Commit ac9286b7 authored by Evan Hunt's avatar Evan Hunt

Merge branch '868-fix-trusted-keys-handling-with-dnssec-validation-auto-v9_14-v9_11' into 'v9_11'

fix incorrect behavior mixing trusted-keys with validation auto

See merge request !1909
parents 3c45f0dd febbd908
5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
5228. [cleanup] If trusted-keys and managed-keys are configured
simultaneously for the same name, the key cannot
be rolled automatically. This configuration now
logs a warning. [GL #868]
5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]
5222. [bug] 'delv -t ANY' could leak memory. [GL #983]
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
trusted-keys {
example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
......@@ -197,6 +197,16 @@ l=`$CHECKCONF warn-keydir.conf 2>&1 | grep "key-directory" | wc -l`
[ $l -eq 0 ] || ret=1
rm -rf test.keydir
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking for trusted-key/managed-key collision warning ($n)"
ret=0
$CHECKCONF warn-duplicate-key.conf 2>&1 | grep "ROLLOVERS WILL FAIL" > /dev/null 2>&1 || ret=1
$CHECKCONF warn-duplicate-root-key.conf 2>&1 | grep "ROLLOVERS WILL FAIL" > /dev/null 2>&1 || ret=1
$CHECKCONF warn-validation-auto-key.conf 2>&1 | grep "ROLLOVERS WILL FAIL" > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
......@@ -368,7 +378,8 @@ grep "trusted-key for root from 2010 without updated" checkconf.out$n > /dev/nul
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
n=`expr $n + 1`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
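Review bot: The three checks added under `checking for trusted-key/managed-key collision warning` all grep for the same substring `ROLLOVERS WILL FAIL`, which occurs in both new warnings, so the test cannot tell whether warn-validation-auto-key.conf produced the 'dnssec-validation auto' message or the duplicate-name one, and vice versa. Grepping each fixture for its own message, e.g. `grep "trusted-keys and managed-keys are both used"` for the two duplicate-key configs and `grep "used with 'dnssec-validation auto'"` for the third, would pin the intended behaviour per file. The good-dup-managed-key.conf and good-dup-trusted-key.conf fixtures added in this commit are not exercised in the visible hunks; presumably they are covered by a loop over good-*.conf elsewhere in tests.sh, which is outside this view.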
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
};
trusted-keys {
example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
};
trusted-keys {
. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation auto;
};
trusted-keys {
. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
......@@ -19,3 +19,7 @@ root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
ns7 is a validator with multiple views configured. It is used for
testing per-view rndc commands and checking interactions between options
related to and potentially affecting RFC 5011 processing.
......@@ -96,7 +96,19 @@
<itemizedlist>
<listitem>
<para>
None.
When <command>trusted-keys</command> and
<command>managed-keys</command> are both configured for the
same name, or when <command>trusted-keys</command> is used to
configure a trust anchor for the root zone and
<command>dnssec-validation</command> is set to
<literal>auto</literal>, automatic RFC 5011 key
rollovers will fail.
</para>
<para>
This combination of settings was never intended to work,
but there was no check for it in the parser. This has been
corrected; a warning is now logged. (In BIND 9.15 and
higher this error will be fatal.) [GL #868]
</para>
</listitem>
</itemizedlist>
......@@ -42,6 +42,7 @@
#include <dns/acl.h>
#include <dns/dnstap.h>
#include <dns/fixedname.h>
#include <dns/rbt.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/rrl.h>
......@@ -3107,6 +3108,120 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
return (result);
}
/*
* Check for conflicts between trusted-keys and managed-keys.
*/
static isc_result_t
check_ta_conflicts(const cfg_obj_t *mkeys, const cfg_obj_t *tkeys,
bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx)
{
isc_result_t result = ISC_R_SUCCESS, tresult;
const cfg_listelt_t *elt = NULL, *elt2 = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
const cfg_obj_t *obj;
const char *str;
isc_symtab_t *symtab = NULL;
isc_symvalue_t symvalue;
char namebuf[DNS_NAME_FORMATSIZE];
const char *file;
unsigned int line;
name = dns_fixedname_initname(&fixed);
result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
for (elt = cfg_list_first(mkeys);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
obj = cfg_listelt_value(elt2);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
tresult = dns_name_fromstring(name, str, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
/* already reported */
continue;
}
dns_name_format(name, namebuf, sizeof(namebuf));
symvalue.as_cpointer = obj;
tresult = isc_symtab_define(symtab, namebuf, 1,
symvalue,
isc_symexists_reject);
if (tresult != ISC_R_SUCCESS &&
tresult != ISC_R_EXISTS)
{
result = tresult;
continue;
}
}
}
for (elt = cfg_list_first(tkeys);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
obj = cfg_listelt_value(elt2);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
result = dns_name_fromstring(name, str, 0, NULL);
if (result != ISC_R_SUCCESS) {
/* already reported */
continue;
}
if (autovalidation &&
dns_name_equal(name, dns_rootname))
{
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"WARNING: "
"trusted-keys for root zone "
"used with "
"'dnssec-validation auto'. "
"KEY ROLLOVERS WILL FAIL.");
continue;
}
dns_name_format(name, namebuf, sizeof(namebuf));
tresult = isc_symtab_lookup(symtab, namebuf, 1,
&symvalue);
if (tresult == ISC_R_SUCCESS) {
file = cfg_obj_file(symvalue.as_cpointer);
line = cfg_obj_line(symvalue.as_cpointer);
if (file == NULL) {
file = "<unknown file>";
}
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"WARNING: "
"trusted-keys and managed-keys "
"are both used for the "
"name '%s'. "
"KEY ROLLOVERS WILL FAIL. "
"managed-key defined "
"(%s:%u)", str, file, line);
}
}
}
cleanup:
if (symtab != NULL) {
isc_symtab_destroy(&symtab);
}
return (result);
}
static isc_result_t
check_rpz_catz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
const char *viewname, isc_symtab_t *symtab, isc_log_t *logctx)
......@@ -3176,7 +3291,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_log_t *logctx, isc_mem_t *mctx)
{
const cfg_obj_t *zones = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *keys = NULL, *tkeys = NULL, *mkeys = NULL;
#ifndef HAVE_DLOPEN
const cfg_obj_t *dyndb = NULL;
#endif
......@@ -3189,6 +3304,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *options = NULL;
const cfg_obj_t *opts = NULL;
bool enablednssec, enablevalidation;
bool autovalidation = false;
const char *valstr = "no";
unsigned int tflags, mflags;
......@@ -3368,14 +3484,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
/*
* Check trusted-keys and managed-keys.
*/
keys = NULL;
tkeys = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "trusted-keys", &keys);
if (keys == NULL)
(void)cfg_map_get(config, "trusted-keys", &keys);
(void)cfg_map_get(voptions, "trusted-keys", &tkeys);
if (tkeys == NULL)
(void)cfg_map_get(config, "trusted-keys", &tkeys);
tflags = 0;
for (element = cfg_list_first(keys);
for (element = cfg_list_first(tkeys);
element != NULL;
element = cfg_list_next(element))
{
......@@ -3392,33 +3508,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-key for root from 2010 without updated "
"trusted-key from 2017: THIS WILL FAIL AFTER "
"KEY ROLLOVER");
}
if ((tflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-key for dlv.isc.org still present; "
"dlv.isc.org has been shut down");
}
keys = NULL;
mkeys = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "managed-keys", &keys);
if (keys == NULL)
(void)cfg_map_get(config, "managed-keys", &keys);
(void)cfg_map_get(voptions, "managed-keys", &mkeys);
if (mkeys == NULL)
(void)cfg_map_get(config, "managed-keys", &mkeys);
mflags = 0;
for (element = cfg_list_first(keys);
for (element = cfg_list_first(mkeys);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *keylist = cfg_listelt_value(element);
for (element2 = cfg_list_first(keylist);
element2 != NULL;
element2 = cfg_list_next(element2)) {
element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2);
tresult = check_trusted_key(obj, true, &mflags,
logctx);
......@@ -3428,13 +3545,13 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"managed-key for root from 2010 without updated "
"managed-key from 2017");
}
if ((mflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"managed-key for dlv.isc.org still present; "
"dlv.isc.org has been shut down");
}
......@@ -3442,11 +3559,28 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
(mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
{
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys for the ICANN "
"root are present");
}
obj = NULL;
if (voptions != NULL) {
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
}
if (obj == NULL && options != NULL) {
(void)cfg_map_get(options, "dnssec-validation", &obj);
}
if (obj != NULL && !cfg_obj_isboolean(obj)) {
autovalidation = true;
}
tresult = check_ta_conflicts(mkeys, tkeys,
autovalidation, mctx, logctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
/*
* Check options.
*/
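Review bot: In the trusted-keys loop of check_ta_conflicts the name-parse status is stored in `result` (`result = dns_name_fromstring(name, str, 0, NULL);` followed by `if (result != ISC_R_SUCCESS) {`), while the managed-keys loop above stores the same call's status in `tresult`. A successful parse therefore overwrites any error recorded earlier from isc_symtab_define, and a failed parse, which the adjacent comment says is already reported, becomes the function's return value and is then copied into check_viewconf's `result`. Using `tresult = dns_name_fromstring(name, str, 0, NULL);` and `if (tresult != ISC_R_SUCCESS) {` keeps the two loops consistent and preserves the first real error. A smaller point: the 'dnssec-validation auto' root-key warning `continue`s before the symtab lookup, so a root key present in both trusted-keys and managed-keys under auto validation gets only the first of the two warnings; if both are wanted, that `continue` should go.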
......@@ -777,6 +777,8 @@
./bin/tests/system/checkconf/good-acl.conf CONF-C 2016,2018,2019
./bin/tests/system/checkconf/good-class.conf CONF-C 2015,2016,2018,2019
./bin/tests/system/checkconf/good-dlv-dlv.example.com.conf CONF-C 2017,2018,2019
./bin/tests/system/checkconf/good-dup-managed-key.conf CONF-C 2019
./bin/tests/system/checkconf/good-dup-trusted-key.conf CONF-C 2019
./bin/tests/system/checkconf/good-lmdb-mapsize-largest.conf CONF-C 2017,2018,2019
./bin/tests/system/checkconf/good-lmdb-mapsize-smallest.conf CONF-C 2017,2018,2019
./bin/tests/system/checkconf/good-nested.conf CONF-C 2015,2016,2018,2019
......@@ -818,7 +820,10 @@
./bin/tests/system/checkconf/view-class-in2.conf CONF-C 2016,2018,2019
./bin/tests/system/checkconf/warn-dlv-auto.conf CONF-C 2017,2018,2019
./bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf CONF-C 2017,2018,2019
./bin/tests/system/checkconf/warn-duplicate-key.conf CONF-C 2019
./bin/tests/system/checkconf/warn-duplicate-root-key.conf CONF-C 2019
./bin/tests/system/checkconf/warn-keydir.conf CONF-C 2013,2016,2018,2019
./bin/tests/system/checkconf/warn-validation-auto-key.conf CONF-C 2019
./bin/tests/system/checkds/clean.sh SH 2012,2013,2014,2016,2018,2019
./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019
./bin/tests/system/checkds/dig.pl PERL 2014,2016,2018,2019