mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 22:45:39 +00:00
Code Issues Releases Wiki Activity

4837. [bug] dns_update_signatures{inc} (add_sigs) was not

Browse Source 
properly determining if there were active KSK and
                        ZSK keys for a algorithm when update-check-ksk is
                        true (default) leaving records unsigned. [RT #46743]
This commit is contained in:
Mark Andrews
2017-12-04 10:03:51 +11:00
parent 1b0ca5d5bb
commit 196e01da5f
9 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -1,3 +1,8 @@
4837. [bug] dns_update_signatures{inc} (add_sigs) was not
properly determining if there were active KSK and
ZSK keys for a algorithm when update-check-ksk is
true (default) leaving records unsigned. [RT #46743]
--- 9.12.0rc1 released --- --- 9.12.0rc1 released ---
4836. [bug] Zones created using "rndc addzone" could 4836. [bug] Zones created using "rndc addzone" could

6
bin/tests/system/inline/clean.sh
View File

@@ -15,6 +15,8 @@ rm -f ns1/root.db.signed
rm -f ns2/bits.db rm -f ns2/bits.db
rm -f ns2/bits.db.jnl rm -f ns2/bits.db.jnl
rm -f ns1/signer.out rm -f ns1/signer.out
rm -f ns2/inactivezsk.db
rm -f ns2/inactivezsk.db.jnl
rm -f ns2/retransfer.db rm -f ns2/retransfer.db
rm -f ns2/retransfer.db.jnl rm -f ns2/retransfer.db.jnl
rm -f ns2/retransfer3.db rm -f ns2/retransfer3.db
@@ -44,6 +46,10 @@ rm -f ns3/expired.db
rm -f ns3/expired.db.jnl rm -f ns3/expired.db.jnl
rm -f ns3/expired.db.signed rm -f ns3/expired.db.signed
rm -f ns3/expired.db.signed.jnl rm -f ns3/expired.db.signed.jnl
rm -f ns3/inactivezsk.bk
rm -f ns3/inactivezsk.bk.jnl
rm -f ns3/inactivezsk.bk.signed
rm -f ns3/inactivezsk.bk.signed.jnl
rm -f ns3/nsec3.db rm -f ns3/nsec3.db
rm -f ns3/nsec3.db.jnl rm -f ns3/nsec3.db.jnl
rm -f ns3/nsec3.db.signed rm -f ns3/nsec3.db.signed

3
bin/tests/system/inline/ns1/root.db.in
View File

@@ -48,3 +48,6 @@ ns3.externalkey. A 10.53.0.3
retransfer3. NS ns3.retransfer. retransfer3. NS ns3.retransfer.
ns3.retransfer3. A 10.53.0.3 ns3.retransfer3. A 10.53.0.3
inactivezsk. NS ns3.inactivezsk.
ns3.inactivezsk. A 10.53.0.3

6
bin/tests/system/inline/ns2/named.conf
View File

@@ -53,3 +53,9 @@ zone "nsec3-loop" {
file "nsec3-loop.db"; file "nsec3-loop.db";
notify no; notify no;
}; };
zone "inactivezsk" {
type master;
file "inactivezsk.db";
allow-update { any; };
};

8
bin/tests/system/inline/ns3/named.conf
View File

@@ -112,3 +112,11 @@ zone "retransfer3" {
auto-dnssec maintain; auto-dnssec maintain;
file "retransfer3.bk"; file "retransfer3.bk";
}; };
zone "inactivezsk" {
type slave;
masters { 10.53.0.2; };
inline-signing yes;
auto-dnssec maintain;
file "inactivezsk.bk";
};

9
bin/tests/system/inline/ns3/sign.sh
View File

@@ -75,6 +75,15 @@ keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone` keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=inactivezsk
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
for s in a c d h k l m q z for s in a c d h k l m q z
do do
zone=test-$s zone=test-$s

1
bin/tests/system/inline/setup.sh
View File

@@ -16,6 +16,7 @@ rm -f ns1/root.db.signed
touch ns2/trusted.conf touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db cp ns2/bits.db.in ns2/bits.db
cp ns2/bits.db.in ns2/inactivezsk.db
cp ns2/bits.db.in ns2/retransfer.db cp ns2/bits.db.in ns2/retransfer.db
cp ns2/bits.db.in ns2/retransfer3.db cp ns2/bits.db.in ns2/retransfer3.db
rm -f ns2/bits.db.jnl rm -f ns2/bits.db.jnl

31
bin/tests/system/inline/tests.sh
View File

@@ -1022,5 +1022,36 @@ serial=`awk '$4 == "SOA" { print $7 }' dig.out.ns2.post.test$n`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:testing checking that inline signing works with inactive KSK ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
soa1=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n`
$NSUPDATE << EOF
server 10.53.0.2 5300
update add added.inactivezsk 0 IN TXT added record
send
EOF
for i in 1 2 3 4 5 6 7 8 9 10
do
$DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
test ${soa1:-0} -ne ${soa2:-0} && break
sleep 1
done
test ${soa1:-0} -ne ${soa2:-0} || ret=1
$DIG $DIGOPTS @10.53.0.3 -p 5300 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
grep "TXT 7 2" dig.out.ns3.test$n > /dev/null || ret=1
grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status" echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1

6
lib/dns/update.c
View File

@@ -1105,6 +1105,8 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
if (!dst_key_isprivate(keys[i])) if (!dst_key_isprivate(keys[i]))
continue; continue;
if (dst_key_inactive(keys[i])) /* Should be redundant. */
continue;
if (check_ksk && !REVOKE(keys[i])) { if (check_ksk && !REVOKE(keys[i])) {
isc_boolean_t have_ksk, have_nonksk; isc_boolean_t have_ksk, have_nonksk;
@@ -1118,6 +1120,10 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
for (j = 0; j < nkeys; j++) { for (j = 0; j < nkeys; j++) {
if (j == i || ALG(keys[i]) != ALG(keys[j])) if (j == i || ALG(keys[i]) != ALG(keys[j]))
continue; continue;
if (!dst_key_isprivate(keys[j]))
continue;
if (dst_key_inactive(keys[j])) /* SBR */
continue;
if (REVOKE(keys[j])) if (REVOKE(keys[j]))
continue; continue;
if (KSK(keys[j])) if (KSK(keys[j]))