From 8f4080c53cf7fe10b0a8eac59e94a796ab3d99fb Mon Sep 17 00:00:00 2001
From: Casey Deccio <casey@deccio.net>
Date: Thu, 7 Jan 2021 14:46:53 -0700
Subject: Allow prohibited algorithms to be considered with command-line option

---
 dnsviz/analysis/offline.py | 7 ++++++-
 dnsviz/commands/graph.py   | 6 +++++-
 dnsviz/commands/grok.py    | 6 +++++-
 dnsviz/commands/print.py   | 6 +++++-
 doc/man/dnsviz-graph.1     | 8 ++++++++
 doc/man/dnsviz-grok.1      | 8 ++++++++
 doc/man/dnsviz-print.1     | 8 ++++++++
 7 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/dnsviz/analysis/offline.py b/dnsviz/analysis/offline.py
index 8b458df..dbea3db 100644
--- a/dnsviz/analysis/offline.py
+++ b/dnsviz/analysis/offline.py
@@ -843,7 +843,7 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
             self._populate_ds_status(dns.rdatatype.DLV, supported_algs, supported_digest_algs)
         self._populate_dnskey_status(trusted_keys)
 
-    def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True):
+    def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True, validate_prohibited_algs=False):
         # identify supported algorithms as intersection of explicitly supported
         # and software supported
         if supported_algs is not None:
@@ -855,6 +855,11 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis):
         else:
             supported_digest_algs = copy.copy(crypto._supported_digest_algs)
 
+        # unless we are overriding, mark prohibited algorithms as not supported
+        if not validate_prohibited_algs:
+            supported_algs.difference_update(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE)
+            supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE)
+
         self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx)
 
     def _populate_name_status(self, trace=None):
diff --git a/dnsviz/commands/graph.py b/dnsviz/commands/graph.py
index 8beb188..13558e0 100644
--- a/dnsviz/commands/graph.py
+++ b/dnsviz/commands/graph.py
@@ -198,6 +198,10 @@ class GraphArgHelper:
                 type=self.comma_separated_ints_set,
                 action='store', metavar='<digest_alg>,[<digest_alg>...]',
                 help='Support only the specified DNSSEC digest algorithm(s)')
+        self.parser.add_argument('-b', '--validate-prohibited-algs',
+                const=True, default=False,
+                action='store_const',
+                help='Validate algorithms for which validation is otherwise prohibited')
         self.parser.add_argument('-C', '--enforce-cookies',
                 const=True, default=False,
                 action='store_const',
@@ -457,7 +461,7 @@ def main(argv):
 
         G = DNSAuthGraph()
         for name_obj in name_objs:
-            name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
+            name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
             for qname, rdtype in name_obj.queries:
                 if arghelper.args.rr_types is None:
                     # if rdtypes was not specified, then graph all, with some
diff --git a/dnsviz/commands/grok.py b/dnsviz/commands/grok.py
index 37e612f..14fefc1 100644
--- a/dnsviz/commands/grok.py
+++ b/dnsviz/commands/grok.py
@@ -221,6 +221,10 @@ class GrokArgHelper:
                 type=self.comma_separated_ints_set,
                 action='store', metavar='<digest_alg>,[<digest_alg>...]',
                 help='Support only the specified DNSSEC digest algorithm(s)')
+        self.parser.add_argument('-b', '--validate-prohibited-algs',
+                const=True, default=False,
+                action='store_const',
+                help='Validate algorithms for which validation is otherwise prohibited')
         self.parser.add_argument('-C', '--enforce-cookies',
                 const=True, default=False,
                 action='store_const',
@@ -454,7 +458,7 @@ def main(argv):
 
         d = OrderedDict()
         for name_obj in name_objs:
-            name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
+            name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
 
             if arghelper.trusted_keys:
                 G = DNSAuthGraph()
diff --git a/dnsviz/commands/print.py b/dnsviz/commands/print.py
index d2e4524..ceffdfc 100644
--- a/dnsviz/commands/print.py
+++ b/dnsviz/commands/print.py
@@ -356,6 +356,10 @@ class PrintArgHelper:
                 type=self.comma_separated_ints_set,
                 action='store', metavar='<digest_alg>,[<digest_alg>...]',
                 help='Support only the specified DNSSEC digest algorithm(s)')
+        self.parser.add_argument('-b', '--validate-prohibited-algs',
+                const=True, default=False,
+                action='store_const',
+                help='Validate algorithms for which validation is otherwise prohibited')
         self.parser.add_argument('-C', '--enforce-cookies',
                 const=True, default=False,
                 action='store_const',
@@ -590,7 +594,7 @@ def main(argv):
 
         G = DNSAuthGraph()
         for name_obj in name_objs:
-            name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
+            name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
             for qname, rdtype in name_obj.queries:
                 if arghelper.args.rr_types is None:
                     # if rdtypes was not specified, then graph all, with some
diff --git a/doc/man/dnsviz-graph.1 b/doc/man/dnsviz-graph.1
index 2e49755..6971750 100644
--- a/doc/man/dnsviz-graph.1
+++ b/doc/man/dnsviz-graph.1
@@ -93,6 +93,14 @@ unknown.  Additionally, when a zone has only DS records with unsupported digest
 algorithms, the zone is treated as "insecure", assuming the DS records are
 properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited.  Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624).  If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
 when a query contains a COOKIE option with no server cookie or with an invalid
diff --git a/doc/man/dnsviz-grok.1 b/doc/man/dnsviz-grok.1
index c6773f7..c9a441d 100644
--- a/doc/man/dnsviz-grok.1
+++ b/doc/man/dnsviz-grok.1
@@ -89,6 +89,14 @@ unknown.  Additionally, when a zone has only DS records with unsupported digest
 algorithms, the zone is treated as "insecure", assuming the DS records are
 properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited.  Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624).  If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
 when a query contains a COOKIE option with no server cookie or with an invalid
diff --git a/doc/man/dnsviz-print.1 b/doc/man/dnsviz-print.1
index 0499e1d..6091405 100644
--- a/doc/man/dnsviz-print.1
+++ b/doc/man/dnsviz-print.1
@@ -93,6 +93,14 @@ unknown.  Additionally, when a zone has only DS records with unsupported digest
 algorithms, the zone is treated as "insecure", assuming the DS records are
 properly authenticated.
 .TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited.  Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624).  If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
 .B -C, --enforce-cookies
 Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
 when a query contains a COOKIE option with no server cookie or with an invalid
-- 
cgit v1.2.3