Commit 3cd204c4 authored by Evan Hunt's avatar Evan Hunt

[master] fixed revoked key regression

4436.	[bug]		Fixed a regression introduced in change #4337 which
			caused signed domains with revoked KSKs to fail
			validation. [RT #42147]
parent fb7e1d0e
4436. [bug] Fixed a regression introduced in change #4337 which
caused signed domains with revoked KSKs to fail
validation. [RT #42147]
4345. [contrib] perftcpdns mishandled the return values from 4345. [contrib] perftcpdns mishandled the return values from
clock_nanosleep. [RT #42131] clock_nanosleep. [RT #42131]
...@@ -77,6 +77,7 @@ rm -f ns3/split-smart.example.db ...@@ -77,6 +77,7 @@ rm -f ns3/split-smart.example.db
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/revkey.example.db
rm -f ns3/managed-future.example.db rm -f ns3/managed-future.example.db
rm -f ns4/managed-keys.bind* rm -f ns4/managed-keys.bind*
rm -f ns4/named.conf rm -f ns4/named.conf
...@@ -163,3 +163,6 @@ ns.future A 10.53.0.3 ...@@ -163,3 +163,6 @@ ns.future A 10.53.0.3
managed-future NS ns.managed-future managed-future NS ns.managed-future
ns.managed-future A 10.53.0.3 ns.managed-future A 10.53.0.3
revkey NS ns.revkey
ns.revkey A 10.53.0.3
...@@ -30,7 +30,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \ ...@@ -30,7 +30,7 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \ nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \ kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
ttlpatch split-dnssec split-smart expired expiring upper lower \ ttlpatch split-dnssec split-smart expired expiring upper lower \
dnskey-unknown dnskey-nsec3-unknown managed-future dnskey-unknown dnskey-nsec3-unknown managed-future revkey
do do
cp ../ns3/dsset-$subdomain.example. . cp ../ns3/dsset-$subdomain.example. .
done done
...@@ -13,8 +13,6 @@ ...@@ -13,8 +13,6 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE. ; PERFORMANCE OF THIS SOFTWARE.
; $Id: keyless.example.db.in,v 1.5 2007/06/19 23:47:02 tbox Exp $
$TTL 300 ; 5 minutes $TTL 300 ; 5 minutes
@ IN SOA mname1. . ( @ IN SOA mname1. . (
2000042407 ; serial 2000042407 ; serial
...@@ -298,6 +298,11 @@ zone "managed-future.example" { ...@@ -298,6 +298,11 @@ zone "managed-future.example" {
allow-update { any; }; allow-update { any; };
}; };
zone "revkey.example" {
type master;
file "revkey.example.db.signed";
};
include "siginterval.conf"; include "siginterval.conf";
include "trusted.conf"; include "trusted.conf";
...@@ -52,7 +52,7 @@ cat $infile $keyname1.key $keyname2.key >$zonefile ...@@ -52,7 +52,7 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=keyless.example. zone=keyless.example.
infile=keyless.example.db.in infile=generic.example.db.in
zonefile=keyless.example.db zonefile=keyless.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
...@@ -531,3 +531,19 @@ kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone` ...@@ -531,3 +531,19 @@ kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone` zskname=`$KEYGEN -q -r $RANDFILE $zone`
cat $infile $kskname.key $zskname.key >$zonefile cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A zone with a revoked key
#
zone=revkey.example.
infile=generic.example.db.in
zonefile=revkey.example.db
ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
ksk1=`$REVOKE $ksk1`
ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
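Review bot: The header comment on the new revkey block should say what the regression test needs from this zone, since a later reader could otherwise "simplify" the setup by dropping the revoked key: `# A zone with a revoked KSK published alongside an active KSK and a ZSK` followed by `# (regression test for change #4337, RT #42147: validation must still succeed)`. The `ksk1=\`$REVOKE $ksk1\`` line also reassigns the key name without checking the result; if revocation fails, `ksk1` is empty, the `cat` line complains about a missing `.key` file on stderr but the signer still runs, and the resulting zone has no revoked key yet signs and validates normally, so the regression goes untested. If sign.sh tolerates that style, a guard such as `test -n "$ksk1" || echo "I:revoke failed for $zone"` after that line would make the setup failure visible.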
...@@ -872,6 +872,25 @@ if [ -x ${DELV} ] ; then ...@@ -872,6 +872,25 @@ if [ -x ${DELV} ] ; then
status=`expr $status + $ret` status=`expr $status + $ret`
fi fi
echo "I:checking that validation succeeds when a revoked key is encountered ($n)"
ret=0
$DIG $DIGOPTS revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
if [ -x ${DELV} ] ; then
ret=0
echo "I:checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
$DELV $DELVOPTS +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
grep "fully validated" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
fi
echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)" echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0 ret=0
#prime #prime
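Review bot: The new "validation succeeds when a revoked key is encountered" check passes even if the revoked key never made it into revkey.example, because a NOERROR answer with the ad flag for the SOA is exactly what any ordinary secure zone returns, so a broken setup in sign.sh would leave the regression untested. Consider asserting first that the authoritative DNSKEY RRset actually contains a revoked KSK (KSK flags 257 plus the REVOKE bit 128 print as 385), e.g. `$DIG $DIGOPTS revkey.example dnskey @10.53.0.3 > dig.out.ns3.test$n || ret=1` and `grep "DNSKEY.*385 3 " dig.out.ns3.test$n > /dev/null || ret=1` before the validation query. The delv branch has the same gap, since "fully validated" is equally satisfied by a zone without a revoked key.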
...@@ -1931,15 +1931,29 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname, ...@@ -1931,15 +1931,29 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
isc_buffer_init(&buffer, data, sizeof(data)); isc_buffer_init(&buffer, data, sizeof(data));
dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
dns_rdatatype_dnskey, dnskey, &buffer); dns_rdatatype_dnskey, dnskey, &buffer);
result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key); result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key);
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
return; return;
result = dns_view_getsecroots(view, &sr); result = dns_view_getsecroots(view, &sr);
if (result == ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
dns_keytable_deletekeynode(sr, key); result = dns_keytable_deletekeynode(sr, key);
/*
* If key was found in secroots, then it was a
* configured trust anchor, and we want to fail
* secure. If there are no other configured keys,
* then leave a null key so that we can't validate
* anymore.
*/
if (result == ISC_R_SUCCESS)
dns_keytable_marksecure(sr, keyname); dns_keytable_marksecure(sr, keyname);
dns_keytable_detach(&sr); dns_keytable_detach(&sr);
} }
dst_key_free(&key); dst_key_free(&key);
} }
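Review bot: The return value of dns_keytable_marksecure on the new conditional line is still discarded, so if marking fails after dns_keytable_deletekeynode has already removed the trust anchor, the view is left with neither the key nor the null-key fail-secure marker the new comment promises, and the zone degrades to insecure rather than bogus. dns_view_untrust returns void (the early `return;` above), so the failure cannot be propagated, but it should at least be recorded in the log, or the comment should state explicitly that a marksecure failure is tolerated. dns_view_untrust begins before this hunk.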