]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Delete CDS/CDNSKEY records when zone is unsigned
authorMatthijs Mekking <matthijs@isc.org>
Wed, 17 Mar 2021 09:04:00 +0000 (10:04 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Mon, 22 Mar 2021 09:30:59 +0000 (10:30 +0100)
CDS/CDNSKEY DELETE records are only useful if they are signed,
otherwise the parent cannot verify these RRsets anyway. So once the DS
has been removed (and signaled to BIND), we can remove the DNSKEY and
RRSIG records, and at this point we can also remove the CDS/CDNSKEY
records.

bin/tests/system/kasp/tests.sh
lib/dns/zone.c

index 43343e187963bbb300a9a83777558890299f1727..05025e5af254a80d7710f87d080c571dc0b3e29a 100644 (file)
@@ -3623,8 +3623,6 @@ check_next_key_event 93600
 set_zone "step2.going-insecure.kasp"
 set_policy "none" "2" "7200"
 set_server "ns6" "10.53.0.6"
-# Expect a CDS/CDNSKEY Delete Record.
-set_cdsdelete
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
 # This means the DNSKEY and the KSK signatures can be removed.
@@ -3693,8 +3691,6 @@ set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
 set_policy "none" "2" "7200"
 set_server "ns6" "10.53.0.6"
-# Expect a CDS/CDNSKEY Delete Record.
-set_cdsdelete
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
 # This means the DNSKEY and the KSK signatures can be removed.
index 6083b058e6bed0e166380a47f83cc1568a15ff41..4f98f38a6a8b1ed76e11a16a2aa0d527e2ccdf3d 100644 (file)
@@ -20123,7 +20123,12 @@ zone_rekey(dns_zone_t *zone) {
        }
 
        if (result == ISC_R_SUCCESS) {
-               bool insecure = dns_zone_secure_to_insecure(zone, false);
+               /*
+                * Publish CDS/CDNSKEY DELETE records if the zone is
+                * transitioning from secure to insecure.
+                */
+               bool cds_delete = dns_zone_secure_to_insecure(zone, false);
+               isc_stdtime_t when;
 
                /*
                 * Only update DNSKEY TTL if we have a policy.
@@ -20160,9 +20165,36 @@ zone_rekey(dns_zone_t *zone) {
                        goto failure;
                }
 
+               if (cds_delete) {
+                       /*
+                        * Only publish CDS/CDNSKEY DELETE records if there is
+                        * a KSK that can be used to verify the RRset. This
+                        * means there must be a key with the KSK role that is
+                        * published and is used for signing.
+                        */
+                       cds_delete = false;
+                       for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
+                            key = ISC_LIST_NEXT(key, link)) {
+                               dst_key_t *dstk = key->key;
+                               bool ksk = false;
+                               (void)dst_key_getbool(dstk, DST_BOOL_KSK, &ksk);
+                               if (!ksk) {
+                                       continue;
+                               }
+
+                               if (dst_key_haskasp(dstk) &&
+                                   dst_key_is_published(dstk, now, &when) &&
+                                   dst_key_is_signing(dstk, DST_BOOL_KSK, now,
+                                                      &when))
+                               {
+                                       cds_delete = true;
+                                       break;
+                               }
+                       }
+               }
                result = dns_dnssec_syncdelete(&cdsset, &cdnskeyset,
                                               &zone->origin, zone->rdclass,
-                                              ttl, &diff, mctx, insecure);
+                                              ttl, &diff, mctx, cds_delete);
                if (result != ISC_R_SUCCESS) {
                        dnssec_log(zone, ISC_LOG_ERROR,
                                   "zone_rekey:couldn't update CDS/CDNSKEY "