Commit ed106086 authored by Evan Hunt's avatar Evan Hunt
Browse files

Merge branch '7-remove-dlv-validation' into 'master'

Remove DLV validation code

Closes #7

See merge request !2233
parents 053a716a d7461772
Pipeline #19436 passed with stages
in 1 minute and 2 seconds
5276. [func] DNSSEC Lookaside Validation (DLV) is now obsolete;
all code enabling its use has been removed from the
validator, "delv", and the DNSSEC tools. [GL #7]
5275. [bug] Mark DS records included in referral messages
with trust level "pending" so that they can be
validated and cached immediately, with no need to
......
......@@ -125,18 +125,16 @@ static bool
static bool
cdflag = false,
no_sigs = false,
root_validation = true,
dlv_validation = true;
root_validation = true;
static bool use_tcp = false;
static char *anchorfile = NULL;
static char *trust_anchor = NULL;
static char *dlv_anchor = NULL;
static int num_keys = 0;
static dns_fixedname_t afn, dfn;
static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
static dns_fixedname_t afn;
static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = DNSSEC_KEYS;
......@@ -161,7 +159,7 @@ usage(void) {
" q-opt is one of:\n"
" -x dot-notation (shortcut for reverse lookups)\n"
" -d level (set debugging level)\n"
" -a anchor-file (specify root and dlv trust anchors)\n"
" -a anchor-file (specify root trust anchor)\n"
" -b address[#port] (bind to source address/port)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
......@@ -181,7 +179,8 @@ usage(void) {
" +[no]comments (Control display of comment lines)\n"
" +[no]rrcomments (Control display of per-record "
"comments)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" format)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" format)\n"
" +[no]short (Short form answer)\n"
" +[no]split=## (Split hex/base64 fields into chunks)\n"
" +[no]tcp (TCP mode)\n"
......@@ -190,7 +189,7 @@ usage(void) {
" +[no]rtrace (Trace resolver fetches)\n"
" +[no]mtrace (Trace messages received)\n"
" +[no]vtrace (Trace validation process)\n"
" +[no]dlv (DNSSEC lookaside validation anchor)\n"
" +[no]dlv (Obsolete)\n"
" +[no]root (DNSSEC validation trust anchor)\n"
" +[no]dnssec (Display DNSSEC records)\n"
" -h (print help and exit)\n"
......@@ -381,10 +380,9 @@ print_status(dns_rdataset_t *rdataset) {
tstr = "glue data";
break;
case dns_trust_answer:
if (root_validation || dlv_validation)
if (root_validation) {
tstr = "unsigned answer";
else
tstr = "answer not validated";
}
break;
case dns_trust_authauthority:
tstr = "authority data";
......@@ -575,30 +573,30 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
bool match_root = false, match_dlv = false;
bool match_root = false;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
if (!root_validation && !dlv_validation)
if (!root_validation) {
return (ISC_R_SUCCESS);
}
if (anchor_name)
if (anchor_name) {
match_root = dns_name_equal(keyname, anchor_name);
if (dlv_name)
match_dlv = dns_name_equal(keyname, dlv_name);
}
if (!match_root && !match_dlv)
if (!match_root) {
return (ISC_R_SUCCESS);
if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
}
if (!root_validation && match_root) {
return (ISC_R_SUCCESS);
}
if (match_root)
if (match_root) {
delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
trust_anchor);
if (match_dlv)
delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
dlv_anchor);
}
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
......@@ -697,7 +695,7 @@ setup_dnsseckeys(dns_client_t *client) {
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
if (!root_validation && !dlv_validation) {
if (!root_validation) {
return (ISC_R_SUCCESS);
}
......@@ -719,9 +717,6 @@ setup_dnsseckeys(dns_client_t *client) {
if (trust_anchor != NULL) {
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
}
if (dlv_anchor != NULL) {
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
}
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
......@@ -772,11 +767,6 @@ setup_dnsseckeys(dns_client_t *client) {
fatal("No trusted keys were loaded");
}
if (dlv_validation) {
dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
}
cleanup:
if (bindkeys != NULL) {
cfg_obj_destroy(parser, &bindkeys);
......@@ -1024,11 +1014,10 @@ plus_option(char *option) {
switch (cmd[1]) {
case 'l': /* dlv */
FULLCHECK("dlv");
if (state && no_sigs)
break;
dlv_validation = state;
if (value != NULL) {
dlv_anchor = isc_mem_strdup(mctx, value);
if (state) {
fprintf(stderr, "Invalid option: "
"+dlv is obsolete\n");
exit(1);
}
break;
case 'n': /* dnssec */
......@@ -1213,7 +1202,6 @@ dash_option(char *option, char *next, bool *open_type_class) {
/* NOTREACHED */
case 'i':
no_sigs = true;
dlv_validation = false;
root_validation = false;
break;
case 'm':
......@@ -1648,14 +1636,18 @@ main(int argc, char *argv[]) {
/* Set up resolution options */
resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
if (no_sigs)
if (no_sigs) {
resopt |= DNS_CLIENTRESOPT_NODNSSEC;
if (!root_validation && !dlv_validation)
}
if (!root_validation) {
resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
if (cdflag)
}
if (cdflag) {
resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
if (use_tcp)
}
if (use_tcp) {
resopt |= DNS_CLIENTRESOPT_TCP;
}
/* Perform resolution */
ISC_LIST_INIT(namelist);
......@@ -1680,8 +1672,6 @@ main(int argc, char *argv[]) {
dns_client_freeresanswer(client, &namelist);
cleanup:
if (dlv_anchor != NULL)
isc_mem_free(mctx, dlv_anchor);
if (trust_anchor != NULL)
isc_mem_free(mctx, trust_anchor);
if (anchorfile != NULL)
......
......@@ -96,7 +96,7 @@
<command>delv</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
......@@ -211,10 +211,7 @@
<para>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options. DNSSEC Lookaside
Validation can also be turned on by using the
<option>+dlv=NAME</option> to specify the name of a
zone containing DLV records.
<option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
......@@ -620,8 +617,7 @@
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<option>-i</option> or <option>+noroot</option> and
<option>+nodlv</option>.
<option>-i</option> or <option>+noroot</option>.
</para>
</listitem>
</varlistentry>
......@@ -630,7 +626,7 @@
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
Indicates whether to perform conventional (non-lookaside)
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
......@@ -641,18 +637,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dlv[=DLV]</option></term>
<listitem>
<para>
Indicates whether to perform DNSSEC lookaside validation,
and if so, specifies the name of the DLV trust anchor.
The <option>-a</option> option must also be used to specify
a file containing the DLV key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]tcp</option></term>
<listitem>
......
......@@ -208,8 +208,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
}
static void
logkey(dns_rdata_t *rdata)
{
logkey(dns_rdata_t *rdata) {
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
......@@ -228,9 +227,7 @@ logkey(dns_rdata_t *rdata)
}
static void
emit(dns_dsdigest_t dt, bool showall, char *lookaside,
bool cds, dns_rdata_t *rdata)
{
emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
......@@ -262,18 +259,6 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
if (result != ISC_R_SUCCESS)
fatal("can't print name");
/* Add lookaside origin, if set */
if (lookaside != NULL) {
if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, lookaside);
if (lookaside[strlen(lookaside) - 1] != '.') {
if (isc_buffer_availablelength(&nameb) < 1)
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, ".");
}
}
result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
&textb);
......@@ -293,26 +278,24 @@ emit(dns_dsdigest_t dt, bool showall, char *lookaside,
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL) {
if (cds)
printf(" CDS ");
else
printf(" DS ");
} else
printf(" DLV ");
if (cds) {
printf(" CDS ");
} else {
printf(" DS ");
}
isc_buffer_usedregion(&textb, &r);
printf("%.*s\n", (int)r.length, r.base);
}
static void
emits(bool showall, char *lookaside, bool cds, dns_rdata_t *rdata) {
emits(bool showall, bool cds, dns_rdata_t *rdata) {
unsigned i, n;
n = sizeof(dtype)/sizeof(dtype[0]);
for (i = 0; i < n; i++) {
if (dtype[i] != 0) {
emit(dtype[i], showall, lookaside, cds, rdata);
emit(dtype[i], showall, cds, rdata);
}
}
}
......@@ -338,12 +321,11 @@ usage(void) {
" -f zonefile: read keys from a zone file\n"
" -h: print help information\n"
" -K directory: where to find key or keyset files\n"
" -l zone: print DLV records in the given lookaside zone\n"
" -s: read keys from keyset-<dnsname> file\n"
" -T: TTL of output records (omitted by default)\n"
" -v level: verbosity\n"
" -V: print version information\n");
fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
fprintf(stderr, "Output: DS or CDS RRs\n");
exit (-1);
}
......@@ -352,7 +334,6 @@ int
main(int argc, char **argv) {
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
int ch;
bool cds = false;
......@@ -397,9 +378,6 @@ main(int argc, char **argv) {
add_dtype(strtodsdigest(isc_commandline_argument));
break;
case 'C':
if (lookaside != NULL)
fatal("lookaside and CDS are mutually"
" exclusive");
cds = true;
break;
case 'c':
......@@ -418,12 +396,7 @@ main(int argc, char **argv) {
filename = isc_commandline_argument;
break;
case 'l':
if (cds)
fatal("lookaside and CDS are mutually"
" exclusive");
lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string");
fatal("-l option (DLV lookaside) is obsolete");
break;
case 's':
usekeyset = true;
......@@ -528,7 +501,7 @@ main(int argc, char **argv) {
logkey(&rdata);
}
emits(showall, lookaside, cds, &rdata);
emits(showall, cds, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
......@@ -536,7 +509,7 @@ main(int argc, char **argv) {
loadkey(argv[isc_commandline_index], key_buf,
DST_KEY_MAXSIZE, &rdata);
emits(showall, lookaside, cds, &rdata);
emits(showall, cds, &rdata);
}
if (dns_rdataset_isassociated(&rdataset)) {
......
......@@ -112,10 +112,8 @@
<para>
The <command>dnssec-dsfromkey</command> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly-constructed RRs:
with the <option>-l</option> option it outputs DLV (DNSSEC Lookaside
Validation) RRs; or with the <option>-C</option> it outputs CDS (Child
DS) RRs.
Signer) resource records (RRs), or CDS (Child DS) RRs with the
<option>-C</option> option.
</para>
<para>
......@@ -212,9 +210,7 @@
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
exclusive with the <option>-l</option> option for generating DLV
records.
Generate CDS records rather than DS records.
</para>
</listitem>
</varlistentry>
......@@ -260,19 +256,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<replaceable>domain</replaceable> is appended to the name for each
record in the set.
This is mutually exclusive with the <option>-C</option> option
for generating CDS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
......@@ -362,7 +345,6 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle> (DS RRs),
<citetitle>RFC 4431</citetitle> (DLV RRs),
<citetitle>RFC 4509</citetitle> (SHA-256 for DS RRs),
<citetitle>RFC 6605</citetitle> (SHA-384 for DS RRs),
<citetitle>RFC 7344</citetitle> (CDS and CDNSKEY RRs).
......
......@@ -163,8 +163,6 @@ static bool removefile = false;
static bool generateds = false;
static bool ignore_kskflag = false;
static bool keyset_kskonly = false;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
static unsigned int serialformat = SOA_SERIAL_KEEP;
static unsigned int hash_length = 0;
......@@ -2906,7 +2904,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
dns_dbversion_t *dbversion = NULL;
dns_diff_t diff;
dns_difftuple_t *tuple = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
dns_rdata_t rdata, ds;
bool have_ksk = false;
......@@ -2939,18 +2936,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
dns_diff_init(mctx, &diff);
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
unsigned int labels;
dns_name_init(&tname, NULL);
name = dns_fixedname_initname(&fixed);
labels = dns_name_countlabels(gorigin);
dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
result = dns_name_concatenate(&tname, dlv, name, NULL);
check_result(result, "dns_name_concatenate");
} else
name = gorigin;
name = gorigin;
for (key = ISC_LIST_HEAD(keylist);
key != NULL;
......@@ -2991,8 +2977,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
DNS_DSDIGEST_SHA256,
dsbuf, &ds);
check_result(result, "dns_ds_buildrdata");
if (type == dns_rdatatype_dlv)
ds.type = dns_rdatatype_dlv;
result = dns_difftuple_create(mctx,
DNS_DIFFOP_ADDRESIGN,
name, 0, &ds, &tuple);
......@@ -3130,7 +3114,6 @@ usage(void) {
"\t\twith older versions of dnssec-signzone -g\n");
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
fprintf(stderr, "\t-3 NSEC3 salt\n");
fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
fprintf(stderr, "\t-A NSEC3 optout\n");
......@@ -3206,8 +3189,6 @@ main(int argc, char *argv[]) {
int tempfilelen = 0;
dns_rdataclass_t rdclass;
isc_task_t **tasks = NULL;
isc_buffer_t b;
int len;
hashlist_t hashlist;
bool make_keyset = false;
bool set_salt = false;
......@@ -3385,14 +3366,7 @@ main(int argc, char *argv[]) {
break;
case 'l':
len = strlen(isc_commandline_argument);
isc_buffer_init(&b, isc_commandline_argument, len);
isc_buffer_add(&b, len);
dlv = dns_fixedname_initname(&dlv_fixed);
result = dns_name_fromtext(dlv, &b, dns_rootname, 0,
NULL);
check_result(result, "dns_name_fromtext(dlv)");
fatal("-l option (DLV lookaside) is obsolete");
break;
case 'M':
......@@ -3798,10 +3772,8 @@ main(int argc, char *argv[]) {
if (!nokeys) {
writeset("dsset-", dns_rdatatype_ds);
if (make_keyset)
if (make_keyset) {
writeset("keyset-", dns_rdatatype_dnskey);
if (dlv != NULL) {
writeset("dlvset-", dns_rdatatype_dlv);
}
}
......
......@@ -224,16 +224,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">maxttl</replaceable></term>
<listitem>
......
......@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2019-06-28</date>
<date>2019-08-07</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
......@@ -154,7 +154,6 @@ logging {
</literallayout>
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal">
......@@ -253,9 +252,6 @@ options {
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable>
trust-anchor <replaceable>string</replaceable> |
auto | no ); deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
......@@ -614,9 +610,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable>
trust-anchor <replaceable>string</replaceable> |
auto | no ); deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
......@@ -866,7 +859,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
masters [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable>
| <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [
port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
max-ixfr-log-size ( default | unlimited |
max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
max-records <replaceable>integer</replaceable>;
max-refresh-time <replaceable>integer</replaceable>;
......@@ -886,7 +878,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable>
| * ) ] [ dscp <replaceable>integer</replaceable> ];
notify-to-soa <replaceable>boolean</replaceable>;
pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
request-expire <replaceable>boolean</replaceable>;
request-ixfr <replaceable>boolean</replaceable>;
serial-update-method ( date | increment | unixtime );
......
......@@ -3783,7 +3783,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
const cfg_obj_t *zonelist;
const cfg_obj_t *dlzlist;
const cfg_obj_t *dlz;
const cfg_obj_t *dlvobj = NULL;
unsigned int dlzargc;
char **dlzargv;
const cfg_obj_t *dyndb_list, *plugin_list;
......@@ -4614,7 +4613,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
}