statistics none; }; @@ -140,6 +159,28 @@ view "third" { }; }; }; +view "fourth" { + zone "dnssec-test" { + type master; + file "dnssec-test.db"; + dnssec-policy "test"; + }; + zone "dnssec-default" { + type master; + file "dnssec-default.db"; + dnssec-policy "default"; + }; + zone "dnssec-inherit" { + type master; + file "dnssec-inherit.db"; + }; + zone "dnssec-none" { + type master; + file "dnssec-none.db"; + dnssec-policy "none"; + }; + dnssec-policy "default"; +}; view "chaos" chaos { zone "hostname.bind" chaos { type master; diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist index e4504fc672..dff4d170ca 100644 --- a/bin/tests/system/checkconf/good.zonelist +++ b/bin/tests/system/checkconf/good.zonelist @@ -8,4 +8,8 @@ clone IN third in-view first dnssec IN third master p IN third primary s IN third secondary +dnssec-test IN fourth master +dnssec-default IN fourth master +dnssec-inherit IN fourth master +dnssec-none IN fourth master hostname.bind chaos chaos master diff --git a/bin/tests/system/kasp/README b/bin/tests/system/kasp/README index d543c1a779..ceafd19772 100644 --- a/bin/tests/system/kasp/README +++ b/bin/tests/system/kasp/README @@ -9,3 +9,5 @@ ns1 is reserved for the root server. ns2 is running primary service for ns3. ns3 is an authoritative server for the various test domains. + +ns4 and ns5 are authoritative servers for various test domains related to views. diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index c9ef776eb6..803dd703cd 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -21,5 +21,6 @@ rm -f ns*/K*.private ns*/K*.key ns*/K*.state rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind +rm -f ns*/*.mkeys # NS3 specific rm -f ns3/zones ns3/*.db.infile diff --git a/bin/tests/system/kasp/ns2/named.conf.in b/bin/tests/system/kasp/ns2/named.conf.in index 640def73b3..cad71da5b4 100644 --- a/bin/tests/system/kasp/ns2/named.conf.in +++ b/bin/tests/system/kasp/ns2/named.conf.in @@ -21,6 +21,7 @@ options { listen-on-v6 { none; }; allow-transfer { any; }; recursion no; + dnssec-policy "none"; }; key rndc_key { @@ -32,6 +33,21 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +/* Inherit dnssec-policy (which is none) */ + +zone "unsigned.tld" { + type master; + file "unsigned.tld.db"; +}; + +/* Override dnssec-policy */ + +zone "signed.tld" { + type master; + dnssec-policy "default"; + file "signed.tld.db"; +}; + /* Primary service for ns3 */ zone "secondary.kasp" { diff --git a/bin/tests/system/kasp/ns2/setup.sh b/bin/tests/system/kasp/ns2/setup.sh index d495e05f52..588735d0a6 100644 --- a/bin/tests/system/kasp/ns2/setup.sh +++ b/bin/tests/system/kasp/ns2/setup.sh @@ -14,8 +14,20 @@ echo_i "ns2/setup.sh" -echo_i "setting up zone: $zone" zone="secondary.kasp" +echo_i "setting up zone: $zone" zonefile="${zone}.db" infile="${zonefile}.in" cp $infile $zonefile + +zone="signed.tld" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +infile="template.tld.db.in" +cp $infile $zonefile + +zone="unsigned.tld" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +infile="template.tld.db.in" +cp $infile $zonefile diff --git a/bin/tests/system/kasp/ns2/template.tld.db.in b/bin/tests/system/kasp/ns2/template.tld.db.in new file mode 100644 index 0000000000..7d8b924f64 --- /dev/null +++ b/bin/tests/system/kasp/ns2/template.tld.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.kasp. hostmaster.kasp. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index 1e11814542..c9ae05894b 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -11,6 +11,9 @@ // NS3 +include "policies/kasp.conf"; +include "policies/autosign.conf"; + options { query-source address 10.53.0.3; notify-source 10.53.0.3; @@ -21,6 +24,7 @@ options { listen-on-v6 { none; }; allow-transfer { any; }; recursion no; + dnssec-policy "rsasha1"; }; key rndc_key { @@ -32,9 +36,6 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -include "policies/kasp.conf"; -include "policies/autosign.conf"; - /* Zones that are getting initially signed */ /* The default case: No keys created, using default policy. */ @@ -51,6 +52,19 @@ zone "rsasha1.kasp" { dnssec-policy "rsasha1"; }; +/* A zone that inherits dnssec-policy. */ +zone "inherit.kasp" { + type master; + file "inherit.kasp.db"; +}; + +/* A zone that overrides dnssec-policy. */ +zone "unsigned.kasp" { + type master; + file "unsigned.kasp.db"; + dnssec-policy "none"; +}; + /* A master zone with dnssec-policy but keys already created. */ zone "dnssec-keygen.kasp" { type master; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 782747b4b8..5a4b44bca5 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -43,12 +43,19 @@ U="UNRETENTIVE" # Set up zones that will be initially signed. # for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \ - rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 + rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit do setup "${zn}.kasp" cp template.db.in $zonefile done +# Set up zone that stays unsigned. +zone="unsigned.kasp" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +infile="${zone}.db.infile" +cp template.db.in $zonefile + # Some of these zones already have keys. zone="dnssec-keygen.kasp" $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in new file mode 100644 index 0000000000..c8d4094f85 --- /dev/null +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -0,0 +1,117 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +key "sha1" { + algorithm "hmac-sha1"; + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +}; + +key "sha224" { + algorithm "hmac-sha224"; + secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="; +}; + +key "sha256" { + algorithm "hmac-sha256"; + secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="; +}; + +dnssec-policy "test" { + keys { + csk key-directory lifetime 0 algorithm 14; + }; +}; + +options { + query-source address 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + dnssec-policy "test"; +}; + +view "inherit" { + match-clients { key "sha1"; }; + + /* Inherit dnssec-policy 'test' */ + zone "inherit.inherit.signed" { + type master; + file "inherit.inherit.signed.db"; + }; + + /* Override dnssec-policy */ + zone "override.inherit.signed" { + type master; + dnssec-policy "default"; + file "override.inherit.signed.db"; + }; + + /* Unset dnssec-policy */ + zone "none.inherit.signed" { + type master; + dnssec-policy "none"; + file "none.inherit.signed.db"; + }; +}; + +view "override" { + match-clients { key "sha224"; }; + dnssec-policy "default"; + + /* Inherit dnssec-policy 'test' */ + zone "inherit.override.signed" { + type master; + file "inherit.override.signed.db"; + }; + + /* Override dnssec-policy */ + zone "override.override.signed" { + type master; + dnssec-policy "test"; + file "override.override.signed.db"; + }; + + /* Unset dnssec-policy */ + zone "none.override.signed" { + type master; + dnssec-policy "none"; + file "none.override.signed.db"; + }; +}; + +view "none" { + match-clients { key "sha256"; }; + dnssec-policy "none"; + + /* Inherit dnssec-policy 'none' */ + zone "inherit.none.signed" { + type master; + file "inherit.none.signed.db"; + }; + + /* Override dnssec-policy */ + zone "override.none.signed" { + type master; + dnssec-policy "test"; + file "override.none.signed.db"; + }; + + /* Unset dnssec-policy */ + zone "none.none.signed" { + type master; + dnssec-policy "none"; + file "none.none.signed.db"; + }; +}; diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh new file mode 100644 index 0000000000..ca830dd028 --- /dev/null +++ b/bin/tests/system/kasp/ns4/setup.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns4/setup.sh" + +# +# Set up zones that potentially will be initially signed. +# +for zn in inherit.inherit override.inherit none.inherit \ + inherit.override override.override none.override \ + inherit.none override.none none.none +do + zone="$zn.signed" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + cp template.db.in $zonefile +done diff --git a/bin/tests/system/kasp/ns4/template.db.in b/bin/tests/system/kasp/ns4/template.db.in new file mode 100644 index 0000000000..59946e07ba --- /dev/null +++ b/bin/tests/system/kasp/ns4/template.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in new file mode 100644 index 0000000000..2c9c8f6214 --- /dev/null +++ b/bin/tests/system/kasp/ns5/named.conf.in @@ -0,0 +1,117 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +key "sha1" { + algorithm "hmac-sha1"; + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +}; + +key "sha224" { + algorithm "hmac-sha224"; + secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="; +}; + +key "sha256" { + algorithm "hmac-sha256"; + secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="; +}; + +dnssec-policy "test" { + keys { + csk key-directory lifetime 0 algorithm 14; + }; +}; + +options { + query-source address 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + dnssec-policy "none"; +}; + +view "inherit" { + match-clients { key "sha1"; }; + + /* Inherit dnssec-policy 'none' */ + zone "inherit.inherit.unsigned" { + type master; + file "inherit.inherit.unsigned.db"; + }; + + /* Override dnssec-policy */ + zone "override.inherit.unsigned" { + type master; + dnssec-policy "default"; + file "override.inherit.unsigned.db"; + }; + + /* Unset dnssec-policy */ + zone "none.inherit.unsigned" { + type master; + dnssec-policy "none"; + file "none.inherit.unsigned.db"; + }; +}; + +view "override" { + match-clients { key "sha224"; }; + dnssec-policy "default"; + + /* Inherit dnssec-policy 'default' */ + zone "inherit.override.unsigned" { + type master; + file "inherit.override.unsigned.db"; + }; + + /* Override dnssec-policy */ + zone "override.override.unsigned" { + type master; + dnssec-policy "test"; + file "override.override.unsigned.db"; + }; + + /* Unset dnssec-policy */ + zone "none.override.unsigned" { + type master; + dnssec-policy "none"; + file "none.override.unsigned.db"; + }; +}; + +view "none" { + match-clients { key "sha256"; }; + dnssec-policy "none"; + + /* Inherit dnssec-policy 'none' */ + zone "inherit.none.unsigned" { + type master; + file "inherit.none.unsigned.db"; + }; + + /* Override dnssec-policy */ + zone "override.none.unsigned" { + type master; + dnssec-policy "test"; + file "override.none.unsigned.db"; + }; + + /* Unset dnssec-policy */ + zone "none.none.unsigned" { + type master; + dnssec-policy "none"; + file "none.none.unsigned.db"; + }; +}; diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh new file mode 100644 index 0000000000..b6f274e6a7 --- /dev/null +++ b/bin/tests/system/kasp/ns5/setup.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns5/setup.sh" + +# +# Set up zones that potentially will be initially signed. +# +for zn in inherit.inherit override.inherit none.inherit \ + inherit.override override.override none.override \ + inherit.none override.none none.none +do + zone="$zn.unsigned" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + cp template.db.in $zonefile +done diff --git a/bin/tests/system/kasp/ns5/template.db.in b/bin/tests/system/kasp/ns5/template.db.in new file mode 100644 index 0000000000..2f73182e72 --- /dev/null +++ b/bin/tests/system/kasp/ns5/template.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 +ns5 A 10.53.0.5 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 6bdf0035a8..0d93046ae1 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -20,14 +20,23 @@ mkdir keys copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf -# ns2: Setup zones +# Setup zones ( cd ns2 $SHELL setup.sh ) -# ns3: Setup zones ( cd ns3 $SHELL setup.sh ) +( + cd ns4 + $SHELL setup.sh +) +( + cd ns5 + $SHELL setup.sh +) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index a79a871cc6..5fa2178e99 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -21,6 +21,14 @@ n=0 ############################################################################### DEFAULT_TTL=300 +############################################################################### +# Query properties # +############################################################################### +TSIG="" +SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0=" +SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==" +SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=" + ############################################################################### # Key properties # ############################################################################### @@ -82,7 +90,12 @@ key_clear "KEY3" # Call dig with default options. dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + _tsig="" + if [ -n "$TSIG" ]; then + _tsig="-y $TSIG" + fi + + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT $_tsig "$@" } # RNDC. @@ -108,7 +121,9 @@ get_keyids() { _start="${_dir}/K${_zone}.+${_algorithm}+" _end=".key" - ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/" + if [ $_algorithm -ne 0 ]; then + ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/" + fi } # By default log errors and don't quit immediately. @@ -124,15 +139,17 @@ log_error() { # $3: Policy name # $4: DNSKEY TTL # $5: Number of keys +# $6: Name server # # This will set the following environment variables for testing: -# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS +# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS, SERVER zone_properties() { DIR=$1 ZONE=$2 POLICY=$3 DNSKEY_TTL=$4 NUM_KEYS=$5 + SERVER=$6 } # Set key properties for testing keys. @@ -492,7 +509,7 @@ dnssec_verify() n=$((n+1)) echo_i "dnssec-verify zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" + dig_with_opts $ZONE @${SERVER} AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" $VERIFY -z -o $ZONE dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -505,7 +522,7 @@ dnssec_verify() # # dnssec-keygen # -zone_properties "keys" "kasp" "kasp" "200" +zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1" n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" @@ -557,7 +574,7 @@ _log=1 n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 -zone_properties "." "kasp" "default" "3600" +zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" @@ -572,7 +589,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 -zone_properties "." "kasp" "default" "3600" +zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" @@ -672,7 +689,7 @@ status=$((status+ret)) # # Check the zone with default kasp policy has loaded and is signed. -zone_properties "ns3" "default.kasp" "_default" "3600" +zone_properties "ns3" "default.kasp" "default" "3600" "1" "10.53.0.3" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" # The first key is immediately published and activated. key_timings "KEY1" "published" "active" "none" "none" "none" "none" @@ -695,7 +712,7 @@ qtype="DNSKEY" n=$((n+1)) echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 -dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" +dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${qtype}.*257.*.3.*${KEY1[$ALG_NUM]}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response" lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l) @@ -709,7 +726,7 @@ qtype="SOA" n=$((n+1)) echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 -dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" +dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${qtype}.*mname1\..*\." dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response" lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l) @@ -730,14 +747,14 @@ while [ $i -lt 5 ] do ret=0 - dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" + dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response" grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response" lines=$(get_keys_which_signed A dig.out.$DIR.test$n.a | wc -l) test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response" get_keys_which_signed A dig.out.$DIR.test$n.a | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}" - dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" + dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response" grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response" lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l) @@ -756,7 +773,7 @@ status=$((status+ret)) # # Zone: rsasha1.kasp. # -zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no" @@ -895,7 +912,7 @@ check_cds() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" if [ "${KEY1[$STATE_DS]}" == "rumoured" ] || [ "${KEY1[$STATE_DS]}" == "omnipresent" ]; then @@ -933,9 +950,33 @@ check_apex() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response" + + if [ "${KEY1[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY1[$STATE_DNSKEY]}" == "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY1[$ID]}" + check_signatures $_qtype dig.out.$DIR.test$n $KSK + numkeys=$((numkeys+1)) + elif [ "${KEY1[$EXPECT]}" == "yes" ]; then + grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY1[$ID]}" + fi + + if [ "${KEY2[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY2[$STATE_DNSKEY]}" == "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY2[$ID]}" + check_signatures $_qtype dig.out.$DIR.test$n $KSK + numkeys=$((numkeys+1)) + elif [ "${KEY2[$EXPECT]}" == "yes" ]; then + grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY2[$ID]}" + fi + + if [ "${KEY3[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY3[$STATE_DNSKEY]}" == "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY3[$ID]}" + check_signatures $_qtype dig.out.$DIR.test$n $KSK + numkeys=$((numkeys+1)) + elif [ "${KEY3[$EXPECT]}" == "yes" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY3[$ID]}" + fi + lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) check_signatures $_qtype dig.out.$DIR.test$n $KSK test "$ret" -eq 0 || echo_i "failed" @@ -946,7 +987,7 @@ check_apex() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response" lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) @@ -964,7 +1005,7 @@ check_subdomain() { n=$((n+1)) echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts a.$ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed" + dig_with_opts a.$ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" dig.out.$DIR.test$n > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response" lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) @@ -978,10 +1019,43 @@ check_apex check_subdomain dnssec_verify +# +# Zone: unsigned.kasp. +# +zone_properties "ns3" "unsigned.kasp" "none" "0" "0" "10.53.0.3" +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +check_keys +check_apex +check_subdomain + +# +# Zone: inherit.kasp. +# +zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3" +key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes" +key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no" +key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no" +# The first keys are immediately published and activated. +# Because lifetime > 0, retired timing is also set. +key_timings "KEY1" "published" "active" "retired" "none" "none" +key_timings "KEY2" "published" "active" "retired" "none" "none" +key_timings "KEY3" "published" "active" "retired" "none" "none" +# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. +# ZSK: DNSKEY, RRSIG (zsk) published. +key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden" +key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none" +key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none" +check_keys +check_apex +check_subdomain +dnssec_verify + # # Zone: dnssec-keygen.kasp. # -zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -991,7 +1065,7 @@ dnssec_verify # # Zone: some-keys.kasp. # -zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1001,7 +1075,7 @@ dnssec_verify # # Zone: legacy-keys.kasp. # -zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1013,7 +1087,7 @@ dnssec_verify # # There are more pregenerated keys than needed, hence the number of keys is # six, not three. -zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" +zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1023,7 +1097,7 @@ dnssec_verify # # Zone: secondary.kasp. # -zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" "10.53.0.3" # KSK properties, timings and states same as above. check_keys check_apex @@ -1042,12 +1116,12 @@ while [ $i -lt 5 ] do ret=0 - dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" + dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response" grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response" check_signatures $_qtype dig.out.$DIR.test$n.a $ZSK - dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" + dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response" grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response" lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l) @@ -1069,7 +1143,7 @@ status=$((status+ret)) # # Zone: rsasha1-nsec3.kasp. # -zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" +zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no" @@ -1082,7 +1156,7 @@ dnssec_verify # # Zone: rsasha256.kasp. # -zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" +zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no" @@ -1095,7 +1169,7 @@ dnssec_verify # # Zone: rsasha512.kasp. # -zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" +zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no" @@ -1108,7 +1182,7 @@ dnssec_verify # # Zone: ecdsa256.kasp. # -zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" +zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no" key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no" @@ -1121,7 +1195,7 @@ dnssec_verify # # Zone: ecdsa512.kasp. # -zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" +zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes" key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no" key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no" @@ -1136,7 +1210,7 @@ dnssec_verify # # Zone: expired-sigs.autosign. # -zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" +zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" "10.53.0.3" # Both KSK and ZSK stay OMNIPRESENT. key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1161,7 +1235,7 @@ check_rrsig_refresh() { n=$((n+1)) echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" # If this exact RRSIG is also in the zone file it is not refreshed. @@ -1181,7 +1255,7 @@ check_rrsig_refresh() { n=$((n+1)) echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" _rrsig=`cat rrsig.out.$ZONE.$_qtype` @@ -1197,7 +1271,7 @@ check_rrsig_refresh # # Zone: fresh-sigs.autosign. # -zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" +zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1213,7 +1287,7 @@ check_rrsig_reuse() { n=$((n+1)) echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" # If this exact RRSIG is also in the zone file it is not refreshed. @@ -1233,7 +1307,7 @@ check_rrsig_reuse() { n=$((n+1)) echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < rrsig.out.$ZONE.$_qtype) @@ -1249,7 +1323,7 @@ check_rrsig_reuse # # Zone: unfresh-sigs.autosign. # -zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" +zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1260,7 +1334,7 @@ check_rrsig_refresh # # Zone: zsk-missing.autosign. # -zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" +zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" "10.53.0.3" # KSK stays OMNIPRESENT. key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1271,7 +1345,7 @@ key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" # # Zone: zsk-retired.autosign. # -zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" +zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" "10.53.0.3" # KSK properties, timings and states same as above. # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. @@ -1284,6 +1358,178 @@ key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no" "no" key_timings "KEY3" "published" "active" "retired" "none" "none" key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" +# +# Test dnssec-policy inheritance. +# + +# These zones should be unsigned: +# ns2/unsigned.tld +# ns4/none.inherit.signed +# ns4/none.override.signed +# ns4/inherit.none.signed +# ns4/none.none.signed +# ns5/inherit.inherit.unsigned +# ns5/none.inherit.unsigned +# ns5/none.override.unsigned +# ns5/inherit.none.unsigned +# ns5/none.none.unsigned +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" + +zone_properties "ns2" "unsigned.tld" "none" "0" "0" "10.53.0.2" +TSIG="" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "none.inherit.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "none.override.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "inherit.none.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "none.none.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "inherit.inherit.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "none.inherit.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "none.override.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "inherit.none.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "none.none.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +# These zones should be signed with the default policy: +# ns2/signed.tld +# ns4/override.inherit.signed +# ns4/inherit.override.signed +# ns5/override.inherit.signed +# ns5/inherit.override.signed +key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" +key_timings "KEY1" "published" "active" "none" "none" "none" "none" +key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" + +zone_properties "ns2" "signed.tld" "default" "3600" "1" "10.53.0.2" +TSIG="" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "override.inherit.signed" "default" "3600" "1" "10.53.0.4" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "inherit.override.signed" "default" "3600" "1" "10.53.0.4" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "override.inherit.unsigned" "default" "3600" "1" "10.53.0.5" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "inherit.override.unsigned" "default" "3600" "1" "10.53.0.5" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +# These zones should be signed with the test policy: +# ns4/inherit.inherit.signed +# ns4/override.override.signed +# ns4/override.none.signed +# ns5/override.override.unsigned +# ns5/override.none.unsigned +key_properties "KEY1" "csk" "0" "14" "ECDSAP384SHA384" "384" "yes" "yes" +key_timings "KEY1" "published" "active" "none" "none" "none" "none" +key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" + +zone_properties "ns4" "inherit.inherit.signed" "test" "3600" "1" "10.53.0.4" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "override.override.signed" "test" "3600" "1" "10.53.0.4" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "override.none.signed" "test" "3600" "1" "10.53.0.4" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "override.override.unsigned" "test" "3600" "1" "10.53.0.5" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "override.none.unsigned" "test" "3600" "1" "10.53.0.5" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain +dnssec_verify + +# Clear TSIG. +TSIG="" + # # Testing ZSK Pre-Publication rollover. # @@ -1291,7 +1537,7 @@ key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" # # Zone: step1.zsk-prepub.autosign. # -zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" +zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1337,7 +1583,7 @@ check_next_key_event 2498400 # # Zone: step2.zsk-prepub.autosign. # -zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) remains active, no change in properties/timings/states. # New ZSK (KEY3) is prepublished. @@ -1357,7 +1603,7 @@ check_next_key_event 93600 # # Zone: step3.zsk-prepub.autosign. # -zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) properties and timing metadata same as above. # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. @@ -1385,7 +1631,7 @@ check_next_key_event 867600 # # Zone: step4.zsk-prepub.autosign. # -zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) properties and timing metadata same as above. # ZSK (KEY2) DNSKEY is no longer needed. @@ -1407,7 +1653,7 @@ check_next_key_event 7200 # # Zone: step5.zsk-prepub.autosign. # -zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) properties and timing metadata same as above. # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed. @@ -1431,7 +1677,7 @@ check_next_key_event 1627200 # # Zone: step1.ksk-doubleksk.autosign. # -zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" +zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" "10.53.0.3" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1456,7 +1702,7 @@ check_next_key_event 5000400 # # Zone: step2.ksk-doubleksk.autosign. # -zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) remains active, no change in properties/timings/states. # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). @@ -1476,7 +1722,7 @@ check_next_key_event 97200 # # Zone: step3.ksk-doubleksk.autosign. # -zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) DS will be removed, so it is UNRETENTIVE. key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive" @@ -1499,7 +1745,7 @@ check_next_key_event 266400 # # Zone: step4.ksk-doubleksk.autosign. # -zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) DNSKEY can be removed. key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no" @@ -1519,7 +1765,7 @@ check_next_key_event 10800 # # Zone: step5.ksk-doubleksk.autosign. # -zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) DNSKEY is now HIDDEN. key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden" @@ -1542,7 +1788,7 @@ check_next_key_event 4813200 # # Zone: step1.csk-roll.autosign. # -zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" +zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" "10.53.0.3" # The CSK (KEY1) starts in OMNIPRESENT. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1566,7 +1812,7 @@ check_next_key_event 15973200 # Zone: step2.csk-roll.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # CSK (KEY1) remains active, no change in properties/timings/states. # New CSK (KEY2) is prepublished (and signs DNSKEY RRset). key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" @@ -1586,7 +1832,7 @@ check_next_key_event 10800 # Zone: step3.csk-roll.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" @@ -1613,7 +1859,7 @@ check_next_key_event 100800 # # Zone: step4.csk-roll.autosign. # -zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" @@ -1634,7 +1880,7 @@ check_next_key_event 7200 # # Zone: step5.csk-roll.autosign. # -zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) KRRSIG records are now all hidden. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden" @@ -1654,7 +1900,7 @@ check_next_key_event 2149200 # # Zone: step6.csk-roll.autosign. # -zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden" @@ -1674,7 +1920,7 @@ check_next_key_event 7200 # # Zone: step7.csk-roll.autosign. # -zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" @@ -1699,7 +1945,7 @@ check_next_key_event 13708800 # # Zone: step1.csk-roll2.autosign. # -zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" +zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" "10.53.0.3" # The CSK (KEY1) starts in OMNIPRESENT. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1723,7 +1969,7 @@ check_next_key_event 15454800 # Zone: step2.csk-roll2.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # CSK (KEY1) remains active, no change in properties/timings/states. # New CSK (KEY2) is prepublished (and signs DNSKEY RRset). key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" @@ -1743,7 +1989,7 @@ check_next_key_event 10800 # Zone: step3.csk-roll2.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" @@ -1771,7 +2017,7 @@ check_next_key_event 136800 # # Zone: step4.csk-roll2.autosign. # -zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # The old CSK (KEY1) ZRRSIG is now HIDDEN. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive" @@ -1795,7 +2041,7 @@ check_next_key_event 478800 # # Zone: step5.csk-roll2.autosign. # -zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden" @@ -1815,7 +2061,7 @@ check_next_key_event 7200 # # Zone: step6.csk-roll2.autosign. # -zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 73fb59bf82..402a679053 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -842,6 +842,21 @@ check_name(const char *str) { return (dns_name_fromstring(dns_fixedname_name(&fixed), str, 0, NULL)); } +static bool +kasp_name_allowed(const cfg_listelt_t *element) +{ + const char* name = cfg_obj_asstring(cfg_tuple_get( + cfg_listelt_value(element), "name")); + + if (strcmp("none", name) == 0) { + return false; + } + if (strcmp("default", name) == 0) { + return false; + } + return true; +} + static isc_result_t check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, optlevel_t optlevel) @@ -950,14 +965,15 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } /* - * Check dnssec-policy at the view/options level + * Check dnssec-policy. */ obj = NULL; (void)cfg_map_get(options, "dnssec-policy", &obj); if (obj != NULL) { - bool bad_kasp = true; - if (optlevel == optlevel_zone && cfg_obj_isstring(obj)) { - bad_kasp = false; + bool bad_kasp = false; + bool bad_name = false; + if (optlevel != optlevel_config && !cfg_obj_isstring(obj)) { + bad_kasp = true; } else if (optlevel == optlevel_config) { if (cfg_obj_islist(obj)) { for (element = cfg_list_first(obj); @@ -967,18 +983,29 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, if (!cfg_obj_istuple( cfg_listelt_value(element))) { - break; + bad_kasp = true; + } + if (!kasp_name_allowed(element)) { + bad_name = true; } } - bad_kasp = false; } } if (bad_kasp) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-policy may only be activated at " - "the top level and referenced to at the " - "zone level"); + "dnssec-policy may only be configured at " + "the top level, please use name reference " + "at the zone level"); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } + } + + if (bad_name) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "dnssec-policy name may not be 'none' or " + "'default' (which is the built-in policy)"); if (result == ISC_R_SUCCESS) { result = ISC_R_FAILURE; } @@ -2135,6 +2162,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, if (strcmp(kaspname, "default") == 0) { has_dnssecpolicy = true; + } else if (strcmp(kaspname, "none") == 0) { + has_dnssecpolicy = false; } else { (void)cfg_map_get(config, "dnssec-policy", &kasps); for (element = cfg_list_first(kasps); element != NULL; @@ -2147,15 +2176,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, has_dnssecpolicy = true; } } - } - if (!has_dnssecpolicy) { - cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, - "zone '%s': option 'dnssec-policy %s' " - "has no matching dnssec-policy config", - znamestr, kaspname); - if (result == ISC_R_SUCCESS) { - result = ISC_R_FAILURE; + if (!has_dnssecpolicy) { + cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, + "zone '%s': option " + "'dnssec-policy %s' has no " + "matching dnssec-policy config", + znamestr, kaspname); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } } } } diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index b39eb9c44c..75350ffa68 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -126,6 +126,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx, cfg_obj_asstring(cfg_tuple_get(config, "name")) : "default"; + REQUIRE(strcmp(kaspname, "none") != 0); + result = dns_kasplist_find(kasplist, kaspname, &kasp); if (result == ISC_R_SUCCESS) { diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 746ee47a23..e0e5217d55 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2165,6 +2165,9 @@ zone_clauses[] = { { "dnssec-loadkeys-interval", &cfg_type_uint32, CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, + { "dnssec-policy", &cfg_type_astring, + CFG_ZONE_MASTER | CFG_ZONE_SLAVE + }, { "dnssec-secure-to-insecure", &cfg_type_boolean, CFG_ZONE_MASTER }, @@ -2335,9 +2338,6 @@ zone_only_clauses[] = { { "dlz", &cfg_type_astring, CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_REDIRECT }, - { "dnssec-policy", &cfg_type_astring, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE - }, { "file", &cfg_type_qstring, CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_HINT | CFG_ZONE_REDIRECT diff --git a/util/copyrights b/util/copyrights index 3608a3a60e..9d5aa28c46 100644 --- a/util/copyrights +++ b/util/copyrights @@ -698,6 +698,8 @@ ./bin/tests/system/kasp/clean.sh SH 2019 ./bin/tests/system/kasp/ns2/setup.sh SH 2019 ./bin/tests/system/kasp/ns3/setup.sh SH 2019 +./bin/tests/system/kasp/ns4/setup.sh SH 2019 +./bin/tests/system/kasp/ns5/setup.sh SH 2019 ./bin/tests/system/kasp/setup.sh SH 2019 ./bin/tests/system/kasp/tests.sh SH 2019 ./bin/tests/system/keepalive/clean.sh SH 2017,2018,2019