Commit e3160b27 authored by Michał Kępień's avatar Michał Kępień
Browse files

Ensure responses sourced from mirror zones have the AD bit set

Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
parent ad0ec2ea
......@@ -250,12 +250,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking flags set in a response sourced from a mirror zone ($n)"
echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......
......@@ -30,6 +30,12 @@ ISC_LANG_BEGINDECLS
*
* The rest of the zone was signed with at least one of the ZSKs
* present in the DNSKEY RRSET.
*
* Mark all RRsets correctly signed by one of the keys in the DNSKEY RRset at
* zone apex as secure.
*
* If 'secroots' is not NULL, mark the DNSKEY RRset as secure if it is
* correctly signed by at least one key present in 'secroots'.
*/
isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
......
......@@ -912,6 +912,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
continue;
}
if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) {
dns_rdataset_settrust(rdataset, dns_trust_secure);
dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
set_algorithms[sig.algorithm] = 1;
}
}
......@@ -1561,6 +1563,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
* The supplied key is a trust anchor.
*/
dns_keytable_detachkeynode(vctx->secroots, &keynode);
dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
*goodkey = ISC_TRUE;
break;
case DNS_R_PARTIALMATCH:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment