Commit ff7015a0 authored by Michał Kępień's avatar Michał Kępień

Treat records below a DNAME as out-of-zone data

DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains.  Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records.  Check that DNAME-obscured
records are not signed.

(cherry picked from commit 75c0d85f)
parent f3b5550c
......@@ -1493,8 +1493,13 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
if (!OPTOUT(nsec3flags) ||
secure(name, node))
found = ISC_TRUE;
} else
} else if (has_dname(gdb, gversion, node)) {
zonecut = dns_fixedname_initname(&fzonecut);
dns_name_copy(name, zonecut, NULL);
found = ISC_TRUE;
} else {
found = ISC_TRUE;
}
}
}
......@@ -1800,6 +1805,9 @@ nsecify(void) {
remove_sigs(node, ISC_TRUE, 0);
if (generateds)
add_ds(name, node, nsttl);
} else if (has_dname(gdb, gversion, node)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
}
result = dns_dbiterator_next(dbiter);
......@@ -2240,6 +2248,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
(void)active_node(node);
}
if (has_dname(gdb, gversion, node)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
}
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
while (result == ISC_R_SUCCESS) {
......@@ -2274,6 +2287,9 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
result = dns_dbiterator_next(dbiter);
continue;
}
} else if (has_dname(gdb, gversion, nextnode)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(nextname, zonecut, NULL);
}
dns_db_detachnode(gdb, &nextnode);
break;
......@@ -2372,6 +2388,12 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
dns_db_detachnode(gdb, &node);
continue;
}
if (has_dname(gdb, gversion, node)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
}
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
while (result == ISC_R_SUCCESS) {
......@@ -2402,6 +2424,9 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
result = dns_dbiterator_next(dbiter);
continue;
}
} else if (has_dname(gdb, gversion, nextnode)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(nextname, zonecut, NULL);
}
dns_db_detachnode(gdb, &nextnode);
break;
......
......@@ -602,6 +602,21 @@ is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
return (ISC_TF(result == ISC_R_SUCCESS));
}
isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
dns_rdataset_t dnameset;
isc_result_t result;
dns_rdataset_init(&dnameset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
&dnameset, NULL);
if (dns_rdataset_isassociated(&dnameset)) {
dns_rdataset_disassociate(&dnameset);
}
return (ISC_TF(result == ISC_R_SUCCESS));
}
static isc_boolean_t
goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
dns_rdataset_t *keyrdataset, dns_rdataset_t *rdataset, isc_mem_t *mctx)
......@@ -1754,6 +1769,9 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
isdelegation = ISC_TRUE;
} else if (has_dname(db, ver, node)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
}
nextnode = NULL;
result = dns_dbiterator_next(dbiter);
......
......@@ -90,6 +90,13 @@ isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
/*%
* Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
* 'node'; return ISC_FALSE otherwise.
*/
isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
void
verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
......
......@@ -58,7 +58,7 @@ do
expect1="signature has expired"
expect2="No self-signed .*DNSKEY found"
;;
*.out-of-zone-nsec|*.below-bottom-of-zone-nsec)
*.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec)
expect1="unexpected NSEC RRset at"
;;
*.nsec.broken-chain)
......
......@@ -42,6 +42,13 @@ $KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec.apex-dname good
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
# A set of nsec3 zones.
setup zsk-only.nsec3 good
$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
......@@ -56,11 +63,18 @@ $KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.outout good
setup ksk+zsk.optout good
$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
$SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
setup ksk+zsk.nsec3.apex-dname good
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cp unsigned.db ${file}.tmp
echo "@ DNAME data" >> ${file}.tmp
$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
# A set of zones with only DNSKEY records.
setup zsk-only.dnskeyonly bad
key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
......@@ -151,7 +165,7 @@ $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s
echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
# extra NSEC record below bottom of one
# extra NSEC record below bottom of zone
setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
......@@ -162,6 +176,15 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$
# dnssec-signzone signs any node with a NSEC record.
awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}
# extra NSEC record below DNAME
setup ksk+zsk.nsec.below-dname-nsec bad
zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
cat unsigned.db $ksk.key $zsk.key > $file
$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
# missing NSEC3 record at empty node
# extract the hash fields from the empty node's NSEC 3 record then fix up
# the NSEC3 chain to remove it
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment