From: Mark Andrews Date: Fri, 27 May 2011 01:46:22 +0000 (+0000) Subject: 3120. [bug] Named could fail to validate zones list in a DLV X-Git-Tag: v9.4-ESV-R5~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51c9119e6d449789ffb7872cbe5411ff45add2a8;p=thirdparty%2Fbind9.git 3120. [bug] Named could fail to validate zones list in a DLV that validated insecure without using DLV and had DS records in the parent zone. [RT #24631] --- diff --git a/CHANGES b/CHANGES index d4d6dcce2fa..d7e2c93350d 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,10 @@ trigger an off-by-one error in the ncache code and crash named. [RT #24650] +3120. [bug] Named could fail to validate zones list in a DLV + that validated insecure without using DLV and had + DS records in the parent zone. [RT #24631] + --- 9.4-ESV-R5rc1 released --- 3113. [doc] Document the relationship between serial-query-rate diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh index a7657a2d594..d05c0515020 100644 --- a/bin/tests/system/dlv/clean.sh +++ b/bin/tests/system/dlv/clean.sh 
@@ -14,22 +14,38 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.2.2.3 2010/06/04 23:46:02 tbox Exp $ +# $Id: clean.sh,v 1.2.2.4 2011/05/27 01:46:20 marka Exp $ rm -f random.data rm -f ns*/named.run +rm -f ns1/K* +rm -f ns1/dsset-* +rm -f ns1/*.signed +rm -f ns1/signer.err +rm -f ns1/root.db +rm -f ns1/keyset-* +rm -f ns2/K* +rm -f ns2/dlvset-* +rm -f ns2/dsset-* +rm -f ns2/*.signed +rm -f ns2/*.pre +rm -f ns2/signer.err +rm -f ns2/druz.db +rm -f ns2/keyset-* rm -f ns3/K* rm -f ns3/*.db rm -f ns3/*.signed rm -f ns3/dlvset-* rm -f ns3/dsset-* rm -f ns3/keyset-* -rm -f ns3/trusted.conf ns5/trusted.conf +rm -f ns1/trusted.conf ns5/trusted.conf +rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf rm -f ns3/signer.err rm -f ns6/K* rm -f ns6/*.db rm -f ns6/*.signed rm -f ns6/dsset-* rm -f ns6/signer.err +rm -f ns6/keyset-* rm -f */named.memstats rm -f dig.out.ns*.test* diff --git a/bin/tests/system/dlv/ns1/named.conf b/bin/tests/system/dlv/ns1/named.conf index eee981de2bd..931350dc36b 100644 --- a/bin/tests/system/dlv/ns1/named.conf +++ b/bin/tests/system/dlv/ns1/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2004/05/14 04:58:20 marka Exp $ */ +/* $Id: named.conf,v 1.2.2.2 2011/05/27 01:46:21 marka Exp $ */ controls { /* empty */ }; @@ -28,8 +28,8 @@ options { listen-on-v6 { none; }; recursion no; notify yes; - dnssec-enable no; + dnssec-enable yes; }; -zone "." { type master; file "root.db"; }; +zone "." { type master; file "root.signed"; }; zone "rootservers.utld" { type master; file "rootservers.utld.db"; }; diff --git a/bin/tests/system/dlv/ns1/root.db b/bin/tests/system/dlv/ns1/root.db.in similarity index 76% rename from bin/tests/system/dlv/ns1/root.db rename to bin/tests/system/dlv/ns1/root.db.in index c1bc6adf7e9..c5802a1e527 100644 --- a/bin/tests/system/dlv/ns1/root.db +++ b/bin/tests/system/dlv/ns1/root.db.in 
@@ -1,6 +1,6 @@ -; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") ; -; Permission to use, copy, modify, and distribute this software for any +; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above ; copyright notice and this permission notice appear in all copies. ; @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db,v 1.2 2004/05/14 04:58:20 marka Exp $ +; $Id: root.db.in,v 1.3.10.2 2011/05/27 01:46:21 marka Exp $ $TTL 120 @ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld ( @@ -22,3 +22,5 @@ ns A 10.53.0.1 ; utld NS ns.utld ns.utld A 10.53.0.2 +druz NS ns.druz +ns.druz A 10.53.0.2 diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh new file mode 100755 index 00000000000..b6ba75f08c4 --- /dev/null +++ b/bin/tests/system/dlv/ns1/sign.sh 
@@ -0,0 +1,52 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.3.10.2 2011/05/27 01:46:21 marka Exp $ + +(cd ../ns2 && sh -e ./sign.sh || exit 1) + +echo "I:dlv/ns1/sign.sh" + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=. +infile=root.db.in +zonefile=root.db +outfile=root.signed + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err + +echo "I: signed $zone" + +grep -v '^;' $keyname2.key | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf +cp trusted.conf ../ns5 + diff --git a/bin/tests/system/dlv/ns2/druz.db.in b/bin/tests/system/dlv/ns2/druz.db.in new file mode 100644 index 00000000000..82a88b41a40 --- /dev/null +++ b/bin/tests/system/dlv/ns2/druz.db.in 
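Review bot: The root zone is assembled from the zone data and its own keys only (`cat $infile $keyname1.key $keyname2.key >$zonefile`), so `dsset-druz.` is never pulled in and druz remains an insecure delegation from the root; that appears to be the whole point of the fixture (an insecure parent that still carries DS records for its children, per the CHANGES entry), but nothing in the script says so and a later "fix" adding the dsset would silently defeat the test. Suggest a comment above the `cat` line: `# Deliberately omit dsset-druz.: druz must be an insecure delegation so the DLV fallback for its children (RT #24631) is exercised.` The Perl heredoc that writes trusted.conf appears in this rendering as `print < trusted.conf`, which looks truncated; worth confirming the committed file carries the full `<<EOF ... EOF` body in the same form ns3/sign.sh uses.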
@@ -0,0 +1,54 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: druz.db.in,v 1.4.10.2 2011/05/27 01:46:21 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.2 +; +rootservers NS ns.rootservers +ns.rootservers A 10.53.0.1 +; +; +child1 NS ns.child1 +ns.child1 A 10.53.0.3 +; +child2 NS ns.child2 +ns.child2 A 10.53.0.4 +; +child3 NS ns.child3 +ns.child3 A 10.53.0.3 +; +child4 NS ns.child4 +ns.child4 A 10.53.0.3 +; +child5 NS ns.child5 +ns.child5 A 10.53.0.3 +; +child6 NS ns.child6 +ns.child6 A 10.53.0.4 +; +child7 NS ns.child7 +ns.child7 A 10.53.0.3 +; +child8 NS ns.child8 +ns.child8 A 10.53.0.3 +; +child9 NS ns.child9 +ns.child9 A 10.53.0.3 +; +child10 NS ns.child10 +ns.child10 A 10.53.0.3 diff --git a/bin/tests/system/dlv/ns2/named.conf b/bin/tests/system/dlv/ns2/named.conf index 0b4e36b0ef2..561cf8284d8 100644 --- a/bin/tests/system/dlv/ns2/named.conf +++ b/bin/tests/system/dlv/ns2/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2004/05/14 04:58:21 marka Exp $ */ +/* $Id: named.conf,v 1.2.2.2 2011/05/27 01:46:21 marka Exp $ */ controls { /* empty */ }; 
@@ -28,8 +28,9 @@ options { listen-on-v6 { none; }; recursion no; notify yes; - dnssec-enable no; + dnssec-enable yes; }; zone "." { type hint; file "hints"; }; zone "utld" { type master; file "utld.db"; }; +zone "druz" { type master; file "druz.signed"; }; diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh new file mode 100755 index 00000000000..aba152aabb4 --- /dev/null +++ b/bin/tests/system/dlv/ns2/sign.sh 
@@ -0,0 +1,44 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.3.10.2 2011/05/27 01:46:21 marka Exp $ + +(cd ../ns3 && sh -e ./sign.sh || exit 1) + +echo "I:dlv/ns2/sign.sh" + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=druz. +infile=druz.db.in +zonefile=druz.db +outfile=druz.pre +dlvzone=utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err + +$CHECKZONE -q -D -i none druz druz.pre | +sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed + +echo "I: signed $zone" diff --git a/bin/tests/system/dlv/ns3/named.conf b/bin/tests/system/dlv/ns3/named.conf index 042dc23a30e..89bf242dbfd 100644 --- a/bin/tests/system/dlv/ns3/named.conf +++ b/bin/tests/system/dlv/ns3/named.conf 
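Review bot: The `$CHECKZONE -q -D -i none druz druz.pre | sed ... > druz.signed` pipeline hides a dumping failure: under `sh -e` only sed's exit status counts, so a failed named-checkzone still leaves an empty or partial druz.signed and the problem only surfaces later as an unrelated named load error. Check the dump separately, e.g. write it to a temporary file first and `test -s` it, or at least `|| exit 1` on a non-empty-output test before ns2 is started. The sed also overwrites 16 characters of every DNSKEY's key material with `X`, which reads as a deliberate way to make druz's own keys unusable so the zone can only ever be insecure and never validate as secure (inference — please confirm); that intent deserves a comment such as `# Corrupt the DNSKEY RDATA so druz itself can never validate; its DS records must only be reachable as insecure data.` Note also that the character class `[a-z0-9A-Z/]` omits `+` and `=`, so a key whose base64 lacks a 26-character run from that class would pass through unmodified and silently change what the test exercises.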
@@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2004/05/14 04:58:22 marka Exp $ */ +/* $Id: named.conf,v 1.2.2.2 2011/05/27 01:46:21 marka Exp $ */ controls { /* empty */ }; @@ -41,3 +41,11 @@ zone "child7.utld" { type master; file "child7.signed"; }; // no dlv zone "child8.utld" { type master; file "child8.signed"; }; // no dlv zone "child9.utld" { type master; file "child9.signed"; }; // dlv zone "child10.utld" { type master; file "child.db.in"; }; // dlv unsigned +zone "child1.druz" { type master; file "child1.druz.signed"; }; // dlv +zone "child3.druz" { type master; file "child3.druz.signed"; }; // dlv +zone "child4.druz" { type master; file "child4.druz.signed"; }; // dlv +zone "child5.druz" { type master; file "child5.druz.signed"; }; // dlv +zone "child7.druz" { type master; file "child7.druz.signed"; }; // no dlv +zone "child8.druz" { type master; file "child8.druz.signed"; }; // no dlv +zone "child9.druz" { type master; file "child9.druz.signed"; }; // dlv +zone "child10.druz" { type master; file "child.db.in"; }; // dlv unsigned diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh index dcb176e96e2..9135f2eb4b9 100755 --- a/bin/tests/system/dlv/ns3/sign.sh +++ b/bin/tests/system/dlv/ns3/sign.sh @@ -14,21 +14,24 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.2.2.3 2010/06/04 23:46:02 tbox Exp $ +# $Id: sign.sh,v 1.2.2.4 2011/05/27 01:46:22 marka Exp $ (cd ../ns6 && sh -e sign.sh) +echo "I:dlv/ns3/sign.sh" + SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh RANDFILE=../random.data +dlvzone=dlv.utld. dlvsets= +dssets= zone=child1.utld. infile=child.db.in zonefile=child1.utld.db outfile=child1.signed -dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
@@ -44,7 +47,6 @@ zone=child3.utld. infile=child.db.in zonefile=child3.utld.db outfile=child3.signed -dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -60,7 +62,6 @@ zone=child4.utld. infile=child.db.in zonefile=child4.utld.db outfile=child4.signed -dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -76,7 +77,6 @@ zone=child5.utld. infile=child.db.in zonefile=child5.utld.db outfile=child5.signed -dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -92,7 +92,6 @@ zone=child7.utld. infile=child.db.in zonefile=child7.utld.db outfile=child7.signed -dlvzone=dlv.utld. keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -107,7 +106,6 @@ zone=child8.utld. infile=child.db.in zonefile=child8.utld.db outfile=child8.signed -dlvzone=dlv.utld. keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -122,7 +120,6 @@ zone=child9.utld. infile=child.db.in zonefile=child9.utld.db outfile=child9.signed -dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -137,7 +134,6 @@ zone=child10.utld. infile=child.db.in zonefile=child10.utld.db outfile=child10.signed -dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
@@ -148,12 +144,133 @@ cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile $SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" +zone=child1.druz. +infile=child.db.in +zonefile=child1.druz.db +outfile=child1.druz.signed +dlvsets="$dlvsets dlvset-$zone" +dssets="$dssets dsset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=child3.druz. +infile=child.db.in +zonefile=child3.druz.db +outfile=child3.druz.signed +dlvsets="$dlvsets dlvset-$zone" +dssets="$dssets dsset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=child4.druz. +infile=child.db.in +zonefile=child4.druz.db +outfile=child4.druz.signed +dlvsets="$dlvsets dlvset-$zone" +dssets="$dssets dsset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=child5.druz. 
+infile=child.db.in +zonefile=child5.druz.db +outfile=child5.druz.signed +dlvsets="$dlvsets dlvset-$zone" +dssets="$dssets dsset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=child7.druz. +infile=child.db.in +zonefile=child7.druz.db +outfile=child7.druz.signed +dssets="$dssets dsset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile + +$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=child8.druz. +infile=child.db.in +zonefile=child8.druz.db +outfile=child8.druz.signed + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=child9.druz. +infile=child.db.in +zonefile=child9.druz.db +outfile=child9.druz.signed +dlvsets="$dlvsets dlvset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + +zone=child10.druz. 
+infile=child.db.in +zonefile=child10.druz.db +outfile=child10.druz.signed +dlvsets="$dlvsets dlvset-$zone" +dssets="$dssets dsset-$zone" + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + zone=dlv.utld. infile=dlv.db.in zonefile=dlv.utld.db outfile=dlv.signed -dlvzone=dlv.utld. keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` @@ -172,5 +289,7 @@ trusted-keys { "$dn" $flags $proto $alg "$key"; }; EOF -' > trusted.conf -cp trusted.conf ../ns5 +' > trusted-dlv.conf +cp trusted-dlv.conf ../ns5 + +cp $dssets ../ns2 diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf index f5954471fd2..9c65da3468c 100644 --- a/bin/tests/system/dlv/ns5/named.conf +++ b/bin/tests/system/dlv/ns5/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2.2.7 2007/08/28 07:20:02 tbox Exp $ */ +/* $Id: named.conf,v 1.2.2.8 2011/05/27 01:46:22 marka Exp $ */ /* * Choose a keyname that is unlikely to clash with any real key names. @@ -46,6 +46,7 @@ controls { }; include "trusted.conf"; +include "trusted-dlv.conf"; options { query-source address 10.53.0.5; diff --git a/bin/tests/system/dlv/ns6/named.conf b/bin/tests/system/dlv/ns6/named.conf index 82ab467cd8a..c8a32516b7e 100644 --- a/bin/tests/system/dlv/ns6/named.conf +++ b/bin/tests/system/dlv/ns6/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.3.10.2 2010/06/04 23:46:02 tbox Exp $ */ +/* $Id: named.conf,v 1.3.10.3 2011/05/27 01:46:22 marka Exp $ */ controls { /* empty */ }; 
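Review bot: The eight new child*.druz blocks encode a test matrix that is only recoverable by reading every block: child1/3/4/5/10 get both a DLV entry and a DS in druz, child7 gets a DS only (signed without `-l`), child8 is signed with `-l` but neither its dlvset nor its dsset is installed, child9 gets a DLV entry only, and child4/8/9/10 omit `../ns6/dsset-grand.$zone` while the others include it. A short table comment above `zone=child1.druz.` listing which of DS / DLV / grandchild-DS each zone receives would spare the next reader re-deriving this and would make a copy-paste block with the wrong combination visible. As a style point, the blocks differ only in those parameters, so a shell function taking the zone name and three flags would replace most of the ~120 duplicated lines; the final `cp $dssets ../ns2` depends on the unquoted word-splitting of `$dssets`, which is intended but worth a one-word comment.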
@@ -40,3 +40,11 @@ zone "grand.child7.utld" { type master; file "grand.child7.signed"; }; zone "grand.child8.utld" { type master; file "grand.child8.signed"; }; zone "grand.child9.utld" { type master; file "grand.child9.signed"; }; zone "grand.child10.utld" { type master; file "grand.child.db.in"; }; +zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; }; +zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; }; +zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; }; +zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; }; +zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; }; +zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; }; +zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; }; +zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; }; diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh index 715f215b134..c0322e827e3 100755 --- a/bin/tests/system/dlv/ns6/sign.sh +++ b/bin/tests/system/dlv/ns6/sign.sh @@ -14,11 +14,13 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.3.10.2 2010/06/04 23:46:02 tbox Exp $ +# $Id: sign.sh,v 1.3.10.3 2011/05/27 01:46:22 marka Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +echo "I:dlv/ns6/sign.sh" + RANDFILE=../random.data zone=grand.child1.utld. 
@@ -137,3 +139,120 @@ cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" + +zone=grand.child1.druz. +infile=child.db.in +zonefile=grand.child1.druz.db +outfile=grand.child1.druz.signed + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child3.druz. +infile=child.db.in +zonefile=grand.child3.druz.db +outfile=grand.child3.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child4.druz. +infile=child.db.in +zonefile=grand.child4.druz.db +outfile=grand.child4.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child5.druz. +infile=child.db.in +zonefile=grand.child5.druz.db +outfile=grand.child5.druz.signed +dlvzone=dlv.druz. 
+ +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child7.druz. +infile=child.db.in +zonefile=grand.child7.druz.db +outfile=grand.child7.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child8.druz. +infile=child.db.in +zonefile=grand.child8.druz.db +outfile=grand.child8.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child9.druz. +infile=child.db.in +zonefile=grand.child9.druz.db +outfile=grand.child9.druz.signed +dlvzone=dlv.druz. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + +zone=grand.child10.druz. +infile=child.db.in +zonefile=grand.child10.druz.db +outfile=grand.child10.druz.signed +dlvzone=dlv.druz. 
+ +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh index 0e3898b125d..39102422545 100644 --- a/bin/tests/system/dlv/setup.sh +++ b/bin/tests/system/dlv/setup.sh @@ -14,8 +14,8 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.2 2004/05/14 04:58:19 marka Exp $ +# $Id: setup.sh,v 1.2.2.2 2011/05/27 01:46:20 marka Exp $ ../../genrandom 400 random.data -(cd ns3 && sh -e sign.sh) +(cd ns1 && sh -e sign.sh) diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh index d2a5ff43f9d..5e43ba5fbd7 100644 --- a/bin/tests/system/dlv/tests.sh +++ b/bin/tests/system/dlv/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.2.2.3 2010/06/04 23:46:02 tbox Exp $ +# $Id: tests.sh,v 1.2.2.4 2011/05/27 01:46:20 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
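Review bot: `dlvzone=dlv.druz.` is assigned in each of the grand.child3..10.druz blocks but never used — every signer invocation in this hunk is `$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile` with no `-l`, and no dlv.druz zone is configured anywhere in this change. The dead assignment suggests DLV entries were intended for these grandchildren; either pass `-l $dlvzone` and install the resulting dlvset files, or delete the seven assignments so the intent is not misread. grand.child1.druz is the only block without it, which makes the inconsistency look accidental rather than designed.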
@@ -42,5 +42,21 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)" +ret=0 +$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)" +ret=0 +$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h index 8cf5c132c6e..d13e8150d2a 100644 --- a/lib/dns/include/dns/masterdump.h +++ b/lib/dns/include/dns/masterdump.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.h,v 1.31.14.4 2005/09/01 03:04:28 marka Exp $ */ +/* $Id: masterdump.h,v 1.31.14.5 2011/05/27 01:46:22 marka Exp $ */ #ifndef DNS_MASTERDUMP_H #define DNS_MASTERDUMP_H 1 @@ -329,6 +329,9 @@ dns_master_stylecreate(dns_master_style_t **style, unsigned int flags, void dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx); +const char * +dns_trust_totext(dns_trust_t trust); + ISC_LANG_ENDDECLS #endif /* DNS_MASTERDUMP_H */ diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c index bfa638105d3..8b9d0c2c26f 100644 --- a/lib/dns/masterdump.c +++ b/lib/dns/masterdump.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.c,v 1.73.18.19 2009/11/25 04:50:24 marka Exp $ */ +/* $Id: masterdump.c,v 1.73.18.20 2011/05/27 01:46:22 marka Exp $ */ /*! \file */ 
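Review bot: Only the positive case is exercised: child1.druz and grand.child1.druz (DS in an insecure parent plus a DLV entry) must return `ad`. The fixture also builds child7.druz (DS in druz, no DLV entry), which after this fix should, if I read the setup correctly, still come back insecure — NOERROR without `ad` — rather than SERVFAIL; that is the regression guard that keeps the new validatezonekey fallback from turning insecure answers into bogus ones, and a third check in the existing pattern covers it.
```sh
echo "I:checking that SOA in a DRUZ with DS but no DLV entry validates as insecure ($n)"
ret=0
$DIG $DIGOPTS child7.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
```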
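Review bot: The new `dns_trust_totext` prototype carries no comment; add `/*%< Return a printable name for 'trust', or "bad" if it is outside dns_trust_t. */` above it so callers know the out-of-range behaviour without reading masterdump.c. It is also declared in masterdump.h although the value it describes is a dns_trust_t and the callers added by this commit are all in validator.c; if the only reason is that the `trustnames` table lives in masterdump.c, a one-line comment saying so would stop the next reader from looking for a dump-related meaning.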
@@ -785,6 +785,13 @@ static const char *trustnames[] = {
 "local" /* aka ultimate */
 };
 
+const char *
+dns_trust_totext(dns_trust_t trust) {
+ if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+ return ("bad");
+ return (trustnames[trust]);
+}
+
 static isc_result_t
 dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
 dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 2fe204fd34e..96a4cc7eadd 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: validator.c,v 1.119.18.62 2011/02/27 23:45:16 tbox Exp $ */
+/* $Id: validator.c,v 1.119.18.63 2011/05/27 01:46:22 marka Exp $ */
 
 /*! \file */
 
@@ -331,7 +331,8 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 validator_done(val, ISC_R_CANCELED);
 } else if (eresult == ISC_R_SUCCESS) {
 validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", rdataset->trust);
+ "keyset with trust %s",
+ dns_trust_totext(rdataset->trust));
 /*
 * Only extract the dst key if the keyset is secure.
 */
@@ -408,7 +409,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
 validator_done(val, ISC_R_CANCELED);
 } else if (eresult == ISC_R_SUCCESS) {
 validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %d", rdataset->trust);
+ "dsset with trust %s",
+ dns_trust_totext(rdataset->trust));
 val->dsset = &val->frdataset;
 result = validatezonekey(val);
 if (result != DNS_R_WAIT)
@@ -567,7 +569,8 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 validator_done(val, ISC_R_CANCELED);
 } else if (eresult == ISC_R_SUCCESS) {
 validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
 /*
 * Only extract the dst key if the keyset is secure.
 */
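Review bot: `dns_trust_totext` indexes `trustnames` directly by the enum value, so it is only correct while the table stays in exactly the order of dns_trust_t; the bounds check catches a value past the end (and, because the comparison is done in size_t, a negative one), returning "bad", but an enumerator inserted or reordered without touching the table would silently mislabel every validator debug line this commit converts. Add `/* Indexed by dns_trust_t; must stay in the same order as that enum. */` at the table definition (its head is above this hunk) or on the function, and pair the table with a compile-time size check if the tree has one, so a mismatch fails the build rather than the log output.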
@@ -638,10 +641,10 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 isc_boolean_t have_dsset;
 dns_name_t *name;
 validator_log(val, ISC_LOG_DEBUG(3),
- "%s with trust %d",
+ "%s with trust %s",
 val->frdataset.type == dns_rdatatype_ds ?
 "dsset" : "ds non-existance",
- val->frdataset.trust);
+ dns_trust_totext(val->frdataset.trust));
 have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
 name = dns_fixedname_name(&val->fname);
 if ((val->attributes & VALATTR_INSECURITY) != 0 &&
@@ -713,8 +716,8 @@ cnamevalidated(isc_task_t *task, isc_event_t *event) {
 if (CANCELED(val)) {
 validator_done(val, ISC_R_CANCELED);
 } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %d",
- val->frdataset.trust);
+ validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
+ dns_trust_totext(val->frdataset.trust));
 result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
 if (result != DNS_R_WAIT)
 validator_done(val, result);
@@ -1052,8 +1055,8 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 INSIST(type == dns_rdatatype_dlv);
 if (val->frdataset.trust != dns_trust_secure) {
 validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: trust %u",
- val->frdataset.trust);
+ "covering nsec: trust %s",
+ dns_trust_totext(val->frdataset.trust));
 goto notfound;
 }
 result = dns_rdataset_first(&val->frdataset);
@@ -1370,8 +1373,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 * See if we've got the key used in the signature.
 */
 validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d",
- val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
 result = get_dst_key(val, siginfo, val->keyset);
 if (result != ISC_R_SUCCESS) {
 /*
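Review bot: The unchanged context line between the two converted lines still carries the misspelt log text `"ds non-existance"`; since this hunk already rewrites the same validator_log call, correcting it to `"ds non-existence"` here is cheap, and this debug line is what operators grep for when chasing a DS/DLV validation problem. dsvalidated's body starts and ends outside the hunk.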
@@ -2076,8 +2079,11 @@ validatezonekey(dns_validator_t *val) {
 "must be secure failure");
 return (DNS_R_MUSTBESECURE);
 }
- markanswer(val, "validatezonekey (2)");
- return (ISC_R_SUCCESS);
+ if (val->view->dlv == NULL || DLVTRIED(val)) {
+ markanswer(val, "validatezonekey (2)");
+ return (ISC_R_SUCCESS);
+ }
+ return (startfinddlvsep(val, val->event->name));
 }
 
 /*
@@ -2685,7 +2691,8 @@ dlvvalidated(isc_task_t *task, isc_event_t *event) {
 validator_done(val, ISC_R_CANCELED);
 } else if (eresult == ISC_R_SUCCESS) {
 validator_log(val, ISC_LOG_DEBUG(3),
- "dlvset with trust %d", val->frdataset.trust);
+ "dlvset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
 dns_rdataset_clone(&val->frdataset, &val->dlv);
 val->havedlvsep = ISC_TRUE;
 if (dlv_algorithm_supported(val))
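Review bot: The new fallback turns what used to be an unconditional insecure answer into a DLV lookup, but there is no debug log before `return (startfinddlvsep(val, val->event->name));`, so an operator tracing why a name changed from insecure to secure (or bogus) after this release sees no marker for this path in the very log stream the rest of the commit is improving; add `validator_log(val, ISC_LOG_DEBUG(3), "insecure DS, trying DLV");` ahead of the return, with wording matched to whatever the existing startfinddlvsep callers elsewhere in the file log. The `DLVTRIED(val)` half of the condition is what stops the validator from coming back through this branch after the DLV lookup has already run and failed, and that deserves a one-line comment on the `if`, since without it the guard reads as a plain "is DLV configured" check. validatezonekey's body starts and ends outside the hunk, so whether this `(2)` branch is the "DS present in an insecure parent" case the CHANGES entry describes cannot be confirmed from here.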