From: Mark Andrews
Date: Mon, 30 Jun 2025 05:26:10 +0000 (+1000)
Subject: Check that named-checkzone reports deprecated digests
X-Git-Tag: v9.21.11~46^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95a82d08938fe3102757f5182bc017eb6a7eb68d;p=thirdparty%2Fbind9.git

Check that named-checkzone reports deprecated digests
---
diff --git a/.reuse/dep5 b/.reuse/dep5
index 07b87f2d30e..21f639cc38f 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -32,6 +32,12 @@ Files: **/*.after*
  bin/tests/system/checkzone/zones/bad-caa-rr.db
  bin/tests/system/checkzone/zones/bad1.db
  bin/tests/system/checkzone/zones/crashzone.db
+ bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db
+ bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db
+ bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db
+ bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db
+ bin/tests/system/checkzone/zones/warn.deprecated.nsec3rsasha1.db
+ bin/tests/system/checkzone/zones/warn.deprecated.rsasha1.db
  bin/tests/system/dnstap/large-answer.fstrm
  bin/tests/system/doth/CA/CA.cfg
  bin/tests/system/doth/CA/README
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 861a660c6d7..de4dd931d23 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -280,5 +280,41 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "Checking for SHA1 CDS digest warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.cds-sha1.db >test.out.$n || ret=1
+grep "zone example/IN: deprecated CDS digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for SHA1 DS digest warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.digest-sha1.db >test.out.$n || ret=1
+grep "zone example/IN: child.example/DS deprecated digest type 1 (SHA-1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for RSASHA1 DS algorithm warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.ds-alg.db >test.out.$n || ret=1
+grep "zone example/IN: child.example/DS deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "Checking for RSASHA1 KEY algorithm warning ($n)"
+ret=0
+$CHECKZONE example zones/warn.deprecated.key-alg.db >test.out.$n || ret=1
+grep "zone example/IN: example/KEY deprecated algorithm 5 (RSASHA1)" test.out.$n >/dev/null || ret=1
+grep "loaded serial 0 (DNSSEC signed)" test.out.$n >/dev/null || ret=1
+n=$((n + 1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db
new file mode 100644
index 00000000000..13da8308e19
--- /dev/null
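Review bot: Each of the four new checks only asserts that the expected warning line appears at least once, so a checker that started flagging every DS/CDS/KEY record, or the fixtures' ECDSAP256SHA256 DNSKEY as well, would still pass all four tests. Since each fixture carries exactly one deprecated record (a CDS with digest type 1, a DS with digest type 1, a DS with algorithm 5, a KEY with algorithm 5), the count can be pinned by adding `[ "$(grep -c deprecated test.out.$n)" -eq 1 ] || ret=1` after the first grep in each block, provided nothing else in named-checkzone's output uses that word. A fixture carrying only algorithm 13 and SHA-256 digests, asserted to produce no "deprecated" line at all, would close the same gap from the other side if the suite does not already have one. The .reuse/dep5 hunk also registers warn.deprecated.nsec3rsasha1.db and warn.deprecated.rsasha1.db, but no test exercises them in this hunk; presumably they are covered elsewhere, but that is worth confirming.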
+++ b/bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db @@ -0,0 +1,44 @@ +; File written on Wed Jul 2 14:27:34 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC example. NS SOA RRSIG NSEC DNSKEY CDS + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250702032734 46204 example. + aPkaoO9OMYZwldpUPJeqFZoGCc8XQcmQHig2 + zJmp2Qv2QGRH1faoWosYy5jwQskxtpoyE0Eh + yxEoUhHZNCKogQ== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) + 3600 CDS 46204 13 1 ( + 712DD9926EDF2A5E81E76D3BC5F5637BEA06 + 2E67 ) + 3600 RRSIG CDS 13 1 3600 ( + 20901231235959 20250702032734 46204 example. + nS9qKdj0dfWNe6U0ttuKSMiKMhxLq4Yo6WPT + 9j/cmjbaOdKO1DBoDxzZ7G4M34msvBcKq31L + mn8qUlrzSOfD9A== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db b/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db new file mode 100644 index 00000000000..da817b54f3b --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db 
@@ -0,0 +1,51 @@ +; File written on Mon Jun 30 15:20:51 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB + KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2 + YRVJGECc6/rdcg== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) +child.example. 3600 IN NS . + 3600 DS 30914 13 1 ( + 3FFB809FC091FDC931815B50E5DA9C00B5C1 + 454F ) + 3600 RRSIG DS 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + 5Y/jx0eePoUztptSLwE9DeY2GlVNVHSr3lF4 + R8IajnK7zXs2QtoRIdmKwWZ1um1JICh59Xk7 + R/BXFAbO6FMaPA== ) + 3600 NSEC example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + A662/raRKle9b45C5douUufAne7iRtKw0u7C + gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT + 7+Wv86G8MGt+3Q== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db b/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db new file mode 100644 index 00000000000..9c5fb8db074 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db 
@@ -0,0 +1,51 @@ +; File written on Wed Jul 2 12:22:09 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 NSEC child.example. NS SOA RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + jgKjQOGLqw7JY1qsyjWZGxL/47mc9dMeZ7yB + KtrRfFCsT7mCe/lMV3u7FOwM2r9/ta8U9/j2 + YRVJGECc6/rdcg== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== ) +child.example. 3600 IN NS . + 3600 DS 58246 5 2 ( + 641AFA5ACB8099E4E571585B7B9A416078FF + 79D40D1C2E85F9179E28BF08D61D ) + 3600 RRSIG DS 13 2 3600 ( + 20901231235959 20250702012209 46204 example. + g17c5sfC0OAucFLA0n9C5EfPActxuPMpHN6G + spGmkkDUaU5UosWkdcapd20Yb29NaEKvJO3Q + Qn6K53MKtWt7zQ== ) + 3600 NSEC example. NS DS RRSIG NSEC + 3600 RRSIG NSEC 13 2 3600 ( + 20901231235959 20250630042051 46204 example. + A662/raRKle9b45C5douUufAne7iRtKw0u7C + gcnf3tSrJS+plT3e/jHOE5ZRttkloHSDVhYT + 7+Wv86G8MGt+3Q== ) diff --git a/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db b/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db new file mode 100644 index 00000000000..3dfa76eacf4 --- /dev/null +++ b/bin/tests/system/checkzone/zones/warn.deprecated.key-alg.db 
@@ -0,0 +1,53 @@ +; File written on Wed Jul 2 16:48:02 2025 +; dnssec-signzone version 9.21.3-dev +example. 3600 IN SOA . . ( + 0 ; serial + 0 ; refresh (0 seconds) + 0 ; retry (0 seconds) + 0 ; expire (0 seconds) + 3600 ; minimum (1 hour) + ) + 3600 RRSIG SOA 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + iC+sFesZi+uurPGRfP7faPfmQcHlQcz4oGKP + 4Fqq6/ePy9s+FYpL6LILjnB9iPxc0w3BBvsd + PArExFsuaKcWgQ== ) + 3600 NS . + 3600 RRSIG NS 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + q2qPtVYQsku7j5xqLyIleldPLnhJjvbjMkcb + XtnV2djkM1swGkZp67u4l7GHr9/b9lcM848w + t+AfDiT2Mak9Lg== ) + 3600 KEY 512 3 5 ( + AwEAAZwLHbB7cjvlEt0evebAMsJtuNYXgiyt + qe3lu0RO/ChFdddyHv+O9M1zLrCnWMBSLHad + YHSXfG3BMyMAnBh7om+1pgrHCShlmMaxZ5cC + sug5buS3E8eVRVAf7Qje63owxm2iF3G9kKWY + FgfE+Ml5Uv7etHkmxqAmFb3jYuXzYWfMz1qY + rICsJnw7qcKzNphl71tDvJUYD5pDA7izhzs3 + 8tdDH8qMQgK/yNU3Q/RAOg2VRvYuwYOteCAx + 6RB/z+rtNTKNbphrPrzSsekOurLo1B+AvDct + o/orbilbQ8qdq0cknKlqdMKuYcqQ1BbBMrdV + w1fBTLDwiFwiRBjYazPqPiE= + ); alg = RSASHA1 ; key id = 13684 + 3600 RRSIG KEY 13 1 3600 ( + 20901231235959 20250702054802 46204 example. + GvfNtx1F8crebI/QrPb2meHplhSpAsIDqJ48 + iMg6aT22mGBagR698GS+9ehg0ExMumfIDPSO + k/1wtwRKYqrKow== ) + 3600 NSEC example. NS SOA KEY RRSIG NSEC DNSKEY + 3600 RRSIG NSEC 13 1 3600 ( + 20901231235959 20250702054802 46204 example. + Nah5tUuwQiiDKWpdgtqPp7LppMOoDUJkyTZB + pAzmbT8UA7kNJN2K5kfkLJgPqWAt4h2P0Ys1 + 9lkLcXqYUH0x5g== ) + 3600 DNSKEY 256 3 13 ( + Il3F88buwuAwswJl70b4xh8werV/2a2cDo6x + joU5+1H2dRXE/XRt4CEipBdt8Ss4fr8s6jBE + 5CT4INCzzeTuZQ== + ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 46204 + 3600 RRSIG DNSKEY 13 1 3600 ( + 20901231235959 20250630042051 46204 example. + KQWGucJalgX/cANLv0/g0LNweGdeE7gs8rrx + 9yOiZqciu7wCfyRgk5ED1pNXOXsTqtIA0OGa + OmTOsXrBWly7ng== )