]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Add built-in dnssec-policy "insecure"
authorMatthijs Mekking <matthijs@isc.org>
Wed, 21 Apr 2021 14:09:06 +0000 (16:09 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 30 Apr 2021 09:18:38 +0000 (11:18 +0200)
Add a new built-in policy "insecure", to be used to gracefully unsign
a zone. Previously you could just remove the 'dnssec-policy'
configuration from your zone statement, or remove it.

The built-in policy "none" (or not configured) now actually means
no DNSSEC maintenance for the corresponding zone. So if you
immediately reconfigure your zone from whatever policy to "none",
your zone will temporarily be seen as bogus by validating resolvers.

This means we can remove the functions 'dns_zone_use_kasp()' and
'dns_zone_secure_to_insecure()' again. We also no longer have to
check for the existence of key state files to figure out if a zone
is transitioning to insecure.

bin/named/server.c
bin/named/zoneconf.c
lib/bind9/check.c
lib/dns/include/dns/zone.h
lib/dns/update.c
lib/dns/win32/libdns.def.in
lib/dns/zone.c
lib/isccfg/kaspconf.c

index 136c922384ab7529274e5a31c5c10a2154a0c529..6342ff31a16431d87b1204789243d578ddaee30d 100644 (file)
@@ -9174,7 +9174,7 @@ load_configuration(const char *filename, named_server_t *server,
                dns_kasp_detach(&kasp);
        }
        /*
-        * Create the built-in kasp policies ("default", "none").
+        * Create the built-in kasp policies ("default", "insecure").
         */
        kasp = NULL;
        CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx,
@@ -9184,7 +9184,7 @@ load_configuration(const char *filename, named_server_t *server,
        dns_kasp_detach(&kasp);
 
        kasp = NULL;
-       CHECK(cfg_kasp_fromconfig(NULL, "none", named_g_mctx, named_g_lctx,
+       CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx,
                                  &kasplist, &kasp));
        INSIST(kasp != NULL);
        dns_kasp_freeze(kasp);
@@ -14827,7 +14827,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
                CHECK(ISC_R_UNEXPECTEDEND);
        }
 
-       if (dns_zone_use_kasp(zone)) {
+       if (dns_zone_getkasp(zone) != NULL) {
                (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
                                   "command instead");
                (void)putnull(text);
index e0b17e65f539542a64c32db1a28442bd7c47ca59..c82cf76850e0caaca7066fa9d5f1b0a415659755 100644 (file)
@@ -1249,15 +1249,23 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                result = named_config_get(maps, "dnssec-policy", &obj);
                if (result == ISC_R_SUCCESS) {
                        kaspname = cfg_obj_asstring(obj);
-                       result = dns_kasplist_find(kasplist, kaspname, &kasp);
-                       if (result != ISC_R_SUCCESS) {
-                               cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
-                                           "'dnssec-policy '%s' not found ",
-                                           kaspname);
-                               RETERR(result);
+                       if (strcmp(kaspname, "none") != 0) {
+                               result = dns_kasplist_find(kasplist, kaspname,
+                                                          &kasp);
+                               if (result != ISC_R_SUCCESS) {
+                                       cfg_obj_log(
+                                               obj, named_g_lctx,
+                                               ISC_LOG_ERROR,
+                                               "dnssec-policy '%s' not found ",
+                                               kaspname);
+                                       RETERR(result);
+                               }
+                               dns_zone_setkasp(zone, kasp);
+                               use_kasp = true;
                        }
-                       dns_zone_setkasp(zone, kasp);
-                       use_kasp = dns_zone_use_kasp(zone);
+               }
+               if (!use_kasp) {
+                       dns_zone_setkasp(zone, NULL);
                }
 
                obj = NULL;
@@ -1671,10 +1679,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 
                obj = NULL;
                result = cfg_map_get(zoptions, "auto-dnssec", &obj);
-               if (kasp != NULL && strcmp(dns_kasp_getname(kasp), "none") != 0)
-               {
+               if (kasp != NULL) {
+                       bool s2i = (strcmp(dns_kasp_getname(kasp),
+                                          "insecure") != 0);
                        dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
-                       dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
+                       dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
                        dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
                } else if (result == ISC_R_SUCCESS) {
                        const char *arg = cfg_obj_asstring(obj);
@@ -1691,11 +1700,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                        dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
                        dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
                        dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
-               } else {
-                       bool s2i = dns_zone_secure_to_insecure(zone, false);
-                       dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, s2i);
-                       dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
-                       dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, s2i);
                }
        }
 
@@ -2216,13 +2220,6 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
                        dns_zone_log(zone, ISC_LOG_DEBUG(1),
                                     "inline-signing: "
                                     "implicitly through dnssec-policy");
-               } else {
-                       inline_signing = dns_zone_secure_to_insecure(zone,
-                                                                    true);
-                       dns_zone_log(
-                               zone, ISC_LOG_DEBUG(1), "inline-signing: %s",
-                               inline_signing ? "transitioning to insecure"
-                                              : "no");
                }
        }
 
index 9555ba37f9325bf203ad7b9c4ac465807a59466b..13e1da994bed4e2f6eddeb98c92eb26eec23d09b 100644 (file)
@@ -2634,6 +2634,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
                if (strcmp(kaspname, "default") == 0) {
                        has_dnssecpolicy = true;
+               } else if (strcmp(kaspname, "insecure") == 0) {
+                       has_dnssecpolicy = true;
                } else if (strcmp(kaspname, "none") == 0) {
                        has_dnssecpolicy = false;
                } else {
index 822989ab82ac4c8dab20445d3b32e98de0b8e818..48e3ae34b558a5d888d3f5cb9f70b6dc50e4dee5 100644 (file)
@@ -686,32 +686,6 @@ dns_zone_getkasp(dns_zone_t *zone);
  *\li  'zone' to be a valid zone.
  */
 
-bool
-dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig);
-/*%<
- *     Returns true if the zone is transitioning to insecure.
- *     Only can happen if a zone previously used a dnssec-policy,
- *     but changed the value to "none" (or removed the configuration
- *     option). If 'reconfig' is true, only check the key files,
- *     because the zone structure is not yet updated with the
- *     newest configuration.
- *
- * Require:
- *\li  'zone' to be a valid zone.
- */
-
-bool
-dns_zone_use_kasp(dns_zone_t *zone);
-/*%<
- *     Check if zone needs to use kasp.
- *     True if there is a policy that is not "none",
- *     or if there are state files associated with the keys
- *     related to this zone.
- *
- * Require:
- *\li  'zone' to be a valid zone.
- */
-
 void
 dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
 /*%<
index 1b923f692e3b6019942ba2d6c414033ea41bffb8..6b8b868b99ea3ed59c3a36f0417c782e45543fe5 100644 (file)
@@ -1087,6 +1087,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
         bool keyset_kskonly) {
        isc_result_t result;
        dns_dbnode_t *node = NULL;
+       dns_kasp_t *kasp = dns_zone_getkasp(zone);
        dns_rdataset_t rdataset;
        dns_rdata_t sig_rdata = DNS_RDATA_INIT;
        dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
@@ -1097,7 +1098,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
        bool use_kasp = false;
        isc_mem_t *mctx = diff->mctx;
 
-       if (dns_zone_use_kasp(zone)) {
+       if (kasp != NULL) {
                check_ksk = false;
                keyset_kskonly = true;
                use_kasp = true;
index c22be8ee2bce52d895d2f536a9d7167c7b2b3e24..bcf586d02bda51523441224beb388d96d566e46f 100644 (file)
@@ -1292,7 +1292,6 @@ dns_zone_rekey
 dns_zone_replacedb
 dns_zone_rpz_enable
 dns_zone_rpz_enable_db
-dns_zone_secure_to_insecure
 dns_zone_set_parentcatz
 dns_zone_setadded
 dns_zone_setalsonotify
@@ -1378,7 +1377,6 @@ dns_zone_setzeronosoattl
 dns_zone_signwithkey
 dns_zone_synckeyzone
 dns_zone_unload
-dns_zone_use_kasp
 dns_zone_verifydb
 dns_zonekey_iszonekey
 dns_zonemgr_attach
index 00e6dd2f4ed5a08c5483cec18f9b073bd82c02db..7ccacf6e807df8964eaee77cae63b55d738379b2 100644 (file)
@@ -5736,82 +5736,6 @@ dns_zone_getkasp(dns_zone_t *zone) {
        return (zone->kasp);
 }
 
-static bool
-statefile_exist(dns_zone_t *zone) {
-       isc_result_t ret;
-       dns_dnsseckeylist_t keys;
-       dns_dnsseckey_t *key = NULL;
-       isc_stdtime_t now;
-       isc_time_t timenow;
-       bool found = false;
-
-       TIME_NOW(&timenow);
-       now = isc_time_seconds(&timenow);
-
-       ISC_LIST_INIT(keys);
-
-       ret = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
-                                         dns_zone_getkeydirectory(zone), now,
-                                         dns_zone_getmctx(zone), &keys);
-       if (ret == ISC_R_SUCCESS) {
-               for (key = ISC_LIST_HEAD(keys); key != NULL;
-                    key = ISC_LIST_NEXT(key, link)) {
-                       if (dst_key_haskasp(key->key)) {
-                               found = true;
-                               break;
-                       }
-               }
-       }
-
-       /* Clean up keys */
-       while (!ISC_LIST_EMPTY(keys)) {
-               key = ISC_LIST_HEAD(keys);
-               ISC_LIST_UNLINK(keys, key, link);
-               dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
-       }
-
-       return (found);
-}
-
-bool
-dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig) {
-       REQUIRE(DNS_ZONE_VALID(zone));
-
-       /*
-        * If checking during reconfig, the zone is not yet updated
-        * with the new kasp configuration, so only check the key
-        * files.
-        */
-       if (reconfig) {
-               return (statefile_exist(zone));
-       }
-
-       if (zone->kasp == NULL) {
-               return (false);
-       }
-       if (strcmp(dns_kasp_getname(zone->kasp), "none") != 0) {
-               return (false);
-       }
-       /*
-        * "dnssec-policy none", but if there are key state files
-        * this zone used to be secure but is transitioning back to
-        * insecure.
-        */
-       return (statefile_exist(zone));
-}
-
-bool
-dns_zone_use_kasp(dns_zone_t *zone) {
-       dns_kasp_t *kasp = dns_zone_getkasp(zone);
-
-       if (kasp == NULL) {
-               return (false);
-       } else if (strcmp(dns_kasp_getname(kasp), "none") != 0) {
-               return (true);
-       }
-       return dns_zone_secure_to_insecure(zone, false);
-}
-
 void
 dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
        REQUIRE(DNS_ZONE_VALID(zone));
@@ -6793,7 +6717,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
        unsigned int i, j;
        bool use_kasp = false;
 
-       if (dns_zone_use_kasp(zone)) {
+       if (dns_zone_getkasp(zone) != NULL) {
                check_ksk = false;
                keyset_kskonly = true;
                use_kasp = true;
@@ -7311,7 +7235,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
                dns_rdata_reset(&rdata);
        }
 
-       if (dns_zone_use_kasp(zone)) {
+       if (dns_zone_getkasp(zone) != NULL) {
                dns_kasp_key_t *kkey;
                int zsk_count = 0;
                bool approved;
@@ -7523,7 +7447,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
                } else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
                                                         inception, &when)) {
                        /* Only applies to dnssec-policy. */
-                       if (dns_zone_use_kasp(zone)) {
+                       if (dns_zone_getkasp(zone) != NULL) {
                                goto next_rdataset;
                        }
                }
@@ -9262,7 +9186,7 @@ zone_sign(dns_zone_t *zone) {
        signing = ISC_LIST_HEAD(zone->signing);
        first = true;
 
-       if (dns_zone_use_kasp(zone)) {
+       if (dns_zone_getkasp(zone) != NULL) {
                check_ksk = false;
                keyset_kskonly = true;
                use_kasp = true;
@@ -16659,7 +16583,7 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
                         * Allow DNSSEC records with dnssec-policy.
                         * WMM: Perhaps add config option for it.
                         */
-                       if (!dns_zone_use_kasp(zone)) {
+                       if (dns_zone_getkasp(zone) == NULL) {
                                dns_rdataset_disassociate(&rdataset);
                                continue;
                        }
@@ -19961,7 +19885,7 @@ zone_rekey(dns_zone_t *zone) {
        dns__zonediff_t zonediff;
        bool commit = false, newactive = false;
        bool newalg = false;
-       bool fullsign, use_kasp;
+       bool fullsign;
        dns_ttl_t ttl = 3600;
        const char *dir = NULL;
        isc_mem_t *mctx = NULL;
@@ -20035,7 +19959,6 @@ zone_rekey(dns_zone_t *zone) {
        fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
 
        kasp = dns_zone_getkasp(zone);
-       use_kasp = dns_zone_use_kasp(zone);
        if (kasp != NULL) {
                LOCK(&kasp->lock);
        }
@@ -20048,10 +19971,14 @@ zone_rekey(dns_zone_t *zone) {
                           isc_result_totext(result));
        }
 
-       if (use_kasp && (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
+       if (kasp != NULL &&
+           (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
                result = dns_keymgr_run(&zone->origin, zone->rdclass, dir, mctx,
                                        &keys, kasp, now, &nexttime);
                if (result != ISC_R_SUCCESS) {
+                       if (kasp != NULL) {
+                               UNLOCK(&kasp->lock);
+                       }
                        dnssec_log(zone, ISC_LOG_ERROR,
                                   "zone_rekey:dns_dnssec_keymgr failed: %s",
                                   isc_result_totext(result));
@@ -20064,12 +19991,17 @@ zone_rekey(dns_zone_t *zone) {
        }
 
        if (result == ISC_R_SUCCESS) {
+               bool cds_delete = false;
+               isc_stdtime_t when;
+
                /*
                 * Publish CDS/CDNSKEY DELETE records if the zone is
                 * transitioning from secure to insecure.
                 */
-               bool cds_delete = dns_zone_secure_to_insecure(zone, false);
-               isc_stdtime_t when;
+               if (kasp != NULL &&
+                   strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
+                       cds_delete = true;
+               }
 
                /*
                 * Only update DNSKEY TTL if we have a policy.
@@ -20329,7 +20261,7 @@ zone_rekey(dns_zone_t *zone) {
        /*
         * If keymgr provided a next time, use the calculated next rekey time.
         */
-       if (use_kasp) {
+       if (kasp != NULL) {
                isc_time_t timenext;
                uint32_t nexttime_seconds;
 
index 5b458473ca539db0efac84cf303c9dd007c3e785..8a119fb612166cbd72d10222348795b3aed35732 100644 (file)
@@ -326,9 +326,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
                        }
                }
                INSIST(!(dns_kasp_keylist_empty(kasp)));
-       } else if (strcmp(kaspname, "none") == 0) {
-               /* "dnssec-policy none": key list must be empty */
-               INSIST(strcmp(kaspname, "none") == 0);
+       } else if (strcmp(kaspname, "insecure") == 0) {
+               /* "dnssec-policy insecure": key list must be empty */
+               INSIST(strcmp(kaspname, "insecure") == 0);
                INSIST(dns_kasp_keylist_empty(kasp));
        } else {
                /* No keys clause configured, use the "default". */