From: Kees Monshouwer
Date: Mon, 21 Sep 2020 14:12:45 +0000 (+0200)
Subject: auth: ignore cryptokeys in presigned zones and do not add CDS and CDNSKEY records
X-Git-Tag: auth-4.4.0-alpha1~5^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95b70d3a3a649873313c03208fb93628c72c5ac5;p=thirdparty%2Fpdns.git
auth: ignore cryptokeys in presigned zones and do not add CDS and CDNSKEY records
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index a3b1028cb2..7ca9c6b0e6 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1050,9 +1050,11 @@ void PacketHandler::completeANYRecords(DNSPacket& p, std::unique_ptr&
 {
 addNSECX(p, r, target, DNSName(), sd.qname, 5);
 if(sd.qname == p.qdomain) {
- addDNSKEY(p, r, sd);
- addCDNSKEY(p, r, sd);
- addCDS(p, r, sd);
+ if(!d_dk.isPresigned(sd.qname)) {
+ addDNSKEY(p, r, sd);
+ addCDNSKEY(p, r, sd);
+ addCDS(p, r, sd);
+ }
 addNSEC3PARAM(p, r, sd);
 }
 }
@@ -1281,22 +1283,24 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p)
 if(!retargetcount)
 r->qdomainzone=sd.qname;
 if(sd.qname==p.qdomain) {
- if(p.qtype.getCode() == QType::DNSKEY)
- {
- if(addDNSKEY(p, r, sd))
- goto sendit;
- }
- else if(p.qtype.getCode() == QType::CDNSKEY)
- {
- if(addCDNSKEY(p,r, sd))
- goto sendit;
- }
- else if(p.qtype.getCode() == QType::CDS)
- {
- if(addCDS(p,r, sd))
- goto sendit;
+ if(!d_dk.isPresigned(sd.qname)) {
+ if(p.qtype.getCode() == QType::DNSKEY)
+ {
+ if(addDNSKEY(p, r, sd))
+ goto sendit;
+ }
+ else if(p.qtype.getCode() == QType::CDNSKEY)
+ {
+ if(addCDNSKEY(p,r, sd))
+ goto sendit;
+ }
+ else if(p.qtype.getCode() == QType::CDS)
+ {
+ if(addCDS(p,r, sd))
+ goto sendit;
+ }
 }
- else if(d_dnssec && p.qtype.getCode() == QType::NSEC3PARAM)
+ if(d_dnssec && p.qtype.getCode() == QType::NSEC3PARAM)
 {
 if(addNSEC3PARAM(p,r, sd))
 goto sendit;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 6a56ce13b4..318c252d6e 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
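Review bot: The new `if(!d_dk.isPresigned(sd.qname))` guard around addDNSKEY/addCDNSKEY/addCDS in completeANYRecords gives no hint why presigned zones are skipped, and the intent only lives in the commit message. A one-line comment above the guard would carry it into the code, e.g. `// presigned zones: locally stored cryptokeys are ignored; DNSKEY/CDS/CDNSKEY are expected to be part of the zone data itself`. Since CDS/CDNSKEY are the records a parent acts on when updating the DS, making the "deliberately not synthesized here" decision explicit is worth the line. Whether every presigned zone's backend data actually carries those RRsets is not visible from this hunk.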
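Review bot: In doQuestion the new `if(!d_dk.isPresigned(sd.qname))` is evaluated for every query whose qname is the zone apex, not only for DNSKEY/CDNSKEY/CDS, so apex SOA/NS/A queries now pay a presigned-metadata lookup they did not pay before; if that lookup is not served from a cache it lands on the hottest path. Testing the qtype first confines the lookup to the three types that need it: `const auto qcode = p.qtype.getCode();` followed by `if((qcode == QType::DNSKEY || qcode == QType::CDNSKEY || qcode == QType::CDS) && !d_dk.isPresigned(sd.qname)) {`. Turning the NSEC3PARAM `else if` into a plain `if` is correct because the qtype tests are mutually exclusive. doQuestion begins and ends outside this hunk.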
@@ -609,70 +609,73 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, typedef map nsecxrepo_t; nsecxrepo_t nsecxrepo; - - // this is where the DNSKEYs go in - - DNSSECKeeper::keyset_t keys = dk.getKeys(target); - + vector cds, cdnskey; DNSZoneRecord zrr; - - zrr.dr.d_name = target; - zrr.dr.d_ttl = sd.minimum; - zrr.auth = 1; // please sign! - string publishCDNSKEY, publishCDS; - dk.getPublishCDNSKEY(q->qdomain, publishCDNSKEY); - dk.getPublishCDS(q->qdomain, publishCDS); - vector cds, cdnskey; - DNSSECKeeper::keyset_t entryPoints = dk.getEntryPoints(q->qdomain); - set entryPointIds; - for (auto const& value : entryPoints) - entryPointIds.insert(value.second.id); + if(securedZone && !presignedZone) { + // this is where the DNSKEYs go in + DNSSECKeeper::keyset_t keys = dk.getKeys(target); + + zrr.dr.d_name = target; + zrr.dr.d_ttl = sd.minimum; + zrr.auth = 1; // please sign! + + string publishCDNSKEY, publishCDS; + dk.getPublishCDNSKEY(q->qdomain, publishCDNSKEY); + dk.getPublishCDS(q->qdomain, publishCDS); + DNSSECKeeper::keyset_t entryPoints = dk.getEntryPoints(q->qdomain); + set entryPointIds; + for (auto const& value : entryPoints) + entryPointIds.insert(value.second.id); + + for(const DNSSECKeeper::keyset_t::value_type& value : keys) { + if (!value.second.published) { + continue; + } + zrr.dr.d_type = QType::DNSKEY; + zrr.dr.d_content = std::make_shared(value.first.getDNSKEY()); + DNSName keyname = NSEC3Zone ? DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zrr.dr.d_name))) : zrr.dr.d_name; + NSECXEntry& ne = nsecxrepo[keyname]; - for(const DNSSECKeeper::keyset_t::value_type& value : keys) { - if (!value.second.published) { - continue; - } - zrr.dr.d_type = QType::DNSKEY; - zrr.dr.d_content = std::make_shared(value.first.getDNSKEY()); - DNSName keyname = NSEC3Zone ? 
DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zrr.dr.d_name))) : zrr.dr.d_name; - NSECXEntry& ne = nsecxrepo[keyname]; - - ne.d_set.set(zrr.dr.d_type); - ne.d_ttl = sd.getNegativeTTL(); - csp.submit(zrr); + ne.d_set.set(zrr.dr.d_type); + ne.d_ttl = sd.getNegativeTTL(); + csp.submit(zrr); - // generate CDS and CDNSKEY records - if(entryPointIds.count(value.second.id) > 0){ - if(publishCDNSKEY == "1") { - zrr.dr.d_type=QType::CDNSKEY; - zrr.dr.d_content = std::make_shared(value.first.getDNSKEY()); - cdnskey.push_back(zrr); - } + // generate CDS and CDNSKEY records + if(entryPointIds.count(value.second.id) > 0){ + if(publishCDNSKEY == "1") { + zrr.dr.d_type=QType::CDNSKEY; + zrr.dr.d_content = std::make_shared(value.first.getDNSKEY()); + cdnskey.push_back(zrr); + } - if(!publishCDS.empty()){ - zrr.dr.d_type=QType::CDS; - vector digestAlgos; - stringtok(digestAlgos, publishCDS, ", "); - for(auto const &digestAlgo : digestAlgos) { - zrr.dr.d_content=std::make_shared(makeDSFromDNSKey(target, value.first.getDNSKEY(), pdns_stou(digestAlgo))); - cds.push_back(zrr); + if(!publishCDS.empty()){ + zrr.dr.d_type=QType::CDS; + vector digestAlgos; + stringtok(digestAlgos, publishCDS, ", "); + for(auto const &digestAlgo : digestAlgos) { + zrr.dr.d_content=std::make_shared(makeDSFromDNSKey(target, value.first.getDNSKEY(), pdns_stou(digestAlgo))); + cds.push_back(zrr); + } } } } - } - - if(::arg().mustDo("direct-dnskey")) { - sd.db->lookup(QType(QType::DNSKEY), target, sd.domain_id); - while(sd.db->get(zrr)) { - zrr.dr.d_ttl = sd.minimum; - csp.submit(zrr); + + if(::arg().mustDo("direct-dnskey")) { + sd.db->lookup(QType(QType::DNSKEY), target, sd.domain_id); + while(sd.db->get(zrr)) { + zrr.dr.d_ttl = sd.minimum; + csp.submit(zrr); + } } } uint8_t flags; if(NSEC3Zone) { // now stuff in the NSEC3PARAM + zrr.dr.d_name = target; + zrr.dr.d_ttl = sd.minimum; + zrr.auth = 1; flags = ns3pr.d_flags; zrr.dr.d_type = QType::NSEC3PARAM; ns3pr.d_flags = 0; 
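Review bot: The `direct-dnskey` block has moved inside the new `if(securedZone && !presignedZone)` guard, so for a presigned or unsecured zone with direct-dnskey set the DNSKEY records from the backend are no longer submitted at this point; whether they still reach the transfer depends on how the main record loop of doAXFR, which lies outside this hunk, treats DNSKEY records, and that should be confirmed before merging. If that loop skips DNSKEY on the assumption they are emitted here, a presigned zone would lose on AXFR exactly the RRset a secondary needs to serve its presigned signatures. Keeping `if(::arg().mustDo("direct-dnskey")) { ... }` at its old nesting level, outside the new guard, would preserve the previous behaviour while still dropping the cryptokeys-derived records. Also, `zrr.dr.d_name`, `d_ttl` and `auth` are now only initialized in the guarded block and the NSEC3Zone block, so any later use of `zrr` outside the hunk that relied on them being set unconditionally should be checked. doAXFR begins and continues outside this hunk.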
diff --git a/regression-tests/tests/any-query/command b/regression-tests/tests/any-query/command
index 334ca51105..d3c4aca7e2 100755
--- a/regression-tests/tests/any-query/command
+++ b/regression-tests/tests/any-query/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-SDIGBUFSIZE=32768 cleandig example.com ANY tcp
+SDIGBUFSIZE=32768 cleandig example.com ANY dnssec tcp
diff --git a/regression-tests/tests/any-query/expected_result b/regression-tests/tests/any-query/expected_result
index 0002fcff44..2571b0576f 100644
--- a/regression-tests/tests/any-query/expected_result
+++ b/regression-tests/tests/any-query/expected_result
@@ -3,7 +3,7 @@
 0 example.com. IN NS 120 ns1.example.com.
 0 example.com. IN NS 120 ns2.example.com.
 0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2847484148 28800 7200 604800 86400
-2 . IN OPT 0
+2 . IN OPT 32768
 2 ns1.example.com. IN A 120 192.168.1.1
 2 ns2.example.com. IN A 120 192.168.1.2
 2 smtp-servers.example.com. IN A 120 192.168.0.2