From 12e20eb5f4881a5a69293491aa3d2addcd6b33e5 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 27 Apr 2010 13:00:48 +0000
Subject: [PATCH]        - autotrust anchor file can be initialized with a ZSK
 key as well.

git-svn-id: file:///svn/unbound/trunk@2100 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog                   |   1 +
 testdata/autotrust_init_zsk.rpl | 180 ++++++++++++++++++++++++++++++++
 validator/autotrust.c           |  69 ++++++++++--
 3 files changed, 241 insertions(+), 9 deletions(-)
 create mode 100644 testdata/autotrust_init_zsk.rpl

diff --git a/doc/Changelog b/doc/Changelog
index 333181fab..25321dade 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 27 April 2010: Wouter
 	- unbound-control get_option domain-insecure shows config file items.
 	- fix retry sequence if prime hints are recursion-lame.
+	- autotrust anchor file can be initialized with a ZSK key as well.
 
 26 April 2010: Wouter
 	- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl
new file mode 100644
index 000000000..5e72f2d23
--- /dev/null
+++ b/testdata/autotrust_init_zsk.rpl
@@ -0,0 +1,180 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+	log-time-ascii: yes
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+; initial content (say from dig example.com DNSKEY > example.com.key) 
+AUTOTRUST_FILE example.com
+example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+AUTOTRUST_END
+CONFIG_END
+
+SCENARIO_BEGIN Test autotrust with initial trust anchor ZSK
+
+; K-ROOT
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id copy_query
+REPLY QR AA
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com.	3600	IN	A	10.20.30.40
+www.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
+SECTION AUTHORITY
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+; KSK 1
+example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
+; ZSK 1
+example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (ksk), size = 512b}
+; signatures
+example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20090924111500 20090821111500 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899}
+example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20090924111500 20090821111500 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582}
+
+ENTRY_END
+RANGE_END
+
+; set date/time to Aug 24 09:46:40  (2009).
+STEP 5 TIME_PASSES ELAPSE 1251100000
+STEP 6 ASSIGN t0 = ${time}
+; get probe time and check it. 4800 is about 10% less than 5400. And more than
+; the 3600 that a failure timeout would have.
+STEP 7 ASSIGN probe = ${range 4800 ${timeout} 5400}
+
+
+; the auto probing should have been done now.
+STEP 8 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;last_success: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;next_probe_time: ${$t0 + $probe} ;;${ctime $t0 + $probe}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009
+FILE_END
+
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com.	3600	IN	A	10.20.30.40
+www.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
+SECTION AUTHORITY
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
+ENTRY_END
+
+; The autotrust anchor was probed due to the query.
+
+STEP 30 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;last_success: 1251100000 ;;Mon Aug 24 09:46:40 2009
+;;next_probe_time: ${$t0 + $probe} ;;${ctime $t0 + $probe}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009
+FILE_END
+
+; wait and see if autotrust probes (the unchanged) domain again.
+STEP 40 TIME_PASSES EVAL ${$probe}
+
+STEP 50 TRAFFIC
+
+STEP 65 ASSIGN probe2 = ${range 4800 ${timeout} 5400}
+
+STEP 70 CHECK_AUTOTRUST example.com
+FILE_BEGIN
+; autotrust trust anchor file
+;;id: example.com. 1
+;;last_queried: ${time} ;;${ctime ${time}}
+;;last_success: ${time} ;;${ctime ${time}}
+;;next_probe_time: ${$t0 + $probe + $probe2} ;;${ctime $t0 + $probe + $probe2}
+;;query_failed: 0
+;;query_interval: 5400
+;;retry_time: 3600
+example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009
+FILE_END
+
+SCENARIO_END
diff --git a/validator/autotrust.c b/validator/autotrust.c
index 578a63f46..0574b74b1 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -941,8 +941,8 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
 			continue;
 		if(ta->s == AUTR_STATE_REMOVED)
 			continue;
-		/* only store SEP keys */
-		if(!rr_is_dnskey_sep(ta->rr))
+		/* only store keys */
+		if(ldns_rr_get_type(ta->rr) != LDNS_RR_TYPE_DNSKEY)
 			continue;
 		str = ldns_rr2str(ta->rr);
 		if(!str || !str[0]) {
@@ -1578,6 +1578,37 @@ anchor_state_update(struct module_env* env, struct autr_ta* anchor, int* c)
 	}
 }
 
+/** if ZSK init then trust KSKs */
+static int
+init_zsk_to_ksk(struct module_env* env, struct trust_anchor* tp, int* changed)
+{
+	/* search for VALID ZSKs */
+	struct autr_ta* anchor;
+	int validzsk = 0;
+	int validksk = 0;
+	for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
+		/* last_change test makes sure it was manually configured */
+                if (ldns_rr_get_type(anchor->rr) == LDNS_RR_TYPE_DNSKEY &&
+			anchor->last_change == 0 && 
+			!rr_is_dnskey_sep(anchor->rr) &&
+			anchor->s == AUTR_STATE_VALID)
+                        validzsk++;
+	}
+	if(validzsk == 0)
+		return 0;
+	for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
+                if (rr_is_dnskey_sep(anchor->rr) && 
+			anchor->s == AUTR_STATE_ADDPEND) {
+			verbose_key(anchor, VERB_ALGO, "trust KSK from "
+				"ZSK(config)");
+			set_trustanchor_state(env, anchor, changed, 
+				AUTR_STATE_VALID);
+			validksk++;
+		}
+	}
+	return validksk;
+}
+
 /** Remove missing trustanchors so the list does not grow forever */
 static void
 remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp,
@@ -1586,8 +1617,6 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp,
 	struct autr_ta* anchor;
 	int exceeded;
 	int valid = 0;
-	if(env->cfg->keep_missing == 0)
-		return; /* keep forever */
 	/* see if we have anchors that are valid */
 	for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
 		/* Only do KSKs */
@@ -1596,16 +1625,38 @@ remove_missing_trustanchors(struct module_env* env, struct trust_anchor* tp,
                 if (anchor->s == AUTR_STATE_VALID)
                         valid++;
 	}
-	if(valid == 0)
-		return;
+	/* if there are no SEP Valid anchors, see if we started out with
+	 * a ZSK (last-change=0) anchor, which is VALID and there are KSKs
+	 * now that can be made valid.  Do this immediately because there
+	 * is no guarantee that the ZSKs get announced long enough.  Usually
+	 * this is immediately after init with a ZSK trusted, unless the domain
+	 * was not advertising any KSKs at all.  In which case we perfectly
+	 * track the zero number of KSKs. */
+	if(valid == 0) {
+		valid = init_zsk_to_ksk(env, tp, changed);
+		if(valid == 0)
+			return;
+	}
 	
 	for(anchor = tp->autr->keys; anchor; anchor = anchor->next) {
-		/* Only do KSKs */
-                if (!rr_is_dnskey_sep(anchor->rr))
+		/* ignore ZSKs if newly added */
+		if(anchor->s == AUTR_STATE_START)
+			continue;
+		/* remove ZSKs if a KSK is present */
+                if (!rr_is_dnskey_sep(anchor->rr)) {
+			if(valid > 0) {
+				verbose_key(anchor, VERB_ALGO, "remove ZSK "
+					"[%d key(s) VALID]", valid);
+				set_trustanchor_state(env, anchor, changed, 
+					AUTR_STATE_REMOVED);
+			}
                         continue;
+		}
                 /* Only do MISSING keys */
                 if (anchor->s != AUTR_STATE_MISSING)
                         continue;
+		if(env->cfg->keep_missing == 0)
+			continue; /* keep forever */
 
 		exceeded = check_holddown(env, anchor, env->cfg->keep_missing);
 		/* If keep_missing has exceeded and we still have more than 
@@ -1657,7 +1708,7 @@ autr_cleanup_keys(struct trust_anchor* tp)
 	while(p) {
 		/* do we want to remove this key? */
 		if(p->s == AUTR_STATE_START || p->s == AUTR_STATE_REMOVED ||
-			!rr_is_dnskey_sep(p->rr)) {
+			ldns_rr_get_type(p->rr) != LDNS_RR_TYPE_DNSKEY) {
 			struct autr_ta* np = p->next;
 			/* remove */
 			ldns_rr_free(p->rr);
-- 
2.47.2