DANE: support under GnuTLS. Bug 1523

GnuTLS version 3.0.0 onwards; still Experimental
author: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-19 15:06:49 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-19 15:22:42 +0000
commit: 899b8bbc6d360af6362c2a41d40b786279f41492 (patch)
tree: 15a1f12f46b59c6c1d88e774a02ade152e842de0 /test/dnszones-src
parent: dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7 (diff)
1 files changed, 27 insertions, 8 deletions
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 4cf3a108e..0b8e3f1f4 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -419,35 +419,35 @@ DNSSEC l-sec   A 127.0.0.1
 AA a-aa        A V4NET.0.0.100
 
 ; ------- Testing DANE ------------
+; Since these refer to certs in the exim-ca tree, they must be regenerated any time that tree is.
+;
 
 ; full suite dns chain, sha512
 ;
-; openssl x509 -in aux-fixed/cert1 -noout -pubkey \
+; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
 ; | openssl pkey -pubin -outform DER \
 ; | openssl dgst -sha512 \
 ; | awk '{print $2}'
 ;
 DNSSEC mxdane512ee          MX  1  dane512ee
 DNSSEC dane512ee            A      HOSTIPV4
-DNSSEC _1225._tcp.dane512ee TLSA  3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
+DNSSEC _1225._tcp.dane512ee TLSA  3 1 2 69e8a5ddf24df2c51dc503959d26e621be4ce3853f71890512de3ae3390c5749ef3368dd4d274669b0653da8c3663f12ca092cd98e5e242e4de57ee6aa01cde1
 
 ; A-only, sha256
 ;
-; openssl x509 -in aux-fixed/cert1 -noout -pubkey \
+; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
 ; | openssl pkey -pubin -outform DER \
 ; | openssl dgst -sha256 \
 ; | awk '{print $2}'
 ;
 DNSSEC dane256ee            A      HOSTIPV4
-DNSSEC _1225._tcp.dane256ee TLSA  3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
+DNSSEC _1225._tcp.dane256ee TLSA  3 1 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8
 
 ; full MX, sha256, TA-mode
 ;
 ; openssl x509 -in aux-fixed/exim-ca/example.com/CA/CA.pem -fingerprint -sha256 -noout \
 ;  | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
 ;
-; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
-;
 DNSSEC mxdane256ta          MX  1  dane256ta
 DNSSEC dane256ta            A      HOSTIPV4
 DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 cb0fa6a633e52c787657f5ca0da1030800223cac459577b9b6a55ac9733348e5
@@ -465,8 +465,6 @@ DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 cb0fa6a633e52c787657f5ca0da1030800223cac4
 ; | openssl dgst -sha256 \
 ; | awk '{print $2}'
 ;
-; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
-;
 DNSSEC mxdane256tak          MX  1  dane256tak
 DNSSEC dane256tak            A      HOSTIPV4
 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9
@@ -491,6 +489,27 @@ DNSSEC dane.no.2            A       127.0.0.1
 DNSSEC danebroken1          A       127.0.0.1
 _1225._tcp.danebroken1      CNAME   test.fail.dns.
 
+; a broken dane config (or under attack) where the TLSA record is wrong
+; (127.0.0.1 for merely dane-requested, but having gotten the TLSA it is supposedly definitive)
+DNSSEC danebroken2          A       127.0.0.1
+DNSSEC _1225._tcp.danebroken2 TLSA 2 0 1 cb0fa60000000000000000000000000000000000000000000000000000000000
+
+; a broken dane config (or under attack) where the TLSA record is correct but not DNSSEC-assured
+; (record copied from dane256ee above)
+; 3 for dane-requested, 4 for dane-required
+DNSSEC danebroken3          A       127.0.0.1
+_1225._tcp.danebroken3 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8
+DNSSEC danebroken4          A       HOSTIPV4
+_1225._tcp.danebroken4 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8
+
+; a broken dane config (or under attack) where the address record is correct but not DNSSEC-assured
+; (TLSA record copied from dane256ee above)
+; 5 for dane-requested, 6 for dane-required
+danebroken5          A       127.0.0.1
+DNSSEC _1225._tcp.danebroken5 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8
+danebroken6          A       HOSTIPV4
+DNSSEC _1225._tcp.danebroken6 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8
+
 ; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
 ; 3 for dane-required, 4 for merely requested
 ; the TLSA data here is dummy; ignored
author	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-19 15:06:49 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-19 15:22:42 +0000
commit	899b8bbc6d360af6362c2a41d40b786279f41492 (patch)
tree	15a1f12f46b59c6c1d88e774a02ade152e842de0 /test/dnszones-src
parent	dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7 (diff)