From f0bfd276e02f861b7a98d569b03e267b0261f599 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 11 Mar 2024 11:52:03 +0100
Subject: [PATCH] Test secure chain that includes inactive KSK

Add a regression test case for the scenario where a secure chain of trust includes an inactive KSK, that is a KSK that is not signing the DNSKEY RRset.
---
 bin/tests/system/dnssec/ns1/root.db.in | 2 ++
 bin/tests/system/dnssec/ns1/sign.sh | 1 +
 bin/tests/system/dnssec/ns2/lazy-ksk.db.in | 27 ++++++++++++++
 bin/tests/system/dnssec/ns2/named.conf.in | 7 ++++
 bin/tests/system/dnssec/ns2/sign.sh | 41 ++++++++++++++++++++++
 bin/tests/system/dnssec/tests.sh | 12 +++++++
 6 files changed, 90 insertions(+)
 create mode 100644 bin/tests/system/dnssec/ns2/lazy-ksk.db.in
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 526e36c38c..ca72f0ee32 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -28,6 +28,8 @@ managed. NS ns2.managed.
 ns2.managed. A 10.53.0.2
 trusted. NS ns2.trusted.
 ns2.trusted. A 10.53.0.2
+lazy-ksk. NS ns2.lazy-ksk.
+ns2.lazy-ksk. A 10.53.0.2
 optout-tld NS ns6.optout-tld.
 ns6.optout-tld. A 10.53.0.6
 in-addr.arpa. NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 32a1736811..286b27883d 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -29,6 +29,7 @@ echo_i "ns1/sign.sh"
 cp "../ns2/dsset-example." .
 cp "../ns2/dsset-in-addr.arpa." .
 cp "../ns2/dsset-too-many-iterations." .
+cp "../ns2/dsset-lazy-ksk." .
 
 grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
 cp "../ns6/dsset-optout-tld." .
diff --git a/bin/tests/system/dnssec/ns2/lazy-ksk.db.in b/bin/tests/system/dnssec/ns2/lazy-ksk.db.in
new file mode 100644
index 0000000000..1527e07c6e
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/lazy-ksk.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 30 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+*.a A 10.0.0.3
+b A 10.0.0.2
+d A 10.0.0.4
diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 39f1cea26e..78d43c7208 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
@@ -206,4 +206,11 @@ zone "too-many-iterations" {
 file "too-many-iterations.db.signed";
 };
 
+zone "lazy-ksk" {
+ type primary;
+ file "lazy-ksk.db";
+ dnssec-policy "dnssec";
+ allow-update { any; };
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 9793a86b99..680d296ac5 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
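Review bot: The SOA commentary in the new zone file contradicts the values next to it: `$TTL 30 ; 5 minutes` and `30 ; minimum (1 hour)` both annotate a 30-second value. This looks copied from a sibling zone file and is cosmetic, but a reader adjusting cache behaviour for this test will be misled by it. Suggest `$TTL 30 ; 30 seconds` and `30 ; minimum (30 seconds)`.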
@@ -312,3 +312,44 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
 "$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
+#
+zone=lazy-ksk
+infile=lazy-ksk.db.in
+zonefile=lazy-ksk.db
+ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$ksk1.key" "$ksk2.key" "$ksk3.key" "$zsk.key" >"$zonefile"
+$DSFROMKEY "$ksk1.key" >"dsset-$zone."
+$DSFROMKEY "$ksk2.key" >>"dsset-$zone."
+$DSFROMKEY "$ksk3.key" >>"dsset-$zone."
+# Keep the KSK with the highest key tag
+id1=$(keyfile_to_key_id "$ksk1")
+id2=$(keyfile_to_key_id "$ksk2")
+id3=$(keyfile_to_key_id "$ksk3")
+if [ $id1 -gt $id2 ]; then
+ if [ $id1 -gt $id3 ]; then
+ rm1="$ksk2"
+ rm2="$ksk3"
+ else # id3 -gt $id1
+ rm1="$ksk2"
+ rm2="$ksk1"
+ fi
+else # $id2 -gt $id1
+ if [ $id2 -gt $id3 ]; then
+ rm1="$ksk1"
+ rm2="$ksk3"
+ else #id3 -gt $id2
+ rm1="$ksk2"
+ rm2="$ksk1"
+ fi
+fi
+
+rm "$rm1.key"
+rm "$rm1.private"
+rm "$rm2.key"
+rm "$rm2.private"
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 64a86d2cdf..4e957486d6 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
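Review bot: The block comment `# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.` does not match the code under it: three KSKs are generated, all three public keys are written into the zone file and all three DS records into `dsset-lazy-ksk.`, and the `.key`/`.private` files of the two lower-tag keys are then removed, so exactly one KSK can sign. Suggest replacing it with `# A zone whose DNSKEY RRset holds three KSKs, all with a DS at the parent, but only the KSK with the highest key tag keeps its private key, so two DS records match DNSKEYs that never sign the RRset.` The `# Keep the KSK with the highest key tag` line should also say why the highest tag matters (presumably so the validator meets the non-signing keys before the signing one, but that is an inference the hunk does not state). The `else # id3 -gt $id1` and `else #id3 -gt $id2` annotations actually cover the `>=` case (equal tags fall through to them); harmless, but `# id3 >= id1` would be accurate, and the inner comparisons would be more robust as `[ "$id1" -gt "$id2" ]` should `keyfile_to_key_id` ever return an empty string.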
@@ -3664,6 +3664,18 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+# Check that a query for a domain that has a KSK that is not actively signing
+# the DNSKEY RRset. This should not result in a broken trust chain if there is
+# another KSK that is signing the DNSKEY RRset.
+echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)"
+ret=0
+dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # TODO: test case for GL #1689.
 # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
 # we could write a test that signs a zone with supported and unsupported
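Review bot: The opening comment `# Check that a query for a domain that has a KSK that is not actively signing` / `# the DNSKEY RRset.` has no main clause, so it never says what is being checked; suggest `# Check that a name in a zone whose DNSKEY RRset contains a KSK that does not sign it still validates as secure when another KSK (also with a DS at the parent) does sign it.` The `echo_i` text speaks of "one active and one inactive KSK", while the zone set up in ns2/sign.sh carries two inactive KSKs next to the active one; aligning the wording avoids confusion when the test fails. The two greps confirm NOERROR and the AD flag, which is the right evidence of a validated answer, but nothing checks that the A record came back; adding `grep "a.lazy-ksk.*10.0.0.1" dig.out.ns4.test$n >/dev/null || ret=1` would also catch a validated NODATA response being accepted as a pass. 10.53.0.4 is presumably the validating resolver in this setup; the hunk does not show that.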