From: Evan Hunt
Date: Fri, 15 Apr 2016 01:53:54 +0000 (-0700)
Subject: [v9_10] fixed revoked key regression
X-Git-Tag: v9.10.4rc1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01badd28ba3e17422f34742545e7002edb198b20;p=thirdparty%2Fbind9.git

[v9_10] fixed revoked key regression

4436. [bug] Fixed a regression introduced in change #4337 which caused signed domains with revoked KSKs to fail validation. [RT #42147]
---
diff --git a/CHANGES b/CHANGES
index 39f384718d8..46d4fc388aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
 --- 9.10.4rc1 released ---
 
+4436. [bug] Fixed a regression introduced in change #4337 which
+ caused signed domains with revoked KSKs to fail
+ validation. [RT #42147]
+
 4345. [contrib] perftcpdns mishandled the return values from
 clock_nanosleep. [RT #42131]
 
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index c4b3f3794e5..dbab82ac3c2 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -77,6 +77,7 @@ rm -f ns3/split-smart.example.db
 rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
 rm -f ns3/ttlpatch.example.db.patched
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
+rm -f ns3/revkey.example.db
 rm -f ns3/managed-future.example.db
 rm -f ns4/managed-keys.bind*
 rm -f ns4/named.conf
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index f0dd668ace5..0b8ee45068d 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -159,3 +159,6 @@ ns.future A 10.53.0.3
 
 managed-future NS ns.managed-future
 ns.managed-future A 10.53.0.3
+
+revkey NS ns.revkey
+ns.revkey A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 4ff450397f7..4b2a6e73138 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -30,7 +30,7 @@ for subdomain in secure bogus dnskey-unknown dnskey-nsec3-unknown \
 dynamic keyless nsec3 optout nsec3-unknown optout-unknown \
 multiple rsasha256 rsasha512 kskonly update-nsec3 auto-nsec \
 auto-nsec3 secure.below-cname ttlpatch split-dnssec split-smart \
- expired expiring upper lower managed-future
+ expired expiring upper lower managed-future revkey
 do
 cp ../ns3/dsset-$subdomain.example. .
 done
diff --git a/bin/tests/system/dnssec/ns3/keyless.example.db.in b/bin/tests/system/dnssec/ns3/generic.example.db.in
similarity index 94%
rename from bin/tests/system/dnssec/ns3/keyless.example.db.in
rename to bin/tests/system/dnssec/ns3/generic.example.db.in
index e2d1ffa95e2..3a7165d2526 100644
--- a/bin/tests/system/dnssec/ns3/keyless.example.db.in
+++ b/bin/tests/system/dnssec/ns3/generic.example.db.in
@@ -13,8 +13,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: keyless.example.db.in,v 1.5 2007/06/19 23:47:02 tbox Exp $
-
 $TTL 300 ; 5 minutes
 @ IN SOA mname1. . (
 2000042407 ; serial
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 375c6884dc7..ac921ba47ba 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -292,6 +292,11 @@ zone "managed-future.example" {
 allow-update { any; };
 };
 
+zone "revkey.example" {
+ type master;
+ file "revkey.example.db.signed";
+};
+
 include "siginterval.conf";
 include "trusted.conf";
 
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index d74c428740b..8e0a974029e 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -52,7 +52,7 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 
 zone=keyless.example.
-infile=keyless.example.db.in
+infile=generic.example.db.in
 zonefile=keyless.example.db
 
 keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
@@ -516,3 +516,19 @@ kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A zone with a revoked key
+#
+zone=revkey.example.
+infile=generic.example.db.in
+zonefile=revkey.example.db
+
+ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+ksk1=`$REVOKE $ksk1`
+ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
+
+cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 4352bba5753..5475fd3c4ba 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
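Review bot: The output of `$REVOKE $ksk1` is assigned straight back to `ksk1` with no check, so if revocation fails `ksk1` is empty, the `cat` references a nonexistent `.key` file and the error disappears behind the signer's `> /dev/null 2>&1`; the zone would then likely be signed with only ksk2 and zsk1, and the test built on it would no longer exercise the revoked-key path at all. That is the same pattern the rest of sign.sh uses, but since this zone exists solely for that case the three-line header should say what the layout is and why: `# A zone whose DNSKEY RRset carries a revoked KSK (ksk1) next to an active KSK (ksk2) and a ZSK; tests.sh queries it to check that validation still succeeds (RT #42147).` The first hunk at line 52 only repoints keyless.example at the renamed generic.example.db.in and needs nothing further.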
@@ -872,6 +872,25 @@ if [ -x ${DELV} ] ; then
 status=`expr $status + $ret`
 fi
 
+echo "I:checking that validation succeeds when a revoked key is encountered ($n)"
+ret=0
+$DIG $DIGOPTS revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+if [ -x ${DELV} ] ; then
+ ret=0
+ echo "I:checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
+ $DELV $DELVOPTS +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
+ grep "fully validated" delv.out$n > /dev/null || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+fi
+
 echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
 ret=0
 #prime
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 4256c189237..e3e05911d38 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -1824,15 +1824,29 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
 isc_buffer_init(&buffer, data, sizeof(data));
 dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
 dns_rdatatype_dnskey, dnskey, &buffer);
+
 result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key);
 if (result != ISC_R_SUCCESS)
 return;
+
 result = dns_view_getsecroots(view, &sr);
 if (result == ISC_R_SUCCESS) {
-dns_keytable_deletekeynode(sr, key);
-dns_keytable_marksecure(sr, keyname);
+result = dns_keytable_deletekeynode(sr, key);
+
+/*
+ * If key was found in secroots, then it was a
+ * configured trust anchor, and we want to fail
+ * secure. If there are no other configured keys,
+ * then leave a null key so that we can't validate
+ * anymore.
+ */
+
+if (result == ISC_R_SUCCESS)
+dns_keytable_marksecure(sr, keyname);
+
 dns_keytable_detach(&sr);
 }
+
 dst_key_free(&key);
 }
 
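Review bot: The two new checks are written in different shapes: the dig block does `echo` then `ret=0`, while the delv block does `ret=0` then `echo`; one order within the same addition makes the block easier to scan against its neighbours. The dig check asserts only `NOERROR` and the AD bit, never that an SOA record actually came back, so a NOERROR response with an empty answer and AD set would also pass; adding `grep "ANSWER: 1" dig.out.ns4.test$n > /dev/null || ret=1` pins the expected answer. `grep "flags: .* ad"` matches any ` ad` after `flags:` on the line; if the rest of tests.sh uses that idiom keep it for consistency, otherwise `grep "flags:.* ad[ ;]"` matches the flag as a whole token.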
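Review bot: The new comment is separated by a blank line from the `if (result == ISC_R_SUCCESS)` it explains, and its second half ("leave a null key so that we can't validate anymore") describes what dns_keytable_marksecure does inside the keytable, which is not visible in this function and reads as a claim about this code. Attaching the comment to the guard and limiting it to what this block does keeps it accurate: `/* Only mark the name secure when the revoked key really was a configured trust anchor (deletekeynode succeeded); a revoked key absent from secroots presumably leaves the table untouched, which per RT #42147 is the case that regressed. */`. Note also that the reused `result` from dns_keytable_deletekeynode is compared only against ISC_R_SUCCESS, so not-found and any other failure are treated alike; that looks intended but deserves a word in the comment. dns_view_untrust's signature and local declarations begin before this hunk.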