Commit cbed2a46 authored by Michał Kępień's avatar Michał Kępień

Merge branch '298-fix-dname-handling-in-dnssec-tools-v9_11' into 'v9_11'

[v9_11] Fix DNAME handling in DNSSEC tools

See merge request !364
parents e104d97c 28b8ab88
4971. [bug] dnssec-signzone and dnssec-verify did not treat records
below a DNAME as out-of-zone data. [GL #298]
4969. [cleanup] Refactor zone logging functions. [GL #269] 4969. [cleanup] Refactor zone logging functions. [GL #269]
4968. [bug] If glue records are signed, attempt to validate them. 4968. [bug] If glue records are signed, attempt to validate them.
......
...@@ -191,6 +191,19 @@ static dns_ttl_t maxttl = 0; ...@@ -191,6 +191,19 @@ static dns_ttl_t maxttl = 0;
static void static void
sign(isc_task_t *task, isc_event_t *event); sign(isc_task_t *task, isc_event_t *event);
/*%
* Store a copy of 'name' in 'fzonecut' and return a pointer to that copy.
*/
static dns_name_t *
savezonecut(dns_fixedname_t *fzonecut, dns_name_t *name) {
dns_name_t *result;
result = dns_fixedname_initname(fzonecut);
dns_name_copy(name, result, NULL);
return (result);
}
static void static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) { dumpnode(dns_name_t *name, dns_dbnode_t *node) {
dns_rdataset_t rds; dns_rdataset_t rds;
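Review bot: The comment on savezonecut does not say that it (re)initializes 'fzonecut' through dns_fixedname_initname before copying, yet that is exactly why the explicit dns_fixedname_init(&fzonecut) calls are dropped from nsecify and nsec3ify in the later hunks of this file; read on its own, the helper looks like it only copies a name. Suggest `/*% * Initialize 'fzonecut', store a copy of 'name' in it and return a pointer to that copy. */`. Since every call reuses the same fixed name, a pointer obtained from an earlier call is overwritten by the next one; noting that in the same comment would spare a future caller from keeping two results alive.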
...@@ -1487,14 +1500,19 @@ assignwork(isc_task_t *task, isc_task_t *worker) { ...@@ -1487,14 +1500,19 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
if (dns_name_issubdomain(name, gorigin) && if (dns_name_issubdomain(name, gorigin) &&
(zonecut == NULL || (zonecut == NULL ||
!dns_name_issubdomain(name, zonecut))) { !dns_name_issubdomain(name, zonecut))) {
if (is_delegation(gdb, gversion, gorigin, name, node, NULL)) { if (is_delegation(gdb, gversion, gorigin,
zonecut = dns_fixedname_initname(&fzonecut); name, node, NULL))
dns_name_copy(name, zonecut, NULL); {
zonecut = savezonecut(&fzonecut, name);
if (!OPTOUT(nsec3flags) || if (!OPTOUT(nsec3flags) ||
secure(name, node)) secure(name, node))
found = ISC_TRUE; found = ISC_TRUE;
} else } else if (has_dname(gdb, gversion, node)) {
zonecut = savezonecut(&fzonecut, name);
found = ISC_TRUE; found = ISC_TRUE;
} else {
found = ISC_TRUE;
}
} }
} }
...@@ -1733,7 +1751,6 @@ nsecify(void) { ...@@ -1733,7 +1751,6 @@ nsecify(void) {
dns_rdataset_init(&rdataset); dns_rdataset_init(&rdataset);
name = dns_fixedname_initname(&fname); name = dns_fixedname_initname(&fname);
nextname = dns_fixedname_initname(&fnextname); nextname = dns_fixedname_initname(&fnextname);
dns_fixedname_init(&fzonecut);
zonecut = NULL; zonecut = NULL;
/* /*
...@@ -1795,11 +1812,12 @@ nsecify(void) { ...@@ -1795,11 +1812,12 @@ nsecify(void) {
} }
if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) { if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut); zonecut = savezonecut(&fzonecut, name);
dns_name_copy(name, zonecut, NULL);
remove_sigs(node, ISC_TRUE, 0); remove_sigs(node, ISC_TRUE, 0);
if (generateds) if (generateds)
add_ds(name, node, nsttl); add_ds(name, node, nsttl);
} else if (has_dname(gdb, gversion, node)) {
zonecut = savezonecut(&fzonecut, name);
} }
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
...@@ -2206,7 +2224,6 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, ...@@ -2206,7 +2224,6 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
dns_rdataset_init(&rdataset); dns_rdataset_init(&rdataset);
name = dns_fixedname_initname(&fname); name = dns_fixedname_initname(&fname);
nextname = dns_fixedname_initname(&fnextname); nextname = dns_fixedname_initname(&fnextname);
dns_fixedname_init(&fzonecut);
zonecut = NULL; zonecut = NULL;
/* /*
...@@ -2240,6 +2257,10 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, ...@@ -2240,6 +2257,10 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
(void)active_node(node); (void)active_node(node);
} }
if (has_dname(gdb, gversion, node)) {
zonecut = savezonecut(&fzonecut, name);
}
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
nextnode = NULL; nextnode = NULL;
while (result == ISC_R_SUCCESS) { while (result == ISC_R_SUCCESS) {
...@@ -2263,8 +2284,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, ...@@ -2263,8 +2284,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
if (is_delegation(gdb, gversion, gorigin, if (is_delegation(gdb, gversion, gorigin,
nextname, nextnode, &nsttl)) nextname, nextnode, &nsttl))
{ {
zonecut = dns_fixedname_name(&fzonecut); zonecut = savezonecut(&fzonecut, nextname);
dns_name_copy(nextname, zonecut, NULL);
remove_sigs(nextnode, ISC_TRUE, 0); remove_sigs(nextnode, ISC_TRUE, 0);
if (generateds) if (generateds)
add_ds(nextname, nextnode, nsttl); add_ds(nextname, nextnode, nsttl);
...@@ -2274,6 +2294,8 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, ...@@ -2274,6 +2294,8 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
continue; continue;
} }
} else if (has_dname(gdb, gversion, nextnode)) {
zonecut = savezonecut(&fzonecut, nextname);
} }
dns_db_detachnode(gdb, &nextnode); dns_db_detachnode(gdb, &nextnode);
break; break;
...@@ -2372,6 +2394,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, ...@@ -2372,6 +2394,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
dns_db_detachnode(gdb, &node); dns_db_detachnode(gdb, &node);
continue; continue;
} }
if (has_dname(gdb, gversion, node)) {
zonecut = savezonecut(&fzonecut, name);
}
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
nextnode = NULL; nextnode = NULL;
while (result == ISC_R_SUCCESS) { while (result == ISC_R_SUCCESS) {
...@@ -2394,14 +2421,15 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations, ...@@ -2394,14 +2421,15 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
if (is_delegation(gdb, gversion, gorigin, if (is_delegation(gdb, gversion, gorigin,
nextname, nextnode, NULL)) nextname, nextnode, NULL))
{ {
zonecut = dns_fixedname_name(&fzonecut); zonecut = savezonecut(&fzonecut, nextname);
dns_name_copy(nextname, zonecut, NULL);
if (OPTOUT(nsec3flags) && if (OPTOUT(nsec3flags) &&
!secure(nextname, nextnode)) { !secure(nextname, nextnode)) {
dns_db_detachnode(gdb, &nextnode); dns_db_detachnode(gdb, &nextnode);
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
continue; continue;
} }
} else if (has_dname(gdb, gversion, nextnode)) {
zonecut = savezonecut(&fzonecut, nextname);
} }
dns_db_detachnode(gdb, &nextnode); dns_db_detachnode(gdb, &nextnode);
break; break;
......
...@@ -572,6 +572,21 @@ is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, ...@@ -572,6 +572,21 @@ is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
return (ISC_TF(result == ISC_R_SUCCESS)); return (ISC_TF(result == ISC_R_SUCCESS));
} }
isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
dns_rdataset_t dnameset;
isc_result_t result;
dns_rdataset_init(&dnameset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
&dnameset, NULL);
if (dns_rdataset_isassociated(&dnameset)) {
dns_rdataset_disassociate(&dnameset);
}
return (ISC_TF(result == ISC_R_SUCCESS));
}
static isc_boolean_t static isc_boolean_t
goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name, goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
dns_rdataset_t *keyrdataset, dns_rdataset_t *rdataset, isc_mem_t *mctx) dns_rdataset_t *keyrdataset, dns_rdataset_t *rdataset, isc_mem_t *mctx)
...@@ -1724,6 +1739,9 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver, ...@@ -1724,6 +1739,9 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
zonecut = dns_fixedname_name(&fzonecut); zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL); dns_name_copy(name, zonecut, NULL);
isdelegation = ISC_TRUE; isdelegation = ISC_TRUE;
} else if (has_dname(db, ver, node)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
} }
nextnode = NULL; nextnode = NULL;
result = dns_dbiterator_next(dbiter); result = dns_dbiterator_next(dbiter);
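Review bot: has_dname maps every dns_db_findrdataset result other than ISC_R_SUCCESS to ISC_FALSE, so a failure that is not ISC_R_NOTFOUND is read as "no DNAME at this node" and the callers carry on as if the name were not occluded. That mirrors what is_delegation does on the line just above it (`return (ISC_TF(result == ISC_R_SUCCESS));`), so it is consistent, but nothing says so; a one-line comment above the return, `/* As in is_delegation(): any failure, not only ISC_R_NOTFOUND, counts as "no DNAME". */`, would make the intent explicit. The definition in dnssectool.c also carries no comment while the header does; repeating the header's `/*% ... */` block above the definition would keep the two in step.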
......
...@@ -87,6 +87,13 @@ isc_boolean_t ...@@ -87,6 +87,13 @@ isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp); dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
/*%
* Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
* 'node'; return ISC_FALSE otherwise.
*/
isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
void void
verifyzone(dns_db_t *db, dns_dbversion_t *ver, verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx, dns_name_t *origin, isc_mem_t *mctx,
......
...@@ -58,7 +58,7 @@ do ...@@ -58,7 +58,7 @@ do
expect1="signature has expired" expect1="signature has expired"
expect2="No self-signed .*DNSKEY found" expect2="No self-signed .*DNSKEY found"
;; ;;
*.out-of-zone-nsec|*.below-bottom-of-zone-nsec) *.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec)
expect1="unexpected NSEC RRset at" expect1="unexpected NSEC RRset at"
;; ;;
*.nsec.broken-chain) *.nsec.broken-chain)
......
...@@ -42,6 +42,13 @@ $KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n ...@@ -42,6 +42,13 @@ $KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $KEYGEN -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec.apex-dname good
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
# A set of nsec3 zones. # A set of nsec3 zones.
setup zsk-only.nsec3 good setup zsk-only.nsec3 good
$KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n $KEYGEN -3 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
...@@ -56,11 +63,18 @@ $KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n ...@@ -56,11 +63,18 @@ $KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.outout good setup ksk+zsk.optout good
$KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n $KEYGEN -3 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n $KEYGEN -3 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec3.apex-dname good
zsk=`$KEYGEN -3 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -3 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
# A set of zones with only DNSKEY records. # A set of zones with only DNSKEY records.
setup zsk-only.dnskeyonly bad setup zsk-only.dnskeyonly bad
key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n key1=`$KEYGEN -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
...@@ -151,7 +165,7 @@ $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s ...@@ -151,7 +165,7 @@ $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file} echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
# extra NSEC record below bottom of one # extra NSEC record below bottom of zone
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
...@@ -162,6 +176,15 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$ ...@@ -162,6 +176,15 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$
# dnssec-signzone signs any node with a NSEC record. # dnssec-signzone signs any node with a NSEC record.
awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file} awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}
# extra NSEC record below DNAME
setup ksk+zsk.nsec.below-dname-nsec bad
zsk=`$KEYGEN -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
# missing NSEC3 record at empty node # missing NSEC3 record at empty node
# extract the hash fields from the empty node's NSEC 3 record then fix up # extract the hash fields from the empty node's NSEC 3 record then fix up
# the NSEC3 chain to remove it # the NSEC3 chain to remove it
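Review bot: In both new apex-dname setups the key names captured into `zsk` and `ksk` are never used: the $SIGNER lines that follow use -S to locate the keys, and `${file}.tmp` is built from unsigned.db alone. Either switch to the plain redirect form of the neighbouring smart-signing cases, `$KEYGEN -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n`, or actually feed the keys into the zone as the below-dname-nsec case does with `cat unsigned.db $ksk.key $zsk.key > $file`. The below-dname-nsec case appends an NSEC at `sub.dname.${zone}.` and so presumes unsigned.db already holds a DNAME at `dname.${zone}`; that fixture is not visible in this hunk and is worth confirming, otherwise the case does not exercise the DNAME path it is named after.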
......