From: Tony Finch Date: Wed, 30 Jan 2019 18:25:21 +0000 (+0000) Subject: Deprecate SHA-1 CDS records X-Git-Tag: v9.15.0~6^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=8785f6fa3415471491fac58ca4a5fc06f0db4e30;p=thirdparty%2Fbind9.git Deprecate SHA-1 CDS records This affects CDS records generated by `named` and `dnssec-signzone` based on `-P sync` and `-D sync` key timing instructions. This is for conformance with the DS/CDS algorithm requirements in https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
---
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 4dfa7276fb2..b51f411dacd 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1909,8 +1909,8 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, for (key = ISC_LIST_HEAD(*keys); key != NULL; key = ISC_LIST_NEXT(key, link)) { - dns_rdata_t cdsrdata1 = DNS_RDATA_INIT; - dns_rdata_t cdsrdata2 = DNS_RDATA_INIT; + dns_rdata_t cds_sha1 = DNS_RDATA_INIT; + dns_rdata_t cds_sha256 = DNS_RDATA_INIT; dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT; dns_name_t *origin = dst_key_name(key->key);
@@ -1918,69 +1918,83 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, &cdnskeyrdata)); /* + * We construct the SHA-1 version of the record so we can + * delete any old records generated by previous versions of + * BIND. We only add SHA-256 records. + * * XXXMPA we need to be able to specify the DS algorithms * to be used here and below with rmkeys. */ RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, DNS_DSDIGEST_SHA1, dsbuf1, - &cdsrdata1)); + &cds_sha1)); RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, DNS_DSDIGEST_SHA256, dsbuf2, - &cdsrdata2)); + &cds_sha256)); /* * Now that the we have created the DS records convert * the rdata to CDNSKEY and CDS for comparison. */ cdnskeyrdata.type = dns_rdatatype_cdnskey; - cdsrdata1.type = dns_rdatatype_cds; - cdsrdata2.type = dns_rdatatype_cds; + cds_sha1.type = dns_rdatatype_cds; + cds_sha256.type = dns_rdatatype_cds; if (syncpublish(key->key, now)) { if (!dns_rdataset_isassociated(cdnskey) || !exists(cdnskey, &cdnskeyrdata)) + { RETERR(publish(&cdnskeyrdata, diff, origin, ttl, mctx)); + } + /* Only publish SHA-256 (SHA-1 is deprecated) */ if (!dns_rdataset_isassociated(cds) || - !exists(cds, &cdsrdata1)) - RETERR(publish(&cdsrdata1, diff, origin, - ttl, mctx)); - if (!dns_rdataset_isassociated(cds) || - !exists(cds, &cdsrdata2)) - RETERR(publish(&cdsrdata2, diff, origin, + !exists(cds, &cds_sha256)) + { + RETERR(publish(&cds_sha256, diff, origin, ttl, mctx)); + } } if (dns_rdataset_isassociated(cds) && - syncdelete(key->key, now)) { - if (exists(cds, &cdsrdata1)) - RETERR(delrdata(&cdsrdata1, diff, origin, + syncdelete(key->key, now)) + { + /* Delete both SHA-1 and SHA-256 */ + if (exists(cds, &cds_sha1)) { + RETERR(delrdata(&cds_sha1, diff, origin, cds->ttl, mctx)); - if (exists(cds, &cdsrdata2)) - RETERR(delrdata(&cdsrdata2, diff, origin, + } + if (exists(cds, &cds_sha256)) { + RETERR(delrdata(&cds_sha256, diff, origin, cds->ttl, mctx)); + } } if (dns_rdataset_isassociated(cdnskey) && - 
syncdelete(key->key, now)) { - if (exists(cdnskey, &cdnskeyrdata)) + syncdelete(key->key, now)) + { + if (exists(cdnskey, &cdnskeyrdata)) { RETERR(delrdata(&cdnskeyrdata, diff, origin, cdnskey->ttl, mctx)); + } } } if (!dns_rdataset_isassociated(cds) && !dns_rdataset_isassociated(cdnskey)) + { return (ISC_R_SUCCESS); + } /* * Unconditionaly remove CDS/DNSKEY records for removed keys. */ for (key = ISC_LIST_HEAD(*rmkeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { - dns_rdata_t cdsrdata1 = DNS_RDATA_INIT; - dns_rdata_t cdsrdata2 = DNS_RDATA_INIT; + key = ISC_LIST_NEXT(key, link)) + { + dns_rdata_t cds_sha1 = DNS_RDATA_INIT; + dns_rdata_t cds_sha256 = DNS_RDATA_INIT; dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT; dns_name_t *origin = dst_key_name(key->key);
@@ -1990,22 +2004,25 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, if (dns_rdataset_isassociated(cds)) { RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, DNS_DSDIGEST_SHA1, dsbuf1, - &cdsrdata1)); + &cds_sha1)); RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, DNS_DSDIGEST_SHA256, dsbuf2, - &cdsrdata2)); - if (exists(cds, &cdsrdata1)) - RETERR(delrdata(&cdsrdata1, diff, origin, + &cds_sha256)); + if (exists(cds, &cds_sha1)) { + RETERR(delrdata(&cds_sha1, diff, origin, cds->ttl, mctx)); - if (exists(cds, &cdsrdata2)) - RETERR(delrdata(&cdsrdata2, diff, origin, + } + if (exists(cds, &cds_sha256)) { + RETERR(delrdata(&cds_sha256, diff, origin, cds->ttl, mctx)); + } } if (dns_rdataset_isassociated(cdnskey)) { - if (exists(cdnskey, &cdnskeyrdata)) + if (exists(cdnskey, &cdnskeyrdata)) { RETERR(delrdata(&cdnskeyrdata, diff, origin, cdnskey->ttl, mctx)); + } } }
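Review bot: In the `syncpublish(key->key, now)` branch at the top of the hunk, a SHA-1 CDS record that an earlier BIND version already published for a key still inside its publish window is never removed: the new `cds_sha1` rdata is only consulted in the `syncdelete` branch and in the rmkeys loop, so the zone keeps serving the deprecated digest next to the new SHA-256 record until the key is sync-deleted. The added comment ("We construct the SHA-1 version of the record so we can delete any old records generated by previous versions of BIND") reads as if the intent is to retire those records now, in which case the publish branch should also delete it after the SHA-256 publish: `if (dns_rdataset_isassociated(cds) && exists(cds, &cds_sha1)) { RETERR(delrdata(&cds_sha1, diff, origin, cds->ttl, mctx)); }`. If leaving an already-published SHA-1 CDS in place until sync-delete is deliberate (for instance so that a parent which has not yet picked up the SHA-256 CDS is not presented with a set it cannot use), the comment should state that explicitly so the asymmetry is not mistaken for an oversight. The enclosing function dns_dnssec_syncupdate starts before this hunk and continues past it.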