From: Matthijs Mekking Date: Tue, 23 Sep 2025 13:36:56 +0000 (+0200) Subject: Check disable-algorithms with non-zone names X-Git-Tag: v9.21.14~22^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81d3a29e4ef0730871bdc4954a5c4b6fd3e030b8;p=thirdparty%2Fbind9.git Check disable-algorithms with non-zone names Test that if disable-algorithms is configured on a name that is below the zonecut, it still validates (z.secure.example). Test that if disable-algorithms is configured on a name that is above the zonecut, it is treated as insecure (zonecut.ent.secure.example). --- diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2 index bfaa553369c..1a0edc14bb8 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.j2 +++ b/bin/tests/system/dnssec/ns3/named.conf.j2 @@ -99,6 +99,12 @@ zone "badalg.secure.example" { allow-update { any; }; }; +zone "zonecut.ent.secure.example" { + type primary; + file "zonecut.ent.secure.example.db.signed"; + allow-update { any; }; +}; + zone "bogus.example" { type primary; file "bogus.example.db.signed"; diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index fa8e398ff0c..104d39ff6c3 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -34,6 +34,9 @@ x CNAME a badalg NS ns3.badalg ns3.badalg A 10.53.0.3 +zonecut.ent NS ns3.zonecut.ent +ns3.zonecut.ent A 10.53.0.3 + private NS ns.private ns.private A 10.53.0.2 diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index c611b61e4fe..5512888b2f4 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -98,6 +98,18 @@ cat "$infile" "$keyname.key" >"$zonefile" "$SIGNER" -z -o "$zone" "$zonefile" >/dev/null +# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is +# disabled for ent.secure.example. +zone=zonecut.ent.secure.example. +infile=zonecut.ent.secure.example.db.in +zonefile=zonecut.ent.secure.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +cat "$infile" "$keyname.key" >"$zonefile" + +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null + # zone=secure.example. infile=secure.example.db.in diff --git a/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in b/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in new file mode 100644 index 00000000000..93cb34385c6 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 + A 10.53.0.4 +ns3 A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2 index 9a67908bde0..bc3e2fd87bd 100644 --- a/bin/tests/system/dnssec/ns4/named.conf.j2 +++ b/bin/tests/system/dnssec/ns4/named.conf.j2 @@ -50,6 +50,8 @@ options { disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; }; disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; }; disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "z.secure.example." { ECDSAP256SHA256; }; + disable-algorithms "ent.secure.example." { ECDSAP256SHA256; }; }; {% if not managed_key %} diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py index 025ec80f3bc..338f7f4e71c 100644 --- a/bin/tests/system/dnssec/tests_validation.py +++ b/bin/tests/system/dnssec/tests_validation.py @@ -1327,6 +1327,25 @@ def test_unknown_algorithms(): res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM ) + # check that zone contents are still secure despite disable-algorithms + # on query name (name below zone name). + msg = isctest.query.create("z.secure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.rr_count_eq(res.answer, 2) + isctest.check.noerror(res) + isctest.check.adflag(res) + + # check that zone contents are trated insecure (name above zone name). + msg = isctest.query.create("zonecut.ent.secure.example", "A") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.rr_count_eq(res.answer, 2) + isctest.check.noerror(res) + isctest.check.noadflag(res) + if hasattr(res, "extended_errors"): + assert ( + res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM + ) + # check that DS records are still treated as secure at the # disable-algorithm name msg = isctest.query.create("badalg.secure.example", "DS")