From: Matthijs Mekking Date: Thu, 27 Aug 2020 12:32:52 +0000 (+0200) Subject: Log when CDS/CDNSKEY is published in zone. X-Git-Tag: v9.17.5~11^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=f9ef5120c1428b7696756c08ebe2f4ab3ff618fd;p=thirdparty%2Fbind9.git Log when CDS/CDNSKEY is published in zone. Log when named decides to add a CDS/CDNSKEY record to the zone. Now you understand how the bug was found that was fixed in the previous commits. --- diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 3de31e57344..08691cfcfd1 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -1172,6 +1172,26 @@ check_subdomain() { status=$((status+ret)) } +# Check if "CDS/CDNSKEY Published" is logged. +check_cdslog() { + _dir=$1 + _zone=$2 + _key=$3 + + _alg=$(key_get $_key ALG_STR) + _id=$(key_get $_key ID) + + n=$((n+1)) + echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)" + ret=0 + + grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 + grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1 + + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + # # rndc dnssec -checkds # @@ -2720,6 +2740,8 @@ check_keytimes check_apex check_subdomain dnssec_verify +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY1 # The DS can be introduced. We ignore any parent registration delay, so set # the DS publish time to now. @@ -3150,6 +3172,8 @@ set_keystate "KEY3" "STATE_DS" "rumoured" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY3 # Set expected key times: # - The old keys were activated 60 days ago (5184000 seconds). 
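Review bot: check_cdslog in the first tests.sh hunk is a presence-only check: it greps named.run for the "CDS for key …" line and the "CDNSKEY for key …" line independently, so it passes as long as both strings occur somewhere, and cannot tell whether each message was emitted by the branch that actually adds that record type (the two isc_log_write calls in the lib/dns/dnssec.c hunk could be attached to the wrong blocks and this check would still succeed). That is acceptable if the intent is only "publication is logged at all", but it should say so; I would add above the two grep lines `# Presence-only: confirms both messages were logged, not which record each was attached to.` The six call sites added in the later hunks inherit the same limitation, so this note applies to them as well.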
@@ -3395,6 +3419,8 @@ set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY2 # Set expected key times: # - This key was activated 186 days ago (16070400 seconds). @@ -3713,6 +3739,8 @@ set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY2 # Set expected key times: # - This key was activated 186 days ago (16070400 seconds). @@ -4678,6 +4706,8 @@ set_keystate "KEY3" "STATE_DS" "rumoured" check_keys wait_for_done_signing check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY3 # Set expected key times: # - The old keys were activated 9 hours ago (32400 seconds). @@ -5037,6 +5067,8 @@ set_keystate "KEY2" "STATE_DS" "rumoured" check_keys wait_for_done_signing check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +# Check that CDS publication is logged. +check_cdslog "$DIR" "$ZONE" KEY2 # Set expected key times: # - The old key was activated 9 hours ago (32400 seconds). diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 4d2f864bfa8..4b26e65606a 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c 
@@ -1984,14 +1984,27 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, cds_sha256.type = dns_rdatatype_cds; if (syncpublish(key->key, now)) { + char keystr[DST_KEY_FORMATSIZE]; + dst_key_format(key->key, keystr, sizeof(keystr)); + if (!dns_rdataset_isassociated(cdnskey) || !exists(cdnskey, &cdnskeyrdata)) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, + ISC_LOG_INFO, + "CDS for key %s is now published", + keystr); RETERR(addrdata(&cdnskeyrdata, diff, origin, ttl, mctx)); } /* Only publish SHA-256 (SHA-1 is deprecated) */ if (!dns_rdataset_isassociated(cds) || !exists(cds, &cds_sha256)) { + isc_log_write( + dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, + "CDNSKEY for key %s is now published", + keystr); RETERR(addrdata(&cds_sha256, diff, origin, ttl, mctx)); }
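Review bot: The two new log messages are attached to the wrong branches: the first isc_log_write is inside the block that tests `cdnskey` and adds `cdnskeyrdata`, yet its format string is `"CDS for key %s is now published"`, while the second is inside the `cds` block that adds `cds_sha256` and prints `"CDNSKEY for key %s is now published"`. The two format strings should be swapped so that the CDNSKEY branch logs `"CDNSKEY for key %s is now published"` and the CDS branch logs `"CDS for key %s is now published"`; the new check_cdslog in tests.sh only greps for the presence of both strings, so it will not catch the mix-up. A secondary point: each message is written before the `RETERR(addrdata(...))` that actually adds the record, so a failed addrdata leaves an "is now published" line in the log that was never true — logging after the RETERR would keep the log honest. dns_dnssec_syncupdate begins and ends outside this hunk.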