1942. [bug] If the name of a DNSKEY match that of one in
authorMark Andrews <marka@isc.org>
Mon, 5 Dec 2005 00:00:03 +0000 (00:00 +0000)
committerMark Andrews <marka@isc.org>
Mon, 5 Dec 2005 00:00:03 +0000 (00:00 +0000)
                        trusted-keys, do not attempt to validate the DNSKEY
                        using the parent's DS RRset. [RT #15649]

CHANGES
doc/arm/Bv9ARM-book.xml
lib/dns/include/dns/keytable.h
lib/dns/keytable.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index cb760f4e3e42201a82d3767c91d32ba7164235bc..cd42e11d185370fbc0024b2b3c05d0e6d0b105d6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1942.  [bug]           If the name of a DNSKEY match that of one in
+                       trusted-keys do not attempt to validate the DNSKEY
+                       using the parents DS RRset. [RT #15649]
+
 1941.  [bug]           ncache_adderesult() should set eresult even if no
                        rdataset is passed to it. [RT #15642]
 
index 03dfbcc76bb074fd96aa2a8e256ad34ce0bd036a..a40180a0c45edbab8aa241ccd10d936b043c8152 100644 (file)
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.39 2005/11/03 00:57:58 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.40 2005/12/05 00:00:03 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -2410,19 +2410,95 @@ allow-update { key host1-host2. ;};
       <sect2>
         <title>Configuring Servers</title>
 
-        <para>
-          Unlike <acronym>BIND</acronym> 8,
-          <acronym>BIND</acronym> 9 does not verify signatures on
-          load,
-          so zone keys for authoritative zones do not need to be specified
-          in the configuration file.
+       <para>
+         To enable <command>named</command> to respond appropriately
+         to DNS requests from DNSSEC aware clients
+         <command>dnssec-enable</command> must be set to yes.
         </para>
 
-        <para>
-          The public key for any security root must be present in
-          the configuration file's <command>trusted-keys</command>
-          statement, as described later in this document.
+       <para>
+         To enable <command>named</command> to validate answers from
+         other servers both <command>dnssec-enable</command> and
+         <command>dnssec-validate</command> must be set and some
+         some <command>trusted-keys</command> must be configured
+         into <filename>named.conf</filename>.
         </para>
+         
+       <para>
+         <command>trusted-keys</command> are copies of DNSKEY RRs
+         for zones that are used to form the first link the the
+         cryptographic chain of trust.  All keys listed in
+         <command>trusted-keys</command> (and corresponding zones)
+         are deemed to exist and only the listed keys will be used
+         to validated the DNSKEY RRset that they are from.
+       </para>
+
+       <para>
+         <command>trusted-keys</command> are described in more detail
+         later in this document.
+       </para>
+
+       <para>
+         Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
+         9 does not verify signatures on load, so zone keys for
+         authoritative zones do not need to be specified in the
+         configuration file.
+       </para>
+
+       <para>
+         After DNSSEC gets established, a typical DNSSEC configuration
+         will look something like the following.  It has a one or
+         more public keys for the root.  This allows answers from
+         outside the organization to be validated.  It will also
+         have several keys for parts of the namespace the organization
+         controls.  These are here to ensure that named is immune
+         to compromises in the DNSSEC components of the security
+         of parent zones.
+       </para>
+
+<programlisting>
+trusted-keys {
+
+       /* Root Key */
+"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
+            E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
+            zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
+            MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
+            /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
+            iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
+            Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+
+/* Key for out organizations forward zone */
+example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
+                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
+                     OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
+                     lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
+                     8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
+                     iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
+                     SCThlHf3xiYleDbt/o1OTQ09A0=";
+
+/* Key for our reverse zone. */
+2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
+                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
+                               tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
+                               yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
+                               4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
+                               zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
+                               7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
+                               52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+};
+
+options {
+       ...
+       dnssec-enable yes;
+       dnssec-validation yes;
+};
+</programlisting>
+
+       <note>
+         None of the keys listed in this example are valid.  In particular
+         the root key is not valid.
+       </note>
 
       </sect2>
 
@@ -7577,34 +7653,36 @@ query-source-v6 address * port *;
 </programlisting>
 
         </sect2>
-        <sect2>
-          <title><command>trusted-keys</command> Statement Definition
-            and Usage</title>
-          <para>
-            The <command>trusted-keys</command> statement defines DNSSEC
-            security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A
-            security root is defined when the public key for a
-            non-authoritative
-            zone is known, but cannot be securely obtained through DNS, either
-            because it is the DNS root zone or because its parent zone is
-            unsigned.
-            Once a key has been configured as a trusted key, it is treated as
-            if it had been validated and proven secure. The resolver attempts
-            DNSSEC validation on all DNS data in subdomains of a security
-            root.
+       <sect2>
+         <title><command>trusted-keys</command> Statement Definition
+           and Usage</title>
+         <para>
+           The <command>trusted-keys</command> statement defines
+           DNSSEC security roots. DNSSEC is described in <xref
+           linkend="DNSSEC"/>. A security root is defined when the
+           public key for a non-authoritative zone is known, but
+           cannot be securely obtained through DNS, either because
+           it is the DNS root zone or because its parent zone is
+           unsigned.  Once a key has been configured as a trusted
+           key, it is treated as if it had been validated and
+           proven secure. The resolver attempts DNSSEC validation
+           on all DNS data in subdomains of a security root.
          </para>
          <para>
-           All zones listed in <command>trusted-keys</command> are deemed
-           to exist regardless of what parent zones say.
+           All keys (and corresponding zones) listed in
+           <command>trusted-keys</command> are deemed to exist regardless
+           of what parent zones say.  Similarly for all keys listed in
+           <command>trusted-keys</command> only those keys are
+           used to validate the DNSKEY RRset.  The parents DS RRset
+           will not be used.
          </para>
-          <para>
-            The <command>trusted-keys</command> statement can
-            contain
-            multiple key entries, each consisting of the key's domain name,
-            flags, protocol, algorithm, and the Base-64 representation of the
-            key data.
-          </para>
-        </sect2>
+         <para>
+           The <command>trusted-keys</command> statement can contain
+           multiple key entries, each consisting of the key's
+           domain name, flags, protocol, algorithm, and the Base-64
+           representation of the key data.
+         </para>
+       </sect2>
 
         <sect2 id="view_statement_grammar">
           <title><command>view</command> Statement Grammar</title>
index 6c6e449b2995acb6d0e484bdff672933e68fbbd8..b8bfcc148eaadd9eeb64b493a1e01f38bcde63ca 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.11.18.2 2005/04/29 00:16:14 marka Exp $ */
+/* $Id: keytable.h,v 1.11.18.3 2005/12/05 00:00:03 marka Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
@@ -135,7 +135,8 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
                         dns_keynode_t **keynodep);
 /*%<
  * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.
+ * 'keytable'.  This finds the first instance which matches.  Use
+ * dns_keytable_findnextkeynode() to find other instances.
  *
  * Requires:
  *
@@ -148,6 +149,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
  * Returns:
  *
  *\li  ISC_R_SUCCESS
+ *\li  DNS_R_PARTIALMATCH      the name existed in the keytable.
  *\li  ISC_R_NOTFOUND
  *
  *\li  Any other result indicates an error.
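Review bot: The new DNS_R_PARTIALMATCH entry in the Returns list says only that the name existed, which leaves a reader to work out from keytable.c how it differs from ISC_R_NOTFOUND, and the header is the contract callers actually read. Suggest spelling it out: `*\li  DNS_R_PARTIALMATCH      'name' exists in 'keytable' but no key matched 'algorithm' and 'tag'.` The prototype this comment documents starts above the hunk.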
@@ -158,7 +160,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
                                             dns_keynode_t **nextnodep);
 /*%<
  * Search for the next key with the same properties as 'keynode' in
- * 'keytable'.
+ * 'keytable' as found by dns_keytable_findkeynode().
  *
  * Requires:
  *
index 8b3cffa966170267d0c910bb0aefe186904d2958..ec0f8e42b778ca846b1c41a8cbf22f3d3286d65b 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.28.18.3 2005/07/12 01:22:20 marka Exp $ */
+/* $Id: keytable.c,v 1.28.18.4 2005/12/05 00:00:03 marka Exp $ */
 
 /*! \file */
 
@@ -236,6 +236,13 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 
        RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
 
+       /*
+        * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
+        * as that indicates that 'name' was not found.
+        *
+        * DNS_R_PARTIALMATCH indicates that the name was found but we
+        * didn't get a match on algorithm and key id arguments.
+        */
        knode = NULL;
        data = NULL;
        result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
@@ -253,7 +260,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
                        UNLOCK(&keytable->lock);
                        *keynodep = knode;
                } else
-                       result = ISC_R_NOTFOUND;
+                       result = DNS_R_PARTIALMATCH;
        } else if (result == DNS_R_PARTIALMATCH)
                result = ISC_R_NOTFOUND;
 
index c5a3283b39e83b97e7e9b41fa719f7bdb566462a..100f3fa4634a3273841fd92318b1d8c07c025e14 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.18 2005/11/30 04:58:32 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.19 2005/12/05 00:00:03 marka Exp $ */
 
 /*! \file */
 
@@ -1623,12 +1623,14 @@ validatezonekey(dns_validator_t *val) {
        dns_rdata_t keyrdata = DNS_RDATA_INIT;
        dns_rdata_t sigrdata = DNS_RDATA_INIT;
        unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+       char namebuf[DNS_NAME_FORMATSIZE];
        dns_keytag_t keytag;
        dns_rdata_ds_t ds;
        dns_rdata_dnskey_t key;
        dns_rdata_rrsig_t sig;
        dst_key_t *dstkey;
        isc_boolean_t supported_algorithm;
+       isc_boolean_t atsep = ISC_FALSE;
 
        /*
         * Caller must be holding the validator lock.
@@ -1659,6 +1661,9 @@ validatezonekey(dns_validator_t *val) {
                                                          sig.algorithm,
                                                          sig.keyid,
                                                          &keynode);
+                       if (result == DNS_R_PARTIALMATCH ||
+                           result == ISC_R_SUCCESS)
+                               atsep = ISC_TRUE;
                        while (result == ISC_R_SUCCESS) {
                                dstkey = dns_keynode_key(keynode);
                                result = verify(val, dstkey, &sigrdata,
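Review bot: atsep is set from the result of dns_keytable_findkeynode() for each RRSIG's algorithm and keyid, so it records that the name is in trusted-keys only when the DNSKEY RRset carries at least one RRSIG; if the enclosing loop (its start is outside the hunk) walks the set's signatures, an unsigned DNSKEY RRset at a trusted-keys name leaves atsep false and continues to the DS path in the next hunk. That path presumably fails without a signature as well, so this is likely not a bypass, but deriving atsep from a name lookup that does not depend on which signatures are present would make the intent "only listed keys are used at a SEP" hold unconditionally. A comment above the assignment, `/* name is in trusted-keys: the parent's DS must not be used as a fallback */`, would also record why both results set the flag.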
@@ -1697,6 +1702,22 @@ validatezonekey(dns_validator_t *val) {
                                return (DNS_R_NOVALIDDS);
                }
 
+               if (atsep) {
+                       /*
+                        * We have not found a key to verify this DNSKEY
+                        * RRset.  As this is a SEP we have to assume that
+                        * the RRset is invalid.
+                        */
+                       dns_name_format(val->event->name, namebuf,
+                                       sizeof(namebuf));
+                       validator_log(val, ISC_LOG_DEBUG(2),
+                                     "unable to find a DNSKEY which verifies "
+                                     "the DNSKEY RRset and also matches one "
+                                     "of specified trusted-keys for '%s'",
+                                     namebuf);
+                       return (DNS_R_NOVALIDKEY);
+               }
+
                /*
                 * Otherwise, try to find the DS record.
                 */
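Review bot: The new early return logs the failure only at ISC_LOG_DEBUG(2), yet the most likely cause in practice is a stale or mistyped trusted-keys entry that now renders everything below that name bogus, and a validation failure at a configured trust anchor is an event operators need to see without enabling debug logging; consider a more visible level for this message than for routine validation chatter. The message text reads "one of specified trusted-keys"; `"of the specified trusted-keys for '%s'",` reads better. The enclosing function validatezonekey() starts and ends outside the hunk.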