From: Mark Andrews Date: Thu, 30 Apr 2026 23:06:36 +0000 (+1000) Subject: Remove remaining RFC 3445 KEY flags X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd96894bcdddb43aef2ddc768c548db053374194;p=thirdparty%2Fbind9.git Remove remaining RFC 3445 KEY flags RFC 3445 also eliminated the DNS_KEYTYPE_NOAUTH, DNS_KEYTYPE_NOCONF, and DNS_KEYOWNER_ENTITY flags. With NOAUTH and NOCONF gone, the concept of NOKEY can no longer be expressed in KEY records. DNS_KEYOWNER_ENTITY was already unused as of 22d688f656 but still defined; that is now also removed. --- diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index e671123a113..ac3871df960 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -543,8 +543,6 @@ main(int argc, char **argv) { flags |= DNS_KEYOWNER_ZONE; /* DNSKEY: name type ZONE */ flags |= kskflag; flags |= revflag; - } else { - flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */ } isc_buffer_init(&buf, filename, sizeof(filename) - 1); diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index c55d614ec05..683473815fe 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -232,7 +232,6 @@ keygen(keygen_ctx_t *ctx, const char *keyname) { char filename[255]; char algstr[DNS_SECALG_FORMATSIZE]; uint16_t flags = 0; - bool null_key = false; bool conflict = false; bool show_progress = false; isc_buffer_t buf; @@ -497,8 +496,6 @@ keygen(keygen_ctx_t *ctx, const char *keyname) { if ((ctx->options & DST_TYPE_KEY) == 0) { flags |= DNS_KEYOWNER_ZONE; /* DNSKEY: name type ZONE */ - } else { - flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */ } if (ctx->directory == NULL) { @@ -532,12 +529,6 @@ keygen(keygen_ctx_t *ctx, const char *keyname) { break; } - if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY && - (ctx->options & DST_TYPE_KEY) != 0) - { - null_key = true; - } - isc_buffer_init(&buf, filename, sizeof(filename) - 1); do { @@ -668,11 +659,6 @@ keygen(keygen_ctx_t *ctx, const char *keyname) { ctx->tag_min, ctx->tag_max, NULL)) { conflict = true; - if (null_key) { - dst_key_free(&key); - break; - } - if (verbose > 0) { isc_buffer_clear(&buf); result = dst_key_buildfilename( @@ -692,11 +678,6 @@ keygen(keygen_ctx_t *ctx, const char *keyname) { } } while (conflict); - if (conflict) { - fatal("cannot generate a null key due to possible key ID " - "collision"); - } - if (ctx->predecessor != NULL && prevkey != NULL) { dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key)); dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey)); diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index c5be6eda9ab..22af41ef900 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -707,8 +707,7 @@ syncdelete(dst_key_t *key, isc_stdtime_t now) { return false; } -#define is_zone_key(key) \ - ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE) +#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYOWNER_ZONE) != 0) isc_result_t dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { @@ -1049,7 +1048,7 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name, bool dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) { - return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && + return (key->flags & DNS_KEYOWNER_ZONE) != 0 && (key->protocol == DNS_KEYPROTO_DNSSEC || key->protocol == DNS_KEYPROTO_ANY); } diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 39913f6537f..561e12a1a4d 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -385,9 +385,7 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) { RETERR(write_key_state(key, type, directory)); } - if (((type & DST_TYPE_PRIVATE) != 0) && - (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY) - { + if ((type & DST_TYPE_PRIVATE) != 0) { return key->func->tofile(key, directory); } return ISC_R_SUCCESS; @@ -551,9 +549,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, CHECK(result); } - if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC || - (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) - { + if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC) { CHECK(computeid(pubkey)); pubkey->modified = false; *keyp = pubkey; @@ -652,7 +648,7 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) { isc_buffer_putuint8(target, (uint8_t)dst_algorithm_tosecalg(key->key_alg)); - if (key->keydata.generic == NULL) { /*%< NULL KEY */ + if (key->keydata.generic == NULL) { return ISC_R_SUCCESS; } @@ -911,12 +907,6 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits, key->label = isc_mem_strdup(mctx, label); } - if (bits == 0) { /*%< NULL KEY */ - key->key_flags |= DNS_KEYTYPE_NOKEY; - *keyp = key; - return ISC_R_SUCCESS; - } - if (key->func->generate == NULL) { dst_key_free(&key); return DST_R_UNSUPPORTEDALG; diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h index 7f5e56f7690..0562a8085d0 100644 --- a/lib/dns/include/dns/keyvalues.h +++ b/lib/dns/include/dns/keyvalues.h @@ -16,42 +16,26 @@ /*! \file dns/keyvalues.h */ /* - * Flags field of the KEY rdata. Also used by DNSKEY, CDNSKEY, RKEY, - * KEYDATA. Some values are only defined for KEY and not the others, - * and vice versa. + * Flags field of the DNSKEY rdata. Also used by KEY, CDNSKEY, RKEY, + * and KEYDATA, which share DNSKEY's wire format. + * + * The following flags were removed by RFC 3445 and MUST be zero. + * Any use of these flags will break backwards compatibility with + * old software. As long as they are zero they are safe: + * - 1 << 15: Formerly DNS_KEYTYPE_NOAUTH. + * - 1 << 14: Formerly DNS_KEYTYPE_NOCONF. + * - 1 << 12: Formerly DNS_KEYFLAG_EXTENDED. + * - 1 << 9: Formerly DNS_KEYOWNER_ENTITY. + * + * The following flags are reserved and MUST be zero. + * - 1 << 13, 1 << 11, 1 << 10, 1 << 6 through 1 << 2 */ enum { - /* valid for KEY only. if both are set, there is no key data. */ - DNS_KEYTYPE_NOAUTH = 1 << 15, /* cannot be used for authentication. */ - DNS_KEYTYPE_NOCONF = 1 << 14, /* cannot be used for confidentiality. */ - - DNS_KEYFLAG_RESERVED2 = 1 << 13, /* reserved: must be zero. */ - DNS_KEYFLAG_DONOTUSE3 = 1 << 12, /* unused: must be zero. - formerly DNS_KEYFLAG_EXTENDED, - which was removed by RFC 3445 */ - DNS_KEYFLAG_RESERVED4 = 1 << 11, /* reserved: must be zero. */ - DNS_KEYFLAG_RESERVED5 = 1 << 10, /* reserved: must be zero. */ - - /* if nether of these is set, this is a user key (valid for KEY only) */ - DNS_KEYOWNER_ENTITY = 1 << 9, /* host key (valid for KEY only). */ - DNS_KEYOWNER_ZONE = 1 << 8, /* zone key (mandatory for DNSKEY). */ - - DNS_KEYFLAG_REVOKE = 1 << 7, /* key revoked (per rfc5011) */ - DNS_KEYFLAG_RESERVED9 = 1 << 6, /* reserved: must be zero. */ - DNS_KEYFLAG_RESERVED10 = 1 << 5, /* reserved: must be zero. */ - DNS_KEYFLAG_RESERVED11 = 1 << 4, /* reserved: must be zero. */ - - DNS_KEYFLAG_RESERVED12 = 1 << 3, /* reserved: must be zero. */ - DNS_KEYFLAG_RESERVED13 = 1 << 4, /* reserved: must be zero. */ - DNS_KEYFLAG_RESERVED14 = 1 << 2, /* reserved: must be zero. */ - - DNS_KEYFLAG_KSK = 1 << 0, /* key signing key */ + DNS_KEYOWNER_ZONE = 1 << 8, /* zone key (mandatory for DNSKEY). */ + DNS_KEYFLAG_REVOKE = 1 << 7, /* key revoked (per rfc5011) */ + DNS_KEYFLAG_KSK = 1 << 0, /* key signing key */ }; -#define DNS_KEYFLAG_OWNERMASK (DNS_KEYOWNER_ENTITY | DNS_KEYOWNER_ZONE) -#define DNS_KEYFLAG_TYPEMASK (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF) -#define DNS_KEYTYPE_NOKEY DNS_KEYFLAG_TYPEMASK - /* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */ enum { DNS_KEYALG_RSAMD5 = 1, /*%< RSA with MD5 */ diff --git a/lib/dns/key.c b/lib/dns/key.c index d341f1781b2..253c23250f2 100644 --- a/lib/dns/key.c +++ b/lib/dns/key.c @@ -128,7 +128,7 @@ bool dst_key_iszonekey(const dst_key_t *key) { REQUIRE(VALID_KEY(key)); - if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { + if ((key->key_flags & DNS_KEYOWNER_ZONE) == 0) { return false; } if (key->key_proto != DNS_KEYPROTO_DNSSEC && diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c index 2c5121242e3..2d375188a23 100644 --- a/lib/dns/rdata/generic/key_25.c +++ b/lib/dns/rdata/generic/key_25.c @@ -21,29 +21,6 @@ #define RRTYPE_KEY_ATTRIBUTES \ (DNS_RDATATYPEATTR_ATCNAME | DNS_RDATATYPEATTR_ZONECUTAUTH) -/* - * RFC 2535 section 3.1.2 says that if bits 0-1 of the Flags field are - * both set, it means there is no key information and the RR stops after - * the algorithm octet. However, this only applies to KEY records, as - * indicated by the specifications of the RR types based on KEY: - * - * CDNSKEY - RFC 7344 - * DNSKEY - RFC 4034 - * RKEY - draft-reid-dnsext-rkey-00 - */ -static bool -generic_key_nokey(dns_rdatatype_t type, unsigned int flags) { - switch (type) { - case dns_rdatatype_cdnskey: - case dns_rdatatype_dnskey: - case dns_rdatatype_rkey: - return false; - case dns_rdatatype_key: - default: - return (flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY; - } -} - static isc_result_t generic_fromtext_key(ARGS_FROMTEXT) { isc_token_t token; @@ -78,11 +55,6 @@ generic_fromtext_key(ARGS_FROMTEXT) { RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion)); RETERR(mem_tobuffer(target, &alg, 1)); - /* No Key? */ - if (generic_key_nokey(type, flags)) { - return ISC_R_SUCCESS; - } - /* * Save the current used value. It will become the current * value when we parse the keydata field. @@ -149,11 +121,6 @@ generic_totext_key(ARGS_TOTEXT) { isc_region_consume(&sr, 1); RETERR(str_totext(buf, target)); - /* No Key? */ - if (generic_key_nokey(rdata->type, flags)) { - return ISC_R_SUCCESS; - } - if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 && algorithm == DNS_KEYALG_PRIVATEDNS) { @@ -249,9 +216,6 @@ generic_fromwire_key(ARGS_FROMWIRE) { isc_region_consume(&sr, 4); isc_buffer_forward(source, 4); - if (generic_key_nokey(type, flags)) { - return ISC_R_SUCCESS; - } if (sr.length == 0) { return ISC_R_UNEXPECTEDEND; } diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 24f51d75da8..df1abd65198 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -367,9 +367,8 @@ restore_key(dns_tsigkeyring_t *ring, isc_stdtime_t now, FILE *fp) { return DNS_R_BADALG; } - RETERR(dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY, - DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, - ring->mctx, keystr, &dstkey)); + RETERR(dst_key_restore(name, dstalg, 0, DNS_KEYPROTO_DNSSEC, + dns_rdataclass_in, ring->mctx, keystr, &dstkey)); result = dns_tsigkey_createfromkey(name, dstalg, dstkey, true, true, creator, inception, expire, @@ -472,9 +471,8 @@ dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm, isc_buffer_init(&b, secret, length); isc_buffer_add(&b, length); RETERR(dst_key_frombuffer( - name, algorithm, DNS_KEYOWNER_ENTITY, - DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b, - mctx, &dstkey)); + name, algorithm, 0, DNS_KEYPROTO_DNSSEC, + dns_rdataclass_in, &b, mctx, &dstkey)); } } else if (length > 0) { return DNS_R_BADALG; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index d6a86dacc40..3414ed8d356 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -114,10 +114,11 @@ /*% * Key flags */ -#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) -#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) -#define ID(x) dst_key_id(x) -#define ALG(x) dst_key_alg(x) +#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) +#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) +#define ZONEKEY(x) ((dst_key_flags(x) & DNS_KEYOWNER_ZONE) != 0) +#define ID(x) dst_key_id(x) +#define ALG(x) dst_key_alg(x) /*% * KASP flags @@ -5122,9 +5123,6 @@ keyfromfile(dns_zone_t *zone, dst_key_t *pubkey, isc_mem_t *mctx, return result; } -#define is_zone_key(key) \ - ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE) - static isc_result_t findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, const dns_name_t *name, isc_stdtime_t now, @@ -5148,7 +5146,7 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, CHECK(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); dst_key_setttl(pubkey, rdataset.ttl); - if (!is_zone_key(pubkey)) { + if (!ZONEKEY(pubkey)) { goto next; } /* Corrupted .key file? */ @@ -16498,8 +16496,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if ((dnskey.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) - { + if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0) { ISC_LIST_UNLINK(diff->tuples, tuple, link); ISC_LIST_APPEND(tuples, tuple, link); continue; diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c index 41d4cc7f292..b065b3e555b 100644 --- a/tests/dns/rdata_test.c +++ b/tests/dns/rdata_test.c @@ -2255,20 +2255,22 @@ ISC_RUN_TEST_IMPL(key) { * - 1 octet for Algorithm, * - variable number of octets for Public Key. * - * RFC 2535 section 3.1.2 states that if bits + * RFC 2535 section 3.1.2 stated that if bits * 0-1 of Flags are both set, the RR stops after * the algorithm octet and thus its length must * be 4 octets. In any other case, though, the - * Public Key part must not be empty. + * Public Key part must not be empty. This was + * modified by RFC 3445 which removed + * flags 0-1, and hence the concept of NOKEY. * * Algorithms PRIVATEDNS (253) and PRIVATEOID (254) - * have an algorithm identifier embedded and the start + * have an algorithm identifier embedded at the start * of the public key. */ WIRE_INVALID(0x00), WIRE_INVALID(0x00, 0x00), WIRE_INVALID(0x00, 0x00, 0x00), - WIRE_VALID(0xc0, 0x00, 0x00, 0x00), - WIRE_INVALID(0xc0, 0x00, 0x00, 0x00, 0x00), + WIRE_INVALID(0xc0, 0x00, 0x00, 0x00), + WIRE_VALID(0xc0, 0x00, 0x00, 0x00, 0x00), WIRE_INVALID(0x00, 0x00, 0x00, 0x00), WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00), /* PRIVATEDNS example. without key data */