2001. [func] Check the KSK flag when updating a secure dynamic zone.
authorMark Andrews <marka@isc.org>
Mon, 6 Mar 2006 01:27:52 +0000 (01:27 +0000)
committerMark Andrews <marka@isc.org>
Mon, 6 Mar 2006 01:27:52 +0000 (01:27 +0000)
                        New zone option "update-check-ksk yes;".  [RT #15817]

CHANGES
bin/named/config.c
bin/named/named.conf.docbook
bin/named/update.c
bin/named/zoneconf.c
bin/tests/system/dnssec/ns3/sign.sh
doc/arm/Bv9ARM-book.xml
lib/bind9/check.c
lib/dns/dnssec.c
lib/dns/include/dns/zone.h
lib/isccfg/namedconf.c

diff --git a/CHANGES b/CHANGES
index ef65e72a7fb9fa017ad583c80f64be5665b86555..c009a270268afa0bb5ea8f29a0d50d5e6f71a907 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
-2000.  [bug]           memmove()/strtol() fix was incomplete. [#RT 15812]
+2001.  [func]          Check the KSK flag when updating a secure dynamic zone.
+                       New zone option "update-check-ksk yes;".  [RT #15817]
+
+2000.  [bug]           memmove()/strtol() fix was incomplete. [RT #15812]
 
 1999.  [func]          Implement "rrset-order fixed". [RT #13662]
 
index cf9300b262e2e0c1a8304afb61f1aea2638e59b3..1e9b94ff0f6ada4235447cc5a7fb1d732c132273 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.70 2006/03/03 00:43:34 marka Exp $ */
+/* $Id: config.c,v 1.71 2006/03/06 01:27:51 marka Exp $ */
 
 /*! \file */
 
@@ -175,6 +175,7 @@ options {\n\
        check-mx-cname warn;\n\
        check-srv-cname warn;\n\
        zero-no-soa-ttl yes;\n\
+       update-check-ksk yes;\n\
 };\n\
 "
 
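Review bot: The built-in default added here is `update-check-ksk yes;`, so an upgraded server changes how it re-signs any secure dynamic zone that already publishes both KSK-flagged and non-KSK DNSKEYs, with no configuration change on the operator's side; the CHANGES entry in this commit does not say so. Once such a zone is touched by an update, its non-DNSKEY RRsets stop receiving signatures from the KSK (see the skip added to add_sigs in update.c), which is the intended KSK/ZSK split but is worth a sentence in CHANGES or the ARM, along with the note that `update-check-ksk no;` restores the previous behaviour.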
index 091a65988729aa0e62c6664758ad72bd74161611..3bc7561627254c64874c8f62f12268c9cd8a2077 100644 (file)
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.19 2006/01/05 23:45:33 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.20 2006/03/06 01:27:51 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -280,6 +280,7 @@ options {
        allow-transfer { <replaceable>address_match_element</replaceable>; ... };
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+       update-check-ksk <replaceable>boolean</replaceable>;
 
        notify <replaceable>notifytype</replaceable>;
        notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@@ -426,6 +427,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        allow-transfer { <replaceable>address_match_element</replaceable>; ... };
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+       update-check-ksk <replaceable>boolean</replaceable>;
 
        notify <replaceable>notifytype</replaceable>;
        notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@@ -511,6 +513,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
                ( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
                <replaceable>rrtypelist</replaceable>; ...
        };
+       update-check-ksk <replaceable>boolean</replaceable>;
 
        notify <replaceable>notifytype</replaceable>;
        notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
index 8e083dd0d05dcecaf920c47f4ea12bf22474b873..515d753fed5f1a564d0f70d6eabc1450d0cf2372 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.128 2006/03/03 00:43:34 marka Exp $ */
+/* $Id: update.c,v 1.129 2006/03/06 01:27:51 marka Exp $ */
 
 #include <config.h>
 
@@ -31,6 +31,7 @@
 #include <dns/events.h>
 #include <dns/fixedname.h>
 #include <dns/journal.h>
+#include <dns/keyvalues.h>
 #include <dns/message.h>
 #include <dns/nsec.h>
 #include <dns/rdataclass.h>
@@ -1604,6 +1605,44 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
        return (result);
 }
 
+static isc_boolean_t
+ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
+       isc_boolean_t ret = ISC_FALSE;
+       isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
+       isc_result_t result;
+       dns_dbnode_t *node = NULL;
+       dns_rdataset_t rdataset;
+       dns_rdata_t rdata = DNS_RDATA_INIT;
+       dns_rdata_dnskey_t dnskey;
+
+       dns_rdataset_init(&rdataset);
+       CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+       CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+                                  &rdataset, NULL));
+       CHECK(dns_rdataset_first(&rdataset));
+       while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
+               dns_rdataset_current(&rdataset, &rdata);
+               CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+               if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+                                == DNS_KEYOWNER_ZONE) {
+                       if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
+                               have_ksk = ISC_TRUE;
+                       else
+                               have_nonksk = ISC_TRUE;
+               }
+               dns_rdata_reset(&rdata);
+               result = dns_rdataset_next(&rdataset);
+       }
+       if (have_ksk && have_nonksk)
+               ret = ISC_TRUE;
+ failure:
+       if (dns_rdataset_isassociated(&rdataset))
+               dns_rdataset_disassociate(&rdataset);
+       if (node != NULL)
+               dns_db_detachnode(db, &node);
+       return (ret);
+}
+
 /*%
  * Add RRSIG records for an RRset, recording the change in "diff".
  */
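Review bot: ksk_sanity has no header comment, and its fallback is easy to misread: every CHECK failure at L119-L125 (no node, no apex DNSKEY RRset, or a DNSKEY that dns_rdata_tostruct rejects) jumps to `failure` with `ret` still ISC_FALSE, and the caller then signs every RRset with every key without logging why. I would add above the function `/* Return ISC_TRUE only when the apex DNSKEY RRset holds at least one zone key with the KSK flag set and at least one without; any lookup failure yields ISC_FALSE, which makes the caller fall back to signing with all keys. */` and consider a debug-level log on the failure path so an operator can distinguish "no KSK split" from "lookup failed". The `dnskey` struct is filled with a NULL mctx, so no dns_rdata_freestruct is needed; a one-line comment saying so would save the next reader a check.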
@@ -1611,7 +1650,7 @@ static isc_result_t
 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
         dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
         unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-        isc_stdtime_t expire)
+        isc_stdtime_t expire, isc_boolean_t check_ksk)
 {
        isc_result_t result;
        dns_dbnode_t *node = NULL;
@@ -1632,6 +1671,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
        dns_db_detachnode(db, &node);
 
        for (i = 0; i < nkeys; i++) {
+               
+               if (check_ksk && type != dns_rdatatype_dnskey &&
+                   (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
+                       continue;
+               
                /* Calculate the signature, creating a RRSIG RDATA. */
                CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
                                      &inception, &expire,
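Review bot: The two added blank lines at L162 and L166 carry trailing whitespace and leave the skip condition unexplained inside the loop. I would drop them and put `/* With check_ksk, a KSK signs only the DNSKEY RRset. */` directly above the `if` at L163, so the reason for `type != dns_rdatatype_dnskey` is visible where the decision is made. The enclosing loop and function continue outside this hunk.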
@@ -1685,6 +1729,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
        dns_rdata_t rdata = DNS_RDATA_INIT;
        dns_rdataset_t rdataset;
        dns_dbnode_t *node = NULL;
+       isc_boolean_t check_ksk;
 
        dns_diff_init(client->mctx, &diffnames);
        dns_diff_init(client->mctx, &affected);
@@ -1705,6 +1750,17 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
        inception = now - 3600; /* Allow for some clock skew. */
        expire = now + sigvalidityinterval;
 
+       /*
+        * Do we look at the KSK flag on the DNSKEY to determining which
+        * keys sign which RRsets?  First check the zone option then
+        * check the keys flags to make sure atleast one has a ksk set
+        * and one doesn't.
+        */
+       check_ksk = ISC_TF((dns_zone_getoptions(zone) &
+                           DNS_ZONEOPT_UPDATECHECKKSK) != 0);
+       if (check_ksk)
+               check_ksk = ksk_sanity(db, newver);
+
        /*
         * Get the NSEC's TTL from the SOA MINIMUM field.
         */
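Review bot: The comment at L183-L186 has wording slips: `to determining` should be `to determine`, `atleast` `at least`, and `keys flags` `key flags`. It would also help to state that ksk_sanity is evaluated against `newver`, which appears to be the post-update version (the same version add_sigs later signs), so DNSKEY records added or removed by this very update decide whether the KSK rule applies — worth confirming and writing down. Suggested text: `Decide whether the KSK flag on the DNSKEY RRs determines which keys sign which RRsets: the zone option must be set and the apex DNSKEY RRset, as left by this update, must contain at least one KSK and one non-KSK.` update_signatures starts and ends outside this hunk.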
@@ -1764,7 +1820,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
                                CHECK(add_sigs(db, newver, name, type,
                                               &sig_diff, zone_keys, nkeys,
                                               client->mctx, inception,
-                                              expire));
+                                              expire, check_ksk));
                        }
                skip:
                        /* Skip any other updates to the same RRset. */
@@ -1949,7 +2005,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
                } else if (t->op == DNS_DIFFOP_ADD) {
                        CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
                                       &sig_diff, zone_keys, nkeys,
-                                      client->mctx, inception, expire));
+                                      client->mctx, inception, expire,
+                                      check_ksk));
                } else {
                        INSIST(0);
                }
index ad1f6c1823e0310e1320e932b086fdc3f5c37bef..d7cb752f74ae5bc377b6f6c49b01412e14549760 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.131 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: zoneconf.c,v 1.132 2006/03/06 01:27:52 marka Exp $ */
 
 /*% */
 
@@ -720,6 +720,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                        INSIST(0);
                dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
                dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+
+               obj = NULL;
+               result = ns_config_get(maps, "update-check-ksk", &obj);
+               INSIST(result == ISC_R_SUCCESS);
+               dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, 
+                                  cfg_obj_asboolean(obj));
        }
 
        /*
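Review bot: Line L233 ends in trailing whitespace after the comma (`DNS_ZONEOPT_UPDATECHECKKSK, `). The `INSIST(result == ISC_R_SUCCESS)` at L232 turns a missing setting into an assertion abort during zone configuration; that is only safe because the built-in defaults in config.c gain `update-check-ksk yes;` in the same commit, so the two must stay in sync. A short comment such as `/* always present: defaulted by the built-in options in config.c */` next to the INSIST would make that dependency explicit. ns_zone_configure starts and ends outside this hunk.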
index e06cfa96583eb42aaf5d942c6897fe99ea6a544a..68ea50997d3635dec4768c301839ba62b9cf5f1f 100644 (file)
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.20 2006/01/04 00:37:24 marka Exp $
+# $Id: sign.sh,v 1.21 2006/03/06 01:27:52 marka Exp $
 
 RANDFILE=../random.data
 
@@ -43,9 +43,10 @@ zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
 
-cat $infile $keyname.key >$zonefile
+cat $infile $keyname1.key $keyname2.key >$zonefile
 
 $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
 
index 8f44de9b7264ffe9bab6ea1c9b491fa2cd1c3a00..14958e5e702f87b92f8a4c0face496663334f692 100644 (file)
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.296 2006/02/26 22:54:46 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.297 2006/03/06 01:27:52 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -4416,6 +4416,7 @@ category notify { null; };
     <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
@@ -5638,6 +5639,21 @@ options {
                </para>
              </listitem>
            </varlistentry>
+
+           <varlistentry>
+             <term><command>update-check-ksk</command></term>
+             <listitem>
+               <para>
+                 When regenerating the RRSIGs following a UPDATE
+                 request to a secure zone, check the KSK flag on
+                 the DNSKEY RR to determine if this key should be
+                 used to generate the RRSIG.  This flag is ignored
+                 if there are not DNSKEY RRs both with and without
+                 a KSK.  Default yes.
+               </para>
+             </listitem>
+           </varlistentry>
+
           </variablelist>
 
         </sect3>
@@ -8004,6 +8020,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
@@ -8489,6 +8506,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                 </listitem>
               </varlistentry>
 
+             <varlistentry>
+               <term><command>update-check-ksk</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
               <varlistentry>
                 <term><command>database</command></term>
                 <listitem>
index 1d5c6bf8d8d4eaa598532371804a48f53c3a9b1f..cef648a6eba7d3fa6fcd0838c198c13768b85269 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.71 2006/03/03 00:43:35 marka Exp $ */
+/* $Id: check.c,v 1.72 2006/03/06 01:27:52 marka Exp $ */
 
 /*! \file */
 
@@ -933,6 +933,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        { "check-mx-cname", MASTERZONE },
        { "check-srv-cname", MASTERZONE },
        { "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
+       { "update-check-ksk", MASTERZONE },
        };
 
        static optionstable dialups[] = {
index 958f9482d9c20cc7279056917817ca6c4cd1fe3b..83a621831d6dd1edef1a10cf29fe3aa818fe7b9e 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.85 2005/11/30 03:33:49 marka Exp $
+ * $Id: dnssec.c,v 1.86 2006/03/06 01:27:52 marka Exp $
  */
 
 /*! \file */
@@ -520,10 +520,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 isc_result_t
 dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
-                       dns_dbnode_t *node, dns_name_t *name,
-                       const char *directory, isc_mem_t *mctx,
-                       unsigned int maxkeys, dst_key_t **keys,
-                       unsigned int *nkeys)
+                        dns_dbnode_t *node, dns_name_t *name,
+                        const char *directory, isc_mem_t *mctx,
+                        unsigned int maxkeys, dst_key_t **keys,
+                        unsigned int *nkeys)
 {
        dns_rdataset_t rdataset;
        dns_rdata_t rdata = DNS_RDATA_INIT;
index 7d8502e4e57c3e48ccd971b2179225d913f4f267..c2a1bf499a1788dfa762b1fd7115d06ed0304f5a 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.143 2006/02/28 02:39:51 marka Exp $ */
+/* $Id: zone.h,v 1.144 2006/03/06 01:27:52 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -65,6 +65,7 @@ typedef enum {
 #define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U  /*%< ignore MX CNAME check */
 #define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U  /*%< warn on SRV CNAME check */
 #define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U /*%< ignore SRV CNAME check */
+#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U /*%< check dnskey KSK flag */
 
 #ifndef NOMINUM_PUBLIC
 /*
index b4cd481cf29c8a0a5359564c553e093fbc9588a8..84fb1e0b141aec184b0ebe07e3f6edb9c8747e4e 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.66 2006/02/28 02:39:52 marka Exp $ */
+/* $Id: namedconf.c,v 1.67 2006/03/06 01:27:52 marka Exp $ */
 
 /*! \file */
 
@@ -844,6 +844,7 @@ zone_clauses[] = {
        { "check-srv-cname", &cfg_type_checkmode, 0 },
        { "check-sibling", &cfg_type_boolean, 0 },
        { "zero-no-soa-ttl", &cfg_type_boolean, 0 },
+       { "update-check-ksk", &cfg_type_boolean, 0 },
        { NULL, NULL, 0 }
 };