--- /dev/null
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ log-time-ascii: yes
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+; initial content (say from dig example.com DNSKEY > example.com.key)
+AUTOTRUST_FILE example.com
+example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+AUTOTRUST_END
+CONFIG_END
+
+SCENARIO_BEGIN Test autotrust with initial trust anchor ZSK
+
+; K-ROOT
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id copy_query
+REPLY QR AA
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 3600 IN A 10.20.30.40
+www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
+SECTION AUTHORITY
+example.com. 3600 IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.com. 3600 IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
+; ZSK 1
+example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (ksk), size = 512b}
+; signatures
+example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899}
+example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582}
+
+ENTRY_END
+RANGE_END
+
+; set date/time to Aug 24 09:46:40 (2009).
+STEP 5 TIME_PASSES ELAPSE 1251100000
+STEP 6 ASSIGN t0 = ${time}
+; get probe time and check it. 4800 is about 10% less than 5400. And more than
+; the 3600 that a failure timeout would have.
+STEP 7 ASSIGN probe = ${range 4800 ${timeout} 5400}
+
+
+; the auto probing should have been done now.
+STEP 8 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;last_success: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;next_probe_time: ${$t0 + $probe} ;;${ctime $t0 + $probe}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009
+FILE_END
+
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 3600 IN A 10.20.30.40
+www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
+SECTION AUTHORITY
+example.com. 3600 IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.com. 3600 IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
+ENTRY_END
+
+; The autotrust anchor was probed due to the query.
+
+STEP 30 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;last_success: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;next_probe_time: ${$t0 + $probe} ;;${ctime $t0 + $probe}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009
+FILE_END
+
+; wait and see if autotrust probes (the unchanged) domain again.
+STEP 40 TIME_PASSES EVAL ${$probe}
+
+STEP 50 TRAFFIC
+
+STEP 65 ASSIGN probe2 = ${range 4800 ${timeout} 5400}
+
+STEP 70 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${time} ;;${ctime ${time}}
+;;last_success: ${time} ;;${ctime ${time}}
+;;next_probe_time: ${$t0 + $probe + $probe2} ;;${ctime $t0 + $probe + $probe2}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009
+FILE_END
+
+SCENARIO_END
continue;
if(ta->s == AUTR_STATE_REMOVED)
continue;
- /* only store SEP keys */
- if(!rr_is_dnskey_sep(ta->rr))
+ /* only store keys */
+ if(ldns_rr_get_type(ta->rr) != LDNS_RR_TYPE_DNSKEY)
continue;
str = ldns_rr2str(ta->rr);
if(!str || !str[0]) {
}
}
+/** if ZSK init then trust KSKs */
+static int
+init_zsk_to_ksk(struct module_env* env, struct trust_anchor* tp, int* changed)
+{
+ /* search for VALID ZSKs */
+ struct autr_ta* anchor;
+ int validzsk = 0;
+ int validksk = 0;
+ for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
+ /* last_change test makes sure it was manually configured */
+ if (ldns_rr_get_type(anchor->rr) == LDNS_RR_TYPE_DNSKEY &&
+ anchor->last_change == 0 &&
+ !rr_is_dnskey_sep(anchor->rr) &&
+ anchor->s == AUTR_STATE_VALID)
+ validzsk++;
+ }
+ if(validzsk == 0)
+ return 0;
+ for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
+ if (rr_is_dnskey_sep(anchor->rr) &&
+ anchor->s == AUTR_STATE_ADDPEND) {
+ verbose_key(anchor, VERB_ALGO, "trust KSK from "
+ "ZSK(config)");
+ set_trustanchor_state(env, anchor, changed,
+ AUTR_STATE_VALID);
+ validksk++;
+ }
+ }
+ return validksk;
+}
+
/** Remove missing trustanchors so the list does not grow forever */
static void
remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp,
struct autr_ta* anchor;
int exceeded;
int valid = 0;
- if(env->cfg->keep_missing == 0)
- return; /* keep forever */
/* see if we have anchors that are valid */
for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
/* Only do KSKs */
if (anchor->s == AUTR_STATE_VALID)
valid++;
}
- if(valid == 0)
- return;
+ /* if there are no SEP Valid anchors, see if we started out with
+ * a ZSK (last-change=0) anchor, which is VALID and there are KSKs
+ * now that can be made valid. Do this immediately because there
+ * is no guarantee that the ZSKs get announced long enough. Usually
+ * this is immediately after init with a ZSK trusted, unless the domain
+ * was not advertising any KSKs at all. In which case we perfectly
+ * track the zero number of KSKs. */
+ if(valid == 0) {
+ valid = init_zsk_to_ksk(env, tp, changed);
+ if(valid == 0)
+ return;
+ }
for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
- /* Only do KSKs */
- if (!rr_is_dnskey_sep(anchor->rr))
+ /* ignore ZSKs if newly added */
+ if(anchor->s == AUTR_STATE_START)
+ continue;
+ /* remove ZSKs if a KSK is present */
+ if (!rr_is_dnskey_sep(anchor->rr)) {
+ if(valid > 0) {
+ verbose_key(anchor, VERB_ALGO, "remove ZSK "
+ "[%d key(s) VALID]", valid);
+ set_trustanchor_state(env, anchor, changed,
+ AUTR_STATE_REMOVED);
+ }
continue;
+ }
/* Only do MISSING keys */
if (anchor->s != AUTR_STATE_MISSING)
continue;
+ if(env->cfg->keep_missing == 0)
+ continue; /* keep forever */
exceeded = check_holddown(env, anchor, env->cfg->keep_missing);
/* If keep_missing has exceeded and we still have more than
while(p) {
/* do we want to remove this key? */
if(p->s == AUTR_STATE_START || p->s == AUTR_STATE_REMOVED ||
- !rr_is_dnskey_sep(p->rr)) {
+ ldns_rr_get_type(p->rr) != LDNS_RR_TYPE_DNSKEY) {
struct autr_ta* np = p->next;
/* remove */
ldns_rr_free(p->rr);
projects / thirdparty / unbound.git / commitdiff
