From: Mark Andrews Date: Fri, 16 May 2025 05:50:53 +0000 (+1000) Subject: Add tests using PRIVATEOID algorithms X-Git-Tag: v9.21.10~47^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d554c0c030f6941ac6bc8274f872342d4f64985;p=thirdparty%2Fbind9.git Add tests using PRIVATEOID algorithms There are 4 tests: 1) a zone using a known private OID. Validations should succeed and return AD=1. 2) a zone using an unknown private OID. Validation should succeed and return AD=0 as the DS to DNSKEY has provably unsupported algorithm. 3) a zone using a known private OID and an extra DS record. Validation should succeed as there is DS to DNSKEY with a known algorithm linkage. 4) a zone using an unknown private OID and an extra DS record. Validation should fail as only one of the DS records can be matched to a provable unknown algorithm. The algorithm of the second DS is indeterminate.
---
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index a7ec0e471c8..3f328214546 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -181,3 +181,18 @@ rsasha1-1024 NS ns.rsasha1-1024
 ns.rsasha1-1024 A 10.53.0.3
 dname-at-apex-nsec3 NS ns3
+
+rsasha256oid NS ns.rsasha256oid
+ns.rsasha256oid A 10.53.0.3
+
+rsasha512oid NS ns.rsasha512oid
+ns.rsasha512oid A 10.53.0.3
+
+unknownoid NS ns.unknownoid
+ns.unknownoid A 10.53.0.3
+
+extradsoid NS ns.extradsoid
+ns.extradsoid A 10.53.0.3
+
+extradsunknownoid NS ns.extradsunknownoid
+ns.extradsunknownoid A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 31494222654..e6ddad16a18 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -65,7 +65,8 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
 ttlpatch split-dnssec split-smart expired expiring upper lower \
 dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
 dnskey-nsec3-unknown managed-future future revkey \
- dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
+ dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
+ rsasha256oid rsasha512oid unknownoid extradsoid extradsunknownoid; do
 cp "../ns3/dsset-$subdomain.example." .
 done
diff --git a/bin/tests/system/dnssec/ns3/extradsoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
new file mode 100644
index 00000000000..f6c4fabdd31
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/extradsoid.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in b/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
new file mode 100644
index 00000000000..f6c4fabdd31
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/extradsunknownoid.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index c7f76b4638f..9bb2ad8a53e 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -429,11 +429,36 @@ zone "rsasha1-1024.example" {
 file "rsasha1-1024.example.db";
 };
+zone "rsasha256oid.example" {
+ type primary;
+ file "rsasha256oid.example.db.signed";
+};
+
+zone "rsasha512oid.example" {
+ type primary;
+ file "rsasha512oid.example.db.signed";
+};
+
+zone "unknownoid.example" {
+ type primary;
+ file "unknownoid.example.db.signed";
+};
+
 zone "target.peer-ns-spoof" {
 type primary;
 file "target.peer-ns-spoof.db.signed";
 };
+zone "extradsoid.example" {
+ type primary;
+ file "extradsoid.example.db.signed";
+};
+
+zone "extradsunknownoid.example" {
+ type primary;
+ file "extradsunknownoid.example.db.signed";
+};
+
 dnssec-policy "siginterval1" {
 keys {
 ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
diff --git a/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
new file mode 100644
index 00000000000..f6c4fabdd31
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha256oid.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
new file mode 100644
index 00000000000..f6c4fabdd31
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha512oid.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 8f52e1f5146..9ff2cdd0d3a 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -424,6 +424,110 @@ cat "$infile" "$keyname.key" >"$zonefile"
 "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
+#
+# A RSASHA256OID zone.
+#
+zone=rsasha256oid.example.
+infile=rsasha256oid.example.db.in
+zonefile=rsasha256oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA256OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
+# A RSASHA512OID zone.
+#
+zone=rsasha512oid.example.
+infile=rsasha512oid.example.db.in
+zonefile=rsasha512oid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
+# A UNKNOWNOID zone. Sign the zone using RSASHA512OID then
+# update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14
+#
+zone=unknownoid.example
+infile=unknownoid.example.db.in
+zonefile=unknownoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+
+# extract the updated DNSKEY's tag
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* unknownoid.example./\1 ${tag} unknownoid.example./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+#
+# A PRIVATEOID zone with a extra DS record for a non-existent DNSKEY.
+#
+zone=extradsoid.example.
+infile=extradsoid.example.db.in
+zonefile=extradsoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+# add a DS for a second key with the same algorithm
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+"$DSFROMKEY" -2A "$keyname.key" >>"dsset-$zone"
+
+#
+# A UNKNOWNOID with an extra DS zone. Sign the zone using RSASHA512OID
+# then update the OID in the DNSKEY and RRSIGS to the unknown OID
+# 1.2.840.113549.1.1.14. Add an additional DS which does not match
+# the DNSKEY RRset with using this unknown OID.
+#
+zone=extradsunknownoid.example
+infile=extradsunknownoid.example.db.in
+zonefile=extradsunknownoid.example.db
+
+keyname=$("$KEYGEN" -q -a RSASHA512OID "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+# Sign with known OID RSASHA512OID
+"$SIGNER" -z -o "$zone" -f "${zonefile}.stage1" "$zonefile" >/dev/null
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"${zonefile}.stage1" >"${zonefile}.stage2"
+
+"$DSFROMKEY" -2A -f "${zonefile}.stage2" "$zone" >"dsset-${zone}."
+tag=$(awk '{print $4}' "dsset-${zone}.")
+
+# Update RRSIG tags
+sed "s/\(2[0-9]* 2[0-9]*\) [1-9][0-9]* extradsunknownoid.example./\1 ${tag} extradsunknownoid.example./" <"${zonefile}.stage2" >"${zonefile}.signed"
+
+# add a DS for a second key with the same algorithm
+keyname=$("$KEYGEN" -L 300 -q -a RSASHA512OID "$zone")
+
+# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14 and
+# add the resulting DS to the dsset.
+sed 's/CwYJKoZIhvcN/CwYJKoZIhvcO/' <"$keyname.key" | "$DSFROMKEY" -2A -f - "$zone" >>"dsset-${zone}."
+
 #
 # A zone with the DNSKEY set only signed by the KSK
 #
diff --git a/bin/tests/system/dnssec/ns3/unknownoid.example.db.in b/bin/tests/system/dnssec/ns3/unknownoid.example.db.in
new file mode 100644
index 00000000000..f6c4fabdd31
--- /dev/null
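Review bot: The comment `# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113549.1.1.14` (three occurrences in this hunk, echoed in the UNKNOWNOID header comments and the commit description) does not describe what the sed pattern does. `CwYJKoZIhvcN` decodes to the nine bytes `0b 06 09 2a 86 48 86 f7 0d`, i.e. the length octet plus the DER prefix `1.2.840.113549`, so changing the final `N` to `O` turns `0x0d` into `0x0e` in the last byte of the 113549 arc and yields `1.2.840.113550.1.1.13`; the `.1.1.13` suffix is in the following base64 group (`AQEN`) and is untouched. The tests only need the result to be an OID named does not recognise, which holds either way, but the comment should state the OID actually produced, e.g. `# Change OID from 1.2.840.113549.1.1.13 to 1.2.840.113550.1.1.13 (not a known PRIVATEOID algorithm)`, or the pattern should be changed to target the last arc as the comment intends. Whichever is chosen, the dsset written from `${zonefile}.stage2` and the second DS appended at the end of the hunk rely on the same substitution, so all three occurrences must stay in sync.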
+++ b/bin/tests/system/dnssec/ns3/unknownoid.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 3d248469521..65f0a1d61ff 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -960,6 +960,66 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
+echo_i "checking positive validation with private algorithm works ($n)"
+ret=0
+dig_with_opts +noauth a.rsasha256oid.example. \
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.rsasha256oid.example. \
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+if [ -x "${DELV}" ]; then
+ ret=0
+ echo_i "checking positive validation NSEC3 using dns_client ($n)"
+ delv_with_opts @10.53.0.4 a a.nsec3.example >delv.out$n || ret=1
+ grep "a.nsec3.example..*10.0.0.1" delv.out$n >/dev/null || ret=1
+ grep "a.nsec3.example..*RRSIG.A [0-9][0-9]* 3 300.*" delv.out$n >/dev/null || ret=1
+ n=$((n + 1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+fi
+
+echo_i "checking positive validation with unknown private algorithm works ($n)"
+ret=0
+dig_with_opts +noauth a.unknownoid.example. \
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.unknownoid.example. \
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking positive validation with extra ds for private algorithm ($n)"
+ret=0
+dig_with_opts +noauth a.extradsoid.example. \
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extradsoid.example. \
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking positive validation with extra ds for unknown private algorithm fails ($n)"
+ret=0
+dig_with_opts +noauth a.extradsunknownoid.example. \
+ @10.53.0.3 a >dig.out.ns3.test$n || ret=1
+dig_with_opts +noauth a.extradsunknownoid.example. \
+ @10.53.0.4 a >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep 'No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID algorithm, tag [1-9][0-9]*$' ns4/named.run >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # Check the bogus domain
 echo_i "checking failed validation ($n)"
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index ac952824525..0599c8eb690 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -84,6 +84,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/auto-nsec3.example.db",
 "ns3/badds.example.db",
 "ns3/bogus.example.db",
+ "ns3/digest-alg-unsupported.example.db",
 "ns3/disabled.managed.db",
 "ns3/disabled.trusted.db",
 "ns3/dname-at-apex-nsec3.example.db",
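Review bot: The `if [ -x "${DELV}" ]` block added between the rsasha256oid and unknownoid checks queries `a.nsec3.example`, which is not one of the PRIVATEOID zones this commit introduces, and its log line `checking positive validation NSEC3 using dns_client` reads like a copy of an existing NSEC3 check that was not retargeted. If the intent is to exercise the private-algorithm path through delv as well as dig, the name should be one of the new zones, e.g. `delv_with_opts @10.53.0.4 a a.rsasha256oid.example >delv.out$n || ret=1` with both grep patterns changed to `a.rsasha256oid.example.`; if it is an accidental duplicate it should be dropped so the test count does not drift. Also worth noting for the unknownoid check: it relies on `grep ... && ret=1` to assert that AD is absent, and `digcomp` to confirm the answer itself; a `grep "status: NOERROR" dig.out.ns4.test$n` would make the "validation succeeds with AD=0" intent from the commit message explicit rather than implied.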
@@ -94,13 +95,17 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/dnskey-unsupported-2.example.db",
 "ns3/dnskey-unsupported.example.db",
 "ns3/dnskey-unsupported.example.db.tmp",
+ "ns3/ds-unsupported.example.db",
 "ns3/dynamic.example.db",
- "ns3/digest-alg-unsupported.example.db",
 "ns3/enabled.managed.db",
 "ns3/enabled.trusted.db",
 "ns3/example.bk",
 "ns3/expired.example.db",
 "ns3/expiring.example.db",
+ "ns3/extradsoid.example.db",
+ "ns3/extradsunknownoid.example.db",
+ "ns3/extradsunknownoid.example.db.stage1",
+ "ns3/extradsunknownoid.example.db.stage2",
 "ns3/future.example.db",
 "ns3/keyless.example.db",
 "ns3/kskonly.example.db",
@@ -123,7 +128,9 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/revoked.trusted.db",
 "ns3/rfc2335.example.bk",
 "ns3/rsasha256.example.db",
+ "ns3/rsasha256oid.example.db",
 "ns3/rsasha512.example.db",
+ "ns3/rsasha512oid.example.db",
 "ns3/secure.below-cname.example.db",
 "ns3/secure.example.db",
 "ns3/secure.managed.db",
@@ -138,6 +145,9 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/trusted-future.key",
 "ns3/ttlpatch.example.db",
 "ns3/ttlpatch.example.db.patched",
+ "ns3/unknownoid.example.db",
+ "ns3/unknownoid.example.db.stage1",
+ "ns3/unknownoid.example.db.stage2",
 "ns3/unsupported.managed.db",
 "ns3/unsupported.managed.db.tmp",
 "ns3/unsupported.trusted.db",
@@ -146,7 +156,6 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/update-nsec3.example.db.signed",
 "ns3/upper.example.db",
 "ns3/upper.example.db.lower",
- "ns3/ds-unsupported.example.db",
 "ns4/broken.conf",
 "ns4/managed.conf",
 "ns4/managed-keys.bind",