From: Matthijs Mekking Date: Tue, 5 Nov 2019 16:22:35 +0000 (+0100) Subject: dnssec-policy inheritance from options/view X-Git-Tag: v9.15.6~26^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f464d15a0342dafa200957acf401daa97c4da3f;p=thirdparty%2Fbind9.git dnssec-policy inheritance from options/view 'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level. This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy. The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement. Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works. Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query). --- diff --git a/bin/named/config.c b/bin/named/config.c index 6ea56d88813..aeabf490572 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -58,6 +58,7 @@ options {\n\ "\ # deallocate-on-exit ;\n\ # directory \n\ + dnssec-policy \"none\";\n\ dump-file \"named_dump.db\";\n\ edns-udp-size 4096;\n\ # fake-iquery ;\n" diff --git a/bin/named/server.c b/bin/named/server.c index c788deb19e1..ca216599fff 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6260,7 +6260,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, ((cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS && cfg_obj_asboolean(signing)) || (cfg_map_get(zoptions, "dnssec-policy", &signing) == - ISC_R_SUCCESS && signing != NULL))) + ISC_R_SUCCESS && signing != NULL && + strcmp(cfg_obj_asstring(signing), "none") != 0))) { dns_zone_getraw(zone, &raw); if (raw == NULL) { diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 0978902573c..cb0ec51fcf9 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1197,18 +1197,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, if (ztype != dns_zone_stub && ztype != dns_zone_staticstub && ztype != dns_zone_redirect) { obj = NULL; - result = cfg_map_get(zoptions, "dnssec-policy", &obj); + result = named_config_get(maps, "dnssec-policy", &obj); if (result == ISC_R_SUCCESS) { kaspname = cfg_obj_asstring(obj); - result = dns_kasplist_find(kasplist, kaspname, &kasp); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(obj, named_g_lctx, - ISC_LOG_ERROR, - "'dnssec-policy '%s' not found ", - kaspname); - RETERR(result); + if (strcmp(kaspname, "none") != 0) { + result = dns_kasplist_find(kasplist, kaspname, + &kasp); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(obj, named_g_lctx, + ISC_LOG_ERROR, + "'dnssec-policy '%s' not " + "found ", kaspname); + RETERR(result); + } + dns_zone_setkasp(zone, kasp); } - dns_zone_setkasp(zone, kasp); } obj = NULL; diff --git a/bin/tests/system/checkconf/bad-kasp1.conf b/bin/tests/system/checkconf/bad-kasp1.conf index bad8ff20900..686160f983c 100644 --- a/bin/tests/system/checkconf/bad-kasp1.conf +++ b/bin/tests/system/checkconf/bad-kasp1.conf @@ -9,12 +9,14 @@ * information regarding copyright ownership. */ -options { - dnssec-policy "notatzonelevel"; +// Using the keyword 'default' is not allowed. +dnssec-policy "default" { + signatures-refresh P5D; }; zone "example.net" { type master; file "example.db"; + dnssec-policy "default"; }; diff --git a/bin/tests/system/checkconf/bad-kasp5.conf b/bin/tests/system/checkconf/bad-kasp5.conf new file mode 100644 index 00000000000..a399079db5b --- /dev/null +++ b/bin/tests/system/checkconf/bad-kasp5.conf @@ -0,0 +1,22 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// Using the keyword 'none' is not allowed. +dnssec-policy "none" { + signatures-refresh P5D; +}; + +zone "example.net" { + type master; + file "example.db"; + dnssec-policy "none"; +}; + diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 041e6bfae80..04c1cef1999 100644 --- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf @@ -35,13 +35,25 @@ dnssec-policy "test" { options { dnssec-policy "default"; }; +options { + dnssec-policy "default"; +}; zone "example1" { type master; - dnssec-policy "test"; file "example1.db"; }; zone "example2" { type master; - dnssec-policy "default"; file "example2.db"; + dnssec-policy "test"; +}; +zone "example3" { + type master; + file "example3.db"; + dnssec-policy "default"; +}; +zone "example4" { + type master; + file "example4.db"; + dnssec-policy "none"; }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index b6136d6f3bc..37d3de6504e 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -14,6 +14,24 @@ */ /* cut here */ +dnssec-policy "test" { + dnskey-ttl 3600; + keys { + ksk key-directory lifetime P1Y algorithm 13 256; + zsk key-directory lifetime P30D algorithm 13; + csk key-directory lifetime P30D algorithm 8 2048; + }; + publish-safety PT3600S; + retire-safety PT3600S; + signatures-refresh P3D; + signatures-validity P2W; + signatures-validity-dnskey P14D; + zone-max-ttl 86400; + zone-propagation-delay PT5M; + parent-ds-ttl 7200; + parent-propagation-delay PT1H; + parent-registration-delay P1D; +}; options { avoid-v4-udp-ports { 100; @@ -60,6 +78,7 @@ options { validate-except { "corp"; }; + dnssec-policy "test"; transfer-source 0.0.0.0 dscp 63; zone-statistics none; }; @@ -140,6 +159,28 @@ view "third" { }; }; }; +view "fourth" { + zone "dnssec-test" { + type master; + file "dnssec-test.db"; + dnssec-policy "test"; + }; + zone "dnssec-default" { + type master; + file "dnssec-default.db"; + dnssec-policy "default"; + }; + zone "dnssec-inherit" { + type master; + file "dnssec-inherit.db"; + }; + zone "dnssec-none" { + type master; + file "dnssec-none.db"; + dnssec-policy "none"; + }; + dnssec-policy "default"; +}; view "chaos" chaos { zone "hostname.bind" chaos { type master; diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist index e4504fc6721..dff4d170cac 100644 --- a/bin/tests/system/checkconf/good.zonelist +++ b/bin/tests/system/checkconf/good.zonelist @@ -8,4 +8,8 @@ clone IN third in-view first dnssec IN third master p IN third primary s IN third secondary +dnssec-test IN fourth master +dnssec-default IN fourth master +dnssec-inherit IN fourth master +dnssec-none IN fourth master hostname.bind chaos chaos master diff --git a/bin/tests/system/kasp/README b/bin/tests/system/kasp/README index d543c1a7791..ceafd197721 100644 --- a/bin/tests/system/kasp/README +++ b/bin/tests/system/kasp/README @@ -9,3 +9,5 @@ ns1 is reserved for the root server. ns2 is running primary service for ns3. ns3 is an authoritative server for the various test domains. + +ns4 and ns5 are authoritative servers for various test domains related to views. diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index c9ef776eb68..803dd703cd6 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -21,5 +21,6 @@ rm -f ns*/K*.private ns*/K*.key ns*/K*.state rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind +rm -f ns*/*.mkeys # NS3 specific rm -f ns3/zones ns3/*.db.infile diff --git a/bin/tests/system/kasp/ns2/named.conf.in b/bin/tests/system/kasp/ns2/named.conf.in index 640def73b3b..cad71da5b4a 100644 --- a/bin/tests/system/kasp/ns2/named.conf.in +++ b/bin/tests/system/kasp/ns2/named.conf.in @@ -21,6 +21,7 @@ options { listen-on-v6 { none; }; allow-transfer { any; }; recursion no; + dnssec-policy "none"; }; key rndc_key { @@ -32,6 +33,21 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +/* Inherit dnssec-policy (which is none) */ + +zone "unsigned.tld" { + type master; + file "unsigned.tld.db"; +}; + +/* Override dnssec-policy */ + +zone "signed.tld" { + type master; + dnssec-policy "default"; + file "signed.tld.db"; +}; + /* Primary service for ns3 */ zone "secondary.kasp" { diff --git a/bin/tests/system/kasp/ns2/setup.sh b/bin/tests/system/kasp/ns2/setup.sh index d495e05f52d..588735d0a6a 100644 --- a/bin/tests/system/kasp/ns2/setup.sh +++ b/bin/tests/system/kasp/ns2/setup.sh @@ -14,8 +14,20 @@ echo_i "ns2/setup.sh" -echo_i "setting up zone: $zone" zone="secondary.kasp" +echo_i "setting up zone: $zone" zonefile="${zone}.db" infile="${zonefile}.in" cp $infile $zonefile + +zone="signed.tld" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +infile="template.tld.db.in" +cp $infile $zonefile + +zone="unsigned.tld" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +infile="template.tld.db.in" +cp $infile $zonefile diff --git a/bin/tests/system/kasp/ns2/template.tld.db.in b/bin/tests/system/kasp/ns2/template.tld.db.in new file mode 100644 index 00000000000..7d8b924f641 --- /dev/null +++ b/bin/tests/system/kasp/ns2/template.tld.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA secondary.kasp. hostmaster.kasp. ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index 1e11814542c..c9ae05894b5 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -11,6 +11,9 @@ // NS3 +include "policies/kasp.conf"; +include "policies/autosign.conf"; + options { query-source address 10.53.0.3; notify-source 10.53.0.3; @@ -21,6 +24,7 @@ options { listen-on-v6 { none; }; allow-transfer { any; }; recursion no; + dnssec-policy "rsasha1"; }; key rndc_key { @@ -32,9 +36,6 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -include "policies/kasp.conf"; -include "policies/autosign.conf"; - /* Zones that are getting initially signed */ /* The default case: No keys created, using default policy. */ @@ -51,6 +52,19 @@ zone "rsasha1.kasp" { dnssec-policy "rsasha1"; }; +/* A zone that inherits dnssec-policy. */ +zone "inherit.kasp" { + type master; + file "inherit.kasp.db"; +}; + +/* A zone that overrides dnssec-policy. */ +zone "unsigned.kasp" { + type master; + file "unsigned.kasp.db"; + dnssec-policy "none"; +}; + /* A master zone with dnssec-policy but keys already created. */ zone "dnssec-keygen.kasp" { type master; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 782747b4b84..5a4b44bca58 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -43,12 +43,19 @@ U="UNRETENTIVE" # Set up zones that will be initially signed. # for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \ - rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 + rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit do setup "${zn}.kasp" cp template.db.in $zonefile done +# Set up zone that stays unsigned. +zone="unsigned.kasp" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +infile="${zone}.db.infile" +cp template.db.in $zonefile + # Some of these zones already have keys. zone="dnssec-keygen.kasp" $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in new file mode 100644 index 00000000000..c8d4094f855 --- /dev/null +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -0,0 +1,117 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +key "sha1" { + algorithm "hmac-sha1"; + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +}; + +key "sha224" { + algorithm "hmac-sha224"; + secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="; +}; + +key "sha256" { + algorithm "hmac-sha256"; + secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="; +}; + +dnssec-policy "test" { + keys { + csk key-directory lifetime 0 algorithm 14; + }; +}; + +options { + query-source address 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + dnssec-policy "test"; +}; + +view "inherit" { + match-clients { key "sha1"; }; + + /* Inherit dnssec-policy 'test' */ + zone "inherit.inherit.signed" { + type master; + file "inherit.inherit.signed.db"; + }; + + /* Override dnssec-policy */ + zone "override.inherit.signed" { + type master; + dnssec-policy "default"; + file "override.inherit.signed.db"; + }; + + /* Unset dnssec-policy */ + zone "none.inherit.signed" { + type master; + dnssec-policy "none"; + file "none.inherit.signed.db"; + }; +}; + +view "override" { + match-clients { key "sha224"; }; + dnssec-policy "default"; + + /* Inherit dnssec-policy 'test' */ + zone "inherit.override.signed" { + type master; + file "inherit.override.signed.db"; + }; + + /* Override dnssec-policy */ + zone "override.override.signed" { + type master; + dnssec-policy "test"; + file "override.override.signed.db"; + }; + + /* Unset dnssec-policy */ + zone "none.override.signed" { + type master; + dnssec-policy "none"; + file "none.override.signed.db"; + }; +}; + +view "none" { + match-clients { key "sha256"; }; + dnssec-policy "none"; + + /* Inherit dnssec-policy 'none' */ + zone "inherit.none.signed" { + type master; + file "inherit.none.signed.db"; + }; + + /* Override dnssec-policy */ + zone "override.none.signed" { + type master; + dnssec-policy "test"; + file "override.none.signed.db"; + }; + + /* Unset dnssec-policy */ + zone "none.none.signed" { + type master; + dnssec-policy "none"; + file "none.none.signed.db"; + }; +}; diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh new file mode 100644 index 00000000000..ca830dd0288 --- /dev/null +++ b/bin/tests/system/kasp/ns4/setup.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns4/setup.sh" + +# +# Set up zones that potentially will be initially signed. +# +for zn in inherit.inherit override.inherit none.inherit \ + inherit.override override.override none.override \ + inherit.none override.none none.none +do + zone="$zn.signed" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + cp template.db.in $zonefile +done diff --git a/bin/tests/system/kasp/ns4/template.db.in b/bin/tests/system/kasp/ns4/template.db.in new file mode 100644 index 00000000000..59946e07ba7 --- /dev/null +++ b/bin/tests/system/kasp/ns4/template.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in new file mode 100644 index 00000000000..2c9c8f62142 --- /dev/null +++ b/bin/tests/system/kasp/ns5/named.conf.in @@ -0,0 +1,117 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS5 + +key "sha1" { + algorithm "hmac-sha1"; + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +}; + +key "sha224" { + algorithm "hmac-sha224"; + secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="; +}; + +key "sha256" { + algorithm "hmac-sha256"; + secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="; +}; + +dnssec-policy "test" { + keys { + csk key-directory lifetime 0 algorithm 14; + }; +}; + +options { + query-source address 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + dnssec-policy "none"; +}; + +view "inherit" { + match-clients { key "sha1"; }; + + /* Inherit dnssec-policy 'none' */ + zone "inherit.inherit.unsigned" { + type master; + file "inherit.inherit.unsigned.db"; + }; + + /* Override dnssec-policy */ + zone "override.inherit.unsigned" { + type master; + dnssec-policy "default"; + file "override.inherit.unsigned.db"; + }; + + /* Unset dnssec-policy */ + zone "none.inherit.unsigned" { + type master; + dnssec-policy "none"; + file "none.inherit.unsigned.db"; + }; +}; + +view "override" { + match-clients { key "sha224"; }; + dnssec-policy "default"; + + /* Inherit dnssec-policy 'default' */ + zone "inherit.override.unsigned" { + type master; + file "inherit.override.unsigned.db"; + }; + + /* Override dnssec-policy */ + zone "override.override.unsigned" { + type master; + dnssec-policy "test"; + file "override.override.unsigned.db"; + }; + + /* Unset dnssec-policy */ + zone "none.override.unsigned" { + type master; + dnssec-policy "none"; + file "none.override.unsigned.db"; + }; +}; + +view "none" { + match-clients { key "sha256"; }; + dnssec-policy "none"; + + /* Inherit dnssec-policy 'none' */ + zone "inherit.none.unsigned" { + type master; + file "inherit.none.unsigned.db"; + }; + + /* Override dnssec-policy */ + zone "override.none.unsigned" { + type master; + dnssec-policy "test"; + file "override.none.unsigned.db"; + }; + + /* Unset dnssec-policy */ + zone "none.none.unsigned" { + type master; + dnssec-policy "none"; + file "none.none.unsigned.db"; + }; +}; diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh new file mode 100644 index 00000000000..b6f274e6a77 --- /dev/null +++ b/bin/tests/system/kasp/ns5/setup.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns5/setup.sh" + +# +# Set up zones that potentially will be initially signed. +# +for zn in inherit.inherit override.inherit none.inherit \ + inherit.override override.override none.override \ + inherit.none override.none none.none +do + zone="$zn.unsigned" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + cp template.db.in $zonefile +done diff --git a/bin/tests/system/kasp/ns5/template.db.in b/bin/tests/system/kasp/ns5/template.db.in new file mode 100644 index 00000000000..2f73182e728 --- /dev/null +++ b/bin/tests/system/kasp/ns5/template.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns5 +ns5 A 10.53.0.5 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 6bdf0035a8b..0d93046ae1f 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -20,14 +20,23 @@ mkdir keys copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf -# ns2: Setup zones +# Setup zones ( cd ns2 $SHELL setup.sh ) -# ns3: Setup zones ( cd ns3 $SHELL setup.sh ) +( + cd ns4 + $SHELL setup.sh +) +( + cd ns5 + $SHELL setup.sh +) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index a79a871cc6b..5fa2178e995 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -21,6 +21,14 @@ n=0 ############################################################################### DEFAULT_TTL=300 +############################################################################### +# Query properties # +############################################################################### +TSIG="" +SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0=" +SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==" +SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=" + ############################################################################### # Key properties # ############################################################################### @@ -82,7 +90,12 @@ key_clear "KEY3" # Call dig with default options. dig_with_opts() { - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + _tsig="" + if [ -n "$TSIG" ]; then + _tsig="-y $TSIG" + fi + + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT $_tsig "$@" } # RNDC. @@ -108,7 +121,9 @@ get_keyids() { _start="${_dir}/K${_zone}.+${_algorithm}+" _end=".key" - ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/" + if [ $_algorithm -ne 0 ]; then + ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/" + fi } # By default log errors and don't quit immediately. @@ -124,15 +139,17 @@ log_error() { # $3: Policy name # $4: DNSKEY TTL # $5: Number of keys +# $6: Name server # # This will set the following environment variables for testing: -# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS +# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS, SERVER zone_properties() { DIR=$1 ZONE=$2 POLICY=$3 DNSKEY_TTL=$4 NUM_KEYS=$5 + SERVER=$6 } # Set key properties for testing keys. @@ -492,7 +509,7 @@ dnssec_verify() n=$((n+1)) echo_i "dnssec-verify zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" + dig_with_opts $ZONE @${SERVER} AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" $VERIFY -z -o $ZONE dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -505,7 +522,7 @@ dnssec_verify() # # dnssec-keygen # -zone_properties "keys" "kasp" "kasp" "200" +zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1" n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" @@ -557,7 +574,7 @@ _log=1 n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 -zone_properties "." "kasp" "default" "3600" +zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" @@ -572,7 +589,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 -zone_properties "." "kasp" "default" "3600" +zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" @@ -672,7 +689,7 @@ status=$((status+ret)) # # Check the zone with default kasp policy has loaded and is signed. -zone_properties "ns3" "default.kasp" "_default" "3600" +zone_properties "ns3" "default.kasp" "default" "3600" "1" "10.53.0.3" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" # The first key is immediately published and activated. key_timings "KEY1" "published" "active" "none" "none" "none" "none" @@ -695,7 +712,7 @@ qtype="DNSKEY" n=$((n+1)) echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 -dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" +dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${qtype}.*257.*.3.*${KEY1[$ALG_NUM]}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response" lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l) @@ -709,7 +726,7 @@ qtype="SOA" n=$((n+1)) echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 -dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" +dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${qtype}.*mname1\..*\." dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response" lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l) @@ -730,14 +747,14 @@ while [ $i -lt 5 ] do ret=0 - dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" + dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response" grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response" lines=$(get_keys_which_signed A dig.out.$DIR.test$n.a | wc -l) test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response" get_keys_which_signed A dig.out.$DIR.test$n.a | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}" - dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" + dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response" grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response" lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l) @@ -756,7 +773,7 @@ status=$((status+ret)) # # Zone: rsasha1.kasp. # -zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no" @@ -895,7 +912,7 @@ check_cds() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" if [ "${KEY1[$STATE_DS]}" == "rumoured" ] || [ "${KEY1[$STATE_DS]}" == "omnipresent" ]; then @@ -933,9 +950,33 @@ check_apex() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response" + + if [ "${KEY1[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY1[$STATE_DNSKEY]}" == "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY1[$ID]}" + check_signatures $_qtype dig.out.$DIR.test$n $KSK + numkeys=$((numkeys+1)) + elif [ "${KEY1[$EXPECT]}" == "yes" ]; then + grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY1[$ID]}" + fi + + if [ "${KEY2[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY2[$STATE_DNSKEY]}" == "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY2[$ID]}" + check_signatures $_qtype dig.out.$DIR.test$n $KSK + numkeys=$((numkeys+1)) + elif [ "${KEY2[$EXPECT]}" == "yes" ]; then + grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY2[$ID]}" + fi + + if [ "${KEY3[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY3[$STATE_DNSKEY]}" == "omnipresent" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY3[$ID]}" + check_signatures $_qtype dig.out.$DIR.test$n $KSK + numkeys=$((numkeys+1)) + elif [ "${KEY3[$EXPECT]}" == "yes" ]; then + grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY3[$ID]}" + fi + lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) check_signatures $_qtype dig.out.$DIR.test$n $KSK test "$ret" -eq 0 || echo_i "failed" @@ -946,7 +987,7 @@ check_apex() { n=$((n+1)) echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response" lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) @@ -964,7 +1005,7 @@ check_subdomain() { n=$((n+1)) echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts a.$ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed" + dig_with_opts a.$ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" dig.out.$DIR.test$n > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response" lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l) @@ -978,10 +1019,43 @@ check_apex check_subdomain dnssec_verify +# +# Zone: unsigned.kasp. +# +zone_properties "ns3" "unsigned.kasp" "none" "0" "0" "10.53.0.3" +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +check_keys +check_apex +check_subdomain + +# +# Zone: inherit.kasp. +# +zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3" +key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes" +key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no" +key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no" +# The first keys are immediately published and activated. +# Because lifetime > 0, retired timing is also set. +key_timings "KEY1" "published" "active" "retired" "none" "none" +key_timings "KEY2" "published" "active" "retired" "none" "none" +key_timings "KEY3" "published" "active" "retired" "none" "none" +# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. +# ZSK: DNSKEY, RRSIG (zsk) published. +key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden" +key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none" +key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none" +check_keys +check_apex +check_subdomain +dnssec_verify + # # Zone: dnssec-keygen.kasp. # -zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -991,7 +1065,7 @@ dnssec_verify # # Zone: some-keys.kasp. # -zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1001,7 +1075,7 @@ dnssec_verify # # Zone: legacy-keys.kasp. # -zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1013,7 +1087,7 @@ dnssec_verify # # There are more pregenerated keys than needed, hence the number of keys is # six, not three. -zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" +zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1023,7 +1097,7 @@ dnssec_verify # # Zone: secondary.kasp. # -zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" +zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" "10.53.0.3" # KSK properties, timings and states same as above. check_keys check_apex @@ -1042,12 +1116,12 @@ while [ $i -lt 5 ] do ret=0 - dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" + dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response" grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response" check_signatures $_qtype dig.out.$DIR.test$n.a $ZSK - dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" + dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed" grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response" grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response" lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l) @@ -1069,7 +1143,7 @@ status=$((status+ret)) # # Zone: rsasha1-nsec3.kasp. # -zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" +zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no" @@ -1082,7 +1156,7 @@ dnssec_verify # # Zone: rsasha256.kasp. # -zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" +zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no" @@ -1095,7 +1169,7 @@ dnssec_verify # # Zone: rsasha512.kasp. # -zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" +zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no" key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no" @@ -1108,7 +1182,7 @@ dnssec_verify # # Zone: ecdsa256.kasp. # -zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" +zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no" key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no" @@ -1121,7 +1195,7 @@ dnssec_verify # # Zone: ecdsa512.kasp. # -zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" +zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" "10.53.0.3" key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes" key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no" key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no" @@ -1136,7 +1210,7 @@ dnssec_verify # # Zone: expired-sigs.autosign. # -zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" +zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" "10.53.0.3" # Both KSK and ZSK stay OMNIPRESENT. key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1161,7 +1235,7 @@ check_rrsig_refresh() { n=$((n+1)) echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" # If this exact RRSIG is also in the zone file it is not refreshed. @@ -1181,7 +1255,7 @@ check_rrsig_refresh() { n=$((n+1)) echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" _rrsig=`cat rrsig.out.$ZONE.$_qtype` @@ -1197,7 +1271,7 @@ check_rrsig_refresh # # Zone: fresh-sigs.autosign. # -zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" +zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1213,7 +1287,7 @@ check_rrsig_reuse() { n=$((n+1)) echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" + dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" # If this exact RRSIG is also in the zone file it is not refreshed. @@ -1233,7 +1307,7 @@ check_rrsig_reuse() { n=$((n+1)) echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" ret=0 - dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed" grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response" _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < rrsig.out.$ZONE.$_qtype) @@ -1249,7 +1323,7 @@ check_rrsig_reuse # # Zone: unfresh-sigs.autosign. # -zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" +zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3" # key_properties, key_timings and key_states same as above. check_keys check_apex @@ -1260,7 +1334,7 @@ check_rrsig_refresh # # Zone: zsk-missing.autosign. # -zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" +zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" "10.53.0.3" # KSK stays OMNIPRESENT. key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1271,7 +1345,7 @@ key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" # # Zone: zsk-retired.autosign. # -zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" +zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" "10.53.0.3" # KSK properties, timings and states same as above. # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. @@ -1284,6 +1358,178 @@ key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no" "no" key_timings "KEY3" "published" "active" "retired" "none" "none" key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" +# +# Test dnssec-policy inheritance. +# + +# These zones should be unsigned: +# ns2/unsigned.tld +# ns4/none.inherit.signed +# ns4/none.override.signed +# ns4/inherit.none.signed +# ns4/none.none.signed +# ns5/inherit.inherit.unsigned +# ns5/none.inherit.unsigned +# ns5/none.override.unsigned +# ns5/inherit.none.unsigned +# ns5/none.none.unsigned +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" + +zone_properties "ns2" "unsigned.tld" "none" "0" "0" "10.53.0.2" +TSIG="" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "none.inherit.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "none.override.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "inherit.none.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +zone_properties "ns4" "none.none.signed" "none" "0" "0" "10.53.0.4" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "inherit.inherit.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "none.inherit.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "none.override.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "inherit.none.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +zone_properties "ns5" "none.none.unsigned" "none" "0" "0" "10.53.0.5" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain + +# These zones should be signed with the default policy: +# ns2/signed.tld +# ns4/override.inherit.signed +# ns4/inherit.override.signed +# ns5/override.inherit.signed +# ns5/inherit.override.signed +key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" +key_timings "KEY1" "published" "active" "none" "none" "none" "none" +key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" + +zone_properties "ns2" "signed.tld" "default" "3600" "1" "10.53.0.2" +TSIG="" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "override.inherit.signed" "default" "3600" "1" "10.53.0.4" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "inherit.override.signed" "default" "3600" "1" "10.53.0.4" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "override.inherit.unsigned" "default" "3600" "1" "10.53.0.5" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "inherit.override.unsigned" "default" "3600" "1" "10.53.0.5" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +# These zones should be signed with the test policy: +# ns4/inherit.inherit.signed +# ns4/override.override.signed +# ns4/override.none.signed +# ns5/override.override.unsigned +# ns5/override.none.unsigned +key_properties "KEY1" "csk" "0" "14" "ECDSAP384SHA384" "384" "yes" "yes" +key_timings "KEY1" "published" "active" "none" "none" "none" "none" +key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" + +zone_properties "ns4" "inherit.inherit.signed" "test" "3600" "1" "10.53.0.4" +TSIG="hmac-sha1:sha1:$SHA1" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "override.override.signed" "test" "3600" "1" "10.53.0.4" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns4" "override.none.signed" "test" "3600" "1" "10.53.0.4" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "override.override.unsigned" "test" "3600" "1" "10.53.0.5" +TSIG="hmac-sha224:sha224:$SHA224" +check_keys +check_apex +check_subdomain +dnssec_verify + +zone_properties "ns5" "override.none.unsigned" "test" "3600" "1" "10.53.0.5" +TSIG="hmac-sha256:sha256:$SHA256" +check_keys +check_apex +check_subdomain +dnssec_verify + +# Clear TSIG. +TSIG="" + # # Testing ZSK Pre-Publication rollover. # @@ -1291,7 +1537,7 @@ key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" # # Zone: step1.zsk-prepub.autosign. # -zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" +zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1337,7 +1583,7 @@ check_next_key_event 2498400 # # Zone: step2.zsk-prepub.autosign. # -zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) remains active, no change in properties/timings/states. # New ZSK (KEY3) is prepublished. @@ -1357,7 +1603,7 @@ check_next_key_event 93600 # # Zone: step3.zsk-prepub.autosign. # -zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) properties and timing metadata same as above. # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. @@ -1385,7 +1631,7 @@ check_next_key_event 867600 # # Zone: step4.zsk-prepub.autosign. # -zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) properties and timing metadata same as above. # ZSK (KEY2) DNSKEY is no longer needed. @@ -1407,7 +1653,7 @@ check_next_key_event 7200 # # Zone: step5.zsk-prepub.autosign. # -zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" +zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3" # KSK (KEY1) doesn't change. # ZSK (KEY2) properties and timing metadata same as above. # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed. @@ -1431,7 +1677,7 @@ check_next_key_event 1627200 # # Zone: step1.ksk-doubleksk.autosign. # -zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" +zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" "10.53.0.3" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1456,7 +1702,7 @@ check_next_key_event 5000400 # # Zone: step2.ksk-doubleksk.autosign. # -zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) remains active, no change in properties/timings/states. # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). @@ -1476,7 +1722,7 @@ check_next_key_event 97200 # # Zone: step3.ksk-doubleksk.autosign. # -zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) DS will be removed, so it is UNRETENTIVE. key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive" @@ -1499,7 +1745,7 @@ check_next_key_event 266400 # # Zone: step4.ksk-doubleksk.autosign. # -zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) DNSKEY can be removed. key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no" @@ -1519,7 +1765,7 @@ check_next_key_event 10800 # # Zone: step5.ksk-doubleksk.autosign. # -zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" +zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3" # ZSK (KEY2) doesn't change. # KSK (KEY1) DNSKEY is now HIDDEN. key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden" @@ -1542,7 +1788,7 @@ check_next_key_event 4813200 # # Zone: step1.csk-roll.autosign. # -zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" +zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" "10.53.0.3" # The CSK (KEY1) starts in OMNIPRESENT. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1566,7 +1812,7 @@ check_next_key_event 15973200 # Zone: step2.csk-roll.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # CSK (KEY1) remains active, no change in properties/timings/states. # New CSK (KEY2) is prepublished (and signs DNSKEY RRset). key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" @@ -1586,7 +1832,7 @@ check_next_key_event 10800 # Zone: step3.csk-roll.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" @@ -1613,7 +1859,7 @@ check_next_key_event 100800 # # Zone: step4.csk-roll.autosign. # -zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" @@ -1634,7 +1880,7 @@ check_next_key_event 7200 # # Zone: step5.csk-roll.autosign. # -zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) KRRSIG records are now all hidden. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden" @@ -1654,7 +1900,7 @@ check_next_key_event 2149200 # # Zone: step6.csk-roll.autosign. # -zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden" @@ -1674,7 +1920,7 @@ check_next_key_event 7200 # # Zone: step7.csk-roll.autosign. # -zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" @@ -1699,7 +1945,7 @@ check_next_key_event 13708800 # # Zone: step1.csk-roll2.autosign. # -zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" +zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" "10.53.0.3" # The CSK (KEY1) starts in OMNIPRESENT. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" @@ -1723,7 +1969,7 @@ check_next_key_event 15454800 # Zone: step2.csk-roll2.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # CSK (KEY1) remains active, no change in properties/timings/states. # New CSK (KEY2) is prepublished (and signs DNSKEY RRset). key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" @@ -1743,7 +1989,7 @@ check_next_key_event 10800 # Zone: step3.csk-roll2.autosign. # # Set key properties for testing keys. -zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" @@ -1771,7 +2017,7 @@ check_next_key_event 136800 # # Zone: step4.csk-roll2.autosign. # -zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # The old CSK (KEY1) ZRRSIG is now HIDDEN. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive" @@ -1795,7 +2041,7 @@ check_next_key_event 478800 # # Zone: step5.csk-roll2.autosign. # -zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" +zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden" @@ -1815,7 +2061,7 @@ check_next_key_event 7200 # # Zone: step6.csk-roll2.autosign. # -zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" +zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 73fb59bf829..402a6790534 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -842,6 +842,21 @@ check_name(const char *str) { return (dns_name_fromstring(dns_fixedname_name(&fixed), str, 0, NULL)); } +static bool +kasp_name_allowed(const cfg_listelt_t *element) +{ + const char* name = cfg_obj_asstring(cfg_tuple_get( + cfg_listelt_value(element), "name")); + + if (strcmp("none", name) == 0) { + return false; + } + if (strcmp("default", name) == 0) { + return false; + } + return true; +} + static isc_result_t check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, optlevel_t optlevel) @@ -950,14 +965,15 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } /* - * Check dnssec-policy at the view/options level + * Check dnssec-policy. */ obj = NULL; (void)cfg_map_get(options, "dnssec-policy", &obj); if (obj != NULL) { - bool bad_kasp = true; - if (optlevel == optlevel_zone && cfg_obj_isstring(obj)) { - bad_kasp = false; + bool bad_kasp = false; + bool bad_name = false; + if (optlevel != optlevel_config && !cfg_obj_isstring(obj)) { + bad_kasp = true; } else if (optlevel == optlevel_config) { if (cfg_obj_islist(obj)) { for (element = cfg_list_first(obj); @@ -967,18 +983,29 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, if (!cfg_obj_istuple( cfg_listelt_value(element))) { - break; + bad_kasp = true; + } + if (!kasp_name_allowed(element)) { + bad_name = true; } } - bad_kasp = false; } } if (bad_kasp) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-policy may only be activated at " - "the top level and referenced to at the " - "zone level"); + "dnssec-policy may only be configured at " + "the top level, please use name reference " + "at the zone level"); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } + } + + if (bad_name) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "dnssec-policy name may not be 'none' or " + "'default' (which is the built-in policy)"); if (result == ISC_R_SUCCESS) { result = ISC_R_FAILURE; } @@ -2135,6 +2162,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, if (strcmp(kaspname, "default") == 0) { has_dnssecpolicy = true; + } else if (strcmp(kaspname, "none") == 0) { + has_dnssecpolicy = false; } else { (void)cfg_map_get(config, "dnssec-policy", &kasps); for (element = cfg_list_first(kasps); element != NULL; @@ -2147,15 +2176,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, has_dnssecpolicy = true; } } - } - if (!has_dnssecpolicy) { - cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, - "zone '%s': option 'dnssec-policy %s' " - "has no matching dnssec-policy config", - znamestr, kaspname); - if (result == ISC_R_SUCCESS) { - result = ISC_R_FAILURE; + if (!has_dnssecpolicy) { + cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, + "zone '%s': option " + "'dnssec-policy %s' has no " + "matching dnssec-policy config", + znamestr, kaspname); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } } } } diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index b39eb9c44c5..75350ffa68b 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -126,6 +126,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx, cfg_obj_asstring(cfg_tuple_get(config, "name")) : "default"; + REQUIRE(strcmp(kaspname, "none") != 0); + result = dns_kasplist_find(kasplist, kaspname, &kasp); if (result == ISC_R_SUCCESS) { diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 746ee47a234..e0e5217d559 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2165,6 +2165,9 @@ zone_clauses[] = { { "dnssec-loadkeys-interval", &cfg_type_uint32, CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, + { "dnssec-policy", &cfg_type_astring, + CFG_ZONE_MASTER | CFG_ZONE_SLAVE + }, { "dnssec-secure-to-insecure", &cfg_type_boolean, CFG_ZONE_MASTER }, @@ -2335,9 +2338,6 @@ zone_only_clauses[] = { { "dlz", &cfg_type_astring, CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_REDIRECT }, - { "dnssec-policy", &cfg_type_astring, - CFG_ZONE_MASTER | CFG_ZONE_SLAVE - }, { "file", &cfg_type_qstring, CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_HINT | CFG_ZONE_REDIRECT diff --git a/util/copyrights b/util/copyrights index 3608a3a60ec..9d5aa28c465 100644 --- a/util/copyrights +++ b/util/copyrights @@ -698,6 +698,8 @@ ./bin/tests/system/kasp/clean.sh SH 2019 ./bin/tests/system/kasp/ns2/setup.sh SH 2019 ./bin/tests/system/kasp/ns3/setup.sh SH 2019 +./bin/tests/system/kasp/ns4/setup.sh SH 2019 +./bin/tests/system/kasp/ns5/setup.sh SH 2019 ./bin/tests/system/kasp/setup.sh SH 2019 ./bin/tests/system/kasp/tests.sh SH 2019 ./bin/tests/system/keepalive/clean.sh SH 2017,2018,2019