. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +dnssec -p ${PORT}"
+DIGUDPOPTS="+dnssec -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
status=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
- keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
+ keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
[ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
- num=`grep "Done signing with" signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
+ num=`grep "Done signing with" signing.out.test$n.$i | wc -l`
[ $num = 1 ] && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
- $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1
- grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n.$i 2>&1
+ grep "No signing records found" signing.out.test$n.$i > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 added.bits A > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
- grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "2011072400" dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n 2>&1
- keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list noixfr > signing.out.test$n.$i 2>&1
+ keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
[ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 added.noixfr A > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
- grep "2011072400" dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "2011072400" dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
- keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
+ keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
[ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
for i in 1 2 3 4 5 6 7 8 9
do
ans=0
- $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
- num=`grep "Done signing with" signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
+ num=`grep "Done signing with" signing.out.test$n.$i | wc -l`
[ $num = 1 ] && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
- $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n 2>&1
- grep "No signing records found" signing.out.test$n > /dev/null || ans=1
+ $RNDCCMD 10.53.0.3 signing -list master > signing.out.test$n.$i 2>&1
+ grep "No signing records found" signing.out.test$n.$i > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9
do
ans=0
- $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n
- grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ $DIG $DIGOPTS @10.53.0.3 e.master A > dig.out.ns3.test$n.$i
+ grep "10.0.0.5" dig.out.ns3.test$n.$i > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9
do
ans=0
- $DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n
- grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ $DIG $DIGOPTS @10.53.0.3 c.master A > dig.out.ns3.test$n.$i
+ grep "10.0.0.3" dig.out.ns3.test$n.$i > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n 2>&1
- keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list dynamic > signing.out.test$n.$i 2>&1
+ keys=`grep '^Done signing' signing.out.test$n.$i | wc -l`
[ $keys = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
- $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
- grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
+ $DIG $DIGOPTS @10.53.0.3 e.dynamic > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ans=1
+ grep "1.2.3.4" dig.out.ns3.test$n.$i > /dev/null || ans=1
[ $ans = 0 ] && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
- grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "2011072450" dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
- grep "2011072450" dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 noixfr SOA > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "2011072450" dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
- $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n
- grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
- grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
- grep "2011072460" dig.out.ns3.test$n > /dev/null || ret=1
+ $DIG $DIGOPTS @10.53.0.3 bits SOA > dig.out.ns3.test$n.$i
+ grep "status: NOERROR" dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "ANSWER: 2," dig.out.ns3.test$n.$i > /dev/null || ret=1
+ grep "2011072460" dig.out.ns3.test$n.$i > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
for i in 0 1 2 3 4 5 6 7 8 9
do
ans=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n
- grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
- grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n.$i
+ grep "status: NXDOMAIN" dig.out.ns3.pre.test$n.$i > /dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.pre.test$n.$i > /dev/null || ans=1
[ $ans = 0 ] && break
sleep 1
done
for i in 0 1 2 3 4 5 6 7 8 9
do
ans=0
- $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
- grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
- grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
+ $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
+ grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ans=1
+ grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ans=1
[ $ans = 0 ] && break
sleep 1
done
for i in 1 2 3 4 5 6 7 8 9 10
do
- $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
- soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
+ $DIG $DIGOPTS @10.53.0.3 soa inactivezsk > dig.out.ns3.post.test$n.$i || ret=1
+ soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n.$i`
test ${soa1:-0} -ne ${soa2:-0} && break
sleep 1
done
ans=1
for i in 1 2 3 4 5 6 7 8 9 10
do
- $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
- num=`grep "Done signing with" signing.out.test$n | wc -l`
+ $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n.$i 2>&1
+ num=`grep "Done signing with" signing.out.test$n.$i | wc -l`
if [ $num -eq 2 ]; then
ans=0
break
--- /dev/null
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+# Unsupported algorithms in BIND 9
+
+Following RFC 6944 and jumping ahead to draft-ietf-dnsop-algorithm-update-04,
+BIND 9 takes preparations to remove support for deprecated DNSSEC algorithms.
+These include RSAMD5, DSA, and ECC-GOST.
+
+How does this impact BIND 9 behavior? In order to determine this, we first
+need to establish in what contexts can DNSSEC algorithms be used. Two logical
+categories of such contexts can be identified: signing and validation.
+
+## DNSSEC signing
+
+### DNSSEC tools
+
+BIND 9 DNSSEC tools do not allow generating new keys using unsupported
+algorithms:
+
+ $ dnssec-keygen -a RSAMD5 example.
+ dnssec-keygen: fatal: unsupported algorithm: 1
+
+The tools also refuse to work with previously generated keys using unsupported
+algorithms:
+
+ $ dnssec-dsfromkey Kexample.+001+53634
+ dnssec-dsfromkey: fatal: can't load Kexample.+001+53634.key: algorithm is unsupported
+
+ $ dnssec-signzone example.db Kexample.+001+53634
+ dnssec-signzone: fatal: cannot load dnskey Kexample.+001+53634: algorithm is unsupported
+
+A DNSKEY RR with an unsupported algorithm may be *included* in a zone, as long
+as it is not used for *signing* that zone.
+
+BIND 9 also does not allow unsupported algorithms to be used with `auto-dnssec`:
+
+ zone "example" IN {
+ type master;
+ file "db/example.db";
+ key-directory "keys/example";
+ inline-signing yes;
+ auto-dnssec maintain;
+ }
+ ...
+ dns_dnssec_findmatchingkeys: error reading key file Kexample.+001+53634.private: algorithm is unsupported
+
+(DISCUSS: We might want to fail hard for such configurations.)
+
+## DNSSEC validation
+
+A validator has more possible interactions with unsupported algorithms:
+
+ * a key using one of these algorithms may be configured as a trust anchor,
+ * a DLV record for such a key may be placed in a DLV zone.
+ * upstream answers may contain signatures using such algorithms,
+
+### Disabled algorithms
+
+The `disable-algorithms` clause in `named.conf` can be used to prevent the
+specified algorithms from being used when validating responses at and below a
+certain name. For example, the following configuration:
+
+ disable-algorithms "example." { RSASHA512; };
+
+will mark RSASHA512 as disabled at and below `example.`. This effectively
+means that for this domain and all domains below it, the RSASHA512 algorithm is
+treated as unsupported.
+
+### Trust anchors
+
+In BIND 9, trust anchors can be configured using two clauses:
+
+ * `trusted-keys`, which contains hardcoded (static) trust anchors,
+ * `managed-keys`, which will be kept up to date automatically, following the
+ zone's key rollovers (according to the algorithm specified in RFC 5011).
+
+When put into the above clauses, keys using unsupported algorithms will be
+ignored:
+
+ trusted.conf:3: skipping trusted key for 't.example.': algorithm is unsupported
+ managed.conf:3: skipping managed key for 'm.example.': algorithm is unsupported
+
+BIND 9 also ignores any configured trust anchor whose owner name and algorithm
+match any `disable-algorithms` clause present in `named.conf`.
+
+If a given trust point is left with no trust anchors using supported
+algorithms, BIND 9 will act as if the trust point was not configured at all and
+if there are no trust points configured higher up the tree, names at the trust
+point and below it will be treated as insecure.
+
+Note that prior to BIND 9.13.6, configured trust anchors that matched disabled
+algorithms were not ignored and that lead to SERVFAILs for associated domains.
+This behavior has changed to be more consistent with unsupported algorithms:
+BIND 9 will ignore such trust anchors, and responses for those domains will
+now be treated as insecure.
+
+### DLV
+
+If a DLV record in a DLV zone points to a DNSKEY using an unsupported algorithm
+or an algorithm which has been disabled for the relevant part of the tree using
+a `disable-algorithms` clause in `named.conf`, the corresponding zone will be
+treated as insecure.
+
+However, if the trust anchor specified for the DLV zone itself uses an
+unsupported or disabled algorithm, no DLV record in that DLV zone can be
+treated as secure and thus attempts to resolve names in the domains pointed to
+by the records in that DLV zone will yield SERVFAIL responses. Consider the
+following example:
+
+ trusted-keys {
+ "dlv.example." 257 3 1 ...;
+ };
+
+ options {
+ ...
+ dnssec-lookaside "foo." trust-anchor "dlv.example";
+ };
+
+The example above specifies a DLV trust anchor using the RSAMD5 algorithm
+(algorithm number 1), which effectively prevents resolution of data in any zone
+at and below `foo.` that is listed in `dlv.example` (and does not have a valid,
+non-DLV chain of trust established otherwise). This outcome is different than
+for a trust anchor which uses an unsupported or disabled algorithm and is not
+associated with a `dnssec-lookaside` clause; the reason for this is that in the
+case of a DLV-referenced, unusable key, the trust point is still defined, but
+has no keys associated with it, whereas non-DLV-referenced, unusable keys are
+ignored altogether and do not cause an associated trust point to be defined.
+
+### Algorithm rollover
+
+A zone for which BIND 9 has a trust anchor configured may decide to do an
+algorithm rollover to an unsupported algorithm. If configured with
+`managed-keys`, BIND 9 will ignore the newly introduced DNSKEY if it does
+not support the algorithm. That means that the moment the predecessor DNSKEY
+gets revoked, BIND 9 will no longer have any trust anchors for the given zone
+and it will treat the trust point as if it does not exist, meaning that
+the corresponding zone will now validate as insecure.
projects / thirdparty / bind9.git / commitdiff
