Commit be5d4cad authored by Evan Hunt's avatar Evan Hunt

Merge branch '868-fix-trusted-keys-handling-with-dnssec-validation-auto' into 'master'

fix incorrect behavior mixing trusted-keys with validation auto

Closes #868

See merge request !1483
parents 8a8cd19e cdc4388a
5228. [func] If trusted-keys and managed-keys were configured
simultaneously for the same name, the key could
not be be rolled automatically. This is now
a fatal configuration error. [GL #868]
5227. [placeholder]
 
5226. [placeholder]
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
};
trusted-keys {
example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
};
trusted-keys {
. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation auto;
};
trusted-keys {
. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
trusted-keys {
example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};
......@@ -387,7 +387,8 @@ grep "trusted-key for root from 2010 without updated" checkconf.out$n > /dev/nul
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
n=`expr $n + 1`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
......@@ -22,3 +22,7 @@ root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
ns7 is a validator with multiple views configured. It is used for
testing per-view rndc commands and checking interactions between options
related to and potentially affecting RFC 5011 processing.
......@@ -132,7 +132,16 @@
<itemizedlist>
<listitem>
<para>
None.
When <command>trusted-keys</command> and
<command>managed-keys</command> were both configured for the
same name, or when <command>trusted-keys</command> was used to
configure a trust anchor for the root zone and
<command>dnssec-validation</command> was set to the default
value of <literal>auto</literal>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</para>
</listitem>
</itemizedlist>
......@@ -39,6 +39,7 @@
#include <dns/acl.h>
#include <dns/dnstap.h>
#include <dns/fixedname.h>
#include <dns/rbt.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/rrl.h>
......@@ -3263,6 +3264,118 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
return (result);
}
/*
* Check for conflicts between trusted-keys and managed-keys.
*/
static isc_result_t
check_ta_conflicts(const cfg_obj_t *mkeys, const cfg_obj_t *tkeys,
bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx)
{
isc_result_t result = ISC_R_SUCCESS, tresult;
const cfg_listelt_t *elt = NULL, *elt2 = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
const cfg_obj_t *obj;
const char *str;
isc_symtab_t *symtab = NULL;
isc_symvalue_t symvalue;
char namebuf[DNS_NAME_FORMATSIZE];
const char *file;
unsigned int line;
name = dns_fixedname_initname(&fixed);
result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
for (elt = cfg_list_first(mkeys);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
obj = cfg_listelt_value(elt2);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
tresult = dns_name_fromstring(name, str, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
/* already reported */
continue;
}
dns_name_format(name, namebuf, sizeof(namebuf));
symvalue.as_cpointer = obj;
tresult = isc_symtab_define(symtab, namebuf, 1,
symvalue,
isc_symexists_reject);
if (tresult != ISC_R_SUCCESS &&
tresult != ISC_R_EXISTS)
{
result = tresult;
continue;
}
}
}
for (elt = cfg_list_first(tkeys);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
obj = cfg_listelt_value(elt2);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
result = dns_name_fromstring(name, str, 0, NULL);
if (result != ISC_R_SUCCESS) {
/* already reported */
continue;
}
if (autovalidation &&
dns_name_equal(name, dns_rootname))
{
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"trusted-keys for root zone "
"cannot be used with "
"'dnssec-validation auto'.");
result = ISC_R_FAILURE;
continue;
}
dns_name_format(name, namebuf, sizeof(namebuf));
tresult = isc_symtab_lookup(symtab, namebuf, 1,
&symvalue);
if (tresult == ISC_R_SUCCESS) {
file = cfg_obj_file(symvalue.as_cpointer);
line = cfg_obj_line(symvalue.as_cpointer);
if (file == NULL) {
file = "<unknown file>";
}
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"trusted-keys and managed-keys "
"cannot be used for the "
"same name. managed-key defined "
"(%s:%u)", file, line);
result = ISC_R_FAILURE;
}
}
}
cleanup:
if (symtab != NULL) {
isc_symtab_destroy(&symtab);
}
return (result);
}
typedef enum {
special_zonetype_rpz,
special_zonetype_catz
......@@ -3404,7 +3517,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_log_t *logctx, isc_mem_t *mctx)
{
const cfg_obj_t *zones = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *keys = NULL, *tkeys = NULL, *mkeys = NULL;
#ifndef HAVE_DLOPEN
const cfg_obj_t *dyndb = NULL;
#endif
......@@ -3417,6 +3530,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *options = NULL;
const cfg_obj_t *opts = NULL;
const cfg_obj_t *plugin_list = NULL;
bool autovalidation = false;
unsigned int tflags, mflags;
/*
......@@ -3570,14 +3684,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
/*
* Check trusted-keys and managed-keys.
*/
keys = NULL;
tkeys = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "trusted-keys", &keys);
if (keys == NULL)
(void)cfg_map_get(config, "trusted-keys", &keys);
(void)cfg_map_get(voptions, "trusted-keys", &tkeys);
if (tkeys == NULL)
(void)cfg_map_get(config, "trusted-keys", &tkeys);
tflags = 0;
for (element = cfg_list_first(keys);
for (element = cfg_list_first(tkeys);
element != NULL;
element = cfg_list_next(element))
{
......@@ -3594,33 +3708,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-key for root from 2010 without updated "
"trusted-key from 2017: THIS WILL FAIL AFTER "
"KEY ROLLOVER");
}
if ((tflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-key for dlv.isc.org still present; "
"dlv.isc.org has been shut down");
}
keys = NULL;
mkeys = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "managed-keys", &keys);
if (keys == NULL)
(void)cfg_map_get(config, "managed-keys", &keys);
(void)cfg_map_get(voptions, "managed-keys", &mkeys);
if (mkeys == NULL)
(void)cfg_map_get(config, "managed-keys", &mkeys);
mflags = 0;
for (element = cfg_list_first(keys);
for (element = cfg_list_first(mkeys);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *keylist = cfg_listelt_value(element);
for (element2 = cfg_list_first(keylist);
element2 != NULL;
element2 = cfg_list_next(element2)) {
element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2);
tresult = check_trusted_key(obj, true, &mflags,
logctx);
......@@ -3630,13 +3745,13 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"managed-key for root from 2010 without updated "
"managed-key from 2017");
}
if ((mflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"managed-key for dlv.isc.org still present; "
"dlv.isc.org has been shut down");
}
......@@ -3644,11 +3759,28 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
(mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
{
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys for the ICANN "
"root are present");
}
obj = NULL;
if (voptions != NULL) {
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
}
if (obj == NULL && options != NULL) {
(void)cfg_map_get(options, "dnssec-validation", &obj);
}
if (obj != NULL && !cfg_obj_isboolean(obj)) {
autovalidation = true;
}
tresult = check_ta_conflicts(mkeys, tkeys,
autovalidation, mctx, logctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
/*
* Check options.
*/
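Review bot: In check_ta_conflicts the trusted-keys loop stores the name-parse status in `result` (`result = dns_name_fromstring(name, str, 0, NULL);`), so once a conflict has set `result = ISC_R_FAILURE`, the next key whose name parses cleanly resets it to ISC_R_SUCCESS and the function can return success after having logged the error; the managed-keys loop above uses `tresult` for the same call, and this one should too: `tresult = dns_name_fromstring(name, str, 0, NULL); if (tresult != ISC_R_SUCCESS) { continue; }`. Separately, in check_viewconf `autovalidation` is set only when a dnssec-validation statement is present and non-boolean, so a view that omits the option and relies on the `auto` default described in the release note is not checked unless defaults have been merged into `options` before this point, which is not visible in the hunk. The added `#include <dns/rbt.h>` does not appear to be used by any new code in this section; the new function works on an isc_symtab_t only.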