From: Evan Hunt
Date: Mon, 21 Jan 2019 21:12:26 +0000 (-0800)
Subject: improve handling of trailing dots in dnssec-keymgr and dnssec-coverage
X-Git-Tag: v9.12.4rc1~45^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f06d65e38619e44d79f60fd7902b91221240839;p=thirdparty%2Fbind9.git

improve handling of trailing dots in dnssec-keymgr and dnssec-coverage

- mishandling of trailing dots caused bad behavior with the root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage system test

(cherry picked from commit 1ccf4e6c169993a20305dfec5a23a55e1d920fe1)
---

diff --git a/CHANGES b/CHANGES
index 52a143e2e30..a8504d88d01 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5143. [bug] dnssec-keymgr and dnssec-coverage failed to find
+ key files for zone names ending in ".". [GL #560]
+
 5140. [bug] Don't immediately mark existing keys as inactive and deleted when running dnssec-keymgr for the first time. [GL #117]
diff --git a/bin/python/isc/coverage.py.in b/bin/python/isc/coverage.py.in
index 4e392a780ef..b6ed5d0a692 100644
--- a/bin/python/isc/coverage.py.in
+++ b/bin/python/isc/coverage.py.in
@@ -188,6 +188,9 @@ def parse_args():
 if args.filename and len(args.zone) > 1:
 fatal("ERROR: -f can only be used with one zone.")
+ # strip trailing dots
+ args.zone = [x[:-1] for x in args.zone if len(x) > 1 and x[-1] == '.']
+
 # convert from time arguments to seconds
 try:
 if args.maxttl:
@@ -251,7 +254,7 @@ def main():
 print("PHASE 1--Loading keys to check for internal timing problems")
 try:
- kd = keydict(path=args.path, zone=args.zone, keyttl=args.keyttl)
+ kd = keydict(path=args.path, zones=args.zone, keyttl=args.keyttl)
 except Exception as e:
 fatal('ERROR: Unable to build key dictionary: ' + str(e))
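Review bot: The new comprehension in parse_args drops every zone that does not end in a dot instead of passing it through: the trailing `if` clause filters the list, so `dnssec-coverage example.com` leaves args.zone empty, and the root zone `.` is dropped as well because `len(x) > 1` fails for it. The stripping belongs in the value expression: `args.zone = [x[:-1] if len(x) > 1 and x[-1] == '.' else x for x in args.zone]`. The surrounding `len(args.zone)` suggests args.zone is always a list, but if the argparse definition (outside the hunk) can yield None the comprehension needs a guard too. parse_args continues outside the hunk; the second coverage.py.in hunk renames the keyword to `zones=`, which assumes keydict's constructor accepts that name — its signature is not in this diff.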
diff --git a/bin/python/isc/eventlist.py.in b/bin/python/isc/eventlist.py.in
index 5c1b31aebb9..f11bba3a7a5 100644
--- a/bin/python/isc/eventlist.py.in
+++ b/bin/python/isc/eventlist.py.in
@@ -73,7 +73,7 @@ class eventlist:
 kok = self.checkzone(z, "KSK", until, output)
 if not no_zsk and z in self._Z.keys():
 found = True
- kok = self.checkzone(z, "ZSK", until, output)
+ zok = self.checkzone(z, "ZSK", until, output)
 if not found:
 output("ERROR: No key events found")
diff --git a/bin/python/isc/keydict.py.in b/bin/python/isc/keydict.py.in
index 578a8478885..e4dcb08fc21 100644
--- a/bin/python/isc/keydict.py.in
+++ b/bin/python/isc/keydict.py.in
@@ -49,15 +49,18 @@ class keydict:
 self._keydict[key.name][key.alg][key.keyid] = key
 def readone(self, path, zone):
- match='K' + zone + '.+*.private'
+ if not zone.endswith('.'):
+ zone += '.'
+ match='K' + zone + '+*.private'
 files = glob.glob(os.path.join(path, match))
 found = False
 for infile in files:
 key = dnskey(infile, path, self._defttl)
- if key.name != zone: # shouldn't ever happen
+ if key.fullname != zone: # shouldn't ever happen
 continue
- self._keydict[key.name][key.alg][key.keyid] = key
+ keyname=key.name if zone != '.' else '.'
+ self._keydict[keyname][key.alg][key.keyid] = key
 found = True
 return found
diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh
index 5184a5edbfe..be6e3d8fba8 100644
--- a/bin/tests/system/coverage/setup.sh
+++ b/bin/tests/system/coverage/setup.sh
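Review bot: In readone the glob pattern is still built from the unescaped zone string, so a zone name containing glob metacharacters (`*`, `?`, `[`) matches more key files than intended; the `key.fullname != zone` test then discards them, so the outcome is unaffected but the `# shouldn't ever happen` comment is no longer accurate. If the file no longer has to run under Python 2, `match = 'K' + glob.escape(zone) + '+*.private'` keeps that comment true. Whether the fullname comparison tolerates a differently-cased user-supplied zone depends on how dnskey normalizes names, which is not shown here. The new `match=` and `keyname=` assignments also lack the spaces around `=` used on the neighbouring lines. The rest of class keydict lies outside the hunk.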
@@ -22,115 +22,115 @@ ln -s $CHECKZONE named-compilezone
 dir=01-ksk-inactive
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 # Test 2: ZSK goes inactive before successor is active
 dir=02-zsk-inactive
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 # Test 3: KSK is unpublished before its successor is published
 dir=03-ksk-unpublished
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 # Test 4: ZSK is unpublished before its successor is published
 dir=04-zsk-unpublished
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 # Test 5: KSK deleted and successor published before KSK is deactivated
 # and successor activated.
 dir=05-ksk-unpub-active
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 # Test 6: ZSK deleted and successor published before ZSK is deactivated
 # and successor activated.
 dir=06-zsk-unpub-active
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 # Test 7: KSK rolled with insufficient delay after prepublication.
 dir=07-ksk-ttl
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 # Test 8: ZSK rolled with insufficient delay after prepublication.
 dir=08-zsk-ttl
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 # Test 9: KSK goes inactive before successor is active, but checking ZSKs
 dir=09-check-zsk
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 # Test 10: ZSK goes inactive before successor is active, but checking KSKs
 dir=10-check-ksk
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 # Test 11: ZSK goes inactive before successor is active, but after cutoff
 dir=11-cutoff
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 # Test 12: Too early KSK deletion
 dir=12-ksk-deletion
-ksk1=`$KEYGEN -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
-ksk2=`$KEYGEN -K $dir -S $ksk1.key example.com`
+ksk1=`$KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1.key example.com`
diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
index 3b9b1a2ea62..04aebe1b953 100644
--- a/bin/tests/system/keymgr/clean.sh
+++ b/bin/tests/system/keymgr/clean.sh
@@ -9,9 +9,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-rm -f */K*.key
-rm -f */K*.private
-rm -f Kexample.com.*.key
-rm -f Kexample.com.*.private
-rm -f coverage.* keymgr.*
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
 rm -f policy.out
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
index 89fedd31dff..6ef0a367682 100644
--- a/bin/tests/system/keymgr/tests.sh
+++ b/bin/tests/system/keymgr/tests.sh
@@ -104,6 +104,23 @@ for dir in [0-9][0-9]-*; do
 status=`expr $status + $ret`
 done
+echo_i "checking domains ending in . ($n)"
+ret=0
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
 echo_i "checking policy.conf parser ($n)"
 ret=0
 ${PYTHON} testpolicy.py policy.sample > policy.out
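Review bot: The four new `$KEYMGR` invocations in tests.sh never check the command's exit status, so a run that fails before printing anything yields zero `dnssec-keygen` lines, and the second and fourth checks (which expect 0) pass regardless. Appending `|| ret=1` to each call, e.g. `$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1 || ret=1`, makes a crash or usage error count as a failure. The `grep ... | wc -l` pipelines could also be `grep -c dnssec-keygen keymgr.1.$n`, which reports the same count from a single process. The new block is complete within the hunk; the surrounding `for dir` loop ends just above it.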