From: Evan Hunt Date: Mon, 31 Jul 2017 17:43:57 +0000 (-0700) Subject: [master] parse numeric domain names correctly X-Git-Tag: v9.12.0a1~158 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=681deaaa398a364ebe6352f1f8afe3db0caee0fc;p=thirdparty%2Fbind9.git [master] parse numeric domain names correctly 4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9) could cause a parser error when reading the policy file. This now works correctly so long as the domain name is quoted. [RT #45641] --- diff --git a/CHANGES b/CHANGES index f1588a547c8..ee2025ff43c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9) + could cause a parser error when reading the policy + file. This now works correctly so long as the domain + name is quoted. [RT #45641] + 4665. [protocol] Added support for ED25519 and ED448 DNSSEC signing algorithms (RFC 8080). (Note: these algorithms depend on code currently in the development branch diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook index e07212160db..3fce31f43c2 100644 --- a/bin/python/dnssec-keymgr.docbook +++ b/bin/python/dnssec-keymgr.docbook @@ -103,125 +103,125 @@ OPTIONS - -c file - - - If is specified, then the DNSSEC - policy is read from . (If not - specified, then the policy is read from - /etc/dnssec-policy.conf; if that file - doesn't exist, a built-in global default policy is used.) - - + -c file + + + If is specified, then the DNSSEC + policy is read from . (If not + specified, then the policy is read from + /etc/dnssec-policy.conf; if that file + doesn't exist, a built-in global default policy is used.) + + - -f - - - Force: allow updating of key events even if they are - already in the past. This is not recommended for use with - zones in which keys have already been published. However, - if a set of keys has been generated all of which have - publication and activation dates in the past, but the - keys have not been published in a zone as yet, then this - option can be used to clean them up and turn them into a - proper series of keys with appropriate rollover intervals. - - + -f + + + Force: allow updating of key events even if they are + already in the past. This is not recommended for use with + zones in which keys have already been published. However, + if a set of keys has been generated all of which have + publication and activation dates in the past, but the + keys have not been published in a zone as yet, then this + option can be used to clean them up and turn them into a + proper series of keys with appropriate rollover intervals. + + - -g keygen-path - - - Specifies a path to a dnssec-keygen binary. - Used for testing. - See also the option. - - + -g keygen-path + + + Specifies a path to a dnssec-keygen binary. + Used for testing. + See also the option. + + - -h - - - Print the dnssec-keymgr help summary - and exit. - - + -h + + + Print the dnssec-keymgr help summary + and exit. + + - -K directory - - - Sets the directory in which keys can be found. Defaults to the - current working directory. - - + -K directory + + + Sets the directory in which keys can be found. Defaults to the + current working directory. + + - -k - - - Only apply policies to KSK keys. - See also the option. - - + -k + + + Only apply policies to KSK keys. + See also the option. + + - -q - - - Quiet: suppress printing of dnssec-keygen - and dnssec-settime. - - + -q + + + Quiet: suppress printing of dnssec-keygen + and dnssec-settime. + + - -r randomdev - - - Specifies a path to a file containing random data. - This is passed to the dnssec-keygen binary - using its option. + -r randomdev + + + Specifies a path to a file containing random data. + This is passed to the dnssec-keygen binary + using its option. - - + + - -s settime-path - - - Specifies a path to a dnssec-settime binary. - Used for testing. - See also the option. - - + -s settime-path + + + Specifies a path to a dnssec-settime binary. + Used for testing. + See also the option. + + - -v - - + -v + + Print the dnssec-keymgr version and exit. - - + + - -z - - - Only apply policies to ZSK keys. - See also the option. - - + -z + + + Only apply policies to ZSK keys. + See also the option. + + @@ -260,6 +260,7 @@ ( ) set policy for a single zone by name. A zone policy can inherit a policy class by including a option. + Zone names beginning with digits (i.e., 0-9) must be quoted. @@ -272,7 +273,7 @@ The key algorithm. If no policy is defined, the default is - RSASHA256. + RSASHA256. @@ -281,21 +282,21 @@ The length of time to ensure that keys will be correct; no action - will be taken to create new keys to be activated after this time. - This can be represented as a number of seconds, or as a duration using + will be taken to create new keys to be activated after this time. + This can be represented as a number of seconds, or as a duration using human-readable units (examples: "1y" or "6 months"). A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. - If no policy is configured, the default is six months. + If no policy is configured, the default is six months. directory - + Specifies the directory in which keys should be stored. - + @@ -306,8 +307,8 @@ Takes two arguments: keytype (eihter "zsk" or "ksk") and size. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is - configured, the default is 1024 bits for DSA keys and 2048 for - RSA. + configured, the default is 1024 bits for DSA keys and 2048 for + RSA. @@ -337,11 +338,11 @@ How long before activation a key should be published. Note: If - is not set, this value is ignored. + is not set, this value is ignored. Takes two arguments: keytype (either "zsk" or "ksk") and a duration. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is - one month. + one month. @@ -353,8 +354,8 @@ Takes two arguments: keytype (eihter "zsk" or "ksk") and a duration. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is - configured, the default is one year for ZSK's. KSK's do not - roll over by default. + configured, the default is one year for ZSK's. KSK's do not + roll over by default. @@ -373,18 +374,18 @@ - Enable scheduling of KSK rollovers using the - and options to - dnssec-keygen and - dnssec-settime. Check the parent zone - (as in dnssec-checkds) to determine when it's - safe for the key to roll. + Enable scheduling of KSK rollovers using the + and options to + dnssec-keygen and + dnssec-settime. Check the parent zone + (as in dnssec-checkds) to determine when it's + safe for the key to roll. - Allow configuration of standby keys and use of the REVOKE bit, - for keys that use RFC 5011 semantics. + Allow configuration of standby keys and use of the REVOKE bit, + for keys that use RFC 5011 semantics. diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in index 9ae3e55427e..2c6fbd6a7b9 100644 --- a/bin/python/isc/policy.py.in +++ b/bin/python/isc/policy.py.in @@ -538,6 +538,16 @@ class dnssec_policy: p[0] = p[1] pass + def p_domain(self, p): + '''domain : STR + | QSTRING + | KEYTYPE + | DATESUFFIX''' + p[0] = p[1].strip() + if not re.match(r'^[\w.-][\w.-]*$', p[0]): + raise PolicyException('invalid domain') + pass + def p_new_policy(self, p): "new_policy :" self.current = Policy() @@ -550,7 +560,7 @@ class dnssec_policy: pass def p_zone_policy(self, p): - "zone_policy : ZONE name new_policy policy_option_group SEMI" + "zone_policy : ZONE domain new_policy policy_option_group SEMI" self.current.name = p[2].rstrip('.') self.current.is_zone = True self.zone_policy[p[2].rstrip('.').lower()] = self.current diff --git a/bin/python/isc/tests/policy_test.py.in b/bin/python/isc/tests/policy_test.py.in index f365cb77666..047449e8de1 100644 --- a/bin/python/isc/tests/policy_test.py.in +++ b/bin/python/isc/tests/policy_test.py.in @@ -78,5 +78,12 @@ class PolicyTest(unittest.TestCase): '(5184000/5184000) combined exceed ' 'rollover period 7776000')) + def test_numeric_zone(self): + pol = policy.dnssec_policy() + pol.load('test-policies/05-numeric-zone.pol') + + p = pol.policy('99example.test', novalidate=True) + self.assertEqual(p.validate(), (True, "")) + if __name__ == "__main__": unittest.main() diff --git a/bin/python/isc/tests/test-policies/05-numeric-zone.pol b/bin/python/isc/tests/test-policies/05-numeric-zone.pol new file mode 100644 index 00000000000..995cf3118dd --- /dev/null +++ b/bin/python/isc/tests/test-policies/05-numeric-zone.pol @@ -0,0 +1,12 @@ +/* + * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +// Zone policy that uses a numeric name +zone "99example.test" { + coverage 6mo; +}; diff --git a/bin/tests/system/keymgr/policy.sample b/bin/tests/system/keymgr/policy.sample index 5d15e547f09..c2607335842 100644 --- a/bin/tests/system/keymgr/policy.sample +++ b/bin/tests/system/keymgr/policy.sample @@ -46,3 +46,10 @@ zone example.com { coverage 5 mon; algorithm nsec3rsasha1; }; + +/* + * This confirms that zones starting with digits are accepted. + */ +zone "99example.com" { + policy global; +};