From: Mark Andrews Date: Thu, 7 Aug 2025 04:37:33 +0000 (+1000) Subject: Use signer name when disabling DNSSEC algorithms X-Git-Tag: v9.21.14~22^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0945f6337fb4a27fb7104838ee51d3722e1e9a0;p=thirdparty%2Fbind9.git Use signer name when disabling DNSSEC algorithms When disabling algorithms, use the signer name to determine if the algorithm is disabled or not. This allows for algorithms to be cleanly disabled on a zone level basis. Previously, just using the records owner name, "disable-algorithms" could impact resolution of names that where not disabled. This does now mean that "disable-algorithms" can not be used to disable part of a zone anymore.
---
diff --git a/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in
new file mode 100644
index 00000000000..93cb34385c6
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ A 10.53.0.4
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 6c9e18976cf..bfaa553369c 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -93,6 +93,12 @@ zone "secure.example" { allow-update { any; }; }; +zone "badalg.secure.example" { + type primary; + file "badalg.secure.example.db.signed"; + allow-update { any; }; +}; + zone "bogus.example" { type primary; file "bogus.example.db.signed";
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index decb1eb3f03..fa8e398ff0c 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -30,7 +30,9 @@ g A 10.0.0.7 z A 10.0.0.26 a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 x CNAME a -badalg A 10.53.0.4 + +badalg NS ns3.badalg +ns3.badalg A 10.53.0.3 private NS ns.private ns.private A 10.53.0.2
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index b7ec530e3c9..c611b61e4fe 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -85,6 +85,20 @@ cp template.db.in insecure.optout.example.db cp extrakey.example.db.in extrakey.example.db # now the signed zones: + +# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is +# disabled for it. +zone=badalg.secure.example. +infile=badalg.secure.example.db.in +zonefile=badalg.secure.example.db + +keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") + +cat "$infile" "$keyname.key" >"$zonefile" + +"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null + +# zone=secure.example. infile=secure.example.db.in zonefile=secure.example.db
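Review bot: The line `"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null` in the badalg block is also what writes the `dsset-badalg.secure.example.` file that the `cat` in the `@@ -93,7 +107,7 @@` hunk of this file concatenates into secure.example, yet neither hunk records that the badalg block must run first and in the same working directory. I would extend the new header comment with `# Signing it here also writes dsset-badalg.secure.example., which the secure.example section below includes; keep this block ahead of it.` The comment says the algorithm is "disabled for it" without saying where; presumably that is the validating resolver's disable-algorithms configuration rather than anything in sign.sh, so naming the server or config file in the comment would help a reader who only sees this script.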
@@ -93,7 +107,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cn dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone") keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" +cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile" "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 95d1dbb5c49..fdd529c310b 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -1326,6 +1326,14 @@ def test_unknown_algorithms(): res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM ) + # check that DS records are still treated as secure at the + # disable-algorithm name + msg = isctest.query.create("badalg.secure.example", "DS") + res = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.rr_count_eq(res.answer, 2) + isctest.check.noerror(res) + isctest.check.adflag(res) + # check both EDE code 1 and 2 for unsupported digest on one DNSKEY # and unsupported algorithm on the other msg = isctest.query.create("a.digest-alg-unsupported.example", "A")
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 6ce9607f22f..e81146763bd 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
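Review bot: The expectation `isctest.check.rr_count_eq(res.answer, 2)` does not say what the two records are; depending on whether `isctest.query.create` sets DO (not visible here) the answer could be one DS plus its RRSIG or two DS records with different digests, and a later change to the signer's default digest set would break the assertion without explaining why. I would pin it with a comment stating the expected composition, e.g. `# answer is the DS RRset plus its covering RRSIG` — confirm which it actually is. The new comment's `disable-algorithm name` also differs from the option name `disable-algorithms` used in the commit message. The enclosing `test_unknown_algorithms` continues outside the hunk.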
@@ -1675,8 +1675,9 @@ validate_answer_process(void *arg) {
 * was known and "sufficiently good".
 */
 if (!dns_resolver_algorithm_supported(
- val->view->resolver, val->name, val->siginfo->algorithm,
- val->siginfo->signature, val->siginfo->siglen))
+ val->view->resolver, &val->siginfo->signer,
+ val->siginfo->algorithm, val->siginfo->signature,
+ val->siginfo->siglen))
 {
 if (val->unsupported_algorithm == 0) {
 val->unsupported_algorithm = val->siginfo->algorithm;
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 26a5c2c8b44..47d02947c3f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2541,8 +2541,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 if (!dns_resolver_algorithm_supported(
- client->inner.view->resolver, name, rrsig.algorithm,
- rrsig.signature, rrsig.siglen))
+ client->inner.view->resolver, &rrsig.signer,
+ rrsig.algorithm, rrsig.signature, rrsig.siglen))
 {
 char txt[DNS_NAME_FORMATSIZE + 32];
 isc_buffer_t buffer;
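Review bot: Switching the second argument from `val->name` to `&val->siginfo->signer` changes what `disable-algorithms` is matched against, but neither this call nor the parallel one in the `lib/ns/query.c` hunk (`&rrsig.signer`) gets a comment recording the new rule, and the comment block ending at `* was known and "sufficiently good".` starts outside the hunk and may still describe the owner-name behaviour. I would add above the `if`: `/* Match disable-algorithms on the RRSIG signer (the zone apex), not the owner name, so a disabled algorithm applies to the whole zone. */`. Because the signer is read from the RRSIG in the response rather than from the name being validated, the decision also relies on the validator's separate check that the signer is an acceptable zone for `val->name`; I could not see that check from within the hunk, so the comment could point to where it happens. The body of validate_answer_process continues outside the hunk.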