From: Matthijs Mekking Date: Thu, 28 Aug 2025 08:12:33 +0000 (+0200) Subject: Test named-checkconf -k X-Git-Tag: v9.21.14~24^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3918a8ca4cb5aa7ce665a7813913ff8f63656a07;p=thirdparty%2Fbind9.git Test named-checkconf -k Test named-checkconf -k option, that checks the dnssec-policy against the configured keystores.
---
diff --git a/bin/tests/system/checkconf-keys/bad-algorithm.conf.j2 b/bin/tests/system/checkconf-keys/bad-algorithm.conf.j2
new file mode 100644
index 00000000000..47f6b4f7fc0
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-algorithm.conf.j2
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "alternative-kz" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm RSASHA256;
+ zsk key-directory lifetime unlimited algorithm RSASHA256;
+ };
+};
+
+zone "bad-algorithm.kz.example" {
+ type primary;
+ file "bad-algorithm.kz.example.db";
+ dnssec-policy "alternative-kz";
+};
diff --git a/bin/tests/system/checkconf-keys/bad-keystore.conf.j2 b/bin/tests/system/checkconf-keys/bad-keystore.conf.j2
new file mode 100644
index 00000000000..3b10d3e66c8
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-keystore.conf.j2
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key-store "ksk" {
+ directory "ksk";
+};
+
+key-store "zsk" {
+ directory "zsk";
+};
+
+dnssec-policy "keystores-kz" {
+ keys {
+ ksk key-store "ksk" lifetime unlimited algorithm ECDSAP256SHA256;
+ zsk key-store "zsk" lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+zone "bad-keystores.kz.example" {
+ type primary;
+ file "bad-keystores.kz.example.db";
+ dnssec-policy "keystores-kz";
+};
diff --git a/bin/tests/system/checkconf-keys/bad-length.conf.j2 b/bin/tests/system/checkconf-keys/bad-length.conf.j2
new file mode 100644
index 00000000000..c27706359b1
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-length.conf.j2
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "alternative-csk" {
+ keys {
+ csk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ };
+};
+
+zone "bad-length.csk.example" {
+ type primary;
+ file "bad-length.csk.example.db";
+ dnssec-policy "alternative-csk";
+};
diff --git a/bin/tests/system/checkconf-keys/bad-missing-keyfile.conf.j2 b/bin/tests/system/checkconf-keys/bad-missing-keyfile.conf.j2
new file mode 100644
index 00000000000..2ee9098eb0e
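Review bot: bad-keystore.conf.j2 is a fixture nothing uses: tests_checkconf_keys.py in this commit never runs `named-checkconf -k bad-keystore.conf`, and setup.sh creates no zone file or keys for `bad-keystores.kz.example`, so whatever mismatch this config is meant to exercise is not covered. Its policy is also identical to the `keystores-kz` policy in named.conf.j2, which makes the intended failure unclear; either add a setup.sh block plus a test case asserting the expected message for this zone, or drop the file. The file name (`bad-keystore`) and the zone name (`bad-keystores.kz.example`) also disagree and are worth aligning whichever way you go.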
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-missing-keyfile.conf.j2
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "default-kz" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ zsk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+zone "missing-keyfile.kz.example" {
+ type primary;
+ file "missing-keyfile.kz.example.db";
+ dnssec-policy "default-kz";
+};
diff --git a/bin/tests/system/checkconf-keys/bad-role.conf.j2 b/bin/tests/system/checkconf-keys/bad-role.conf.j2
new file mode 100644
index 00000000000..464996cbc74
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-role.conf.j2
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "default-kz" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ zsk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+zone "bad-role.kz.example" {
+ type primary;
+ file "bad-role.kz.example.db";
+ dnssec-policy "default-kz";
+};
diff --git a/bin/tests/system/checkconf-keys/bad-superfluous-keyfile.conf.j2 b/bin/tests/system/checkconf-keys/bad-superfluous-keyfile.conf.j2
new file mode 100644
index 00000000000..a399553d50e
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-superfluous-keyfile.conf.j2
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "default-kz" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ zsk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+zone "superfluous-keyfile.kz.example" {
+ type primary;
+ file "superfluous-keyfile.kz.example.db";
+ dnssec-policy "default-kz";
+};
diff --git a/bin/tests/system/checkconf-keys/bad-tagrange.conf.j2 b/bin/tests/system/checkconf-keys/bad-tagrange.conf.j2
new file mode 100644
index 00000000000..1d6af168995
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/bad-tagrange.conf.j2
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "tagrange-csk" {
+ keys {
+ csk key-directory lifetime unlimited algorithm ECDSAP256SHA256 tag-range 0 32767;
+ };
+};
+
+zone "bad-tagrange.csk.example" {
+ type primary;
+ file "bad-tagrange.csk.example.db";
+ dnssec-policy "tagrange-csk";
+};
diff --git a/bin/tests/system/checkconf-keys/named.conf.j2 b/bin/tests/system/checkconf-keys/named.conf.j2
new file mode 100644
index 00000000000..92bf50ae0a8
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/named.conf.j2
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key-store "ksk" {
+ directory "ksk";
+};
+
+key-store "zsk" {
+ directory "zsk";
+};
+
+dnssec-policy "alternative-kz" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ };
+};
+
+dnssec-policy "alternative-csk" {
+ keys {
+ csk key-directory lifetime unlimited algorithm RSASHA256 2048;
+ };
+};
+
+dnssec-policy "default-kz" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ zsk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+dnssec-policy "default-csk" {
+ keys {
+ csk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+
+dnssec-policy "keystores-kz" {
+ keys {
+ ksk key-store "ksk" lifetime unlimited algorithm ECDSAP256SHA256;
+ zsk key-store "zsk" lifetime unlimited algorithm ECDSAP256SHA256;
+ };
+};
+
+zone "alternative.kz.example" {
+ type primary;
+ file "alternative.kz.example.db";
+ dnssec-policy "alternative-kz";
+};
+
+zone "alternative.csk.example" {
+ type primary;
+ file "alternative.csk.example.db";
+ dnssec-policy "alternative-csk";
+};
+
+zone "default.kz.example" {
+ type primary;
+ file "default.kz.example.db";
+ dnssec-policy "default-kz";
+};
+
+zone "default.csk.example" {
+ type primary;
+ file "default.csk.example.db";
+ dnssec-policy "default-csk";
+};
+
+zone "keystores.kz.example" {
+ type primary;
+ file "keystores.kz.example.db";
+ dnssec-policy "keystores-kz";
+};
diff --git a/bin/tests/system/checkconf-keys/setup.sh b/bin/tests/system/checkconf-keys/setup.sh
new file mode 100644
index 00000000000..08a79a636ab
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/setup.sh
@@ -0,0 +1,72 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+mkdir ksk
+mkdir zsk
+
+zone="alternative.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a RSASHA256 -b 2048 $zone 2>keygen.out.$zone.1
+$KEYGEN -a RSASHA256 -b 2048 -fK $zone 2>keygen.out.$zone.2
+
+zone="alternative.csk.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a RSASHA256 -b 2048 -fK $zone 2>keygen.out.$zone.2
+
+zone="default.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 $zone 2>keygen.out.$zone.1
+$KEYGEN -a 13 -fK $zone 2>keygen.out.$zone.2
+
+zone="default.csk.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 -fK $zone 2>keygen.out.$zone.2
+
+zone="keystores.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 -fK -K ksk $zone 2>keygen.out.$zone.2
+$KEYGEN -a 13 -K zsk $zone 2>keygen.out.$zone.2
+
+zone="superfluous-keyfile.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 $zone 2>keygen.out.$zone.1
+$KEYGEN -a 13 -fK $zone 2>keygen.out.$zone.2
+$KEYGEN -a 13 $zone 2>keygen.out.$zone.3 # superfluous
+
+zone="missing-keyfile.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 $zone 2>keygen.out.$zone.1
+# no ksk
+
+zone="bad-algorithm.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 $zone 2>keygen.out.$zone.1
+$KEYGEN -a 13 -fK $zone 2>keygen.out.$zone.2
+
+zone="bad-length.csk.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 8 -b 4096 -fK $zone 2>keygen.out.$zone.2
+
+zone="bad-tagrange.csk.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 -M 32768:65535 -fK $zone 
2>keygen.out.$zone.2
+
+zone="bad-role.kz.example"
+cp template.db.in "${zone}.db"
+$KEYGEN -a 13 -fK $zone 2>keygen.out.$zone.1
+$KEYGEN -a 13 -fK $zone 2>keygen.out.$zone.2
diff --git a/bin/tests/system/checkconf-keys/template.db.in b/bin/tests/system/checkconf-keys/template.db.in
new file mode 100644
index 00000000000..010b05b3cb3
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/checkconf-keys/tests_checkconf_keys.py b/bin/tests/system/checkconf-keys/tests_checkconf_keys.py
new file mode 100644
index 00000000000..bc8406c981a
--- /dev/null
+++ b/bin/tests/system/checkconf-keys/tests_checkconf_keys.py
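Review bot: In the `keystores.kz.example` block both dnssec-keygen invocations redirect stderr to the same file, `keygen.out.$zone.2`, so the ZSK run silently overwrites the KSK run's output; every other two-key block in this script uses `.1` for the ZSK and `.2` for the KSK. Change the second line to `$KEYGEN -a 13 -K zsk $zone 2>keygen.out.$zone.1`. Separately, with `#!/bin/sh -e` (and `set -e` again below) the bare `mkdir ksk` / `mkdir zsk` abort the script if the directories are left over from a previous run; `mkdir -p ksk zsk` would make setup re-runnable without changing what the test relies on. The script's last line falls in the next physical line of this listing.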
@@ -0,0 +1,123 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import os
+
+import pytest
+
+import isctest
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "bad-*.conf",
+ "K*.key",
+ "K*.private",
+ "K*.state",
+ "keygen.out.*",
+ "named.conf",
+ "*.db",
+ "ksk/",
+ "zsk/",
+ ]
+)
+
+CHECKCONF = os.environ["CHECKCONF"]
+
+
+def test_dnssecpolicy_keystore():
+ # Good configuration.
+ isctest.run.cmd([CHECKCONF, "-k", "named.conf"])
+
+ # Superfluous key file.
+ zone = "superfluous-keyfile.kz.example"
+ out = isctest.run.cmd(
+ [CHECKCONF, "-k", "bad-superfluous-keyfile.conf"], raise_on_exception=False
+ )
+ err = out.stdout.decode("utf-8")
+ assert f"zone '{zone}': wrong number of key files (3, expected 2)" in err
+
+ # Missing key file.
+ zone = "missing-keyfile.kz.example"
+ out = isctest.run.cmd(
+ [CHECKCONF, "-k", "bad-missing-keyfile.conf"], raise_on_exception=False
+ )
+ err = out.stdout.decode("utf-8")
+ assert f"zone '{zone}': wrong number of key files (1, expected 2)" in err
+
+ # Mismatch algorithm. 
+ zone = "bad-algorithm.kz.example"
+ out = isctest.run.cmd(
+ [CHECKCONF, "-k", "bad-algorithm.conf"], raise_on_exception=False
+ )
+ err = out.stdout.decode("utf-8")
+ keys = isctest.kasp.keydir_to_keylist(zone)
+ assert len(keys) == 2
+ assert (
+ f"zone '{zone}': key file '{zone}/ECDSAP256SHA256/{keys[0].tag}' does not match dnssec-policy alternative-kz"
+ in err
+ )
+ assert (
+ f"zone '{zone}': key file '{zone}/ECDSAP256SHA256/{keys[1].tag}' does not match dnssec-policy alternative-kz"
+ in err
+ )
+ assert (
+ f"zone '{zone}': no key file found matching dnssec-policy alternative-kz key:'ksk algorithm:RSASHA256 length:2048 tag-range:0-65535'"
+ in err
+ )
+ assert (
+ f"zone '{zone}': no key file found matching dnssec-policy alternative-kz key:'zsk algorithm:RSASHA256 length:2048 tag-range:0-65535'"
+ in err
+ )
+
+ # Mismatch length
+ zone = "bad-length.csk.example"
+ out = isctest.run.cmd(
+ [CHECKCONF, "-k", "bad-length.conf"], raise_on_exception=False
+ )
+ err = out.stdout.decode("utf-8")
+ keys = isctest.kasp.keydir_to_keylist(zone)
+ assert len(keys) == 1
+ assert (
+ f"zone '{zone}': key file '{zone}/RSASHA256/{keys[0].tag}' does not match dnssec-policy alternative-csk"
+ in err
+ )
+ assert (
+ f"zone '{zone}': no key file found matching dnssec-policy alternative-csk key:'csk algorithm:RSASHA256 length:2048 tag-range:0-65535'"
+ in err
+ )
+
+ # Mismatch tag range
+ zone = "bad-tagrange.csk.example"
+ out = isctest.run.cmd(
+ [CHECKCONF, "-k", "bad-tagrange.conf"], raise_on_exception=False
+ )
+ err = out.stdout.decode("utf-8")
+ keys = isctest.kasp.keydir_to_keylist(zone)
+ assert len(keys) == 1
+ assert (
+ f"zone '{zone}': key file '{zone}/ECDSAP256SHA256/{keys[0].tag}' does not match dnssec-policy tagrange-csk"
+ in err
+ )
+ assert (
+ f"zone '{zone}': no key file found matching dnssec-policy tagrange-csk key:'csk algorithm:ECDSAP256SHA256 length:256 tag-range:0-32767'"
+ in err
+ )
+
+ # Mismatch role
+ zone = "bad-role.kz.example"
+ out = 
isctest.run.cmd([CHECKCONF, "-k", "bad-role.conf"], raise_on_exception=False)
+ err = out.stdout.decode("utf-8")
+ keys = isctest.kasp.keydir_to_keylist(zone)
+ assert len(keys) == 2
+ assert (
+ f"zone '{zone}': no key file found matching dnssec-policy default-kz key:'zsk algorithm:ECDSAP256SHA256 length:256 tag-range:0-65535'"
+ in err
+ )
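Review bot: None of the six negative cases in test_dnssecpolicy_keystore checks the exit status; each passes `raise_on_exception=False` and then only greps the output, so a build in which named-checkconf prints the diagnostic but still exits 0 would pass this test, and that exit code is exactly what a CI gate on `named-checkconf -k` would rely on. If `isctest.run.cmd` returns a CompletedProcess-like object (it exposes `.stdout` here), add `assert out.returncode != 0` after each negative `isctest.run.cmd(...)` call, and for symmetry the positive case could assert `== 0` explicitly rather than relying on the default raise. As a point of style, the variable `err` holds `out.stdout`, which reads as if stderr were inspected; `output` or `log` would avoid the confusion. The asserted message strings are otherwise well chosen, since they pin algorithm, length and tag-range rather than just the zone name.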