From: Matthijs Mekking
Date: Mon, 19 Oct 2020 08:19:52 +0000 (+0200)
Subject: Add check for NSEC3 and key algorithms
X-Git-Tag: v9.17.8~27^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00c5dabea32204e27cbec835ff985c639a7d173d;p=thirdparty%2Fbind9.git

Add check for NSEC3 and key algorithms

NSEC3 is not backwards compatible with key algorithms that existed before the RFC 5155 specification was published.
---

diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
new file mode 100644
index 00000000000..515d79f2bda
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ };
+ nsec3param ;
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
index f537f50e927..49874e260bc 100644
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
@@ -11,14 +11,14 @@
 dnssec-policy "rsasha1" {
 keys {
- csk lifetime P10Y algorithm rsasha1 1024;
+ csk lifetime P10Y algorithm nsec3rsasha1 1024;
 };
 nsec3param iterations 150;
 };
 dnssec-policy "rsasha1-bad" {
 keys {
- csk lifetime P10Y algorithm rsasha1 1024;
+ csk lifetime P10Y algorithm nsec3rsasha1 1024;
 };
 nsec3param iterations 151;
 };
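Review bot: The policy in the new kasp-bad-nsec3-alg.conf is named `"bad-salt"`, but what this fixture exercises is the key-algorithm check (tests.sh greps for the nsec3-with-algorithm error for this file), so the name reads as copied from the salt fixture and will mislead anyone looking at named-checkconf output; `dnssec-policy "bad-alg" {` together with `dnssec-policy "bad-alg";` in the zone block would match the file name. The same staleness applies to the kasp-bad-nsec3-iter.conf hunk on this line, where the policies are still called `"rsasha1"` and `"rsasha1-bad"` although their keys now use `nsec3rsasha1`. A one-line comment in the new fixture saying that the bare `nsec3param ;` (default parameters) is deliberate would also help, since on its own it looks like a truncated statement.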
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index eb39d59b567..44926bccf15 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -528,6 +528,14 @@ if [ $lines != 3 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp key errors ($n)"
 ret=0
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index f6ec856308f..a37689cebba 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -160,8 +160,9 @@
 #define DNS_R_KEYNOTACTIVE (ISC_RESULTCLASS_DNS + 122)
 #define DNS_R_NSEC3ITERRANGE (ISC_RESULTCLASS_DNS + 123)
 #define DNS_R_NSEC3BADSALT (ISC_RESULTCLASS_DNS + 124)
+#define DNS_R_NSEC3BADALG (ISC_RESULTCLASS_DNS + 125)
-#define DNS_R_NRESULTS 125 /*%< Number of results */
+#define DNS_R_NRESULTS 126 /*%< Number of results */
 /*
 * DNS wire format rcodes.
diff --git a/lib/dns/result.c b/lib/dns/result.c
index 7df73f78e5a..eea02570154 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -166,12 +166,13 @@ static const char *text[DNS_R_NRESULTS] = {
 "verify failure", /*%< 118 DNS_R_VERIFYFAILURE */
 "at top of zone", /*%< 119 DNS_R_ATZONETOP */
- "no matching key found", /*%< 120 DNS_R_NOKEYMATCH */
- "too many keys matching", /*%< 121 DNS_R_TOOMANYKEYS */
- "key is not actively signing", /*%< 122 DNS_R_KEYNOTACTIVE */
+ "no matching key found", /*%< 120 DNS_R_NOKEYMATCH */
+ "too many keys matching", /*%< 121 DNS_R_TOOMANYKEYS */
+ "key is not actively signing", /*%< 122 DNS_R_KEYNOTACTIVE */
- "NSEC3 iterations out of range", /*%< 123 DNS_R_NSEC3ITERRANGE */
- "bad NSEC3 salt", /*%< 124 DNS_R_NSEC3BADSALT */
+ "NSEC3 iterations out of range", /*%< 123 DNS_R_NSEC3ITERRANGE */
+ "bad NSEC3 salt", /*%< 124 DNS_R_NSEC3BADSALT */
+ "cannot use NSEC3 with key algorithm", /*%< 125 DNS_R_NSEC3BADALG */
 };
 static const char *ids[DNS_R_NRESULTS] = {
@@ -304,6 +305,7 @@ static const char *ids[DNS_R_NRESULTS] = {
 "DNS_R_KEYNOTACTIVE",
 "DNS_R_NSEC3ITERRANGE",
 "DNS_R_NSEC3BADSALT",
+ "DNS_R_NSEC3BADALG",
 };
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index af52c9c64f9..39b97f8d545 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -173,6 +173,7 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 const cfg_obj_t *obj = NULL;
 const char *salt = NULL;
 uint32_t iter = DEFAULT_NSEC3PARAM_ITER;
+ uint32_t badalg = 0;
 bool optout = false;
 isc_result_t ret = ISC_R_SUCCESS;
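Review bot: `text[]` is declared with the explicit size `DNS_R_NRESULTS`, so the only thing keeping the new `"cannot use NSEC3 with key algorithm"` entry in step with the `DNS_R_NRESULTS 126` bump in result.h is manual discipline; a future code that bumps the count without adding a string leaves a silent NULL slot instead of a compile error. The same applies to `ids[]` in the second hunk of this file. One way to pin it is to drop the explicit size, `static const char *text[] = {`, and follow the closing `};` with `_Static_assert(sizeof(text) / sizeof(text[0]) == DNS_R_NRESULTS, "text[] out of sync with DNS_R_NRESULTS");` — that requires the tree to build as C11, which I cannot confirm from this diff. The new entry and its `/*%< 125 DNS_R_NSEC3BADALG */` tag are otherwise consistent with the header.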
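Review bot: `uint32_t badalg = 0;` is later used as a sentinel where 0 means "no NSEC3-incompatible key algorithm seen", which silently relies on DNSSEC algorithm number 0 never being a valid key algorithm; that assumption deserves to be stated at the declaration, e.g. `uint32_t badalg = 0; /* 0: no NSEC3-incompatible key algorithm found (0 is not a valid algorithm) */`. The loop in the following hunk overwrites `badalg` on every match, so when several keys in the policy use incompatible algorithms only the last one is named in the error; if reporting one is intended, a short comment there would save the next reader from wondering. The body of cfg_nsec3param_fromconfig continues outside this hunk.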
@@ -186,11 +187,31 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 kkey = ISC_LIST_NEXT(kkey, link)) {
 unsigned int keysize = dns_kasp_key_size(kkey);
+ uint32_t keyalg = dns_kasp_key_algorithm(kkey);
+
 if (keysize < min_keysize) {
 min_keysize = keysize;
 }
+
+ /* NSEC3 cannot be used with certain key algorithms. */
+ if (keyalg == DNS_KEYALG_RSAMD5 || keyalg == DNS_KEYALG_DH ||
+ keyalg == DNS_KEYALG_DSA || keyalg == DNS_KEYALG_RSASHA1)
+ {
+ badalg = keyalg;
+ }
 }
 dns_kasp_thaw(kasp);
+
+ if (badalg > 0) {
+ char algstr[DNS_SECALG_FORMATSIZE];
+ dns_secalg_format((dns_secalg_t)badalg, algstr, sizeof(algstr));
+ cfg_obj_log(
+ obj, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: cannot use nsec3 with algorithm '%s'",
+ algstr);
+ return (DNS_R_NSEC3BADALG);
+ }
+
 /* See RFC 5155 Section 10.3 for iteration limits. */
 if (min_keysize <= 1024 && iter > 150) {
 ret = DNS_R_NSEC3ITERRANGE;