Commit 4d1bbe30 authored by Mark Andrews's avatar Mark Andrews

4847. [bug] dnssec-dnskey-kskonly was not being honoured for
CDS and CDNSKEY. [RT #46755]
parent e5ac12b7
4847. [bug] dnssec-dnskey-kskonly was not being honoured for
CDS and CDNSKEY. [RT #46755]
4846. [test] Adjust timing values in runtime system test. Address
named.pid removal races in runtime system test.
[RT #46800]
......@@ -28,10 +28,12 @@ rm -f ns1/managed.key.id
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns2/algroll.db
rm -f ns2/badparam.db ns2/badparam.db.bad
rm -f ns2/cdnskey-kskonly.secure.db
rm -f ns2/cdnskey-update.secure.db
rm -f ns2/cdnskey.secure.db
rm -f ns2/cdnskey-x.secure.db
rm -f ns2/cdnskey.secure.db
rm -f ns2/cds-auto.secure.db ns2/cds-auto.secure.db.jnl
rm -f ns2/cds-kskonly.secure.db
rm -f ns2/cds-update.secure.db ns2/cds-update.secure.db.jnl
rm -f ns2/cds.secure.db ns2/cds-x.secure.db
rm -f ns2/dlv.db
......@@ -52,6 +54,7 @@ rm -f ns3/future.example.db ns3/trusted-future.key
rm -f ns3/inline.example.db.signed
rm -f ns3/kskonly.example.db
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm -f ns3/managed-future.example.db
rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db
......@@ -59,6 +62,7 @@ rm -f ns3/optout-unknown.example.db ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db
rm -f ns3/publish-inactive.example.db
rm -f ns3/revkey.example.db
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/secure.below-cname.example.db
rm -f ns3/secure.nsec3.example.db
......@@ -70,8 +74,6 @@ rm -f ns3/split-smart.example.db
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/revkey.example.db
rm -f ns3/managed-future.example.db
rm -f ns4/managed-keys.bind*
rm -f ns4/named.conf
rm -f ns4/named.conf ns5/named.conf
......@@ -82,10 +84,10 @@ rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f nsupdate.out*
rm -f rndc.out.*
rm -f signer/*.db
rm -f signer/*.signed.post*
rm -f signer/*.signed.pre*
rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
rm -f signer/nsec3param.out
rm -f signer/signer.out.*
rm -f signing.out*
rm -f signer/*.signed.pre*
rm -f signer/*.signed.post*
; Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
; Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
......@@ -113,6 +113,13 @@ zone "cds-update.secure" {
allow-update { any; };
};
zone "cds-kskonly.secure" {
type master;
dnssec-dnskey-kskonly yes;
file "cds-kskonly.secure.db.signed";
allow-update { any; };
};
zone "cds-auto.secure" {
type master;
file "cds-auto.secure.db.signed";
......@@ -136,6 +143,13 @@ zone "cdnskey-update.secure" {
allow-update { any; };
};
zone "cdnskey-kskonly.secure" {
type master;
dnssec-dnskey-kskonly yes;
file "cdnskey-kskonly.secure.db.signed";
allow-update { any; };
};
zone "cdnskey-auto.secure" {
type master;
file "cdnskey-auto.secure.db.signed";
......@@ -212,6 +212,14 @@ key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cds-kskonly.secure
infile=cds-kskonly.secure.db.in
zonefile=cds-kskonly.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
......@@ -247,6 +255,14 @@ key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cdnskey-kskonly.secure
infile=cdnskey-kskonly.secure.db.in
zonefile=cdnskey-kskonly.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
......@@ -3080,6 +3080,29 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that CDS records are signed only using KSK when added by"
echo "I: nsupdate when dnssec-dnskey-kskonly is yes ($n)"
ret=0
(
echo zone cds-kskonly.secure
echo server 10.53.0.2 5300
echo update delete cds-kskonly.secure CDS
echo send
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
grep "DNSKEY.257" |
$DSFROMKEY -C -f - -T 1 cds-kskonly.secure |
sed "s/^/update add /"
echo send
) | $NSUPDATE
$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
test ${lines:-0} -eq 1 || ret=1
lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
test ${lines:-0} -eq 2 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
ret=0
$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
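Review bot: The check `test ${lines:-0} -eq 1 || ret=1` on the CDS RRSIG count does not establish what the test name claims: a zone that signed CDS with the ZSK alone also yields exactly one RRSIG, so only the "not two signatures" half of the property is pinned. The signing key tag is available in the same dig output and the KSK tag in the pipeline the hunk already runs, so the check can be tightened with `awk '$4 == "RRSIG" && $5 == "CDS" {print $11}' dig.out.test$n` for the RRSIG key tag, `$DSFROMKEY -f - cds-kskonly.secure | awk '{print $4}'` (fed from the existing `grep "DNSKEY.257"` stage) for the KSK tag, and `test "$sigtag" = "$ksktag" || ret=1` to compare them; the field positions assume dig's default presentation format with TTL and class present, so confirm them against the neighbouring checks. The CDNSKEY test added in the -3225,6 +3248,26 hunk has the same gap and the same fix applies with `$5 == "CDNSKEY"`. Both additions sit between existing test blocks, and the script continues outside the hunk.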
......@@ -3225,6 +3248,26 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that CDNSKEY records are signed only using KSK when added by"
echo "I: nsupdate when dnssec-dnskey-kskonly is yes ($n)"
ret=0
(
echo zone cdnskey-kskonly.secure
echo server 10.53.0.2 5300
echo update delete cdnskey-kskonly.secure CDNSKEY
$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
echo send
) | $NSUPDATE
$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
test ${lines:-0} -eq 1 || ret=1
lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
test ${lines:-0} -eq 1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking initialization with a revoked managed key ($n)"
ret=0
cp ns5/named2.conf ns5/named.conf
......@@ -1137,20 +1137,21 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
}
if (both) {
if (type == dns_rdatatype_dnskey) {
/*
* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
*/
if (type == dns_rdatatype_dnskey ||
type == dns_rdatatype_cdnskey ||
type == dns_rdatatype_cds)
{
if (!KSK(keys[i]) && keyset_kskonly)
continue;
} else if (KSK(keys[i])) {
/*
* CDS and CDNSKEY are signed with KSK
* (RFC 7344, 4.1).
*/
if (type != dns_rdatatype_cds &&
type != dns_rdatatype_cdnskey)
continue;
continue;
}
} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
continue;
}
/* Calculate the signature, creating a RRSIG RDATA. */
CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
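Review bot: The new comment `CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).` above the widened condition only explains why the two types were added to the DNSKEY case, while the code beneath it does two distinct things: the KSK signs DNSKEY/CDS/CDNSKEY unconditionally, and ZSK signatures on those three types are dropped only when keyset_kskonly is set; every other type is signed by ZSKs alone in this branch. Suggest replacing it with `/* DNSKEY, CDS and CDNSKEY are always signed by the KSK (RFC 7344, 4.1); ZSKs also sign them unless dnssec-dnskey-kskonly is set. Other types are signed by ZSKs only. */`. The identical block appears in the zone.c hunk at -6438,16 +6438,21; a one-line pointer in each, `/* keep in sync with zone.c:add_sigs() */` here and the reverse there, would make a future type addition reach both copies. add_sigs() begins and ends outside the hunk, so what `both` denotes is inferred only from its use here.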
......@@ -6438,16 +6438,21 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
}
}
if (both) {
/*
* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
*/
if (type == dns_rdatatype_dnskey ||
type == dns_rdatatype_cdnskey ||
type == dns_rdatatype_cds)
{
if (!KSK(keys[i]) && keyset_kskonly)
continue;
} else if (KSK(keys[i]))
continue;
} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
} else if (KSK(keys[i])) {
continue;
}
} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
continue;
}
/* Calculate the signature, creating a RRSIG RDATA. */
isc_buffer_clear(&buffer);