Commit 72c20173 authored by Michał Kępień's avatar Michał Kępień

Do not check SEP bit for mirror zone trust anchors

When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false.  This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor.  This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
parent 724663c1
......@@ -55,6 +55,11 @@ zone "verify-axfr" {
file "verify-axfr.db.signed";
};
zone "verify-csk" {
type master;
file "verify-csk.db.signed";
};
zone "verify-ixfr" {
type master;
file "verify-ixfr.db.signed";
......
......@@ -32,6 +32,18 @@ done
# the "root" zone on ns1.
keys_to_trust="$keys_to_trust $keyname1"
# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
# set and add that key to the list of keys to trust.
zone=verify-csk
infile=verify.db.in
zonefile=verify-csk.db
keyname=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
cat $infile $keyname.key > $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
keys_to_trust="$keys_to_trust $keyname"
# Prepare remaining zones used in the test.
ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
......
......@@ -56,6 +56,12 @@ zone "verify-axfr" {
file "verify-axfr.db.mirror";
};
zone "verify-csk" {
type mirror;
masters { 10.53.0.2; };
file "verify-csk.db.mirror";
};
zone "verify-ixfr" {
type mirror;
masters { 10.53.0.2; };
......
......@@ -92,11 +92,23 @@ wait_for_transfer verify-untrusted
$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted KSK DNSKEY found" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
ret=0
nextpartreset ns3/named.run
wait_for_transfer verify-csk
$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
ret=0
......
......@@ -19816,7 +19816,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
origin = dns_db_origin(db);
result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
zone->mctx, false, false);
zone->mctx, true, false);
done:
if (secroots != NULL) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment