+2495. [bug] Tighten RRSIG checks. [RT #18795]
+
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
installed. [RT #18826]
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.208 2008/09/26 01:27:08 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.209 2008/11/14 22:53:46 marka Exp $ */
/*! \file */
fatal("cannot load dnskey %s: %s", argv[i],
isc_result_totext(result));
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", argv[i]);
+
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
dst_key_t *dkey = key->key;
fatal("cannot load dnskey %s: %s", dskeyfile[i],
isc_result_totext(result));
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", dskeyfile[i]);
+
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
dst_key_t *dkey = key->key;
*/
/*
- * $Id: dnssec.c,v 1.91 2007/09/14 04:32:50 marka Exp $
+ * $Id: dnssec.c,v 1.92 2008/11/14 22:53:46 marka Exp $
*/
/*! \file */
if (ret != ISC_R_SUCCESS)
return (ret);
+ if (set->type != sig.covered)
+ return (DNS_R_SIGINVALID);
+
if (isc_serial_lt(sig.timeexpire, sig.timesigned))
return (DNS_R_SIGINVALID);
return (DNS_R_SIGEXPIRED);
}
+ /*
+ * NS, SOA and DNSSKEY records are signed by their owner.
+ * DS records are signed by the parent.
+ */
+ switch (set->type) {
+ case dns_rdatatype_ns:
+ case dns_rdatatype_soa:
+ case dns_rdatatype_dnskey:
+ if (!dns_name_equal(name, &sig.signer))
+ return (DNS_R_SIGINVALID);
+ break;
+ case dns_rdatatype_ds:
+ if (dns_name_equal(name, &sig.signer))
+ return (DNS_R_SIGINVALID);
+ /* FALLTHROUGH */
+ default:
+ if (!dns_name_issubdomain(name, &sig.signer))
+ return (DNS_R_SIGINVALID);
+ break;
+ }
+
/*
* Is the key allowed to sign data?
*/
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto next;
+ /* Corrupted .key file? */
+ if (!dns_name_equal(name, dst_key_name(pubkey)))
+ goto next;
keys[count] = NULL;
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.15 2008/09/24 02:46:22 marka Exp $
+ * $Id: dst_api.c,v 1.16 2008/11/14 22:53:46 marka Exp $
*/
/*! \file */
NEXTTOKEN(lex, opt, &token);
if (token.type != isc_tokentype_string)
BADTOKEN();
+
+ /*
+ * We don't support "@" in .key files.
+ */
+ if (!strcmp(DST_AS_STR(token), "@"))
+ BADTOKEN();
+
dns_fixedname_init(&name);
isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
isc_buffer_add(&b, strlen(DST_AS_STR(token)));
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.162 2008/09/24 02:46:22 marka Exp $ */
+/* $Id: validator.c,v 1.163 2008/11/14 22:53:46 marka Exp $ */
#include <config.h>
*/
if (dns_rdatatype_atparent(val->event->rdataset->type))
return (DNS_R_CONTINUE);
+ } else {
+ /*
+ * SOA and NS RRsets can only be signed by a key with
+ * the same name.
+ */
+ if (val->event->rdataset->type == dns_rdatatype_soa ||
+ val->event->rdataset->type == dns_rdatatype_ns) {
+ const char *typename;
+
+ if (val->event->rdataset->type == dns_rdatatype_soa)
+ typename = "SOA";
+ else
+ typename = "NS";
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "%s signer mismatch", typename);
+ return (DNS_R_CONTINUE);
+ }
}
/*
&sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ if (!dns_name_equal(val->event->name, &sig.signer))
+ continue;
+
result = dns_keytable_findkeynode(val->keytable,
val->event->name,
sig.algorithm,
if (ds.key_tag != sig.keyid ||
ds.algorithm != sig.algorithm)
continue;
-
+ if (!dns_name_equal(val->event->name, &sig.signer)) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DNSKEY signer mismatch");
+ continue;
+ }
dstkey = NULL;
result = dns_dnssec_keyfromrdata(val->event->name,
&keyrdata,
projects / thirdparty / bind9.git / commitdiff
