Commit 0f91e968 authored by Evan Hunt's avatar Evan Hunt

[master] fall back to builtin keys if bind.keys is empty

4570.	[cleanup]	named did not correctly fall back to the built-in
			initializing keys if the bind.keys file was present
			but empty. [RT #44531]
parent 44e087b6
4570. [cleanup] named did not correctly fall back to the built-in
initializing keys if the bind.keys file was present
but empty. [RT #44531]
4569. [func] Store both local and remote addresses in dnstap
logging, and modify dnstap-read output format to
print them. [RT #43595]
......@@ -841,6 +841,29 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
return (result);
}
/*%
* Check whether a key has been successfully loaded.
*/
static isc_boolean_t
keyloaded(dns_view_t *view, const dns_name_t *name) {
isc_result_t result;
dns_keytable_t *secroots = NULL;
dns_keynode_t *keynode = NULL;
result = dns_view_getsecroots(view, &secroots);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
result = dns_keytable_find(secroots, name, &keynode);
if (keynode != NULL)
dns_keytable_detachkeynode(secroots, &keynode);
if (secroots != NULL)
dns_keytable_detach(&secroots);
return (ISC_TF(result == ISC_R_SUCCESS));
}
/*%
* Configure DNSSEC keys for a view.
*
......@@ -914,21 +937,40 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"using built-in DLV key for view %s",
view->name);
/*
* If bind.keys exists, it overrides the managed-keys
* clause hard-coded in ns_g_config.
* If bind.keys exists and is populated, it overrides
* the managed-keys clause hard-coded in ns_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"obtaining DLV key for view %s "
"from '%s'",
view->name, ns_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(bindkeys, "managed-keys",
&builtin_managed_keys);
} else {
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
isc_log_write(ns_g_lctx,
DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER,
ISC_LOG_WARNING,
"dnssec-lookaside auto: "
"WARNING: key for dlv.isc.org "
"not found");
}
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
{
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"using built-in DLV key for view %s",
view->name);
(void)cfg_map_get(ns_g_config, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(ns_g_config, "managed-keys",
......@@ -941,27 +983,54 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (builtin_managed_keys != NULL)
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, view->dlv, mctx));
if (!keyloaded(view, view->dlv)) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"DLV key not loaded");
result = ISC_R_FAILURE;
goto cleanup;
}
}
if (auto_root && view->rdclass == dns_rdataclass_in) {
const cfg_obj_t *builtin_keys = NULL;
const cfg_obj_t *builtin_managed_keys = NULL;
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"using built-in root key for view %s",
view->name);
/*
* If bind.keys exists, it overrides the managed-keys
* clause hard-coded in ns_g_config.
* If bind.keys exists and is populated, it overrides
* the managed-keys clause hard-coded in ns_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"obtaining root key for view %s "
"from '%s'",
view->name, ns_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(bindkeys, "managed-keys",
&builtin_managed_keys);
} else {
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
isc_log_write(ns_g_lctx,
DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER,
ISC_LOG_WARNING,
"dnssec-validation auto: "
"WARNING: root zone key "
"not found");
}
if ((builtin_keys == NULL) &&
(builtin_managed_keys == NULL))
{
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"using built-in root key for view %s",
view->name);
(void)cfg_map_get(ns_g_config, "trusted-keys",
&builtin_keys);
(void)cfg_map_get(ns_g_config, "managed-keys",
......@@ -975,6 +1044,14 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
CHECK(load_view_keys(builtin_managed_keys, vconfig,
view, ISC_TRUE, dns_rootname,
mctx));
if (!keyloaded(view, dns_rootname)) {
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"root key not loaded");
result = ISC_R_FAILURE;
goto cleanup;
}
}
CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
......@@ -7149,6 +7226,11 @@ load_configuration(const char *filename, ns_server_t *server,
result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
&cfg_type_bindkeys, &bindkeys);
CHECK(result);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"unable to open '%s' using built-in keys",
server->bindkeysfile);
}
/* Ensure exclusive access to configuration data. */
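Review bot: The fallback decision at `if ((builtin_keys == NULL) && (builtin_managed_keys == NULL))` in configure_view_dnsseckeys is keyed on whether bind.keys contains any trusted-keys/managed-keys clause at all, not on whether it contains a key for the name being configured, so a bind.keys that holds only a DLV key (or any unrelated key) skips the built-in root fallback and then fails hard at the new `keyloaded(view, dns_rootname)` check with "root key not loaded", where the removed code only logged a warning; the DLV branch has the same shape. If failing closed on a partially populated bind.keys is intended, a comment saying so would help, e.g. `/* bind.keys present but lacking this key is a config error, not a fallback case */`; otherwise the fallback could be conditioned on `keyloaded()` after the bind.keys clauses are loaded. Separately, the INFO message added in load_configuration reads as one clause; `"unable to open '%s'; using built-in keys"` would be clearer. configure_view_dnsseckeys and load_configuration both start and end outside the hunks shown.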