From 22cdb21932a5e9f3aac5ab77dedb1a845a585768 Mon Sep 17 00:00:00 2001
From: Casey Deccio
Date: Thu, 7 Jan 2021 22:16:54 -0700
Subject: Warn if zones are signed with prohibited algorithms
---
 dnsviz/analysis/errors.py | 72 +++++++++++++++++++++++++++++++++++++++++++++++
 dnsviz/analysis/status.py | 11 +++++++-
 2 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/dnsviz/analysis/errors.py b/dnsviz/analysis/errors.py
index b01b342..54356cc 100644
--- a/dnsviz/analysis/errors.py
+++ b/dnsviz/analysis/errors.py
@@ -271,6 +271,44 @@ class AlgorithmValidationProhibited(RRSIGError):
 super(AlgorithmValidationProhibited, self).__init__(**kwargs)
 self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm'])
+class AlgorithmProhibited(RRSIGError):
+ '''
+ >>> e = AlgorithmProhibited(algorithm=5)
+ >>> e.args
+ [5]
+ >>> e.description
+ 'DNSSEC specification prohibits signing with DNSSEC algorithm 5 (RSASHA1).'
+ '''
+
+ _abstract = False
+ code = 'ALGORITHM_PROHIBITED'
+ description_template = "DNSSEC specification prohibits signing with DNSSEC algorithm %(algorithm)d (%(algorithm_text)s)."
+ references = ['RFC 8624, Sec. 3.1']
+ required_params = ['algorithm']
+
+ def __init__(self, **kwargs):
+ super(AlgorithmProhibited, self).__init__(**kwargs)
+ self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm'])
+
+class AlgorithmNotRecommended(RRSIGError):
+ '''
+ >>> e = AlgorithmNotRecommended(algorithm=5)
+ >>> e.args
+ [5]
+ >>> e.description
+ 'DNSSEC specification recommends not signing with DNSSEC algorithm 5 (RSASHA1).'
+ '''
+
+ _abstract = False
+ code = 'ALGORITHM_NOT_RECOMMENDED'
+ description_template = "DNSSEC specification recommends not signing with DNSSEC algorithm %(algorithm)d (%(algorithm_text)s)."
+ references = ['RFC 8624, Sec. 3.1']
+ required_params = ['algorithm']
+
+ def __init__(self, **kwargs):
+ super(AlgorithmNotRecommended, self).__init__(**kwargs)
+ self.template_kwargs['algorithm_text'] = dns.dnssec.algorithm_to_text(self.template_kwargs['algorithm'])
+
 class DNSKEYRevokedRRSIG(RRSIGError):
 '''
 >>> e = DNSKEYRevokedRRSIG()
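Review bot: The doctest on AlgorithmProhibited uses `algorithm=5` (RSASHA1), which the cited RFC 8624, Sec. 3.1 grades NOT RECOMMENDED for signing rather than MUST NOT, so the example contradicts the reference the class points at; `>>> e = AlgorithmProhibited(algorithm=3)` with `[3]` and `'DNSSEC specification prohibits signing with DNSSEC algorithm 3 (DSA).'` would illustrate a genuinely prohibited algorithm (assuming dns.dnssec.algorithm_to_text(3) returns 'DSA'). The same RSASHA1 example fits AlgorithmNotRecommended, so only the first doctest needs changing. The two new `__init__` bodies are byte-identical to the one on AlgorithmValidationProhibited in the context lines above; if RRSIGError (defined outside this hunk) can carry the `algorithm_text` lookup, a shared base would remove the triplication.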
@@ -550,6 +588,40 @@ class DigestAlgorithmValidationProhibited(DSDigestError):
 super(DigestAlgorithmValidationProhibited, self).__init__(**kwargs)
 self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm'])
+class DigestAlgorithmProhibited(DSDigestError):
+ '''
+ >>> e = DigestAlgorithmProhibited(algorithm=5)
+ >>> e.description
+ 'DNSSEC specification prohibits publishing DS records that use digest algorithm 5 (5).'
+ '''
+
+ _abstract = False
+ code = 'DIGEST_ALGORITHM_PROHIBITED'
+ description_template = "DNSSEC specification prohibits publishing DS records that use digest algorithm %(algorithm)d (%(algorithm_text)s)."
+ references = ['RFC 8624, Sec. 3.2']
+ required_params = ['algorithm']
+
+ def __init__(self, **kwargs):
+ super(DigestAlgorithmProhibited, self).__init__(**kwargs)
+ self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm'])
+
+class DigestAlgorithmNotRecommended(DSDigestError):
+ '''
+ >>> e = DigestAlgorithmNotRecommended(algorithm=5)
+ >>> e.description
+ 'DNSSEC specification recommends not publishing DS records that use digest algorithm 5 (5).'
+ '''
+
+ _abstract = False
+ code = 'DIGEST_ALGORITHM_NOT_RECOMMENDED'
+ description_template = "DNSSEC specification recommends not publishing DS records that use digest algorithm %(algorithm)d (%(algorithm_text)s)."
+ references = ['RFC 8624, Sec. 3.2']
+ required_params = ['algorithm']
+
+ def __init__(self, **kwargs):
+ super(DigestAlgorithmNotRecommended, self).__init__(**kwargs)
+ self.template_kwargs['algorithm_text'] = fmt.DS_DIGEST_TYPES.get(self.template_kwargs['algorithm'], self.template_kwargs['algorithm'])
+
 class DNSKEYRevokedDS(DSDigestError):
 '''
 >>> e = DNSKEYRevokedDS()
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index 3d21be2..ea81ebf 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
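Review bot: Both new doctests in this hunk use digest type 5, which `fmt.DS_DIGEST_TYPES.get(...)` cannot name, so the rendered message is the awkward `5 (5)` and the example never exercises the name lookup; a registered digest type would make a better example, e.g. `>>> e = DigestAlgorithmProhibited(algorithm=1)` with the expected string adjusted to whatever name DS_DIGEST_TYPES gives type 1. Each docstring should also state that the parenthesised text falls back to the raw number for digest types absent from DS_DIGEST_TYPES, since that is what the doctest currently demonstrates. As I recall, the RFC 8624, Sec. 3.2 table grades DS creation only as MUST, MUST NOT or MAY, so a sentence in DigestAlgorithmNotRecommended's docstring naming the digest types it is expected to cover would help a reader who follows the reference.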
@@ -224,9 +224,13 @@ class RRSIGStatus(object):
 # Independent of whether or not we considered the cryptographic
 # validation, issue a warning if we are using an algorithm for which
- # validation has been prohibited.
+ # validation or signing has been prohibited.
 if self.dnskey.rdata.algorithm in DNSKEY_ALGS_VALIDATION_PROHIBITED:
 self.warnings.append(Errors.AlgorithmValidationProhibited(algorithm=self.rrsig.algorithm))
+ if self.dnskey.rdata.algorithm in DNSKEY_ALGS_PROHIBITED:
+ self.warnings.append(Errors.AlgorithmProhibited(algorithm=self.rrsig.algorithm))
+ if self.dnskey.rdata.algorithm in DNSKEY_ALGS_NOT_RECOMMENDED:
+ self.warnings.append(Errors.AlgorithmNotRecommended(algorithm=self.rrsig.algorithm))
 if self.rrset.ttl_cmp:
 if self.rrset.rrset.ttl != self.rrset.rrsig_info[self.rrsig].ttl:
@@ -491,6 +495,11 @@ class DSStatus(object):
 else:
 self.warnings.append(Errors.DSDigestAlgorithmMaybeIgnored(algorithm=1, new_algorithm=digest_alg))
+ # For all other digest types, just add a warning here
+ elif self.ds.digest_type in DS_DIGEST_ALGS_PROHIBITED:
+ self.warnings.append(Errors.DigestAlgorithmProhibited(algorithm=self.ds.digest_type))
+ elif self.ds.digest_type in DS_DIGEST_ALGS_NOT_RECOMMENDED:
+ self.warnings.append(Errors.DigestAlgorithmNotRecommended(algorithm=self.ds.digest_type))
 def __str__(self):
-- 
cgit v1.2.3
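Review bot: The two added checks test `self.dnskey.rdata.algorithm` for membership but report `algorithm=self.rrsig.algorithm` in the warning, copying the asymmetry of the existing AlgorithmValidationProhibited line above; the two values should agree for a matched RRSIG/DNSKEY pair, but if they ever differ the warning names an algorithm other than the one that triggered it. Using one value on both sides, e.g. `if self.rrsig.algorithm in DNSKEY_ALGS_PROHIBITED:` followed by `self.warnings.append(Errors.AlgorithmProhibited(algorithm=self.rrsig.algorithm))`, removes the ambiguity. DNSKEY_ALGS_PROHIBITED and DNSKEY_ALGS_NOT_RECOMMENDED here, and DS_DIGEST_ALGS_PROHIBITED / DS_DIGEST_ALGS_NOT_RECOMMENDED in the next hunk, are neither defined nor imported anywhere in this commit (the diffstat covers only errors.py and status.py), so they must already exist in status.py; worth confirming before merge. The enclosing method begins outside the hunk.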
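Review bot: The new `elif` branches are only reached when the enclosing `if` (which starts outside the hunk and, judging by the hard-coded `algorithm=1` in the context line above, handles digest type 1/SHA-1) is false, so a SHA-1 DS can never receive DigestAlgorithmProhibited or DigestAlgorithmNotRecommended even though RFC 8624, Sec. 3.2, the reference the new errors cite, lists SHA-1 as MUST NOT for DS creation. If DS_DIGEST_ALGS_PROHIBITED contains 1, these checks should be independent `if` statements rather than tail branches of the SHA-1 chain, mirroring how the RRSIGStatus hunk above adds standalone `if`s beside the existing VALIDATION_PROHIBITED check. That is a two-line change, `if self.ds.digest_type in DS_DIGEST_ALGS_PROHIBITED:` and `if self.ds.digest_type in DS_DIGEST_ALGS_NOT_RECOMMENDED:` dedented to the level of the outer `if`, with the "For all other digest types" comment reworded since they would no longer be the other-types case.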