]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
4847. [bug] dnssec-dnskey-kskonly was not being honoured for
authorMark Andrews <marka@isc.org>
Wed, 13 Dec 2017 01:40:36 +0000 (12:40 +1100)
committerMark Andrews <marka@isc.org>
Wed, 13 Dec 2017 01:40:36 +0000 (12:40 +1100)
                        CDS and CDNSKEY. [RT #46755]

CHANGES
bin/tests/system/dnssec/clean.sh
bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns2/named.conf
bin/tests/system/dnssec/ns2/sign.sh
bin/tests/system/dnssec/tests.sh
lib/dns/update.c
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index 57f1bcfab670e6ec2f2c5853de6ce97abe3a85ba..703b411e3b4f67878f43c7e6bc75decb9299e8a2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4847.  [bug]           dnssec-dnskey-kskonly was not being honoured for
+                       CDS and CDNSKEY. [RT #46755]
+
 4846.  [test]          Adjust timing values in runtime system test. Address
                        named.pid removal races in runtime system test.
                        [RT #46800]
index d4549dc266c21eeb09c42c7d4574edad9f3b50b0..5abf6250b3c47116bc3d7667b9612aad071bd33e 100644 (file)
@@ -28,10 +28,12 @@ rm -f ns1/managed.key.id
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns2/algroll.db
 rm -f ns2/badparam.db ns2/badparam.db.bad
+rm -f ns2/cdnskey-kskonly.secure.db
 rm -f ns2/cdnskey-update.secure.db
-rm -f ns2/cdnskey.secure.db
 rm -f ns2/cdnskey-x.secure.db
+rm -f ns2/cdnskey.secure.db
 rm -f ns2/cds-auto.secure.db ns2/cds-auto.secure.db.jnl
+rm -f ns2/cds-kskonly.secure.db
 rm -f ns2/cds-update.secure.db ns2/cds-update.secure.db.jnl
 rm -f ns2/cds.secure.db ns2/cds-x.secure.db
 rm -f ns2/dlv.db
@@ -52,6 +54,7 @@ rm -f ns3/future.example.db ns3/trusted-future.key
 rm -f ns3/inline.example.db.signed
 rm -f ns3/kskonly.example.db
 rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
+rm -f ns3/managed-future.example.db
 rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
 rm -f ns3/nsec3.nsec3.example.db
 rm -f ns3/nsec3.optout.example.db
@@ -59,6 +62,7 @@ rm -f ns3/optout-unknown.example.db ns3/optout.example.db
 rm -f ns3/optout.nsec3.example.db
 rm -f ns3/optout.optout.example.db
 rm -f ns3/publish-inactive.example.db
+rm -f ns3/revkey.example.db
 rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
 rm -f ns3/secure.below-cname.example.db
 rm -f ns3/secure.nsec3.example.db
@@ -70,8 +74,6 @@ rm -f ns3/split-smart.example.db
 rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
 rm -f ns3/ttlpatch.example.db.patched
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
-rm -f ns3/revkey.example.db
-rm -f ns3/managed-future.example.db
 rm -f ns4/managed-keys.bind*
 rm -f ns4/named.conf
 rm -f ns4/named.conf ns5/named.conf
@@ -82,10 +84,10 @@ rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
 rm -f nsupdate.out*
 rm -f rndc.out.*
 rm -f signer/*.db
+rm -f signer/*.signed.post*
+rm -f signer/*.signed.pre*
 rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
 rm -f signer/nsec3param.out
 rm -f signer/signer.out.*
 rm -f signing.out*
-rm -f signer/*.signed.pre*
-rm -f signer/*.signed.post*
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in
new file mode 100644 (file)
index 0000000..9a70a37
--- /dev/null
@@ -0,0 +1,9 @@
+; Copyright (C) 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 3600
+@      SOA     ns2.example. . 1 3600 1200 86400 1200
+@      NS      ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in
new file mode 100644 (file)
index 0000000..9a70a37
--- /dev/null
@@ -0,0 +1,9 @@
+; Copyright (C) 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 3600
+@      SOA     ns2.example. . 1 3600 1200 86400 1200
+@      NS      ns2.example.
index b76f7f3777ce29ba7b74677123216f337d211039..3a22345d88df63d77fc0cd1ad22dafaf7b8f83fd 100644 (file)
@@ -113,6 +113,13 @@ zone "cds-update.secure" {
        allow-update { any; };
 };
 
+zone "cds-kskonly.secure" {
+       type master;
+       dnssec-dnskey-kskonly yes;
+       file "cds-kskonly.secure.db.signed";
+       allow-update { any; };
+};
+
 zone "cds-auto.secure" {
        type master;
        file "cds-auto.secure.db.signed";
@@ -136,6 +143,13 @@ zone "cdnskey-update.secure" {
        allow-update { any; };
 };
 
+zone "cdnskey-kskonly.secure" {
+       type master;
+       dnssec-dnskey-kskonly yes;
+       file "cdnskey-kskonly.secure.db.signed";
+       allow-update { any; };
+};
+
 zone "cdnskey-auto.secure" {
        type master;
        file "cdnskey-auto.secure.db.signed";
index fb4744d3e43e48bce851ef30c7d1a90c28985ee0..2f26bd0970d4a2553851664496f060fc6004c53b 100644 (file)
@@ -212,6 +212,14 @@ key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
+zone=cds-kskonly.secure
+infile=cds-kskonly.secure.db.in
+zonefile=cds-kskonly.secure.db
+key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+cat $infile $key1.key $key2.key > $zonefile
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+
 zone=cds-auto.secure
 infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
@@ -247,6 +255,14 @@ key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
+zone=cdnskey-kskonly.secure
+infile=cdnskey-kskonly.secure.db.in
+zonefile=cdnskey-kskonly.secure.db
+key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+cat $infile $key1.key $key2.key > $zonefile
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+
 zone=cdnskey-auto.secure
 infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
index 42defc579f9b35e0d05db33e3ef923e33dc7b31f..c76045a2787e79261720e392957b415a3de00037 100644 (file)
@@ -3080,6 +3080,29 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check that CDS records are signed only using KSK when added by"
+echo "I:    nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+(
+echo zone cds-kskonly.secure
+echo server 10.53.0.2 5300
+echo update delete cds-kskonly.secure CDS
+echo send
+$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -C -f - -T 1 cds-kskonly.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 1 || ret=1
+lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 2 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
 ret=0
 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
@@ -3225,6 +3248,26 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check that CDNSKEY records are signed only using KSK when added by"
+echo "I:    nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+(
+echo zone cdnskey-kskonly.secure
+echo server 10.53.0.2 5300
+echo update delete cdnskey-kskonly.secure CDNSKEY
+$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+echo send
+) | $NSUPDATE
+$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 1 || ret=1
+lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking initialization with a revoked managed key ($n)"
 ret=0
 cp ns5/named2.conf ns5/named.conf
index 6cbb4a38de9e1ae076faa4244d9f18895d4aa352..076b2c11854cc13b9af169d53596bb86d9de94b8 100644 (file)
@@ -1137,20 +1137,21 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                }
 
                if (both) {
-                       if (type == dns_rdatatype_dnskey) {
+                       /*
+                        * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+                        */
+                       if (type == dns_rdatatype_dnskey ||
+                           type == dns_rdatatype_cdnskey ||
+                           type == dns_rdatatype_cds)
+                       {
                                if (!KSK(keys[i]) && keyset_kskonly)
                                        continue;
                        } else if (KSK(keys[i])) {
-                               /*
-                                * CDS and CDNSKEY are signed with KSK
-                                * (RFC 7344, 4.1).
-                               */
-                               if (type != dns_rdatatype_cds &&
-                                   type != dns_rdatatype_cdnskey)
-                                       continue;
+                               continue;
                        }
-               } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+               } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
                        continue;
+               }
 
                /* Calculate the signature, creating a RRSIG RDATA. */
                CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
index 221308cda1220df6316f2726835afd816a368fbc..5bf23ad39117c3bc78d3afcc025ca083b51e216b 100644 (file)
@@ -6438,16 +6438,21 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                        }
                }
                if (both) {
+                       /*
+                        * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+                        */
                        if (type == dns_rdatatype_dnskey ||
                            type == dns_rdatatype_cdnskey ||
                            type == dns_rdatatype_cds)
                        {
                                if (!KSK(keys[i]) && keyset_kskonly)
                                        continue;
-                       } else if (KSK(keys[i]))
-                               continue;
-               } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+                       } else if (KSK(keys[i])) {
                                continue;
+                       }
+               } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+                       continue;
+               }
 
                /* Calculate the signature, creating a RRSIG RDATA. */
                isc_buffer_clear(&buffer);