From: Matthijs Mekking
Date: Tue, 7 Dec 2021 12:59:42 +0000 (+0100)
Subject: Fix bug introduced by #763 related to offline keys
X-Git-Tag: v9.17.22~7^2~3
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=beeefe35c4a05bb69e9730190039fdf3e9fea1ba;p=thirdparty%2Fbind9.git

Fix bug introduced by #763 related to offline keys

In some cases we want to keep expired signatures. For example, if the KSK is offline, we don't want to fall back to signing with the ZSK. We could remove the signatures, but in any case we end up with a broken zone.

The change made for GL #763 prevented the behavior to sign the DNSKEY RRset with the ZSK if the KSK was offline (and signatures were expired). The change causes the definition of "having both keys": if one key is offline, we still consider having both keys, so we don't fallback signing with the ZSK if KSK is offline. That change also works the other way, if the ZSK is offline, we don't fallback signing with the KSK.

This commit fixes that, so we only fallback signing zone RRsets with the KSK, not signing key RRsets with the ZSK.
---
diff --git a/lib/dns/update.c b/lib/dns/update.c
index cfbe4405c49..3349015788e 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1157,8 +1157,8 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 }
 /* Don't consider inactive keys, however
- * the key may be temporary offline, so do
- * consider keys which private key files are
+ * the KSK may be temporary offline, so do
+ * consider KSKs which private key files are
 * unavailable. */
 if (dst_key_inactive(keys[j])) {
@@ -1170,7 +1170,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 }
 if (KSK(keys[j])) {
 have_ksk = true;
- } else {
+ } else if (dst_key_isprivate(keys[j])) {
 have_nonksk = true;
 }
 both = have_ksk && have_nonksk;
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index be02dbea29e..6df19b0dc0b 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
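Review bot: The new `} else if (dst_key_isprivate(keys[j])) {` in the second update.c hunk changes what `have_nonksk` means — from "a ZSK is in the key set" to "a ZSK with private key material is in the key set" — while `have_ksk = true;` keeps the old meaning, and neither hunk records that asymmetry; the comment in the first hunk should say so, e.g. `* A ZSK whose private key is unavailable is not counted, so the KSK signs the zone RRsets instead.` Any read of `have_nonksk` later in add_sigs beyond `both = have_ksk && have_nonksk;` (outside the hunk) now treats an offline ZSK as absent, which is worth confirming against the rest of the function. The same code change appears in zone.c add_sigs (@@ -7125) and zone_sign (@@ -9769), and since nothing in these hunks reports the fallback, a log line through the `log` argument when a ZSK is skipped for lacking private material would make the KSK-signs-everything state visible to operators. add_sigs's body continues outside both hunks.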
@@ -3523,7 +3523,8 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
 result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
 INSIST(result == ISC_R_SUCCESS);
- /* RFC 3110, section 4: Performance Considerations:
+ /*
+ * RFC 3110, section 4: Performance Considerations:
 *
 * A public exponent of 3 minimizes the effort needed to verify
 * a signature. Use of 3 as the public exponent is weak for
@@ -7111,8 +7112,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 continue;
 }
- /* Don't consider inactive keys, however
- * the key may be temporary offline, so do
+ /*
+ * Don't consider inactive keys, however
+ * the KSK may be temporary offline, so do
 * consider keys which private key files are
 * unavailable. */
@@ -7125,7 +7127,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 }
 if (KSK(keys[j])) {
 have_ksk = true;
- } else {
+ } else if (dst_key_isprivate(keys[j])) {
 have_nonksk = true;
 }
 both = have_ksk && have_nonksk;
@@ -9756,9 +9758,10 @@ zone_sign(dns_zone_t *zone) {
 ALG(zone_keys[j]))) {
 continue;
 }
- /* Don't consider inactive keys, however
+ /*
+ * Don't consider inactive keys, however
 * the key may be temporary offline, so
- * do consider keys which private key
+ * do consider KSKs which private key
 * files are unavailable. */
 if (dst_key_inactive(zone_keys[j])) {
@@ -9769,7 +9772,8 @@ zone_sign(dns_zone_t *zone) {
 }
 if (KSK(zone_keys[j])) {
 have_ksk = true;
- } else {
+ } else if (dst_key_isprivate(
+ zone_keys[j])) {
 have_nonksk = true;
 }
 both = have_ksk && have_nonksk;
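Review bot: The comment rewritten in the zone.c add_sigs hunk (@@ -7111) still reads `* consider keys which private key files are` while update.c now says `consider KSKs which private key files are`, and the zone_sign hunk (@@ -9756) keeps `* the key may be temporary offline, so` next to the updated `do consider KSKs` line, so the three copies of the same comment now disagree about what they describe. Aligning both to the update.c wording (`* the KSK may be temporary offline, so do` / `* consider KSKs which private key files are`) keeps them greppable as one rule, and `temporary` should be `temporarily` in all three. The three key-selection loops these hunks touch are drifting independently; a shared helper computing `have_ksk`/`have_nonksk` for a key set would remove the triple maintenance, though that is outside this commit's scope. Each of these hunks cuts its enclosing function, which continues outside the hunk.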
@@ -14891,8 +14895,10 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 timeout = 30;
 }
- /* Save request parameters so we can reuse them later on
- for resolving missing glue A/AAAA records. */
+ /*
+ * Save request parameters so we can reuse them later on
+ * for resolving missing glue A/AAAA records.
+ */
 cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
 cb_args->stub = stub;
 cb_args->tsig_key = key;