1. 05 May, 2021 12 commits
    • No longer need to strcmp for "none" · fc8b76e8
      Matthijs Mekking authored
      When we introduced "dnssec-policy insecure" we could have removed the
      'strcmp' check for "none", because if it was set to "none", the 'kasp'
      variable would have been set to NULL.
    • Changes and release notes for [#2596] · 366ed047
      Matthijs Mekking authored
    • Add kasp tests for offline keys · 4a8ad0a7
      Matthijs Mekking authored
      Add a test for default.kasp that if we remove the private key file,
      no successor key is created for it. We need to update the kasp script
      to deal with a missing private key. If this is the case, skip checks
      for private key files.
      
      Add a test with a zone for which the private key of the ZSK is missing.
      
      Add a test with a zone for which the private key of the KSK is missing.
    • Update smart signing when key is offline · 6a60bf63
      Matthijs Mekking authored
      BIND 9 is smart about when to sign with what key. If a key is offline,
      BIND will delete the old signature anyway if there is another key to
      sign the RRset with.
      
      With KASP we don't want to fall back to the KSK if the ZSK is missing,
      only for the SOA RRset. If the KSK is missing, but we do have a ZSK,
      deleting the signature is fine. Otherwise it depends on whether we use
      KASP or not. Update the 'delsig_ok' function to reflect that.
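The deletion rule in the commit message above is easier to reason about as code. The following is an added illustrative model, not BIND 9's own 'delsig_ok' and not its types: the key roles, the 'online' flag, the hypothetical `key` struct and the two constructed scenarios are assumptions made for the example. It asks whether an existing signature may be dropped, and only says yes when some key is allowed to produce a replacement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustrative model of the signature-deletion rule described in the
 * "Update smart signing when key is offline" commit. Hypothetical names;
 * this is not BIND 9's delsig_ok() and does not use BIND's types.
 */

#define RRTYPE_A   1
#define RRTYPE_SOA 6

enum role { ROLE_KSK, ROLE_ZSK };

struct key {
	const char *name;
	enum role role;
	unsigned int alg; /* DNSSEC algorithm number */
	bool online;      /* true when the .private file is readable */
};

/*
 * May the signature made by 'sig' on an RRset of type 'rrtype' be deleted?
 * Only if a replacement can be produced: 'sig' itself is online, or another
 * online key of the same algorithm is allowed to take over. With KASP the
 * takeover rules are stricter than without it.
 */
bool
delsig_ok(const struct key *sig, const struct key *keys, size_t nkeys,
	  unsigned int rrtype, bool kasp)
{
	if (sig->online) {
		return true; /* the same key will re-sign */
	}
	for (size_t i = 0; i < nkeys; i++) {
		const struct key *k = &keys[i];
		if (!k->online || k->alg != sig->alg) {
			continue;
		}
		if (!kasp) {
			return true; /* any usable key of the same algorithm */
		}
		if (sig->role == ROLE_KSK) {
			return true; /* KSK offline, a ZSK can still sign */
		}
		if (k->role == ROLE_ZSK) {
			return true; /* ZSK replaced by another ZSK */
		}
		if (rrtype == RRTYPE_SOA) {
			return true; /* only the SOA may fall back to the KSK */
		}
	}
	return false; /* keep the old signature: nothing may replace it */
}

/* Constructed scenario: KSK online, ZSK offline; 'sig' is the ZSK. */
bool
zsk_offline_case(unsigned int rrtype, bool kasp)
{
	const struct key keys[] = {
		{ "ksk", ROLE_KSK, 13, true },
		{ "zsk", ROLE_ZSK, 13, false },
	};
	return delsig_ok(&keys[1], keys, 2, rrtype, kasp);
}

/* Constructed scenario: KSK offline, ZSK online; 'sig' is the KSK. */
bool
ksk_offline_case(unsigned int rrtype, bool kasp)
{
	const struct key keys[] = {
		{ "ksk", ROLE_KSK, 13, false },
		{ "zsk", ROLE_ZSK, 13, true },
	};
	return delsig_ok(&keys[0], keys, 2, rrtype, kasp);
}

int
main(void)
{
	printf("ZSK offline, A, kasp:      %s\n",
	       zsk_offline_case(RRTYPE_A, true) ? "delete" : "keep");
	printf("ZSK offline, SOA, kasp:    %s\n",
	       zsk_offline_case(RRTYPE_SOA, true) ? "delete" : "keep");
	printf("ZSK offline, A, no kasp:   %s\n",
	       zsk_offline_case(RRTYPE_A, false) ? "delete" : "keep");
	printf("KSK offline, DNSKEY, kasp: %s\n",
	       ksk_offline_case(48, true) ? "delete" : "keep");
	return 0;
}
```

The point to check when touching such a rule is the KASP branch for an offline ZSK: a non-SOA RRset keeps its old signature rather than being re-signed by the KSK, so the zone does not silently start leaning on the key that is supposed to stay rarely used.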
    • Don't roll offline keys · 3e6fc49c
      Matthijs Mekking authored
      When checking the current DNSSEC state against the policy, consider
      offline keys. If we didn't find an active key, check if the key is
      offline by checking the public key list. If there is a match in the
      public key list (the key data is retrieved from the .key and the
      .state files), treat the key as offline and don't create a successor
      key for it.
    • rndc dnssec -status should include offline keys · b3a5859a
      Matthijs Mekking authored
      The rndc command 'dnssec -status' only considered keys from
      'dns_dnssec_findmatchingkeys' which only includes keys with accessible
      private keys. Change it so that offline keys are also listed in the
      status.
    • Try to read state when reading keylist from rdata · 7ed08957
      Matthijs Mekking authored
      The function 'dns_dnssec_keylistfromrdataset()' creates a keylist from
      the DNSKEY RRset. If we attempt to read the private key, we also store
      the key state. However, if the private key is offline, the key state
      will not be stored. To fix this, first attempt to read the public key
      file. If then reading the private key file fails, and we do have a
      public key, add that to the keylist, with appropriate state. If we
      also failed to read the public key file, add the DNSKEY to the keylist,
      as we did before.
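The "Don't roll offline keys" and "Try to read state when reading keylist from rdata" commits describe one mechanism in two halves: the key list built from the DNSKEY RRset must record whether a key was loaded from its private key, from its public key plus state file, or from bare rdata, and the policy check then refuses to generate a successor for a key that is merely offline. The code below is an added illustrative model of that flow, not BIND 9's 'dns_dnssec_keylistfromrdataset()' or 'dns_keymgr_run()': the structs, function names, the minimal `.state` parser and the sample file contents are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustrative model (hypothetical names, not BIND 9's own code) of
 * building a key list when private keys may be offline, then deciding whether
 * a key needs a successor.
 */

#define FLAGS_ZSK 256
#define FLAGS_KSK 257

enum source { SRC_RDATA, SRC_PUBLIC, SRC_PRIVATE };

struct dnskey {            /* one record of the DNSKEY RRset */
	unsigned int keytag;
	unsigned int flags;
};

struct keyfiles {          /* what is on disk for one key; NULL = missing */
	unsigned int keytag;
	const char *pubfile;   /* K*.key text */
	const char *privfile;  /* K*.private text */
	const char *statefile; /* K*.state text */
};

struct keyentry {
	unsigned int keytag;
	unsigned int flags;
	enum source source;
	char dnskey_state[16]; /* "DNSKEY:" value from .state, "" if unknown */
};

/* Copy the value of the "DNSKEY: <state>" line out of a .state file. */
static bool
read_dnskey_state(const char *text, char *out, size_t outlen)
{
	const char *p = strstr(text, "DNSKEY: ");
	if (p == NULL) return false;
	p += strlen("DNSKEY: ");
	size_t n = strcspn(p, "\n");
	if (n >= outlen) n = outlen - 1;
	memcpy(out, p, n);
	out[n] = '\0';
	return true;
}

/*
 * Prefer the private key. If it is missing but the public key file is
 * readable, keep the key as offline and still load its state. If neither
 * file is readable, keep the bare DNSKEY rdata with no state.
 */
size_t
keylist_from_rdataset(const struct dnskey *rrset, size_t nrr,
		      const struct keyfiles *files, size_t nfiles,
		      struct keyentry *out)
{
	for (size_t i = 0; i < nrr; i++) {
		struct keyentry *e = &out[i];
		e->keytag = rrset[i].keytag;
		e->flags = rrset[i].flags;
		e->source = SRC_RDATA;
		e->dnskey_state[0] = '\0';
		for (size_t j = 0; j < nfiles; j++) {
			const struct keyfiles *f = &files[j];
			if (f->keytag != e->keytag) continue;
			if (f->privfile != NULL) e->source = SRC_PRIVATE;
			else if (f->pubfile != NULL) e->source = SRC_PUBLIC;
			if (e->source != SRC_RDATA && f->statefile != NULL)
				read_dnskey_state(f->statefile, e->dnskey_state,
						  sizeof(e->dnskey_state));
		}
	}
	return nrr;
}

/*
 * Policy check for one role: an active key (private readable) needs nothing,
 * an offline key (public readable, private not) is left alone rather than
 * rolled, and only when neither exists is a successor generated.
 */
bool
needs_successor(const struct keyentry *keys, size_t nkeys, unsigned int flags)
{
	bool offline = false;
	for (size_t i = 0; i < nkeys; i++) {
		if (keys[i].flags != flags) continue;
		if (keys[i].source == SRC_PRIVATE) return false;
		if (keys[i].source == SRC_PUBLIC) offline = true;
	}
	return !offline;
}

/* Constructed sample: KSK 12345 has no .private (offline), ZSK 54321 is online. */
static const struct dnskey sample_rrset[] = {
	{ 12345, FLAGS_KSK }, { 54321, FLAGS_ZSK },
};
static const struct keyfiles sample_files[] = {
	{ 12345, "example.com. IN DNSKEY 257 3 13 AAAA\n", NULL,
	  "; constructed state of key 12345\nDNSKEY: omnipresent\nKRRSIG: omnipresent\n" },
	{ 54321, "example.com. IN DNSKEY 256 3 13 BBBB\n",
	  "Private-key-format: v1.3\nAlgorithm: 13 (ECDSAP256SHA256)\n",
	  "DNSKEY: omnipresent\nZRRSIG: omnipresent\n" },
};

/* Run the model on the sample and answer for the requested role. */
bool
sample_needs_successor(unsigned int flags)
{
	struct keyentry list[2];
	keylist_from_rdataset(sample_rrset, 2, sample_files, 2, list);
	return needs_successor(list, 2, flags);
}

/* Was the sample KSK classified as offline, with this DNSKEY state loaded? */
bool
sample_ksk_is_offline_with_state(const char *state)
{
	struct keyentry list[2];
	keylist_from_rdataset(sample_rrset, 2, sample_files, 2, list);
	return list[0].source == SRC_PUBLIC &&
	       strcmp(list[0].dnskey_state, state) == 0;
}

/* Same zone, but only the KSK files are present: the ZSK must be rolled. */
bool
sample_zsk_unreadable_needs_successor(void)
{
	struct keyentry list[2];
	keylist_from_rdataset(sample_rrset, 2, sample_files, 1, list);
	return needs_successor(list, 2, FLAGS_ZSK);
}
```

The distinction that matters is between "private key unreadable but public key and state on disk" (offline, leave it alone) and "no key files at all" (roll). Before the fix described above, the second loader path never stored state for an offline key, so a policy check could not tell the two cases apart and would generate a successor for a key the operator had deliberately taken offline.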
    • When reading public key from file, also read state · fa05c1b8
      Matthijs Mekking authored
      The 'dst_key_fromnamedfile()' function did not read and store the
      key state from the .state file when reading a public key file.
    • Fix a kasp lock issue · cf17698f
      Matthijs Mekking authored
      The kasp lock would stay locked if 'dns_keymgr_run' failed.
    • Merge branch... · 2be319b7
      Mark Andrews authored
      Merge branch '2678-named-checkconf-doesn-t-catch-redefinition-of-dnssec-policy-insecure' into 'main'
      
      Resolve "named-checkconf doesn't catch redefinition of dnssec-policy insecure"
      
      Closes #2678
      
      See merge request !4994
    • Merge branch '2536-inline-signing-documentation-doesn-t-match-reality' into 'main' · 0f538725
      Mark Andrews authored
      Resolve "inline-signing documentation doesn't match reality"
      
      Closes #2536
      
      See merge request !4751
  2. 04 May, 2021 10 commits
  3. 03 May, 2021 9 commits
  4. 30 Apr, 2021 9 commits