ISC Open Source Projects
BIND
Commits
4d1ed128
Commit
4d1ed128
authored
Jan 15, 2019
by
Matthijs Mekking
Also ignore configured revoked trusted anchors
parent
1d45ad8f
Showing
4 changed files
with
30 additions
and
26 deletions
+30
-26
bin/named/server.c
bin/named/server.c
+15
-11
bin/tests/system/dnssec/ns2/key.db.in
bin/tests/system/dnssec/ns2/key.db.in
+3
-0
bin/tests/system/dnssec/ns3/named.conf.in
bin/tests/system/dnssec/ns3/named.conf.in
+10
-0
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests.sh
+2
-15
bin/named/server.c
...
...
@@ -163,23 +163,23 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
do { result = (op);
\
if (result != ISC_R_SUCCESS) goto cleanup;
\
} while (0)
#define TCHECK(op) \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
do { tresult = (op);
\
if (tresult != ISC_R_SUCCESS) {
\
isc_buffer_clear(*text);
\
goto cleanup;
\
}
\
} while (0)
#define CHECKM(op, msg) \
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL,
\
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s: %s", msg, \
...
...
@@ -192,7 +192,7 @@
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL,
\
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s '%s': %s", msg, file, \
...
...
@@ -759,6 +759,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
if (flags > 0xffff)
CHECKM(ISC_R_RANGE, "key flags");
if (flags & DNS_KEYFLAG_REVOKE)
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
if (proto > 0xff)
CHECKM(ISC_R_RANGE, "key protocol");
if (alg > 0xff)
...
...
@@ -811,7 +813,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
"ignoring %s key for '%s': no crypto support",
managed ? "managed" : "trusted",
keynamestr);
} else if (result == DST_R_UNSUPPORTEDALG) {
} else if (result == DST_R_UNSUPPORTEDALG ||
result == DST_R_BADKEYTYPE) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"skipping %s key for '%s': %s",
managed ? "managed" : "trusted",
...
...
@@ -861,7 +864,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
key = cfg_listelt_value(elt2);
result = dstkey_fromconfig(view, vconfig, key, managed,
&dstkey, mctx);
if (result == DST_R_UNSUPPORTEDALG) {
if (result == DST_R_UNSUPPORTEDALG ||
result == DST_R_BADKEYTYPE) {
result = ISC_R_SUCCESS;
continue;
}
...
...
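Review bot: Treating every `DST_R_BADKEYTYPE` as "skip this key", both in the `result == DST_R_UNSUPPORTEDALG || result == DST_R_BADKEYTYPE` branch of `dstkey_fromconfig` and in `load_view_keys`, is broader than the revoke-bit case this commit adds. The body of `dstkey_fromconfig` extends beyond these hunks, so if any other call in it can return the same code, a malformed trust anchor would now be dropped with a warning instead of failing the configuration load. It is worth confirming that the revoke check is the only source of that result and recording the contract beside it, e.g. `/* revoked anchors are skipped, not fatal: load_view_keys() ignores DST_R_BADKEYTYPE */`. Also, `CHECKM` as defined above writes at `ISC_LOG_ERROR`, and the later branch logs the same key again at `ISC_LOG_WARNING`. A key that is tolerated by design therefore produces an error-level entry, which is noise for anyone alerting on error-level named logs.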
bin/tests/system/dnssec/ns2/key.db.in
...
...
@@ -38,3 +38,6 @@ ns3.disabled A 10.53.0.3
enabled NS ns3.enabled
ns3.enabled A 10.53.0.3
; A secure subdomain with a revoked trust anchor
revoked NS ns3.revoked
ns3.revoked A 10.53.0.3
bin/tests/system/dnssec/ns3/named.conf.in
...
...
@@ -333,6 +333,11 @@ zone "unsupported.managed" {
file "unsupported.managed.db.signed";
};
zone "revoked.managed" {
type master;
file "revoked.managed.db.signed";
};
zone "secure.trusted" {
type master;
file "secure.trusted.db.signed";
...
...
@@ -353,6 +358,11 @@ zone "unsupported.trusted" {
file "unsupported.trusted.db.signed";
};
zone "revoked.trusted" {
type master;
file "revoked.trusted.db.signed";
};
include "siginterval.conf";
include "trusted.conf";
bin/tests/system/dnssec/tests.sh
...
...
@@ -3703,8 +3703,10 @@ echo_i "checking that keys with unsupported algorithms and disabled algorithms a
ret
=
0
grep
-q
"ignoring trusted key for 'disabled
\.
trusted
\.
': algorithm is disabled"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring trusted key for 'unsupported
\.
trusted
\.
': algorithm is unsupported"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring trusted key for 'revoked
\.
trusted
\.
': bad key type"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring managed key for 'disabled
\.
managed
\.
': algorithm is disabled"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring managed key for 'unsupported
\.
managed
\.
': algorithm is unsupported"
ns8/named.run
||
ret
=
1
grep
-q
"ignoring trusted key for 'revoked
\.
trusted
\.
': bad key type"
ns8/named.run
||
ret
=
1
n
=
$((
n+1
))
test
"
$ret
"
-eq
0
||
echo_i
"failed"
status
=
$((
status+ret
))
...
...
@@ -3841,20 +3843,5 @@ n=$((n+1))
test
"
$ret
"
-eq
0
||
echo_i
"failed"
status
=
$((
status+ret
))
# Note: after this check, ns4 will not be validating any more; do not add any
# further validation tests employing ns4 below this check.
echo_i
"check that validation defaults to off when dnssec-enable is off (
$n
)"
ret
=
0
# Sanity check - validation should be enabled.
rndccmd 10.53.0.4 validation status |
grep
"enabled"
>
/dev/null
||
ret
=
1
# Set "dnssec-enable" to "no" and reconfigure.
copy_setports ns4/named5.conf.in ns4/named.conf
rndccmd 10.53.0.4 reconfig 2>&1 |
sed
's/^/ns4 /'
| cat_i
# Check validation status again.
rndccmd 10.53.0.4 validation status |
grep
"disabled"
>
/dev/null
||
ret
=
1
n
=
$((
n+1
))
test
"
$ret
"
-eq
0
||
echo_i
"failed"
status
=
$((
status+ret
))
echo_i
"exit status:
$status
"
[
$status
-eq
0
]
||
exit
1
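Review bot: The second added `grep`, placed after the two `managed` checks in the first hunk, repeats the `revoked\.trusted\.` pattern, so the run never asserts that the revoked managed key is ignored, even though this commit adds a `revoked.managed` zone to ns3/named.conf.in. It looks like a copy-paste slip and probably should read `grep -q "ignoring managed key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1`. Separately, the only message visible in the server.c section for `DST_R_BADKEYTYPE` is `skipping %s key for '%s': %s`, while both new greps expect `ignoring ... bad key type`. The code that emits the "ignoring" wording is not shown on this page, so confirm the expected string matches what named actually logs for a revoked anchor.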
Matthijs Mekking
@matthijs
mentioned in commit
a224bea4
·
Apr 17, 2019
mentioned in commit
a224bea4
mentioned in commit a224bea4b2093218d0f959857a56f25ffae1331a
Matthijs Mekking
@matthijs
mentioned in commit
889f4e0b
·
Apr 18, 2019
mentioned in commit
889f4e0b
mentioned in commit 889f4e0b3aeb4627b5218a5630ea322f40e2895e