  5. 22 Aug, 2022 5 commits
    • Merge branch '3486-checkconf-dnssec-policy-nsec3-incompatible-algorithm' into 'main' · ae143340
      Matthijs Mekking authored
      Graceful dnssec-policy transition from NSEC only to NSEC3
      
      Closes #3486
      
      See merge request !6647
    • Fix nsec3 system test issues · 1c5bbac5
      Matthijs Mekking authored
      The wait_for_zone_is_signed function was never called, which could lead
      to test failures due to timing issues (where a zone was not fully signed
      yet, but the test was trying to verify the zone).
      
      Also add two missing set_nsec3param calls to ensure the ITERATIONS
      value is set for these test cases.
    • Add change entry and release note for #3486 · 4f2a15b5
      Matthijs Mekking authored
      News worthy.
    • Add test case for #3486 · 6e534c1c
      Matthijs Mekking authored
      Add two scenarios where we change the dnssec-policy from using RSASHA1
      to something with NSEC3.
      
      The first case should work, as the DS is still in hidden state and we
      can basically do anything with DNSSEC.
      
      The second case should fail, because the DS of the predecessor is
      published and we can't immediately remove the predecessor DNSKEY. So
      in this case we should keep the NSEC chain for a bit longer.
      
      Add two more scenarios where we change the dnssec-policy from using
      NSEC3 to something NSEC only. Both should work because there are no
      restrictions on using NSEC when it comes to algorithms, but in the
      cases where the DS is published we can't bluntly remove the predecessor.
      
      Extend the nsec3 system test by also checking the DNSKEY RRset for the
      expected DNSKEY records. This requires some "kasp system"-style setup
      for each test (setting key properties and key states). Also move the
      dnssec-verify check inside the check_nsec/check_nsec3 functions because
      we will have to do that every time.
    • Wait with NSEC3 during a DNSSEC policy change · 501dc87d
      Matthijs Mekking authored
      When doing a dnssec-policy reconfiguration from a zone with NSEC only
      keys to a zone that uses NSEC3, figure out to wait with building the
      NSEC3 chain.
      
      Previously, BIND 9 would attempt to sign such a zone, but failed to
      do so because the NSEC3 chain conflicted with existing DNSKEY records
      in the zone that were not compatible with NSEC3.
      
      There exists logic for detecting such a case in the functions
      dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in
      lib/ns/update.c). Both functions look very similar so refactor them
      to use the same code and call the new function (called
      dns_zone_check_dnskey_nsec3()).
      
      Also update the dns_nsec_nseconly() function to take an additional
      parameter 'diff' that, if provided, is checked to see whether an
      offending NSEC only DNSKEY will be deleted from the zone. If so,
      this key will not be considered when checking the zone for NSEC only
      DNSKEYs. This is needed to allow a transition from an NSEC zone with
      NSEC only DNSKEYs to an NSEC3 zone.