From 080299bf4932f410245ea198388b2f014a3ee28c Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 13 Mar 2025 17:44:49 -0700 Subject: [PATCH] Don't check DNS_KEYFLAG_NOAUTH All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH (and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type, and are not applicable to DNSKEY. Previously, because the DNSKEY implementation was built on top of KEY, the NOAUTH flag prevented authentication in DNSKEYs as well. This has been corrected. (cherry picked from commit 5c21576f82f9f62c2e22aac920a37a4013ac3a80) --- lib/dns/dnssec.c | 35 +---------------------------------- lib/dns/key.c | 3 --- lib/dns/zone.c | 13 ++----------- 3 files changed, 3 insertions(+), 48 deletions(-) diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 58e27cab19..f33c36c9d1 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -193,7 +193,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_result_t ret; isc_buffer_t *databuf = NULL; char data[256 + 8]; - uint32_t flags; unsigned int sigsize; dns_fixedname_t fnewname; dns_fixedname_t fsigner; @@ -211,17 +210,6 @@ dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, return DNS_R_INVALIDTIME; } - /* - * Is the key allowed to sign data? - */ - flags = dst_key_flags(key); - if ((flags & DNS_KEYTYPE_NOAUTH) != 0) { - return DNS_R_KEYUNAUTHORIZED; - } - if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { - return DNS_R_KEYUNAUTHORIZED; - } - sig.mctx = mctx; sig.common.rdclass = set->rdclass; sig.common.rdtype = dns_rdatatype_rrsig; @@ -383,7 +371,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, unsigned char data[300]; dst_context_t *ctx = NULL; int labels = 0; - uint32_t flags; bool downcase = false; REQUIRE(name != NULL); @@ -448,19 +435,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, break; } - /* - * Is the key allowed to sign data? - */ - flags = dst_key_flags(key); - if ((flags & DNS_KEYTYPE_NOAUTH) != 0) { - inc_stat(dns_dnssecstats_fail); - return DNS_R_KEYUNAUTHORIZED; - } - if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { - inc_stat(dns_dnssecstats_fail); - return DNS_R_KEYUNAUTHORIZED; - } - again: ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false, maxbits, &ctx); @@ -1582,9 +1556,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp, RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &dnskey)); dst_key_setttl(dnskey, keys.ttl); - if (!is_zone_key(dnskey) || - (dst_key_flags(dnskey) & DNS_KEYTYPE_NOAUTH) != 0) - { + if (!is_zone_key(dnskey)) { goto skip; } @@ -1690,11 +1662,6 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp, } RETERR(result); - /* This should never happen. */ - if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) { - goto skip; - } - /* * Whatever the key's default TTL may have * been, the rdataset TTL takes priority. diff --git a/lib/dns/key.c b/lib/dns/key.c index 6e8091bc75..07bd5cf88e 100644 --- a/lib/dns/key.c +++ b/lib/dns/key.c @@ -134,9 +134,6 @@ bool dst_key_iszonekey(const dst_key_t *key) { REQUIRE(VALID_KEY(key)); - if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0) { - return false; - } if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { return false; } diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 47282e435c..b52fe8204c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6216,9 +6216,7 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); dst_key_setttl(pubkey, rdataset.ttl); - if (!is_zone_key(pubkey) || - (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) - { + if (!is_zone_key(pubkey)) { goto next; } /* Corrupted .key file? */ @@ -6312,12 +6310,6 @@ findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, * been, the rdataset TTL takes priority. */ dst_key_setttl(keys[count], rdataset.ttl); - - if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { - /* We should never get here. */ - dst_key_free(&keys[count]); - goto next; - } count++; next: if (pubkey != NULL) { @@ -20467,8 +20459,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK | - DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE) + if ((dnskey.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) { ISC_LIST_UNLINK(diff->tuples, tuple, link); ISC_LIST_APPEND(tuples, tuple, link);