From: Ondřej Surý Date: Sat, 1 Nov 2025 11:00:59 +0000 (+0100) Subject: Add a system test with one good and one bad algorithm X-Git-Tag: v9.21.15~4^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=488d7bfc75f2988c6e461b8677bc0e27e58bd82e;p=thirdparty%2Fbind9.git Add a system test with one good and one bad algorithm The case where there would be one supported algorithm and one already unsupported (like RSAMD5 or RSASHA1) was missing. --- diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index 47c2eb7f0eb..07429366eeb 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -202,3 +202,7 @@ ns3.extradsunknownoid A 10.53.0.3 extended-ds-unknown-oid NS ns3.extended-ds-unknown-oid ns3.extended-ds-unknown-oid A 10.53.0.3 + +; A secure subdomain with extra bad key +extrabadkey NS ns3.extrabadkey +ns3.extrabadkey A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index e3f18af15e0..da9f5f07fc0 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -92,7 +92,7 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \ dnskey-nsec3-unknown managed-future future revkey \ dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \ rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid \ - extended-ds-unknown-oid; do + extended-ds-unknown-oid extrabadkey; do cp "../ns3/dsset-$subdomain.example." . done diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2 index 1a0edc14bb8..9cbc58892c8 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.j2 +++ b/bin/tests/system/dnssec/ns3/named.conf.j2 
@@ -141,6 +141,12 @@ zone "extrakey.example" {
 allow-update { any; };
 };
 
+zone "extrabadkey.example" {
+ type primary;
+ file "extrabadkey.example.db.signed";
+ allow-update { any; };
+};
+
 zone "insecure.nsec3.example" {
 type primary;
 file "insecure.nsec3.example.db";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 5512888b2f4..ea81381eb23 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -905,3 +905,34 @@ ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
 "$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+#
+#
+#
+zone=extrabadkey.example.
+infile=template.db.in
+zonefile=extrabadkey.example.db
+
+# Add KSK and ZSK that we will mangle to RSAMD5
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Mangle the signatures to RSAMD5 and save them for future use
+sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" <"$zonefile.signed" >"$zonefile.signed.rsamd5"
+
+# Now add normal KSK and ZSK to the zone file
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
+cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >>"$zonefile"
+
+# Sign normally
+"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
+
+# Add the mangled signatures to signed zone file
+cat "$zonefile.signed.rsamd5" >>"$zonefile.signed"
+rm "$zonefile.signed.rsamd5"
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index e6d8ccc7343..a27a8999873 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
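Review bot: The comment `# Mangle the DNSKEY algorithm numbers and add them to the signed zone file` does not match the line under it, which appends the mangled keys to the unsigned `$zonefile` before `$SIGNER` runs; reword it to `# Mangle the DNSKEY algorithm numbers to RSAMD5 and add the copies to the unsigned zone so they land in the signed DNSKEY RRset`. The three-line `#` banner that opens the section carries no text; fill the middle line in, e.g. `# A zone signed with a supported algorithm that also carries a DNSKEY pair and RRSIGs mangled to RSAMD5 (algorithm 1)`, so a reader knows what the fixture is. The saved RRSIGs were produced by the first key pair while the mangled DNSKEYs come from the second, so their key tags presumably do not agree; that is harmless if the point is only that algorithm 1 is skipped as unsupported, but a one-line comment saying so would stop a future reader from treating it as a bug. The `[A-Z]*` in the RRSIG `sed` pattern also skips type names containing digits (NSEC3PARAM, TYPE*), which matters only if this zone ever gains such records.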
@@ -1385,3 +1385,11 @@ def test_rrsigs_for_glue(): record.rdtype == rdatatype.RRSIG and record.covers == rdatatype.A for record in res.answer ) + + +def test_extra_bad_algorithm(): + msg = isctest.query.create("a.extrabadkey.example", "A") + res1 = isctest.query.tcp(msg, "10.53.0.3") + res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.same_answer(res1, res2) + isctest.check.adflag(res2)
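Review bot: The test passes whenever `a.extrabadkey.example` validates, so it cannot tell a correctly built fixture from one where the RSAMD5 key and signatures never reached the zone (for instance if the `sed` mangling in ns3/sign.sh matched nothing); it would then be just another secure-zone check. Add a fixture guard before the A query that fetches the apex DNSKEY RRset from ns3 and requires both an algorithm 1 key and at least one other algorithm, using the `rdatatype` name already in scope from the surrounding test. It is also worth asserting the A answer is NOERROR and non-empty, since `same_answer` is satisfied by two empty answers; I have assumed a helper such as `isctest.check.noerror(res2)` exists alongside `adflag` in this module, so confirm the name.
```python
def test_extra_bad_algorithm():
    # Fixture guard: the apex DNSKEY RRset must hold an RSAMD5 (algorithm 1)
    # key next to a supported one, or the validation check below proves nothing.
    msg = isctest.query.create("extrabadkey.example", "DNSKEY")
    res = isctest.query.tcp(msg, "10.53.0.3")
    algs = {
        rr.algorithm
        for rrset in res.answer
        if rrset.rdtype == rdatatype.DNSKEY
        for rr in rrset
    }
    assert 1 in algs and algs - {1}, algs
    # … unchanged: A query to 10.53.0.3 and 10.53.0.4, same_answer, adflag …
```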