Add tests using PRIVATEOID algorithms
authorMark Andrews <marka@isc.org>
Fri, 16 May 2025 05:50:53 +0000 (15:50 +1000)
committerMark Andrews <marka@isc.org>
Wed, 18 Jun 2025 21:15:20 +0000 (07:15 +1000)
There are 4 tests:

1) a zone using a known private OID.  Validations should succeed
and return AD=1.

2) a zone using an unknown private OID.  Validation should succeed
and return AD=0 as the DS to DNSKEY has provably unsupported
algorithm.

3) a zone using a known private OID and an extra DS record. Validation
should succeed as there is DS to DNSKEY with a known algorithm
linkage.

4) a zone using an unknown private OID and an extra DS record.
Validation should fail as only one of the DS records can be matched
to a provably unknown algorithm.  The algorithm of the second DS
is indeterminate.

bin/tests/system/dnssec/ns2/example.db.in
bin/tests/system/dnssec/ns2/sign.sh
bin/tests/system/dnssec/ns3/extradsoid.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/named.conf.in
bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/ns3/unknownoid.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests_sh_dnssec.py

index a7ec0e471c82ebab2cf94da953f25712225b5211..3f32821454678b7dec5edc2ea84cdf4e0a7b2569 100644 (file)
@@ -181,3 +181,18 @@ rsasha1-1024               NS      ns.rsasha1-1024
 ns.rsasha1-1024                A       10.53.0.3
 
 dname-at-apex-nsec3    NS      ns3
+
+rsasha256oid           NS      ns.rsasha256oid
+ns.rsasha256oid                A       10.53.0.3
+
+rsasha512oid           NS      ns.rsasha512oid
+ns.rsasha512oid                A       10.53.0.3
+
+unknownoid             NS      ns.unknownoid
+ns.unknownoid          A       10.53.0.3
+
+extradsoid             NS      ns.extradsoid
+ns.extradsoid          A       10.53.0.3
+
+extradsunknownoid      NS      ns.extradsunknownoid
+ns.extradsunknownoid   A       10.53.0.3
index 31494222654947441723ecc13a981137e235831c..e6ddad16a18f17beadee740df3189f409b620bbc 100644 (file)
@@ -65,7 +65,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
   ttlpatch split-dnssec split-smart expired expiring upper lower \
   dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
   dnskey-nsec3-unknown managed-future future revkey \
-  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
+  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
+  rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid; do
   cp "../ns3/dsset-$subdomain.example." .
 done
 
diff --git a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
new file mode 100644 (file)
index 0000000..f6c4fab
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2009102722 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
+x                      CNAME   a
diff --git a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
new file mode 100644 (file)
index 0000000..f6c4fab
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2009102722 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
+x                      CNAME   a
index c7f76b4638f50df6597553f74463cd534d66efe9..9bb2ad8a53ee19d488c060c0480d52cb73c5ebfa 100644 (file)
@@ -429,11 +429,36 @@ zone "rsasha1-1024.example" {
        file "rsasha1-1024.example.db";
 };
 
+zone "rsasha256oid.example" {
+        type primary;
+        file "rsasha256oid.example.db.signed";
+};
+
+zone "rsasha512oid.example" {
+        type primary;
+        file "rsasha512oid.example.db.signed";
+};
+
+zone "unknownoid.example" {
+        type primary;
+        file "unknownoid.example.db.signed";
+};
+
 zone "target.peer-ns-spoof" {
        type primary;
        file "target.peer-ns-spoof.db.signed";
 };
 
+zone "extradsoid.example" {
+        type primary;
+        file "extradsoid.example.db.signed";
+};
+
+zone "extradsunknownoid.example" {
+        type primary;
+        file "extradsunknownoid.example.db.signed";
+};
+
 dnssec-policy "siginterval1" {
        keys {
                ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
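Review bot: The five new zone statements are inserted in two separate places — rsasha256oid, rsasha512oid and unknownoid before `zone "target.peer-ns-spoof"` and extradsoid, extradsunknownoid after it — although they form one test family; keeping all five adjacent, in the order their stanzas run in ns3/sign.sh, makes a missing one easier to spot. This is a style point only; the stanzas themselves follow the neighbouring primary-zone entries exactly.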
diff --git a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
new file mode 100644 (file)
index 0000000..f6c4fab
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2009102722 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
+x                      CNAME   a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
new file mode 100644 (file)
index 0000000..f6c4fab
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2009102722 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
+x                      CNAME   a
index 8f52e1f5146975395979c3d1bd4090839c7e6680..9ff2cdd0d3ad6e974698ce65cb619d631b735cba 100644 (file)
@@ -424,6 +424,110 @@ cat "$infile" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
 
+#
+# A RSASHA256OID zone.
+#
+zone=rsasha256oid.example.
+infile=rsasha256oid.example.db.in
+zonefile=rsasha256oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA256OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
+# A RSASHA512OID zone.
+#
+zone=rsasha512oid.example.
+infile=rsasha512oid.example.db.in
+zonefile=rsasha512oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
+# A UNKNOWNOID zone.  Sign the zone using RSASHA512OID then
+# update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14
+#
+zone=unknownoid.example
+infile=unknownoid.example.db.in
+zonefile=unknownoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+
+# extract the updated DNSKEY's tag
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* unknownoid.example./\1 ${tag} unknownoid.example./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+#
+# A PRIVATEOID zone with a extra DS record for a non-existent DNSKEY.
+#
+zone=extradsoid.example.
+infile=extradsoid.example.db.in
+zonefile=extradsoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+# add a DS for a second key with the same algorithm
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+"$DSFROMKEY" -2A "$keyname.key" >>"dsset-$zone"
+
+#
+# A UNKNOWNOID with an extra DS zone.  Sign the zone using RSASHA512OID
+# then update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14.  Add an additional DS which does not match
+# the DNSKEY RRset with using this unknown OID.
+#
+zone=extradsunknownoid.example
+infile=extradsunknownoid.example.db.in
+zonefile=extradsunknownoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* extradsunknownoid.example./\1 ${tag} extradsunknownoid.example./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+# add a DS for a second key with the same algorithm
+keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14 and
+# add the resulting DS to the dsset.
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zone" >>"dsset-${zone}."
+
 #
 # A zone with the DNSKEY set only signed by the KSK
 #
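Review bot: The second key for extradsoid.example is generated without `-L 300`, while the matching key for extradsunknownoid.example is generated with `-L 300`; if dnssec-dsfromkey takes the DS TTL from the key file, the DS appended to `dsset-extradsoid.example.` will carry a different TTL from the one already there, so ns2 ends up including a DS RRset with mixed TTLs — confirm against the generated dsset and, if so, use `keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")` there too. The `zone=` assignments also alternate between a trailing dot (rsasha256oid, rsasha512oid, extradsoid) and none (unknownoid, extradsunknownoid), with the dsset filenames compensating via `dsset-$zone` versus `dsset-${zone}.`; settling on one form would make the five stanzas directly comparable. The extra key pairs created only to derive a DS are never removed and stay in ns3 beside the live keys; a one-line comment such as `# this key is never published; only its DS is used` on each of those keygen lines would stop a later reader from "fixing" the zone by adding them to the DNSKEY RRset.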
diff --git a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in b/bin/tests/system/dnssec/ns3/unknownoid.example.db.in
new file mode 100644 (file)
index 0000000..f6c4fab
--- /dev/null
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2009102722 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
+x                      CNAME   a
index 3d248469521f9e360703f23a5b227980e44eb3f0..65f0a1d61fff87ef8100b47fb6c4595f921b00a4 100644 (file)
@@ -960,6 +960,66 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_i "checking positive validation with private algorithm works ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha256oid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha256oid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+  ret=0
+  echo_i "checking positive validation NSEC3 using dns_client ($n)"
+  delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1
+  grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
+  grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
+  n=$((n + 1))
+  test "$ret" -eq 0 || echo_i "failed"
+  status=$((status + ret))
+fi
+
+echo_i "checking positive validation with unknown private algorithm works ($n)"
+ret=0
+dig_with_opts +noauth a.unknownoid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.unknownoid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking positive validation with extra ds for private algorithm ($n)"
+ret=0
+dig_with_opts +noauth a.extradsoid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extradsoid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking positive validation with extra ds for unknown private algorithm fails ($n)"
+ret=0
+dig_with_opts +noauth a.extradsunknownoid.example. \
+  @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extradsunknownoid.example. \
+  @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID algorithm, tag [1-9][0-9]*$' ns4/named.run >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # Check the bogus domain
 
 echo_i "checking failed validation ($n)"
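Review bot: The `if [ -x "${DELV}" ]` block placed between the rsasha256oid and unknownoid checks queries a.nsec3.example and is labelled "positive validation NSEC3 using dns_client", so it exercises none of the zones this commit adds and looks like a copy of an existing delv check; if a delv run against the private-algorithm zone was intended, the name and message should be changed as below, otherwise the block should be dropped. Separately, rsasha512oid.example is signed and delegated but no check in this hunk queries it, so a failure specific to the RSASHA512OID path would go unnoticed; a counterpart of the rsasha256oid check using `a.rsasha512oid.example.` would close that gap. The RRSIG pattern `[0-9][0-9]* 3 300` still fits the private-algorithm zone, since it matches the PRIVATEOID algorithm number and the three labels of the queried name.
```shell
if [ -x "${DELV}" ]; then
  ret=0
  echo_i "checking positive validation with private algorithm using dns_client ($n)"
  delv_with_opts @10.53.0.4 a a.rsasha256oid.example >delv.out$n || ret=1
  grep "a.rsasha256oid.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
  grep "a.rsasha256oid.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
  # … unchanged: n increment, ret check, status accumulation …
fi
```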
index ac9528245252a6c70db4bfc90f98f3db62b0bbc9..0599c8eb6900b095d8c6c4381958065de463e70b 100644 (file)
@@ -84,6 +84,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/auto-nsec3.example.db",
         "ns3/badds.example.db",
         "ns3/bogus.example.db",
+        "ns3/digest-alg-unsupported.example.db",
         "ns3/disabled.managed.db",
         "ns3/disabled.trusted.db",
         "ns3/dname-at-apex-nsec3.example.db",
@@ -94,13 +95,17 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/dnskey-unsupported-2.example.db",
         "ns3/dnskey-unsupported.example.db",
         "ns3/dnskey-unsupported.example.db.tmp",
+        "ns3/ds-unsupported.example.db",
         "ns3/dynamic.example.db",
-        "ns3/digest-alg-unsupported.example.db",
         "ns3/enabled.managed.db",
         "ns3/enabled.trusted.db",
         "ns3/example.bk",
         "ns3/expired.example.db",
         "ns3/expiring.example.db",
+        "ns3/extradsoid.example.db",
+        "ns3/extradsunknownoid.example.db",
+        "ns3/extradsunknownoid.example.db.stage1",
+        "ns3/extradsunknownoid.example.db.stage2",
         "ns3/future.example.db",
         "ns3/keyless.example.db",
         "ns3/kskonly.example.db",
@@ -123,7 +128,9 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/revoked.trusted.db",
         "ns3/rfc2335.example.bk",
         "ns3/rsasha256.example.db",
+        "ns3/rsasha256oid.example.db",
         "ns3/rsasha512.example.db",
+        "ns3/rsasha512oid.example.db",
         "ns3/secure.below-cname.example.db",
         "ns3/secure.example.db",
         "ns3/secure.managed.db",
@@ -138,6 +145,9 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/trusted-future.key",
         "ns3/ttlpatch.example.db",
         "ns3/ttlpatch.example.db.patched",
+        "ns3/unknownoid.example.db",
+        "ns3/unknownoid.example.db.stage1",
+        "ns3/unknownoid.example.db.stage2",
         "ns3/unsupported.managed.db",
         "ns3/unsupported.managed.db.tmp",
         "ns3/unsupported.trusted.db",
@@ -146,7 +156,6 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/update-nsec3.example.db.signed",
         "ns3/upper.example.db",
         "ns3/upper.example.db.lower",
-        "ns3/ds-unsupported.example.db",
         "ns4/broken.conf",
         "ns4/managed.conf",
         "ns4/managed-keys.bind",