2785. [bug] Revoked keys could fail to self-sign [RT #20652]
authorEvan Hunt <each@isc.org>
Tue, 24 Nov 2009 03:42:32 +0000 (03:42 +0000)
committerEvan Hunt <each@isc.org>
Tue, 24 Nov 2009 03:42:32 +0000 (03:42 +0000)
CHANGES
bin/dnssec/dnssec-signzone.c
bin/named/update.c
lib/dns/dnssec.c
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index 547ccbebe9c0559dbdb35f16902b24c14e4076ad..55d6b21a31b54eff88088788d83e879cd19853ae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+       --- 9.7.0b3 released ---
+
+2785.  [bug]           Revoked keys could fail to self-sign [RT #20652]
+
 2784.  [bug]           TC was not always being set when required glue was
                        dropped. [RT #20655]
 
@@ -7,8 +11,6 @@
 2782.  [port]          win32: use getaddrinfo() for hostname lookups.
                        [RT #20650]
 
-       --- 9.7.0b3 released ---
-
 2781.  [bug]           Inactive keys could be used for signing. [RT #20649]
 
 2780.  [bug]           dnssec-keygen -A none didn't properly unset the
index 4bc1df205691a75c40e907ff955b1a191472f93d..f31bd751da72d6998fed97576361dd5ff8f507cd 100644 (file)
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.254 2009/11/23 02:55:40 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.255 2009/11/24 03:42:31 each Exp $ */
 
 /*! \file */
 
@@ -2754,6 +2754,7 @@ report(const char *format, ...) {
        va_start(args, format);
        vfprintf(stderr, format, args);
        va_end(args);
+       putc('\n', stderr);
 }
 
 static void
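Review bot: The `putc('\n', stderr)` added to report() makes the trailing newline unconditional, so any caller in this file whose format string still ends in `\n` will now print a blank line; the only format-string changes visible in this commit are the two in lib/dns/dnssec.c (`publish_key`, `remove_key`), so the remaining report() call sites in dnssec-signzone.c should be checked for a trailing newline. report() is presumably also what is passed as the report callback into dns_dnssec_updatekeys(), so the callback contract has changed for every user of that path as well. A one-line comment on the function would pin the contract: `/* Print a diagnostic to stderr; callers pass no trailing newline, it is appended here. */`. report()'s body starts outside the hunk.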
index 4fb9fb0df6ec8458bb4c1c9821ebbfd9019f2b48..68afe207c4799eee55d10d7102c7bb2b7970d42a 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.170 2009/11/23 02:55:41 each Exp $ */
+/* $Id: update.c,v 1.171 2009/11/24 03:42:32 each Exp $ */
 
 #include <config.h>
 
@@ -3928,6 +3928,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
                                memcpy(buf, rdata.data, rdata.length);
                                buf[1] |= DNS_NSEC3FLAG_UPDATE;
                                rdata.data = buf;
+
                                /*
                                 * Force the TTL to zero for NSEC3PARAM records.
                                 */
index 4ecb5044faafc2e8d824ff8d248abfcce52e1800..9e0b6514a19fd686dcf64fc4d7b518225897df79 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.113 2009/11/23 23:48:16 tbox Exp $
+ * $Id: dnssec.c,v 1.114 2009/11/24 03:42:32 each Exp $
  */
 
 /*! \file */
@@ -635,12 +635,41 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                                          DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
                                          directory,
                                          mctx, &keys[count]);
+
+               /*
+                * If the key was revoked and the private file
+                * doesn't exist, maybe it was revoked internally
+                * by named.  Try loading the unrevoked version.
+                */
+               if (result == ISC_R_FILENOTFOUND) {
+                       isc_uint32_t flags;
+                       flags = dst_key_flags(pubkey);
+                       if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+                               dst_key_setflags(pubkey,
+                                                flags & ~DNS_KEYFLAG_REVOKE);
+                               result = dst_key_fromfile(dst_key_name(pubkey),
+                                                         dst_key_id(pubkey),
+                                                         dst_key_alg(pubkey),
+                                                         DST_TYPE_PUBLIC|
+                                                         DST_TYPE_PRIVATE,
+                                                         directory,
+                                                         mctx, &keys[count]);
+                               if (result == ISC_R_SUCCESS &&
+                                   dst_key_pubcompare(pubkey, keys[count],
+                                                      ISC_FALSE)) {
+                                       dst_key_setflags(keys[count], flags);
+                               }
+                               dst_key_setflags(pubkey, flags);
+                       }
+               }
+
                if (result == ISC_R_FILENOTFOUND) {
                        keys[count] = pubkey;
                        pubkey = NULL;
                        count++;
                        goto next;
                }
+
                if (result != ISC_R_SUCCESS)
                        goto failure;
 
@@ -1463,7 +1492,7 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
        RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
 
        dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
-       report("Fetching %s %d/%s from key %s\n",
+       report("Fetching %s %d/%s from key %s.",
               key->ksk ?  (allzsk ?  "KSK/ZSK" : "KSK") : "ZSK",
               dst_key_id(key->key), alg,
               key->source == dns_keysource_user ?  "file" : "repository");
@@ -1502,7 +1531,7 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
        char alg[80];
 
        dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
-       report("Removing %s key %d/%s from DNSKEY RRset.\n",
+       report("Removing %s key %d/%s from DNSKEY RRset.",
               reason, dst_key_id(key->key), alg);
 
        RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
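Review bot: In the new fallback in dns_dnssec_findzonekeys2, `result` stays ISC_R_SUCCESS when the unrevoked key file loads but `dst_key_pubcompare(pubkey, keys[count], ISC_FALSE)` fails, so a private key that does not match the zone's DNSKEY (a tag collision once the REVOKE bit is cleared) remains in keys[count] and passes the `if (result != ISC_R_SUCCESS) goto failure;` check as a usable signing key, unless a check below the hunk rejects it. The mismatch branch should free the loaded key and fall back to the public-only path, as sketched below. The lookup also relies on `dst_key_id(pubkey)` reflecting the cleared REVOKE bit after `dst_key_setflags()`; if that call does not recompute the key tag, the second dst_key_fromfile() asks for the same file as the first and the fallback never loads anything — worth confirming against dst_api.c. The function's body continues on both sides of the hunk.
```c
				if (result == ISC_R_SUCCESS) {
					if (dst_key_pubcompare(pubkey, keys[count],
							       ISC_FALSE)) {
						dst_key_setflags(keys[count], flags);
					} else {
						/* Same tag, different key: never sign with it. */
						dst_key_free(&keys[count]);
						result = ISC_R_FILENOTFOUND;
					}
				}
				dst_key_setflags(pubkey, flags);
```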
index aa4fbd01fabff97b646bcf7c1b396cd14e2e5ee3..a398ab453d96b86cbe03811a069e5066ac949c07 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.531 2009/11/23 02:55:41 each Exp $ */
+/* $Id: zone.c,v 1.532 2009/11/24 03:42:32 each Exp $ */
 
 /*! \file */
 
@@ -4592,6 +4592,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                                continue;
 
                /* Calculate the signature, creating a RRSIG RDATA. */
+               isc_buffer_clear(&buffer);
                CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
                                      &inception, &expire,
                                      mctx, &buffer, &sig_rdata));
@@ -4923,6 +4924,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
                        result = ISC_R_SUCCESS;
                return (result);
        }
+
        dns_rdataset_init(&rdataset);
        isc_buffer_init(&buffer, data, sizeof(data));
        seen_rr = seen_soa = seen_ns = seen_dname = seen_nsec =
@@ -4996,6 +4998,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
                if (signed_with_key(db, node, version, rdataset.type, key))
                        goto next_rdataset;
                /* Calculate the signature, creating a RRSIG RDATA. */
+               isc_buffer_clear(&buffer);
                CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
                                      &expire, mctx, &buffer, &rdata));
                /* Update the database and journal with the RRSIG. */
@@ -6450,7 +6453,8 @@ zone_sign(dns_zone_t *zone) {
                                 * Find the key we want to remove.
                                 */
                                if (ALG(zone_keys[i]) == signing->algorithm &&
-                                   dst_key_id(zone_keys[i]) == signing->keyid) {
+                                   dst_key_id(zone_keys[i]) == signing->keyid)
+                               {
                                        if (KSK(zone_keys[i]))
                                                dst_key_free(&zone_keys[i]);
                                        continue;
@@ -6553,7 +6557,7 @@ zone_sign(dns_zone_t *zone) {
                                                break;
                                }
                        }
-                       if (both)
+                       if (both || REVOKE(zone_keys[i]))
                                is_ksk = KSK(zone_keys[i]);
                        else
                                is_ksk = ISC_FALSE;
@@ -6762,7 +6766,8 @@ zone_sign(dns_zone_t *zone) {
        for (i = 0; i < nkeys; i++)
                dst_key_free(&zone_keys[i]);
 
-       INSIST(node == NULL);
+       if (node != NULL)
+               dns_db_detachnode(db, &node);
 
        if (version != NULL) {
                dns_db_closeversion(db, &version, ISC_FALSE);
@@ -13439,7 +13444,7 @@ zone_rekey(dns_zone_t *zone) {
        dns_dbnode_t *node = NULL;
        dns_dbversion_t *ver = NULL;
        dns_rdataset_t soaset, soasigs, keyset, keysigs;
-       dns_dnsseckeylist_t dnskeys, keys, oldkeys;
+       dns_dnsseckeylist_t dnskeys, keys, rmkeys;
        dns_dnsseckey_t *key;
        dns_diff_t diff;
        isc_boolean_t commit = ISC_FALSE;
@@ -13452,7 +13457,7 @@ zone_rekey(dns_zone_t *zone) {
 
        ISC_LIST_INIT(dnskeys);
        ISC_LIST_INIT(keys);
-       ISC_LIST_INIT(oldkeys);
+       ISC_LIST_INIT(rmkeys);
        dns_rdataset_init(&soaset);
        dns_rdataset_init(&soasigs);
        dns_rdataset_init(&keyset);
@@ -13490,7 +13495,7 @@ zone_rekey(dns_zone_t *zone) {
                isc_boolean_t check_ksk;
                check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 
-               CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &oldkeys,
+               CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
                                            &zone->origin, ttl, &diff,
                                            ISC_TF(!check_ksk), mctx, logmsg));
                if (!ISC_LIST_EMPTY(diff.tuples)) {
@@ -13507,7 +13512,7 @@ zone_rekey(dns_zone_t *zone) {
        dns_db_closeversion(db, &ver, commit);
 
        if (commit) {
-               for (key = ISC_LIST_HEAD(oldkeys);
+               for (key = ISC_LIST_HEAD(rmkeys);
                     key != NULL;
                     key = ISC_LIST_NEXT(key, link)) {
                        zone_signwithkey(zone, dst_key_alg(key->key),
@@ -13539,22 +13544,16 @@ zone_rekey(dns_zone_t *zone) {
                 * key metadata indicates there is a key change event
                 * scheduled in the future, set the key refresh timer.
                 */
-//HERE
-dns_zone_log(zone, ISC_LOG_NOTICE, "1");
                if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
                        break;
-dns_zone_log(zone, ISC_LOG_NOTICE, "2");
 
                result = next_keyevent(key->key, &then);
                if (result != ISC_R_SUCCESS)
                        continue;
-dns_zone_log(zone, ISC_LOG_NOTICE, "3");
 
                isc_time_set(&timethen, then, 0);
                if (isc_time_isepoch(&zone->refreshkeytime) ||
                    isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
-//HERE
-dns_zone_log(zone, ISC_LOG_NOTICE, "setting refreshkeytime to %d\n", then);
                        zone->refreshkeytime = timethen;
                        zone_settimer(zone, &timenow);
                }
@@ -13567,7 +13566,7 @@ dns_zone_log(zone, ISC_LOG_NOTICE, "setting refreshkeytime to %d\n", then);
 
        clear_keylist(&dnskeys, mctx);
        clear_keylist(&keys, mctx);
-       clear_keylist(&oldkeys, mctx);
+       clear_keylist(&rmkeys, mctx);
 
        if (ver != NULL)
                dns_db_closeversion(db, &ver, ISC_FALSE);
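Review bot: The new condition `if (both || REVOKE(zone_keys[i]))` in zone_sign changes which role a revoked key signs with but carries no comment, and the explanation of `both` sits above the hunk, so the reader cannot tell why a revoked key is exempt from the `is_ksk = ISC_FALSE` demotion. A comment stating the intent would help, e.g. `/* A revoked key keeps its declared role: a revoked KSK must still sign the DNSKEY RRset (self-signing) rather than being treated as a ZSK. */` — presumably this is the RT #20652 fix named in the commit title; confirm the wording against the intended behaviour. zone_sign starts and ends outside these hunks.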