From: Matthijs Mekking Date: Tue, 13 Oct 2020 12:39:21 +0000 (+0200) Subject: Support for NSEC3 in dnssec-policy X-Git-Tag: v9.17.8~27^2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=114af58ee28329933e6d39f5f65fd75a63b3ff4a;p=thirdparty%2Fbind9.git Support for NSEC3 in dnssec-policy Implement support for NSEC3 in dnssec-policy. Store the configuration in kasp objects. When configuring a zone, call 'dns_zone_setnsec3param' to queue an nsec3param event. This will ensure that any previous chains will be removed and a chain according to the dnssec-policy is created. Add tests for dnssec-policy zones that uses the new 'nsec3param' option, as well as changing to new values, changing to NSEC, and changing from NSEC. --- diff --git a/bin/named/server.c b/bin/named/server.c index e580bc8a21f..9ee19aa733c 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -73,6 +73,7 @@ #include #include #include +#include #include #include #include diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index ceae3391ccc..6c8ffceade6 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1560,7 +1560,23 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, bool allow = false, maint = false; bool sigvalinsecs; - if (kasp) { + if (kasp != NULL) { + if (dns_kasp_nsec3(kasp)) { + result = dns_zone_setnsec3param( + zone, 1, dns_kasp_nsec3flags(kasp), + dns_kasp_nsec3iter(kasp), + dns_kasp_nsec3saltlen(kasp), + dns_kasp_nsec3salt(kasp), true); + } else { + unsigned char *salt; + DE_CONST("-", salt); + result = dns_zone_setnsec3param(zone, 0, 0, 0, + 0, salt, true); + } + INSIST(result == ISC_R_SUCCESS); + } + + if (kasp != NULL) { seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp); } else { obj = NULL; @@ -1571,7 +1587,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } dns_zone_setkeyvalidityinterval(zone, seconds); - if (kasp) { + if (kasp != NULL) { seconds = (uint32_t)dns_kasp_sigvalidity(kasp); dns_zone_setsigvalidityinterval(zone, seconds); seconds = (uint32_t)dns_kasp_sigrefresh(kasp); diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index a4a3abb5a5d..560ef74270e 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -121,6 +121,7 @@ TESTS += \ mkeys \ names \ notify \ + nsec3 \ nslookup \ padding \ pending \ diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index e24533a2e8c..f94bf0276fc 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -97,6 +97,7 @@ mirror mkeys names notify +nsec3 nslookup nsupdate padding diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh new file mode 100644 index 00000000000..c6d322babb7 --- /dev/null +++ b/bin/tests/system/nsec3/clean.sh @@ -0,0 +1,19 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f dig.out.* rndc.signing.* +rm -f ns*/named.conf ns*/named.memstats ns*/named.run* +rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind +rm -f ns*/K*.private ns*/K*.key ns*/K*.state +rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed + diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in new file mode 100644 index 00000000000..0c722511c60 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -0,0 +1,81 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +dnssec-policy "nsec" { + // no need to change configuration: if no 'nsec3param' is set, + // NSEC will be used; +}; + +dnssec-policy "nsec3" { + nsec3param; +}; + +dnssec-policy "nsec3-other" { + nsec3param iterations 11 optout yes salt "deadbeef"; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ +zone "nsec-to-nsec3.kasp" { + type primary; + file "nsec-to-nsec3.kasp.db"; + dnssec-policy "nsec"; +}; + +/* This zone uses the default NSEC3 settings. */ +zone "nsec3.kasp" { + type primary; + file "nsec3.kasp.db"; + dnssec-policy "nsec3"; +}; + +/* This zone uses non-default NSEC3 settings. */ +zone "nsec3-other.kasp" { + type primary; + file "nsec3-other.kasp.db"; + dnssec-policy "nsec3-other"; +}; + +/* The zone will be reconfigured to use other NSEC3 settings. */ +zone "nsec3-change.kasp" { + type primary; + file "nsec3-change.kasp.db"; + dnssec-policy "nsec3"; +}; + +/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ +zone "nsec3-to-nsec.kasp" { + type primary; + file "nsec3-to-nsec.kasp.db"; + dnssec-policy "nsec3"; +}; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in new file mode 100644 index 00000000000..ce9037889a7 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -0,0 +1,84 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +dnssec-policy "nsec" { + // no need to change configuration: if no 'nsec3param' is set, + // NSEC will be used; +}; + +dnssec-policy "nsec3" { + nsec3param; +}; + +dnssec-policy "nsec3-other" { + nsec3param iterations 11 optout yes salt "deadbeef"; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ +zone "nsec-to-nsec3.kasp" { + type primary; + file "nsec-to-nsec3.kasp.db"; + //dnssec-policy "nsec"; + dnssec-policy "nsec3"; +}; + +/* This zone uses the default NSEC3 settings. */ +zone "nsec3.kasp" { + type primary; + file "nsec3.kasp.db"; + dnssec-policy "nsec3"; +}; + +/* This zone uses non-default NSEC3 settings. */ +zone "nsec3-other.kasp" { + type primary; + file "nsec3-other.kasp.db"; + dnssec-policy "nsec3-other"; +}; + +/* The zone will be reconfigured to use other NSEC3 settings. */ +zone "nsec3-change.kasp" { + type primary; + file "nsec3-change.kasp.db"; + //dnssec-policy "nsec3"; + dnssec-policy "nsec3-other"; +}; + +/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ +zone "nsec3-to-nsec.kasp" { + type primary; + file "nsec3-to-nsec.kasp.db"; + //dnssec-policy "nsec3"; + dnssec-policy "nsec"; +}; diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh new file mode 100644 index 00000000000..957fe2a3b19 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -0,0 +1,28 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns3/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in "$zonefile" +} + +for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec +do + setup "${zn}.kasp" +done diff --git a/bin/tests/system/nsec3/ns3/template.db.in b/bin/tests/system/nsec3/ns3/template.db.in new file mode 100644 index 00000000000..051a312891a --- /dev/null +++ b/bin/tests/system/nsec3/ns3/template.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh new file mode 100644 index 00000000000..8a92ee7dee9 --- /dev/null +++ b/bin/tests/system/nsec3/setup.sh @@ -0,0 +1,24 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +set -e + +$SHELL clean.sh + +copy_setports ns3/named.conf.in ns3/named.conf + +( + cd ns3 + $SHELL setup.sh +) diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh new file mode 100644 index 00000000000..18a9a87ce84 --- /dev/null +++ b/bin/tests/system/nsec3/tests.sh @@ -0,0 +1,244 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +# Log errors and increment $ret. +log_error() { + echo_i "error: $1" + ret=$((ret+1)) +} + +# Call dig with default options. +dig_with_opts() { + $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" +} + +# Call rndc. +rndccmd() { + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" +} + +# Set server key-directory ($1) and address ($2) for testing nsec3. +set_server() { + DIR=$1 + SERVER=$2 +} +# Set zone name ($1) and policy ($2) for testing nsec3. +set_zone_policy() { + ZONE=$1 + POLICY=$2 +} +# Set expected NSEC3 parameters: flags ($1), iterations ($2), and salt ($3). +set_nsec3param() { + FLAGS=$1 + ITERATIONS=$2 + SALT=$3 +} + +# The apex NSEC3PARAM record indicates that it is signed. +_wait_for_nsec3param() { + dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1 + grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1 + return 0 +} +# The apex NSEC record indicates that it is signed. +_wait_for_nsec() { + dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1 + grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1 + grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1 + grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1 + return 0 +} + +# Wait for the zone to be signed. +wait_for_zone_is_signed() { + n=$((n+1)) + ret=0 + echo_i "wait for ${ZONE} to be signed ($n)" + + if [ "$1" = "nsec3" ]; then + retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed" + else + retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Test: dnssec-verify zone $1. +dnssec_verify() +{ + n=$((n+1)) + echo_i "dnssec-verify zone ${ZONE} ($n)" + ret=0 + dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.test$n.axfr || log_error "dig ${ZONE} AXFR failed" + $VERIFY -z -o "$ZONE" dig.out.test$n.axfr > /dev/null || log_error "dnssec verify zone $ZONE failed" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Test: check NSEC in answers +_check_nsec_nsec3param() +{ + dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 + grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1 + return 0 +} + +_check_nsec_nxdomain() +{ + dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 + grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 + grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1 + return 0 +} + +check_nsec() +{ + n=$((n+1)) + echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + n=$((n+1)) + echo_i "check NXDOMAIN response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +# Test: check NSEC3 parameters in answers +_check_nsec3_nsec3param() +{ + dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1 + grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1 + return 0 +} + +_check_nsec3_nxdomain() +{ + dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1 + grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1 + return 0 +} + +check_nsec3() +{ + n=$((n+1)) + echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) + + n=$((n+1)) + echo_i "check NSEC3 response for zone ${ZONE} ($n)" + ret=0 + retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +start_time="$(TZ=UTC date +%s)" +status=0 +n=0 + +# Zone: nsec-to-nsec3.kasp. +set_zone_policy "nsec-to-nsec3.kasp" "nsec" +set_server "ns3" "10.53.0.3" +echo_i "initial check zone ${ZONE}" +check_nsec +dnssec_verify + +# Zone: nsec3.kasp. +set_zone_policy "nsec3.kasp" "nsec3" +set_nsec3param "0" "5" "-" +echo_i "initial check zone ${ZONE}" +check_nsec3 +dnssec_verify + +# Zone: nsec3-change.kasp. +set_zone_policy "nsec3-change.kasp" "nsec3" +echo_i "initial check zone ${ZONE}" +check_nsec3 +dnssec_verify + +# Zone: nsec3-to-nsec.kasp. +set_zone_policy "nsec3-to-nsec.kasp" "nsec3" +echo_i "initial check zone ${ZONE}" +check_nsec3 +dnssec_verify + +# Zone: nsec3-other.kasp. +set_zone_policy "nsec3-other.kasp" "nsec3-other" +set_nsec3param "1" "11" "DEADBEEF" +echo_i "initial check zone ${ZONE}" +check_nsec3 +dnssec_verify + + +# Reconfig named. +echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" +copy_setports ns3/named2.conf.in ns3/named.conf +rndc_reconfig ns3 10.53.0.3 + + +# Zone: nsec-to-nsec3.kasp. (reconfigured) +set_zone_policy "nsec-to-nsec3.kasp" "nsec3" +set_nsec3param "0" "5" "-" +echo_i "check zone ${ZONE} after reconfig" +check_nsec3 +dnssec_verify + +# Zone: nsec3.kasp. (same) +set_zone_policy "nsec3.kasp" "nsec3" +echo_i "check zone ${ZONE} after reconfig" +check_nsec3 +dnssec_verify + +# Zone: nsec3-change.kasp. (reconfigured) +set_zone_policy "nsec3-change.kasp" "nsec3-other" +set_nsec3param "1" "11" "DEADBEEF" +echo_i "check zone ${ZONE} after reconfig" +check_nsec3 +dnssec_verify + +# Zone: nsec3-to-nsec.kasp. (reconfigured) +set_zone_policy "nsec3-to-nsec.kasp" "nsec" +echo_i "check zone ${ZONE} after reconfig" +check_nsec +dnssec_verify + +# Zone: nsec3-other.kasp. (same) +set_zone_policy "nsec3-other.kasp" "nsec3-other" +set_nsec3param "1" "11" "DEADBEEF" +echo_i "check zone ${ZONE} after reconfig" +check_nsec3 +dnssec_verify + +# Using rndc signing -nsec3param +set_zone_policy "nsec3-change.kasp" "nsec3-other" +echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings" +rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE" +grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail" +check_nsec3 +dnssec_verify + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 + diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 80611ccef51..72ad42d6e37 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -50,6 +50,14 @@ struct dns_kasp_key { uint8_t role; }; +struct dns_kasp_nsec3param { + unsigned char salt[255]; + uint8_t saltlen; + uint8_t algorithm; + uint8_t iterations; + bool optout; +}; + /* Stores a DNSSEC policy */ struct dns_kasp { unsigned int magic; @@ -75,6 +83,10 @@ struct dns_kasp { dns_kasp_keylist_t keys; dns_ttl_t dnskey_ttl; + /* Configuration: Denial of existence */ + bool nsec3; + dns_kasp_nsec3param_t nsec3param; + /* Configuration: Timings */ uint32_t publish_safety; uint32_t retire_safety; @@ -86,8 +98,6 @@ struct dns_kasp { /* Parent settings */ dns_ttl_t parent_ds_ttl; uint32_t parent_propagation_delay; - - /* TODO: The rest of the KASP configuration */ }; #define DNS_KASP_MAGIC ISC_MAGIC('K', 'A', 'S', 'P') @@ -604,6 +614,94 @@ dns_kasp_key_zsk(dns_kasp_key_t *key); * */ +bool +dns_kasp_nsec3(dns_kasp_t *kasp); +/*%< + * Return true if NSEC3 chain should be used. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + * + */ + +uint8_t +dns_kasp_nsec3iter(dns_kasp_t *kasp); +/*%< + * The number of NSEC3 iterations to use. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + *\li 'kasp->nsec3' is true. + * + */ + +uint8_t +dns_kasp_nsec3flags(dns_kasp_t *kasp); +/*%< + * The NSEC3 flags field value. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + *\li 'kasp->nsec3' is true. + * + */ + +uint8_t +dns_kasp_nsec3saltlen(dns_kasp_t *kasp); +/*%< + * The NSEC3 salt length. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + *\li 'kasp->nsec3' is true. + * + */ + +unsigned char * +dns_kasp_nsec3salt(dns_kasp_t *kasp); +/*%< + * The NSEC3 salt used. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + *\li 'kasp->nsec3' is true. + * + */ + +void +dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3); +/*%< + * Set to use NSEC3 if 'nsec3' is 'true', otherwise policy will use NSEC. + * + * Requires: + * + *\li 'kasp' is a valid, unfrozen kasp. + * + */ + +isc_result_t +dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout, + const char *salt); +/*%< + * Set the desired NSEC3 parameters. + * + * Requires: + * + *\li 'kasp' is a valid, unfrozen kasp. + *\li 'kasp->nsec3' is true. + * + * Returns: + * + *\li ISC_R_SUCCESS, if NSEC3 parameters are set. + *\li Error, if isc_hex_decodestring() fails. + * + */ + ISC_LANG_ENDDECLS #endif /* DNS_KASP_H */ diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h index 49e92108bbd..a9c8be0635e 100644 --- a/lib/dns/include/dns/types.h +++ b/lib/dns/include/dns/types.h @@ -94,8 +94,9 @@ typedef struct dns_kasp dns_kasp_t; typedef ISC_LIST(dns_kasp_t) dns_kasplist_t; typedef struct dns_kasp_key dns_kasp_key_t; typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t; -typedef uint16_t dns_keyflags_t; -typedef struct dns_keynode dns_keynode_t; +typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t; +typedef uint16_t dns_keyflags_t; +typedef struct dns_keynode dns_keynode_t; typedef ISC_LIST(dns_keynode_t) dns_keynodelist_t; typedef struct dns_keytable dns_keytable_t; typedef uint16_t dns_keytag_t; diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 68ec3a96514..51e4ed018b3 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -14,7 +14,9 @@ #include #include +#include #include +#include #include #include #include @@ -58,7 +60,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) { kasp->parent_ds_ttl = DNS_KASP_DS_TTL; kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY; - /* TODO: The rest of the KASP configuration */ + kasp->nsec3 = false; kasp->magic = DNS_KASP_MAGIC; *kaspp = kasp; @@ -446,3 +448,83 @@ dns_kasp_key_zsk(dns_kasp_key_t *key) { return (key->role & DNS_KASP_KEY_ROLE_ZSK); } + +uint8_t +dns_kasp_nsec3iter(dns_kasp_t *kasp) { + REQUIRE(kasp != NULL); + REQUIRE(kasp->frozen); + REQUIRE(kasp->nsec3); + + return (kasp->nsec3param.iterations); +} + +uint8_t +dns_kasp_nsec3flags(dns_kasp_t *kasp) { + REQUIRE(kasp != NULL); + REQUIRE(kasp->frozen); + REQUIRE(kasp->nsec3); + + if (kasp->nsec3param.optout) { + return (0x01); + } + return (0x00); +} + +uint8_t +dns_kasp_nsec3saltlen(dns_kasp_t *kasp) { + REQUIRE(kasp != NULL); + REQUIRE(kasp->frozen); + REQUIRE(kasp->nsec3); + + return (kasp->nsec3param.saltlen); +} + +unsigned char * +dns_kasp_nsec3salt(dns_kasp_t *kasp) { + REQUIRE(kasp != NULL); + REQUIRE(kasp->frozen); + REQUIRE(kasp->nsec3); + + return kasp->nsec3param.salt; +} + +bool +dns_kasp_nsec3(dns_kasp_t *kasp) { + REQUIRE(kasp != NULL); + REQUIRE(kasp->frozen); + + return kasp->nsec3; +} + +void +dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3) { + REQUIRE(kasp != NULL); + REQUIRE(!kasp->frozen); + + kasp->nsec3 = nsec3; +} + +isc_result_t +dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout, + const char *salt) { + isc_buffer_t buf; + isc_result_t ret = ISC_R_SUCCESS; + + REQUIRE(kasp != NULL); + REQUIRE(!kasp->frozen); + REQUIRE(kasp->nsec3); + + kasp->nsec3param.iterations = iter; + kasp->nsec3param.optout = optout; + kasp->nsec3param.saltlen = 0; + + if (salt != NULL && strcmp(salt, "-") != 0) { + isc_buffer_init(&buf, kasp->nsec3param.salt, + sizeof(kasp->nsec3param.salt)); + ret = isc_hex_decodestring(salt, &buf); + if (ret == ISC_R_SUCCESS) { + kasp->nsec3param.saltlen = isc_buffer_usedlength(&buf); + } + } + return (ret); +} diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index dbd2a020d93..cf316b98fba 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -436,11 +436,18 @@ dns_kasp_key_size dns_kasp_key_zsk dns_kasp_keylist_empty dns_kasp_keys +dns_kasp_nsec3 +dns_kasp_nsec3flags +dns_kasp_nsec3iter +dns_kasp_nsec3salt +dns_kasp_nsec3saltlen dns_kasp_parentpropagationdelay dns_kasp_publishsafety dns_kasp_retiresafety dns_kasp_setdnskeyttl dns_kasp_setdsttl +dns_kasp_setnsec3 +dns_kasp_setnsec3param dns_kasp_setparentpropagationdelay dns_kasp_setpublishsafety dns_kasp_setretiresafety diff --git a/lib/dns/zone.c b/lib/dns/zone.c index b473834baad..a85470ccb28 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9260,12 +9260,16 @@ zone_sign(dns_zone_t *zone) { DNS_ZONEOPT_DNSKEYKSKONLY); /* Determine which type of chain to build */ - CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec, - &build_nsec3)); - - /* If neither chain is found, default to NSEC */ - if (!build_nsec && !build_nsec3) { - build_nsec = true; + if (kasp != NULL) { + build_nsec3 = dns_kasp_nsec3(kasp); + build_nsec = !build_nsec3; + } else { + CHECK(dns_private_chains(db, version, zone->privatetype, + &build_nsec, &build_nsec3)); + /* If neither chain is found, default to NSEC */ + if (!build_nsec && !build_nsec3) { + build_nsec = true; + } } while (signing != NULL && nodes-- > 0 && signatures > 0) { @@ -21097,6 +21101,7 @@ dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags, if (hash == 0) { np->length = 0; np->nsec = true; + dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec"); } else { param.common.rdclass = zone->rdclass; param.common.rdtype = dns_rdatatype_nsec3param; @@ -21115,6 +21120,31 @@ dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags, np->data, sizeof(np->data)); np->length = prdata.length; np->nsec = false; + + if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { + unsigned char text[255 * 2 + 1]; + isc_buffer_t buf; + isc_result_t ret; + isc_region_t r; + + r.base = salt; + r.length = (unsigned int)saltlen; + if (saltlen > 0) { + isc_buffer_init(&buf, text, sizeof(text)); + ret = isc_hex_totext(&r, 2, "", &buf); + if (ret == ISC_R_SUCCESS) { + text[saltlen * 2] = 0; + } else { + text[0] = 0; + } + } else { + text[0] = '-'; + text[1] = 0; + } + dnssec_log(zone, ISC_LOG_DEBUG(3), + "setnsec3param:nsec3 %u %u %u %s", hash, + flags, iter, text); + } } /* diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 5da29876279..6629bf52b3e 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -29,6 +29,8 @@ #include #include +#define DEFAULT_NSEC3PARAM_ITER 5 + /* * Utility function for getting a configuration option. */ @@ -163,6 +165,34 @@ cleanup: return (result); } +static isc_result_t +cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp) { + const cfg_obj_t *obj = NULL; + const char *salt = NULL; + uint8_t iter = DEFAULT_NSEC3PARAM_ITER; + bool optout = false; + + /* How many iterations. */ + obj = cfg_tuple_get(config, "iterations"); + if (cfg_obj_isuint32(obj)) { + iter = cfg_obj_asuint32(obj); + } + + /* Opt-out? */ + obj = cfg_tuple_get(config, "optout"); + if (cfg_obj_isboolean(obj)) { + optout = cfg_obj_asboolean(obj); + } + + /* Salt */ + obj = cfg_tuple_get(config, "salt"); + if (cfg_obj_isstring(obj)) { + salt = cfg_obj_asstring(obj); + } + + return dns_kasp_setnsec3param(kasp, iter, optout, salt); +} + isc_result_t cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx, dns_kasplist_t *kasplist, dns_kasp_t **kaspp) { @@ -170,6 +200,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx, const cfg_obj_t *maps[2]; const cfg_obj_t *koptions = NULL; const cfg_obj_t *keys = NULL; + const cfg_obj_t *nsec3 = NULL; const cfg_listelt_t *element = NULL; const char *kaspname = NULL; dns_kasp_t *kasp = NULL; @@ -245,6 +276,18 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx, } INSIST(!(dns_kasp_keylist_empty(kasp))); + /* Configuration: NSEC3 */ + (void)confget(maps, "nsec3param", &nsec3); + if (nsec3 == NULL) { + dns_kasp_setnsec3(kasp, false); + } else { + dns_kasp_setnsec3(kasp, true); + result = cfg_nsec3param_fromconfig(nsec3, kasp); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + } + /* Configuration: Zone settings */ dns_kasp_setzonemaxttl( kasp, get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL)); @@ -259,8 +302,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx, kasp, get_duration(maps, "parent-propagation-delay", DNS_KASP_PARENT_PROPDELAY)); - /* TODO: Rest of the configuration */ - /* Append it to the list for future lookups. */ ISC_LIST_APPEND(*kasplist, kasp, link); INSIST(!(ISC_LIST_EMPTY(*kasplist))); diff --git a/util/copyrights b/util/copyrights index a29a86d66d2..ef18d6f35b6 100644 --- a/util/copyrights +++ b/util/copyrights @@ -603,6 +603,10 @@ ./bin/tests/system/notify/ns4/named.port.in X 2014,2018,2019,2020 ./bin/tests/system/notify/setup.sh SH 2000,2001,2004,2007,2012,2014,2016,2018,2019,2020 ./bin/tests/system/notify/tests.sh SH 2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020 +./bin/tests/system/nsec3/clean.sh SH 2020 +./bin/tests/system/nsec3/ns3/setup.sh SH 2020 +./bin/tests/system/nsec3/setup.sh SH 2020 +./bin/tests/system/nsec3/tests.sh SH 2020 ./bin/tests/system/nslookup/clean.sh SH 2014,2015,2016,2018,2019,2020 ./bin/tests/system/nslookup/setup.sh SH 2014,2016,2018,2019,2020 ./bin/tests/system/nslookup/tests.sh SH 2014,2016,2018,2019,2020