]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Replace DSA with Reserved algorithm
authorMatthijs Mekking <github@pletterpet.nl>
Wed, 19 Dec 2018 09:16:10 +0000 (10:16 +0100)
committerMatthijs Mekking <github@pletterpet.nl>
Wed, 19 Dec 2018 11:54:57 +0000 (12:54 +0100)
bin/tests/system/dnssec/ns3/dsa.key [deleted file]
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/ns3/unsupported-algorithm.key [new file with mode: 0644]
bin/tests/system/dnssec/tests.sh
util/copyrights

diff --git a/bin/tests/system/dnssec/ns3/dsa.key b/bin/tests/system/dnssec/ns3/dsa.key
deleted file mode 100644 (file)
index 1dfb289..0000000
+++ /dev/null
@@ -1 +0,0 @@
-dnskey-unsupported-2.example.  IN      DNSKEY  257 3 3 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
index d937f26e8d797ac36ddfa1caf156401a62beab6c..7555c9fe047026c942ea870fbcb9954f960882fe 100644 (file)
@@ -216,7 +216,7 @@ $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
 
 #
 # A zone that is signed with an unsupported DNSKEY algorithm (3).
-# Algorithm 7 is replaced by 3 in the zone and dsset.
+# Algorithm 7 is replaced by 255 in the zone and dsset.
 #
 zone=dnskey-unsupported.example.
 infile=dnskey-unsupported.example.db.in
@@ -228,13 +228,13 @@ cat "$infile" "$keyname.key" > "$zonefile"
 
 "$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
 
-awk '$4 == "DNSKEY" { $7 = 3; print } $4 == "RRSIG" { $6 = 3; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
+awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
 
 DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
 $DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
 
 #
-# A zone with a published unsupported DNSKEY algorithm (DSA).
+# A zone with a published unsupported DNSKEY algorithm (Reserved).
 # Different from above because this key is not intended for signing.
 #
 zone=dnskey-unsupported-2.example.
@@ -244,7 +244,7 @@ zonefile=dnskey-unsupported-2.example.db
 ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 
-cat "$infile" "$ksk.key" "$zsk.key" dsa.key > "$zonefile"
+cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
 
 # "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
 "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
new file mode 100644 (file)
index 0000000..cc8bb9a
--- /dev/null
@@ -0,0 +1 @@
+dnskey-unsupported-2.example.  IN      DNSKEY  257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
index cfd3ab0d336c84e84c6dad8e0c7cd386aabe6b60..9368f9b9126d349ffaaea0156676fe085fce8c65 100644 (file)
@@ -3408,7 +3408,7 @@ echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
 ret=0
 dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
 grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
-grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 3" dig.out.test$n > /dev/null || ret=1
+grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
index abbaa662a460571c672eedd5664e8d163754d1b3..58bea01cc6b7d47759e6e2c87bdedbafe203196a 100644 (file)
 ./bin/tests/system/dnssec/ns1/sign.sh          SH      2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018
 ./bin/tests/system/dnssec/ns2/rfc2335.example.db       X       2004,2018
 ./bin/tests/system/dnssec/ns2/sign.sh          SH      2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018
-./bin/tests/system/dnssec/ns3/dsa.key          X       2018
 ./bin/tests/system/dnssec/ns3/sign.sh          SH      2000,2001,2002,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
+./bin/tests/system/dnssec/ns3/unsupported-algorithm.key        X       2018
 ./bin/tests/system/dnssec/ns5/.gitignore       X       2015,2018
 ./bin/tests/system/dnssec/ns5/sign.sh          SH      2015,2016,2017,2018
 ./bin/tests/system/dnssec/ns6/named.args       X       2013,2014,2016,2018