From: Mark Andrews
Date: Tue, 9 Jan 2024 06:01:07 +0000 (+1100)
Subject: Fail if there are non apex DNSKEYs
X-Git-Tag: v9.20.0~35^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3efc15be429d940a98baa4715959071e2581502;p=thirdparty%2Fbind9.git

Fail if there are non apex DNSKEYs

DNSSEC only works when DNSKEYs are self signed. This only occurs when the DNSKEY RRset is at the apex. Cause dnssec-signzone to fail if it attempts to sign an non-apex DNSKEY RRset.
---
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 7b854641805..b38de8e942f 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1167,7 +1167,7 @@ has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
  * Signs all records at a name.
  */
 static void
-signname(dns_dbnode_t *node, dns_name_t *name) {
+signname(dns_dbnode_t *node, bool apex, dns_name_t *name) {
 	isc_result_t result;
 	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *rdsiter;
@@ -1218,6 +1218,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			fatal("'%s': found DS RRset without NS RRset\n",
 			      namebuf);
+		} else if (rdataset.type == dns_rdatatype_dnskey && !apex) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			fatal("'%s': Non-apex DNSKEY RRset\n", namebuf);
 		}
 
 		signset(&del, &add, node, name, &rdataset);
@@ -1537,7 +1541,7 @@ signapex(void) {
 	check_result(result, "dns_dbiterator_seek()");
 	result = dns_dbiterator_current(gdbiter, &node, name);
 	check_dns_dbiterator_current(result);
-	signname(node, name);
+	signname(node, true, name);
 	dumpnode(name, node);
 	dns_db_detachnode(gdb, &node);
 	result = dns_dbiterator_first(gdbiter);
@@ -1666,7 +1670,7 @@ assignwork(void *arg) {
 	UNLOCK(&namelock);
 
-	signname(node, dns_fixedname_name(&fname));
+	signname(node, false, dns_fixedname_name(&fname));
 
 	/*%
 	 * Write a node to the output file, and restart the worker task.
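Review bot: The new `apex` parameter on signname is undocumented; the header comment just above the changed signature still reads only `* Signs all records at a name.` and says nothing about what `apex` means or that it changes which RRsets are fatal. Suggest extending it to `* Signs all records at a name. 'apex' must be true only when 'name' is the zone origin; a DNSKEY RRset found at any other name is a fatal error.` signname's body continues beyond this hunk, and any forward declaration of it elsewhere in the file is not visible here. The `bool` type presumably comes from an include already present in the file — confirm.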
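Review bot: The new `else if` branch decides apex-ness solely from the caller-supplied `apex` flag and never from `name`, so a call site that passes the wrong value would either sign a non-apex DNSKEY RRset silently or reject the real apex one; with two callers this is manageable today but fragile. A one-line sanity check near the top of signname comparing the flag with the name itself, e.g. `INSIST(apex == dns_name_equal(name, gorigin));` if `gorigin` is the origin name used elsewhere in this file (not visible in the hunk), would catch that class of mistake. A short comment on the new branch explaining why the condition is fatal would also help, e.g. `/* A DNSKEY RRset can only be validated when it is self-signed at the apex. */`. signname starts and ends outside this hunk.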