Commit bfe32d08 authored by Evan Hunt's avatar Evan Hunt
Browse files

3116. [func] New 'dnssec-update-mode' option controls updates

			of DNSSEC records in signed dynamic zones.  Set to
			'no-resign' to disable automatic RRSIG regeneration
			while retaining the ability to sign new or changed
			data. [RT #24533]
parent 86e92d6a
3116. [func] New 'dnssec-update-mode' option controls updates
of DNSSEC records in signed dynamic zones. Set to
'no-resign' to disable automatic RRSIG regeneration
while retaining the ability to sign new or changed
data. [RT #24533]
3115. [bug] Named could fail to return requested data when
following a CNAME that points into the same zone.
[RT #24455]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.117 2011/04/29 21:37:14 each Exp $ */
/* $Id: config.c,v 1.118 2011/05/23 20:10:01 each Exp $ */
/*! \file */
......@@ -209,6 +209,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
dnssec-update-mode maintain;\n\
dnssec-dnskey-kskonly no;\n\
dnssec-loadkeys-interval 60;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.176 2011/05/06 21:23:50 each Exp $ */
/* $Id: zoneconf.c,v 1.177 2011/05/23 20:10:01 each Exp $ */
/*% */
......@@ -1248,7 +1248,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
if (ztype == dns_zone_master) {
isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
isc_boolean_t create = ISC_FALSE;
obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj);
......@@ -1338,15 +1337,25 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
allow = ISC_TRUE;
else if (strcasecmp(arg, "maintain") == 0)
allow = maint = ISC_TRUE;
else if (strcasecmp(arg, "create") == 0)
allow = maint = create = ISC_TRUE;
else if (strcasecmp(arg, "off") == 0)
;
else
INSIST(0);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, create);
}
obj = NULL;
result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "no-resign") == 0)
dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN,
ISC_TRUE);
else if (strcasecmp(arg, "maintain") == 0)
;
else
INSIST(0);
}
}
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.41 2011/03/07 14:03:49 marka Exp $
# $Id: clean.sh,v 1.42 2011/05/23 20:10:02 each Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
......@@ -24,6 +24,7 @@ rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/split-dnssec.example.db
rm -f ns3/expiring.example.db ns3/nosign.example.db
rm -f ns2/private.secure.example.db
rm -f ns2/badparam.db ns2/badparam.db.bad
rm -f ns2/single-nsec3.db
......@@ -56,3 +57,4 @@ rm -f signer/nsec3param.out
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db
rm -f nosign.before
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.47 2011/05/19 00:31:57 smann Exp $ */
/* $Id: named.conf,v 1.48 2011/05/23 20:10:02 each Exp $ */
// NS3
......@@ -229,4 +229,11 @@ zone "expiring.example" {
file "expiring.example.db.signed";
};
zone "nosign.example" {
type master;
allow-update { any; };
dnssec-update-mode no-resign;
file "nosign.example.db.signed";
};
include "trusted.conf";
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: nosign.example.db.in,v 1.2 2011/05/23 20:10:02 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.41 2011/05/19 00:31:57 smann Exp $
# $Id: sign.sh,v 1.42 2011/05/23 20:10:02 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -370,6 +370,9 @@ echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
#
# Zone with signatures about to expire, but no private key to replace them
#
zone="expiring.example."
infile="expiring.example.db.in"
zonefile="expiring.example.db"
......@@ -380,3 +383,20 @@ cp $infile $zonefile
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
rm -f ${zskname}.private ${kskname}.private
#
# Zone with signatures about to expire, and dynamic, but configured
# not to resign with 'auto-resign no;'
#
zone="nosign.example."
infile="nosign.example.db.in"
zonefile="nosign.example.db"
signedfile="nosign.example.db.signed"
kskname=`$KEYGEN -q -r $RANDFILE $zone`
zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
cp $infile $zonefile
$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
# preserve a normalized copy of the NS RRSIG for comparison later
$CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
sed 's/[ ][ ]*/ /g'> ../nosign.before
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.89 2011/05/19 00:31:57 smann Exp $
# $Id: tests.sh,v 1.90 2011/05/23 20:10:02 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -1329,6 +1329,49 @@ ret=0
$DIG +noall +answer +dnssec +nottl -p 5300 expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
# there must be a signature here
[ -s dig.out.ns3.test$n ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing new records are signed with 'no-resign' ($n)"
ret=0
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add new.nosign.example 300 in txt "hi there"
echo send
) | $NSUPDATE
sleep 1
$DIG +noall +answer +dnssec -p 5300 txt new.nosign.example @10.53.0.3 \
> dig.out.ns3.test$n 2>&1
grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing expiring records aren't resigned with 'no-resign' ($n)"
ret=0
$DIG +noall +answer +dnssec +nottl -p 5300 nosign.example ns @10.53.0.3 | \
grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1
# the NS RRSIG should not be changed
cmp -s nosign.before dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing updates fail with no private key ($n)"
ret=0
rm -f ns3/Knosign.example.*.private
(
echo zone nosign.example
echo server 10.53.0.3 5300
echo update add fail.nosign.example 300 in txt "reject me"
echo send
) | $NSUPDATE > /dev/null 2>&1 && ret=1
$DIG +noall +answer +dnssec -p 5300 fail.nosign.example txt @10.53.0.3 \
> dig.out.ns3.test$n 2>&1
[ -s dig.out.ns3.test$n ] && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
 
<!-- File: $Id: Bv9ARM-book.xml,v 1.491 2011/05/17 04:48:51 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.492 2011/05/23 20:10:02 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
 
......@@ -1189,10 +1189,10 @@ zone "eng.example.com" {
<para>
This command requires that the
<command>auto-dnssec</command> zone option to be set
to <literal>allow</literal>,
<literal>maintain</literal>, or
<literal>create</literal>, and also requires
the zone to be configured to allow dynamic DNS.
to <literal>allow</literal> or
<literal>maintain</literal>,
and also requires the zone to be configured to
allow dynamic DNS.
See <xref linkend="dynamic_update_policies"/> for
more details.
</para>
......@@ -1218,9 +1218,9 @@ zone "eng.example.com" {
<para>
This command requires that the
<command>auto-dnssec</command> zone option to
be set to <literal>maintain</literal> or
<literal>create</literal>, and also requires
the zone to be configured to allow dynamic DNS.
be set to <literal>maintain</literal>,
and also requires the zone to be configured to
allow dynamic DNS.
See <xref linkend="dynamic_update_policies"/> for
more details.
</para>
......@@ -5062,6 +5062,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
......@@ -5852,6 +5853,41 @@ options {
</listitem>
</varlistentry>
 
<varlistentry>
<term><command>dnssec-update-mode</command></term>
<listitem>
<para>
If this option is set to its default value of
<literal>maintain</literal> in a zone of type
<literal>master</literal> which is DNSSEC-signed
and configured to allow dynamic updates (see
<xref linkend="dynamic_update_policies"/>), and
if <command>named</command> has access to the
private signing key(s) for the zone, then
<command>named</command> will automatically sign all new
or changed records and maintain signatures for the zone
by regenerating RRSIG records whenever they approach
their expiration date.
</para>
<para>
If the option is changed to <literal>no-resign</literal>,
then <command>named</command> will sign all new or
changed records, but scheduled maintenance of
signatures is disabled.
</para>
<para>
With either of these settings, <command>named</command>
will reject updates to a DNSSEC-signed zone when the
signing keys are inactive or unavailable to
<command>named</command>. (A planned third option,
<literal>external</literal>, will disable all automatic
signing and allow DNSSEC data to be submitted into a zone
via dyanmic update; this is not yet implemented.)
</para>
</listitem>
</varlistentry>
</variablelist>
 
<sect3 id="boolean_options">
......@@ -10052,7 +10088,7 @@ view "external" {
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
<optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>; </optional>
<optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
};
 
......@@ -10064,6 +10100,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
......@@ -10666,6 +10703,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
 
<varlistentry>
<term><command>dnssec-update-mode</command></term>
<listitem>
<para>
See the description of
<command>dnssec-update-mode</command> in <xref linkend="options"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnssec-dnskey-kskonly</command></term>
<listitem>
......@@ -11141,7 +11188,7 @@ example.com. NS ns2.example.net.
<para>
Zones configured for dynamic DNS may also use this
option to allow varying levels of automatic DNSSEC key
management. There are four possible settings:
management. There are three possible settings:
</para>
<para>
<command>auto-dnssec allow;</command> permits
......@@ -11172,13 +11219,6 @@ example.com. NS ns2.example.net.
interval is defined by
<command>dnssec-loadkeys-interval</command>.)
</para>
<para>
<command>auto-dnssec create;</command> includes the
above, but also allows <command>named</command>
to create new keys in the key repository when needed.
(NOTE: This option is not yet implemented; the syntax is
being reserved for future use.)
</para>
<para>
The default setting is <command>auto-dnssec off</command>.
</para>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.188 2011/05/06 21:23:51 each Exp $ */
/* $Id: zone.h,v 1.189 2011/05/23 20:10:03 each Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
......@@ -93,6 +93,7 @@ typedef enum {
#define DNS_ZONEKEY_MAINTAIN 0x00000002U /*%< publish/sign on schedule */
#define DNS_ZONEKEY_CREATE 0x00000004U /*%< make keys when needed */
#define DNS_ZONEKEY_FULLSIGN 0x00000008U /*%< roll to new keys immediately */
#define DNS_ZONEKEY_NORESIGN 0x00000010U /*%< no automatic resigning */
#ifndef DNS_ZONE_MINREFRESH
#define DNS_ZONE_MINREFRESH 300 /*%< 5 minutes */
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.610 2011/05/19 23:47:17 tbox Exp $ */
/* $Id: zone.c,v 1.611 2011/05/23 20:10:02 each Exp $ */
/*! \file */
......@@ -3625,6 +3625,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
}
if (zone->type == dns_zone_master &&
!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
dns_zone_isdynamic(zone, ISC_FALSE) &&
dns_db_issecure(db)) {
dns_name_t *name;
......@@ -4956,10 +4957,14 @@ zone_resigninc(dns_zone_t *zone) {
dns_diff_init(zone->mctx, &sig_diff);
sig_diff.resign = zone->sigresigninginterval;
/*
* Updates are disabled. Pause for 5 minutes.
* Zone is frozen or automatic resigning is disabled.
* Pause for 5 minutes.
*/
if (zone->update_disabled) {
if (zone->update_disabled ||
DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN))
{
result = ISC_R_FAILURE;
goto failure;
}
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.137 2011/05/07 05:55:17 each Exp $ */
/* $Id: namedconf.c,v 1.138 2011/05/23 20:10:03 each Exp $ */
/*! \file */
......@@ -541,13 +541,18 @@ static cfg_type_t cfg_type_bracketed_sockaddrlist = {
&cfg_rep_list, &cfg_type_sockaddr
};
static const char *autodnssec_enums[] = { "allow", "maintain", "create",
"off", NULL };
static const char *autodnssec_enums[] = { "allow", "maintain", "off", NULL };
static cfg_type_t cfg_type_autodnssec = {
"autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &autodnssec_enums
};
static const char *dnssecupdatemode_enums[] = { "maintain", "no-resign", NULL };
static cfg_type_t cfg_type_dnssecupdatemode = {
"dnssecupdatemode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &dnssecupdatemode_enums
};
static cfg_type_t cfg_type_rrsetorder = {
"rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
&cfg_rep_list, &cfg_type_rrsetorderingelement
......@@ -1360,6 +1365,7 @@ zone_clauses[] = {
{ "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
{ "dnssec-loadkeys-interval", &cfg_type_uint32, 0 },
{ "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
{ "dnssec-update-mode", &cfg_type_dnssecupdatemode, 0 },
{ "forward", &cfg_type_forwardtype, 0 },
{ "forwarders", &cfg_type_portiplist, 0 },
{ "key-directory", &cfg_type_qstring, 0 },
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment