From: Charles-Henri Bruyand
Date: Wed, 23 May 2018 13:34:54 +0000 (+0200)
Subject: auth: sign CDS/CDNSKEY RRsets with the KSK
X-Git-Tag: dnsdist-1.3.1~54^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F6655%2Fhead;p=thirdparty%2Fpdns.git

auth: sign CDS/CDNSKEY RRsets with the KSK
---

diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index af77f41325..771ddd76d7 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -38,6 +38,7 @@ typedef map, string> signaturecache_t;
 static signaturecache_t g_signatures;
 static int g_cacheweekno;
+const static std::set g_KSKSignedQTypes {QType::DNSKEY, QType::CDS, QType::CDNSKEY};
 AtomicCounter* g_signatureCount;
 static void fillOutRRSIG(DNSSECPrivateKey& dpk, const DNSName& signQName, RRSIGRecordContent& rrc, vector >& toSign)
@@ -106,8 +107,11 @@ static int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSN
     if(!keymeta.second.active)
       continue;
+    bool signWithKSK = g_KSKSignedQTypes.count(signQType) != 0;
+
     // Do not sign DNSKEY RRsets with the ZSK
     if((signQType == QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::ZSK) ||
-       (signQType != QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::KSK)) {
+       // Do not sign any other RRset than DNSKEY, CDS and CDNSKEY with a KSK
+       (!signWithKSK && keymeta.second.keyType == DNSSECKeeper::KSK)) {
       continue;
     }
diff --git a/regression-tests/tests/publishing-cds-cdnskey/expected_result b/regression-tests/tests/publishing-cds-cdnskey/expected_result
index cc03f2d9a0..0c709606dd 100644
--- a/regression-tests/tests/publishing-cds-cdnskey/expected_result
+++ b/regression-tests/tests/publishing-cds-cdnskey/expected_result
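Review bot: In the second hunk of pdns/dnssecsigner.cc the ZSK exclusion still tests `signQType == QType::DNSKEY` while the KSK exclusion now tests `!signWithKSK`, so CDS and CDNSKEY RRsets are signed by both the KSK and the ZSK. The updated regression fixture (two RRSIGs per CDS and CDNSKEY RRset) shows this is intended, but the surviving comment `// Do not sign DNSKEY RRsets with the ZSK` now describes only half of the condition and a reader may mistake the asymmetry for an oversight; move both comments above the `if` and state the policy once, e.g. `// DNSKEY: signed by the KSK only. CDS/CDNSKEY (RFC 7344): signed by the KSK and additionally by the ZSK. Every other RRset: ZSK only.` The new global `g_KSKSignedQTypes` in the first hunk relies on `<set>` being in scope; the include block is outside the hunk, so confirm it is already pulled in. getRRSIGsForRRSET starts and ends outside the hunk.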
@@ -1,11 +1,13 @@
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 1 a28ebe791e9cc7f4c2821131be367326ddd7434c
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 2 . IN OPT 32768
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDS
 0 secure-delegated.dnssec-parent.com. IN CDNSKEY 86400 257 3 8 AwEAAZd9R7SWWGqA12oG7Ls+h3b0/IAyMj/Pqn/ZuKWM/OdpxT/cn2xwLDhkdmqP/pUqAzvyFPyd4kTqrmLfbohBwA7+07pBVa4qf/jxlHivdMNUD72H+dUYqBlmhCC6l3eG+8FZi2tkdwn8kUoa9kyLMtrEaFnOd/oUQbmNvIDp+8VWv1cSnRJ8UXKdXLl0smpvC7h1K2AUiC5oGIYQTCYWwYRM1wCbb+q1fbFCdkbI7OQW/h7Pj30eLpIuz0bJj4vdKXXZHK8clSdTMAFm6rQsNDI0w7QdCgaDmTn3b6TF2UJi4eDnh7uDbSpUd1mI5XWNw4C6WrUmebFLfiry6vqdiIc=
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 2 . IN OPT 32768
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDNSKEY
@@ -13,6 +15,8 @@ Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDNSKEY
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 1 a28ebe791e9cc7f4c2821131be367326ddd7434c
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0 cdnskey-cds-test.com. IN CDS 86400 0 cdnskey-cds-test.com. IN CDS 86400