Check disable-algorithms with non-zone names
authorMatthijs Mekking <matthijs@isc.org>
Tue, 23 Sep 2025 13:36:56 +0000 (15:36 +0200)
committerMark Andrews <marka@isc.org>
Mon, 29 Sep 2025 01:16:24 +0000 (11:16 +1000)
Test that if disable-algorithms is configured on a name that is below
the zonecut, it still validates (z.secure.example).

Test that if disable-algorithms is configured on a name that is above
the zonecut, it is treated as insecure (zonecut.ent.secure.example).

(cherry picked from commit 81d3a29e4ef0730871bdc4954a5c4b6fd3e030b8)

bin/tests/system/dnssec/ns3/named.conf.in
bin/tests/system/dnssec/ns3/secure.example.db.in
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns4/named1.conf.in
bin/tests/system/dnssec/ns4/named2.conf.in
bin/tests/system/dnssec/ns4/named3.conf.in
bin/tests/system/dnssec/ns4/named4.conf.in
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests_sh_dnssec.py

index 3b66a9d69614f6d9ff6abe085f7f95830cb21863..5eba816b795595f05fdd8a260e37b3af41b6c579 100644 (file)
@@ -97,6 +97,12 @@ zone "badalg.secure.example" {
        allow-update { any; };
 };
 
+zone "zonecut.ent.secure.example" {
+       type primary;
+       file "zonecut.ent.secure.example.db.signed";
+       allow-update { any; };
+};
+
 zone "bogus.example" {
        type primary;
        file "bogus.example.db.signed";
index 43ad1e557e88f865afa82afa2254b23db6dd6e94..eeb5a4cf4929b5404136afdcc02aba606c333f84 100644 (file)
@@ -34,6 +34,9 @@ x                     CNAME   a
 badalg                 NS      ns3.badalg
 ns3.badalg             A       10.53.0.3
 
+zonecut.ent            NS      ns3.zonecut.ent
+ns3.zonecut.ent                A       10.53.0.3
+
 private                        NS      ns.private
 ns.private             A       10.53.0.2
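Review bot: The new delegation for zonecut.ent carries NS and glue but no DS, so whether the child is a signed delegation with a DS depends on how secure.example is signed later (presumably a dsset- file from the new signzone call being picked up at signing time); that is outside this hunk and I could not confirm it. If the DS is absent, the child is insecure regardless of disable-algorithms and the new tests.sh case only detects that through its EDE 1 grep. A one-line comment on the delegation would make the dependency visible, e.g. `; delegation below ent.secure.example (an ENT); the DS must be supplied at signing time or the disable-algorithms test is meaningless`.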
 
index 3669cd3f7b30ba92a8b432f50541a337baaa424c..350a504a13a0ea55e1ea6ff7a45fa35116d5c1f9 100644 (file)
@@ -89,6 +89,18 @@ cat "$infile" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
 
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for ent.secure.example.
+zone=zonecut.ent.secure.example.
+infile=zonecut.ent.secure.example.db.in
+zonefile=zonecut.ent.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
 #
 zone=secure.example.
 infile=secure.example.db.in
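Review bot: The comment opening the new block says DEFAULT_ALGORITHM is disabled for ent.secure.example, but the ns4 named1.conf.in through named4.conf.in hunks disable ECDSAP256SHA256 by name, so the statement only holds while DEFAULT_ALGORITHM resolves to that algorithm; the existing badalg.secure.example line in those configs has the same coupling, so this is a documentation point rather than a new defect. I would state the dependency explicitly: `# A zone that will be treated as insecure: ns4 disables ECDSAP256SHA256 (assumed to be DEFAULT_ALGORITHM) for ent.secure.example, which is above this zone cut.` The signing block visible at the top of the hunk belongs to a zone whose assignments are outside the hunk.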
diff --git a/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in b/bin/tests/system/dnssec/ns3/zonecut.ent.secure.example.db.in
new file mode 100644 (file)
index 0000000..93cb343
--- /dev/null
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns3
+                       A       10.53.0.4
+ns3                    A       10.53.0.3
index 8e29a45db76506d625126a76048535ff2b8a6c82..c3e055f8e9ddb9f63e139618d8929da44cbd9afc 100644 (file)
@@ -34,6 +34,8 @@ options {
        disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
        disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
        disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 
        # Note: We only reference the bind.keys file here to confirm that it
        # is *not* being used.  It contains the real root key, and we're
index bf82385f7115244524e517b31f2aca79f674156a..ab14d44f34bb023ab0fede26bbb69646a525efff 100644 (file)
@@ -29,6 +29,8 @@ options {
        disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";  };
        disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
        disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {
index d6a44c799de726a1782bd7a3d1ac61b71b6ae2b1..be9bb5431ab0ed52410839dbed2611dd7a2b9f36 100644 (file)
@@ -32,6 +32,8 @@ options {
        disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
        disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
        disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {
index 34f59b498a2090dd91bb6dc768ce18e49e9681e7..f0dc264ddca1351ac4e368463bce0053b3b7003c 100644 (file)
@@ -25,6 +25,8 @@ options {
        disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
        disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
        disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "z.secure.example." { ECDSAP256SHA256; };
+       disable-algorithms "ent.secure.example." { ECDSAP256SHA256; };
 };
 
 key rndc_key {
index a192f5e0049064ed42356f385d7de3d80caa983f..5a01561eaa806dd8e527dbd1f9f901eb272b5aeb 100644 (file)
@@ -3757,6 +3757,27 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_i "check that zone contents are still secure despite disable-algorithms on query name (name below zone name) ($n)"
+ret=0
+dig_with_opts @10.53.0.4 z.secure.example >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "check that zone contents are treated as insecure when disable-algorithms name is above zone name ($n)"
+ret=0
+dig_with_opts @10.53.0.4 zonecut.ent.secure.example >dig.out.ns4.test$n || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): " dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
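Review bot: In the second new check, the `; EDE: 1 (Unsupported DNSKEY Algorithm): ` grep is the only assertion that separates "insecure because the algorithm is disabled" from "insecure because the delegation has no DS"; the missing-AD test alone would also pass on a plain unsigned delegation. That guard deserves a comment so it is not dropped when the test is tidied, e.g. `# EDE 1 shows the DS was found and the key algorithm rejected, not that the delegation is merely unsigned`. The first new check assumes z.secure.example answers with exactly one RRset plus its RRSIG (ANSWER: 2,); the z records are outside this diff, so I could not confirm that count.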
+
 echo_i "check that DS records are still treated as secure at the disable-algorithm name ($n)"
 ret=0
 dig_with_opts @10.53.0.4 badalg.secure.example DS >dig.out.ns4.test$n || ret=1
index 52730aec0bd2e4014fcfb96928d637c381cdbb2f..7cd2633fe3f8c0db9edd54a8d9c821e43411d74a 100644 (file)
@@ -92,6 +92,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/dnskey-unsupported-2.example.db",
         "ns3/dnskey-unsupported.example.db",
         "ns3/dnskey-unsupported.example.db.tmp",
+        "ns3/ds-unsupported.example.db",
         "ns3/dynamic.example.db",
         "ns3/digest-alg-unsupported.example.db",
         "ns3/enabled.managed.db",
@@ -142,7 +143,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/update-nsec3.example.db.signed",
         "ns3/upper.example.db",
         "ns3/upper.example.db.lower",
-        "ns3/ds-unsupported.example.db",
+        "ns3/zonecut.ent.secure.example.db",
         "ns4/managed.conf",
         "ns4/managed-keys.bind",
         "ns4/named.secroots",