Commit 59d84d1b authored by Mark Andrews's avatar Mark Andrews
Browse files

2001. [func] Check the KSK flag when updating a secure dynamic zone.

                        New zone option "update-check-ksk yes;".  [RT #15817]
parent ac124a78
2000. [bug] memmove()/strtol() fix was incomplete. [#RT 15812]
2001. [func] Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;". [RT #15817]
2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
1999. [func] Implement "rrset-order fixed". [RT #13662]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.70 2006/03/03 00:43:34 marka Exp $ */
/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */
/*! \file */
......@@ -175,6 +175,7 @@ options {\n\
check-mx-cname warn;\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
};\n\
"
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.19 2006/01/05 23:45:33 marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.20 2006/03/06 01:27:51 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -280,6 +280,7 @@ options {
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
notify <replaceable>notifytype</replaceable>;
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
......@@ -426,6 +427,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
notify <replaceable>notifytype</replaceable>;
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
......@@ -511,6 +513,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>; ...
};
update-check-ksk <replaceable>boolean</replaceable>;
notify <replaceable>notifytype</replaceable>;
notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.128 2006/03/03 00:43:34 marka Exp $ */
/* $Id: update.c,v 1.129 2006/03/06 01:27:51 marka Exp $ */
#include <config.h>
......@@ -31,6 +31,7 @@
#include <dns/events.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/keyvalues.h>
#include <dns/message.h>
#include <dns/nsec.h>
#include <dns/rdataclass.h>
......@@ -1604,6 +1605,44 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
static isc_boolean_t
ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
isc_boolean_t ret = ISC_FALSE;
isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_dnskey_t dnskey;
dns_rdataset_init(&rdataset);
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
&rdataset, NULL));
CHECK(dns_rdataset_first(&rdataset));
while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
dns_rdataset_current(&rdataset, &rdata);
CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
== DNS_KEYOWNER_ZONE) {
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
have_ksk = ISC_TRUE;
else
have_nonksk = ISC_TRUE;
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rdataset);
}
if (have_ksk && have_nonksk)
ret = ISC_TRUE;
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
return (ret);
}
/*%
* Add RRSIG records for an RRset, recording the change in "diff".
*/
......@@ -1611,7 +1650,7 @@ static isc_result_t
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
isc_stdtime_t expire)
isc_stdtime_t expire, isc_boolean_t check_ksk)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
......@@ -1632,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_db_detachnode(db, &node);
for (i = 0; i < nkeys; i++) {
if (check_ksk && type != dns_rdatatype_dnskey &&
(dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
continue;
/* Calculate the signature, creating a RRSIG RDATA. */
CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
&inception, &expire,
......@@ -1685,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
dns_dbnode_t *node = NULL;
isc_boolean_t check_ksk;
dns_diff_init(client->mctx, &diffnames);
dns_diff_init(client->mctx, &affected);
......@@ -1705,6 +1750,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
inception = now - 3600; /* Allow for some clock skew. */
expire = now + sigvalidityinterval;
/*
* Do we look at the KSK flag on the DNSKEY to determining which
* keys sign which RRsets? First check the zone option then
* check the keys flags to make sure atleast one has a ksk set
* and one doesn't.
*/
check_ksk = ISC_TF((dns_zone_getoptions(zone) &
DNS_ZONEOPT_UPDATECHECKKSK) != 0);
if (check_ksk)
check_ksk = ksk_sanity(db, newver);
/*
* Get the NSEC's TTL from the SOA MINIMUM field.
*/
......@@ -1764,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(db, newver, name, type,
&sig_diff, zone_keys, nkeys,
client->mctx, inception,
expire));
expire, check_ksk));
}
skip:
/* Skip any other updates to the same RRset. */
......@@ -1949,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
} else if (t->op == DNS_DIFFOP_ADD) {
CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
&sig_diff, zone_keys, nkeys,
client->mctx, inception, expire));
client->mctx, inception, expire,
check_ksk));
} else {
INSIST(0);
}
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.131 2006/02/28 02:39:51 marka Exp $ */
/* $Id: zoneconf.c,v 1.132 2006/03/06 01:27:52 marka Exp $ */
/*% */
......@@ -720,6 +720,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
}
/*
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.20 2006/01/04 00:37:24 marka Exp $
# $Id: sign.sh,v 1.21 2006/03/06 01:27:52 marka Exp $
RANDFILE=../random.data
......@@ -43,9 +43,10 @@ zone=dynamic.example.
infile=dynamic.example.db.in
zonefile=dynamic.example.db
keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
keyname1=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
keyname2=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
cat $infile $keyname.key >$zonefile
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.296 2006/02/26 22:54:46 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.297 2006/03/06 01:27:52 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -4416,6 +4416,7 @@ category notify { null; };
<optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
<optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
......@@ -5638,6 +5639,21 @@ options {
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>update-check-ksk</command></term>
<listitem>
<para>
When regenerating the RRSIGs following a UPDATE
request to a secure zone, check the KSK flag on
the DNSKEY RR to determine if this key should be
used to generate the RRSIG. This flag is ignored
if there are not DNSKEY RRs both with and without
a KSK. Default yes.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
......@@ -8004,6 +8020,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
......@@ -8489,6 +8506,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>update-check-ksk</command></term>
<listitem>
<para>
See the description of
<command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>database</command></term>
<listitem>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.71 2006/03/03 00:43:35 marka Exp $ */
/* $Id: check.c,v 1.72 2006/03/06 01:27:52 marka Exp $ */
/*! \file */
......@@ -933,6 +933,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "check-mx-cname", MASTERZONE },
{ "check-srv-cname", MASTERZONE },
{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
{ "update-check-ksk", MASTERZONE },
};
static optionstable dialups[] = {
......
......@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.85 2005/11/30 03:33:49 marka Exp $
* $Id: dnssec.c,v 1.86 2006/03/06 01:27:52 marka Exp $
*/
/*! \file */
......@@ -520,10 +520,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_result_t
dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
dns_dbnode_t *node, dns_name_t *name,
const char *directory, isc_mem_t *mctx,
unsigned int maxkeys, dst_key_t **keys,
unsigned int *nkeys)
{
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.143 2006/02/28 02:39:51 marka Exp $ */
/* $Id: zone.h,v 1.144 2006/03/06 01:27:52 marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
......@@ -65,6 +65,7 @@ typedef enum {
#define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U /*%< ignore MX CNAME check */
#define DNS_ZONEOPT_WARNSRVCNAME 0x00200000U /*%< warn on SRV CNAME check */
#define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U /*%< ignore SRV CNAME check */
#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U /*%< check dnskey KSK flag */
#ifndef NOMINUM_PUBLIC
/*
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.66 2006/02/28 02:39:52 marka Exp $ */
/* $Id: namedconf.c,v 1.67 2006/03/06 01:27:52 marka Exp $ */
/*! \file */
......@@ -844,6 +844,7 @@ zone_clauses[] = {
{ "check-srv-cname", &cfg_type_checkmode, 0 },
{ "check-sibling", &cfg_type_boolean, 0 },
{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
{ "update-check-ksk", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment