Commit d4fabf99 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: setting opt-out bit if NSEC3 opt-out configured

parent fce76326
......@@ -276,7 +276,7 @@ static int set_nsec3param(knot_rrset_t *rrset, const dnssec_nsec3_params_t *para
wire_ctx_t wire = wire_ctx_init(rdata, rdata_len);
wire_ctx_write_u8(&wire, params->algorithm);
wire_ctx_write_u8(&wire, params->flags);
wire_ctx_write_u8(&wire, 0); // (RFC 5155 Section 4.1.2)
wire_ctx_write_u16(&wire, params->iterations);
wire_ctx_write_u8(&wire, params->salt.size);
wire_ctx_write(&wire, params->salt.data, params->salt.size);
......@@ -355,6 +355,7 @@ static dnssec_nsec3_params_t nsec3param_init(const knot_kasp_policy_t *policy,
params.algorithm = DNSSEC_NSEC3_ALGORITHM_SHA1;
params.iterations = policy->nsec3_iterations;
params.salt = zone->nsec3_salt;
params.flags = (policy->nsec3_opt_out ? KNOT_NSEC3_FLAG_OPT_OUT : 0);
}
return params;
......
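Review bot: In nsec3param_init the added `params.flags = (policy->nsec3_opt_out ? KNOT_NSEC3_FLAG_OPT_OUT : 0);` stores a libknot constant into a libdnssec `dnssec_nsec3_params_t`, whose algorithm on the line above comes from the libdnssec-side `DNSSEC_NSEC3_ALGORITHM_SHA1`; if libdnssec exposes its own opt-out flag constant it should be used here so the two libraries cannot drift on the bit value. The first hunk's switch in set_nsec3param from `params->flags` to a hard-coded `0` is correct per RFC 5155 §4.1.2, but it now silently drops a flags value that is no longer always zero, so I would make the comment say why: `// NSEC3PARAM Flags must be zero (RFC 5155 §4.1.2); Opt-Out is signalled only on NSEC3 RRs.`. Worth noting for reviewers of the policy knob this enables: with Opt-Out set, unsigned delegations covered by an opt-out span are no longer provably absent to validators, which is the intended trade-off but a weaker proof. Both enclosing functions start outside their hunks.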
......@@ -154,11 +154,4 @@ typedef enum {
KNOT_DNSSEC_ALG_PRIVATEOID = 254
} knot_dnssec_algorithm_t;
/*!
* \brief NSEC3 hash algorithm numbers.
*/
typedef enum {
KNOT_NSEC3_ALGORITHM_SHA1 = 1
} knot_nsec3_hash_algorithm_t;
/*! @} */
/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -32,6 +32,12 @@
#include "libknot/rdataset.h"
#include "libknot/rrtype/nsec3param.h"
/*!
* \brief NSEC3 rdata constants.
*/
#define KNOT_NSEC3_ALGORITHM_SHA1 1
#define KNOT_NSEC3_FLAG_OPT_OUT 1
static inline
uint8_t knot_nsec3_algorithm(const knot_rdataset_t *rrs, size_t pos)
{
......
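Review bot: The two new macros `#define KNOT_NSEC3_ALGORITHM_SHA1 1` and `#define KNOT_NSEC3_FLAG_OPT_OUT 1` are undocumented beyond "NSEC3 rdata constants", and their identical value invites mixing up the hash algorithm number with the flag bit. I would document each: `/*! \brief NSEC3 hash algorithm number for SHA-1 (RFC 5155). */` and `/*! \brief Opt-Out bit of the NSEC3 Flags field (RFC 5155 §3.1.2.1); must be zero in NSEC3PARAM Flags (§4.1.2). */`. Replacing the removed `knot_nsec3_hash_algorithm_t` enum with plain `#define`s also gives up the typed, debugger-visible constant, and dropping that typedef may break external users of the old name, which cannot be checked from here. The knot_nsec3_algorithm body continues past the hunk.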
......@@ -10,7 +10,7 @@ zone_name = "example.com."
t = Test()
def check_deleg(deleg, nsec3_bitmap, msg):
def check_deleg(deleg, nsec3_bitmap, opt_out_flag, msg):
t.sleep(2)
resp = master.dig(deleg + "." + zone_name, "A", dnssec=True, bufsize=4096)
first_nsec3 = str(resp.resp.authority[1]) # assert this is the first NSEC3 in the response
......@@ -19,6 +19,10 @@ def check_deleg(deleg, nsec3_bitmap, msg):
if first_bitmap != nsec3_bitmap:
set_err("NSEC3 bitmap for '%s'" % msg)
first_flags = first_nsec3.split()[5];
if first_flags != str(opt_out_flag):
set_err("NSEC3 opt-out flag %s != %s for '%s'" % (first_flags, str(opt_out_flag), msg))
detail_log(SEP)
master.zone_backup(zone, flush=True)
master.zone_verify(zone)
......@@ -45,25 +49,25 @@ master.zone_verify(zone)
up = master.update(zone)
up.add("deleg1", 3600, "NS", "nothing")
up.send("NOERROR")
check_deleg("deleg1", "NS", "non-optout update")
check_deleg("deleg1", "NS", 0, "non-optout update")
# opt-out off, zone re-sign
master.ctl("zone-sign")
check_deleg("deleg1", "NS", "non-optout re-sign")
check_deleg("deleg1", "NS", 0, "non-optout re-sign")
# opt-out on, zone re-sign
master.dnssec(zone).nsec3_opt_out = True
master.gen_confile()
master.reload()
check_deleg("deleg1", "NS SOA MX RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY", "optout re-sign")
check_deleg("deleg1", "NS SOA MX RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY", 1, "optout re-sign")
# opt-out on, delegation added in changeset
up = master.update(zone)
up.add("deleg2", 3600, "NS", "nothing")
up.send("NOERROR")
check_deleg("deleg2", "NS SOA MX RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY", "optout update")
check_deleg("deleg2", "NS SOA MX RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY", 1, "optout update")
t.end()
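Review bot: The new check `first_flags = first_nsec3.split()[5];` compares presentation-format strings and carries a stray semicolon; `first_flags = int(first_nsec3.split()[5])` with `if first_flags != opt_out_flag:` is cleaner and fails loudly if the field is not numeric. It also inherits the assumption on the unchanged line above that `authority[1]` is the first NSEC3, so a differently ordered authority section would make the flag assertion inspect the wrong RR; selecting the record by type rather than by position would make it robust. Nothing in the test covers the other half of the commit, that the NSEC3PARAM Flags field stays 0 once opt-out is enabled (RFC 5155 §4.1.2); a dig for NSEC3PARAM at the apex after the "optout re-sign" step asserting its flags field is `0` would close that gap, assuming the harness's dig helper supports it. The check_deleg body spans the first two hunks, with the lines between them outside view.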