Allow prohibited algorithms to be considered with command-line option
Casey Deccio
3 years ago
842 | 842 |
self._populate_ds_status(dns.rdatatype.DLV, supported_algs, supported_digest_algs)
|
843 | 843 |
self._populate_dnskey_status(trusted_keys)
|
844 | 844 |
|
845 | |
def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True):
|
|
845 |
def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True, validate_prohibited_algs=False):
|
846 | 846 |
# identify supported algorithms as intersection of explicitly supported
|
847 | 847 |
# and software supported
|
848 | 848 |
if supported_algs is not None:
|
|
853 | 853 |
supported_digest_algs.intersection_update(crypto._supported_digest_algs)
|
854 | 854 |
else:
|
855 | 855 |
supported_digest_algs = copy.copy(crypto._supported_digest_algs)
|
|
856 |
|
|
857 |
# unless we are overriding, mark prohibited algorithms as not supported
|
|
858 |
if not validate_prohibited_algs:
|
|
859 |
supported_algs.difference_update(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE)
|
|
860 |
supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE)
|
856 | 861 |
|
857 | 862 |
self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx)
|
858 | 863 |
|
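Review bot: The `difference_update` calls at new lines 859-860 edit the sets in place, and in the `is not None` branch those appear to be the caller's own objects (line 853 applies `intersection_update` directly to the argument; lines 849-852 are not shown, so this is inferred). An algorithm the caller listed explicitly is then dropped from the caller's set with no signal that `validate_prohibited_algs` was needed for it to take effect. Rebinding avoids the added side effect: `supported_algs = supported_algs.difference(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE)`, and likewise for `supported_digest_algs`. A short docstring on `populate_status` would also help, e.g. `validate_prohibited_algs: if True, keep the algorithms that validators must not validate (RFC 8624) in the supported sets`.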
197 | 197 |
type=self.comma_separated_ints_set,
|
198 | 198 |
action='store', metavar='<digest_alg>,[<digest_alg>...]',
|
199 | 199 |
help='Support only the specified DNSSEC digest algorithm(s)')
|
|
200 |
self.parser.add_argument('-b', '--validate-prohibited-algs',
|
|
201 |
const=True, default=False,
|
|
202 |
action='store_const',
|
|
203 |
help='Validate algorithms for which validation is otherwise prohibited')
|
200 | 204 |
self.parser.add_argument('-C', '--enforce-cookies',
|
201 | 205 |
const=True, default=False,
|
202 | 206 |
action='store_const',
|
|
456 | 460 |
|
457 | 461 |
G = DNSAuthGraph()
|
458 | 462 |
for name_obj in name_objs:
|
459 | |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
|
|
463 |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
|
460 | 464 |
for qname, rdtype in name_obj.queries:
|
461 | 465 |
if arghelper.args.rr_types is None:
|
462 | 466 |
# if rdtypes was not specified, then graph all, with some
|
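Review bot: The help string for `--validate-prohibited-algs` at new lines 200-203 does not say which algorithms it covers, nor that the result then goes beyond what RFC 8624 allows a validator to do. The identical definitions at new lines 223-226 and 358-361 have the same gap. Wording such as `help='Also validate DNSKEY/DS algorithms that RFC 8624 prohibits validators from validating (a warning is still issued)'` would match the man page text added in this commit. Because the flag relaxes validation policy, a one-line comment at each `populate_status` call (new lines 463, 460 and 596), such as `# prohibited algorithms are excluded unless -b is given`, would make the default clear to readers of the call sites.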
220 | 220 |
type=self.comma_separated_ints_set,
|
221 | 221 |
action='store', metavar='<digest_alg>,[<digest_alg>...]',
|
222 | 222 |
help='Support only the specified DNSSEC digest algorithm(s)')
|
|
223 |
self.parser.add_argument('-b', '--validate-prohibited-algs',
|
|
224 |
const=True, default=False,
|
|
225 |
action='store_const',
|
|
226 |
help='Validate algorithms for which validation is otherwise prohibited')
|
223 | 227 |
self.parser.add_argument('-C', '--enforce-cookies',
|
224 | 228 |
const=True, default=False,
|
225 | 229 |
action='store_const',
|
|
453 | 457 |
|
454 | 458 |
d = OrderedDict()
|
455 | 459 |
for name_obj in name_objs:
|
456 | |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
|
|
460 |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
|
457 | 461 |
|
458 | 462 |
if arghelper.trusted_keys:
|
459 | 463 |
G = DNSAuthGraph()
|
355 | 355 |
type=self.comma_separated_ints_set,
|
356 | 356 |
action='store', metavar='<digest_alg>,[<digest_alg>...]',
|
357 | 357 |
help='Support only the specified DNSSEC digest algorithm(s)')
|
|
358 |
self.parser.add_argument('-b', '--validate-prohibited-algs',
|
|
359 |
const=True, default=False,
|
|
360 |
action='store_const',
|
|
361 |
help='Validate algorithms for which validation is otherwise prohibited')
|
358 | 362 |
self.parser.add_argument('-C', '--enforce-cookies',
|
359 | 363 |
const=True, default=False,
|
360 | 364 |
action='store_const',
|
|
589 | 593 |
|
590 | 594 |
G = DNSAuthGraph()
|
591 | 595 |
for name_obj in name_objs:
|
592 | |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
|
|
596 |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
|
593 | 597 |
for qname, rdtype in name_obj.queries:
|
594 | 598 |
if arghelper.args.rr_types is None:
|
595 | 599 |
# if rdtypes was not specified, then graph all, with some
|
91 | 91 |
unknown. Additionally, when a zone has only DS records with unsupported digest
|
92 | 92 |
algorithms, the zone is treated as "insecure", assuming the DS records are
|
93 | 93 |
properly authenticated.
|
|
94 |
.TP
|
|
95 |
.B -b, --validate-prohibited-algs
|
|
96 |
Validate algorithms for which validation is otherwise prohibited. Current
|
|
97 |
DNSSEC specification prohibits validators from validating older, weaker
|
|
98 |
algorithms associated with DNSKEY and DS records (see RFC 8624). If this
|
|
99 |
option is used, then a warning will be still be issued for DNSSEC records that
|
|
100 |
use these older algorithms, but the code will still assess their cryptographic
|
|
101 |
status, rather than ignoring them.
|
94 | 102 |
.TP
|
95 | 103 |
.B -C, --enforce-cookies
|
96 | 104 |
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
|
88 | 88 |
algorithms, the zone is treated as "insecure", assuming the DS records are
|
89 | 89 |
properly authenticated.
|
90 | 90 |
.TP
|
|
91 |
.B -b, --validate-prohibited-algs
|
|
92 |
Validate algorithms for which validation is otherwise prohibited. Current
|
|
93 |
DNSSEC specification prohibits validators from validating older, weaker
|
|
94 |
algorithms associated with DNSKEY and DS records (see RFC 8624). If this
|
|
95 |
option is used, then a warning will be still be issued for DNSSEC records that
|
|
96 |
use these older algorithms, but the code will still assess their cryptographic
|
|
97 |
status, rather than ignoring them.
|
|
98 |
.TP
|
91 | 99 |
.B -C, --enforce-cookies
|
92 | 100 |
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
|
93 | 101 |
when a query contains a COOKIE option with no server cookie or with an invalid
|
91 | 91 |
unknown. Additionally, when a zone has only DS records with unsupported digest
|
92 | 92 |
algorithms, the zone is treated as "insecure", assuming the DS records are
|
93 | 93 |
properly authenticated.
|
|
94 |
.TP
|
|
95 |
.B -b, --validate-prohibited-algs
|
|
96 |
Validate algorithms for which validation is otherwise prohibited. Current
|
|
97 |
DNSSEC specification prohibits validators from validating older, weaker
|
|
98 |
algorithms associated with DNSKEY and DS records (see RFC 8624). If this
|
|
99 |
option is used, then a warning will be still be issued for DNSSEC records that
|
|
100 |
use these older algorithms, but the code will still assess their cryptographic
|
|
101 |
status, rather than ignoring them.
|
94 | 102 |
.TP
|
95 | 103 |
.B -C, --enforce-cookies
|
96 | 104 |
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
|