Commit 28923bc6 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Merge branch '2517-cds-dnskey-delete-records-prevent-loading-unsigned-zone' into 'main'

Resolve "CDS and CDNSKEY DELETE records prevent (re-)loading unsigned zone"

Closes #2517

See merge request !4810
parents 052ec16a 841e90c6
5606. [bug] CDS/CDNSKEY DELETE records were not removed when a zone
transitioned from secure to insecure. "named-checkzone"
should not complain if such records exist in an
unsigned zone. [GL #2517]
5605. [bug] "dig -u" now uses CLOCK_REALTIME for more accurate
time reporting. [GL #2592]
 
......
example. 0 SOA . . 0 0 0 0 0
example. 0 NS .
example. 0 CDS 0 0 0 00
example. 0 CDNSKEY 0 3 0 AA==
......@@ -3623,8 +3623,6 @@ check_next_key_event 93600
set_zone "step2.going-insecure.kasp"
set_policy "none" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete
# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
......@@ -3693,8 +3691,6 @@ set_zone "step2.going-insecure-dynamic.kasp"
set_dynamic
set_policy "none" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete
# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
......
......@@ -42,6 +42,10 @@ Bug Fixes
- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
This has been fixed. [GL #2523]
- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from
secure to insecure. "named-checkzone" no longer complains if such records
exist in an unsigned zone. [GL #2517]
- Fix a crash when transferring a zone over TLS, after "named" previously
skipped a master. [GL #2562]
......
......@@ -20123,7 +20123,12 @@ zone_rekey(dns_zone_t *zone) {
}
 
if (result == ISC_R_SUCCESS) {
bool insecure = dns_zone_secure_to_insecure(zone, false);
/*
* Publish CDS/CDNSKEY DELETE records if the zone is
* transitioning from secure to insecure.
*/
bool cds_delete = dns_zone_secure_to_insecure(zone, false);
isc_stdtime_t when;
 
/*
* Only update DNSKEY TTL if we have a policy.
......@@ -20160,9 +20165,36 @@ zone_rekey(dns_zone_t *zone) {
goto failure;
}
 
if (cds_delete) {
/*
* Only publish CDS/CDNSKEY DELETE records if there is
* a KSK that can be used to verify the RRset. This
* means there must be a key with the KSK role that is
* published and is used for signing.
*/
cds_delete = false;
for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dst_key_t *dstk = key->key;
bool ksk = false;
(void)dst_key_getbool(dstk, DST_BOOL_KSK, &ksk);
if (!ksk) {
continue;
}
if (dst_key_haskasp(dstk) &&
dst_key_is_published(dstk, now, &when) &&
dst_key_is_signing(dstk, DST_BOOL_KSK, now,
&when))
{
cds_delete = true;
break;
}
}
}
result = dns_dnssec_syncdelete(&cdsset, &cdnskeyset,
&zone->origin, zone->rdclass,
ttl, &diff, mctx, insecure);
ttl, &diff, mctx, cds_delete);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:couldn't update CDS/CDNSKEY "
......@@ -20524,6 +20556,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
unsigned char buffer[DNS_DS_BUFFERSIZE];
unsigned char algorithms[256];
unsigned int i;
bool empty = false;
 
enum { notexpected = 0, expected = 1, found = 2 };
 
......@@ -20559,14 +20592,8 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
dns_rdatatype_none, 0, &dnskey, NULL);
if (result == ISC_R_NOTFOUND) {
if (dns_rdataset_isassociated(&cds)) {
result = DNS_R_BADCDS;
} else {
result = DNS_R_BADCDNSKEY;
}
goto failure;
}
if (result != ISC_R_SUCCESS) {
empty = true;
} else if (result != ISC_R_SUCCESS) {
goto failure;
}
 
......@@ -20596,6 +20623,12 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
delete = true;
continue;
}
if (empty) {
result = DNS_R_BADCDS;
goto failure;
}
CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
if (algorithms[structcds.algorithm] == 0) {
algorithms[structcds.algorithm] = expected;
......@@ -20663,6 +20696,12 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
delete = true;
continue;
}
if (empty) {
result = DNS_R_BADCDNSKEY;
goto failure;
}
CHECK(dns_rdata_tostruct(&crdata, &structcdnskey,
NULL));
if (algorithms[structcdnskey.algorithm] == 0) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment