Allow prohibited algorithms to be considered with command-line option
Casey Deccio
3 years ago
| 842 | 842 |
self._populate_ds_status(dns.rdatatype.DLV, supported_algs, supported_digest_algs)
|
| 843 | 843 |
self._populate_dnskey_status(trusted_keys)
|
| 844 | 844 |
|
| 845 | |
def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True):
|
|
845 |
def populate_status(self, trusted_keys, supported_algs=None, supported_digest_algs=None, is_dlv=False, follow_mx=True, validate_prohibited_algs=False):
|
| 846 | 846 |
# identify supported algorithms as intersection of explicitly supported
|
| 847 | 847 |
# and software supported
|
| 848 | 848 |
if supported_algs is not None:
|
|
| 853 | 853 |
supported_digest_algs.intersection_update(crypto._supported_digest_algs)
|
| 854 | 854 |
else:
|
| 855 | 855 |
supported_digest_algs = copy.copy(crypto._supported_digest_algs)
|
|
856 |
|
|
857 |
# unless we are overriding, mark prohibited algorithms as not supported
|
|
858 |
if not validate_prohibited_algs:
|
|
859 |
supported_algs.difference_update(Status.DNSKEY_ALGS_MUST_NOT_VALIDATE)
|
|
860 |
supported_digest_algs.difference_update(Status.DS_DIGEST_ALGS_MUST_NOT_VALIDATE)
|
| 856 | 861 |
|
| 857 | 862 |
self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx)
|
| 858 | 863 |
|
| 197 | 197 |
type=self.comma_separated_ints_set,
|
| 198 | 198 |
action='store', metavar='<digest_alg>,[<digest_alg>...]',
|
| 199 | 199 |
help='Support only the specified DNSSEC digest algorithm(s)')
|
|
200 |
self.parser.add_argument('-b', '--validate-prohibited-algs',
|
|
201 |
const=True, default=False,
|
|
202 |
action='store_const',
|
|
203 |
help='Validate algorithms for which validation is otherwise prohibited')
|
| 200 | 204 |
self.parser.add_argument('-C', '--enforce-cookies',
|
| 201 | 205 |
const=True, default=False,
|
| 202 | 206 |
action='store_const',
|
|
| 456 | 460 |
|
| 457 | 461 |
G = DNSAuthGraph()
|
| 458 | 462 |
for name_obj in name_objs:
|
| 459 | |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
|
|
463 |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
|
| 460 | 464 |
for qname, rdtype in name_obj.queries:
|
| 461 | 465 |
if arghelper.args.rr_types is None:
|
| 462 | 466 |
# if rdtypes was not specified, then graph all, with some
|
| 220 | 220 |
type=self.comma_separated_ints_set,
|
| 221 | 221 |
action='store', metavar='<digest_alg>,[<digest_alg>...]',
|
| 222 | 222 |
help='Support only the specified DNSSEC digest algorithm(s)')
|
|
223 |
self.parser.add_argument('-b', '--validate-prohibited-algs',
|
|
224 |
const=True, default=False,
|
|
225 |
action='store_const',
|
|
226 |
help='Validate algorithms for which validation is otherwise prohibited')
|
| 223 | 227 |
self.parser.add_argument('-C', '--enforce-cookies',
|
| 224 | 228 |
const=True, default=False,
|
| 225 | 229 |
action='store_const',
|
|
| 453 | 457 |
|
| 454 | 458 |
d = OrderedDict()
|
| 455 | 459 |
for name_obj in name_objs:
|
| 456 | |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
|
|
460 |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
|
| 457 | 461 |
|
| 458 | 462 |
if arghelper.trusted_keys:
|
| 459 | 463 |
G = DNSAuthGraph()
|
| 355 | 355 |
type=self.comma_separated_ints_set,
|
| 356 | 356 |
action='store', metavar='<digest_alg>,[<digest_alg>...]',
|
| 357 | 357 |
help='Support only the specified DNSSEC digest algorithm(s)')
|
|
358 |
self.parser.add_argument('-b', '--validate-prohibited-algs',
|
|
359 |
const=True, default=False,
|
|
360 |
action='store_const',
|
|
361 |
help='Validate algorithms for which validation is otherwise prohibited')
|
| 358 | 362 |
self.parser.add_argument('-C', '--enforce-cookies',
|
| 359 | 363 |
const=True, default=False,
|
| 360 | 364 |
action='store_const',
|
|
| 589 | 593 |
|
| 590 | 594 |
G = DNSAuthGraph()
|
| 591 | 595 |
for name_obj in name_objs:
|
| 592 | |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms)
|
|
596 |
name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
|
| 593 | 597 |
for qname, rdtype in name_obj.queries:
|
| 594 | 598 |
if arghelper.args.rr_types is None:
|
| 595 | 599 |
# if rdtypes was not specified, then graph all, with some
|
| 91 | 91 |
unknown. Additionally, when a zone has only DS records with unsupported digest
|
| 92 | 92 |
algorithms, the zone is treated as "insecure", assuming the DS records are
|
| 93 | 93 |
properly authenticated.
|
|
94 |
.TP
|
|
95 |
.B -b, --validate-prohibited-algs
|
|
96 |
Validate algorithms for which validation is otherwise prohibited. Current
|
|
97 |
DNSSEC specification prohibits validators from validating older, weaker
|
|
98 |
algorithms associated with DNSKEY and DS records (see RFC 8624). If this
|
|
99 |
option is used, then a warning will be still be issued for DNSSEC records that
|
|
100 |
use these older algorithms, but the code will still assess their cryptographic
|
|
101 |
status, rather than ignoring them.
|
| 94 | 102 |
.TP
|
| 95 | 103 |
.B -C, --enforce-cookies
|
| 96 | 104 |
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
|
| 88 | 88 |
algorithms, the zone is treated as "insecure", assuming the DS records are
|
| 89 | 89 |
properly authenticated.
|
| 90 | 90 |
.TP
|
|
91 |
.B -b, --validate-prohibited-algs
|
|
92 |
Validate algorithms for which validation is otherwise prohibited. Current
|
|
93 |
DNSSEC specification prohibits validators from validating older, weaker
|
|
94 |
algorithms associated with DNSKEY and DS records (see RFC 8624). If this
|
|
95 |
option is used, then a warning will be still be issued for DNSSEC records that
|
|
96 |
use these older algorithms, but the code will still assess their cryptographic
|
|
97 |
status, rather than ignoring them.
|
|
98 |
.TP
|
| 91 | 99 |
.B -C, --enforce-cookies
|
| 92 | 100 |
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
|
| 93 | 101 |
when a query contains a COOKIE option with no server cookie or with an invalid
|
| 91 | 91 |
unknown. Additionally, when a zone has only DS records with unsupported digest
|
| 92 | 92 |
algorithms, the zone is treated as "insecure", assuming the DS records are
|
| 93 | 93 |
properly authenticated.
|
|
94 |
.TP
|
|
95 |
.B -b, --validate-prohibited-algs
|
|
96 |
Validate algorithms for which validation is otherwise prohibited. Current
|
|
97 |
DNSSEC specification prohibits validators from validating older, weaker
|
|
98 |
algorithms associated with DNSKEY and DS records (see RFC 8624). If this
|
|
99 |
option is used, then a warning will be still be issued for DNSSEC records that
|
|
100 |
use these older algorithms, but the code will still assess their cryptographic
|
|
101 |
status, rather than ignoring them.
|
| 94 | 102 |
.TP
|
| 95 | 103 |
.B -C, --enforce-cookies
|
| 96 | 104 |
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
|