author | Casey Deccio <casey@deccio.net> | 2021-01-08 00:46:53 +0300 |
---|---|---|
committer | Casey Deccio <casey@deccio.net> | 2021-01-09 03:07:33 +0300 |
commit | 8f4080c53cf7fe10b0a8eac59e94a796ab3d99fb (patch) | |
tree | 003a578cba282ae62de92f3ec0b7850e18610a64 | |
parent | 992baacead282d4f927cdc2ac56a2ba0005e8457 (diff) |
Allow prohibited algorithms to be considered with command-line option
-rw-r--r-- | dnsviz/analysis/offline.py | 7 | ||||
-rw-r--r-- | dnsviz/commands/graph.py | 6 | ||||
-rw-r--r-- | dnsviz/commands/grok.py | 6 | ||||
-rw-r--r-- | dnsviz/commands/print.py | 6 | ||||
-rw-r--r-- | doc/man/dnsviz-graph.1 | 8 | ||||
-rw-r--r-- | doc/man/dnsviz-grok.1 | 8 | ||||
-rw-r--r-- | doc/man/dnsviz-print.1 | 8 |
7 files changed, 45 insertions, 4 deletions
diff --git a/dnsviz/analysis/offline.py b/dnsviz/analysis/offline.py
index 8b458df..dbea3db 100644
--- a/dnsviz/analysis/offline.py
+++ b/dnsviz/analysis/offline.py
@@ -843,7 +843,7 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
 self._populate_ds_status(dns.rdatatype.DLV, supported_algs, supported_digest_algs)
 self._populate_dnskey_status(trusted_keys)
- def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True):
+ def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True, validate_prohibited_algs=False):
 # identify supported algorithms as intersection of explicitly supported
 # and software supported
 if supported_algs is not None:
@@ -855,6 +855,11 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
 else:
 supported_digest_algs = copy.copy(crypto._supported_digest_algs)
+ # unless we are overriding, mark prohibited algorithms as not supported
+ if not validate_prohibited_algs:
+ supported_algs.difference_update(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE)
+ supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE)
+
 self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx)
 def _populate_name_status(self, trace=None):
diff --git a/dnsviz/commands/graph.py b/dnsviz/commands/graph.py
index 8beb188..13558e0 100644
--- a/dnsviz/commands/graph.py
+++ b/dnsviz/commands/graph.py
@@ -198,6 +198,10 @@ class GraphArgHelper:
 type=self.comma_separated_ints_set, action='store',
 metavar='<digest_alg>,[<digest_alg>...]',
 help='Support only the specified DNSSEC digest algorithm(s)')
+ self.parser.add_argument('-b', '--validate-prohibited-algs',
+ const=True, default=False,
+ action='store_const',
+ help='Validate algorithms for which validation is otherwise prohibited')
 self.parser.add_argument('-C', '--enforce-cookies',
 const=True, default=False,
 action='store_const',
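Review bot: The new `if not validate_prohibited_algs:` block in `populate_status` silently drops any algorithm the caller listed explicitly in `supported_algs` or `supported_digest_algs` that is also in `Status.DNSKEY_ALGS_MUST_NOT_VALIDATE` / `Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE`, so a user who names such an algorithm with `-a`/`-d` but omits `-b` gets no indication it was removed, and the method has no docstring stating this precedence. The `if supported_algs is not None:` branch lies between the two hunks and is not shown, so I cannot tell whether it copies the caller's set; if it keeps the caller's object, `difference_update` also mutates `arghelper.args.algorithms` in place across the `name_objs` loop in graph, grok and print. I would add a docstring to `populate_status` describing each keyword and stating that, unless `validate_prohibited_algs` is true, the two MUST_NOT_VALIDATE sets are removed from the supported sets even when explicitly supplied, and, if the sets are not already private copies, rebind instead of mutating: `supported_algs = supported_algs - Status.DNSKEY_ALGS_MUST_NOT_VALIDATE` and `supported_digest_algs = supported_digest_algs - Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE`. The enclosing method starts in the previous hunk and its intervening lines are outside this view.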
@@ -457,7 +461,7 @@ def main(argv):
 G = DNSAuthGraph()
 for name_obj in name_objs:
- name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
+ name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
 for qname, rdtype in name_obj.queries:
 if arghelper.args.rr_types is None:
 # if rdtypes was not specified, then graph all, with some
diff --git a/dnsviz/commands/grok.py b/dnsviz/commands/grok.py
index 37e612f..14fefc1 100644
--- a/dnsviz/commands/grok.py
+++ b/dnsviz/commands/grok.py
@@ -221,6 +221,10 @@ class GrokArgHelper:
 type=self.comma_separated_ints_set, action='store',
 metavar='<digest_alg>,[<digest_alg>...]',
 help='Support only the specified DNSSEC digest algorithm(s)')
+ self.parser.add_argument('-b', '--validate-prohibited-algs',
+ const=True, default=False,
+ action='store_const',
+ help='Validate algorithms for which validation is otherwise prohibited')
 self.parser.add_argument('-C', '--enforce-cookies',
 const=True, default=False,
 action='store_const',
@@ -454,7 +458,7 @@ def main(argv):
 d = OrderedDict()
 for name_obj in name_objs:
- name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
+ name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
 if arghelper.trusted_keys:
 G = DNSAuthGraph()
diff --git a/dnsviz/commands/print.py b/dnsviz/commands/print.py
index d2e4524..ceffdfc 100644
--- a/dnsviz/commands/print.py
+++ b/dnsviz/commands/print.py
@@ -356,6 +356,10 @@ class PrintArgHelper:
 type=self.comma_separated_ints_set, action='store',
 metavar='<digest_alg>,[<digest_alg>...]',
 help='Support only the specified DNSSEC digest algorithm(s)')
+ self.parser.add_argument('-b', '--validate-prohibited-algs',
+ const=True, default=False,
+ action='store_const',
+ help='Validate algorithms for which validation is otherwise prohibited')
 self.parser.add_argument('-C', '--enforce-cookies',
 const=True, default=False,
 action='store_const',
@@ -590,7 +594,7 @@ def main(argv):
 G = DNSAuthGraph()
 for name_obj in name_objs:
- name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
+ name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
 for qname, rdtype in name_obj.queries:
 if arghelper.args.rr_types is None:
 # if rdtypes was not specified, then graph all, with some
diff --git a/doc/man/dnsviz-graph.1 b/doc/man/dnsviz-graph.1
index 2e49755..6971750 100644
--- a/doc/man/dnsviz-graph.1
+++ b/doc/man/dnsviz-graph.1
@@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported
 digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited. Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624). If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid
diff --git a/doc/man/dnsviz-grok.1 b/doc/man/dnsviz-grok.1
index c6773f7..c9a441d 100644
--- a/doc/man/dnsviz-grok.1
+++ b/doc/man/dnsviz-grok.1
@@ -89,6 +89,14 @@ unknown. Additionally, when a zone has only DS records with unsupported
 digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited. Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624). If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid
diff --git a/doc/man/dnsviz-print.1 b/doc/man/dnsviz-print.1
index 0499e1d..6091405 100644
--- a/doc/man/dnsviz-print.1
+++ b/doc/man/dnsviz-print.1
@@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported
 digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited. Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624). If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid |