mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Code Issues Releases Wiki Activity

Test secure chain that includes inactive KSK

Browse Source 
Add a regression test case for the scenario where a secure chain of
trust includes an inactive KSK, that is a KSK that is not signing the
DNSKEY RRset.
This commit is contained in:
Matthijs Mekking
2024-03-11 11:52:03 +01:00
parent 28536786de
commit f0bfd276e0
6 changed files with 90 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bin/tests/system/dnssec/ns1/root.db.in
View File

@@ -28,6 +28,8 @@ managed. NS ns2.managed.
ns2.managed. A 10.53.0.2 ns2.managed. A 10.53.0.2
trusted. NS ns2.trusted. trusted. NS ns2.trusted.
ns2.trusted. A 10.53.0.2 ns2.trusted. A 10.53.0.2
lazy-ksk. NS ns2.lazy-ksk.
ns2.lazy-ksk. A 10.53.0.2
optout-tld NS ns6.optout-tld. optout-tld NS ns6.optout-tld.
ns6.optout-tld. A 10.53.0.6 ns6.optout-tld. A 10.53.0.6
in-addr.arpa. NS ns2.example. in-addr.arpa. NS ns2.example.

1
bin/tests/system/dnssec/ns1/sign.sh
View File

@@ -29,6 +29,7 @@ echo_i "ns1/sign.sh"
cp "../ns2/dsset-example." . cp "../ns2/dsset-example." .
cp "../ns2/dsset-in-addr.arpa." . cp "../ns2/dsset-in-addr.arpa." .
cp "../ns2/dsset-too-many-iterations." . cp "../ns2/dsset-too-many-iterations." .
cp "../ns2/dsset-lazy-ksk." .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll." grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll." >"dsset-algroll."
cp "../ns6/dsset-optout-tld." . cp "../ns6/dsset-optout-tld." .

27
bin/tests/system/dnssec/ns2/lazy-ksk.db.in Normal file
View File

@@ -0,0 +1,27 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 30 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
30 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
*.a A 10.0.0.3
b A 10.0.0.2
d A 10.0.0.4

7
bin/tests/system/dnssec/ns2/named.conf.in
View File

@@ -206,4 +206,11 @@ zone "too-many-iterations" {
file "too-many-iterations.db.signed"; file "too-many-iterations.db.signed";
}; };
zone "lazy-ksk" {
type primary;
file "lazy-ksk.db";
dnssec-policy "dnssec";
allow-update { any; };
};
include "trusted.conf"; include "trusted.conf";

41
bin/tests/system/dnssec/ns2/sign.sh
View File

@@ -312,3 +312,44 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$key1.key" "$key2.key" >"$zonefile" cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1 "$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" >/dev/null 2>&1
#
# A zone with a secure chain of trust of two KSKs, only one KSK is not signing.
#
zone=lazy-ksk
infile=lazy-ksk.db.in
zonefile=lazy-ksk.db
ksk1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
ksk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
ksk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk1.key" "$ksk2.key" "$ksk3.key" "$zsk.key" >"$zonefile"
$DSFROMKEY "$ksk1.key" >"dsset-$zone."
$DSFROMKEY "$ksk2.key" >>"dsset-$zone."
$DSFROMKEY "$ksk3.key" >>"dsset-$zone."
# Keep the KSK with the highest key tag
id1=$(keyfile_to_key_id "$ksk1")
id2=$(keyfile_to_key_id "$ksk2")
id3=$(keyfile_to_key_id "$ksk3")
if [ $id1 -gt $id2 ]; then
if [ $id1 -gt $id3 ]; then
rm1="$ksk2"
rm2="$ksk3"
else # id3 -gt $id1
rm1="$ksk2"
rm2="$ksk1"
fi
else # $id2 -gt $id1
if [ $id2 -gt $id3 ]; then
rm1="$ksk1"
rm2="$ksk3"
else #id3 -gt $id2
rm1="$ksk2"
rm2="$ksk1"
fi
fi
rm "$rm1.key"
rm "$rm1.private"
rm "$rm2.key"
rm "$rm2.private"

12
bin/tests/system/dnssec/tests.sh
View File

@@ -3664,6 +3664,18 @@ n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
# Check that a query for a domain that has a KSK that is not actively signing
# the DNSKEY RRset. This should not result in a broken trust chain if there is
# another KSK that is signing the DNSKEY RRset.
echo_i "checking that a secure chain with one active and one inactive KSK validates as secure ($n)"
ret=0
dig_with_opts @10.53.0.4 a.lazy-ksk A >dig.out.ns4.test$n
grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
# TODO: test case for GL #1689. # TODO: test case for GL #1689.
# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) # If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
# we could write a test that signs a zone with supported and unsupported # we could write a test that signs a zone with supported and unsupported