
Check deprecated algorithms in dnssec-policy

This commit is contained in:
Mark Andrews 2025-06-30 15:56:21 +10:00
parent 95a82d0893
commit 86fb638085
3 changed files with 53 additions and 0 deletions


@ -0,0 +1,19 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy deprecated {
cds-digest-types { sha1; };
keys {
csk lifetime unlimited algorithm ecdsa256;
};
};


@ -0,0 +1,20 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy deprecated {
cds-digest-types { sha1; };
keys {
csk lifetime unlimited algorithm rsasha1;
csk lifetime unlimited algorithm nsec3rsasha1;
};
};


@ -685,6 +685,20 @@ if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking named-checkconf kasp deprecated algorithms and digests ($n)"
ret=0
if [ $RSASHA1_SUPPORTED = 0 ]; then
$CHECKCONF kasp-deprecated-fips.conf >checkconf.out$n 2>&1 || ret=1
else
$CHECKCONF kasp-deprecated.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: DNSSEC algorithm rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: DNSSEC algorithm nsec3rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
fi
grep "dnssec-policy: deprecated CDS digest-type sha1" checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
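Review bot: The branch selector `if [ $RSASHA1_SUPPORTED = 0 ]; then` leaves the expansion unquoted, so if the variable is ever unset or empty the test becomes `[ = 0 ]`, which is a syntax error rather than a false result, and the non-FIPS branch would then run on a build where rsasha1 is unavailable; quoting it, `if [ "$RSASHA1_SUPPORTED" = 0 ]; then`, makes the comparison well-formed in every case (the surrounding script leaves `$ret` and `$lines` unquoted too, but those are always assigned before use). The FIPS branch only asserts the CDS sha1 digest warning and never checks that the ecdsa256 key in kasp-deprecated-fips.conf produces no algorithm deprecation line, so a checker that flagged every algorithm would still pass; a negative assertion such as `grep "DNSSEC algorithm .* is deprecated" checkconf.out$n >/dev/null && ret=1` after the fips checkconf call would pin that. The enclosing script, including the definitions of `echo_i`, `$CHECKCONF` and `RSASHA1_SUPPORTED`, lies outside the hunk.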