file "verify-axfr.db.signed";
};
+zone "verify-csk" {
+ type master;
+ file "verify-csk.db.signed";
+};
+
zone "verify-ixfr" {
type master;
file "verify-ixfr.db.signed";
# the "root" zone on ns1.
keys_to_trust="$keys_to_trust $keyname1"
+# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
+# set and add that key to the list of keys to trust.
+zone=verify-csk
+infile=verify.db.in
+zonefile=verify-csk.db
+
+keyname=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
+cat $infile $keyname.key > $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+keys_to_trust="$keys_to_trust $keyname"
+
+# Prepare remaining zones used in the test.
ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
file "verify-axfr.db.mirror";
};
+zone "verify-csk" {
+ type mirror;
+ masters { 10.53.0.2; };
+ file "verify-csk.db.mirror";
+};
+
zone "verify-ixfr" {
type mirror;
masters { 10.53.0.2; };
$DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted KSK DNSKEY found" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_transfer verify-csk
+$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
ret=0
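Review bot: The new check ending at `status=\`expr $status + $ret\`` (the "CSK without the SEP bit set" case) never asserts that the key the mirror zone was signed with actually has the SEP bit clear; the key comes from another hunk's `$KEYGEN -a RSASHA256 $zone`, where only the absence of `-f KSK` makes it a flags-256 key, so a change in keygen defaults would silently turn this into an ordinary KSK test while still passing. Since this check is the one that exercises the relaxed verification (the zone.c hunk now passes `true` where it passed `false`), it is worth pinning the precondition from the served DNSKEY RRset, presuming DIGOPTS leaves the answer section printed as the existing `ANSWER: 0` greps suggest: `$DIG $DIGOPTS @10.53.0.3 +norec verify-csk DNSKEY > dig.out.ns3.dnskey.test$n 2>&1 || ret=1`, `grep "DNSKEY.*256 3" dig.out.ns3.dnskey.test$n > /dev/null || ret=1`, `grep "DNSKEY.*257 3" dig.out.ns3.dnskey.test$n > /dev/null && ret=1`. A one-line comment before the block, `# verify-csk is signed with a single flags-256 (non-SEP) key; see ns2/sign.sh`, would also tell a later reader why this zone is expected to pass where verify-untrusted is rejected. `wait_for_transfer` and `nextpartreset` are defined outside this hunk, so their behaviour is assumed from the surrounding checks.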
origin = dns_db_origin(db);
result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
- zone->mctx, false, false);
+ zone->mctx, true, false);
done:
if (secroots != NULL) {