From: Mark Andrews
Date: Mon, 30 Jun 2025 05:09:32 +0000 (+1000)
Subject: Check that named-checkzone reports deprecated algorithms
X-Git-Tag: v9.21.11~46^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d406677f1b930c034128af6348a3e42ec367cd3;p=thirdparty%2Fbind9.git
Check that named-checkzone reports deprecated algorithms
---
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index db9b5706549..861a660c6d7 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -260,5 +260,25 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+echo_i "Checking for RSASHA1 deprecated warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.rsasha1.db >test.out.$n || ret=1
+grep "deprecated DNSKEY algorithm found: 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
+grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for NSECRSASHA1 deprected warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.nsec3rsasha1.db >test.out.$n || ret=1
+grep "deprecated DNSKEY algorithm found: 7 (NSEC3RSASHA1)" test.out.$n >/dev/null || ret=1
+grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db
new file mode 100644
index 00000000000..1490935c68a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db
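Review bot: Both added cases in tests.sh only assert that the warnings are present for a zone whose single DNSKEY uses a deprecated algorithm (5 or 7). Nothing here checks that `all DNSKEY algorithms found are deprecated` stays absent when a zone also carries a key with a non-deprecated algorithm, so a regression that printed that line unconditionally would still pass. A third case with a mixed-algorithm zone and an inverted check, `grep "all DNSKEY algorithms found are deprecated" test.out.$n >/dev/null && ret=1`, would pin the distinction between "some" and "all" that an operator planning an algorithm rollover relies on. The second banner is also misspelled: `echo_i "Checking for NSECRSASHA1 deprected warning ($n)"` should read `NSEC3RSASHA1 deprecated`, matching the algorithm name the grep on the next lines expects.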
@@ -0,0 +1,71 @@ +; File written on Mon Jun 30 14:55:37 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 7 1 3600 ( + 20901231235959 20250630035537 41424 example. + oqX2MaQSaMj2YPYWA/8echxn7QHBerVEs426 + z8IJ88lv8Ih3Rrsldur6hXCieYI46wK3xOft + p0VMAw9iIK5T49PXnaf7+hdaIJFDTAvuhzco + e1IcdfmS26a6rRZHG8QKNjVjn/Du3J2gbdoB + ubyio+7BY45Mk1S0sb0QzkmfTRZodULfvlW7 + BkmC9k0ixU1f1R+k26I0TJHYwH6Tw3O/0nPG + SkUKnIcgqjzXsnUN1XGR+gD9TVF8Hp+JYWCz + 5fFTR733OiScIK+Xlon+ydg1GixW1rOR2MOP + lowGJIHeE8nDYEgncKv91wFCp1IRHjgN/6zg + c6JBClYMhe0RS66I6A== ) + 3600 NS . + 3600 RRSIG NS 7 1 3600 ( + 20901231235959 20250630035411 41424 example. + pQUeJTZvpEPBZOdatA79eUE+qunKTasFyjgT + xB+hpvXujxFqf6FDs/TdfE9jGo5T8Rwb3Gu0 + 7+uo5ATwKuQL0TywDVm7DMj07iWoXpCGWge9 + q+iZ9sVXTzGKbb+1f8w9b/E9qW/s9Uir/tZq + pPWhEgy61ip/pjkcyoIi3wQtffBMckApBgao + Nk6YPi0TSl3W+cQUDkT2BeCoZDHuhuvS+Z3x + URTu5FnqT3YPKJ5xb4N3mr4um4oI9sy+TJIj + yuSW/ie0Bzy8x8ha1capfhlbPsZI6SKe0ldR + vC9dr0gertISQzAnl9GqxFne6Ya5DyYHKye+ + khVrRKAu2YIFRWYrOg== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 7 1 3600 ( + 20901231235959 20250630035537 41424 example. 
+ IMgNRFY4qWHDFz/gWiXn6jrCSW4Az/5sE7ML + dyJgY8OHtM2Kq+ThRsgZn7gN47T7QJv8Dvc3 + oYNRH7R6sjGJBZmfoqfdZmJOrR1bdKhHjhHR + 0b3NuXlVAG7eqMu4eJvsKZCUTKxa3+iFStw/ + pTsHWEVT9ozMaAfQdzM86Pq6x8VVQCRwuw9g + JWkjt0/4VGA/tTj713o0/7Ju0055wSVnFNvH + XaAW2PG9nRDyFvoOq1lFSFEPm9gXDFfDmTZn + 40v+qIer/vPGMkHyizZAbZ0qnM7lwNAhDukz + catwpgsbpMWHrBUgnDCbxpzfl24n7wmHyCUa + ArewJH9UphjytrxHjw== ) + 3600 DNSKEY 256 3 7 ( + AwEAAakdlaNNa6UNEKTh7g0TPBLuEecXezJ2 + mz7kaBxIEx7t3IPxWymt5XezCtR7NilHW+zo + d42hzKrtqFilt5SBrsjnWr5ipczEySEYCtOz + Jx0P9xLj8MjCf5D6+elSY4zm9gtqlIo6ryhf + SuCJQ9XZOIFD10/8efr0HYxkc0N4msZhVcuB + yJ650Pjc0EFWEe2yseM+uXZCIc/0Q4OayMJA + 5GEJwvq/POH/POU7HlQR5RKzT0babm4Jvmpx + F1jf7gSRL44LgVLl/m4fKjseK1w0shOxhrwc + gAXI5ZMpspN9Mnhy+HNemkw9xyw3XkAtcTuN + yUHvCLEyaklh6latwxFQTLM= + ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 41424 + 3600 RRSIG DNSKEY 7 1 3600 ( + 20901231235959 20250630035411 41424 example. + G2lr1Q+xjDnefyPbxLTy0yZ8wUg1+GcaBb9H + 7YX0FzZroRLTNr8SN2VYge4CbNZkTIC98dmV + TRwoBp4HbrWY5jDGT2oQS1zDc92dz0TuD0Ys + JMI2/IEVpA9wBcqsRssmAwzSuh4dMLqfMkrm + KzWk7CRNxqC1JXJ1MgbRCRuES22HGO3O7ZXZ + HjsFANBQt+7PebgdmAtS61RvztyJE+o6LyaA + qA9qawqYDBi7Lcar/U+arrfg77kQ8BmC+ZZV + toLkus9VsM9GShmMo2/KMu+PYWHKWUuHwRas + v9hSvLh/+b7mymssp/WtmX79a3WXlHovNP2v + Sh2S4RjDq4lFsyqTAA== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db new file mode 100644 index 00000000000..6b18f5f1553 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db 
@@ -0,0 +1,71 @@ +; File written on Mon Jun 30 14:57:52 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 5 1 3600 ( + 20901231235959 20250630035752 3495 example. + gq16Xp8iCErMp/R6jdzvws3MMvWAMowfYOa5 + K3Dwo3MXUruWhsDa4XjH3CJIk4LtSRDWcVSj + /STy/R4CEvz83/2VMjQ7L73hFZZNVrMHKrLi + SfRhnUueOHiYrv8sLM2ZHy0EYM/gULmcX51j + j0XJlSf9DfkT/nh3ZwqS+lD/RA+1Gg73xVkS + tRh5AZMWAGrjyBMOC0iW9qexqINmM0nR40K7 + 5L+17OL2Ay/Fp7zliN+g9bAEfgITQlFRO32Y + sZrPRguzavP5xad4m3GOCAQoTQJpnci7id2u + DhIwkh6+7Do3zjZOQy74IvbuPVUS5nVRiEd8 + XqF3Z7hHMYWWCEdslw== ) + 3600 NS . + 3600 RRSIG NS 5 1 3600 ( + 20901231235959 20250630034615 3495 example. + FrY8Bi8StW34PADKfVn2uPDIgDzbhyinoQDw + HjklP8PFXvl2VLhroGZy5EfoGQlC+eOL7Ffb + ZlKMvSOtGHpIIdqWg6GmGBWqCYoC3EoaFVXh + A2SBxOPdcbGbwzVk6MWnrpFRsxwMqX+7vjJg + eB7XVh1tZf90N6Yfswfy/UFf5Qbaj69gE7/7 + Eu3lkNNsFr5UVLPU4K4/dzNalllZjZ++w68T + 5Y97UmIJH+aXpNndibJU9c25F1/ou5NJLQQN + LxyWXIi1CRaF88sjQwXemO8xutnh2b3ULKI0 + pelDtKThLWWYAMhgMnhr5HktL69++cMZiZ4z + 3heBavJIPY2QTYOLZw== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 5 1 3600 ( + 20901231235959 20250630035752 3495 example. 
+ N5mNbNXTSbLOya8baU6SaGao8bPquA4rO2hb + 5mkYjM+wzAJRNKSrViA5Ev7iFJolXKM+NCV3 + fpKtT+5v8mqhGZf80H1Z7inmAMX+Gz9B0YfO + yhmSTD7qnIgoxw+W/dFAeBx18XyCRDBRlGyj + 2FEqZa46AVuDaYgQoUJLfM4SkOhbsDdDfQV1 + uQinjRnhvOQEOd0wYRbqR7S8BMqppnahwyai + lH5tx8qsBVFTR7P8D5UlTfHCBM+d0VI5jXjt + 45eCwzqQBTl4ot4Tbc/nGaUvPU5ffkW8fmsk + BygQeKd97xPnzK0tt1KJaYGTiqc3UgUId929 + XniHMB6YmxkpIb2qrg== ) + 3600 DNSKEY 256 3 5 ( + AwEAAZmABvQsJBvsRu2fMlU1CtN58u7+yO5x + ioxkg8O2mH29NDFoMKtxZKlk74+hT8m0aAKV + hqEywM9S2NaWEXctv2lF6t/f8E8YJkY+cnLb + iZmxuJmScxce8u32KlX0MiKN2JQHIokDTz7m + 2AqUaLTnERyIXNUHJfHx1nzvhhz4G7TV41Pk + U1MSX3gCrgsSQ7IUzLOsyy6iQn4wFml+eXlO + qmypFvjRDhmjXAHms3nSOgDmDu6kF+9R0ccL + Lh4YAEYZlx2UoDigcEtRfMeYQwb76tC7xAkx + EEJAUo+oRkaw2in8kVjpwuXSWF5WlX+Cpie9 + o3r+4EpI/IV6z63QO9zqMEE= + ) ; ZSK; alg = RSASHA1 ; key id = 3495 + 3600 RRSIG DNSKEY 5 1 3600 ( + 20901231235959 20250630034615 3495 example. + gpKH6gf+47UNqMlTdtylpSW/yRNEyPtpj7Tu + Y939pwRPgQcPBscIwcZzezV0r4y2O5xMTKQ1 + fQZTidfCwvessYTxYJYSjE1i+pChblLmqY/j + JNjwUv0nH9rs8ZSXRSFiqPsC7tl4jBQsD1N+ + UdV3a/rEFCON1C+KirQlrdSq+/bAic0A4afZ + g746kgnLsNCu/FnVucfoOBGaAk6na9dYIt0+ + l7IKI+4dg+tHsaGdRVv2h2JXO6g1I2LtCiIB + FlKxFDCrMFV9+xduLFNnNxVsvnK7RtlAAPo5 + n4WBinbW5CpGJnc7n/0BknnecqZb63qkQgia + 50FJvVZCJ4WTZ+Hh0g== )