Add check for NSEC3 and key algorithms
authorMatthijs Mekking <matthijs@isc.org>
Mon, 19 Oct 2020 08:19:52 +0000 (10:19 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 26 Nov 2020 09:43:59 +0000 (10:43 +0100)
NSEC3 is not backwards compatible with key algorithms that existed
before the RFC 5155 specification was published.

bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf [new file with mode: 0644]
bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
bin/tests/system/checkconf/tests.sh
lib/dns/include/dns/result.h
lib/dns/result.c
lib/isccfg/kaspconf.c

diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
new file mode 100644 (file)
index 0000000..515d79f
--- /dev/null
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+       keys {
+               csk lifetime unlimited algorithm rsasha1;
+       };
+       nsec3param ;
+};
+
+zone "example.net" {
+       type master;
+       file "example.db";
+       dnssec-policy "bad-salt";
+};
+
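Review bot: The policy in this new fixture is named "bad-salt" although the file exercises the NSEC3 key-algorithm rejection, so a reader of the tests.sh output has to open the file to see what it actually covers; renaming both occurrences, `dnssec-policy "bad-nsec3-alg" {` and `dnssec-policy "bad-nsec3-alg";`, keeps the fixture aligned with its filename and with the sibling kasp-bad-nsec3-iter.conf. The bare `nsec3param ;` statement is presumably deliberate, since the check under test fires on the key algorithm regardless of iterations or salt; a one-line comment such as `# no parameters: the algorithm check fires for any nsec3param` would save the next reader from wondering whether the line is incomplete.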
index f537f50e927c0407f6e8ae3f9d322126d56a2b00..49874e260bcf6be8118aad66ce4505ecc86f270c 100644 (file)
 
 dnssec-policy "rsasha1" {
        keys {
-               csk lifetime P10Y algorithm rsasha1 1024;
+               csk lifetime P10Y algorithm nsec3rsasha1 1024;
        };
        nsec3param iterations 150;
 };
 
 dnssec-policy "rsasha1-bad" {
        keys {
-               csk lifetime P10Y algorithm rsasha1 1024;
+               csk lifetime P10Y algorithm nsec3rsasha1 1024;
        };
        nsec3param iterations 151;
 };
index eb39d59b56760e7da855bc664b2c3723fd5f0e4c..44926bccf15a25f25ca74d4881bfc714de85a1fc 100644 (file)
@@ -528,6 +528,14 @@ if [ $lines != 3 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp key errors ($n)"
 ret=0
index f6ec856308fae07441afdb7169ffef07b144db6b..a37689cebbab3f7095a29519b2174286b7abaabd 100644 (file)
 #define DNS_R_KEYNOTACTIVE     (ISC_RESULTCLASS_DNS + 122)
 #define DNS_R_NSEC3ITERRANGE   (ISC_RESULTCLASS_DNS + 123)
 #define DNS_R_NSEC3BADSALT     (ISC_RESULTCLASS_DNS + 124)
+#define DNS_R_NSEC3BADALG      (ISC_RESULTCLASS_DNS + 125)
 
-#define DNS_R_NRESULTS 125 /*%< Number of results */
+#define DNS_R_NRESULTS 126 /*%< Number of results */
 
 /*
  * DNS wire format rcodes.
index 7df73f78e5a16ff50392f40d440b3d31f883c871..eea0257015473ee11448aacecface9ce9df9d090 100644 (file)
@@ -166,12 +166,13 @@ static const char *text[DNS_R_NRESULTS] = {
        "verify failure",           /*%< 118 DNS_R_VERIFYFAILURE */
        "at top of zone",           /*%< 119 DNS_R_ATZONETOP */
 
-       "no matching key found",       /*%< 120 DNS_R_NOKEYMATCH */
-       "too many keys matching",      /*%< 121 DNS_R_TOOMANYKEYS */
-       "key is not actively signing", /*%< 122 DNS_R_KEYNOTACTIVE */
+       "no matching key found",         /*%< 120 DNS_R_NOKEYMATCH */
+       "too many keys matching",        /*%< 121 DNS_R_TOOMANYKEYS */
+       "key is not actively signing",   /*%< 122 DNS_R_KEYNOTACTIVE */
 
-       "NSEC3 iterations out of range", /*%< 123 DNS_R_NSEC3ITERRANGE */
-       "bad NSEC3 salt",                /*%< 124 DNS_R_NSEC3BADSALT */
+       "NSEC3 iterations out of range",       /*%< 123 DNS_R_NSEC3ITERRANGE */
+       "bad NSEC3 salt",                      /*%< 124 DNS_R_NSEC3BADSALT */
+       "cannot use NSEC3 with key algorithm", /*%< 125 DNS_R_NSEC3BADALG */
 };
 
 static const char *ids[DNS_R_NRESULTS] = {
@@ -304,6 +305,7 @@ static const char *ids[DNS_R_NRESULTS] = {
        "DNS_R_KEYNOTACTIVE",
        "DNS_R_NSEC3ITERRANGE",
        "DNS_R_NSEC3BADSALT",
+       "DNS_R_NSEC3BADALG",
 };
 
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
index af52c9c64f9cf97ab5c1e6e8ad3ec033b65d51b0..39b97f8d545b0278d3cde40f905dd2156021fefb 100644 (file)
@@ -173,6 +173,7 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
        const cfg_obj_t *obj = NULL;
        const char *salt = NULL;
        uint32_t iter = DEFAULT_NSEC3PARAM_ITER;
+       uint32_t badalg = 0;
        bool optout = false;
        isc_result_t ret = ISC_R_SUCCESS;
 
@@ -186,11 +187,31 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
             kkey = ISC_LIST_NEXT(kkey, link))
        {
                unsigned int keysize = dns_kasp_key_size(kkey);
+               uint32_t keyalg = dns_kasp_key_algorithm(kkey);
+
                if (keysize < min_keysize) {
                        min_keysize = keysize;
                }
+
+               /* NSEC3 cannot be used with certain key algorithms. */
+               if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH ||
+                   keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1)
+               {
+                       badalg = keyalg;
+               }
        }
        dns_kasp_thaw(kasp);
+
+       if (badalg > 0) {
+               char algstr[DNS_SECALG_FORMATSIZE];
+               dns_secalg_format((dns_secalg_t)badalg, algstr, sizeof(algstr));
+               cfg_obj_log(
+                       obj, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: cannot use nsec3 with algorithm '%s'",
+                       algstr);
+               return (DNS_R_NSEC3BADALG);
+       }
+
        /* See RFC 5155 Section 10.3 for iteration limits. */
        if (min_keysize <= 1024 && iter > 150) {
                ret = DNS_R_NSEC3ITERRANGE;