Commit 653a78de authored by Evan Hunt's avatar Evan Hunt

3165. [bug] dnssec-signzone could generate new signatures when

			resigning, even when valid signatures were already
			present. [RT #26025]
parent 4ce95a24
3165. [bug] dnssec-signzone could generate new signatures when
resigning, even when valid signatures were already
present. [RT #26025]
3164. [func] Enable DLZ modules to retrieve client information, 3164. [func] Enable DLZ modules to retrieve client information,
so that responses can be changed depending on the so that responses can be changed depending on the
source address of the query. [RT #25768] source address of the query. [RT #25768]
...@@ -29,7 +29,7 @@ ...@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-signzone.c,v 1.279 2011/07/19 23:47:48 tbox Exp $ */ /* $Id: dnssec-signzone.c,v 1.280 2011/10/11 19:26:05 each Exp $ */
/*! \file */ /*! \file */
...@@ -411,6 +411,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) { ...@@ -411,6 +411,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
if (result == ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
key->force_publish = ISC_FALSE; key->force_publish = ISC_FALSE;
key->force_sign = ISC_FALSE; key->force_sign = ISC_FALSE;
key->index = keycount++;
ISC_LIST_APPEND(keylist, key, link); ISC_LIST_APPEND(keylist, key, link);
} }
...@@ -557,36 +558,34 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, ...@@ -557,36 +558,34 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
vbprintf(2, "\trrsig by %s %s - dnskey not found\n", vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
keep ? "retained" : "dropped", sigstr); keep ? "retained" : "dropped", sigstr);
} else if (issigningkey(key)) { } else if (issigningkey(key)) {
wassignedby[key->index] = ISC_TRUE;
if (!expired && rrsig.originalttl == set->ttl && if (!expired && rrsig.originalttl == set->ttl &&
setverifies(name, set, key->key, &sigrdata)) { setverifies(name, set, key->key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr); vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE; keep = ISC_TRUE;
wassignedby[key->index] = ISC_TRUE;
nowsignedby[key->index] = ISC_TRUE;
} else { } else {
vbprintf(2, "\trrsig by %s dropped - %s\n", vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr, expired ? "expired" : sigstr, expired ? "expired" :
rrsig.originalttl != set->ttl ? rrsig.originalttl != set->ttl ?
"ttl change" : "failed to verify"); "ttl change" : "failed to verify");
wassignedby[key->index] = ISC_TRUE;
resign = ISC_TRUE; resign = ISC_TRUE;
} }
} else if (!ispublishedkey(key) && remove_orphans) { } else if (!ispublishedkey(key) && remove_orphans) {
vbprintf(2, "\trrsig by %s dropped - dnskey removed\n", vbprintf(2, "\trrsig by %s dropped - dnskey removed\n",
sigstr); sigstr);
} else if (iszonekey(key)) { } else if (iszonekey(key)) {
wassignedby[key->index] = ISC_TRUE;
if (!expired && rrsig.originalttl == set->ttl && if (!expired && rrsig.originalttl == set->ttl &&
setverifies(name, set, key->key, &sigrdata)) { setverifies(name, set, key->key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr); vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE; keep = ISC_TRUE;
wassignedby[key->index] = ISC_TRUE;
nowsignedby[key->index] = ISC_TRUE;
} else { } else {
vbprintf(2, "\trrsig by %s dropped - %s\n", vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr, expired ? "expired" : sigstr, expired ? "expired" :
rrsig.originalttl != set->ttl ? rrsig.originalttl != set->ttl ?
"ttl change" : "failed to verify"); "ttl change" : "failed to verify");
wassignedby[key->index] = ISC_TRUE;
} }
} else if (!expired) { } else if (!expired) {
vbprintf(2, "\trrsig by %s retained\n", sigstr); vbprintf(2, "\trrsig by %s retained\n", sigstr);
...@@ -619,6 +618,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, ...@@ -619,6 +618,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
} }
} else { } else {
tuple = NULL; tuple = NULL;
vbprintf(2, "removing signature by %s\n", sigstr);
result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
name, sigset.ttl, name, sigset.ttl,
&sigrdata, &tuple); &sigrdata, &tuple);
...@@ -650,7 +650,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, ...@@ -650,7 +650,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
key != NULL; key != NULL;
key = ISC_LIST_NEXT(key, link)) key = ISC_LIST_NEXT(key, link))
{ {
if (nowsignedby[key->index] && !ispublishedkey(key)) if (nowsignedby[key->index])
continue; continue;
if (!issigningkey(key)) if (!issigningkey(key))
...@@ -3364,6 +3364,8 @@ usage(void) { ...@@ -3364,6 +3364,8 @@ usage(void) {
fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-P:\t"); fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "disable post-sign verification\n");
fprintf(stderr, "\t-R:\t");
fprintf(stderr, "remove signatures from keys that no longer exist\n");
fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n"); fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
fprintf(stderr, "\t-t:\t"); fprintf(stderr, "\t-t:\t");
fprintf(stderr, "print statistics\n"); fprintf(stderr, "print statistics\n");
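Review bot: The new `wassignedby[key->index] = ISC_TRUE;` statements that now precede the verification check in both the issigningkey and iszonekey branches of the signset hunk run for every key keythatsigned returns, including keys the first hunk loads lazily from disk and numbers with `key->index = keycount++` at the moment they are appended to keylist. If the wassignedby and nowsignedby arrays are sized from keycount before signset's loop over the existing RRSIGs begins, a key first encountered in this pass receives an index at or past the end of both arrays and the assignment writes out of bounds; the allocation is outside the hunk, so this needs confirming, and if it holds a bound check against the array length (or growing both arrays) before the first use would close it. Before this commit such keys had no index assigned at all, so the old lines that indexed by key->index were already relying on an undefined value; the commit makes the index meaningful rather than introducing the pattern. The later `if (nowsignedby[key->index]) continue;` depends on the same invariant. signset begins and ends outside the hunk.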
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.42 2011/05/23 20:10:02 each Exp $ # $Id: clean.sh,v 1.43 2011/10/11 19:26:06 each Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
...@@ -46,6 +46,7 @@ rm -f ns3/secure.optout.example.db ...@@ -46,6 +46,7 @@ rm -f ns3/secure.optout.example.db
rm -f */named.secroots rm -f */named.secroots
rm -f ns1/managed.key.id rm -f ns1/managed.key.id
rm -f signer/example.db rm -f signer/example.db
rm -f signer/signer.out.1 signer/signer.out.2
rm -f ns2/algroll.db rm -f ns2/algroll.db
rm -f ns3/kskonly.example.db rm -f ns3/kskonly.example.db
rm -f ns4/named.conf rm -f ns4/named.conf
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.96 2011/10/10 00:34:57 marka Exp $ # $Id: tests.sh,v 1.97 2011/10/11 19:26:06 each Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
...@@ -1050,6 +1050,26 @@ n=`expr $n + 1` ...@@ -1050,6 +1050,26 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:checking dnssec-signzone retains unexpired signatures ($n)"
ret=0
(
cd signer
$SIGNER -Sxt -o example example.db > signer.out.1 2>&1
$SIGNER -Sxt -o example -f example.db.signed example.db.signed > signer.out.2 2>&1
) || ret=1
gen1=`awk '/generated/ {print $3}' signer/signer.out.1`
retain1=`awk '/retained/ {print $3}' signer/signer.out.1`
drop1=`awk '/dropped/ {print $3}' signer/signer.out.1`
gen2=`awk '/generated/ {print $3}' signer/signer.out.2`
retain2=`awk '/retained/ {print $3}' signer/signer.out.2`
drop2=`awk '/dropped/ {print $3}' signer/signer.out.2`
[ "$retain2" -eq `expr "$gen1" + "$retain1"` ] || ret=1
[ "$gen2" -eq 0 ] || ret=1
[ "$drop2" -eq 0 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking validated data are not cached longer than originalttl ($n)" echo "I:checking validated data are not cached longer than originalttl ($n)"
ret=0 ret=0
$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
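Review bot: The subshell in the new "retains unexpired signatures" check only reports the exit status of the second signer run, so a failed first pass is detected indirectly through the empty counters it leaves in signer.out.1, and the `[ ... -eq ... ]` comparisons then fail with a shell syntax error instead of a readable diagnostic. Making each pass fail fast, `$SIGNER -Sxt -o example example.db > signer.out.1 2>&1 || exit 1` and the same `|| exit 1` on the second run, and echoing the captured counts when ret is non-zero, e.g. `echo "I:gen1=$gen1 retain1=$retain1 gen2=$gen2 retain2=$retain2 drop2=$drop2"`, would make a regression in signature retention show up together with the numbers that explain it. The awk filters on `/generated/`, `/retained/` and `/dropped/` also assume each word appears on exactly one line of the `-t` statistics output; if the verbose output repeats them the variables hold several fields and the comparisons break, which is worth confirming against the signer output format.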