Commit cf224bbf authored by Mark Andrews's avatar Mark Andrews
Browse files

1942. [bug] If the name of a DNSKEY match that of one in

                        trusted-keys do not attempt to validate the DNSKEY
                        using the parents DS RRset. [RT #15649]
parent 6e3b7da8
1942. [bug] If the name of a DNSKEY match that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parents DS RRset. [RT #15649]
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.282 2005/11/03 00:51:54 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.283 2005/12/04 23:54:00 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -2410,19 +2410,95 @@ allow-update { key host1-host2. ;};
<sect2>
<title>Configuring Servers</title>
<para>
Unlike <acronym>BIND</acronym> 8,
<acronym>BIND</acronym> 9 does not verify signatures on
load,
so zone keys for authoritative zones do not need to be specified
in the configuration file.
<para>
To enable <command>named</command> to respond appropriately
to DNS requests from DNSSEC aware clients
<command>dnssec-enable</command> must be set to yes.
</para>
<para>
The public key for any security root must be present in
the configuration file's <command>trusted-keys</command>
statement, as described later in this document.
<para>
To enable <command>named</command> to validate answers from
other servers both <command>dnssec-enable</command> and
<command>dnssec-validate</command> must be set and some
some <command>trusted-keys</command> must be configured
into <filename>named.conf</filename>.
</para>
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
for zones that are used to form the first link the the
cryptographic chain of trust. All keys listed in
<command>trusted-keys</command> (and corresponding zones)
are deemed to exist and only the listed keys will be used
to validated the DNSKEY RRset that they are from.
</para>
<para>
<command>trusted-keys</command> are described in more detail
later in this document.
</para>
<para>
Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
9 does not verify signatures on load, so zone keys for
authoritative zones do not need to be specified in the
configuration file.
</para>
<para>
After DNSSEC gets established, a typical DNSSEC configuration
will look something like the following. It has a one or
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
controls. These are here to ensure that named is immune
to compromises in the DNSSEC components of the security
of parent zones.
</para>
<programlisting>
trusted-keys {
/* Root Key */
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
/* Key for out organizations forward zone */
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
SCThlHf3xiYleDbt/o1OTQ09A0=";
/* Key for our reverse zone. */
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
options {
...
dnssec-enable yes;
dnssec-validation yes;
};
</programlisting>
<note>
None of the keys listed in this example are valid. In particular
the root key is not valid.
</note>
</sect2>
......@@ -7577,34 +7653,36 @@ query-source-v6 address * port *;
</programlisting>
</sect2>
<sect2>
<title><command>trusted-keys</command> Statement Definition
and Usage</title>
<para>
The <command>trusted-keys</command> statement defines DNSSEC
security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A
security root is defined when the public key for a
non-authoritative
zone is known, but cannot be securely obtained through DNS, either
because it is the DNS root zone or because its parent zone is
unsigned.
Once a key has been configured as a trusted key, it is treated as
if it had been validated and proven secure. The resolver attempts
DNSSEC validation on all DNS data in subdomains of a security
root.
<sect2>
<title><command>trusted-keys</command> Statement Definition
and Usage</title>
<para>
The <command>trusted-keys</command> statement defines
DNSSEC security roots. DNSSEC is described in <xref
linkend="DNSSEC"/>. A security root is defined when the
public key for a non-authoritative zone is known, but
cannot be securely obtained through DNS, either because
it is the DNS root zone or because its parent zone is
unsigned. Once a key has been configured as a trusted
key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation
on all DNS data in subdomains of a security root.
</para>
<para>
All zones listed in <command>trusted-keys</command> are deemed
to exist regardless of what parent zones say.
All keys (and corresponding zones) listed in
<command>trusted-keys</command> are deemed to exist regardless
of what parent zones say. Similarly for all keys listed in
<command>trusted-keys</command> only those keys are
used to validate the DNSKEY RRset. The parents DS RRset
will not be used.
</para>
<para>
The <command>trusted-keys</command> statement can
contain
multiple key entries, each consisting of the key's domain name,
flags, protocol, algorithm, and the Base-64 representation of the
key data.
</para>
</sect2>
<para>
The <command>trusted-keys</command> statement can contain
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base-64
representation of the key data.
</para>
</sect2>
<sect2 id="view_statement_grammar">
<title><command>view</command> Statement Grammar</title>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.h,v 1.13 2005/04/29 00:22:59 marka Exp $ */
/* $Id: keytable.h,v 1.14 2005/12/04 23:54:01 marka Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
......@@ -135,7 +135,8 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
dns_keynode_t **keynodep);
/*%<
* Search for a key named 'name', matching 'algorithm' and 'tag' in
* 'keytable'.
* 'keytable'. This finds the first instance which matches. Use
* dns_keytable_findnextkeynode() to find other instances.
*
* Requires:
*
......@@ -148,6 +149,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
* Returns:
*
*\li ISC_R_SUCCESS
*\li DNS_R_PARTIALMATCH the name existed in the keytable.
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
......@@ -158,7 +160,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep);
/*%<
* Search for the next key with the same properties as 'keynode' in
* 'keytable'.
* 'keytable' as found by dns_keytable_findkeynode().
*
* Requires:
*
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.c,v 1.31 2005/07/12 01:00:15 marka Exp $ */
/* $Id: keytable.c,v 1.32 2005/12/04 23:54:00 marka Exp $ */
/*! \file */
......@@ -236,6 +236,13 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
/*
* Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
* as that indicates that 'name' was not found.
*
* DNS_R_PARTIALMATCH indicates that the name was found but we
* didn't get a match on algorithm and key id arguments.
*/
knode = NULL;
data = NULL;
result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
......@@ -253,7 +260,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
UNLOCK(&keytable->lock);
*keynodep = knode;
} else
result = ISC_R_NOTFOUND;
result = DNS_R_PARTIALMATCH;
} else if (result == DNS_R_PARTIALMATCH)
result = ISC_R_NOTFOUND;
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.137 2005/11/30 05:01:34 marka Exp $ */
/* $Id: validator.c,v 1.138 2005/12/04 23:54:00 marka Exp $ */
/*! \file */
......@@ -1623,12 +1623,14 @@ validatezonekey(dns_validator_t *val) {
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
dns_keytag_t keytag;
dns_rdata_ds_t ds;
dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dst_key_t *dstkey;
isc_boolean_t supported_algorithm;
isc_boolean_t atsep = ISC_FALSE;
/*
* Caller must be holding the validator lock.
......@@ -1659,6 +1661,9 @@ validatezonekey(dns_validator_t *val) {
sig.algorithm,
sig.keyid,
&keynode);
if (result == DNS_R_PARTIALMATCH ||
result == ISC_R_SUCCESS)
atsep = ISC_TRUE;
while (result == ISC_R_SUCCESS) {
dstkey = dns_keynode_key(keynode);
result = verify(val, dstkey, &sigrdata,
......@@ -1697,6 +1702,22 @@ validatezonekey(dns_validator_t *val) {
return (DNS_R_NOVALIDDS);
}
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
* RRset. As this is a SEP we have to assume that
* the RRset is invalid.
*/
dns_name_format(val->event->name, namebuf,
sizeof(namebuf));
validator_log(val, ISC_LOG_DEBUG(2),
"unable to find a DNSKEY which verifies "
"the DNSKEY RRset and also matches one "
"of specified trusted-keys for '%s'",
namebuf);
return (DNS_R_NOVALIDKEY);
}
/*
* Otherwise, try to find the DS record.
*/
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment