Commit
4d1ed128
authored
Jan 15, 2019
by
Matthijs Mekking
Also ignore configured revoked trusted anchors
parent
1d45ad8f
Changes
4
bin/named/server.c
@@ -163,23 +163,23 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
do { result = (op);
\
if (result != ISC_R_SUCCESS) goto cleanup;
\
} while (0)
#define TCHECK(op) \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
do { tresult = (op);
\
if (tresult != ISC_R_SUCCESS) {
\
isc_buffer_clear(*text);
\
goto cleanup;
\
}
\
} while (0)
#define CHECKM(op, msg) \
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL,
\
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s: %s", msg, \
@@ -192,7 +192,7 @@
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL,
\
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s '%s': %s", msg, file, \
@@ -759,6 +759,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
if
(
flags
>
0xffff
)
CHECKM
(
ISC_R_RANGE
,
"key flags"
);
if
(
flags
&
DNS_KEYFLAG_REVOKE
)
CHECKM
(
DST_R_BADKEYTYPE
,
"key flags revoke bit set"
);
if
(
proto
>
0xff
)
CHECKM
(
ISC_R_RANGE
,
"key protocol"
);
if
(
alg
>
0xff
)
@@ -811,7 +813,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
"ignoring %s key for '%s': no crypto support"
,
managed
?
"managed"
:
"trusted"
,
keynamestr
);
}
else
if
(
result
==
DST_R_UNSUPPORTEDALG
)
{
}
else
if
(
result
==
DST_R_UNSUPPORTEDALG
||
result
==
DST_R_BADKEYTYPE
)
{
cfg_obj_log
(
key
,
named_g_lctx
,
ISC_LOG_WARNING
,
"skipping %s key for '%s': %s"
,
managed
?
"managed"
:
"trusted"
,
@@ -861,7 +864,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
key
=
cfg_listelt_value
(
elt2
);
result
=
dstkey_fromconfig
(
view
,
vconfig
,
key
,
managed
,
&
dstkey
,
mctx
);
if
(
result
==
DST_R_UNSUPPORTEDALG
)
{
if
(
result
==
DST_R_UNSUPPORTEDALG
||
result
==
DST_R_BADKEYTYPE
)
{
result
=
ISC_R_SUCCESS
;
continue
;
}
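Review bot: The hunk at -861 turns DST_R_BADKEYTYPE from dstkey_fromconfig() into ISC_R_SUCCESS and continues, but in the visible hunks that result code is only shown being produced by the new `CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set")` at -759; if any other DST call in the rest of dstkey_fromconfig() can also fail with DST_R_BADKEYTYPE (the function body continues outside the hunk), genuinely malformed key material in the configuration would now be skipped silently instead of failing the load, which is a wider behaviour change than the commit title states. If the intent is only to tolerate revoked anchors, a dedicated result value or a local "revoked" flag passed back to load_view_keys() would keep the malformed-key path fatal, and load_view_keys() at -861 (whose body also starts and ends outside the hunk) would then only swallow that one case. Independently of that, the new check deserves a why-comment, e.g. `/* A key carrying the REVOKE bit (RFC 5011) must never be installed as a trust anchor; report it so the caller can skip it. */`, since the CHECKM macro otherwise only leaves the terse "key flags revoke bit set" in the error log.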
bin/tests/system/dnssec/ns2/key.db.in
@@ -38,3 +38,6 @@ ns3.disabled A 10.53.0.3
enabled NS ns3.enabled
ns3.enabled A 10.53.0.3
; A secure subdomain with a revoked trust anchor
revoked NS ns3.revoked
ns3.revoked A 10.53.0.3
bin/tests/system/dnssec/ns3/named.conf.in
@@ -333,6 +333,11 @@ zone "unsupported.managed" {
file "unsupported.managed.db.signed";
};
zone "revoked.managed" {
type master;
file "revoked.managed.db.signed";
};
zone "secure.trusted" {
type master;
file "secure.trusted.db.signed";
@@ -353,6 +358,11 @@ zone "unsupported.trusted" {
file "unsupported.trusted.db.signed";
};
zone "revoked.trusted" {
type master;
file "revoked.trusted.db.signed";
};
include "siginterval.conf";
include "trusted.conf";
bin/tests/system/dnssec/tests.sh
@@ -3703,8 +3703,10 @@ echo_i "checking that keys with unsupported algorithms and disabled algorithms a
ret
=
0
grep
-q
"ignoring trusted key for 'disabled
\.
trusted
\.
': algorithm is disabled"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring trusted key for 'unsupported
\.
trusted
\.
': algorithm is unsupported"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring trusted key for 'revoked
\.
trusted
\.
': bad key type"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring managed key for 'disabled
\.
managed
\.
': algorithm is disabled"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring managed key for 'unsupported
\.
managed
\.
': algorithm is unsupported"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring trusted key for 'revoked
\.
trusted
\.
': bad key type"
ns8/named.run
||
ret
=
1
n
=
$((
n+1
))
test
"
$ret
"
-eq
0
||
echo_i
"failed"
status
=
$((
status+ret
))
@@ -3841,20 +3843,5 @@ n=$((n+1))
test
"
$ret
"
-eq
0
||
echo_i
"failed"
status
=
$((
status+ret
))
# Note: after this check, ns4 will not be validating any more; do not add any
# further validation tests employing ns4 below this check.
echo_i
"check that validation defaults to off when dnssec-enable is off (
$n
)"
ret
=
0
# Sanity check - validation should be enabled.
rndccmd 10.53.0.4 validation status |
grep
"enabled"
>
/dev/null
||
ret
=
1
# Set "dnssec-enable" to "no" and reconfigure.
copy_setports ns4/named5.conf.in ns4/named.conf
rndccmd 10.53.0.4 reconfig 2>&1 |
sed
's/^/ns4 /'
| cat_i
# Check validation status again.
rndccmd 10.53.0.4 validation status |
grep
"disabled"
>
/dev/null
||
ret
=
1
n
=
$((
n+1
))
test
"
$ret
"
-eq
0
||
echo_i
"failed"
status
=
$((
status+ret
))
echo_i
"exit status:
$status
"
[
$status
-eq
0
]
||
exit
1
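Review bot: The two grep lines added to the "keys with unsupported algorithms and disabled algorithms" check in the hunk at -3703 are identical — both look for `ignoring trusted key for 'revoked\.trusted\.': bad key type` in ns8/named.run — so the managed-key variant is never verified even though this commit adds a `revoked.managed` zone to ns3/named.conf.in; the second one should presumably read `grep -q "ignoring managed key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1`. It is also worth confirming that the revoked case actually produces the "ignoring ... bad key type" wording: the widened branch at -811 in bin/named/server.c logs `skipping %s key for '%s': %s`, so the "ignoring" text must come from a log site outside the visible hunks, otherwise both new greps fail the test. The check begins at the echo_i line shown in the hunk header and its `n=$((n+1))` / status accounting is within the hunk.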
Matthijs Mekking
@matthijs
mentioned in commit
a224bea4
·
Apr 17, 2019
mentioned in commit a224bea4b2093218d0f959857a56f25ffae1331a
Matthijs Mekking
@matthijs
mentioned in commit
889f4e0b
·
Apr 18, 2019
mentioned in commit 889f4e0b3aeb4627b5218a5630ea322f40e2895e