klist = []
+ cmd = [args.dsfromkey]
+ for algo in args.algo:
+ cmd += ['-a', algo]
+ if args.lookaside:
+ cmd += ["-l", args.lookaside]
+
if args.masterfile:
- cmd = [args.dsfromkey, "-12f", args.masterfile]
- if args.lookaside:
- cmd += ["-l", args.lookaside]
- cmd.append(zone)
+ cmd += ["-f", args.masterfile, zone]
fp, _ = Popen(cmd, stdout=PIPE).communicate()
else:
intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey",
"-q", zone], stdout=PIPE).communicate()
- cmd = [args.dsfromkey, "-12f", "-"]
- if args.lookaside:
- cmd += ["-l", args.lookaside]
- cmd.append(zone)
+ cmd += ["-f", "-", zone]
fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
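Review bot: With `--algo` defaulting to `[]` (see the parse_args hunk further down), the `for algo in args.algo` loop at the top of this hunk adds no `-a` option at all, so the digest types now come from whatever dnssec-dsfromkey's built-in default happens to be instead of the SHA-1 plus SHA-256 pair the removed `-12f` forced; a parent that publishes both digests would then be reported as "missing from child", and the verdict would vary with the installed dsfromkey version. The test harness compensates by passing `-a sha1 -a sha256` explicitly, but other callers of the script will not. Because argparse `action='append'` extends (and mutates) a non-empty `default=` list, the old behaviour is better restored at the loop itself, e.g. `for algo in (args.algo or ['sha1', 'sha256']):` with a comment noting it mirrors the previous `-12`. The enclosing function starts before this hunk.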
for line in fp.splitlines():
print("No DNSKEY records found in zone apex")
return False
- found = False
- for rr in klist:
- if rr in rrlist:
- print("%s for KSK %s/%03d/%05d (%s) found in parent" %
+ match = True
+ for rr in rrlist:
+ if rr not in klist:
+ print("KSK for %s %s/%03d/%05d (%s) missing from child" %
(rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
rr.keyid, SECRR.hashalgs[rr.hashalg]))
- found = True
- else:
+ match = False
+ for rr in klist:
+ if rr not in rrlist:
print("%s for KSK %s/%03d/%05d (%s) missing from parent" %
(rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
rr.keyid, SECRR.hashalgs[rr.hashalg]))
+ match = False
+ for rr in klist:
+ if rr in rrlist:
+ print("%s for KSK %s/%03d/%05d (%s) found in parent" %
+ (rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
+ rr.keyid, SECRR.hashalgs[rr.hashalg]))
- if not found:
- print("No %s records were found for any DNSKEY" %
- ("DLV" if args.lookaside else "DS"))
+ return match
- return found
############################################################################
# parse_args:
sbindir = 'bin' if os.name == 'nt' else 'sbin'
parser.add_argument('zone', type=str, help='zone to check')
+ parser.add_argument('-a', '--algo', dest='algo', action='append',
+ default=[], type=str, help='DS digest algorithm')
parser.add_argument('-d', '--dig', dest='dig',
default=os.path.join(prefix(bindir), 'dig'),
type=str, help='path to \'dig\'')
############################################################################
def main():
args = parse_args()
- found = check(args.zone, args)
- exit(0 if found else 1)
+ match = check(args.zone, args)
+ exit(0 if match else 1)
if [ "$CYGWIN" ]; then
DIG=".\dig.bat"
WINDSFROMKEY=`cygpath -w $DSFROMKEY`
- CHECKDS="$CHECKDS -d $DIG -D $WINDSFROMKEY"
+ CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY"
else
DIG="./dig.sh"
- CHECKDS="$CHECKDS -d $DIG -D $DSFROMKEY"
+ CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY"
fi
chmod +x $DIG
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking for incorrect DS, lowronging up key via 'dig' ($n)"
+echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking for incorrect DLV, lowronging up key via 'dig' ($n)"
+echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1
grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-
echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
ret=0
-$CHECKDS missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
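Review bot: The `grep 'SHA-1.*missing'` check on the last line of this hunk (and the same three-grep pattern in the following "partially missing" cases for the file, DLV and DLV-from-file variants) cannot tell which side is missing: the new checkds output prints both `missing from parent` and `missing from child` lines containing the digest name, so a zone whose parent carries an extra SHA-1 DS would satisfy this test just as one lacking a SHA-1 DS in the parent does. Anchoring on the full phrase, `grep 'SHA-1.*missing from parent' checkds.out.$n > /dev/null 2>&1 || ret=1`, pins the case the fixture name suggests is being exercised. The `n=`/`status=` bookkeeping for this case lies outside the hunk.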
echo_i "checking for partially missing DS, obtaining key from file ($n)"
ret=0
-$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)"
ret=0
-$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
echo_i "checking for partially missing DLV, obtaining key from file ($n)"
ret=0
-$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
ret=0
$CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DS' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DS, obtaining key from file ($n)"
ret=0
$CHECKDS -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DS' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)"
ret=0
$CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DLV' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking for entirely missing DLV, obtaining key from file ($n)"
ret=0
$CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DLV' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`