Also ignore configured revoked trusted anchors

bin/named/server.c

@@ -163,23 +163,23 @@
  * using it has a 'result' variable and a 'cleanup' label.
  */
 #define CHECK(op) \
-	do { result = (op);					 \
-	       if (result != ISC_R_SUCCESS) goto cleanup;	 \
+	do { result = (op);					  \
+	       if (result != ISC_R_SUCCESS) goto cleanup;	  \
 	} while (0)
 
 #define TCHECK(op) \
-	do { tresult = (op);					 \
-		if (tresult != ISC_R_SUCCESS) {			 \
-			isc_buffer_clear(*text);		 \
-			goto cleanup;	 			 \
-		}						 \
+	do { tresult = (op);					  \
+		if (tresult != ISC_R_SUCCESS) {			  \
+			isc_buffer_clear(*text);		  \
+			goto cleanup;	 			  \
+		}						  \
 	} while (0)
 
 #define CHECKM(op, msg) \
 	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS) {			  \
 			isc_log_write(named_g_lctx,		  \
-				      NAMED_LOGCATEGORY_GENERAL,	  \
+				      NAMED_LOGCATEGORY_GENERAL,  \
 				      NAMED_LOGMODULE_SERVER,	  \
 				      ISC_LOG_ERROR,		  \
 				      "%s: %s", msg,		  \
@@ -192,7 +192,7 @@
 	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS) {			  \
 			isc_log_write(named_g_lctx,		  \
-				      NAMED_LOGCATEGORY_GENERAL,	  \
+				      NAMED_LOGCATEGORY_GENERAL,  \
 				      NAMED_LOGMODULE_SERVER,	  \
 				      ISC_LOG_ERROR,		  \
 				      "%s '%s': %s", msg, file,	  \
@@ -759,6 +759,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
 
 	if (flags > 0xffff)
 		CHECKM(ISC_R_RANGE, "key flags");
+	if (flags & DNS_KEYFLAG_REVOKE)
+		CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
 	if (proto > 0xff)
 		CHECKM(ISC_R_RANGE, "key protocol");
 	if (alg > 0xff)
@@ -811,7 +813,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
 			    "ignoring %s key for '%s': no crypto support",
 			    managed ? "managed" : "trusted",
 			    keynamestr);
-	} else if (result == DST_R_UNSUPPORTEDALG) {
+	} else if (result == DST_R_UNSUPPORTEDALG ||
+		   result == DST_R_BADKEYTYPE) {
 		cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
 			    "skipping %s key for '%s': %s",
 			    managed ? "managed" : "trusted",
@@ -861,7 +864,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 			key = cfg_listelt_value(elt2);
 			result = dstkey_fromconfig(view, vconfig, key, managed,
 						   &dstkey, mctx);
-			if (result == DST_R_UNSUPPORTEDALG) {
+			if (result == DST_R_UNSUPPORTEDALG ||
+			    result == DST_R_BADKEYTYPE) {
 				result = ISC_R_SUCCESS;
 				continue;
 			}

bin/tests/system/dnssec/ns2/key.db.in

@@ -38,3 +38,6 @@ ns3.disabled		A	10.53.0.3
 enabled			NS	ns3.enabled
 ns3.enabled		A	10.53.0.3
 
+; A secure subdomain with a revoked trust anchor
+revoked			NS	ns3.revoked
+ns3.revoked		A	10.53.0.3

bin/tests/system/dnssec/ns3/named.conf.in

@@ -333,6 +333,11 @@ zone "unsupported.managed" {
 	file "unsupported.managed.db.signed";
 };
 
+zone "revoked.managed" {
+	type master;
+	file "revoked.managed.db.signed";
+};
+
 zone "secure.trusted" {
 	type master;
 	file "secure.trusted.db.signed";
@@ -353,6 +358,11 @@ zone "unsupported.trusted" {
 	file "unsupported.trusted.db.signed";
 };
 
+zone "revoked.trusted" {
+	type master;
+	file "revoked.trusted.db.signed";
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";

bin/tests/system/dnssec/tests.sh

@@ -3703,8 +3703,10 @@ echo_i "checking that keys with unsupported algorithms and disabled algorithms a
 ret=0
 grep -q "ignoring trusted key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
 grep -q "ignoring trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
 grep -q "ignoring managed key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
 grep -q "ignoring managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -3841,20 +3843,5 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-# Note: after this check, ns4 will not be validating any more; do not add any
-# further validation tests employing ns4 below this check.
-echo_i "check that validation defaults to off when dnssec-enable is off ($n)"
-ret=0
-# Sanity check - validation should be enabled.
-rndccmd 10.53.0.4 validation status | grep "enabled" > /dev/null || ret=1
-# Set "dnssec-enable" to "no" and reconfigure.
-copy_setports ns4/named5.conf.in ns4/named.conf
-rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
-# Check validation status again.
-rndccmd 10.53.0.4 validation status | grep "disabled" > /dev/null || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1