--- 9.12.0b1 released ---
-4773. [bug] Keys specified in "managed-keys" statements
- can now only be used when validating key refresh
- queries during initialization of RFC 5011 key
- maintenance. If initialization fails, DNSSEC
- validation of normal queries will also fail.
- Previously, validation of normal queries could
- succeed using the initializing key, potentially
- masking problems with managed-keys. [RT #46077]
-
4772. [test] Expanded unit testing framework for libns, using
hooks to interrupt query flow and inspect state
at specified locations. [RT #46173]
continue;
}
- CHECK(dns_keytable_add2(secroots, managed,
- managed, &dstkey));
+ CHECK(dns_keytable_add(secroots, managed, &dstkey));
}
}
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"managed-keys-directory '%s' "
- "must be writable and accessible",
- directory);
+ "is not writable", directory);
result = ISC_R_NOPERM;
goto cleanup;
}
if (access(directory, DIR_PERM_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "working directory '%s' must be "
- "writable and accessible", directory);
+ "directory '%s' is not writable",
+ directory);
return (ISC_R_NOPERM);
}
do {
dst_key_t *key = dns_keynode_key(keynode);
- if (key != NULL && !dns_keynode_initial(keynode)) {
+ if (key != NULL) {
name = dst_key_name(key);
if (n < (sizeof(ids)/sizeof(ids[0]))) {
ids[n] = dst_key_id(key);
}
nextnode = NULL;
(void)dns_keytable_nextkeynode(keytable, keynode, &nextnode);
- if (keynode != firstnode) {
+ if (keynode != firstnode)
dns_keytable_detachkeynode(keytable, &keynode);
- }
keynode = nextnode;
} while (keynode != NULL);
- if (n == 0) {
+ if (n == 0)
return;
- }
- if (n > 1) {
+ if (n > 1)
qsort(ids, n, sizeof(ids[0]), cid);
- }
/*
* Encoded as "_ta-xxxx\(-xxxx\)*" where xxxx is the hex version of
r.base = label;
r.length = sizeof(label);;
m = snprintf(r.base, r.length, "_ta");
- if (m < 0 || (unsigned)m > r.length) {
+ if (m < 0 || (unsigned)m > r.length)
return;
- }
isc_textregion_consume(&r, m);
for (i = 0; i < n; i++) {
m = snprintf(r.base, r.length, "-%04x", ids[i]);
- if (m < 0 || (unsigned)m > r.length) {
+ if (m < 0 || (unsigned)m > r.length)
return;
- }
isc_textregion_consume(&r, m);
}
dns_fixedname_init(&fixed);
tatname = dns_fixedname_name(&fixed);
result = dns_name_fromstring2(tatname, label, name, 0, NULL);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS)
return;
- }
dns_name_format(tatname, namebuf, sizeof(namebuf));
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
view->name, namebuf);
tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat));
- if (tat == NULL) {
+ if (tat == NULL)
return;
- }
tat->mctx = NULL;
tat->task = NULL;
if (access(".", DIR_PERM_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "the working directory must be "
- "writable and accessible");
+ "the working directory is not writable");
result = ISC_R_NOPERM;
goto cleanup;
}
ns3 is a validator with a broken key in managed-keys.
-ns4 is a validator with a deliberately broken managed-keys.bind and
-managed-keys.jnl, causing RFC 5011 initialization to fail.
+Tests TODO:
-ns5 is a validator which is prevented from getting a response from the
-root server, causing key refresh queries to fail.
+- initial working KSK
+
+TODO: test using delv with new trusted key too
+
+- introduce a REVOKE bit
+
+- later remove a signature
+
+- corrupt a signature
+
+TODO: also same things with dlv auto updates of trust anchor
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns1/named.conf
-rm -rf ns4/nope
controls { /* empty */ };
-acl allowed {
- ! 10.53.0.5;
- any;
-};
-
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
notify no;
dnssec-enable yes;
dnssec-validation yes;
- allow-query { allowed; };
};
key rndc_key {
controls { /* empty */ };
-acl allowed {
- ! 10.53.0.5;
- any;
-};
-
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
notify no;
dnssec-enable yes;
dnssec-validation yes;
- allow-query { allowed; };
};
key rndc_key {
EOF
' > managed.conf
cp managed.conf ../ns2/managed.conf
-cp managed.conf ../ns4/managed.conf
-cp managed.conf ../ns5/managed.conf
# Configure a trusted key statement (used by delve)
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
--m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40
+++ /dev/null
-/*
- * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-// NS4
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.4;
- notify-source 10.53.0.4;
- transfer-source 10.53.0.4;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.4; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
- dnssec-enable yes;
- dnssec-validation auto;
- bindkeys-file "managed.conf";
- managed-keys-directory "nope";
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "." {
- type hint;
- file "../../common/root.hint";
-};
+++ /dev/null
-/*
- * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-// NS5
-
-options {
- query-source address 10.53.0.5;
- notify-source 10.53.0.5;
- transfer-source 10.53.0.5;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.5; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
- dnssec-enable yes;
- dnssec-validation auto;
- bindkeys-file "managed.conf";
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "." {
- type hint;
- file "../../common/root.hint";
-};
cp ns1/named1.conf ns1/named.conf
cd ns1 && $SHELL sign.sh
-
-cd ../ns4
-mkdir nope
-touch nope/managed-keys.bind
-touch nope/managed.keys.bind.jnl
-chmod 444 nope/*
n=`expr $n + 1`
echo "I: check positive validation with valid trust anchor ($n)"
ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I: check positive validation ($n)"
ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
$SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null
$SETTIME -D now -K ns1 $standby1 > /dev/null
$SETTIME -D now -K ns1 $standby2 > /dev/null
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
sleep 1
$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&-
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
echo "I: check that trust-anchor-telemetry queries are logged ($n)"
ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns3/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo "I: check that trust-anchor-telemetry queries contain the correct key ($n)"
-ret=0
-# convert the hexadecimal key from the TAT query into decimal and
-# compare against the known key.
-tathex=`grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([a-f0-9][a-f0-d]*\)):/\1/'`
-tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex`
-realkey=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots - | grep '; managed' | sed 's#.*SHA256/\([0-9][0-9]*\) ; managed.*#\1#'`
-[ "$tatkey" -eq "$realkey" ] || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo "I: check initialization fails if managed-keys can't be created ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots | sed 's/^/I: ns4 /'
-grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
-grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
-grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo "I: check failure to contact root servers does not prevent key refreshes after restart ($n)"
-ret=0
-# By the time we get here, ns5 should have attempted refreshing its managed
-# keys. These attempts should fail as ns1 is configured to REFUSE all queries
-# from ns5. Note we do not configure ns5 with "-T mkeytimers"; this is to
-# ensure key refresh retry will be scheduled one hour in the future instead of
-# a few seconds in the future, in order to prevent races when ns5 is restarted.
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5
-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
-sleep 2
-# ns5/named.run will contain logs from both the old instance and the new
-# instance. In order for the test to pass, both must attempt a fetch.
-count=`grep -c "Creating key fetch" ns5/named.run`
-[ $count -lt 2 ] && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
options {
query-source address 10.53.0.2;
port 5300;
- pid-file "named2.pid";
+ pid-file "named3.pid";
listen-on { 10.53.0.2; 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::2; };
recursion no;
options {
query-source address 10.53.0.2;
port 5300;
- pid-file "named2.pid";
+ pid-file "named4.pid";
lock-file none;
listen-on { 10.53.0.2; 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::2; };
(cd ns2; $NAMED -c named-alt2.conf -D ns2-extra-2 -X named.lock -m record,size,mctx -d 99 -g -U 4 >> named3.run 2>&1 & )
sleep 2
grep "another named process" ns2/named3.run > /dev/null || ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+[ -s ns2/named3.pid ] && $KILL -15 `cat ns2/named3.pid`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
(cd ns2; $NAMED -c named-alt3.conf -D ns2-extra-3 -m record,size,mctx -d 99 -g -U 4 >> named4.run 2>&1 & )
sleep 2
grep "another named process" ns2/named4.run > /dev/null && ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+[ -s ns2/named4.pid ] && $KILL -15 `cat ns2/named4.pid`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-if [ ! "$CYGWIN" ]; then
- n=`expr $n + 1`
- echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
- ret=0
- cp -f ns2/named-alt4.conf ns2/named.conf
- $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
- grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
- sleep 1
- grep "[^-]directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
-
- n=`expr $n + 1`
- echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
- ret=0
- cp -f ns2/named-alt5.conf ns2/named.conf
- $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
- grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
- sleep 1
- grep "managed-keys-directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
+ret=0
+cp -f ns2/named-alt4.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
- echo "I: kill existing named process"
- [ -s "ns2/named.pid" ] && kill -15 `cat ns2/named.pid`
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
+ret=0
+cp -f ns2/named-alt5.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
- n=`expr $n + 1`
- echo "I: checking that named refuses to start if working directory is not writable ($n)"
- ret=0
- cd ns2
- $NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
- sleep 2
- grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
- cd ..
- [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I: checking that named refuses to start if working directory is not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
+# pidfile could be in either place depending on whether the directory
+# successfully changed.
+[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
+[ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
- n=`expr $n + 1`
- echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
- ret=0
- cd ns2
- $NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
- sleep 2
- grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
- cd ..
- [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
-fi
+n=`expr $n + 1`
+echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
+# pidfile could be in either place depending on whether the directory
+# successfully changed.
+[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
+[ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
are not writable by the effective user ID. [RT #46077]
</para>
</listitem>
- <listitem>
- <para>
- Initializing keys specified in a <command>managed-keys</command>
- statement or by <command>dnssec-validation auto;</command> are
- no longer treated as valid for any use other than validation of
- RFC 5011 initialization queries. The effect of this is that
- DNSSEC validation will fail if RFC 5011 key maintenance
- cannot be initialized: initialization problems will not be
- masked, but will be immediately visible. [RT #46077]
- </para>
- </listitem>
<listitem>
<para>
Previously, <command>update-policy local;</command> accepted
if (result != ISC_R_SUCCESS)
goto cleanup;
- result = dns_keytable_add2(secroots, ISC_FALSE, ISC_FALSE, &dstkey);
+ result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
cleanup:
if (dstkey != NULL)
isc_result_t
dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
- dst_key_t **keyp) ISC_DEPRECATED;
-isc_result_t
-dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed,
- isc_boolean_t initial, dst_key_t **keyp);
+ dst_key_t **keyp);
/*%<
* Add '*keyp' to 'keytable' (using the name in '*keyp').
- * The value of keynode->managed is set to 'managed', and the
- * value of keynode->initial is set to 'initial'. ('initial' should
- * be only used when adding managed-keys from configuration: this
- * indicates a secure root which can be *only* used for validating
- * RFC 5011 key refresh queries, but not for other DNSSEC validation.
- * Once a key refresh query has validated, we update the keynode
- * with inital == ISC_FALSE.)
+ * The value of keynode->managed is set to 'managed'
*
* Notes:
*
* Is this flagged as a managed key?
*/
-isc_boolean_t
-dns_keynode_initial(dns_keynode_t *keynode);
-/*%<
- * Is this flagged as an initializing key?
- */
-
-void
-dns_keynode_trust(dns_keynode_t *keynode);
-/*%<
- * Sets keynode->initial to ISC_FALSE in order mark the key as
- * trusted: no longer an initializing key.
- */
-
isc_result_t
dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
/*%<
isc_refcount_t refcount;
dst_key_t * key;
isc_boolean_t managed;
- isc_boolean_t initial;
struct dns_keynode * next;
};
}
static isc_result_t
-insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
+insert(dns_keytable_t *keytable, isc_boolean_t managed,
const dns_name_t *keyname, dst_key_t **keyp)
{
isc_result_t result;
return (result);
knode->managed = managed;
- knode->initial = initial;
RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
isc_result_t
dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
dst_key_t **keyp)
-{
- return (dns_keytable_add2(keytable, managed, ISC_FALSE, keyp));
-}
-
-isc_result_t
-dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed,
- isc_boolean_t initial, dst_key_t **keyp)
{
REQUIRE(keyp != NULL && *keyp != NULL);
- return (insert(keytable, managed, initial, dst_key_name(*keyp), keyp));
+ return (insert(keytable, managed, dst_key_name(*keyp), keyp));
}
isc_result_t
dns_keytable_marksecure(dns_keytable_t *keytable, const dns_name_t *name) {
- return (insert(keytable, ISC_TRUE, ISC_FALSE, name, NULL));
+ return (insert(keytable, ISC_TRUE, name, NULL));
}
isc_result_t
if (knode->key == NULL)
continue;
dst_key_format(knode->key, pbuf, sizeof(pbuf));
- snprintf(obuf, sizeof(obuf), "%s ; %s%s\n", pbuf,
- knode->initial ? "initializing " : "",
- knode->managed ? "managed" : "trusted");
+ snprintf(obuf, sizeof(obuf), "%s ; %s\n", pbuf,
+ knode->managed ? "managed" : "trusted");
result = putstr(text, obuf);
if (result != ISC_R_SUCCESS)
break;
return (keynode->managed);
}
-isc_boolean_t
-dns_keynode_initial(dns_keynode_t *keynode) {
- /*
- * Is this an initailizing key?
- */
- REQUIRE(VALID_KEYNODE(keynode));
-
- return (keynode->initial);
-}
-
-void
-dns_keynode_trust(dns_keynode_t *keynode) {
- /*
- * This is no longer an initializing key.
- */
- REQUIRE(VALID_KEYNODE(keynode));
-
- keynode->initial = ISC_FALSE;
-}
-
isc_result_t
dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
isc_result_t result;
knode->magic = KEYNODE_MAGIC;
knode->managed = ISC_FALSE;
- knode->initial = ISC_FALSE;
knode->key = NULL;
knode->next = NULL;
/* Add a normal key */
create_key(257, 3, 5, "example.com", keystr1, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
/* Add a null key */
* nextkeynode() should still return NOTFOUND.
*/
create_key(257, 3, 5, "example.com", keystr1, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode), ISC_R_NOTFOUND);
/* Add another key (different keydata) */
dns_keytable_detachkeynode(keytable, &keynode);
create_key(257, 3, 5, "example.com", keystr2, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
&keynode), ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
&null_keynode), ISC_R_SUCCESS);
create_key(257, 3, 5, "null.example", keystr2, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
&keynode), ISC_R_SUCCESS);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
create_key(257, 3, 5, "example", keystr1, &key);
- result = dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key);
+ result = dns_keytable_add(keytable, ISC_FALSE, &key);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_stdtime_get(&now);
if (vresult == ISC_R_SUCCESS)
break;
if (val->keynode != NULL) {
- dst_key_t *key = NULL;
dns_keynode_t *nextnode = NULL;
result = dns_keytable_findnextkeynode(
val->keytable,
val->key = NULL;
break;
}
- key = dns_keynode_key(val->keynode);
- if (key == NULL)
+ val->key = dns_keynode_key(val->keynode);
+ if (val->key == NULL)
break;
- if (dns_keynode_initial(val->keynode)) {
- continue;
- }
- val->key = key;
} else {
if (get_dst_key(val, val->siginfo, val->keyset)
!= ISC_R_SUCCESS)
val->view->acceptexpired);
}
- if (val->keynode != NULL) {
+ if (val->keynode != NULL)
dns_keytable_detachkeynode(val->keytable,
&val->keynode);
- } else {
+ else {
if (val->key != NULL)
dst_key_free(&val->key);
if (val->keyset != NULL) {
&keynode);
break;
}
- if (! dns_keynode_initial(keynode)) {
- result = verify(val, dstkey,
- &sigrdata, sig.keyid);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(
+ result = verify(val, dstkey, &sigrdata,
+ sig.keyid);
+ if (result == ISC_R_SUCCESS) {
+ dns_keytable_detachkeynode(
val->keytable,
&keynode);
- break;
- }
+ break;
}
result = dns_keytable_findnextkeynode(
val->keytable,
*/
static void
trust_key(dns_zone_t *zone, dns_name_t *keyname,
- dns_rdata_dnskey_t *dnskey, isc_boolean_t initial,
- isc_mem_t *mctx)
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
goto failure;
CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
- CHECK(dns_keytable_add2(sr, ISC_TRUE, initial, &dstkey));
+ CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
dns_keytable_detach(&sr);
failure:
/* Add to keytables. */
trusted++;
- trust_key(zone, name, &dnskey,
- ISC_TF(keydata.addhd == 0), mctx);
+ trust_key(zone, name, &dnskey, mctx);
}
if (trusted == 0 && pending != 0) {
case dns_zone_key:
result = sync_keyzone(zone, db);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- }
break;
default:
return (result);
cleanup:
- if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "failed to initialize managed-keys (%s): "
- "DNSSEC validation WILL FAIL",
- isc_result_totext(result));
- }
-
for (inc = ISC_LIST_HEAD(zone->newincludes);
inc != NULL;
- inc = ISC_LIST_HEAD(zone->newincludes))
- {
+ inc = ISC_LIST_HEAD(zone->newincludes)) {
ISC_LIST_UNLINK(zone->newincludes, inc, link);
isc_mem_free(zone->mctx, inc->name);
isc_mem_put(zone->mctx, inc, sizeof(*inc));
dst_key_t *dstkey;
isc_stdtime_t now;
int pending = 0;
- isc_boolean_t secure = ISC_FALSE, initial = ISC_FALSE;
+ isc_boolean_t secure = ISC_FALSE;
isc_boolean_t free_needed;
UNUSED(task);
*/
for (result = dns_rdataset_first(&kfetch->dnskeysigset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->dnskeysigset))
- {
+ result = dns_rdataset_next(&kfetch->dnskeysigset)) {
dns_keynode_t *keynode = NULL;
dns_rdata_reset(&sigrr);
break;
if (dst_key_alg(dstkey) == sig.algorithm &&
- dst_key_id(dstkey) == sig.keyid)
- {
+ dst_key_id(dstkey) == sig.keyid) {
result = dns_dnssec_verify2(keyname,
&kfetch->dnskeyset,
dstkey, ISC_FALSE,
dns_trust_secure;
kfetch->dnskeysigset.trust =
dns_trust_secure;
- secure = ISC_TRUE;
- initial = dns_keynode_initial(keynode);
- dns_keynode_trust(keynode);
break;
}
}
keynode = nextnode;
}
- if (keynode != NULL) {
+ if (keynode != NULL)
dns_keytable_detachkeynode(secroots, &keynode);
- }
- if (secure) {
+ if (kfetch->dnskeyset.trust == dns_trust_secure) {
+ secure = ISC_TRUE;
break;
}
}
* If we were not able to verify the answer using the current
* trusted keys then all we can do is look at any revoked keys.
*/
+
if (!secure) {
dns_zone_log(zone, ISC_LOG_DEBUG(3),
"DNSKEY set for zone '%s' could not be verified "
trustkey = ISC_TRUE;
dns_zone_log(zone, ISC_LOG_INFO,
"Key %d for zone %s "
- "%s: key now trusted",
- keytag, namebuf,
- initial
- ? "initializing key "
- "verified"
- : "acceptance timer "
- "complete");
+ "acceptance timer "
+ "complete: "
+ "key now trusted",
+ keytag, namebuf);
}
} else if (keydata.addhd > now) {
/*
/* Trust this key. */
result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- trust_key(zone, keyname, &dnskey, ISC_FALSE, mctx);
+ trust_key(zone, keyname, &dnskey, mctx);
}
if (secure && !deletekey) {
fail_secure(zone, keyname);
done:
+
if (!ISC_LIST_EMPTY(diff.tuples)) {
/* Write changes to journal file. */
CHECK(update_soa_serial(kfetch->db, ver, &diff, mctx,
}
failure:
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "error during managed-keys processing (%s): "
- "DNSSEC validation may be at risk",
- isc_result_totext(result));
- }
+
dns_diff_clear(&diff);
if (ver != NULL)
dns_db_closeversion(kfetch->db, &ver, commit);
}
/* Acceptance timer expired? */
- if (kd.addhd < now)
+ if (kd.addhd != 0 && kd.addhd < now)
timer = kd.addhd;
/* Or do we just need to refresh the keyset? */
projects / thirdparty / bind9.git / commitdiff
