static bool remove_inactkeysigs = false;
static bool output_dnssec_only = false;
static bool output_stdout = false;
-bool set_maxttl = false;
+static bool set_maxttl = false;
static dns_ttl_t maxttl = 0;
+static bool no_max_check = false;
#define INCSTAT(counter) \
if (printstats) { \
case 'H':
set_iter = true;
+ /* too-many is NOT DOCUMENTED */
+ if (strcmp(isc_commandline_argument, "too-many") == 0) {
+ nsec3iter = 151;
+ no_max_check = true;
+ break;
+ }
nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fatal("iterations must be numeric");
}
if (nsec3iter > dns_nsec3_maxiterations()) {
- fatal("NSEC3 iterations too big for weakest DNSKEY "
- "strength. Maximum iterations allowed %u.",
- dns_nsec3_maxiterations());
+ if (no_max_check) {
+ fprintf(stderr,
+ "Ignoring max iterations check.\n");
+ } else {
+ fatal("NSEC3 iterations too big. Maximum "
+ "iterations allowed %u.",
+ dns_nsec3_maxiterations());
+ }
}
} else {
hashlist_init(&hashlist, 0, 0); /* silence clang */
rm -f ./delv.out*
rm -f ./delve.out*
rm -f ./dig.out.*
+rm -f ./ns2/too-many-iterations.db
rm -f ./dnssectools.out*
rm -f ./dsfromkey.out.*
rm -f ./keygen.err
in-addr.arpa. NS ns2.example.
inprogress. NS ns10.inprogress.
ns10.inprogress. A 10.53.0.10
+too-many-iterations. NS ns2.too-many-iterations.
+ns2.too-many-iterations. A 10.53.0.2
cp "../ns2/dsset-example$TP" .
cp "../ns2/dsset-in-addr.arpa$TP" .
+cp "../ns2/dsset-too-many-iterations$TP" .
grep "$DEFAULT_ALGORITHM_NUMBER [12] " "../ns2/dsset-algroll$TP" > "dsset-algroll$TP"
cp "../ns6/dsset-optout-tld$TP" .
allow-update { any; };
};
+zone "too-many-iterations" {
+ type master;
+ file "too-many-iterations.db.signed";
+};
+
include "trusted.conf";
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
$SETTIME -P sync now "$key1" > /dev/null
cat "$infile" > "$zonefile.signed"
+
+#
+# Negative result from this zone should come back as insecure.
+#
+zone=too-many-iterations
+infile=too-many-iterations.db.in
+zonefile=too-many-iterations.db
+key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
+key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
+"$SIGNER" -P -3 - -H too-many -g -o "$zone" "$zonefile" > /dev/null 2>&1
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 30 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 30 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+*.a A 10.0.0.3
+b A 10.0.0.2
+d A 10.0.0.4
file "revoked.trusted.db.signed";
};
+zone "too-many-iterations" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "too-many-iterations.bk";
+};
+
include "siginterval.conf";
include "trusted.conf";
recursion yes;
dnssec-validation yes;
dnssec-accept-expired yes;
+ minimal-responses no;
zone "." {
type hint;
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+echo_i "checking excessive NSEC3 iteration warnings in named.run ($n)"
+ret=0
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns2/named.run >/dev/null 2>&1 || ret=1
+grep "zone too-many-iterations/IN: excessive NSEC3PARAM iterations [0-9]* > 150" ns3/named.run >/dev/null 2>&1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
