1. 07 Jan, 2021 6 commits
  2. 06 Jan, 2021 10 commits
  3. 05 Jan, 2021 4 commits
  4. 04 Jan, 2021 5 commits
  5. 23 Dec, 2020 12 commits
    • Matthijs Mekking's avatar
      Merge branch 'matthijs-fixup-notes' into 'main' · 6c0e1723
      Matthijs Mekking authored
      Matthijs fixup notes
      
      See merge request !4512
      6c0e1723
    • Matthijs Mekking's avatar
      Fixup notes · 2e7ccece
      Matthijs Mekking authored
      I screwed up the notes in !4474
      2e7ccece
    • Matthijs Mekking's avatar
      Merge branch '1750-dnssec-policy-none' into 'main' · 1c26ab64
      Matthijs Mekking authored
      Resolve 'dnssec-policy' graceful transition to insecure
      
      Closes #2341 and #1750
      
      See merge request !4474
      1c26ab64
    • Matthijs Mekking's avatar
      Add notes for [#2341] · 08b6e8c2
      Matthijs Mekking authored
      Mention the bugfix in the release.
      08b6e8c2
    • Matthijs Mekking's avatar
      Add documentation and notes for [#1750] · 7825d8f9
      Matthijs Mekking authored
      7825d8f9
    • Matthijs Mekking's avatar
      Fix a quirky mkeys test failure · 2fc42b59
      Matthijs Mekking authored
      The mkeys system test started to fail after introducing support for
      zones transitioning to unsigned without going bogus. This is because
      there was actually a bug in the code: if you reconfigure a zone and
      remove the "auto-dnssec" option, the zone is actually still DNSSEC
      maintained. This is because in zoneconf.c there is no call
      to 'dns_zone_setkeyopt()' if the configuration option is not used
      (cfg_map_get(zoptions, "auto-dnssec", &obj) will return an error).
      
      The mkeys system test implicitly relied on this bug: initially the
      root zone is being DNSSEC maintained, then at some point it needs to
      reset the root zone in order to prepare for some tests with bad
      signatures. Because it needs to inject a bad signature, 'auto-dnssec'
      is removed from the configuration.
      
      The test pass but for the wrong reasons:
      
      I:mkeys:reset the root server
      I:mkeys:reinitialize trust anchors
      I:mkeys:check positive validation (18)
      
      The 'check positive validation' test works because the zone is still
      DNSSEC maintained: The DNSSEC records in the signed root zone file on
      disk are being ignored.
      
      After fixing the bug/introducing graceful transition to insecure,
      the root zone is no longer DNSSEC maintained after the reconfig.
      
      The zone now explicitly needs to be reloaded because otherwise the
      'check positive validation' test works against an old version of the
      zone (the one with all the revoked keys), and the test will obviously
      fail.
      2fc42b59
    • Matthijs Mekking's avatar
      Update keymgr to allow transition to insecure mode · 91341000
      Matthijs Mekking authored
      The keymgr prevented zones from going to insecure mode. If we
      have a policy with an empty key list this is a signal that the zone
      wants to go back to insecure mode. In this case allow one extra state
      transition to be valid when checking for DNSSEC safety.
      91341000
    • Matthijs Mekking's avatar
      Publish CDS/CDNSKEY Delete Records · 68d715a2
      Matthijs Mekking authored
      Check if zone is transitioning from secure to insecure. If so,
      delete the CDS/CDNSKEY records, otherwise make sure they are not
      part of the RRset.
      68d715a2
    • Matthijs Mekking's avatar
      Treat dnssec-policy "none" as a builtin zone · cf420b2a
      Matthijs Mekking authored
      Configure "none" as a builtin policy. Change the 'cfg_kasp_fromconfig'
      api so that the 'name' will determine what policy needs to be
      configured.
      
      When transitioning a zone from secure to insecure, there will be
      cases when a zone with no DNSSEC policy (dnssec-policy none) should
      be using KASP. When there are key state files available, this is an
      indication that the zone once was DNSSEC signed but is reconfigured
      to become insecure.
      
      If we would not run the keymgr, named would abruptly remove the
      DNSSEC records from the zone, making the zone bogus. Therefore,
      change the code such that a zone will use kasp if there is a valid
      dnssec-policy configured, or if there are state files available.
      cf420b2a
    • Matthijs Mekking's avatar
      Add function to see if dst key uses kasp · 8f2c5e45
      Matthijs Mekking authored
      For purposes of zones transitioning back to insecure mode, it is
      practical to see if related keys have a state file associated.
      8f2c5e45
    • Matthijs Mekking's avatar
      Small adjustments to kasp rndc_checkds function · 756674f6
      Matthijs Mekking authored
      Slightly better test output, and only call 'load keys' if the
      'rndc checkds' call succeeded.
      756674f6
    • Matthijs Mekking's avatar
      Add tests for going from secure to insecure · fa2e4e66
      Matthijs Mekking authored
      Add two test zones that will be reconfigured to go insecure, by
      setting the 'dnssec-policy' option to 'none'.
      
      One zone was using inline-signing (implicitly through dnssec-policy),
      the other is a dynamic zone.
      
      Two tweaks to the kasp system test are required: we need to set
      when to except the CDS/CDS Delete Records, and we need to know
      when we are dealing with a dynamic zone (because the logs to look for
      are slightly different, inline-signing prints "(signed)" after the
      zone name, dynamic zones do not).
      fa2e4e66
  6. 22 Dec, 2020 3 commits