From: Mark Andrews Date: Wed, 28 May 2025 10:02:48 +0000 (+1000) Subject: Test extended DS digest type support X-Git-Tag: v9.21.10~47^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38ef960fd0acd7889e6ed014def72b52f523c207;p=thirdparty%2Fbind9.git Test extended DS digest type support Add a zone using DS records that embed the private algorithm identifier in the digest field. There are 2 DS record for an unsupported DNSSEC algorithm one of which that doesn't have a matching DNSKEY. This zone should validate as insecure as the validator can establish that both DS records are for unsupported DNSSEC algorithms.
---
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 3f328214546..1efb1755b40 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -196,3 +196,6 @@ ns.extradsoid A 10.53.0.3
 extradsunknownoid NS ns.extradsunknownoid
 ns.extradsunknownoid A 10.53.0.3
+
+extended-ds-unknown-oid NS ns.extended-ds-unknown-oid
+ns.extended-ds-unknown-oid A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index e6ddad16a18..2658fd10b35 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -66,7 +66,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
 dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
 dnskey-nsec3-unknown managed-future future revkey \
 dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
- rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid; do
+ rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid \
+ extended-ds-unknown-oid; do
 cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in b/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in
new file mode 100644
index 00000000000..f6c4fabdd31
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/extended-ds-unknown-oid.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 9bb2ad8a53e..a9a1b207bf3 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -459,6 +459,11 @@ zone "extradsunknownoid.example" {
 file "extradsunknownoid.example.db.signed";
 };
+zone "extended-ds-unknown-oid.example" {
+ type primary;
+ file "extended-ds-unknown-oid.example.db.signed";
+};
+
 dnssec-policy "siginterval1" {
 keys {
 ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 9ff2cdd0d3a..8cf46a2f06f 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -528,6 +528,42 @@ keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
 # add the resulting DS to the dsset.
 sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zone" >>"dsset-${zone}."
+#
+# A UNKNOWNOID with an extra DS zone. Sign the zone using RSASHA512OID
+# then update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14. Add an additional DS with an extended digest
+# type that encoded the DNSKEY's private type identifier which does not
+# match the DNSKEY RRset with using this unknown OID.
+#
+zone=extended-ds-unknown-oid.example
+infile=extended-ds-unknown-oid.example.db.in
+zonefile=extended-ds-unknown-oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* ${zone}./\1 ${tag} ${zone}./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+if $FEATURETEST --extended-ds-digest; then
+ # add a DS for a second key with the same algorithm
+ keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
+
+ # Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14 and
+ # add the resulting DS using digest type SHA-256-PRIVATE to the dsset.
+ sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -a SHA-256-PRIVATE -A -f - "$zone" >>"dsset-${zone}."
+fi
+
 #
 # A zone with the DNSKEY set only signed by the KSK
 #
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 65f0a1d61ff..86441c6f94e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
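Review bot: The header comment of the new section was carried over from the previous one (`# A UNKNOWNOID with an extra DS zone.`) and its last sentence (`type that encoded the DNSKEY's private type identifier which does not match the DNSKEY RRset with using this unknown OID`) does not parse; suggest replacing the block with `# An extended-DS zone for an unknown OID. Sign with RSASHA512OID, rewrite the OID in the DNSKEY and RRSIGs to the unknown OID 1.2.840.113549.1.1.14, then add a second DS of digest type SHA-256-PRIVATE (which embeds the private algorithm identifier) for a key that is not in the DNSKEY RRset.` The OID rewrite is a fixed base64 substring match, `sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/'`, which silently leaves its input unchanged if the DER prefix of a generated key ever lands on a different base64 alignment; the zone would then be signed with the supported OID and the check in tests.sh would presumably fail on the AD flag without indicating why. A guard after the stage2 step, `grep -q CwYJKoZIhvcO "${zonefile}.stage2" || exit 1`, would pin such a failure to its cause, if aborting from sign.sh is acceptable in this script's convention. The same substitution is applied to the second key inside the `$FEATURETEST` block and in the context lines above, where the same guard would apply.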
@@ -1020,6 +1020,20 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
+if $FEATURETEST --extended-ds-digest; then
+ echo_i "checking positive validation with extra ds using extended digest type for unknown private algorithm succeeds ($n)"
+ ret=0
+ dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+ dig_with_opts +noauth a.extended-ds-unknown-oid.example. \
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+ digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+fi
+
 # Check the bogus domain
 echo_i "checking failed validation ($n)"
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index 0599c8eb690..e4e0a085f58 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -102,6 +102,9 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/example.bk",
 "ns3/expired.example.db",
 "ns3/expiring.example.db",
+ "ns3/extended-ds-unknown-oid.example.db",
+ "ns3/extended-ds-unknown-oid.example.db.stage1",
+ "ns3/extended-ds-unknown-oid.example.db.stage2",
 "ns3/extradsoid.example.db",
 "ns3/extradsunknownoid.example.db",
 "ns3/extradsunknownoid.example.db.stage1",
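Review bot: The label passed to `echo_i` on the first added line of the tests.sh hunk says `positive validation ... succeeds`, but the `grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1` line fails the check precisely when the AD flag is present, so what is verified is that the validator answers the zone as insecure rather than bogus — what the commit message describes and what RFC 4035 §5.2 calls for when no DS in the set has a supported algorithm; suggest `echo_i "checking insecure validation with extra ds using extended digest type for unknown private algorithm ($n)"`. The `digcomp` against the authoritative ns3 answer would presumably catch a SERVFAIL from ns4, but an explicit `grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1` makes the expected outcome (an answer, without AD) readable from the test itself. Nothing here confirms that the validator actually evaluated the SHA-256-PRIVATE DS, so a regression in which that record were ignored entirely would still produce the same insecure answer and pass; whether a log-based check elsewhere in tests.sh covers that cannot be told from this hunk.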