Merge pull request #586 from vlevigneron/issue-zonemaster-engine-584

- Fixes #584
zonemaster · Oct 3, 2019 · a4d9584 · a4d9584
2 parents 798c625 + f8669be
commit a4d9584
Show file tree

Hide file tree

Showing 2 changed files with 145 additions and 2 deletions.
diff --git a/lib/Zonemaster/Engine/Test/DNSSEC.pm b/lib/Zonemaster/Engine/Test/DNSSEC.pm
@@ -1,6 +1,6 @@
 package Zonemaster::Engine::Test::DNSSEC;
 
-use version; our $VERSION = version->declare("v1.0.12");
+use version; our $VERSION = version->declare("v1.0.13");
 
 ###
 ### This test module implements DNSSEC tests.
@@ -149,6 +149,33 @@ Readonly::Hash our %algo_properties => (
     },
 );
 
+Readonly::Hash our %rsa_key_size_details => (
+    5 => {
+        min_size  => 512,
+        max_size  => 4096,
+        rec_size  => 2048,
+        reference => q{RFC 3110},
+    },
+    7 => {
+        min_size  => 512,
+        max_size  => 4096,
+        rec_size  => 2048,
+        reference => q{RFC 5155},
+    },
+    8 => {
+        min_size  => 512,
+        max_size  => 4096,
+        rec_size  => 2048,
+        reference => q{RFC 5702},
+    },
+    10 => {
+        min_size  => 1024,
+        max_size  => 4096,
+        rec_size  => 2048,
+        reference => q{RFC 5702},
+    },
+);
+
 ###
 ### Entry points
 ###
@@ -219,6 +246,10 @@ sub all {
             push @results, $class->dnssec11( $zone );
         }
 
+        if ( Zonemaster::Engine::Util::should_run_test( q{dnssec14} ) ) {
+            push @results, $class->dnssec14( $zone );
+        }
+
     }
 
     return @results;
@@ -338,14 +369,27 @@ sub metadata {
               NSEC3_SIGNED
               NSEC3_NOT_SIGNED
               HAS_NSEC3
-              HAS_NSEC3_OPTOUT )
+              HAS_NSEC3_OPTOUT
+              )
         ],
         dnssec11 => [
             qw(
               DELEGATION_NOT_SIGNED
               DELEGATION_SIGNED
               ),
         ],
+        dnssec14 => [
+            qw(
+              NO_RESPONSE
+              NO_RESPONSE_DNSKEY
+              DNSKEY_SMALLER_THAN_REC
+              DNSKEY_TOO_SMALL_FOR_ALGO
+              DNSKEY_TOO_LARGE_FOR_ALGO
+              IPV4_DISABLED
+              IPV6_DISABLED
+              KEY_SIZE_OK
+              ),
+        ],
     };
 } ## end sub metadata
 
@@ -1575,6 +1619,96 @@ sub dnssec11 {
     return @results;
 } ## end sub dnssec11
 
+sub dnssec14 {
+    my ( $class, $zone ) = @_;
+    my @results;
+    my @dnskey_rrs;
+
+    my @nss_del   = @{ Zonemaster::Engine::TestMethods->method4( $zone ) };
+    my @nss_child = @{ Zonemaster::Engine::TestMethods->method5( $zone ) };
+    my %nss       = map { $_->name->string . '/' . $_->address->short => $_ } @nss_del, @nss_child;
+
+    for my $key ( sort keys %nss ) {
+        my $ns = $nss{$key};
+        my $ns_args = {
+            ns      => $ns->name->string,
+            address => $ns->address->short,
+        };
+
+        if ( not Zonemaster::Engine::Profile->effective->get(q{net.ipv6}) and $ns->address->version == $IP_VERSION_6 ) {
+            push @results,
+              info(
+                IPV6_DISABLED => {
+                    ns      => $ns->name->string,
+                    address => $ns->address->short,
+                    rrtype => q{DNSKEY},
+                }
+              );
+            next;
+        }
+
+        if ( not Zonemaster::Engine::Profile->effective->get(q{net.ipv4}) and $ns->address->version == $IP_VERSION_4 ) {
+            push @results,
+              info(
+                IPV4_DISABLED => {
+                    ns      => $ns->name->string,
+                    address => $ns->address->short,
+                    rrtype => q{DNSKEY},
+                }
+              );
+            next;
+        }
+
+        my $key_p = $ns->query( $zone->name, 'DNSKEY', { dnssec => 1, usevc => 0 } );
+        if ( not $key_p ) {
+            push @results, info( NO_RESPONSE => $ns_args );
+            next;
+        }
+
+        my @keys = $key_p->get_records( 'DNSKEY', 'answer' );
+        if ( not @keys ) {
+            push @results, info( NO_RESPONSE_DNSKEY => $ns_args );
+            next;
+        } else {
+            push @dnskey_rrs, @keys;
+        }
+    }
+
+    foreach my $key ( @dnskey_rrs ) {
+        my $algo = $key->algorithm;  
+
+        next if not exists $rsa_key_size_details{$algo};
+
+        my $algo_args = {
+            algorithm   => $algo,
+            keytag      => $key->keytag,
+            keysize     => $key->keysize,
+            keysizemin  => $rsa_key_size_details{$algo}{min_size},
+            keysizemax  => $rsa_key_size_details{$algo}{max_size},
+            keysizerec  => $rsa_key_size_details{$algo}{rec_size},
+        };
+
+        if ( $key->keysize < $rsa_key_size_details{$algo}{min_size} ) {
+            push @results, info( DNSKEY_TOO_SMALL_FOR_ALGO => $algo_args );
+        }
+
+        if ( $key->keysize < $rsa_key_size_details{$algo}{rec_size} ) {
+            push @results, info( DNSKEY_SMALLER_THAN_REC => $algo_args );
+        }
+
+        if ( $key->keysize > $rsa_key_size_details{$algo}{max_size} ) {
+            push @results, info( DNSKEY_TOO_LARGE_FOR_ALGO => $algo_args );
+        }
+
+    } ## end foreach my $key ( @keys )
+
+    if ( scalar @dnskey_rrs and scalar @results == scalar grep { $_->tag eq 'NO_RESPONSE' } @results) {
+        push @results, info( KEY_SIZE_OK => {} );
+    }
+
+    return @results;
+} ## end sub dnssec14
+
 1;
 
 =head1 NAME
@@ -1661,6 +1795,10 @@ Check for the presence of either NSEC or NSEC3, with proper coverage and signatu
 
 Check that the delegation step from parent is properly signed.
 
+=item dnssec14($zone)
+
+Check for valid RSA DNSKEY key size
+
 =back
 
 =cut
diff --git a/share/profile.json b/share/profile.json
@@ -154,6 +154,9 @@
             "DNSKEY_SIGNATURE_NOT_OK" : "ERROR",
             "DNSKEY_SIGNATURE_OK" : "DEBUG",
             "DNSKEY_SIGNED" : "DEBUG",
+            "DNSKEY_SMALLER_THAN_REC" : "WARNING",
+            "DNSKEY_TOO_LARGE_FOR_ALGO" : "ERROR",
+            "DNSKEY_TOO_SMALL_FOR_ALGO" : "ERROR",
             "DS_BUT_NOT_DNSKEY" : "ERROR",
             "DS_DIGTYPE_NOT_OK" : "ERROR",
             "DS_DIGTYPE_OK" : "DEBUG",
@@ -175,6 +178,7 @@
             "IPV6_DISABLED" : "DEBUG",
             "ITERATIONS_OK" : "DEBUG",
             "KEY_DETAILS" : "DEBUG",
+            "KEY_SIZE_OK" : "INFO",
             "MANY_ITERATIONS" : "NOTICE",
             "NEITHER_DNSKEY_NOR_DS" : "NOTICE",
             "NO_COMMON_KEYTAGS" : "ERROR",
@@ -369,6 +373,7 @@
         "dnssec09",
         "dnssec10",
         "dnssec11",
+        "dnssec14",
         "delegation01",
         "delegation02",
         "delegation03",