Don't check DNS_KEYFLAG_NOAUTH
authorEvan Hunt <each@isc.org>
Fri, 14 Mar 2025 00:44:49 +0000 (17:44 -0700)
committerEvan Hunt <each@isc.org>
Tue, 25 Mar 2025 06:38:25 +0000 (06:38 +0000)
All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH
(and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type,
and are not applicable to DNSKEY.

Previously, because the DNSKEY implementation was built on top of
KEY, the NOAUTH flag prevented authentication in DNSKEYs as well.
This has been corrected.

lib/dns/dnssec.c
lib/dns/key.c
lib/dns/zone.c

index a463752edb029b24ac450df9f020a5a91378f46d..6df2aaefa7fa25909bf20efe1b41186f3d1e9e92 100644 (file)
@@ -191,7 +191,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
        isc_result_t ret;
        isc_buffer_t *databuf = NULL;
        char data[256 + 8];
-       uint32_t flags;
        unsigned int sigsize;
        dns_fixedname_t fnewname;
        dns_fixedname_t fsigner;
@@ -209,17 +208,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
                return DNS_R_INVALIDTIME;
        }
 
-       /*
-        * Is the key allowed to sign data?
-        */
-       flags = dst_key_flags(key);
-       if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
-               return DNS_R_KEYUNAUTHORIZED;
-       }
-       if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
-               return DNS_R_KEYUNAUTHORIZED;
-       }
-
        sig.mctx = mctx;
        sig.common.rdclass = set->rdclass;
        sig.common.rdtype = dns_rdatatype_rrsig;
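Review bot: The removed block in dns_dnssec_sign dropped two checks, not one: besides the DNS_KEYTYPE_NOAUTH test the commit message describes, the `(flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE` guard is gone as well, so the library no longer refuses to sign with a DNSKEY whose Zone Key flag is clear. The same applies to the dns_dnssec_verify hunk below, where the rejection (with its inc_stat(dns_dnssecstats_fail) accounting) is removed too, which matters more: a DNSKEY without the Zone Key flag must not be used to verify RRSIGs, and dropping the check here relies on every caller having already filtered with dst_key_iszonekey()/dns_dnssec_iszonekey(), which this diff does not show. If the owner check is meant to stay library-enforced, keep it while removing only the NOAUTH test: `if ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {` / `        return DNS_R_KEYUNAUTHORIZED;` / `}` (with the inc_stat call in the verify copy); otherwise the description should state that the zone-key check was intentionally moved to callers. Both functions start and end outside their hunks.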
@@ -381,7 +369,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
        unsigned char data[300];
        dst_context_t *ctx = NULL;
        int labels = 0;
-       uint32_t flags;
        bool downcase = false;
 
        REQUIRE(name != NULL);
@@ -446,19 +433,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
                break;
        }
 
-       /*
-        * Is the key allowed to sign data?
-        */
-       flags = dst_key_flags(key);
-       if ((flags & DNS_KEYTYPE_NOAUTH) != 0) {
-               inc_stat(dns_dnssecstats_fail);
-               return DNS_R_KEYUNAUTHORIZED;
-       }
-       if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
-               inc_stat(dns_dnssecstats_fail);
-               return DNS_R_KEYUNAUTHORIZED;
-       }
-
 again:
        ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false,
                                 maxbits, &ctx);
@@ -1104,7 +1078,6 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
 bool
 dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) {
        return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-              (key->flags & DNS_KEYTYPE_NOAUTH) == 0 &&
               (key->protocol == DNS_KEYPROTO_DNSSEC ||
                key->protocol == DNS_KEYPROTO_ANY);
 }
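Review bot: dns_dnssec_iszonekey has no comment stating what it now accepts, and after this change it and dst_key_iszonekey (lib/dns/key.c) are the two predicates that must agree on what counts as a zone key, one on the rdata struct and one on the dst_key_t. A short header would make that contract visible: `/* A DNSKEY is a zone key when its Zone Key flag is set and its protocol is DNSSEC or ANY; keep in sync with dst_key_iszonekey(). */`. The dst_key_iszonekey hunk could carry the mirror-image remark; its body continues outside that hunk.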
@@ -1615,9 +1588,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
                RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &dnskey));
                dst_key_setttl(dnskey, keys.ttl);
 
-               if (!is_zone_key(dnskey) ||
-                   (dst_key_flags(dnskey) & DNS_KEYTYPE_NOAUTH) != 0)
-               {
+               if (!is_zone_key(dnskey)) {
                        goto skip;
                }
 
@@ -1723,11 +1694,6 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
                }
                RETERR(result);
 
-               /* This should never happen. */
-               if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
-                       goto skip;
-               }
-
                /*
                 * Whatever the key's default TTL may have
                 * been, the rdataset TTL takes priority.
index 6e8091bc7516d9b6028950206e321f1e90eaca3a..07bd5cf88e622abd2042af9873dfaa6583d59bce 100644 (file)
@@ -134,9 +134,6 @@ bool
 dst_key_iszonekey(const dst_key_t *key) {
        REQUIRE(VALID_KEY(key));
 
-       if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0) {
-               return false;
-       }
        if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
                return false;
        }
index 96e642f957a345c7bff7ce556949388ae0e6dac2..5e054459a29cdb8587545da29b0f1ba65c93a763 100644 (file)
@@ -6439,9 +6439,7 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
                dst_key_setttl(pubkey, rdataset.ttl);
 
-               if (!is_zone_key(pubkey) ||
-                   (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-               {
+               if (!is_zone_key(pubkey)) {
                        goto next;
                }
                /* Corrupted .key file? */
@@ -6535,12 +6533,6 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                 * been, the rdataset TTL takes priority.
                 */
                dst_key_setttl(keys[count], rdataset.ttl);
-
-               if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
-                       /* We should never get here. */
-                       dst_key_free(&keys[count]);
-                       goto next;
-               }
                count++;
        next:
                if (pubkey != NULL) {
@@ -20613,8 +20605,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 
                result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
-               if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
-                                    DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
+               if ((dnskey.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
                {
                        ISC_LIST_UNLINK(diff->tuples, tuple, link);
                        ISC_LIST_APPEND(tuples, tuple, link);