59d84d1b
Commit
59d84d1b
authored
Mar 06, 2006
by
Mark Andrews
2001. [func] Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;". [RT #15817]
parent
ac124a78
Changes
11
CHANGES
2000. [bug] memmove()/strtol() fix was incomplete. [#RT 15812]
2001. [func] Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;". [RT #15817]
2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
1999. [func] Implement "rrset-order fixed". [RT #13662]
...
...
bin/named/config.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.7
0
2006/03/0
3
0
0:43:34
marka Exp $ */
/* $Id: config.c,v 1.7
1
2006/03/0
6
0
1:27:51
marka Exp $ */
/*! \file */
...
...
@@ -175,6 +175,7 @@ options {\n\
check-mx-cname warn;
\n
\
check-srv-cname warn;
\n
\
zero-no-soa-ttl yes;
\n
\
update-check-ksk yes;
\n
\
};
\n
\
"
...
...
bin/named/named.conf.docbook
...
...
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.
19
2006/0
1
/0
5 23:45:33
marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.
20
2006/0
3
/0
6 01:27:51
marka Exp $ -->
<refentry>
<refentryinfo>
<date>
Aug 13, 2004
</date>
...
...
@@ -280,6 +280,7 @@ options {
allow-transfer {
<replaceable>
address_match_element
</replaceable>
; ... };
allow-update {
<replaceable>
address_match_element
</replaceable>
; ... };
allow-update-forwarding {
<replaceable>
address_match_element
</replaceable>
; ... };
update-check-ksk
<replaceable>
boolean
</replaceable>
;
notify
<replaceable>
notifytype
</replaceable>
;
notify-source (
<replaceable>
ipv4_address
</replaceable>
| * )
<optional>
port (
<replaceable>
integer
</replaceable>
| * )
</optional>
;
...
...
@@ -426,6 +427,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-transfer {
<replaceable>
address_match_element
</replaceable>
; ... };
allow-update {
<replaceable>
address_match_element
</replaceable>
; ... };
allow-update-forwarding {
<replaceable>
address_match_element
</replaceable>
; ... };
update-check-ksk
<replaceable>
boolean
</replaceable>
;
notify
<replaceable>
notifytype
</replaceable>
;
notify-source (
<replaceable>
ipv4_address
</replaceable>
| * )
<optional>
port (
<replaceable>
integer
</replaceable>
| * )
</optional>
;
...
...
@@ -511,6 +513,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
( name | subdomain | wildcard | self )
<replaceable>
string
</replaceable>
<replaceable>
rrtypelist
</replaceable>
; ...
};
update-check-ksk
<replaceable>
boolean
</replaceable>
;
notify
<replaceable>
notifytype
</replaceable>
;
notify-source (
<replaceable>
ipv4_address
</replaceable>
| * )
<optional>
port (
<replaceable>
integer
</replaceable>
| * )
</optional>
;
...
...
bin/named/update.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.12
8
2006/03/0
3
0
0:43:34
marka Exp $ */
/* $Id: update.c,v 1.12
9
2006/03/0
6
0
1:27:51
marka Exp $ */
#include <config.h>
...
...
@@ -31,6 +31,7 @@
#include <dns/events.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/keyvalues.h>
#include <dns/message.h>
#include <dns/nsec.h>
#include <dns/rdataclass.h>
...
...
@@ -1604,6 +1605,44 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return
(
result
);
}
static
isc_boolean_t
ksk_sanity
(
dns_db_t
*
db
,
dns_dbversion_t
*
ver
)
{
isc_boolean_t
ret
=
ISC_FALSE
;
isc_boolean_t
have_ksk
=
ISC_FALSE
,
have_nonksk
=
ISC_FALSE
;
isc_result_t
result
;
dns_dbnode_t
*
node
=
NULL
;
dns_rdataset_t
rdataset
;
dns_rdata_t
rdata
=
DNS_RDATA_INIT
;
dns_rdata_dnskey_t
dnskey
;
dns_rdataset_init
(
&
rdataset
);
CHECK
(
dns_db_findnode
(
db
,
dns_db_origin
(
db
),
ISC_FALSE
,
&
node
));
CHECK
(
dns_db_findrdataset
(
db
,
node
,
ver
,
dns_rdatatype_dnskey
,
0
,
0
,
&
rdataset
,
NULL
));
CHECK
(
dns_rdataset_first
(
&
rdataset
));
while
(
result
==
ISC_R_SUCCESS
&&
(
!
have_ksk
||
!
have_nonksk
))
{
dns_rdataset_current
(
&
rdataset
,
&
rdata
);
CHECK
(
dns_rdata_tostruct
(
&
rdata
,
&
dnskey
,
NULL
));
if
((
dnskey
.
flags
&
(
DNS_KEYFLAG_OWNERMASK
|
DNS_KEYTYPE_NOAUTH
))
==
DNS_KEYOWNER_ZONE
)
{
if
((
dnskey
.
flags
&
DNS_KEYFLAG_KSK
)
!=
0
)
have_ksk
=
ISC_TRUE
;
else
have_nonksk
=
ISC_TRUE
;
}
dns_rdata_reset
(
&
rdata
);
result
=
dns_rdataset_next
(
&
rdataset
);
}
if
(
have_ksk
&&
have_nonksk
)
ret
=
ISC_TRUE
;
failure:
if
(
dns_rdataset_isassociated
(
&
rdataset
))
dns_rdataset_disassociate
(
&
rdataset
);
if
(
node
!=
NULL
)
dns_db_detachnode
(
db
,
&
node
);
return
(
ret
);
}
/*%
* Add RRSIG records for an RRset, recording the change in "diff".
*/
...
...
@@ -1611,7 +1650,7 @@ static isc_result_t
add_sigs
(
dns_db_t
*
db
,
dns_dbversion_t
*
ver
,
dns_name_t
*
name
,
dns_rdatatype_t
type
,
dns_diff_t
*
diff
,
dst_key_t
**
keys
,
unsigned
int
nkeys
,
isc_mem_t
*
mctx
,
isc_stdtime_t
inception
,
isc_stdtime_t
expire
)
isc_stdtime_t
expire
,
isc_boolean_t
check_ksk
)
{
isc_result_t
result
;
dns_dbnode_t
*
node
=
NULL
;
...
...
@@ -1632,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_db_detachnode
(
db
,
&
node
);
for
(
i
=
0
;
i
<
nkeys
;
i
++
)
{
if
(
check_ksk
&&
type
!=
dns_rdatatype_dnskey
&&
(
dst_key_flags
(
keys
[
i
])
&
DNS_KEYFLAG_KSK
)
!=
0
)
continue
;
/* Calculate the signature, creating a RRSIG RDATA. */
CHECK
(
dns_dnssec_sign
(
name
,
&
rdataset
,
keys
[
i
],
&
inception
,
&
expire
,
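Review bot: The new `continue` in the key loop can leave a non-DNSKEY RRset with no RRSIG at all and no error, because check_ksk is validated by ksk_sanity against the DNSKEY RRset in the database while the skip here is applied to the `keys` array handed to add_sigs (`zone_keys` in update_signatures), which presumably only holds DNSKEYs whose private half could be loaded. A zone publishing a KSK and a ZSK but with only the KSK's private key available passes the sanity check, and every non-DNSKEY RRset then exits this loop unsigned with the update reported as successful. The loop should count what it actually signed and fail otherwise: declare `unsigned int nsigned = 0;` with the locals, add `nsigned++;` after the dns_dnssec_sign CHECK, and after the loop `if (check_ksk && type != dns_rdatatype_dnskey && nsigned == 0) { result = ISC_R_NOTFOUND; goto failure; }`; alternatively derive have_ksk/have_nonksk from `dst_key_flags()` over `zone_keys` in update_signatures so the check and the skip agree on the same key set. add_sigs begins and ends outside this hunk, and the mismatch originates in the ksk_sanity hunk above.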
...
...
@@ -1685,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdata_t
rdata
=
DNS_RDATA_INIT
;
dns_rdataset_t
rdataset
;
dns_dbnode_t
*
node
=
NULL
;
isc_boolean_t
check_ksk
;
dns_diff_init
(
client
->
mctx
,
&
diffnames
);
dns_diff_init
(
client
->
mctx
,
&
affected
);
...
...
@@ -1705,6 +1750,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
inception
=
now
-
3600
;
/* Allow for some clock skew. */
expire
=
now
+
sigvalidityinterval
;
/*
* Do we look at the KSK flag on the DNSKEY to determining which
* keys sign which RRsets? First check the zone option then
* check the keys flags to make sure atleast one has a ksk set
* and one doesn't.
*/
check_ksk
=
ISC_TF
((
dns_zone_getoptions
(
zone
)
&
DNS_ZONEOPT_UPDATECHECKKSK
)
!=
0
);
if
(
check_ksk
)
check_ksk
=
ksk_sanity
(
db
,
newver
);
/*
* Get the NSEC's TTL from the SOA MINIMUM field.
*/
...
...
@@ -1764,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK
(
add_sigs
(
db
,
newver
,
name
,
type
,
&
sig_diff
,
zone_keys
,
nkeys
,
client
->
mctx
,
inception
,
expire
));
expire
,
check_ksk
));
}
skip:
/* Skip any other updates to the same RRset. */
...
...
@@ -1949,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
}
else
if
(
t
->
op
==
DNS_DIFFOP_ADD
)
{
CHECK
(
add_sigs
(
db
,
newver
,
&
t
->
name
,
dns_rdatatype_nsec
,
&
sig_diff
,
zone_keys
,
nkeys
,
client
->
mctx
,
inception
,
expire
));
client
->
mctx
,
inception
,
expire
,
check_ksk
));
}
else
{
INSIST
(
0
);
}
...
...
bin/named/zoneconf.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.13
1
2006/0
2/28 02:39
:5
1
marka Exp $ */
/* $Id: zoneconf.c,v 1.13
2
2006/0
3/06 01:27
:5
2
marka Exp $ */
/*% */
...
...
@@ -720,6 +720,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST
(
0
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_WARNSRVCNAME
,
warn
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_IGNORESRVCNAME
,
ignore
);
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"update-check-ksk"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_UPDATECHECKKSK
,
cfg_obj_asboolean
(
obj
));
}
/*
...
...
bin/tests/system/dnssec/ns3/sign.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2
0
2006/0
1
/0
4
0
0:37:24
marka Exp $
# $Id: sign.sh,v 1.2
1
2006/0
3
/0
6
0
1:27:52
marka Exp $
RANDFILE
=
../random.data
...
...
@@ -43,9 +43,10 @@ zone=dynamic.example.
infile
=
dynamic.example.db.in
zonefile
=
dynamic.example.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSAMD5
-b
768
-n
zone
$zone
`
keyname1
=
`
$KEYGEN
-r
$RANDFILE
-a
RSAMD5
-b
768
-n
zone
$zone
`
keyname2
=
`
$KEYGEN
-r
$RANDFILE
-a
RSAMD5
-b
1024
-n
zone
-f
KSK
$zone
`
cat
$infile
$keyname
.key
>
$zonefile
cat
$infile
$keyname
1
.key
$keyname2
.key
>
$zonefile
$SIGNER
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null
...
...
doc/arm/Bv9ARM-book.xml
...
...
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.29
6
2006/0
2/26 22:54:46
marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.29
7
2006/0
3/06 01:27:52
marka Exp $ -->
<book
xmlns:xi=
"http://www.w3.org/2001/XInclude"
>
<title>
BIND 9 Administrator Reference Manual
</title>
...
...
@@ -4416,6 +4416,7 @@ category notify { null; };
<optional>
allow-recursion {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
allow-update {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
allow-update-forwarding {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
update-check-ksk
<replaceable>
yes_or_no
</replaceable>
;
</optional>
<optional>
allow-v6-synthesis {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
blackhole {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
avoid-v4-udp-ports {
<replaceable>
port_list
</replaceable>
};
</optional>
...
...
@@ -5638,6 +5639,21 @@ options {
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
update-check-ksk
</command></term>
<listitem>
<para>
When regenerating the RRSIGs following a UPDATE
request to a secure zone, check the KSK flag on
the DNSKEY RR to determine if this key should be
used to generate the RRSIG. This flag is ignored
if there are not DNSKEY RRs both with and without
a KSK. Default yes.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
...
...
@@ -8004,6 +8020,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional>
allow-query {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
allow-transfer {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
allow-update-forwarding {
<replaceable>
address_match_list
</replaceable>
};
</optional>
<optional>
update-check-ksk
<replaceable>
yes_or_no
</replaceable>
;
</optional>
<optional>
also-notify {
<replaceable>
ip_addr
</replaceable>
<optional>
port
<replaceable>
ip_port
</replaceable></optional>
;
<optional>
<replaceable>
ip_addr
</replaceable>
<optional>
port
<replaceable>
ip_port
</replaceable></optional>
; ...
</optional>
};
</optional>
<optional>
check-names (
<constant>
warn
</constant>
|
<constant>
fail
</constant>
|
<constant>
ignore
</constant>
) ;
</optional>
<optional>
dialup
<replaceable>
dialup_option
</replaceable>
;
</optional>
...
...
@@ -8489,6 +8506,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>
update-check-ksk
</command></term>
<listitem>
<para>
See the description of
<command>
update-check-ksk
</command>
in
<xref
linkend=
"boolean_options"
/>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
database
</command></term>
<listitem>
...
...
lib/bind9/check.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.7
1
2006/03/0
3
0
0:43:35
marka Exp $ */
/* $Id: check.c,v 1.7
2
2006/03/0
6
0
1:27:52
marka Exp $ */
/*! \file */
...
...
@@ -933,6 +933,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{
"check-mx-cname"
,
MASTERZONE
},
{
"check-srv-cname"
,
MASTERZONE
},
{
"masterfile-format"
,
MASTERZONE
|
SLAVEZONE
|
STUBZONE
|
HINTZONE
},
{
"update-check-ksk"
,
MASTERZONE
},
};
static
optionstable
dialups
[]
=
{
...
...
lib/dns/dnssec.c
...
...
@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.8
5
200
5/11/30 03:33:49
marka Exp $
* $Id: dnssec.c,v 1.8
6
200
6/03/06 01:27:52
marka Exp $
*/
/*! \file */
...
...
@@ -520,10 +520,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_result_t
dns_dnssec_findzonekeys2
(
dns_db_t
*
db
,
dns_dbversion_t
*
ver
,
dns_dbnode_t
*
node
,
dns_name_t
*
name
,
const
char
*
directory
,
isc_mem_t
*
mctx
,
unsigned
int
maxkeys
,
dst_key_t
**
keys
,
unsigned
int
*
nkeys
)
dns_dbnode_t
*
node
,
dns_name_t
*
name
,
const
char
*
directory
,
isc_mem_t
*
mctx
,
unsigned
int
maxkeys
,
dst_key_t
**
keys
,
unsigned
int
*
nkeys
)
{
dns_rdataset_t
rdataset
;
dns_rdata_t
rdata
=
DNS_RDATA_INIT
;
...
...
lib/dns/include/dns/zone.h
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.14
3
2006/0
2/28 02:39
:5
1
marka Exp $ */
/* $Id: zone.h,v 1.14
4
2006/0
3/06 01:27
:5
2
marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
...
...
@@ -65,6 +65,7 @@ typedef enum {
#define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U
/*%< ignore MX CNAME check */
#define DNS_ZONEOPT_WARNSRVCNAME 0x00200000U
/*%< warn on SRV CNAME check */
#define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U
/*%< ignore SRV CNAME check */
#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U
/*%< check dnskey KSK flag */
#ifndef NOMINUM_PUBLIC
/*
...
...
lib/isccfg/namedconf.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.6
6
2006/0
2/28 02:39
:52 marka Exp $ */
/* $Id: namedconf.c,v 1.6
7
2006/0
3/06 01:27
:52 marka Exp $ */
/*! \file */
...
...
@@ -844,6 +844,7 @@ zone_clauses[] = {
{
"check-srv-cname"
,
&
cfg_type_checkmode
,
0
},
{
"check-sibling"
,
&
cfg_type_boolean
,
0
},
{
"zero-no-soa-ttl"
,
&
cfg_type_boolean
,
0
},
{
"update-check-ksk"
,
&
cfg_type_boolean
,
0
},
{
NULL
,
NULL
,
0
}
};
...
...