Check disable-algorithms with non-zone names
authorMatthijs Mekking <matthijs@isc.org>
Tue, 23 Sep 2025 13:36:56 +0000 (15:36 +0200)
committerMark Andrews <marka@isc.org>
Thu, 25 Sep 2025 01:14:27 +0000 (11:14 +1000)
Test that if disable-algorithms is configured on a name that is below
the zone cut (inside the signed zone), the zone's data still validates
(z.secure.example).

Test that if disable-algorithms is configured on a name that is above
the zonecut, it is treated as insecure (zonecut.ent.secure.example).

bin/tests/system/dnssec/ns3/named.conf.j2
bin/tests/system/dnssec/ns3/secure.example.db.in
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns4/named.conf.j2
bin/tests/system/dnssec/tests_validation.py

index bfaa553369c2fbf2b40aec58f018be53aa5ea4b6..1a0edc14bb8286c2d22ffe984e673aa50d8adbd1 100644 (file)
@@ -99,6 +99,12 @@ zone "badalg.secure.example" {
        allow-update { any; };
 };
 
+zone "zonecut.ent.secure.example" {
+       type primary;
+       file "zonecut.ent.secure.example.db.signed";
+       allow-update { any; };
+};
+
 zone "bogus.example" {
        type primary;
        file "bogus.example.db.signed";
index fa8e398ff0c9505ecc74942d3a8cec4122d061ed..104d39ff6c309c567cac4131b5c8bd11ad29aea5 100644 (file)
@@ -34,6 +34,9 @@ x                     CNAME   a
 badalg                 NS      ns3.badalg
 ns3.badalg             A       10.53.0.3
 
+zonecut.ent            NS      ns3.zonecut.ent
+ns3.zonecut.ent                A       10.53.0.3
+
 private                        NS      ns.private
 ns.private             A       10.53.0.2
 
index c611b61e4fe616e1dee8c2596b4060bc4160dc8c..5512888b2f43085881cd304903f7767d60f9e4a0 100644 (file)
@@ -98,6 +98,18 @@ cat "$infile" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
 
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for ent.secure.example.
+zone=zonecut.ent.secure.example.
+infile=zonecut.ent.secure.example.db.in
+zonefile=zonecut.ent.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
 #
 zone=secure.example.
 infile=secure.example.db.in
diff --git a/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in b/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in
new file mode 100644 (file)
index 0000000..93cb343
--- /dev/null
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns3
+                       A       10.53.0.4
+ns3                    A       10.53.0.3
index 9a67908bde0f0f07e0ee727810fab3420f60dffc..bc3e2fd87bdb8b923c741b138b4680ca36610ef2 100644 (file)
@@ -50,6 +50,8 @@ options {
        disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
        disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
        disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 {% if not managed_key %}
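Review bot: The two new disable-algorithms entries name ECDSAP256SHA256 literally, while sign.sh generates the keys for these zones with `$DEFAULT_ALGORITHM`; the test only proves anything when the two agree, and a run with a different default algorithm would let zonecut.ent.secure.example validate as secure and fail the noadflag assertion. The pre-existing badalg entry has the same coupling, so this follows the file's convention rather than introducing it. If the template has the algorithm available as a variable, `disable-algorithms "ent.secure.example." { {{ DEFAULT_ALGORITHM }}; };` would remove the coupling; otherwise a comment stating that these must match DEFAULT_ALGORITHM in ns3/sign.sh would at least document it.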
index 025ec80f3bc6ff2b41167317428ee0ba8e55d58c..338f7f4e71c7cbc9f0683f29c1b096c2e9a5a0e9 100644 (file)
@@ -1327,6 +1327,25 @@ def test_unknown_algorithms():
             res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
         )
 
+    # check that zone contents are still secure despite disable-algorithms
+    # on query name (name below zone name).
+    msg = isctest.query.create("z.secure.example", "A")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.adflag(res)
+
+    # check that zone contents are trated insecure (name above zone name).
+    msg = isctest.query.create("zonecut.ent.secure.example", "A")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.noadflag(res)
+    if hasattr(res, "extended_errors"):
+        assert (
+            res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
+        )
+
     # check that DS records are still treated as secure at the
     # disable-algorithm name
     msg = isctest.query.create("badalg.secure.example", "DS")
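Review bot: The insecure case for zonecut.ent.secure.example only checks that the AD flag is absent, which is also what a plain unsigned delegation would produce; it does not show that the resolver reached the child's DS/DNSKEY and gave up because of disable-algorithms rather than because no DS exists. Mirroring the badalg DS check that follows, querying the DS at the zone cut and expecting `adflag` would pin the intended cause, assuming the DS is in fact published in secure.example. The `hasattr` guard and `[0]` index are copied from the existing pattern, but they raise IndexError rather than fail with a useful message if no EDE option comes back. Also, `trated` in the comment should be `treated`. The enclosing test_unknown_algorithms function starts before this hunk.
```python
    # … unchanged: z.secure.example and zonecut.ent.secure.example checks …

    # the DS at the zone cut lives in secure.example and is signed there,
    # so it should still validate even though the child is treated insecure
    msg = isctest.query.create("zonecut.ent.secure.example", "DS")
    res = isctest.query.tcp(msg, "10.53.0.4")
    isctest.check.noerror(res)
    isctest.check.adflag(res)
```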