58aa084e
Commit
58aa084e
authored
Feb 06, 2020
by
Evan Hunt
Committed by
Matthijs Mekking
Feb 07, 2020
add support for key algorithm mnemonics in dnssec-policy
parent
8c0db909
Changes
12
bin/tests/system/checkconf/bad-kasp-key1.conf
0 → 100644
/*
*
Copyright
(
C
)
Internet
Systems
Consortium
,
Inc
. (
"ISC"
)
*
*
This
Source
Code
Form
is
subject
to
the
terms
of
the
Mozilla
Public
*
License
,
v
.
2
.
0
.
If
a
copy
of
the
MPL
was
not
distributed
with
this
*
file
,
You
can
obtain
one
at
http
://
mozilla
.
org
/
MPL
/
2
.
0
/.
*
*
See
the
COPYRIGHT
file
distributed
with
this
work
for
additional
*
information
regarding
copyright
ownership
.
*/
dnssec
-
policy
"badalg"
{
keys
{
csk
lifetime
unlimited
algorithm
ceasarscipher
;
};
};
zone
"example.net"
{
type
master
;
file
"example.db"
;
dnssec
-
policy
"badalg"
;
};
bin/tests/system/checkconf/bad-kasp-key2.conf
0 → 100644
/*
*
Copyright
(
C
)
Internet
Systems
Consortium
,
Inc
. (
"ISC"
)
*
*
This
Source
Code
Form
is
subject
to
the
terms
of
the
Mozilla
Public
*
License
,
v
.
2
.
0
.
If
a
copy
of
the
MPL
was
not
distributed
with
this
*
file
,
You
can
obtain
one
at
http
://
mozilla
.
org
/
MPL
/
2
.
0
/.
*
*
See
the
COPYRIGHT
file
distributed
with
this
work
for
additional
*
information
regarding
copyright
ownership
.
*/
dnssec
-
policy
"badalg"
{
keys
{
csk
lifetime
unlimited
algorithm
8
4097
;
};
};
zone
"example.net"
{
type
master
;
file
"example.db"
;
dnssec
-
policy
"badalg"
;
};
bin/tests/system/checkconf/bad-kasp-key3.conf
0 → 100644
/*
*
Copyright
(
C
)
Internet
Systems
Consortium
,
Inc
. (
"ISC"
)
*
*
This
Source
Code
Form
is
subject
to
the
terms
of
the
Mozilla
Public
*
License
,
v
.
2
.
0
.
If
a
copy
of
the
MPL
was
not
distributed
with
this
*
file
,
You
can
obtain
one
at
http
://
mozilla
.
org
/
MPL
/
2
.
0
/.
*
*
See
the
COPYRIGHT
file
distributed
with
this
work
for
additional
*
information
regarding
copyright
ownership
.
*/
dnssec
-
policy
"badalg"
{
keys
{
csk
lifetime
unlimited
algorithm
rsasha512
1023
;
};
};
zone
"example.net"
{
type
master
;
file
"example.db"
;
dnssec
-
policy
"badalg"
;
};
bin/tests/system/checkconf/bad-kasp-key4.conf
0 → 100644
/*
*
Copyright
(
C
)
Internet
Systems
Consortium
,
Inc
. (
"ISC"
)
*
*
This
Source
Code
Form
is
subject
to
the
terms
of
the
Mozilla
Public
*
License
,
v
.
2
.
0
.
If
a
copy
of
the
MPL
was
not
distributed
with
this
*
file
,
You
can
obtain
one
at
http
://
mozilla
.
org
/
MPL
/
2
.
0
/.
*
*
See
the
COPYRIGHT
file
distributed
with
this
work
for
additional
*
information
regarding
copyright
ownership
.
*/
dnssec
-
policy
"badalg"
{
keys
{
csk
lifetime
unlimited
algorithm
5
511
;
};
};
zone
"example.net"
{
type
master
;
file
"example.db"
;
dnssec
-
policy
"badalg"
;
};
bin/tests/system/checkconf/good-kasp.conf
...
...
@@ -17,9 +17,9 @@
dnssec
-
policy
"test"
{
dnskey
-
ttl
3600
;
keys
{
ksk
key
-
directory
lifetime
P1Y
algorithm
13
;
ksk
key
-
directory
lifetime
P1Y
algorithm
ecdsa256
;
zsk
lifetime
P30D
algorithm
13
;
csk
key
-
directory
lifetime
unlimited
algorithm
8
2048
;
csk
key
-
directory
lifetime
unlimited
algorithm
rsasha256
2048
;
};
max
-
zone
-
ttl
86400
;
parent
-
ds
-
ttl
7200
;
...
...
bin/tests/system/checkconf/kasp-ignore-keylen.conf
...
...
@@ -12,9 +12,7 @@
dnssec
-
policy
"warn-length"
{
keys
{
//
Algorithm
13
has
predefined
length
,
warn
about
length
param
.
csk
lifetime
unlimited
algorithm
13
2048
;
//
Algorithm
5
length
out
of
range
,
warn
about
length
param
.
csk
lifetime
unlimited
algorithm
5
4097
;
csk
lifetime
unlimited
algorithm
ecdsa256
2048
;
};
};
...
...
bin/tests/system/checkconf/tests.sh
...
...
@@ -475,9 +475,9 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status
=
`
expr
$status
+
$ret
`
n
=
`
expr
$n
+ 1
`
echo_i
"checking named-checkconf kasp
warning
s (
$n
)"
echo_i
"checking named-checkconf kasp
error
s (
$n
)"
ret
=
0
$CHECKCONF
kasp-and-other-dnssec-options.conf
>
checkconf.out
$n
2>&1
$CHECKCONF
kasp-and-other-dnssec-options.conf
>
checkconf.out
$n
2>&1
&&
ret
=
1
grep
"'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set"
< checkconf.out
$n
>
/dev/null
||
ret
=
1
grep
"dnskey-sig-validity: cannot be configured if dnssec-policy is also set"
< checkconf.out
$n
>
/dev/null
||
ret
=
1
grep
"dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set"
< checkconf.out
$n
>
/dev/null
||
ret
=
1
...
...
@@ -490,11 +490,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status
=
`
expr
$status
+
$ret
`
n
=
`
expr
$n
+ 1
`
echo_i
"checking named-checkconf kasp
key warning
s (
$n
)"
echo_i
"checking named-checkconf kasp
predefined key length
s (
$n
)"
ret
=
0
$CHECKCONF
kasp-ignore-keylen.conf
>
checkconf.out
$n
2>&1
grep
"dnssec-policy: key algorithm 13 has predefined length, ignoring length value 2048"
< checkconf.out
$n
>
/dev/null
||
ret
=
1
grep
"dnssec-policy: key with algorithm 5 has invalid key length, ignoring length value 4097"
< checkconf.out
$n
>
/dev/null
||
ret
=
1
$CHECKCONF
kasp-ignore-keylen.conf
>
checkconf.out
$n
2>&1
||
ret
=
1
grep
"dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048"
< checkconf.out
$n
>
/dev/null
||
ret
=
1
if
[
$ret
!=
0
]
;
then
echo_i
"failed"
;
fi
status
=
`
expr
$status
+
$ret
`
...
...
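Review bot: Neither hunk asserts the messages that the four new bad-kasp-key*.conf fixtures are meant to trigger (unknown mnemonic, RSA length out of range), so the new failure paths in cfg_kaspkey_fromconfig() are pinned only if a generic bad-*.conf exit-status check exists elsewhere in this script, which these hunks do not show. A dedicated check in the style of the "kasp errors" block in the first hunk would pin the wording the same way the ecdsa256 warning is pinned in the second one, e.g. `$CHECKCONF bad-kasp-key1.conf > checkconf.out$n 2>&1 && ret=1` followed by `grep "dnssec-policy: bad algorithm ceasarscipher" < checkconf.out$n > /dev/null || ret=1`. The second hunk silently drops the two greps for the numeric-algorithm warnings; a one-line comment above the remaining grep stating that only predefined-length algorithms are still warned about, and that out-of-range RSA lengths are rejected, would explain why the expectations shrank.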
doc/arm/Bv9ARM-book.xml
...
...
@@ -11113,9 +11113,9 @@ example.com CNAME rpz-tcp-only.
</para>
<programlisting>keys {
ksk key-directory lifetime unlimited algorithm
8
2048;
ksk key-directory lifetime unlimited algorithm
rsasha1
2048;
zsk key-directory lifetime P30D algorithm 8;
csk key-directory lifetime P6MT12H3M15S algorithm
13
;
csk key-directory lifetime P6MT12H3M15S algorithm
ecdsa256
;
};
</programlisting>
...
...
@@ -11150,10 +11150,11 @@ example.com CNAME rpz-tcp-only.
</para>
<para>
The <command>algorithm</command> parameter(s) are the key's
algorithm, expressed numerically, and its size in bits. The
size may be omitted, as shown in the example for the
second and third keys; in this case an appropriate
default size will be used.
algorithm, expressed either as a string ("rsasha256",
"ecdsa384", etc) or as a decimal number, and the key's
size in bits. The size may be omitted, as shown in
the example for the second and third keys; in this case
an appropriate default size will be used.
</para>
</listitem>
</varlistentry>
...
...
lib/bind9/check.c
...
...
@@ -976,11 +976,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if
(
obj
!=
NULL
)
{
bool
bad_kasp
=
false
;
bool
bad_name
=
false
;
if
(
optlevel
!=
optlevel_config
&&
!
cfg_obj_isstring
(
obj
))
{
bad_kasp
=
true
;
}
else
if
(
optlevel
==
optlevel_config
)
{
dns_kasplist_t
list
;
dns_kasp_t
*
kasp
,
*
kasp_next
;
dns_kasp_t
*
kasp
=
NULL
,
*
kasp_next
=
NULL
;
ISC_LIST_INIT
(
list
);
...
...
@@ -989,11 +990,11 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
element
!=
NULL
;
element
=
cfg_list_next
(
element
))
{
isc_result_t
ret
;
cfg_obj_t
*
kconfig
=
cfg_listelt_value
(
element
);
if
(
!
cfg_obj_istuple
(
kconfig
))
{
if
(
!
cfg_obj_istuple
(
kconfig
))
{
bad_kasp
=
true
;
continue
;
}
...
...
@@ -1001,17 +1002,24 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
bad_name
=
true
;
continue
;
}
kasp
=
NULL
;
(
void
)
cfg_kasp_fromconfig
(
kconfig
,
mctx
,
ret
=
cfg_kasp_fromconfig
(
kconfig
,
mctx
,
logctx
,
&
list
,
&
kasp
);
if
(
ret
!=
ISC_R_SUCCESS
)
{
if
(
result
==
ISC_R_SUCCESS
)
{
result
=
ret
;
}
}
if
(
kasp
!=
NULL
)
{
dns_kasp_detach
(
&
kasp
);
}
}
}
for
(
kasp
=
ISC_LIST_HEAD
(
list
);
kasp
!=
NULL
;
for
(
kasp
=
ISC_LIST_HEAD
(
list
);
kasp
!=
NULL
;
kasp
=
kasp_next
)
{
kasp_next
=
ISC_LIST_NEXT
(
kasp
,
link
);
...
...
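Review bot: The error handling added in the third hunk (`if (ret != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = ret; } }`) deserves a comment, because it deliberately keeps iterating over the remaining policies and returns only the first failure: `/* keep checking the other policies; the first error is the one reported */`. The nested test also reads better as a single condition, `if (ret != ISC_R_SUCCESS && result == ISC_R_SUCCESS) { result = ret; }`. The loop body relies on dns_kasp_detach() leaving `kasp` NULL for the next iteration and on cfg_kasp_fromconfig() not leaving a non-NULL pointer on failure; if the `kasp = NULL;` shown in that hunk is on the removed side, keeping it at the top of the loop body makes that explicit. check_options() starts and ends outside these hunks.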
lib/dns/include/dns/kasp.h
...
...
@@ -45,7 +45,7 @@ struct dns_kasp_key {
/* Configuration */
uint32_t
lifetime
;
uint
32
_t
algorithm
;
uint
8
_t
algorithm
;
int
length
;
uint8_t
role
;
};
...
...
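Review bot: Narrowing `algorithm` from uint32_t to uint8_t matches what dns_secalg_fromtext() in lib/isccfg/kaspconf.c writes into it, but the field is read outside this diff as well, and any accessor still returning the old width or any comparison against a wider value keeps compiling silently through integer promotion, so the getter declared for this field is worth checking. A short comment on the field would help the next reader: `uint8_t algorithm; /* DNSSEC algorithm number (0-255), set from the mnemonic or number in the policy */`.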
lib/isccfg/kaspconf.c
...
...
@@ -15,6 +15,7 @@
#include
<isc/mem.h>
#include
<isc/print.h>
#include
<isc/region.h>
#include
<isc/string.h>
#include
<isc/util.h>
...
...
@@ -25,6 +26,8 @@
#include
<dns/kasp.h>
#include
<dns/keyvalues.h>
#include
<dns/log.h>
#include
<dns/result.h>
#include
<dns/secalg.h>
/*
...
...
@@ -65,7 +68,7 @@ get_duration(const cfg_obj_t **maps, const char* option, uint32_t dfl)
* Create a new kasp key derived from configuration.
*/
static
isc_result_t
cfg_kaspkey_fromconfig
(
const
cfg_obj_t
*
config
,
dns_kasp_t
*
kasp
,
cfg_kaspkey_fromconfig
(
const
cfg_obj_t
*
config
,
dns_kasp_t
*
kasp
,
isc_log_t
*
logctx
)
{
isc_result_t
result
;
...
...
@@ -86,6 +89,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
}
else
{
const
char
*
rolestr
=
NULL
;
const
cfg_obj_t
*
obj
=
NULL
;
isc_consttextregion_t
alg
;
rolestr
=
cfg_obj_asstring
(
cfg_tuple_get
(
config
,
"role"
));
if
(
strcmp
(
rolestr
,
"ksk"
)
==
0
)
{
...
...
@@ -104,7 +108,17 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
}
obj
=
cfg_tuple_get
(
config
,
"algorithm"
);
key
->
algorithm
=
cfg_obj_asuint32
(
obj
);
alg
.
base
=
cfg_obj_asstring
(
obj
);
alg
.
length
=
strlen
(
alg
.
base
);
result
=
dns_secalg_fromtext
(
&
key
->
algorithm
,
(
isc_textregion_t
*
)
&
alg
);
if
(
result
!=
ISC_R_SUCCESS
)
{
cfg_obj_log
(
obj
,
logctx
,
ISC_LOG_ERROR
,
"dnssec-policy: bad algorithm %s"
,
alg
.
base
);
result
=
DNS_R_BADALG
;
goto
cleanup
;
}
obj
=
cfg_tuple_get
(
config
,
"length"
);
if
(
cfg_obj_isuint32
(
obj
))
{
...
...
@@ -121,10 +135,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
cfg_obj_log
(
obj
,
logctx
,
ISC_LOG_ERROR
,
"dnssec-policy: key with "
"algorithm %u has invalid "
"key length"
,
key
->
algorithm
);
return
(
ISC_R_RANGE
);
"algorithm %s has invalid "
"key length %u"
,
alg
.
base
,
size
);
result
=
ISC_R_RANGE
;
goto
cleanup
;
}
break
;
case
DNS_KEYALG_ECDSA256
:
...
...
@@ -132,10 +147,9 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
case
DNS_KEYALG_ED25519
:
case
DNS_KEYALG_ED448
:
cfg_obj_log
(
obj
,
logctx
,
ISC_LOG_WARNING
,
"dnssec-policy: key algorithm %
u
"
"dnssec-policy: key algorithm %
s
"
"has predefined length; ignoring "
"length value %u"
,
key
->
algorithm
,
size
);
"length value %u"
,
alg
.
base
,
size
);
default:
break
;
}
...
...
@@ -145,7 +159,13 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
}
dns_kasp_addkey
(
kasp
,
key
);
return
(
ISC_R_SUCCESS
);
cleanup:
dns_kasp_key_destroy
(
key
);
return
(
result
);
}
isc_result_t
...
...
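Review bot: In the @@ -132 hunk the DNS_KEYALG_ECDSA256/ED25519/ED448 cases log the predefined-length warning and then run into `default:` with no `break;`; the result is the same, but add `break;` (or a `/* FALLTHROUGH */` marker) after the cfg_obj_log() call so the intent is visible and -Wimplicit-fallthrough stays quiet. The same `default: break;` means any algorithm number that dns_secalg_fromtext() accepts in the @@ -104 hunk, including values that are neither RSA, ECDSA nor EdDSA and that the signing code may not support, is added to the policy with no further validation; if that is intended, say so on the default label, otherwise reject it there with `result = DNS_R_BADALG; goto cleanup;` through the new cleanup path. In the @@ -104 hunk the cast `(isc_textregion_t *)&alg` strips const from an isc_consttextregion_t; the project's DE_CONST idiom would make that explicit instead of a bare cast. The switch containing these cases starts before the @@ -121 hunk.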
lib/isccfg/namedconf.c
...
...
@@ -540,10 +540,10 @@ static cfg_type_t cfg_type_dnsseckeystore = {
/*%
* A dnssec key, as used in the "keys" statement in a "dnssec-policy".
*/
static
keyword_type_t
algorithm_kw
=
{
"algorithm"
,
&
cfg_type_u
int32
};
static
keyword_type_t
algorithm_kw
=
{
"algorithm"
,
&
cfg_type_u
string
};
static
cfg_type_t
cfg_type_algorithm
=
{
"algorithm"
,
parse_keyvalue
,
print_keyvalue
,
doc_keyvalue
,
&
cfg_rep_
uint32
,
&
algorithm_kw
doc_keyvalue
,
&
cfg_rep_
string
,
&
algorithm_kw
};
static
keyword_type_t
lifetime_kw
=
{
"lifetime"
,
...
...
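Review bot: Switching `algorithm_kw` to cfg_type_ustring means the value must be an unquoted token (if it behaves like the other unquoted-string keywords in this file), while the ARM text in this commit presents the mnemonics as quoted strings ("rsasha256", "ecdsa384"); either state in the documentation that the mnemonic is written unquoted, or use a type such as cfg_type_astring that accepts both forms. Any generated grammar listing derived from doc_keyvalue will now print a string placeholder where it printed an integer one, so it needs regenerating if the project checks one in. A comment on the keyword would help future readers: `/* mnemonic or decimal number; validated by dns_secalg_fromtext() in kaspconf.c */`.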
Matthijs Mekking
🏡
@matthijs
mentioned in issue
#2127 (closed)
·
Sep 10, 2020
mentioned in issue
#2127 (closed)
mentioned in issue #2127