From: Willem Toorop Date: Thu, 21 Jan 2021 13:32:12 +0000 (+0100) Subject: Allow "detached" ZONEMD RR mode to ldns-verify-zone X-Git-Tag: 1.8.0-rc.1~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b99b9e3f0e2d071787b9890a4198a4224487d34;p=thirdparty%2Fldns.git Allow "detached" ZONEMD RR mode to ldns-verify-zone --- diff --git a/examples/ldns-verify-zone.1.in b/examples/ldns-verify-zone.1.in index 244da8a0..c37cb791 100644 --- a/examples/ldns-verify-zone.1.in +++ b/examples/ldns-verify-zone.1.in @@ -80,6 +80,11 @@ Requires a valid ZONEMD RR to be present. When given once, this option will permit verifying only the ZONEMD RR of an unsigned zone. When given more than once, the zone needs to be validly DNSSEC signed as well. +.TP +\fB-ZZZ\fR +When three times a \fB-Z\fR option is given, the ZONEMD RR to be verified is +considered "detached" and does not need to have valid signatures. + .LP \fIperiod\fRs are given in ISO 8601 duration format: .RS diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c index c0287cf0..eb473abc 100644 --- a/examples/ldns-verify-zone.c +++ b/examples/ldns-verify-zone.c @@ -431,7 +431,8 @@ verify_nsec(ldns_dnssec_zone* zone, ldns_rbnode_t *cur_node, static ldns_status verify_dnssec_name(ldns_rdf *zone_name, ldns_dnssec_zone* zone, - ldns_rbnode_t *cur_node, ldns_rr_list *keys) + ldns_rbnode_t *cur_node, ldns_rr_list *keys, + bool detached_zonemd) { ldns_status result = LDNS_STATUS_OK; ldns_status status; @@ -492,7 +493,10 @@ verify_dnssec_name(ldns_rdf *zone_name, ldns_dnssec_zone* zone, cur_rrset->type == LDNS_RR_TYPE_DS)) || (!on_delegation_point && cur_rrset->type != LDNS_RR_TYPE_RRSIG && - cur_rrset->type != LDNS_RR_TYPE_NSEC)) { + cur_rrset->type != LDNS_RR_TYPE_NSEC && + + ( cur_rrset->type != LDNS_RR_TYPE_ZONEMD + || !detached_zonemd || cur_rrset->signatures))) { status = verify_dnssec_rrset(zone_name, name->name, cur_rrset, keys); 
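Review bot: The new `detached_zonemd` parameter of verify_dnssec_name is undocumented, and the condition that uses it (hunk at line 493) is hard to read because an empty `+` line splits one boolean expression in two. I would drop the blank line and put a one-line comment above the ZONEMD clause, `/* -ZZZ: a ZONEMD RRset with no RRSIG is exempt from signature checks; a signed one is still verified */`, which records that the `cur_rrset->signatures` test keeps the strict path whenever signatures are present. verify_dnssec_zone gains the same parameter in the later hunks at lines 640 and 693 and its declaration deserves the same comment. verify_dnssec_name's body continues past the end of the hunk.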
@@ -636,7 +640,8 @@ sigchase(ldns_resolver* res, ldns_rdf *zone_name, ldns_dnssec_rrsets *zonekeys, static ldns_status verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, ldns_rdf *zone_name, - ldns_rr_list *keys, bool apexonly, int percentage) + ldns_rr_list *keys, bool apexonly, int percentage, + bool detached_zonemd) { ldns_rbnode_t *cur_node; ldns_dnssec_rrsets *cur_key_rrset; @@ -688,7 +693,8 @@ verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, ldns_rdf *zone_name, if (percentage == 100 || ((random() % 100) >= 100 - percentage)) { status = verify_dnssec_name(zone_name, - dnssec_zone, cur_node, keys); + dnssec_zone, cur_node, keys, + detached_zonemd); update_error(&result, status); if (apexonly) break; @@ -742,7 +748,8 @@ static void print_usage(FILE *out, const char *progname) fprintf(out, "\t\t\tWhen given once, this option will permit verifying" "\n\t\t\tjust the ZONEMD RR of an unsigned zone. When given " "\n\t\t\tmore than once, the zone needs to be validly DNSSEC" - "\n\t\t\tsigned as well."); + "\n\t\t\tsigned as well. With three times a -Z option (-ZZZ)" + "\n\t\t\ta ZONEMD RR without signatures is allowed."); fprintf(out, "\ns are given in ISO 8601 duration format: " "P[n]Y[n]M[n]DT[n]H[n]M[n]S\n"); fprintf(out, "\nif no file is given standard input is read\n"); 
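Review bot: The usage text added in the print_usage hunk (line 748) says that with -ZZZ "a ZONEMD RR without signatures is allowed", which understates what the code does: per the verify_dnssec_name change the exemption only covers a ZONEMD RRset that carries no RRSIG at all, and a ZONEMD that is signed is still verified against the zone keys. Making that explicit keeps operators from reading -ZZZ as switching ZONEMD signature checks off, e.g. `"\n\t\t\ta ZONEMD RR without signatures is allowed; a signed"` followed by `"\n\t\t\tZONEMD RR is still verified."`. The same wording applies to the man page hunk in ldns-verify-zone.1.in. print_usage starts before the hunk.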
@@ -941,32 +948,30 @@ main(int argc, char **argv) if (zonemd_required == 1 && !ldns_dnssec_zone_find_rrset(dnssec_zone, dnssec_zone->soa->name, LDNS_RR_TYPE_DNSKEY)) - ; /* pass */ + result = LDNS_STATUS_OK; else result = verify_dnssec_zone(dnssec_zone, dnssec_zone->soa->name, keys, apexonly, - percentage); - - if (zonemd_required && !zonemd_rrset) { - fprintf(myerr, "ZONEMD was required but not found\n"); - result = LDNS_STATUS_NO_ZONEMD; + percentage, zonemd_required > 2); - } else if (result == LDNS_STATUS_OK) { - result = ldns_dnssec_zone_verify_zonemd(dnssec_zone); - if (verbosity <= 3) - ; /* pass */ + if (zonemd_rrset) { + ldns_status zonemd_result + = ldns_dnssec_zone_verify_zonemd(dnssec_zone); - else if (result) + if (zonemd_result) fprintf( myerr, "Could not validate zone digest: %s\n" , ldns_get_errorstr_by_id(result)); - /* Result is also SUCCESS with proven ZONEMD absence, - * then we should not print "matched the content" - */ - else if (zonemd_rrset) + else if (verbosity > 3) fprintf( myout , "Zone digest matched the zone content\n"); - } + + if (zonemd_result) + result = zonemd_result; + + } else if (zonemd_required) + result = LDNS_STATUS_NO_ZONEMD; + if (result == LDNS_STATUS_OK) { if (verbosity >= 3) { fprintf(myout, "Zone is verified and complete\n"); diff --git a/test/25-ZONEMD.tpkg/25-ZONEMD.dsc b/test/25-ZONEMD.tpkg/25-ZONEMD.dsc index 8ab66b85..9b67a970 100644 --- a/test/25-ZONEMD.tpkg/25-ZONEMD.dsc +++ b/test/25-ZONEMD.tpkg/25-ZONEMD.dsc @@ -10,6 +10,6 @@ Help: 25-ZONEMD.help Pre: Post: Test: 25-ZONEMD.test -AuxFiles: A.1.Simple-EXAMPLE-Zone A.2.Complex-EXAMPLE-Zone A.3.EXAMPLE-Zone-with-multiple-digests A.5.The-ROOT-SERVERS.NET-Zone repeated-ZONEMD-scheme-and-algorithm +AuxFiles: A.1.Simple-EXAMPLE-Zone A.2.Complex-EXAMPLE-Zone A.3.EXAMPLE-Zone-with-multiple-digests A.4.The-URI.ARPA-Zone A.5.The-ROOT-SERVERS.NET-Zone repeated-ZONEMD-scheme-and-algorithm Passed: Failure: 
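Review bot: The "Could not validate zone digest" fprintf in the new `if (zonemd_rrset)` branch still formats `result`, which after this change holds the DNSSEC verification status, while the digest failure is in the new local `zonemd_result`; a failed digest check therefore prints the DNSSEC status string instead of the digest error. That fprintf is unchanged context, so the mismatch is introduced by moving the digest status into the new local. The fix is `, ldns_get_errorstr_by_id(zonemd_result));`. Separately, the digest is now checked, and "Zone digest matched the zone content" printed, even when verify_dnssec_zone already failed; if that is intended, a short comment such as `/* ZONEMD is checked independently of the DNSSEC result */` would make it deliberate. main continues on both sides of the hunk.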
diff --git a/test/25-ZONEMD.tpkg/25-ZONEMD.test b/test/25-ZONEMD.tpkg/25-ZONEMD.test index 49b88b9a..09bf03cd 100644 --- a/test/25-ZONEMD.tpkg/25-ZONEMD.test +++ b/test/25-ZONEMD.tpkg/25-ZONEMD.test @@ -7,11 +7,18 @@ export LD_LIBRARY_PATH="../../lib:${LD_LIBRARY_PATH}" for ZONE in A.1.Simple-EXAMPLE-Zone \ A.2.Complex-EXAMPLE-Zone \ A.3.EXAMPLE-Zone-with-multiple-digests \ + A.4.The-URI.ARPA-Zone \ A.5.The-ROOT-SERVERS.NET-Zone do echo Verifying ${ZONE} - ../../examples/ldns-verify-zone -ZV 4 ${ZONE} - + if [ "${ZONE}" = "A.4.The-URI.ARPA-Zone" ] + then + # Allow DNSSEC to fail (ZONEMD has no signature) + # + ../../examples/ldns-verify-zone -ZZZV 4 -t 20181021203928 ${ZONE} + else + ../../examples/ldns-verify-zone -ZV 4 ${ZONE} + fi if [[ $? -ne 0 ]]; then echo "ZONE ${ZONE} failed" exit 1 diff --git a/test/25-ZONEMD.tpkg/A.4.The-URI.ARPA-Zone b/test/25-ZONEMD.tpkg/A.4.The-URI.ARPA-Zone new file mode 100644 index 00000000..3743349c --- /dev/null +++ b/test/25-ZONEMD.tpkg/A.4.The-URI.ARPA-Zone 
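Review bot: The comment `# Allow DNSSEC to fail (ZONEMD has no signature)` in the new A.4 branch misdescribes -ZZZ: the code change only exempts an unsigned ZONEMD RRset from RRSIG verification, and the rest of the zone must still validate, while the fixed `-t 20181021203928` is presumably what keeps the 2018 signatures in the zone file inside their validity window. I would write `# ZONEMD is unsigned in this zone: -ZZZ exempts it from RRSIG checks; -t pins the verification time` so the test states the intended behaviour accurately. The `[[ $? -ne 0 ]]` after `fi` still works because `$?` reflects the last command run inside the taken branch, but that is subtle; capturing `rc=$?` directly after each ldns-verify-zone invocation, or testing the command in the `if` itself, would be clearer.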
@@ -0,0 +1,137 @@ +; <<>> DiG 9.9.4 <<>> @lax.xfr.dns.icann.org uri.arpa axfr +; (2 servers found) +;; global options: +cmd +uri.arpa. 3600 IN SOA sns.dns.icann.org. ( + noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 ) +uri.arpa. 3600 IN RRSIG NSEC 8 2 3600 ( + 20181028142623 20181007205525 47155 uri.arpa. + eEC4w/oXLR1Epwgv4MBiDtSBsXhqrJVvJWUpbX8XpetAvD35bxwNCUTi + /pAJVUXefegWeiriD2rkTgCBCMmn7YQIm3gdR+HjY/+o3BXNQnz97f+e + HAE9EDDzoNVfL1PyV/2fde9tDeUuAGVVwmD399NGq9jWYMRpyri2kysr q/g= ) +uri.arpa. 86400 IN RRSIG NS 8 2 86400 ( + 20181028172020 20181007175821 47155 uri.arpa. + ATyV2A2A8ZoggC+68u4GuP5MOUuR+2rr3eWOkEU55zAHld/7FiBxl4ln + 4byJYy7NudUwlMOEXajqFZE7DVl8PpcvrP3HeeGaVzKqaWj+aus0jbKF + Bsvs2b1qDZemBfkz/IfAhUTJKnto0vSUicJKfItu0GjyYNJCz2CqEuGD Wxc= ) +uri.arpa. 600 IN RRSIG MX 8 2 600 ( + 20181028170556 20181007175821 47155 uri.arpa. + e7/r3KXDohX1lyVavetFFObp8fB8aXT76HnN9KCQDxSnSghNM83UQV0t + lTtD8JVeN1mCvcNFZpagwIgB7XhTtm6Beur/m5ES+4uSnVeS6Q66HBZK + A3mR95IpevuVIZvvJ+GcCAQpBo6KRODYvJ/c/ZG6sfYWkZ7qg/Em5/+3 4UI= ) +uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 ( + 20181028152832 20181007175821 15796 uri.arpa. + nzpbnh0OqsgBBP8St28pLvPEQ3wZAUdEBuUwil+rtjjWlYYiqjPxZ286 + XF4Rq1usfV5x71jZz5IqswOaQgia91ylodFpLuXD6FTGs2nXGhNKkg1V + chHgtwj70mXU72GefVgo8TxrFYzxuEFP5ZTP92t97FVWVVyyFd86sbbR + 6DZj3uA2wEvqBVLECgJLrMQ9Yy7MueJl3UA4h4E6zO2JY9Yp0W9woq0B + dqkkwYTwzogyYffPmGAJG91RJ2h6cHtFjEZe2MnaY2glqniZ0WT9vXXd + uFPm0KD9U77Ac+ZtctAF9tsZwSdAoL365E2L1usZbA+K0BnPPqGFJRJk + 5R0A1w== ) +uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 ( + 20181028152832 20181007175821 55480 uri.arpa. + lWtQV/5szQjkXmbcD47/+rOW8kJPksRFHlzxxmzt906+DBYyfrH6uq5X + nHvrUlQO6M12uhqDeL+bDFVgqSpNy+42/OaZvaK3J8EzPZVBHPJykKMV + 63T83aAiJrAyHzOaEdmzLCpalqcEE2ImzlLHSafManRfJL8Yuv+JDZFj + 2WDWfEcUuwkmIZWX11zxp+DxwzyUlRl7x4+ok5iKZWIg5UnBAf6B8T75 + WnXzlhCw3F2pXI0a5LYg71L3Tp/xhjN6Yy9jGlIRf5BjB59X2zra3a2R + PkI09SSnuEwHyF1mDaV5BmQrLGRnCjvwXA7ho2m+vv4SP5dUdXf+GTeA + 1HeBfw== ) +uri.arpa. 
3600 IN RRSIG SOA 8 2 3600 ( + 20181029114753 20181008222815 47155 uri.arpa. + qn8yBNoHDjGdT79U2Wu9IIahoS0YPOgYP8lG+qwPcrZ1BwGiHywuoUa2 + Mx6BWZlg+HDyaxj2iOmox+IIqoUHhXUbO7IUkJFlgrOKCgAR2twDHrXu + 9BUQHy9SoV16wYm3kBTEPyxW5FFm8vcdnKAF7sxSY8BbaYNpRIEjDx4A JUc= ) +uri.arpa. 3600 IN NSEC ftp.uri.arpa. NS SOA ( + MX RRSIG NSEC DNSKEY ) +uri.arpa. 86400 IN NS a.iana-servers.net. +uri.arpa. 86400 IN NS b.iana-servers.net. +uri.arpa. 86400 IN NS c.iana-servers.net. +uri.arpa. 86400 IN NS ns2.lacnic.net. +uri.arpa. 86400 IN NS sec3.apnic.net. +uri.arpa. 600 IN MX 10 pechora.icann.org. +uri.arpa. 3600 IN DNSKEY 256 3 8 ( + AwEAAcBi7tSart2J599zbYWspMNGN70IBWb4ziqyQYH9MTB/VCz6WyUK + uXunwiJJbbQ3bcLqTLWEw134B6cTMHrZpjTAb5WAwg4XcWUu8mdcPTiL + Bl6qVRlRD0WiFCTzuYUfkwsh1Rbr7rvrxSQhF5rh71zSpwV5jjjp65Wx + SdJjlH0B ) +uri.arpa. 3600 IN DNSKEY 257 3 8 ( + AwEAAbNVv6ulgRdO31MtAehz7j3ALRjwZglWesnzvllQl/+hBRZr9QoY + cO2I+DkO4Q1NKxox4DUIxj8SxPO3GwDuOFR9q2/CFi2O0mZjafbdYtWc + 3zSdBbi3q0cwCIx7GuG9eqlL+pg7mdk9dgdNZfHwB0LnqTD8ebLPsrO/ + Id7kBaiqYOfMlZnh2fp+2h6OOJZHtY0DK1UlssyB5PKsE0tVzo5s6zo9 + iXKe5u+8WTMaGDY49vG80JPAKE7ezMiH/NZcUMiE0PRZ8D3foq2dYuS5 + ym+vA83Z7v8A+Rwh4UGnjxKB8zmr803V0ASAmHz/gwH5Vb0nH+LObwFt + l3wpbp+Wpm8= ) +uri.arpa. 3600 IN DNSKEY 257 3 8 ( + AwEAAbwnFTakCvaUKsXji4mgmxZUJi1IygbnGahbkmFEa0L16J+TchKR + wcgzVfsxUGa2MmeA4hgkAooC3uy+tTmoMsgy8uq/JAj24DjiHzd46LfD + FK/qMidVqFpYSHeq2Vv5ojkuIsx4oe4KsafGWYNOczKZgH5loGjN2aJG + mrIm++XCphOskgCsQYl65MIzuXffzJyxlAuts+ecAIiVeqRaqQfr8LRU + 7wIsLxinXirprtQrbor+EtvlHp9qXE6ARTZDzf4jvsNpKvLFZtmxzFf3 + e/UJz5eHjpwDSiZL7xE8aE1o1nGfPtJx9ZnB3bapltaJ5wY+5XOCKgY0 + xmJVvNQlwdE= ) +ftp.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20181028080856 20181007175821 47155 uri.arpa. + HClGAqPxzkYkAT7Q/QNtQeB6YrkP6EPOef+9Qo5/2zngwAewXEAQiyF9 + jD1USJiroM11QqBS3v3aIdW/LXORs4Ez3hLcKNO1cKHsOuWAqzmE+BPP + Arfh8N95jqh/q6vpaB9UtMkQ53tM2fYU1GszOLN0knxbHgDHAh2axMGH lqM= ) +ftp.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20181028103644 20181007205525 47155 uri.arpa. 
+ WoLi+vZzkxaoLr2IGZnwkRvcDf6KxiWQd1WZP/U+AWnV+7MiqsWPZaf0 + 9toRErerGoFOiOASNxZjBGJrRgjmavOM9U+LZSconP9zrNFd4dIu6kp5 + YxlQJ0uHOvx1ZHFCj6lAt1ACUIw04ZhMydTmi27c8MzEOMepvn7iH7r7 k7k= ) +ftp.uri.arpa. 3600 IN NSEC http.uri.arpa. NAPTR ( + RRSIG NSEC ) +ftp.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^ftp://([^:/?#]*).*$!\\1!i" . ) +http.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20181029010647 20181007175821 47155 uri.arpa. + U03NntQ73LHWpfLmUK8nMsqkwVsOGW2KdsyuHYAjqQSZvKbtmbv7HBmE + H1+Ii3Z+wtfdMZBy5aC/6sHdx69BfZJs16xumycMlAy6325DKTQbIMN+ + ift9GrKBC7cgCd2msF/uzSrYxxg4MJQzBPvlkwXnY3b7eJSlIXisBIn7 3b8= ) +http.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20181029011815 20181007205525 47155 uri.arpa. + T7mRrdag+WSmG+n22mtBSQ/0Y3v+rdDnfQV90LN5Fq32N5K2iYFajF7F + Tp56oOznytfcL4fHrqOE0wRc9NWOCCUec9C7Wa1gJQcllEvgoAM+L6f0 + RsEjWq6+9jvlLKMXQv0xQuMX17338uoD/xiAFQSnDbiQKxwWMqVAimv5 7Zs= ) +http.uri.arpa. 3600 IN NSEC mailto.uri.arpa. NAPTR ( + RRSIG NSEC ) +http.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^http://([^:/?#]*).*$!\\1!i" . ) +mailto.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20181028110727 20181007175821 47155 uri.arpa. + GvxzVL85rEukwGqtuLxek9ipwjBMfTOFIEyJ7afC8HxVMs6mfFa/nEM/ + IdFvvFg+lcYoJSQYuSAVYFl3xPbgrxVSLK125QutCFMdC/YjuZEnq5cl + fQciMRD7R3+znZfm8d8u/snLV9w4D+lTBZrJJUBe1Efc8vum5vvV7819 ZoY= ) +mailto.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20181028141825 20181007205525 47155 uri.arpa. + MaADUgc3fc5v++M0YmqjGk3jBdfIA5RuP62hUSlPsFZO4k37erjIGCfF + j+g84yc+QgbSde0PQHszl9fE/+SU5ZXiS9YdcbzSZxp2erFpZOTchrpg + 916T4vx6i59scodjb0l6bDyZ+mtIPrc1w6b4hUyOUTsDQoAJYxdfEuMg Vy4= ) +mailto.uri.arpa. 3600 IN NSEC urn.uri.arpa. NAPTR ( + RRSIG NSEC ) +mailto.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^mailto:(.*)@(.*)$!\\2!i" . ) +urn.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20181028123243 20181007175821 47155 uri.arpa. 
+ Hgsw4Deops1O8uWyELGe6hpR/OEqCnTHvahlwiQkHhO5CSEQrbhmFAWe + UOkmGAdTEYrSz+skLRQuITRMwzyFf4oUkZihGyhZyzHbcxWfuDc/Pd/9 + DSl56gdeBwy1evn5wBTms8yWQVkNtphbJH395gRqZuaJs3LD/qTyJ5Dp LvA= ) +urn.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20181029071816 20181007205525 47155 uri.arpa. + ALIZD0vBqAQQt40GQ0Efaj8OCyE9xSRJRdyvyn/H/wZVXFRFKrQYrLAS + D/K7q6CMTOxTRCu2J8yes63WJiaJEdnh+dscXzZkmOg4n5PsgZbkvUSW + BiGtxvz5jNncM0xVbkjbtByrvJQAO1cU1mnlDKe1FmVB1uLpVdA9Ib4J hMU= ) +urn.uri.arpa. 3600 IN NSEC uri.arpa. NAPTR RRSIG ( + NSEC ) +urn.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "/urn:([^:]+)/\\1/i" . ) +uri.arpa. 3600 IN SOA sns.dns.icann.org. ( + noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 ) +;; Query time: 66 msec +;; SERVER: 192.0.32.132#53(192.0.32.132) +;; WHEN: Sun Oct 21 20:39:28 UTC 2018 +;; XFR size: 34 records (messages 1, bytes 3941) +uri.arpa. 3600 IN ZONEMD 2018100702 1 1 ( + 1291b78ddf7669b1a39d014d87626b709b55774c5d7d58fa + dc556439889a10eaf6f11d615900a4f996bd46279514e473 )