reject the use of trusted-keys and managed-keys for the same name
authorEvan Hunt <each@isc.org>
Thu, 7 Feb 2019 23:10:41 +0000 (15:10 -0800)
committerEvan Hunt <each@isc.org>
Wed, 8 May 2019 05:02:37 +0000 (22:02 -0700)
bin/tests/system/checkconf/bad-duplicate-key.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-duplicate-root-key.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-validation-auto-key.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-dup-managed-key.conf [new file with mode: 0644]
bin/tests/system/checkconf/good-dup-trusted-key.conf [new file with mode: 0644]
bin/tests/system/checkconf/tests.sh
bin/tests/system/mkeys/README
lib/bind9/check.c

diff --git a/bin/tests/system/checkconf/bad-duplicate-key.conf b/bin/tests/system/checkconf/bad-duplicate-key.conf
new file mode 100644 (file)
index 0000000..92d5231
--- /dev/null
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       dnssec-validation yes;
+};
+
+managed-keys {
+       example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+               25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+               tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+               kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+               fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+               WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+               NQyrszHhWUU=";
+};
+
+trusted-keys {
+       example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+               y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+               YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+               2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+               E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+               Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+               6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
new file mode 100644 (file)
index 0000000..1e72ad4
--- /dev/null
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       dnssec-validation yes;
+};
+
+managed-keys {
+       . initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+               25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+               tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+               kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+               fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+               WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+               NQyrszHhWUU=";
+};
+
+trusted-keys {
+       . 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+               y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+               YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+               2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+               E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+               Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+               6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-validation-auto-key.conf b/bin/tests/system/checkconf/bad-validation-auto-key.conf
new file mode 100644 (file)
index 0000000..31a6e82
--- /dev/null
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       dnssec-validation auto;
+};
+
+trusted-keys {
+       . 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+               y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+               YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+               2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+               E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+               Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+               6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf
new file mode 100644 (file)
index 0000000..38533fc
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       dnssec-validation yes;
+};
+
+managed-keys {
+       example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+               25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+               tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+               kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+               fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+               WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+               NQyrszHhWUU=";
+       example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+               y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+               YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+               2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+               E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+               Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+               6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bin/tests/system/checkconf/good-dup-trusted-key.conf
new file mode 100644 (file)
index 0000000..fc344ba
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       dnssec-validation yes;
+};
+
+trusted-keys {
+       example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+               25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+               tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+               kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+               fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+               WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+               NQyrszHhWUU=";
+       example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+               y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+               YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+               2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+               E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+               Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+               6zqCkwuMmrU=";
+};
index fa6c4da16bcb96440bddca342a923e20e5f4ebe9..9bb9c05f85d926f5bab379b78671bdb4057089f3 100644 (file)
@@ -387,7 +387,8 @@ grep "trusted-key for root from 2010 without updated" checkconf.out$n > /dev/nul
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
-echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
+n=`expr $n + 1`
+echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
 ret=0
 $CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
 [ -s checkconf.out$n ] && ret=1
index 07910cbb6ea6e560dcc629fbae10e327b893c855..6a4fd4e19510818f63122b84ac290366477c12ed 100644 (file)
@@ -22,3 +22,7 @@ root server, causing key refresh queries to fail.
 
 ns6 is a validator which has unsupported algorithms, one at start up,
 one because of an algorithm rollover.
+
+ns7 is a validator with multiple views configured.  It is used for
+testing per-view rndc commands and checking interactions between options
+related to and potentially affecting RFC 5011 processing.
index 1d7a3d4a3be0d239136a28fd822e2ed2a46da998..aaa625df8af2fc00a0bd0781c54d8697c221a1a5 100644 (file)
@@ -39,6 +39,7 @@
 #include <dns/acl.h>
 #include <dns/dnstap.h>
 #include <dns/fixedname.h>
+#include <dns/rbt.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
 #include <dns/rrl.h>
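Review bot: The added `#include <dns/rbt.h>` does not appear to be used by anything this commit introduces; the new check_ta_conflicts() keys its name table with isc_symtab and dns_name_format, and no `dns_rbt_*` call is visible in the patch. If nothing else in check.c needs it, drop the include, otherwise leave a short comment on the helper that does so the dependency is not silently carried forward.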
@@ -3263,6 +3264,118 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
        return (result);
 }
 
+/*
+ * Check for conflicts between trusted-keys and managed-keys.
+ */
+static isc_result_t
+check_ta_conflicts(const cfg_obj_t *mkeys, const cfg_obj_t *tkeys,
+                  bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx)
+{
+       isc_result_t result = ISC_R_SUCCESS, tresult;
+       const cfg_listelt_t *elt = NULL, *elt2 = NULL;
+       dns_fixedname_t fixed;
+       dns_name_t *name;
+       const cfg_obj_t *obj;
+       const char *str;
+       isc_symtab_t *symtab = NULL;
+       isc_symvalue_t symvalue;
+       char namebuf[DNS_NAME_FORMATSIZE];
+       const char *file;
+       unsigned int line;
+
+       name = dns_fixedname_initname(&fixed);
+
+       result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
+       if (result != ISC_R_SUCCESS) {
+               goto cleanup;
+       }
+
+       for (elt = cfg_list_first(mkeys);
+            elt != NULL;
+            elt = cfg_list_next(elt))
+       {
+               const cfg_obj_t *keylist = cfg_listelt_value(elt);
+               for (elt2 = cfg_list_first(keylist);
+                    elt2 != NULL;
+                    elt2 = cfg_list_next(elt2))
+               {
+                       obj = cfg_listelt_value(elt2);
+                       str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+                       tresult = dns_name_fromstring(name, str, 0, NULL);
+                       if (tresult != ISC_R_SUCCESS) {
+                               /* already reported */
+                               continue;
+                       }
+
+                       dns_name_format(name, namebuf, sizeof(namebuf));
+                       symvalue.as_cpointer = obj;
+                       tresult = isc_symtab_define(symtab, namebuf, 1,
+                                                  symvalue,
+                                                  isc_symexists_reject);
+                       if (tresult != ISC_R_SUCCESS &&
+                           tresult != ISC_R_EXISTS)
+                       {
+                               result = tresult;
+                               continue;
+                       }
+               }
+       }
+
+       for (elt = cfg_list_first(tkeys);
+            elt != NULL;
+            elt = cfg_list_next(elt))
+       {
+               const cfg_obj_t *keylist = cfg_listelt_value(elt);
+               for (elt2 = cfg_list_first(keylist);
+                    elt2 != NULL;
+                    elt2 = cfg_list_next(elt2))
+               {
+                       obj = cfg_listelt_value(elt2);
+                       str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+                       result = dns_name_fromstring(name, str, 0, NULL);
+                       if (result != ISC_R_SUCCESS) {
+                               /* already reported */
+                               continue;
+                       }
+
+                       if (autovalidation &&
+                           dns_name_equal(name, dns_rootname))
+                       {
+                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                           "trusted-keys for root zone "
+                                           "cannot be used with "
+                                           "'dnssec-validation auto'.");
+                               result = ISC_R_FAILURE;
+                               continue;
+                       }
+
+                       dns_name_format(name, namebuf, sizeof(namebuf));
+                       tresult = isc_symtab_lookup(symtab, namebuf, 1,
+                                                  &symvalue);
+                       if (tresult == ISC_R_SUCCESS) {
+                               file = cfg_obj_file(symvalue.as_cpointer);
+                               line = cfg_obj_line(symvalue.as_cpointer);
+                               if (file == NULL) {
+                                       file = "<unknown file>";
+                               }
+                               cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                           "trusted-keys and managed-keys "
+                                           "cannot be used for the "
+                                           "same name.  managed-key defined "
+                                           "(%s:%u)", file, line);
+
+                               result = ISC_R_FAILURE;
+                       }
+               }
+       }
+
+ cleanup:
+       if (symtab != NULL) {
+               isc_symtab_destroy(&symtab);
+       }
+       return (result);
+}
+
 typedef enum {
        special_zonetype_rpz,
        special_zonetype_catz
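Review bot: In the trusted-keys loop the line `result = dns_name_fromstring(name, str, 0, NULL);` writes the scratch status into the function's return value, so a conflict already recorded on an earlier entry (`result = ISC_R_FAILURE` after either cfg_obj_log) is overwritten with ISC_R_SUCCESS as soon as a later entry parses cleanly and does not collide; the error is logged but check_ta_conflicts() returns success and the configuration is accepted. The managed-keys loop above uses `tresult` for the same call, and this loop should too: `tresult = dns_name_fromstring(name, str, 0, NULL);` followed by `if (tresult != ISC_R_SUCCESS) {`. The new fixtures each carry a single trusted-keys entry, so a bad-*.conf with the conflicting entry listed before a non-conflicting one would be needed to exercise this. The symtab is created with isc_symexists_reject and ISC_R_EXISTS is deliberately ignored, which is consistent with good-dup-managed-key.conf being accepted; a one-line comment saying so, `/* duplicate managed-keys for one name are allowed; only the first is recorded */`, would keep the next reader from "fixing" it.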
@@ -3404,7 +3517,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
               isc_log_t *logctx, isc_mem_t *mctx)
 {
        const cfg_obj_t *zones = NULL;
-       const cfg_obj_t *keys = NULL;
+       const cfg_obj_t *keys = NULL, *tkeys = NULL, *mkeys = NULL;
 #ifndef HAVE_DLOPEN
        const cfg_obj_t *dyndb = NULL;
 #endif
@@ -3417,6 +3530,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        const cfg_obj_t *options = NULL;
        const cfg_obj_t *opts = NULL;
        const cfg_obj_t *plugin_list = NULL;
+       bool autovalidation = false;
        unsigned int tflags, mflags;
 
        /*
@@ -3570,14 +3684,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        /*
         * Check trusted-keys and managed-keys.
         */
-       keys = NULL;
+       tkeys = NULL;
        if (voptions != NULL)
-               (void)cfg_map_get(voptions, "trusted-keys", &keys);
-       if (keys == NULL)
-               (void)cfg_map_get(config, "trusted-keys", &keys);
+               (void)cfg_map_get(voptions, "trusted-keys", &tkeys);
+       if (tkeys == NULL)
+               (void)cfg_map_get(config, "trusted-keys", &tkeys);
 
        tflags = 0;
-       for (element = cfg_list_first(keys);
+       for (element = cfg_list_first(tkeys);
             element != NULL;
             element = cfg_list_next(element))
        {
@@ -3594,33 +3708,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        }
 
        if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
                            "trusted-key for root from 2010 without updated "
                            "trusted-key from 2017: THIS WILL FAIL AFTER "
                            "KEY ROLLOVER");
        }
 
        if ((tflags & DLV_KSK_KEY) != 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
                            "trusted-key for dlv.isc.org still present; "
                            "dlv.isc.org has been shut down");
        }
 
-       keys = NULL;
+       mkeys = NULL;
        if (voptions != NULL)
-               (void)cfg_map_get(voptions, "managed-keys", &keys);
-       if (keys == NULL)
-               (void)cfg_map_get(config, "managed-keys", &keys);
+               (void)cfg_map_get(voptions, "managed-keys", &mkeys);
+       if (mkeys == NULL)
+               (void)cfg_map_get(config, "managed-keys", &mkeys);
 
        mflags = 0;
-       for (element = cfg_list_first(keys);
+       for (element = cfg_list_first(mkeys);
             element != NULL;
             element = cfg_list_next(element))
        {
                const cfg_obj_t *keylist = cfg_listelt_value(element);
                for (element2 = cfg_list_first(keylist);
                     element2 != NULL;
-                    element2 = cfg_list_next(element2)) {
+                    element2 = cfg_list_next(element2))
+               {
                        obj = cfg_listelt_value(element2);
                        tresult = check_trusted_key(obj, true, &mflags,
                                                    logctx);
@@ -3630,13 +3745,13 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        }
 
        if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
                            "managed-key for root from 2010 without updated "
                            "managed-key from 2017");
        }
 
        if ((mflags & DLV_KSK_KEY) != 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
                            "managed-key for dlv.isc.org still present; "
                            "dlv.isc.org has been shut down");
        }
@@ -3644,11 +3759,28 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
            (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
        {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
                            "both trusted-keys and managed-keys for the ICANN "
                            "root are present");
        }
 
+       obj = NULL;
+       if (voptions != NULL) {
+               (void)cfg_map_get(voptions, "dnssec-validation", &obj);
+       }
+       if (obj == NULL && options != NULL) {
+               (void)cfg_map_get(options, "dnssec-validation", &obj);
+       }
+       if (obj != NULL && !cfg_obj_isboolean(obj)) {
+               autovalidation = true;
+       }
+
+       tresult = check_ta_conflicts(mkeys, tkeys,
+                                    autovalidation, mctx, logctx);
+       if (tresult != ISC_R_SUCCESS) {
+               result = tresult;
+       }
+
        /*
         * Check options.
         */