Commit 4c05f9a6 authored by Mark Andrews's avatar Mark Andrews

3048. [bug] Fully seperate view key mangement. [RT #23419]

parent 2e1000c3
3048. [bug] Fully seperate view key mangement. [RT #23419]
3047. [bug] DNSKEY NODATA responses not cached fixed in
validator.c. Tests added to dnssec system test.
[RT #22908]
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.61 2011/02/23 03:08:09 marka Exp $
# $Id: conf.sh.in,v 1.62 2011/03/01 22:44:03 marka Exp $
#
# Common configuration data for system tests, to be sourced into
......@@ -53,8 +53,8 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames
database dlv @DLZ_SYSTEM_TEST@ dlzexternal dns64 dnssec forward
glue gost ixfr limits lwresd masterfile masterformat metadata
database dlv dlvauto @DLZ_SYSTEM_TEST@ dlzexternal dns64 dnssec
forward glue gost ixfr limits lwresd masterfile masterformat metadata
notify nsupdate pending pkcs11 redirect resolver rpz rrsetorder
sortlist smartsign staticstub stub tkey tsig tsiggss
unknown upforwd views xfer xferquota zonechecks"
# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2011/03/01 22:44:04 marka Exp $
rm -f random.data
rm -f ns1/K*
rm -f ns1/*.signed
rm -f ns1/*.db
rm -f ns1/dlv.conf
rm -f ns1/*.mkeys.jnl
rm -f ns1/*.mkeys
rm -f */named.run
rm -f */named.memstats
rm -f ns1/dsset-*.
rm -f ns2/*.mkeys
rm -f ns2/*.mkeys.jnl
rm -f dig.out.ns?.test*
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: dlv.isc.org.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
$TTL 300
@ IN SOA a.root-servers.nil. hostmaster.isc.org. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS a.root-servers.nil.
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/03/01 22:44:04 marka Exp $ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db";
};
zone "dlv.isc.org" {
type master;
file "dlv.isc.org.db.signed";
};
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db.in,v 1.2 2011/03/01 22:44:04 marka Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
dlv.isc.org. NS a.root-servers.nil.
#!/bin/sh -e
#
# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2011/03/01 22:44:04 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
zone=dlv.isc.org
infile=dlv.isc.org.db.in
zonefile=dlv.isc.org.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
cp root.db.in root.db
# Configure the resolving server with a trusted key.
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
managed-keys {
"$dn" initial-key $flags $proto $alg "$key";
};
EOF
' > dlv.conf
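Review bot: The zone key on the `$KEYGEN` line is generated with `-a RSAMD5 -b 768`; RSAMD5 is the algorithm RFC 4034 (Appendix A.1) already lists as NOT RECOMMENDED, and a build of named or dnssec-keygen that has it disabled would make sign.sh fail before the view/class bug this test covers is ever exercised. The algorithm is incidental to the test, so a supported one such as `-a RSASHA1 -b 768` keeps the test independent of MD5 support. The rest of the script (zone signing, `dlv.conf` generation via `initial-key`) is unaffected by that change.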
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2011/03/01 22:44:04 marka Exp $ */
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
notify no;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "../ns1/dlv.conf";
dnssec-lookaside "auto";
};
view "in" {
recursion yes;
zone "." {
type hint;
file "../../common/root.hint";
};
};
view "ch" ch {
match-clients { 127.0.0.1; };
};
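Review bot: The `view "ch" ch` block at the end has no comment explaining why a second, non-IN class view exists, and with `listen-on { 10.53.0.2; }` above and `match-clients { 127.0.0.1; };` inside it, it is unlikely to ever receive a query. Its role, as far as tests.sh in this commit describes it, is to make the global `dnssec-lookaside "auto"` and `dnssec-validation yes` apply to a CH-class view, which is the configuration that triggered the REQUIRE failure on restart. A comment such as `// CH-class view: present only so the global dnssec-lookaside "auto" also applies to a non-IN view (see tests.sh)` would stop a later cleanup from removing it as dead configuration.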
#!/bin/sh -e
#
# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2011/03/01 22:44:04 marka Exp $
sh clean.sh
../../../tools/genrandom 400 random.data
cd ns1 && sh sign.sh
# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2011/03/01 22:44:04 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
status=0
n=1
#
# When this was initialy reported there was a REQUIRE failure on restarting.
#
echo "I:checking dnssec-lookaside "'"auto"'"; with views of multiple classes ($n)"
if [ -s ns2/named.pid ]
then
ret=0
kill -TERM `cat ns2/named.pid`
sleep 1
(cd ns2; $NAMED -f -d 100 -c named.conf >> named.run 2>&1 & )
sleep 2
$DIG $DIGOPTS soa . @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I:failed"
status=1
fi
exit $status
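Review bot: The restart around the `kill -TERM` line relies on a fixed `sleep 1` before the new `$NAMED` is started; if the old process is still shutting down, the new one cannot bind 10.53.0.2 port 5300 and the `status: NOERROR` check fails for a reason unrelated to the REQUIRE failure the test is after. Saving the pid and polling it, `pid=\`cat ns2/named.pid\`; kill -TERM $pid` followed by `while kill -0 $pid 2>/dev/null; do sleep 1; done` (with a bounded iteration count so a hung process cannot stall the suite), makes the restart deterministic. The `sleep 2` before the `$DIG` call has the same flavour but is less likely to bite since a failed startup would also show up in ns2/named.run.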
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.592 2011/02/23 23:47:20 tbox Exp $ */
/* $Id: zone.c,v 1.593 2011/03/01 22:44:04 marka Exp $ */
/*! \file */
......@@ -2853,16 +2853,15 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
}
/*
* Add key to the security roots for all views.
* Add key to the security roots.
*/
static void
trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
trust_key(dns_zone_t *zone, dns_name_t *keyname,
dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) {
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned char data[4096];
isc_buffer_t buffer;
dns_view_t *view;
dns_keytable_t *sr = NULL;
dst_key_t *dstkey = NULL;
......@@ -2871,17 +2870,13 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
dns_rdatatype_dnskey, dnskey, &buffer);
for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
view = ISC_LIST_NEXT(view, link)) {
result = dns_view_getsecroots(view, &sr);
if (result != ISC_R_SUCCESS)
continue;
result = dns_view_getsecroots(zone->view, &sr);
if (result != ISC_R_SUCCESS)
goto failure;
CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
dns_keytable_detach(&sr);
}
CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
dns_keytable_detach(&sr);
failure:
if (dstkey != NULL)
......@@ -2892,37 +2887,16 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
}
/*
* Remove key from the security roots for all views.
*/
static void
untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
dns_rdata_dnskey_t *dnskey)
{
dns_view_t *view;
for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
view = ISC_LIST_NEXT(view, link))
dns_view_untrust(view, keyname, dnskey, mctx);
}
/*
* Add a null key to the security roots for all views, so that all queries
* Add a null key to the security roots for so that all queries
* to the zone will fail.
*/
static void
fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) {
fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
isc_result_t result;
dns_view_t *view;
for (view = ISC_LIST_HEAD(*viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
dns_keytable_t *sr = NULL;
result = dns_view_getsecroots(view, &sr);
if (result != ISC_R_SUCCESS)
continue;
dns_keytable_t *sr = NULL;
result = dns_view_getsecroots(zone->view, &sr);
if (result == ISC_R_SUCCESS) {
dns_keytable_marksecure(sr, keyname);
dns_keytable_detach(&sr);
}
......@@ -2930,8 +2904,7 @@ fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) {
/*
* Scan a set of KEYDATA records from the key zone. The ones that are
* valid (i.e., the add holddown timer has expired) become trusted keys for
* all views.
* valid (i.e., the add holddown timer has expired) become trusted keys.
*/
static void
load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
......@@ -2940,22 +2913,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
dns_rdata_keydata_t keydata;
dns_rdata_dnskey_t dnskey;
isc_mem_t *mctx = zone->mctx;
dns_view_t *view = zone->view;
dns_viewlist_t *viewlist = view->viewlist;
int trusted = 0, revoked = 0, pending = 0;
isc_stdtime_t now;
dns_keytable_t *sr = NULL;
isc_stdtime_get(&now);
/* For each view, delete references to this key from secroots. */
for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
view = ISC_LIST_NEXT(view, link)) {
dns_keytable_t *sr = NULL;
result = dns_view_getsecroots(view, &sr);
if (result != ISC_R_SUCCESS)
continue;
result = dns_view_getsecroots(zone->view, &sr);
if (result == ISC_R_SUCCESS) {
dns_keytable_delete(sr, name);
dns_keytable_detach(&sr);
}
......@@ -2993,7 +2958,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
/* Add to keytables. */
trusted++;
trust_key(viewlist, name, &dnskey, mctx);
trust_key(zone, name, &dnskey, mctx);
}
if (trusted == 0 && pending != 0) {
......@@ -3006,7 +2971,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
revoked, pending);
dns_zone_log(zone, ISC_LOG_ERROR,
"All queries to '%s' will fail", namebuf);
fail_secure(viewlist, name);
fail_secure(zone, name);
}
}
......@@ -7507,8 +7472,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
deletekey = ISC_TRUE;
} else if (keydata.removehd == 0) {
/* Remove from secroots */
untrust_key(zone->view->viewlist,
keyname, mctx, &dnskey);
dns_view_untrust(zone->view, keyname,
&dnskey, mctx);
/* If initializing, delete now */
if (keydata.addhd == 0)
......@@ -7618,10 +7583,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
}
if (trustkey) {
/* Trust this key in all views */
/* Trust this key. */
dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
trust_key(zone->view->viewlist, keyname, &dnskey,
mctx);
trust_key(zone, keyname, &dnskey, mctx);
}
if (!deletekey)
......@@ -7638,7 +7602,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
* the security roots; then all queries to the zone will fail.
*/
if (pending != 0)
fail_secure(zone->view->viewlist, keyname);
fail_secure(zone, keyname);
failure:
if (changed) {
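Review bot: In the new `trust_key` body, once `dns_view_getsecroots(zone->view, &sr)` has succeeded, a failure in `CHECK(dns_dnssec_keyfromrdata(...))` or `CHECK(dns_keytable_add(...))` jumps to `failure:` with `sr` still attached. The cleanup after that label runs past the end of the hunk, so this may already be handled; if it only frees `dstkey`, the error path leaks a keytable reference and needs `if (sr != NULL) dns_keytable_detach(&sr);` after the `dst_key_free` call — the old per-view loop had the same gap, but with a single view it is now the only error path. Two comments also read wrong after the edit: `fail_secure`'s header now says `Add a null key to the security roots for so that all queries`, which should be `* Add a null key to the security roots so that all queries`, and the `/* For each view, delete references to this key from secroots. */` line in `load_secroots` no longer describes a loop and should drop the `For each view, ` prefix if it survived the change.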