Use signer name when disabling DNSSEC algorithms
authorMark Andrews <marka@isc.org>
Thu, 7 Aug 2025 04:37:33 +0000 (14:37 +1000)
committerMark Andrews <marka@isc.org>
Mon, 29 Sep 2025 01:16:24 +0000 (11:16 +1000)
When disabling algorithms, use the signer name to determine if the
algorithm is disabled or not.  This allows for algorithms to be
cleanly disabled on a zone level basis.  Previously, just using the
records owner name, "disable-algorithms" could impact resolution of
names that were not disabled.  This does now mean that
"disable-algorithms" can not be used to disable part of a zone anymore.

(cherry picked from commit a0945f6337fb4a27fb7104838ee51d3722e1e9a0)

bin/tests/system/dnssec/ns3/badalg.secure.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/named.conf.in
bin/tests/system/dnssec/ns3/secure.example.db.in
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests_sh_dnssec.py
lib/dns/validator.c
lib/ns/query.c

diff --git a/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in b/bin/tests/system/dnssec/ns3/badalg.secure.example.db.in
new file mode 100644 (file)
index 0000000..93cb343
--- /dev/null
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns3
+                       A       10.53.0.4
+ns3                    A       10.53.0.3
index 293ff2dda8f1d014632e2ae21a732dd804d88d7d..3b66a9d69614f6d9ff6abe085f7f95830cb21863 100644 (file)
@@ -91,6 +91,12 @@ zone "secure.example" {
        allow-update { any; };
 };
 
+zone "badalg.secure.example" {
+       type primary;
+       file "badalg.secure.example.db.signed";
+       allow-update { any; };
+};
+
 zone "bogus.example" {
        type primary;
        file "bogus.example.db.signed";
index 9aebd98007889154775b79305ba4ba9cf7abb78f..43ad1e557e88f865afa82afa2254b23db6dd6e94 100644 (file)
@@ -30,7 +30,9 @@ g                     A       10.0.0.7
 z                      A       10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e  A       10.0.0.27
 x                      CNAME   a
-badalg                 A       10.53.0.4
+
+badalg                 NS      ns3.badalg
+ns3.badalg             A       10.53.0.3
 
 private                        NS      ns.private
 ns.private             A       10.53.0.2
index f61ea2838145bb0752cc7a422751cc96dc127ea8..3669cd3f7b30ba92a8b432f50541a337baaa424c 100644 (file)
@@ -77,6 +77,19 @@ done
 
 echo_i "ns3/sign.sh: example zones"
 
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for it.
+zone=badalg.secure.example.
+infile=badalg.secure.example.db.in
+zonefile=badalg.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
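Review bot: The bare `#` on the line just before `zone=secure.example.` is an empty comment left over from editing and should either describe the block that follows (`# The parent zone, carrying the DS for badalg.secure.example.`) or be dropped. The `cat` of `dsset-badalg.secure.example.` in the next hunk relies on the `"$SIGNER" -z -o "$zone"` run here having written that file first, an ordering the script states nowhere; a comment on that signer line such as `# writes dsset-badalg.secure.example., consumed when signing secure.example below` would make the dependency visible. As with the sibling zones in this file, the signer's exit status is not checked, so a failure here surfaces only later as a missing dsset file.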
@@ -85,7 +98,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
+cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
 cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
index cf7ce13d3ad3b785bc767cf39257fa8fed9a0944..3702cf7eb400511658e44df245a036035688f772 100644 (file)
@@ -3757,6 +3757,16 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_i "check that DS records are still treated as secure at the disable-algorithm name ($n)"
+ret=0
+dig_with_opts @10.53.0.4 badalg.secure.example DS >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking EDE code 1 for bad alg mnemonic ($n)"
 ret=0
 dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1
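Review bot: `grep "ANSWER: 2,"` pins the new test to the exact number of DS records in the dsset, which presumably depends on the digest types dnssec-signzone emits by default rather than on anything this test is about; matching the record type instead, `grep "IN.DS" dig.out.ns4.test$n >/dev/null || ret=1`, expresses the intent (a DS RRset is returned) without that coupling. The `ad` flag check is the assertion that matters here, since it confirms the DS at the delegation is still validated under the parent's signer even though the child zone's algorithm is disabled.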
index d3350561d971fe1accaabb5cc44f4482bbe0aa5c..52730aec0bd2e4014fcfb96928d637c381cdbb2f 100644 (file)
@@ -79,6 +79,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/NSEC3",
         "ns3/auto-nsec.example.db",
         "ns3/auto-nsec3.example.db",
+        "ns3/badalg.secure.example.db",
         "ns3/badds.example.db",
         "ns3/bogus.example.db",
         "ns3/disabled.managed.db",
index 1f7c7154e8383d9bc65134d98296afb70971d952..bcbe026f916c0f093a62d2060baff607747bd717 100644 (file)
@@ -1679,7 +1679,8 @@ validate_answer_process(void *arg) {
         * At this point we could check that the signature algorithm
         * was known and "sufficiently good".
         */
-       if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
+       if (!dns_resolver_algorithm_supported(val->view->resolver,
+                                             &val->siginfo->signer,
                                              val->siginfo->algorithm))
        {
                if (val->unsupported_algorithm == 0) {
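Review bot: The name now passed to dns_resolver_algorithm_supported() is `&val->siginfo->signer`, which is taken from the RRSIG in the response before that signature has been verified, so the disable decision is keyed on a name the responder supplied rather than on the queried name; this is sound only insofar as the validator separately requires the signer to be an ancestor of val->name and to chain to a trust anchor, and that reasoning deserves a comment, e.g. `/* Key the disable-algorithms check on the RRSIG signer (the zone), not the owner; a forged signer still has to verify against that zone's keys. */`. The same change is made in lib/ns/query.c. The commit message says disable-algorithms can no longer disable part of a zone, yet no documentation file appears in the diffstat; the option's description should be updated to state that the match is against the signer name. validate_answer_process() begins and ends outside this hunk.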
index 54c541d55defd549a615a73d2ef513a0a8bdf943..1710cabb6f1c6d69f1ddf9224c971dd0674bf36f 100644 (file)
@@ -2504,7 +2504,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
                result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                if (!dns_resolver_algorithm_supported(client->view->resolver,
-                                                     name, rrsig.algorithm))
+                                                     &rrsig.signer,
+                                                     rrsig.algorithm))
                {
                        char txt[DNS_NAME_FORMATSIZE + 32];
                        isc_buffer_t buffer;
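Review bot: The diagnostic built into `txt` just below (the function continues past the hunk) appears to format the queried `name`, which is no longer the name the disabled-algorithm decision was made on; if so, the message should report `rrsig.signer` as well, so an operator reading the log can tell which zone's disable-algorithms entry applied. Otherwise this mirrors the change in lib/dns/validator.c and raises the same question about documenting why keying on the RRSIG signer is safe.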