mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

reject the use of trusted-keys and managed-keys for the same name

Browse Source
This commit is contained in:
Evan Hunt
2019-02-07 15:10:41 -08:00
parent 8a8cd19eb0
commit 37e79bd79c
8 changed files with 309 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
bin/tests/system/checkconf/bad-duplicate-key.conf Normal file
View File

@@ -0,0 +1,34 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
};
trusted-keys {
example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};

34
bin/tests/system/checkconf/bad-duplicate-root-key.conf Normal file
View File

@@ -0,0 +1,34 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
};
trusted-keys {
. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};

24
bin/tests/system/checkconf/bad-validation-auto-key.conf Normal file
View File

@@ -0,0 +1,24 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation auto;
};
trusted-keys {
. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};

31
bin/tests/system/checkconf/good-dup-managed-key.conf Normal file
View File

@@ -0,0 +1,31 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
managed-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};

31
bin/tests/system/checkconf/good-dup-trusted-key.conf Normal file
View File

@@ -0,0 +1,31 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
dnssec-validation yes;
};
trusted-keys {
example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
NQyrszHhWUU=";
example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
6zqCkwuMmrU=";
};

3
bin/tests/system/checkconf/tests.sh
View File

@@ -387,7 +387,8 @@ grep "trusted-key for root from 2010 without updated" checkconf.out$n > /dev/nul
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
n=`expr $n + 1`
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
ret=0
$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1

4
bin/tests/system/mkeys/README
View File

@@ -22,3 +22,7 @@ root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
ns7 is a validator with multiple views configured. It is used for
testing per-view rndc commands and checking interactions between options
related to and potentially affecting RFC 5011 processing.

166
lib/bind9/check.c
View File

@@ -39,6 +39,7 @@
#include <dns/acl.h>
#include <dns/dnstap.h>
#include <dns/fixedname.h>
#include <dns/rbt.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/rrl.h>
@@ -3263,6 +3264,118 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
return (result);
}
/*
* Check for conflicts between trusted-keys and managed-keys.
*/
static isc_result_t
check_ta_conflicts(const cfg_obj_t *mkeys, const cfg_obj_t *tkeys,
bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx)
{
isc_result_t result = ISC_R_SUCCESS, tresult;
const cfg_listelt_t *elt = NULL, *elt2 = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
const cfg_obj_t *obj;
const char *str;
isc_symtab_t *symtab = NULL;
isc_symvalue_t symvalue;
char namebuf[DNS_NAME_FORMATSIZE];
const char *file;
unsigned int line;
name = dns_fixedname_initname(&fixed);
result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
for (elt = cfg_list_first(mkeys);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
obj = cfg_listelt_value(elt2);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
tresult = dns_name_fromstring(name, str, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
/* already reported */
continue;
}
dns_name_format(name, namebuf, sizeof(namebuf));
symvalue.as_cpointer = obj;
tresult = isc_symtab_define(symtab, namebuf, 1,
symvalue,
isc_symexists_reject);
if (tresult != ISC_R_SUCCESS &&
tresult != ISC_R_EXISTS)
{
result = tresult;
continue;
}
}
}
for (elt = cfg_list_first(tkeys);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *keylist = cfg_listelt_value(elt);
for (elt2 = cfg_list_first(keylist);
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
obj = cfg_listelt_value(elt2);
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
result = dns_name_fromstring(name, str, 0, NULL);
if (result != ISC_R_SUCCESS) {
/* already reported */
continue;
}
if (autovalidation &&
dns_name_equal(name, dns_rootname))
{
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"trusted-keys for root zone "
"cannot be used with "
"'dnssec-validation auto'.");
result = ISC_R_FAILURE;
continue;
}
dns_name_format(name, namebuf, sizeof(namebuf));
tresult = isc_symtab_lookup(symtab, namebuf, 1,
&symvalue);
if (tresult == ISC_R_SUCCESS) {
file = cfg_obj_file(symvalue.as_cpointer);
line = cfg_obj_line(symvalue.as_cpointer);
if (file == NULL) {
file = "<unknown file>";
}
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"trusted-keys and managed-keys "
"cannot be used for the "
"same name. managed-key defined "
"(%s:%u)", file, line);
result = ISC_R_FAILURE;
}
}
}
cleanup:
if (symtab != NULL) {
isc_symtab_destroy(&symtab);
}
return (result);
}
typedef enum {
special_zonetype_rpz,
special_zonetype_catz
@@ -3404,7 +3517,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_log_t *logctx, isc_mem_t *mctx)
{
const cfg_obj_t *zones = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *keys = NULL, *tkeys = NULL, *mkeys = NULL;
#ifndef HAVE_DLOPEN
const cfg_obj_t *dyndb = NULL;
#endif
@@ -3417,6 +3530,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *options = NULL;
const cfg_obj_t *opts = NULL;
const cfg_obj_t *plugin_list = NULL;
bool autovalidation = false;
unsigned int tflags, mflags;
/*
@@ -3570,14 +3684,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
/*
* Check trusted-keys and managed-keys.
*/
keys = NULL;
tkeys = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "trusted-keys", &keys);
if (keys == NULL)
(void)cfg_map_get(config, "trusted-keys", &keys);
(void)cfg_map_get(voptions, "trusted-keys", &tkeys);
if (tkeys == NULL)
(void)cfg_map_get(config, "trusted-keys", &tkeys);
tflags = 0;
for (element = cfg_list_first(keys);
for (element = cfg_list_first(tkeys);
element != NULL;
element = cfg_list_next(element))
{
@@ -3594,33 +3708,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-key for root from 2010 without updated "
"trusted-key from 2017: THIS WILL FAIL AFTER "
"KEY ROLLOVER");
}
if ((tflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-key for dlv.isc.org still present; "
"dlv.isc.org has been shut down");
}
keys = NULL;
mkeys = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "managed-keys", &keys);
if (keys == NULL)
(void)cfg_map_get(config, "managed-keys", &keys);
(void)cfg_map_get(voptions, "managed-keys", &mkeys);
if (mkeys == NULL)
(void)cfg_map_get(config, "managed-keys", &mkeys);
mflags = 0;
for (element = cfg_list_first(keys);
for (element = cfg_list_first(mkeys);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *keylist = cfg_listelt_value(element);
for (element2 = cfg_list_first(keylist);
element2 != NULL;
element2 = cfg_list_next(element2)) {
element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2);
tresult = check_trusted_key(obj, true, &mflags,
logctx);
@@ -3630,13 +3745,13 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"managed-key for root from 2010 without updated "
"managed-key from 2017");
}
if ((mflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"managed-key for dlv.isc.org still present; "
"dlv.isc.org has been shut down");
}
@@ -3644,11 +3759,28 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
(mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
{
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys for the ICANN "
"root are present");
}
obj = NULL;
if (voptions != NULL) {
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
}
if (obj == NULL && options != NULL) {
(void)cfg_map_get(options, "dnssec-validation", &obj);
}
if (obj != NULL && !cfg_obj_isboolean(obj)) {
autovalidation = true;
}
tresult = check_ta_conflicts(mkeys, tkeys,
autovalidation, mctx, logctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
/*
* Check options.
*/