1. 12 Apr, 2021 10 commits
    • Changes and release notes for [#2596] · dfcef387
      Matthijs Mekking authored
    • Also treat offline keys when going insecure · 39d8cdb6
      Matthijs Mekking authored
      When going insecure, BIND checks if there exist key state files. This
      is an indication that the zone is transitioning to insecure. Also here,
      we need to consider offline keys.
    • Add kasp tests for offline keys · df2ed25b
      Matthijs Mekking authored
      Add a test for default.kasp that if we remove the private key file,
      no successor key is created for it. We need to update the kasp script
      to deal with a missing private key. If this is the case, skip checks
      for private key files.
      Add a test with a zone for which the private key of the ZSK is missing.
      Add a test with a zone for which the private key of the KSK is missing.
    • Set result when goto failure in zone_resigninc · d56a8726
      Matthijs Mekking authored
      In the function 'zone_resigninc', if we goto failure because the zone
      is frozen or automatic resigning is disabled, the result was left
      unset. This could lead to spinning on resigning.
    • Update smart signing when key is offline · c89bcaec
      Matthijs Mekking authored
      BIND 9 is smart about when to sign with what key. If a key is offline,
      BIND will delete the old signature anyway if there is another key to
      sign the RRset with.
      With KASP we don't want to fall back to the KSK if the ZSK is missing,
      or vice versa. Update the 'delsig_ok' function to reflect that.
      Also, it is always fine to delete the SOA RRSIG, because the SOA RRset
      will change and the old signature will be invalidated anyway.
    • Don't roll offline keys · 52c855c5
      Matthijs Mekking authored
      When checking the current DNSSEC state against the policy, consider
      offline keys. If we didn't find an active key, check if the key is
      offline by checking the public key list. If there is a match in the
      public key list (the key data is retrieved from the .key and the
      .state files), treat the key as offline and don't create a successor
      key for it.
    • rndc dnssec -status should include offline keys · 637bb058
      Matthijs Mekking authored
      The rndc command 'dnssec -status' only considered keys from
      'dns_dnssec_findmatchingkeys' which only includes keys with accessible
      private keys. Change it so that offline keys are also listed in the
    • Try to read state when reading keylist from rdata · d5dea1ea
      Matthijs Mekking authored
      The function 'dns_dnssec_keylistfromrdataset()' creates a keylist from
      the DNSKEY RRset. If we attempt to read the private key, we also store
      the key state. However, if the private key is offline, the key state
      will not be stored. To fix this, first attempt to read the public key
      file. If then reading the private key file fails, and we do have a
      public key, add that to the keylist, with appropriate state. If we
      also failed to read the public key file, add the DNSKEY to the keylist,
      as we did before.
    • When reading public key from file, also read state · 911be2e7
      Matthijs Mekking authored
      The 'dst_key_fromnamedfile()' function did not read and store the
      key state from the .state file when reading a public key file.
    • Fix a kasp lock issue · ecf29b36
      Matthijs Mekking authored
      The kasp lock would stay locked if 'dns_keymgr_run' failed.