mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 01:59:26 +00:00
3990. [testing] Add tests for unknown DNSSEC algorithm handling.
[RT #37541]
This commit is contained in:
Mark Andrews
parent
eb5243365c
commit
a5c7cfbac4
3
CHANGES
3
CHANGES
@ -1,3 +1,6 @@
|
||||
3990. [testing] Add tests for unknown DNSSEC algorithm handling.
|
||||
[RT #37541]
|
||||
|
||||
3989. [cleanup] Remove redundent dns_db_resigned calls. [RT #35748]
|
||||
|
||||
3988. [func] Allow the zone serial of a dynamically updatable
|
||||
|
||||
@ -77,3 +77,7 @@ rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
|
||||
rm -f Kexample.*
|
||||
rm -f keygen.err
|
||||
rm -f ns3/future.example.db ns3/trusted-future.key
|
||||
rm -f ns3/dnskey-nsec3-unknown.example.db
|
||||
rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
|
||||
rm -f ns3/dnskey-unknown.example.db
|
||||
rm -f ns3/dnskey-unknown.example.db.tmp
|
||||
|
||||
@ -102,6 +102,12 @@ ns.nsec3-unknown A 10.53.0.3
|
||||
optout-unknown NS ns.optout-unknown
|
||||
ns.optout-unknown A 10.53.0.3
|
||||
|
||||
dnskey-unknown NS ns.dnskey-unknown
|
||||
ns.dnskey-unknown A 10.53.0.3
|
||||
|
||||
dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
|
||||
ns.dnskey-nsec3-unknown A 10.53.0.3
|
||||
|
||||
multiple NS ns.multiple
|
||||
ns.multiple A 10.53.0.3
|
||||
|
||||
|
||||
@ -29,7 +29,8 @@ zonefile=example.db
|
||||
for subdomain in secure badds bogus dynamic keyless nsec3 optout \
|
||||
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
|
||||
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
|
||||
ttlpatch split-dnssec split-smart expired expiring upper lower
|
||||
ttlpatch split-dnssec split-smart expired expiring upper lower \
|
||||
dnskey-unknown dnskey-nsec3-unknown
|
||||
do
|
||||
cp ../ns3/dsset-$subdomain.example. .
|
||||
done
|
||||
|
||||
@ -0,0 +1,33 @@
|
||||
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; Permission to use, copy, modify, and/or distribute this software for any
|
||||
; purpose with or without fee is hereby granted, provided that the above
|
||||
; copyright notice and this permission notice appear in all copies.
|
||||
;
|
||||
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
z A 10.0.0.26
|
||||
a.a.a.a A 10.0.0.3
|
||||
*.e A 10.0.0.6
|
||||
child NS ns2.example.
|
||||
32
bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
Normal file
32
bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in
Normal file
@ -0,0 +1,32 @@
|
||||
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; Permission to use, copy, modify, and/or distribute this software for any
|
||||
; purpose with or without fee is hereby granted, provided that the above
|
||||
; copyright notice and this permission notice appear in all copies.
|
||||
;
|
||||
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
2000042407 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
z A 10.0.0.26
|
||||
a.a.a.a A 10.0.0.3
|
||||
*.e A 10.0.0.6
|
||||
child NS ns2.example.
|
||||
@ -155,6 +155,17 @@ zone "optout-unknown.example" {
|
||||
file "optout-unknown.example.db.signed";
|
||||
};
|
||||
|
||||
zone "dnskey-unknown.example" {
|
||||
type master;
|
||||
file "dnskey-unknown.example.db.signed";
|
||||
};
|
||||
|
||||
zone "dnskey-nsec3-unknown.example" {
|
||||
type master;
|
||||
nsec3-test-zone yes;
|
||||
file "dnskey-nsec3-unknown.example.db.signed";
|
||||
};
|
||||
|
||||
zone "multiple.example" {
|
||||
type master;
|
||||
file "multiple.example.db.signed";
|
||||
|
||||
@ -175,7 +175,7 @@ cat $infile $keyname.key >$zonefile
|
||||
$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
#
|
||||
# A nsec3 zone (non-optout) with unknown hash algorithm.
|
||||
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
|
||||
#
|
||||
zone=nsec3-unknown.example.
|
||||
infile=nsec3-unknown.example.db.in
|
||||
@ -188,7 +188,7 @@ cat $infile $keyname.key >$zonefile
|
||||
$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
#
|
||||
# A optout nsec3 zone.
|
||||
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
|
||||
#
|
||||
zone=optout-unknown.example.
|
||||
infile=optout-unknown.example.db.in
|
||||
@ -200,6 +200,42 @@ cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||
|
||||
#
|
||||
# A zone with a unknown DNSKEY algorithm.
|
||||
# Algorithm 7 is replaced by 100 in the zone and dsset.
|
||||
#
|
||||
zone=dnskey-unknown.example.
|
||||
infile=dnskey-unknown.example.db.in
|
||||
zonefile=dnskey-unknown.example.db
|
||||
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
|
||||
|
||||
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
$DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
|
||||
|
||||
#
|
||||
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
|
||||
# Algorithm 7 is replaced by 100 in the zone and dsset.
|
||||
#
|
||||
zone=dnskey-nsec3-unknown.example.
|
||||
infile=dnskey-nsec3-unknown.example.db.in
|
||||
zonefile=dnskey-nsec3-unknown.example.db
|
||||
|
||||
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
|
||||
|
||||
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
$DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
|
||||
|
||||
#
|
||||
# A multiple parameter nsec3 zone.
|
||||
#
|
||||
|
||||
@ -2711,5 +2711,71 @@ else
|
||||
n=`expr $n + 1`
|
||||
fi
|
||||
|
||||
echo "I:checking that positive unknown NSEC3 hash algorithm does validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example SOA > dig.out.ns3.test$n
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example SOA > dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example SOA > dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that negative unknown NSEC3 hash algorithm does not validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 nsec3-unknown.example A > dig.out.ns3.test$n
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 nsec3-unknown.example A > dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example A > dig.out.ns3.test$n
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 optout-unknown.example A > dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: SERVFAIL," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that unknown DNSKEY algorithm validates as insecure ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-unknown.example A > dig.out.ns3.test$n
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-unknown.example A > dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 dnskey-nsec3-unknown.example A > dig.out.ns3.test$n
|
||||
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.4 dnskey-nsec3-unknown.example A > dig.out.ns4.test$n
|
||||
grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
|
||||
grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user