Change nsec3param salt config to saltlen
authorMatthijs Mekking <matthijs@isc.org>
Fri, 23 Oct 2020 13:02:19 +0000 (15:02 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 26 Nov 2020 09:43:59 +0000 (10:43 +0100)
Upon request from Mark, change the configuration of salt to salt
length.

Introduce a new function 'dns_zone_checknsec3param' that can be used
upon reconfiguration to check if the existing NSEC3 parameters are
in sync with the configuration. If a salt is used that matches the
configured salt length, don't change the NSEC3 parameters.

21 files changed:
bin/named/named.conf.rst
bin/named/zoneconf.c
bin/tests/system/checkconf/good-kasp.conf
bin/tests/system/checkconf/tests.sh
bin/tests/system/nsec3/ns3/named.conf.in
bin/tests/system/nsec3/ns3/named2.conf.in
bin/tests/system/nsec3/tests.sh
doc/arm/reference.rst
doc/man/named.conf.5in
doc/misc/dnssec-policy.grammar.rst
doc/misc/options
doc/misc/options.active
lib/dns/include/dns/kasp.h
lib/dns/include/dns/result.h
lib/dns/include/dns/zone.h
lib/dns/kasp.c
lib/dns/result.c
lib/dns/win32/libdns.def.in
lib/dns/zone.c
lib/isccfg/kaspconf.c
lib/isccfg/namedconf.c

index cd61c576afdcb4ecc2618616a8c030b7aa07d59b..1933eefa9c7813d2cb464ca69676fac37ebb2df1 100644 (file)
@@ -66,8 +66,8 @@ DNSSEC-POLICY
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
            duration_or_unlimited algorithm string [ integer ]; ... };
        max-zone-ttl duration;
-       nsec3param [ iterations integer ] [ optout boolean ] [ salt
-           string ];
+       nsec3param [ iterations integer ] [ optout boolean ] [
+           salt-length integer ];
        parent-ds-ttl duration;
        parent-propagation-delay duration;
        publish-safety duration;
index 1f1dbaabed5f04c3a10f2224ac5513f14d154bdc..2fea020200fc31c60933873001f4ad19ee1a9a44 100644 (file)
@@ -29,6 +29,7 @@
 #include <dns/log.h>
 #include <dns/masterdump.h>
 #include <dns/name.h>
+#include <dns/nsec3.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -1561,15 +1562,32 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                bool sigvalinsecs;
 
                if (kasp != NULL) {
+                       unsigned char saltbuf[255];
+                       unsigned char *salt;
+                       DE_CONST("-", salt);
+
                        if (dns_kasp_nsec3(kasp)) {
-                               result = dns_zone_setnsec3param(
+                               result = dns_zone_checknsec3param(
                                        zone, 1, dns_kasp_nsec3flags(kasp),
                                        dns_kasp_nsec3iter(kasp),
-                                       dns_kasp_nsec3saltlen(kasp),
-                                       dns_kasp_nsec3salt(kasp), true);
+                                       dns_kasp_nsec3saltlen(kasp), NULL);
+                               if (result != ISC_R_SUCCESS) {
+                                       if (dns_kasp_nsec3saltlen(kasp) > 0) {
+                                               RETERR(dns_nsec3_generate_salt(
+                                                       saltbuf,
+                                                       dns_kasp_nsec3saltlen(
+                                                               kasp)));
+                                               salt = saltbuf;
+                                       }
+                                       result = dns_zone_setnsec3param(
+                                               zone, 1,
+                                               dns_kasp_nsec3flags(kasp),
+                                               dns_kasp_nsec3iter(kasp),
+                                               dns_kasp_nsec3saltlen(kasp),
+                                               salt, true);
+                               }
+
                        } else {
-                               unsigned char *salt;
-                               DE_CONST("-", salt);
                                result = dns_zone_setnsec3param(zone, 0, 0, 0,
                                                                0, salt, true);
                        }
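Review bot: The check-then-set sequence deserves a comment, because the reason for passing `NULL` as the salt to `dns_zone_checknsec3param` and for only generating a salt on the failure path is not obvious from the code; something like `/* Keep an existing chain whose hash, iterations and salt length already match (the salt value itself is irrelevant); otherwise generate a fresh salt and install the configured parameters. */` above the `if (dns_kasp_nsec3(kasp))` line. It is also worth stating that when the configured salt length is 0 the `salt` variable keeps the `"-"` placeholder set by `DE_CONST`, which presumably is what `dns_zone_setnsec3param` expects for "no salt" — please confirm. The hash algorithm is hard-coded as `1` in both calls; a named constant would make the SHA-1-only assumption visible. `named_zone_configure` starts and ends outside the hunk, so I cannot see how `result` is consumed after this block.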
index f3d286eb1ad0299b7fe9a1bf2ff1cccf807a81a9..87fdc9db581dfa67ece49412476c74d07b43d2b4 100644 (file)
@@ -22,7 +22,7 @@ dnssec-policy "test" {
                csk key-directory lifetime unlimited algorithm rsasha256 2048;
        };
        max-zone-ttl 86400;
-       nsec3param iterations 5 optout no salt "deadbeef";
+       nsec3param iterations 5 optout no salt-length 8;
        parent-ds-ttl 7200;
        parent-propagation-delay PT1H;
        publish-safety PT3600S;
index 44926bccf15a25f25ca74d4881bfc714de85a1fc..fea98a6ee29f98d10616d0b64c5a4717ba84dcf4 100644 (file)
@@ -508,14 +508,6 @@ grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < che
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-n=`expr $n + 1`
-echo_i "checking named-checkconf kasp nsec3 salt errors ($n)"
-ret=0
-$CHECKCONF kasp-bad-nsec3-salt.conf > checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: bad nsec3 salt pepper" < checkconf.out$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0
index a168b88e0cf5e7f4ef945cfd1f93299b7014c49d..e40fa4e656f0b226d62e2db8a058c04abb50a957 100644 (file)
@@ -25,7 +25,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-       nsec3param iterations 11 optout yes salt "deadbeef";
+       nsec3param iterations 11 optout yes salt-length 0;
 };
 
 options {
index 91bc44e31454a7f53b4beaf8f191ec0c94eda9ba..327f5495591d797d78ef4351b307461c760fe19a 100644 (file)
@@ -25,7 +25,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-       nsec3param iterations 11 optout yes salt "deadbeef";
+       nsec3param iterations 11 optout yes salt-length 0;
 };
 
 options {
index 012411fdce0064938960748ada082d355f9c65a5..ee121156837d1f9c7e6a6e89b9c00ce5101eed9a 100644 (file)
@@ -38,11 +38,14 @@ set_zone_policy() {
        ZONE=$1
        POLICY=$2
 }
-# Set expected NSEC3 parameters: flags ($1), iterations ($2), and salt ($3).
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
+# salt length ($3).
 set_nsec3param() {
        FLAGS=$1
        ITERATIONS=$2
-       SALT=$3
+       SALTLEN=$3
+       SALT=""
+       test "$SALTLEN" = "0" && SALT="-"
 }
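Review bot: `test "$SALTLEN" = "0" && SALT="-"` leaves `set_nsec3param` with exit status 1 whenever the salt length is non-zero, because the function's status is that of its last command; any caller that checks the function's result (or a future `set -e`) would misread the common case as a failure. An explicit conditional avoids that and reads more clearly: `if [ "$SALTLEN" = "0" ]; then SALT="-"; fi`. The same hunk could also document the empty-string meaning, e.g. `# SALT is empty when the salt is random and only its length is checked.` — assuming that is how `check_nsec3` (outside the hunk) uses it.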
 
 # The apex NSEC3PARAM record indicates that it is signed.
@@ -167,7 +170,7 @@ dnssec_verify
 
 # Zone: nsec3.kasp.
 set_zone_policy "nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "-"
+set_nsec3param "0" "5" "8"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
@@ -192,14 +195,14 @@ dnssec_verify
 
 # Zone: nsec3-from-optout.kasp.
 set_zone_policy "nsec3-from-optout.kasp" "optout"
-set_nsec3param "1" "5" "-"
+set_nsec3param "1" "5" "8"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
-set_nsec3param "1" "11" "DEADBEEF"
+set_nsec3param "1" "11" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
@@ -213,7 +216,7 @@ rndc_reconfig ns3 10.53.0.3
 
 # Zone: nsec-to-nsec3.kasp. (reconfigured)
 set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "-"
+set_nsec3param "0" "5" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
@@ -226,7 +229,7 @@ dnssec_verify
 
 # Zone: nsec3-change.kasp. (reconfigured)
 set_zone_policy "nsec3-change.kasp" "nsec3-other"
-set_nsec3param "1" "11" "DEADBEEF"
+set_nsec3param "1" "11" "0"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
@@ -238,25 +241,28 @@ check_nsec
 dnssec_verify
 
 # Zone: nsec3-to-optout.kasp. (reconfigured)
-set_zone_policy "nsec3-to-optout.kasp" "optout"
-set_nsec3param "1" "5" "-"
-echo_i "check zone ${ZONE} after reconfig"
-check_nsec3
-dnssec_verify
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-to-optout.kasp" "optout"
+#set_nsec3param "1" "5" "8"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+#dnssec_verify
 
 # Zone: nsec3-from-optout.kasp. (reconfigured)
 # DISABLED:
 # There is a bug in the nsec3param building code that thinks when the
-# optout bit is removed, the chain already exists. [GL #2216]
+# optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-from-optout.kasp" "nsec3"
-#set_nsec3param "0" "5" "-"
+#set_nsec3param "0" "5" "8"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
 #dnssec_verify
 
 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
-set_nsec3param "1" "11" "DEADBEEF"
+set_nsec3param "1" "11" "0"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
index 3597d8fe0338758df7b2698fe1e10124b7035569..bcbbe3d05debc7c77ca3fceab232acb01c40c138 100644 (file)
@@ -4958,14 +4958,15 @@ The following options can be specified in a ``dnssec-policy`` statement:
      ``nsec3param``
        Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters.
 
-       Here is an example (for illustration purposes only) of
-       a ``nsec3`` configuration:
+       Here is an example of an ``nsec3`` configuration:
 
        ::
 
-          nsec3param ttl 0 iterations 5 optout no salt "-";
+          nsec3param iterations 5 optout no salt-length 8;
 
-       The default is to use NSEC.
+       The default is to use NSEC. The ``iterations``, ``optout``
+       and ``salt-length`` parts are optional, but if not set, the
+       values in the example above are the default NSEC3 parameters.
 
      ``zone-propagation-delay``
        This is the expected propagation delay from the time when a zone
index f7d3823cd22eb4257bc4e9088e0e7d181f8943ea..abf620fa11e96455eeb24beaa0e889dcdd594850 100644 (file)
@@ -105,8 +105,8 @@ dnssec\-policy string {
       keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
           duration_or_unlimited algorithm string [ integer ]; ... };
       max\-zone\-ttl duration;
-      nsec3param [ iterations integer ] [ optout boolean ] [ salt
-          string ];
+      nsec3param [ iterations integer ] [ optout boolean ] [
+          salt\-length integer ];
       parent\-ds\-ttl duration;
       parent\-propagation\-delay duration;
       publish\-safety duration;
index c9771fcb3d048c4c830ec3936cadaa7ef673e685..e826ccab4e536f9d26be45c37f30922d80705c85 100644 (file)
@@ -5,8 +5,8 @@
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
            <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;
-       nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
-           <string> ];
+       nsec3param [ iterations <integer> ] [ optout <boolean> ] [
+           salt-length <integer> ];
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        publish-safety <duration>;
index 6d641c4b6f0284ac16f20cf462e700262012e780..27ee95a3d3779de92ab7eb07cb8814140ca335cb 100644 (file)
@@ -26,8 +26,8 @@ dnssec-policy <string> {
         keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
             <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
-        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
-            <string> ];
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [
+            salt-length <integer> ];
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         parent-registration-delay <duration>; // obsolete
index da3bfed79c844b81665d4ce468df5a6cecb7f73f..9fbffdb84075b52c297cfcfd935929045884989e 100644 (file)
@@ -26,8 +26,8 @@ dnssec-policy <string> {
         keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
             <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
-        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
-            <string> ];
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [
+            salt-length <integer> ];
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         publish-safety <duration>;
index 72ad42d6e3752112110de5627a64785ed6c1a027..e49b01a1775b09a6a460dc3d5f70d0da2f5c042b 100644 (file)
@@ -51,11 +51,10 @@ struct dns_kasp_key {
 };
 
 struct dns_kasp_nsec3param {
-       unsigned char salt[255];
-       uint8_t       saltlen;
-       uint8_t       algorithm;
-       uint8_t       iterations;
-       bool          optout;
+       uint8_t saltlen;
+       uint8_t algorithm;
+       uint8_t iterations;
+       bool    optout;
 };
 
 /* Stores a DNSSEC policy */
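Review bot: The reworked `struct dns_kasp_nsec3param` now carries only a length, but nothing says what that length means or that the salt value itself no longer lives in the policy; a field comment such as `/* Length of the salt in bytes; 0 means no salt. The salt value is generated per zone when the parameters are installed. */` would help readers of `dns_kasp_nsec3saltlen`. The "generated per zone" part is inferred from the zoneconf.c change in this commit, so adjust the wording if the salt can also come from elsewhere. Note that dropping the 255-byte array changes the struct layout, so anything embedding this struct must be rebuilt; the win32 export list is updated here but there is no other version marker in view.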
@@ -661,18 +660,6 @@ dns_kasp_nsec3saltlen(dns_kasp_t *kasp);
  *
  */
 
-unsigned char *
-dns_kasp_nsec3salt(dns_kasp_t *kasp);
-/*%<
- * The NSEC3 salt used.
- *
- * Requires:
- *
- *\li  'kasp' is a valid, frozen kasp.
- *\li  'kasp->nsec3' is true.
- *
- */
-
 void
 dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3);
 /*%<
@@ -684,9 +671,9 @@ dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3);
  *
  */
 
-isc_result_t
+void
 dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
-                      const char *salt);
+                      uint8_t saltlen);
 /*%<
  * Set the desired NSEC3 parameters.
  *
@@ -695,11 +682,6 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
  *\li  'kasp' is a valid, unfrozen kasp.
  *\li  'kasp->nsec3' is true.
  *
- * Returns:
- *
- *\li  ISC_R_SUCCESS, if NSEC3 parameters are set.
- *\li  Error, if isc_hex_decodestring() fails.
- *
  */
 
 ISC_LANG_ENDDECLS
index a37689cebbab3f7095a29519b2174286b7abaabd..7528e8bef030e444c2833957286ea80655786ae9 100644 (file)
 #define DNS_R_TOOMANYKEYS      (ISC_RESULTCLASS_DNS + 121)
 #define DNS_R_KEYNOTACTIVE     (ISC_RESULTCLASS_DNS + 122)
 #define DNS_R_NSEC3ITERRANGE   (ISC_RESULTCLASS_DNS + 123)
-#define DNS_R_NSEC3BADSALT     (ISC_RESULTCLASS_DNS + 124)
+#define DNS_R_NSEC3SALTRANGE   (ISC_RESULTCLASS_DNS + 124)
 #define DNS_R_NSEC3BADALG      (ISC_RESULTCLASS_DNS + 125)
 
 #define DNS_R_NRESULTS 126 /*%< Number of results */
index c8342ca7dbfe66c9415415a6a922dee2a335cf22..75882ba395ae6280bf7aef66b97205ec40c375a5 100644 (file)
@@ -2378,6 +2378,23 @@ dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
 isc_result_t
 dns_zone_keydone(dns_zone_t *zone, const char *data);
 
+isc_result_t
+dns_zone_checknsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
+                        uint16_t iter, uint8_t saltlen, unsigned char *salt);
+/*%
+ * Check if the NSEC3 parameters for the zone match the requested parameters.
+ *
+ * If 'salt' is NULL, a match is found if the salt has the requested length,
+ * otherwise the NSEC3 salt must match the requested salt value too.
+ *
+ * Requires:
+ * \li  'zone' to be valid.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS, if a match is found.
+ * \li  Error, if no match is found, or if the db lookup failed.
+ */
+
 isc_result_t
 dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
                       uint16_t iter, uint8_t saltlen, unsigned char *salt,
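Review bot: The new doc comment for `dns_zone_checknsec3param` says the zone's parameters are compared with "the requested parameters", but the implementation in lib/dns/zone.c marks `flags` as `UNUSED`, so an NSEC3PARAM that differs only in the opt-out flag is reported as a match. Please document that in the header, e.g. `* 'flags' is accepted for symmetry with dns_zone_setnsec3param() but is not compared.`, and add the same remark next to `UNUSED(flags)` in zone.c. Whether the opt-out difference is meant to be detected elsewhere is unclear from this commit; the test changes in bin/tests/system/nsec3/tests.sh reference GL #2216 for a related problem, so a pointer to that issue in the comment would help the next maintainer.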
index 51e4ed018b3fe17e7039b2976d644be4b1f4fe36..fc98a6c7cd81736c5785f616bfe9dc00f6123a31 100644 (file)
@@ -479,15 +479,6 @@ dns_kasp_nsec3saltlen(dns_kasp_t *kasp) {
        return (kasp->nsec3param.saltlen);
 }
 
-unsigned char *
-dns_kasp_nsec3salt(dns_kasp_t *kasp) {
-       REQUIRE(kasp != NULL);
-       REQUIRE(kasp->frozen);
-       REQUIRE(kasp->nsec3);
-
-       return kasp->nsec3param.salt;
-}
-
 bool
 dns_kasp_nsec3(dns_kasp_t *kasp) {
        REQUIRE(kasp != NULL);
@@ -504,27 +495,14 @@ dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3) {
        kasp->nsec3 = nsec3;
 }
 
-isc_result_t
+void
 dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
-                      const char *salt) {
-       isc_buffer_t buf;
-       isc_result_t ret = ISC_R_SUCCESS;
-
+                      uint8_t saltlen) {
        REQUIRE(kasp != NULL);
        REQUIRE(!kasp->frozen);
        REQUIRE(kasp->nsec3);
 
        kasp->nsec3param.iterations = iter;
        kasp->nsec3param.optout = optout;
-       kasp->nsec3param.saltlen = 0;
-
-       if (salt != NULL && strcmp(salt, "-") != 0) {
-               isc_buffer_init(&buf, kasp->nsec3param.salt,
-                               sizeof(kasp->nsec3param.salt));
-               ret = isc_hex_decodestring(salt, &buf);
-               if (ret == ISC_R_SUCCESS) {
-                       kasp->nsec3param.saltlen = isc_buffer_usedlength(&buf);
-               }
-       }
-       return (ret);
+       kasp->nsec3param.saltlen = saltlen;
 }
index eea0257015473ee11448aacecface9ce9df9d090..118e2574f0b878ffa4d254ff3bebaddb7bc5084d 100644 (file)
@@ -171,7 +171,7 @@ static const char *text[DNS_R_NRESULTS] = {
        "key is not actively signing",   /*%< 122 DNS_R_KEYNOTACTIVE */
 
        "NSEC3 iterations out of range",       /*%< 123 DNS_R_NSEC3ITERRANGE */
-       "bad NSEC3 salt",                      /*%< 124 DNS_R_NSEC3BADSALT */
+       "NSEC3 salt length too high",          /*%< 124 DNS_R_NSEC3SALTRANGE */
        "cannot use NSEC3 with key algorithm", /*%< 125 DNS_R_NSEC3BADALG */
 };
 
@@ -304,7 +304,7 @@ static const char *ids[DNS_R_NRESULTS] = {
        "DNS_R_TOOMANYKEYS",
        "DNS_R_KEYNOTACTIVE",
        "DNS_R_NSEC3ITERRANGE",
-       "DNS_R_NSEC3BADSALT",
+       "DNS_R_NSEC3SALTRANGE",
        "DNS_R_NSEC3BADALG",
 };
 
index cf316b98fbaac1e1149cf04b1022e040fd3d5284..2b0383af73eff50ff4361046f38c0e2d1a2c1d3e 100644 (file)
@@ -439,7 +439,6 @@ dns_kasp_keys
 dns_kasp_nsec3
 dns_kasp_nsec3flags
 dns_kasp_nsec3iter
-dns_kasp_nsec3salt
 dns_kasp_nsec3saltlen
 dns_kasp_parentpropagationdelay
 dns_kasp_publishsafety
@@ -1165,6 +1164,7 @@ dns_zone_catz_enable
 dns_zone_catz_enable_db
 dns_zone_cdscheck
 dns_zone_checknames
+dns_zone_checknsec3param
 dns_zone_clearforwardacl
 dns_zone_clearnotifyacl
 dns_zone_clearqueryacl
index a85470ccb28804ccba20a2b434207126c0eb29f9..9fd1b3df406f1c65d975917e9da8ad4673a1dd31 100644 (file)
@@ -21052,6 +21052,100 @@ failure:
        INSIST(newver == NULL);
 }
 
+/*
+ * Check if zone has NSEC3PARAM (and thus a chain) with the right parameters.
+ */
+isc_result_t
+dns_zone_checknsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
+                        uint16_t iter, uint8_t saltlen, unsigned char *salt) {
+       isc_result_t result = ISC_R_UNEXPECTED;
+       dns_dbnode_t *node = NULL;
+       dns_db_t *db = NULL;
+       dns_dbversion_t *version = NULL;
+       dns_rdataset_t rdataset;
+       dns_rdata_nsec3param_t nsec3param;
+       dns_rdata_t rdata = DNS_RDATA_INIT;
+
+       REQUIRE(DNS_ZONE_VALID(zone));
+       UNUSED(flags);
+
+       dns_rdataset_init(&rdataset);
+
+       ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+       if (zone->db != NULL) {
+               dns_db_attach(zone->db, &db);
+       }
+       ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+       if (db == NULL) {
+               goto cleanup;
+       }
+
+       result = dns_db_findnode(db, &zone->origin, false, &node);
+       if (result != ISC_R_SUCCESS) {
+               dns_zone_log(zone, ISC_LOG_ERROR,
+                            "nsec3param lookup failure: %s",
+                            dns_result_totext(result));
+               goto cleanup;
+       }
+       dns_db_currentversion(db, &version);
+
+       result = dns_db_findrdataset(db, node, version,
+                                    dns_rdatatype_nsec3param,
+                                    dns_rdatatype_none, 0, &rdataset, NULL);
+       if (result != ISC_R_SUCCESS) {
+               INSIST(!dns_rdataset_isassociated(&rdataset));
+               if (result != ISC_R_NOTFOUND) {
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                                    "nsec3param lookup failure: %s",
+                                    dns_result_totext(result));
+               }
+               goto cleanup;
+       }
+
+       for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+            result = dns_rdataset_next(&rdataset))
+       {
+               dns_rdataset_current(&rdataset, &rdata);
+               result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+               INSIST(result == ISC_R_SUCCESS);
+               dns_rdata_reset(&rdata);
+               if (nsec3param.hash != hash) {
+                       continue;
+               }
+               if (nsec3param.iterations != iter) {
+                       continue;
+               }
+               if (nsec3param.salt_length != saltlen) {
+                       continue;
+               }
+               if (salt != NULL) {
+                       if (memcmp(nsec3param.salt, salt, saltlen) != 0) {
+                               continue;
+                       }
+               }
+               /* Found a match. */
+               result = ISC_R_SUCCESS;
+               goto cleanup;
+       }
+       INSIST(result != ISC_R_SUCCESS);
+
+cleanup:
+       if (dns_rdataset_isassociated(&rdataset)) {
+               dns_rdataset_disassociate(&rdataset);
+       }
+       if (node != NULL) {
+               dns_db_detachnode(db, &node);
+       }
+       if (version != NULL) {
+               dns_db_closeversion(db, &version, false);
+       }
+       if (db != NULL) {
+               dns_db_detach(&db);
+       }
+
+       return (result);
+}
+
 /*
  * Called when an "rndc signing -nsec3param ..." command is received.
  *
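Review bot: `result` starts as `ISC_R_UNEXPECTED` and that value is what the function returns when `zone->db` is NULL, which for a zone that is not loaded yet is the normal case rather than an unexpected one; the caller in bin/named/zoneconf.c only distinguishes success from failure, so this works, but the code should say so: `/* No database yet (zone not loaded): report no match so that the caller installs the configured parameters. */` before the `if (db == NULL)` check. Likewise, after the loop the function returns whatever `dns_rdataset_next` left in `result` (`ISC_R_NOMORE` in the normal case) as the "no match" code, which is worth a one-line comment so nobody "fixes" it into a specific error. The function and its cleanup path are complete within the hunk.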
index 39b97f8d545b0278d3cde40f905dd2156021fefb..9a006c896359979f699902bfcfab65c865d20531 100644 (file)
@@ -29,7 +29,8 @@
 #include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>
 
-#define DEFAULT_NSEC3PARAM_ITER 5
+#define DEFAULT_NSEC3PARAM_ITER           5
+#define DEFAULT_NSEC3PARAM_SALTLEN 8
 
 /*
  * Utility function for getting a configuration option.
@@ -171,8 +172,8 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
        dns_kasp_key_t *kkey;
        unsigned int min_keysize = 4096;
        const cfg_obj_t *obj = NULL;
-       const char *salt = NULL;
        uint32_t iter = DEFAULT_NSEC3PARAM_ITER;
+       uint32_t saltlen = DEFAULT_NSEC3PARAM_SALTLEN;
        uint32_t badalg = 0;
        bool optout = false;
        isc_result_t ret = ISC_R_SUCCESS;
@@ -236,17 +237,19 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
        }
 
        /* Salt */
-       obj = cfg_tuple_get(config, "salt");
-       if (cfg_obj_isstring(obj)) {
-               salt = cfg_obj_asstring(obj);
+       obj = cfg_tuple_get(config, "salt-length");
+       if (cfg_obj_isuint32(obj)) {
+               saltlen = cfg_obj_asuint32(obj);
        }
-
-       ret = dns_kasp_setnsec3param(kasp, iter, optout, salt);
-       if (ret != ISC_R_SUCCESS) {
+       if (saltlen > 0xff) {
                cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                           "dnssec-policy: bad nsec3 salt %s", salt);
+                           "dnssec-policy: nsec3 salt length %u too high",
+                           saltlen);
+               return (DNS_R_NSEC3SALTRANGE);
        }
-       return (ret);
+
+       dns_kasp_setnsec3param(kasp, iter, optout, saltlen);
+       return (ISC_R_SUCCESS);
 }
 
 isc_result_t
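Review bot: The `saltlen > 0xff` guard is correct but unexplained; the bound comes from the wire format, where the NSEC3PARAM salt length is a single octet (RFC 5155), so a comment such as `/* The NSEC3PARAM salt length is an 8-bit field (RFC 5155). */` would justify the magic value and the narrowing to `uint8_t` in `dns_kasp_setnsec3param`. Since the function now always returns `ISC_R_SUCCESS` at the end, check whether `ret` (declared at the top of `cfg_nsec3param_fromconfig`) is still used anywhere in the parts of the function outside this hunk; if not, it should be dropped to keep `-Wunused` clean. The function's body begins outside the hunk.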
index 5ec87adbe9b16d4da7fcdeb16f2a62fcbbc59e5a..f139aa3dda17ae422a707e262d8d768d765f0c73 100644 (file)
@@ -587,17 +587,16 @@ static cfg_type_t cfg_type_nsec3optout = {
        &cfg_rep_boolean, &nsec3optout_kw
 };
 
-static keyword_type_t nsec3salt_kw = { "salt", &cfg_type_sstring };
+static keyword_type_t nsec3salt_kw = { "salt-length", &cfg_type_uint32 };
 static cfg_type_t cfg_type_nsec3salt = {
-       "salt",          parse_optional_keyvalue,
-       print_keyvalue,  doc_optional_keyvalue,
-       &cfg_rep_string, &nsec3salt_kw
+       "salt-length",         parse_optional_keyvalue, print_keyvalue,
+       doc_optional_keyvalue, &cfg_rep_uint32,         &nsec3salt_kw
 };
 
 static cfg_tuplefielddef_t nsec3param_fields[] = {
        { "iterations", &cfg_type_nsec3iter, 0 },
        { "optout", &cfg_type_nsec3optout, 0 },
-       { "salt", &cfg_type_nsec3salt, 0 },
+       { "salt-length", &cfg_type_nsec3salt, 0 },
        { NULL, NULL, 0 }
 };