From: Robin Geuze
Date: Tue, 17 Mar 2020 08:59:26 +0000 (+0100)
Subject: Proper fix for NSECx typemaps in the case of only unpublished DNSKEY's
X-Git-Tag: dnsdist-1.5.0-rc1~26^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a5b3fef3680b86c54f4a80bcbfa92b9035d1ece;p=thirdparty%2Fpdns.git
Proper fix for NSECx typemaps in the case of only unpublished DNSKEY's
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 6defb6f1f2..dbbc0db1b1 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -507,16 +507,19 @@ void PacketHandler::emitNSEC(std::unique_ptr& r, const SOAData& sd, c
 if(sd.qname == name) {
 nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
 auto keyset = d_dk.getKeys(name);
- if (!keyset.empty()) {
- nrc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (publishCDNSKEY == "1")
- nrc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- nrc.set(QType::CDS);
+ for(const auto& value: keyset) {
+ if (value.second.published) {
+ nrc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ nrc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ nrc.set(QType::CDS);
+ break;
+ }
 }
 }
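Review bot: The new `for(const auto& value: keyset)` / `break` loop exists only to answer "is any key published?", and the identical loop is repeated in the emitNSEC3 hunk that follows; a named predicate states that intent and keeps the two bitmaps from drifting apart: `const bool hasPublishedKey = std::any_of(keyset.begin(), keyset.end(), [](const auto& k) { return k.second.published; });` followed by `if (hasPublishedKey) {` around the existing DNSKEY/CDNSKEY/CDS body. That relies on `<algorithm>` being included in packethandler.cc and on a C++14 generic lambda, neither of which is visible here; with an older standard the pair type has to be spelled out. The apex NSEC/NSEC3 type bitmap is what a validator uses to prove DNSKEY is absent, so the same published-key test should be the one that decides whether the DNSKEY RRset itself is synthesized, otherwise answer and bitmap can disagree and the zone validates as bogus; where that RRset is built is outside this hunk and should be confirmed. The body of emitNSEC continues outside the hunk.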
@@ -559,16 +562,19 @@ void PacketHandler::emitNSEC3(std::unique_ptr& r, const SOAData& sd,
 n3rc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
 n3rc.set(QType::NSEC3PARAM);
 auto keyset = d_dk.getKeys(name);
- if (!keyset.empty()) {
- n3rc.set(QType::DNSKEY);
- string publishCDNSKEY;
- d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
- if (publishCDNSKEY == "1")
- n3rc.set(QType::CDNSKEY);
- string publishCDS;
- d_dk.getPublishCDS(name, publishCDS);
- if (! publishCDS.empty())
- n3rc.set(QType::CDS);
+ for(const auto& value: keyset) {
+ if (value.second.published) {
+ n3rc.set(QType::DNSKEY);
+ string publishCDNSKEY;
+ d_dk.getPublishCDNSKEY(name, publishCDNSKEY);
+ if (publishCDNSKEY == "1")
+ n3rc.set(QType::CDNSKEY);
+ string publishCDS;
+ d_dk.getPublishCDS(name, publishCDS);
+ if (! publishCDS.empty())
+ n3rc.set(QType::CDS);
+ break;
+ }
 }
 }
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index 0ec4367dae..70ebd4a567 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -14,4 +14,5 @@ b1f775045fa2cf0a3b91aa834af06e49 ../regression-tests/zones/stest.com
 a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com
 9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa
 99c73e8b5db5781fec1ac3fa6a2662a9 ../regression-tests/zones/cryptokeys.org
+1f9e19be0cff67330f3a0a5347654f91 ../regression-tests/zones/hiddencryptokeys.org
 52a95993ada0b4ed986a2fe6463a27e0 ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/backends/bind-master b/regression-tests/backends/bind-master
index c2b5770156..141310f4da 100644
--- a/regression-tests/backends/bind-master
+++ b/regression-tests/backends/bind-master
@@ -59,7 +59,12 @@ __EOF__
 fi
 if [ $zone != insecure.dnssec-parent.com ]
 then
- securezone $zone bind
+ securezone $zone bind
+ if [ $zone = hiddencryptokeys.org ]
+ then
+ keyid=$($PDNSUTIL --config-dir=. --config-name=bind list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')
+ $PDNSUTIL --config-dir=. --config-name=bind unpublish-zone-key $zone $keyid
+ fi
 if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
 then
 $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common
index 86840ff1d5..48903ecff7 100644
--- a/regression-tests/backends/gsql-common
+++ b/regression-tests/backends/gsql-common
@@ -24,7 +24,12 @@ gsql_master()
 then
 $PDNSUTIL --config-dir=. --config-name=$backend set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
 fi
- securezone $zone ${backend}
+ securezone $zone ${backend}
+ if [ $zone = hiddencryptokeys.org ]
+ then
+ keyid=$($PDNSUTIL --config-dir=. --config-name=$backend list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')
+ $PDNSUTIL --config-dir=. --config-name=$backend unpublish-zone-key $zone $keyid
+ fi
 if [ $zone = cryptokeys.org ]
 then
 $PDNSUTIL --config-dir=. --config-name=$backend add-zone-key $zone zsk 384 active unpublished ecdsa384
diff --git a/regression-tests/backends/lmdb-master b/regression-tests/backends/lmdb-master
index b557b6a88c..cc0d18ac84 100644
--- a/regression-tests/backends/lmdb-master
+++ b/regression-tests/backends/lmdb-master
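Review bot: The new `keyid=$($PDNSUTIL ... list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')` line selects the key by a hard-coded literal that merely duplicates the enclosing `[ $zone = hiddencryptokeys.org ]` test, and the same five lines are repeated in the gsql-common hunk below and in the lmdb-master hunk on the next line; `grep "$zone"` (with `"$zone"` also quoted on the list-keys and unpublish-zone-key calls) leaves one place to change, and the block belongs in a helper next to wherever `securezone` is defined, which is outside this view. If list-keys ever reports more than one key for the zone, `$keyid` expands to several words and `unpublish-zone-key $zone $keyid` receives extra arguments, so a `for keyid in ...` loop, or at least an `[ -n "$keyid" ]` guard, would make the intended scenario explicit: a zone in which no key at all is published. The removed and re-added `securezone $zone bind` line reads identically here, so that part of the hunk is presumably a whitespace-only change.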
@@ -29,6 +29,11 @@ __EOF__
 $PDNSUTIL --config-dir=. --config-name=lmdb set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
 fi
 securezone $zone lmdb
+ if [ $zone = hiddencryptokeys.org ]
+ then
+ keyid=$($PDNSUTIL --config-dir=. --config-name=lmdb list-keys $zone | grep hiddencryptokeys.org | awk '{ print $5 }')
+ $PDNSUTIL --config-dir=. --config-name=lmdb unpublish-zone-key $zone $keyid
+ fi
 if [ $zone = cryptokeys.org ]
 then
 $PDNSUTIL --config-dir=. --config-name=lmdb add-zone-key $zone zsk 384 active unpublished ecdsa384
diff --git a/regression-tests/named.conf b/regression-tests/named.conf
index 52c383f94b..c1105a0891 100644
--- a/regression-tests/named.conf
+++ b/regression-tests/named.conf
@@ -93,3 +93,8 @@ zone "cryptokeys.org"{
 file "cryptokeys.org";
 };
+zone "hiddencryptokeys.org"{
+ type master;
+ file "hiddencryptokeys.org";
+};
+
diff --git a/regression-tests/tests/cryptokeys/command b/regression-tests/tests/cryptokeys/command
index 1529298c63..72757ab770 100755
--- a/regression-tests/tests/cryptokeys/command
+++ b/regression-tests/tests/cryptokeys/command
@@ -1,2 +1,3 @@
 #!/bin/sh
 cleandig cryptokeys.org DNSKEY dnssec
+cleandig hiddencryptokeys.org DNSKEY dnssec
diff --git a/regression-tests/tests/cryptokeys/expected_result.dnssec b/regression-tests/tests/cryptokeys/expected_result.dnssec
index 409f965e24..a3e101c9f2 100644
--- a/regression-tests/tests/cryptokeys/expected_result.dnssec
+++ b/regression-tests/tests/cryptokeys/expected_result.dnssec
@@ -5,3 +5,10 @@
 2 . IN OPT 32768
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='cryptokeys.org.', qtype=DNSKEY
+1 hiddencryptokeys.org. IN NSEC 3600 hiddencryptokeys.org. A NS SOA RRSIG NSEC
+1 hiddencryptokeys.org. IN RRSIG 3600 NSEC 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN SOA 3600 cryptokeys.ds9a.nl. ahu.ds9a.nl. 2009071301 14400 3600 604800 3600
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hiddencryptokeys.org.', qtype=DNSKEY
diff --git a/regression-tests/tests/cryptokeys/expected_result.narrow b/regression-tests/tests/cryptokeys/expected_result.narrow
new file mode 100644
index 0000000000..691ab9f937
--- /dev/null
+++ b/regression-tests/tests/cryptokeys/expected_result.narrow
@@ -0,0 +1,14 @@
+0 cryptokeys.org. IN DNSKEY 3600 256 3 10 ...
+0 cryptokeys.org. IN DNSKEY 3600 257 3 13 ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 13 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 14 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cryptokeys.org.', qtype=DNSKEY
+1 hiddencryptokeys.org. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN SOA 3600 cryptokeys.ds9a.nl. ahu.ds9a.nl. 2009071301 14400 3600 604800 3600
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN NSEC3 3600 1 [flags] 1 abcd VD844E5OI5854H79FNAA0F80NQO8BRF1 A NS SOA RRSIG NSEC3PARAM
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN RRSIG 3600 NSEC3 13 3 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hiddencryptokeys.org.', qtype=DNSKEY
diff --git a/regression-tests/tests/cryptokeys/expected_result.nsec3 b/regression-tests/tests/cryptokeys/expected_result.nsec3
new file mode 100644
index 0000000000..af5aa67357
--- /dev/null
+++ b/regression-tests/tests/cryptokeys/expected_result.nsec3
@@ -0,0 +1,14 @@
+0 cryptokeys.org. IN DNSKEY 3600 256 3 10 ...
+0 cryptokeys.org. IN DNSKEY 3600 257 3 13 ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 13 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+0 cryptokeys.org. IN RRSIG 3600 DNSKEY 14 2 3600 [expiry] [inception] [keytag] cryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cryptokeys.org.', qtype=DNSKEY
+1 hiddencryptokeys.org. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+1 hiddencryptokeys.org. IN SOA 3600 cryptokeys.ds9a.nl. ahu.ds9a.nl. 2009071301 14400 3600 604800 3600
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN NSEC3 3600 1 [flags] 1 abcd VD844E5OI5854H79FNAA0F80NQO8BRF0 A NS SOA RRSIG NSEC3PARAM
+1 vd844e5oi5854h79fnaa0f80nqo8brf0.hiddencryptokeys.org. IN RRSIG 3600 NSEC3 13 3 3600 [expiry] [inception] [keytag] hiddencryptokeys.org. ...
+2 . IN OPT 32768
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hiddencryptokeys.org.', qtype=DNSKEY
diff --git a/regression-tests/tests/cryptokeys/skip-drill b/regression-tests/tests/cryptokeys/skip-drill
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests/tests/verify-dnssec-zone/command b/regression-tests/tests/verify-dnssec-zone/command
index e57cbd0182..81e9fc564e 100755
--- a/regression-tests/tests/verify-dnssec-zone/command
+++ b/regression-tests/tests/verify-dnssec-zone/command
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(cryptokeys.org\|example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
+for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(hiddencryptokeys.org\|cryptokeys.org\|example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
 do
 TFILE=$(mktemp tmp.XXXXXXXXXX)
 drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE
diff --git a/regression-tests/zones/hiddencryptokeys.org b/regression-tests/zones/hiddencryptokeys.org
new file mode 100644
index 0000000000..d84d77d372
--- /dev/null
+++ b/regression-tests/zones/hiddencryptokeys.org
@@ -0,0 +1,10 @@
+hiddencryptokeys.org. 3600 IN SOA cryptokeys.ds9a.nl. ahu.ds9a.nl. (
+ 2009071301 ; serial
+ 14400 ; refresh (2 hours 30 minutes)
+ 3600 ; retry (7 minutes 30 seconds)
+ 604800 ; expire (1 week)
+ 3600 ; minimum (7 minutes 30 seconds)
+ )
+ 3600 NS cryptokeys.ds9a.nl.
+ 3600 NS cryptokeys.ds9a.nl.
+ 3600 A 212.123.148.70
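Review bot: The new fixture lists the same `3600 NS cryptokeys.ds9a.nl.` record twice, and the SOA comments do not match the values beside them: `14400 ; refresh (2 hours 30 minutes)` is 4 hours, and `3600 ; retry (7 minutes 30 seconds)` and the identical minimum are 1 hour, which looks like a header copied from another zone. Dropping the duplicate NS line and changing the comments to `; refresh (4 hours)`, `; retry (1 hour)` and `; minimum (1 hour)` keeps the fixture from misleading whoever tunes it next. Whether the duplicate NS affects the test output cannot be told from here, since the expected results only show the apex type bitmap and the SOA.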