Use signer name when disabling DNSSEC algorithms
authorMark Andrews <marka@isc.org>
Thu, 7 Aug 2025 04:37:33 +0000 (14:37 +1000)
committerMark Andrews <marka@isc.org>
Thu, 25 Sep 2025 01:14:27 +0000 (11:14 +1000)
When disabling algorithms, use the signer name to determine whether the
algorithm is disabled or not.  This allows algorithms to be
cleanly disabled on a per-zone basis.  Previously, because only the
record's owner name was used, "disable-algorithms" could impact resolution of
names that were not disabled.  This does now mean that
"disable-algorithms" cannot be used to disable part of a zone anymore.

bin/tests/system/dnssec/ns3/badalg.secure.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/named.conf.j2
bin/tests/system/dnssec/ns3/secure.example.db.in
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/tests_validation.py
lib/dns/validator.c
lib/ns/query.c

diff --git a/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in
new file mode 100644 (file)
index 0000000..93cb343
--- /dev/null
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns3
+                       A       10.53.0.4
+ns3                    A       10.53.0.3
index 6c9e18976cf1ced6020ae8734f3ed178ae54378c..bfaa553369c2fbf2b40aec58f018be53aa5ea4b6 100644 (file)
@@ -93,6 +93,12 @@ zone "secure.example" {
        allow-update { any; };
 };
 
+zone "badalg.secure.example" {
+       type primary;
+       file "badalg.secure.example.db.signed";
+       allow-update { any; };
+};
+
 zone "bogus.example" {
        type primary;
        file "bogus.example.db.signed";
index decb1eb3f0396c39592aa8eec8ac078d92594ae5..fa8e398ff0c9505ecc74942d3a8cec4122d061ed 100644 (file)
@@ -30,7 +30,9 @@ g                     A       10.0.0.7
 z                      A       10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
 x                      CNAME   a
-badalg                 A       10.53.0.4
+
+badalg                 NS      ns3.badalg
+ns3.badalg             A       10.53.0.3
 
 private                        NS      ns.private
 ns.private             A       10.53.0.2
index b7ec530e3c9a20120303c6f33ae218135e194a37..c611b61e4fe616e1dee8c2596b4060bc4160dc8c 100644 (file)
@@ -85,6 +85,20 @@ cp template.db.in insecure.optout.example.db
 cp extrakey.example.db.in extrakey.example.db
 
 # now the signed zones:
+
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for it.
+zone=badalg.secure.example.
+infile=badalg.secure.example.db.in
+zonefile=badalg.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
@@ -93,7 +107,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cn
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
+cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
 cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
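Review bot: The new `cat` line that includes `dsset-badalg.secure.example.` silently depends on the earlier `"$SIGNER" -z -o "$zone" "$zonefile"` step for badalg.secure.example having written that dsset file into the working directory, and nothing at the point of use says so. A one-line comment above the cat would make the ordering explicit, e.g. `# dsset-badalg.secure.example. is produced by the badalg.secure.example signing step above`. The bare `#` line that closes the new badalg block reads as a leftover; either give it content, such as `# secure.example (parent of badalg.secure.example)`, or drop it. The comment "treated as insecure as the DEFAULT_ALGORITHM is disabled for it" would also be clearer if it named where that happens, presumably the resolver's disable-algorithms configuration rather than anything in this script.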
index 95d1dbb5c49a6e6399980118ba5d1884d6c30540..fdd529c310b9f3efb32398441f049aae64f3db68 100644 (file)
@@ -1326,6 +1326,14 @@ def test_unknown_algorithms():
             res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
         )
 
+    # check that DS records are still treated as secure at the
+    # disable-algorithm name
+    msg = isctest.query.create("badalg.secure.example", "DS")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.adflag(res)
+
     # check both EDE code 1 and 2 for unsupported digest on one DNSKEY
     # and unsupported algorithm on the other
     msg = isctest.query.create("a.digest-alg-unsupported.example", "A")
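Review bot: The added block only checks the positive half of the new behaviour: the DS RRset at the delegation point validates with AD. The commit message's claim that the child zone is now treated as insecure (rather than bogus) is not asserted anywhere in this hunk; if no earlier part of `test_unknown_algorithms` queries a name under `badalg.secure.example` and checks that the answer is NOERROR without AD, that assertion belongs next to this one. The comment also says "disable-algorithm name" while the option is `disable-algorithms`; suggest `# check that the DS RRset at the disable-algorithms zone cut is still validated (it is signed by the parent)`, which also explains why the answer count of 2 is expected. The rest of the test function lies outside the hunk.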
index 6ce9607f22ff495b4d18ca6c3c2868f2d45d11bb..e81146763bd2a463046c5cbd71d6c46603b745b9 100644 (file)
@@ -1675,8 +1675,9 @@ validate_answer_process(void *arg) {
         * was known and "sufficiently good".
         */
        if (!dns_resolver_algorithm_supported(
-                   val->view->resolver, val->name, val->siginfo->algorithm,
-                   val->siginfo->signature, val->siginfo->siglen))
+                   val->view->resolver, &val->siginfo->signer,
+                   val->siginfo->algorithm, val->siginfo->signature,
+                   val->siginfo->siglen))
        {
                if (val->unsupported_algorithm == 0) {
                        val->unsupported_algorithm = val->siginfo->algorithm;
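Review bot: The comment that introduces this check (the "was known and 'sufficiently good'" text at the top of the hunk) still describes an owner-name test, while the call now keys the disabled-algorithm lookup on `&val->siginfo->signer`, the Signer's Name field taken from the RRSIG as received. That field is only confirmed to be the zone authoritative for `val->name` once the rest of the chain verifies, so a reader should be told that disable-algorithms is now a per-signing-zone policy and that the signer is the RRSIG's own claim at this point; suggest extending the comment with `Disabled algorithms are keyed on the RRSIG signer (the signing zone), not the owner name, so the whole zone is either disabled or not.` The same consideration applies to the matching call in the lib/ns/query.c hunk. validate_answer_process() begins before and continues after this hunk.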
index 26a5c2c8b449c37531986df980f5e480276360f4..47d02947c3fa79adaae760fac72e317cf1a11467 100644 (file)
@@ -2541,8 +2541,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
                result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                if (!dns_resolver_algorithm_supported(
-                           client->inner.view->resolver, name, rrsig.algorithm,
-                           rrsig.signature, rrsig.siglen))
+                           client->inner.view->resolver, &rrsig.signer,
+                           rrsig.algorithm, rrsig.signature, rrsig.siglen))
                {
                        char txt[DNS_NAME_FORMATSIZE + 32];
                        isc_buffer_t buffer;
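Review bot: The diagnostic assembled in `txt` immediately below the hunk presumably still formats `name`, the owner name that used to drive the decision; now that the outcome depends on `rrsig.signer`, a log line that shows only the owner will point operators at the wrong name when they ask why a disable-algorithms entry did or did not apply. If that is the case, format the signer as well (a second `dns_name_format` into the same message, or a separate buffer sized `DNS_NAME_FORMATSIZE`). The enclosing validate() starts before and ends after this hunk, so the message text itself is not visible here.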