fix DNSSEC EDE system tests on FIPS platform

author Colin Vidal <colin@isc.org>

Mon, 27 Jan 2025 11:52:19 +0000 (12:52 +0100)

committer Colin Vidal <colin@isc.org>

Thu, 30 Jan 2025 11:41:30 +0000 (11:41 +0000)
author Colin Vidal <colin@isc.org>
Mon, 27 Jan 2025 11:52:19 +0000 (12:52 +0100)
committer Colin Vidal <colin@isc.org>
Thu, 30 Jan 2025 11:41:30 +0000 (11:41 +0000)
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh

index 5689979cf1131a389c89c4ab705df7719b74115e..f61ea2838145bb0752cc7a422751cc96dc127ea8 100644 (file)
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -309,7 +309,7 @@ zonefile=digest-alg-unsupported.example.db
  cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
  dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
  keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-keyname2=$("$KEYGEN" -q -a ED448 -b "$DEFAULT_BITS" -n zone "$zone")
+keyname2=$("$KEYGEN" -q -a ECDSAP384SHA384 -b "$DEFAULT_BITS" -n zone "$zone")
  
  cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" "$keyname2.key" >"$zonefile"
  
@@ -319,7 +319,7 @@ mv "$zonefile".tmp "$zonefile".signed
  
  # override generated DS record file so we can set different digest to each keys
  DSFILE="dsset-${zone}"
-$DSFROMKEY -1 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
+$DSFROMKEY -a SHA-384 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
  $DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
  
  #
diff --git a/bin/tests/system/dnssec/ns4/named1.conf.in b/bin/tests/system/dnssec/ns4/named1.conf.in

index 4871f07879f992978a5774242f0d12ea86c6bece..e9264c169f72d32b1d53a9db24af6f10bdd4240d 100644 (file)
--- a/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -29,9 +29,9 @@ options {
         nta-recheck 9s;
         validate-except { corp; };
  
-       disable-algorithms "digest-alg-unsupported.example." { ED448; };
-       disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
-       disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+       disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+       disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+       disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
         disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
  
         # Note: We only reference the bind.keys file here to confirm that it
diff --git a/bin/tests/system/dnssec/ns4/named2.conf.in b/bin/tests/system/dnssec/ns4/named2.conf.in

index 7f1188830bc776d79be366a1a5dabf7a94ab0ed8..bf82385f7115244524e517b31f2aca79f674156a 100644 (file)
--- a/bin/tests/system/dnssec/ns4/named2.conf.in
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -25,9 +25,9 @@ options {
         dnssec-validation auto;
         bindkeys-file "managed.conf";
         minimal-responses no;
-       disable-algorithms "digest-alg-unsupported.example." { ED448; };
-       disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
-       disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+       disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+       disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";  };
+       disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
         disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
  };
  
diff --git a/bin/tests/system/dnssec/ns4/named3.conf.in b/bin/tests/system/dnssec/ns4/named3.conf.in

index d90ffb05319729e155027d9d9ba66707b04d2e1c..21fb38db9d8ffcaa139ecd1d7f4298e68cd64510 100644 (file)
--- a/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -26,9 +26,9 @@ options {
         bindkeys-file "managed.conf";
         dnssec-accept-expired yes;
         minimal-responses no;
-       disable-algorithms "digest-alg-unsupported.example." { ED448; };
-       disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
-       disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+       disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+       disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
+       disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
         disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
  };
  
diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in

index 1a8d917ca86f5c7c9efe2ce92e3866c09d598baf..34f59b498a2090dd91bb6dc768ce18e49e9681e7 100644 (file)
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -21,9 +21,9 @@ options {
         pid-file "named.pid";
         listen-on { 10.53.0.4; };
         listen-on-v6 { none; };
-       disable-algorithms "digest-alg-unsupported.example." { ED448; };
-       disable-ds-digests "digest-alg-unsupported.example." { "SHA1"; "SHA-1"; };
-       disable-ds-digests "ds-unsupported.example." {"SHA1"; "SHA-1"; "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
+       disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+       disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+       disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
         disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
  };
  
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh

index 9306e0e6d6c50230939e03fa823e8cca9eeba533..fc70f4c5681b00ac4a75cb47a626837f60e4248b 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3704,8 +3704,8 @@ status=$((status + ret))
  echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)"
  ret=0
  dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ED448 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
-grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-1 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
  grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
  n=$((n + 1))
  test "$ret" -eq 0 || echo_i "failed"
author	Colin Vidal <colin@isc.org>
	Mon, 27 Jan 2025 11:52:19 +0000 (12:52 +0100)
committer	Colin Vidal <colin@isc.org>
	Thu, 30 Jan 2025 11:41:30 +0000 (11:41 +0000)
bin/tests/system/dnssec/ns3/sign.sh		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns4/named1.conf.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns4/named2.conf.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns4/named3.conf.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/ns4/named4.conf.in		patch \| blob \| blame \| history
bin/tests/system/dnssec/tests.sh		patch \| blob \| blame \| history