fprintf(stderr, " -l <file>: configuration file with dnssec-policy "
"statement\n");
fprintf(stderr, " -a <algorithm>:\n");
- fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
+ fprintf(stderr,
+ " RSASHA1 (deprecated) | NSEC3RSASHA1 (deprecated) |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
- fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA);
- fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA1 (deprecated) :\t[1024..%d]\n",
+ MAX_RSA);
+ fprintf(stderr, " NSEC3RSASHA1 (deprecated) :\t[1024..%d]\n",
+ MAX_RSA);
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
}
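Review bot: The new labels at L14 and L16 put a space before the colon (`RSASHA1 (deprecated) :`) while the untouched lines L18-L19 have none (`RSASHA256:`), and the longer label presumably pushes the `\t` to a later tab stop, so the key-size column will no longer line up with the RSASHA256/RSASHA512 rows in the printed usage. Writing `" RSASHA1 (deprecated):\t[1024..%d]\n"` and `" NSEC3RSASHA1 (deprecated):\t[1024..%d]\n"` at least removes the stray space; if the alignment matters, a second tab on the short rows would restore it. The enclosing usage function starts before this hunk.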
switch (ctx->alg) {
- case DNS_KEYALG_RSASHA1:
- case DNS_KEYALG_NSEC3RSASHA1:
- case DNS_KEYALG_RSASHA256:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ dns_secalg_format(ctx->alg, algstr, sizeof(algstr));
+ fprintf(stderr,
+ "WARNING: DNSKEY algorithm '%s' is deprecated. Please "
+ "migrate to another algorithm\n",
+ algstr);
+ break;
+ default:
+ break;
+ }
+
+ switch (ctx->alg) {
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ case DST_ALG_RSASHA256:
if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA))
{
fatal("RSA key size %d out of range", ctx->size);
}
break;
- case DNS_KEYALG_RSASHA512:
+ case DST_ALG_RSASHA512:
if (ctx->size != 0 && (ctx->size < 1024 || ctx->size > MAX_RSA))
{
fatal("RSA key size %d out of range", ctx->size);
}
break;
- case DNS_KEYALG_DH:
+ case DST_ALG_DH:
if (ctx->size != 0 && (ctx->size < 128 || ctx->size > 4096)) {
fatal("DH key size %d out of range", ctx->size);
}
dns_rdata_mx_t mx;
dns_rdata_ns_t ns;
dns_rdata_in_srv_t srv;
- dns_rdata_t rdata;
dns_name_t *name;
dns_name_t *bottom;
isc_result_t result;
bool ok = true, have_spf, have_txt;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ bool logged_algorithm[DST_MAX_ALGS];
+ bool logged_digest_type[DNS_DSDIGEST_MAX + 1];
name = dns_fixedname_initname(&fixed);
bottom = dns_fixedname_initname(&fixedbottom);
dns_rdataset_init(&rdataset);
- dns_rdata_init(&rdata);
result = dns_db_createiterator(db, 0, &dbiterator);
if (result != ISC_R_SUCCESS) {
dns_dbiterator_pause(dbiterator);
+ /*
+ * Check for deprecated KEY algorithms
+ */
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_key,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ goto checkforns;
+ }
+
+ memset(logged_algorithm, 0, sizeof(logged_algorithm));
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_key_t key;
+ dns_rdataset_current(&rdataset, &rdata);
+
+ result = dns_rdata_tostruct(&rdata, &key, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /*
+ * If we ever deprecate a private algorithm use
+ * dst_algorithm_fromdata() here.
+ */
+ switch (key.algorithm) {
+ case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ if (!logged_algorithm[key.algorithm]) {
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ dns_secalg_format(key.algorithm, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "%s/KEY deprecated "
+ "algorithm %u (%s)",
+ namebuf, key.algorithm,
+ algbuf);
+ logged_algorithm[key.algorithm] = true;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ checkforns:
/*
* Don't check the NS records at the origin.
*/
if (result != ISC_R_SUCCESS) {
goto checkfordname;
}
+
/*
* Remember bottom of zone due to NS.
*/
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &ns, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = dns_rdataset_next(&rdataset);
}
dns_rdataset_disassociate(&rdataset);
+
+ /*
+ * Check for deprecated DS digest types.
+ */
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ goto next;
+ }
+
+ memset(logged_algorithm, 0, sizeof(logged_algorithm));
+ memset(logged_digest_type, 0, sizeof(logged_digest_type));
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &rdata);
+ dns_rdata_ds_t ds;
+
+ result = dns_rdata_tostruct(&rdata, &ds, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ switch (ds.digest_type) {
+ case DNS_DSDIGEST_SHA1:
+ if (!logged_digest_type[ds.digest_type]) {
+ char algbuf[DNS_DSDIGEST_FORMATSIZE];
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ dns_dsdigest_format(ds.digest_type,
+ algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "%s/DS deprecated digest "
+ "type %u (%s)",
+ namebuf, ds.digest_type,
+ algbuf);
+ logged_digest_type[ds.digest_type] =
+ true;
+ }
+ break;
+ }
+
+ /*
+ * If we ever deprecate a private algorithm use
+ * dst_algorithm_fromdata() here.
+ */
+ switch (ds.algorithm) {
+ case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ if (!logged_algorithm[ds.algorithm]) {
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ dns_secalg_format(ds.algorithm, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "%s/DS deprecated algorithm "
+ "%u (%s)",
+ namebuf, ds.algorithm,
+ algbuf);
+ logged_algorithm[ds.algorithm] = true;
+ }
+ break;
+ }
+ }
+ dns_rdataset_disassociate(&rdataset);
+
goto next;
checkfordname:
}
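Review bot: The `switch (ds.digest_type)` at L167 and `switch (ds.algorithm)` at L191 have no `default:` arm while the otherwise identical `switch (key.algorithm)` at L102 ends with `default: break;`; the same applies to `switch (structcds.digest_type)` at L309, so pick one form for all four. The log-once sequence (format owner name, format algorithm, dnssec_log, set flag) is written out three times in this hunk (L105-L117, L169-L183, L194-L206); a small static helper per record type keeps the message format in one place, as sketched below for the two algorithm cases. `logged_algorithm` and `logged_digest_type` are declared uninitialized at L68-L69 and memset before each node, whereas L248 and L299 initialise with `= { 0 }` at the point of use; declaring them inside the per-node block the same way would read consistently. The enclosing function starts before and ends after this hunk, and some context lines appear to have been dropped from the page between L125 and L129.
```c
/* Log a deprecated KEY/DS algorithm once per owner name and algorithm. */
static void
log_deprecated_alg(dns_zone_t *zone, dns_name_t *name, const char *rrtype,
		   dns_secalg_t alg, bool *logged)
{
	char namebuf[DNS_NAME_FORMATSIZE];
	char algbuf[DNS_SECALG_FORMATSIZE];

	if (logged[alg]) {
		return;
	}
	dns_name_format(name, namebuf, sizeof(namebuf));
	dns_secalg_format(alg, algbuf, sizeof(algbuf));
	dnssec_log(zone, ISC_LOG_WARNING, "%s/%s deprecated algorithm %u (%s)",
		   namebuf, rrtype, alg, algbuf);
	logged[alg] = true;
}

	/* … unchanged: KEY loop up to dns_rdata_tostruct() … */
	switch (key.algorithm) {
	case DNS_KEYALG_RSASHA1:
	case DNS_KEYALG_NSEC3RSASHA1:
		log_deprecated_alg(zone, name, "KEY", key.algorithm,
				   logged_algorithm);
		break;
	default:
		break;
	}
	/* … unchanged: DS loop, same call with "DS" and ds.algorithm … */
```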
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &mx, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &srv, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
have_txt = isspf(&rdata);
dns_rdata_reset(&rdata);
notxt:
if (have_spf && !have_txt) {
- char namebuf[DNS_NAME_FORMATSIZE];
-
dns_name_format(name, namebuf, sizeof(namebuf));
dns_zone_log(zone, ISC_LOG_WARNING,
"'%s' found type "
dns_dbnode_t *node = NULL;
dns_dbversion_t *version = NULL;
dns_rdata_dnskey_t dnskey;
- dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
isc_result_t result;
+ bool logged_algorithm[DST_MAX_ALGS] = { 0 };
+ bool alldeprecated = true;
result = dns_db_findnode(db, &zone->origin, false, &node);
if (result != ISC_R_SUCCESS) {
for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
INSIST(result == ISC_R_SUCCESS);
algorithm, dnskey.algorithm,
dst_region_computeid(&r));
}
- dns_rdata_reset(&rdata);
+
+ switch (dnskey.algorithm) {
+ case DNS_KEYALG_RSAMD5:
+ case DNS_KEYALG_DSA:
+ case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3DSA:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ case DNS_KEYALG_ECCGOST:
+ if (!logged_algorithm[dnskey.algorithm]) {
+ dns_secalg_format(dnskey.algorithm, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "deprecated DNSKEY algorithm found: "
+ "%u (%s)\n",
+ dnskey.algorithm, algbuf);
+ logged_algorithm[dnskey.algorithm] = true;
+ }
+ break;
+ default:
+ alldeprecated = false;
+ break;
+ }
}
dns_rdataset_disassociate(&rdataset);
+ if (alldeprecated) {
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "all DNSKEY algorithms found are deprecated");
+ }
+
cleanup:
if (node != NULL) {
dns_db_detachnode(db, &node);
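Review bot: The warning format at L276-L277 ends in `\n` while every other dnssec_log() message in this commit (L113, L202, L290) does not, so this one line will most likely carry a trailing newline into the log; drop it: `"%u (%s)",`. `alldeprecated` starts true at L249 and is only cleared by a non-deprecated DNSKEY, so an rdataset with no entries would log "all DNSKEY algorithms found are deprecated" with nothing found — presumably dns_db_findrdataset() never hands back an empty rdataset, but a short comment on L249 stating that assumption would help. The deprecated set here (RSAMD5, DSA, NSEC3DSA and ECCGOST in addition to the two RSASHA1 variants) is wider than the set checked for KEY and DS records at L103-L104 and L192-L193; if that difference is deliberate, a one-line comment above L265 would stop the next reader from "fixing" it. The enclosing function starts before and ends after the hunk.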
* record which must be by itself.
*/
if (dns_rdataset_isassociated(&cds)) {
+ bool logged_digest_type[DNS_DSDIGEST_MAX + 1] = { 0 };
bool delete = false;
memset(algorithms, notexpected, sizeof(algorithms));
for (result = dns_rdataset_first(&cds); result == ISC_R_SUCCESS;
}
CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
+
+ /*
+ * Log deprecated CDS digest types.
+ */
+ switch (structcds.digest_type) {
+ case DNS_DSDIGEST_SHA1:
+ if (!logged_digest_type[structcds.digest_type])
+ {
+ char algbuf[DNS_DSDIGEST_FORMATSIZE];
+ dns_dsdigest_format(
+ structcds.digest_type, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "deprecated CDS digest type "
+ "%u (%s)",
+ structcds.digest_type,
+ algbuf);
+ logged_digest_type[structcds.digest_type] =
+ true;
+ }
+ break;
+ }
+
if (algorithms[structcds.algorithm] == 0) {
algorithms[structcds.algorithm] = expected;
}