Commit 889f4e0b authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Also ignore configured revoked trusted anchors

(cherry picked from commit 4d1ed128)
parent c80bf677
......@@ -162,16 +162,16 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
#define TCHECK(op) \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
} while (0)
#define CHECKM(op, msg) \
......@@ -757,6 +757,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
if (flags > 0xffff)
CHECKM(ISC_R_RANGE, "key flags");
if (flags & DNS_KEYFLAG_REVOKE)
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
if (proto > 0xff)
CHECKM(ISC_R_RANGE, "key protocol");
if (alg > 0xff)
......@@ -810,7 +812,8 @@ dstkey_fromconfig(dns_view_t *view, const cfg_obj_t *vconfig,
"ignoring %s key for '%s': no crypto support",
managed ? "managed" : "trusted",
keynamestr);
} else if (result == DST_R_UNSUPPORTEDALG) {
} else if (result == DST_R_UNSUPPORTEDALG ||
result == DST_R_BADKEYTYPE) {
cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
"skipping %s key for '%s': %s",
managed ? "managed" : "trusted",
......@@ -853,7 +856,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
key = cfg_listelt_value(elt2);
result = dstkey_fromconfig(view, vconfig, key, managed,
&dstkey, mctx);
if (result == DST_R_UNSUPPORTEDALG) {
if (result == DST_R_UNSUPPORTEDALG ||
result == DST_R_BADKEYTYPE) {
result = ISC_R_SUCCESS;
continue;
}
......
......@@ -38,3 +38,6 @@ ns3.disabled A 10.53.0.3
enabled NS ns3.enabled
ns3.enabled A 10.53.0.3
; A secure subdomain with a revoked trust anchor
revoked NS ns3.revoked
ns3.revoked A 10.53.0.3
......@@ -333,6 +333,11 @@ zone "unsupported.managed" {
file "unsupported.managed.db.signed";
};
zone "revoked.managed" {
type master;
file "revoked.managed.db.signed";
};
zone "secure.trusted" {
type master;
file "secure.trusted.db.signed";
......@@ -353,6 +358,11 @@ zone "unsupported.trusted" {
file "unsupported.trusted.db.signed";
};
zone "revoked.trusted" {
type master;
file "revoked.trusted.db.signed";
};
include "siginterval.conf";
include "trusted.conf";
......@@ -3830,8 +3830,10 @@ echo_i "checking that keys with unsupported algorithms and disabled algorithms a
ret=0
grep "skipping trusted key for 'disabled\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
grep "skipping trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
grep "skipping trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run > /dev/null || ret=1
grep "skipping managed key for 'disabled\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
grep "skipping managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run > /dev/null || ret=1
grep "skipping managed key for 'revoked\.managed\.': bad key type" ns8/named.run > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment