Add test for allowing update CDS/CDNSKEY

Add tests to the nsupdate system test to make sure that CDS and/or CDNSKEY that match an algorithm in the DNSKEY RRset are allowed. Also add tests that updates are rejected if the algorithm does not match. Remove the now redundant test cases from the dnssec system test. Update the checkzone system test: Change the algorithm of the CDS and CDNSKEY records so that the zone is still rejected.
2025-08-31 06:25:31 +00:00 · 2021-07-13 11:04:44 +02:00
parent 2292b48c2a
commit 6b79db1fdd
8 changed files with 105 additions and 43 deletions
--- a/bin/tests/system/checkzone/zones/bad-cdnskey.db
+++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db
@@ -1,4 +1,4 @@
 example.	0	SOA	. . 0 0 0 0 0
 example.	0 	NS	.
 example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
-example. 	0	CDNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 	0	CDNSKEY	257 3 14 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
--- a/bin/tests/system/checkzone/zones/bad-cds.db
+++ b/bin/tests/system/checkzone/zones/bad-cds.db
@@ -1,6 +1,4 @@
 example.	0	SOA	. . 0 0 0 0 0
 example.	0 	NS	.
 example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
-; Actual CDS
-; example.	0	CDS 	14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
-example.	0	CDS 	14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B
+example.	0	CDS 	14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3368,26 +3368,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

-echo_i "check that a lone non matching CDS record is rejected ($n)"
-ret=0
-(
-echo zone cds-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cds-update.secure CDS
-dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
-grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
-$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
-sed "s/^/update add /"
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
-grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
-dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n
-lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 0 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "check that a CDS deletion record is accepted ($n)"
 ret=0
 (
@@ -3601,25 +3581,6 @@ status=$((status+ret))
 # precedes the supported one in the DNSKEY RRset, and verify the result still
 # validates succesfully.

-echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
-ret=0
-(
-echo zone cdnskey-update.secure
-echo server 10.53.0.2 "$PORT"
-echo update delete cdnskey-update.secure CDNSKEY
-echo send
-dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-update.secure |
-sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 258/p'
-echo send
-) | $NSUPDATE > nsupdate.out.test$n 2>&1 || true
-grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1
-dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n
-lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "${lines:-10}" -eq 0 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "check that a CDNSKEY deletion record is accepted ($n)"
 ret=0
 (
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -43,6 +43,7 @@ rm -f ns3/delegation.test.db
 rm -f ns3/dnskey.test.db
 rm -f ns3/dsset-*
 rm -f ns3/example.db
+rm -f ns3/multisigner.test.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
--- a/bin/tests/system/nsupdate/ns3/multisigner.test.db.in
+++ b/bin/tests/system/nsupdate/ns3/multisigner.test.db.in
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+multisigner.test. 10 IN SOA multisigner.test. hostmaster.multisigner.test. 1 3600 900 2419200 3600
+multisigner.test. 10 IN NS multisigner.test.
+multisigner.test. 10 IN A 10.53.0.3
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -61,3 +61,11 @@ zone "too-big.test" {
 	max-records 3;
 	file "too-big.test.db";
 };
+
+/* Zone for testing CDS and CDNSKEY updates from other provider */
+zone "multisigner.test" {
+	type primary;
+	allow-update { any; };
+	dnssec-policy "default";
+	file "multisigner.test.db";
+};
--- a/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -43,3 +43,6 @@ keyname2=`$KEYGEN -q -a RSASHA256 -3 $zone`
 cat $infile $keyname1.key $keyname2.key >$zonefile

 $SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+# Just copy multisigner.db.in because it is signed with dnssec-policy.
+cp multisigner.test.db.in multisigner.test.db
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -52,6 +52,16 @@ while true; do
    fi
 done

+has_positive_response() {
+	zone=$1
+	type=$2
+	ns=$3
+	$DIG $DIGOPTS +tcp +norec $zone $type @$ns > dig.out.post.test$n || return 1
+	grep "status: NOERROR" dig.out.post.test$n > /dev/null || return 1
+	grep "ANSWER: 0," dig.out.post.test$n > /dev/null && return 1
+	return 0
+}
+
 ret=0
 echo_i "fetching first copy of zone before update"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
@@ -1227,6 +1237,75 @@ grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
 grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }

+n=`expr $n + 1`
+ret=0
+echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": bad CDS RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDNSKEY with mismatched algorithm to DNSSEC multisigner zone is not allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 && ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+msg=": bad CDNSKEY RRset"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDS 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)"
+$DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+$NSUPDATE -d <<END > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone multisigner.test
+update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ==
+send
+END
+retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 n=`expr $n + 1`
 ret=0
 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"