Test extended DS digest type support
authorMark Andrews <marka@isc.org>
Wed, 28 May 2025 10:02:48 +0000 (20:02 +1000)
committerMark Andrews <marka@isc.org>
Wed, 18 Jun 2025 21:15:20 +0000 (07:15 +1000)
Add a zone using DS records that embed the private algorithm
identifier in the digest field.  There are 2 DS records for an
unsupported DNSSEC algorithm, one of which doesn't have a
matching DNSKEY.  This zone should validate as insecure as the
validator can establish that both DS records are for unsupported
DNSSEC algorithms.

bin/tests/system/dnssec/ns2/example.db.in
bin/tests/system/dnssec/ns2/sign.sh
bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/named.conf.in
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests_sh_dnssec.py

index 3f32821454678b7dec5edc2ea84cdf4e0a7b2569..1efb1755b40fb6ed06b6b9b4204f1a11eb9b6bf2 100644 (file)
@@ -196,3 +196,6 @@ ns.extradsoid               A       10.53.0.3
 
 extradsunknownoid      NS      ns.extradsunknownoid
 ns.extradsunknownoid   A       10.53.0.3
+
+extended-ds-unknown-oid        NS      ns.extended-ds-unknown-oid
+ns.extended-ds-unknown-oid A   10.53.0.3
index e6ddad16a18f17beadee740df3189f409b620bbc..2658fd10b35091ce206b4c681b12cccb96e8e08a 100644 (file)
@@ -66,7 +66,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
   dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
   dnskey-nsec3-unknown managed-future future revkey \
   dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
-  rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid; do
+  rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid \
+  extended-ds-unknown-oid; do
   cp "../ns3/dsset-$subdomain.example." .
 done
 
diff --git a/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in b/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in
new file mode 100644 (file)
index 0000000..f6c4fab
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2009102722 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
+x                      CNAME   a
index 9bb2ad8a53ee19d488c060c0480d52cb73c5ebfa..a9a1b207bf3cd66ffb5d52f34af5c1c79175cec7 100644 (file)
@@ -459,6 +459,11 @@ zone "extradsunknownoid.example" {
         file "extradsunknownoid.example.db.signed";
 };
 
+zone "extended-ds-unknown-oid.example" {
+        type primary;
+        file "extended-ds-unknown-oid.example.db.signed";
+};
+
 dnssec-policy "siginterval1" {
        keys {
                ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
index 9ff2cdd0d3ad6e974698ce65cb619d631b735cba..8cf46a2f06f658ac8bcae8ec4ca19b937fc1d573 100644 (file)
@@ -528,6 +528,42 @@ keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
 # add the resulting DS to the dsset.
 sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zone" >>"dsset-${zone}."
 
+#
+# A UNKNOWNOID with an extra DS zone.  Sign the zone using RSASHA512OID
+# then update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14.  Add an additional DS with an extended digest
+# type that encoded the DNSKEY's private type identifier which does not
+# match the DNSKEY RRset with using this unknown OID.
+#
+zone=extended-ds-unknown-oid.example
+infile=extended-ds-unknown-oid.example.db.in
+zonefile=extended-ds-unknown-oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* ${zone}./\1 ${tag} ${zone}./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+if $FEATURETEST --extended-ds-digest; then
+  # add a DS for a second key with the same algorithm
+  keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
+
+  # Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14 and
+  # add the resulting DS using digest type SHA-256-PRIVATE to the dsset.
+  sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -a SHA-256-PRIVATE -A -f - "$zone" >>"dsset-${zone}."
+fi
+
 #
 # A zone with the DNSKEY set only signed by the KSK
 #
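Review bot: The header comment introducing the new section is hard to follow ("A UNKNOWNOID with an extra DS zone", "an extended digest type that encoded the DNSKEY's private type identifier which does not match the DNSKEY RRset with using this unknown OID") and should be rewritten to say plainly what the script does below it: the zone is signed with RSASHA512OID, the OID in the DNSKEY and RRSIGs is rewritten to the unknown OID 1.2.840.113549.1.1.14, and a second DS with digest type SHA-256-PRIVATE is added for a key that is not in the DNSKEY RRset, so a validator is expected to treat the zone as insecure. Separately, `tag=$(awk '{print $4}' "dsset-${zone}.")` assumes the dsset file holds exactly one line; that appears to hold because the zone file is built from `$infile` plus a single key, but `awk 'NR==1{print $4}'` would make the assumption explicit and keep the following sed substitution well-formed if a second DS ever lands in the file first. The dots in `${zone}.` inside that sed pattern are unescaped and match any character; harmless for this fixed name, but worth a note since the pattern is doing the RRSIG key-tag rewrite that the whole test depends on.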
index 65f0a1d61fff87ef8100b47fb6c4595f921b00a4..86441c6f94e9c5704364e81d8eab62c00afc39fa 100644 (file)
@@ -1020,6 +1020,20 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+if $FEATURETEST --extended-ds-digest; then
+  echo_i "checking positive validation with extra ds using extended digest type for unknown private algorithm succeeds ($n)"
+  ret=0
+  dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
+    @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+  dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
+    @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+  digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+  grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+  n=$((n + 1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status + ret))
+fi
+
 # Check the bogus domain
 
 echo_i "checking failed validation ($n)"
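Review bot: The check label at the top of the added block says "positive validation ... succeeds", but the assertion is `grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1`, so the test passes only when the AD flag is absent, which is the insecure outcome the commit description calls for. Someone scanning test output would read the label as the answer having validated secure; I'd rename it `echo_i "checking insecure validation with extra ds using extended digest type for unknown private algorithm succeeds ($n)"`. The block is guarded by `$FEATURETEST --extended-ds-digest` and only advances `n` inside the guard, so test numbering stays consistent on builds without the feature, which looks right.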
index 0599c8eb6900b095d8c6c4381958065de463e70b..e4e0a085f58a43b5df5ae595e7e31b89d16d8142 100644 (file)
@@ -102,6 +102,9 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/example.bk",
         "ns3/expired.example.db",
         "ns3/expiring.example.db",
+        "ns3/extended-ds-unknown-oid.example.db",
+        "ns3/extended-ds-unknown-oid.example.db.stage1",
+        "ns3/extended-ds-unknown-oid.example.db.stage2",
         "ns3/extradsoid.example.db",
         "ns3/extradsunknownoid.example.db",
         "ns3/extradsunknownoid.example.db.stage1",