From 3d2692d6bc6d0c31183aabea7861c72e6ef5c06a Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 10 Feb 2021 15:30:23 +0100
Subject: [PATCH] zonemd, review comments, add comments to unit test, scope verbose output.
---
 services/authzone.c | 9 ++++++---
 testcode/unitzonemd.c | 10 +++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/services/authzone.c b/services/authzone.c
index 6ddf524f8..0495958d3 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -1879,7 +1879,6 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 size_t i;
 struct regional* region = NULL;
 struct sldns_buffer* buf = NULL;
- char zstr[255+1];
 uint32_t soa_serial = 0;
 region = env->scratch;
 regional_free_all(region);
@@ -1930,6 +1929,7 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 hash, hashlen, region, buf, reason)) {
 /* success */
 if(verbosity >= VERB_ALGO) {
+ char zstr[255+1];
 dname_str(z->name, zstr);
 verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr);
 }
@@ -1940,8 +1940,11 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
 /* fail, we may have reason */
 if(!*reason)
 *reason = "no ZONEMD records found";
- dname_str(z->name, zstr);
- verbose(VERB_ALGO, "auth-zone %s ZONEMD failed: %s", zstr, *reason);
+ if(verbosity >= VERB_ALGO) {
+ char zstr[255+1];
+ dname_str(z->name, zstr);
+ verbose(VERB_ALGO, "auth-zone %s ZONEMD failed: %s", zstr, *reason);
+ }
 return 0;
 }
diff --git a/testcode/unitzonemd.c b/testcode/unitzonemd.c
index 544d032f2..a8949a8c4 100644
--- a/testcode/unitzonemd.c
+++ b/testcode/unitzonemd.c
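Review bot: The two new `char zstr[255+1];` declarations (in the hunk at line 1929 and again in the hunk at line 1940) hard-code the output bound that dname_str() relies on, so the buffer size and the helper's limit can silently drift apart; the earlier single declaration at least kept that number in one place. I would write both as `char zstr[LDNS_MAX_DOMAINLEN+1];`, assuming that constant from sldns/rrdef.h is in scope here as it is elsewhere in unbound, and otherwise introduce a named constant for the dname_str() buffer size rather than repeating the literal. A short comment on the first declaration, such as `/* sized for dname_str(): one byte past the maximum wire-format name */`, would also document why the bound is what it is. The signature of auth_zone_zonemd_check_hash and most of its body lie outside these hunks, so I cannot tell whether other callers of dname_str() in the function use the same literal.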
@@ -332,17 +332,19 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
 static void zonemd_verify_tests(void)
 {
 unit_show_func("services/authzone.c", "auth_zone_verify_zonemd");
+ /* give trustanchor for unsigned zone, should fail */
 zonemd_verify_test("example.org",
 "testdata/zonemd.example1.zone",
 "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
 "20180302005009",
 "verify DNSKEY RRset with trust anchor failed: have trust anchor, but zone has no DNSKEY");
+ /* unsigned zone without ZONEMD in it */
 zonemd_verify_test("example.org",
 "testdata/zonemd.example1.zone",
 NULL,
 "20180302005009",
 "no ZONEMD present");
- /* no trust anchor, so it succeeds */
+ /* no trust anchor, so it succeeds for zone with a correct ZONEMD */
 zonemd_verify_test("example.com",
 "testdata/zonemd.example2.zone",
 NULL,
@@ -356,18 +358,24 @@ static void zonemd_verify_tests(void)
 "ZONEMD verification successful");
 /* load a DNSSEC signed zone, but no trust anchor */
+ /* this zonefile has an incorrect ZONEMD digest, with correct
+ * DNSSEC signature. */
 zonemd_verify_test("example.com",
 "testdata/zonemd.example3.zone",
 NULL,
 "20180302005009",
 "incorrect digest");
 /* load a DNSSEC zone with NSEC3, but no trust anchor */
+ /* this zonefile has an incorrect ZONEMD digest, with correct
+ * DNSSEC signature. */
 zonemd_verify_test("example.com",
 "testdata/zonemd.example4.zone",
 NULL,
 "20180302005009",
 "incorrect digest");
 /* valid zonemd, in dnssec signed zone, no trust anchor*/
+ /* this zonefile has a correct ZONEMD digest and
+ * correct DNSSEC signature */
 zonemd_verify_test("example.com",
 "testdata/zonemd.example5.zone",
 NULL,
-- 
2.47.2