diff options
Diffstat (limited to 'dnsviz/analysis/status.py')
-rw-r--r-- | dnsviz/analysis/status.py | 69 |
1 files changed, 63 insertions, 6 deletions
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py index a2197a8..5ba2595 100644 --- a/dnsviz/analysis/status.py +++ b/dnsviz/analysis/status.py @@ -169,6 +169,16 @@ RRSIG_SIG_LENGTH_ERRORS = { DS_DIGEST_ALGS_STRONGER_THAN_SHA1 = (2, 4) DS_DIGEST_ALGS_IGNORING_SHA1 = (2,) +# RFC 8624 Section 3.1 +DNSKEY_ALGS_NOT_RECOMMENDED = (5, 7, 10) +DNSKEY_ALGS_MUST_NOT_SIGN = (1, 3, 6, 12) +DNSKEY_ALGS_MUST_NOT_VALIDATE = (1, 3, 6) + +# RFC 8624 Section 3.2 +DS_DIGEST_ALGS_NOT_RECOMMENDED = () +DS_DIGEST_ALGS_MUST_NOT_SIGN = (0, 1, 3) +DS_DIGEST_ALGS_MUST_NOT_VALIDATE = () + class RRSIGStatus(object): def __init__(self, rrset, rrsig, dnskey, zone_name, reference_ts, supported_algs): self.rrset = rrset @@ -186,13 +196,37 @@ class RRSIGStatus(object): self.validation_status = RRSIG_STATUS_VALID if self.signature_valid is None or self.dnskey.rdata.algorithm not in supported_algs: + # Either we can't validate the cryptographic signature, or we are + # explicitly directed to ignore the algorithm. if self.dnskey is None: + # In this case, there is no corresponding DNSKEY, so we make + # the status "INDETERMINATE". if self.validation_status == RRSIG_STATUS_VALID: self.validation_status = RRSIG_STATUS_INDETERMINATE_NO_DNSKEY + else: - if self.validation_status == RRSIG_STATUS_VALID: - self.validation_status = RRSIG_STATUS_INDETERMINATE_UNKNOWN_ALGORITHM - self.warnings.append(Errors.AlgorithmNotSupported(algorithm=self.rrsig.algorithm)) + # If there is a DNSKEY, then we look at *why* we are ignoring + # the cryptographic signature. + if self.dnskey.rdata.algorithm in DNSKEY_ALGS_MUST_NOT_VALIDATE: + # In this case, specification dictates that the algorithm + # MUST NOT be validated, so we mark it as ignored. + if self.validation_status == RRSIG_STATUS_VALID: + self.validation_status = RRSIG_STATUS_ALGORITHM_IGNORED + else: + # In this case, we can't validate this particular + # algorithm, either because the code doesn't support it, + # or because we have been explicitly directed to ignore it. + # In either case, mark it as "UNKNOWN", and warn that it is + # not supported. + if self.validation_status == RRSIG_STATUS_VALID: + self.validation_status = RRSIG_STATUS_INDETERMINATE_UNKNOWN_ALGORITHM + self.warnings.append(Errors.AlgorithmNotSupported(algorithm=self.rrsig.algorithm)) + + # Independent of whether or not we considered the cryptographic + # validation, issue a warning if we are using an algorithm for which + # validation has been prohibited. + if self.dnskey.rdata.algorithm in DNSKEY_ALGS_MUST_NOT_VALIDATE: + self.warnings.append(Errors.AlgorithmMustNotValidate(algorithm=self.rrsig.algorithm)) if self.rrset.ttl_cmp: if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl: @@ -351,13 +385,36 @@ class DSStatus(object): self.validation_status = DS_STATUS_VALID if self.digest_valid is None or self.ds.digest_type not in supported_digest_algs: + # Either we cannot reproduce a digest with this type, or we are + # explicitly directed to ignore the digest type. if self.dnskey is None: + # In this case, there is no corresponding DNSKEY, so we make + # the status "INDETERMINATE". if self.validation_status == DS_STATUS_VALID: self.validation_status = DS_STATUS_INDETERMINATE_NO_DNSKEY else: - if self.validation_status == DS_STATUS_VALID: - self.validation_status = DS_STATUS_INDETERMINATE_UNKNOWN_ALGORITHM - self.warnings.append(Errors.DigestAlgorithmNotSupported(algorithm=ds.digest_type)) + # If there is a DNSKEY, then we look at *why* we are ignoring + # the digest of the DNSKEY. + if self.ds.digest_type in DS_DIGEST_ALGS_MUST_NOT_VALIDATE: + # In this case, specification dictates that the algorithm + # MUST NOT be validated, so we mark it as ignored. + if self.validation_status == DS_STATUS_VALID: + self.validation_status = DS_STATUS_ALGORITHM_IGNORED + else: + # In this case, we can't validate this particular + # digest type, either because the code doesn't support it, + # or because we have been explicitly directed to ignore it. + # In either case, mark it as "UNKNOWN", and warn that it is + # not supported. + if self.validation_status == DS_STATUS_VALID: + self.validation_status = DS_STATUS_INDETERMINATE_UNKNOWN_ALGORITHM + self.warnings.append(Errors.DigestAlgorithmNotSupported(algorithm=self.ds.digest_type)) + + # Independent of whether or not we considered the digest for + # validation, issue a warning if we are using a digest type for which + # validation has been prohibited. + if self.ds.digest_type in DS_DIGEST_ALGS_MUST_NOT_VALIDATE: + self.warnings.append(Errors.DigestAlgorithmMustNotValidate(algorithm=self.ds.digest_type)) if self.dnskey is not None and \ self.dnskey.rdata.flags & fmt.DNSKEY_FLAGS['revoke']: |