From 86fb638085cf6487fa3b3af6f96ebfdca26c0fa8 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 30 Jun 2025 15:56:21 +1000
Subject: [PATCH] Check deprecated algorithms in dnssec-policy
---
 .../checkconf/kasp-deprecated-fips.conf | 19 ++++++++++++++++++
 .../system/checkconf/kasp-deprecated.conf | 20 +++++++++++++++++++
 bin/tests/system/checkconf/tests.sh | 14 +++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 bin/tests/system/checkconf/kasp-deprecated-fips.conf
 create mode 100644 bin/tests/system/checkconf/kasp-deprecated.conf
diff --git a/bin/tests/system/checkconf/kasp-deprecated-fips.conf b/bin/tests/system/checkconf/kasp-deprecated-fips.conf
new file mode 100644
index 0000000000..6159940dcc
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-deprecated-fips.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy deprecated {
+ cds-digest-types { sha1; };
+ keys {
+ csk lifetime unlimited algorithm ecdsa256;
+ };
+};
diff --git a/bin/tests/system/checkconf/kasp-deprecated.conf b/bin/tests/system/checkconf/kasp-deprecated.conf
new file mode 100644
index 0000000000..ba7e72b8d6
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-deprecated.conf
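Review bot: Missing documentation: this fixture keeps the policy name `deprecated` but its only key uses ecdsa256, so the sole deprecated item it exercises is the sha1 entry in `cds-digest-types`; nothing in the file says why, and a reader has to find the `RSASHA1_SUPPORTED = 0` branch in tests.sh to learn that this variant stands in for kasp-deprecated.conf when rsasha1 is not available. A short comment after the license header, e.g. `/* Variant of kasp-deprecated.conf used when RSASHA1_SUPPORTED is 0: only the deprecated sha1 CDS digest type is checked here. */`, would make the fixture self-explaining.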
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy deprecated {
+ cds-digest-types { sha1; };
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ csk lifetime unlimited algorithm nsec3rsasha1;
+ };
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 08d706a06e..efb781188b 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -685,6 +685,20 @@ if [ $lines -ne 5 ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking named-checkconf kasp deprecated algorithms and digests ($n)"
+ret=0
+if [ $RSASHA1_SUPPORTED = 0 ]; then
+ $CHECKCONF kasp-deprecated-fips.conf >checkconf.out$n 2>&1 || ret=1
+else
+ $CHECKCONF kasp-deprecated.conf >checkconf.out$n 2>&1 || ret=1
+ grep "dnssec-policy: DNSSEC algorithm rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
+ grep "dnssec-policy: DNSSEC algorithm nsec3rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
+fi
+grep "dnssec-policy: deprecated CDS digest-type sha1" checkconf.out$n >/dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "check that a good 'kasp' configuration is accepted ($n)"
 ret=0
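Review bot: The branch selector `if [ $RSASHA1_SUPPORTED = 0 ]; then` leaves the variable unquoted, so if this case ever runs with RSASHA1_SUPPORTED unset (it is presumably exported by the test harness, which is not visible here) the test degenerates to `[ = 0 ]`, `[` prints a syntax error and returns 2, and the script silently takes the non-FIPS branch instead of stopping. `if [ "${RSASHA1_SUPPORTED:?RSASHA1_SUPPORTED is not set}" = 0 ]; then` states the precondition and fails loudly when it is not met. The case also pins that deprecated algorithms and the sha1 CDS digest are warnings only, since named-checkconf must exit 0 for `|| ret=1` not to fire; a one-line comment such as `# deprecated algorithms/digests must warn but must not make named-checkconf fail` would record that this is intended rather than an oversight. In the FIPS branch nothing checks that the ecdsa256 key is not itself reported as deprecated; `grep "DNSSEC algorithm .* is deprecated" checkconf.out$n >/dev/null && ret=1` inside that branch would catch a non-deprecated algorithm being flagged.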