Commit 4d1ed128 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Also ignore configured revoked trusted anchors

parent 1d45ad8f
......@@ -163,23 +163,23 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
#define TCHECK(op) \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
} while (0)
#define CHECKM(op, msg) \
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s: %s", msg, \
......@@ -192,7 +192,7 @@
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s '%s': %s", msg, file, \
......@@ -759,6 +759,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
if (flags > 0xffff)
CHECKM(ISC_R_RANGE, "key flags");
if (flags & DNS_KEYFLAG_REVOKE)
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
if (proto > 0xff)
CHECKM(ISC_R_RANGE, "key protocol");
if (alg > 0xff)
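Review bot: The new `if (flags & DNS_KEYFLAG_REVOKE)` rejection goes through CHECKM, whose expansion in the first hunk calls isc_log_write at ISC_LOG_ERROR, yet the caller hunks at -811 and -861 then treat DST_R_BADKEYTYPE as a skippable condition and emit a warning of their own; the same key is reported twice at two severities. A revoked anchor in the configuration is an expected condition rather than a server fault, so a plain CHECK with a cfg_obj_log at ISC_LOG_WARNING (or relying on the caller's single "skipping" line) would be more consistent. A short why-comment on the check would also help, e.g. `/* A key carrying the REVOKE flag must not be used as a trust anchor; reject it so the caller skips it. */`. dstkey_fromconfig starts and ends outside this hunk.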
......@@ -811,7 +813,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
"ignoring %s key for '%s': no crypto support",
managed ? "managed" : "trusted",
keynamestr);
} else if (result == DST_R_UNSUPPORTEDALG) {
} else if (result == DST_R_UNSUPPORTEDALG ||
result == DST_R_BADKEYTYPE) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"skipping %s key for '%s': %s",
managed ? "managed" : "trusted",
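Review bot: This branch formats `"skipping %s key for '%s': %s"` for the newly accepted DST_R_BADKEYTYPE, while the test lines added in dnssec/tests.sh grep for `ignoring trusted key for 'revoked\.trusted\.': bad key type`; unless another log site produces the "ignoring" wording, which this hunk does not show, those greps will not match the message emitted here. Either align the test with this string or note in a comment which log line the test depends on. The enclosing function dstkey_fromconfig starts and ends outside this hunk.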
......@@ -861,7 +864,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
key = cfg_listelt_value(elt2);
result = dstkey_fromconfig(view, vconfig, key, managed,
&dstkey, mctx);
if (result == DST_R_UNSUPPORTEDALG) {
if (result == DST_R_UNSUPPORTEDALG ||
result == DST_R_BADKEYTYPE) {
result = ISC_R_SUCCESS;
continue;
}
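Review bot: `result == DST_R_BADKEYTYPE` is converted to ISC_R_SUCCESS and the key skipped, but DST_R_BADKEYTYPE is a general dst result code and the hunk at -759 shows only one of the places dstkey_fromconfig might return it; if any other path in that function yields the same code, a genuinely malformed key would now be skipped silently instead of failing configuration. If only revoked anchors are meant to be tolerated, a distinct outcome for that case would be safer, and the loop deserves a comment stating what is deliberately non-fatal: `/* Keys with unsupported algorithms or the REVOKE flag are skipped, not fatal. */`. load_view_keys continues outside this hunk.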
......@@ -38,3 +38,6 @@ ns3.disabled A 10.53.0.3
enabled NS ns3.enabled
ns3.enabled A 10.53.0.3
; A secure subdomain with a revoked trust anchor
revoked NS ns3.revoked
ns3.revoked A 10.53.0.3
......@@ -333,6 +333,11 @@ zone "unsupported.managed" {
file "unsupported.managed.db.signed";
};
zone "revoked.managed" {
type master;
file "revoked.managed.db.signed";
};
zone "secure.trusted" {
type master;
file "secure.trusted.db.signed";
......@@ -353,6 +358,11 @@ zone "unsupported.trusted" {
file "unsupported.trusted.db.signed";
};
zone "revoked.trusted" {
type master;
file "revoked.trusted.db.signed";
};
include "siginterval.conf";
include "trusted.conf";
......@@ -3703,8 +3703,10 @@ echo_i "checking that keys with unsupported algorithms and disabled algorithms a
ret=0
grep -q "ignoring trusted key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
grep -q "ignoring trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
grep -q "ignoring managed key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
grep -q "ignoring managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
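Review bot: The second added grep is an exact duplicate of the first (`grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type"`), so the managed-keys case set up as `zone "revoked.managed"` in ns8/named.conf is never verified; it should read `grep -q "ignoring managed key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1`. The echo_i description in the hunk header still names only unsupported and disabled algorithms; extend it to mention revoked keys so a failure here is attributable. Also confirm the server really logs "ignoring" for this case, since the dstkey_fromconfig branch in this commit formats "skipping %s key for '%s': %s" and grep -q would fail quietly on the mismatch.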
......@@ -3841,20 +3843,5 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Note: after this check, ns4 will not be validating any more; do not add any
# further validation tests employing ns4 below this check.
echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
ret=0
# Sanity check - validation should be enabled.
rndccmd 10.53.0.4 validation status | grep "enabled" > /dev/null || ret=1
# Set "dnssec-enable" to "no" and reconfigure.
copy_setports ns4/named5.conf.in ns4/named.conf
rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
# Check validation status again.
rndccmd 10.53.0.4 validation status | grep "disabled" > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1