diff --git a/CHANGES b/CHANGES index 074df6f512..72264ef261 100644 --- a/CHANGES +++ b/CHANGES @@ -1,14 +1,5 @@ --- 9.12.0b1 released --- -4773. [bug] Keys specified in "managed-keys" statements - can now only be used when validating key refresh - queries during initialization of RFC 5011 key - maintenance. If initialization fails, DNSSEC - validation of normal queries will also fail. - Previously, validation of normal queries could - succeed using the initializing key, potentially - masking problems with managed-keys. [RT #46077] - 4772. [test] Expanded unit testing framework for libns, using hooks to interrupt query flow and inspect state at specified locations. [RT #46173] diff --git a/bin/named/server.c b/bin/named/server.c index 818838b142..2101c1ded2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -844,8 +844,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig, continue; } - CHECK(dns_keytable_add2(secroots, managed, - managed, &dstkey)); + CHECK(dns_keytable_add(secroots, managed, &dstkey)); } } @@ -1044,8 +1043,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "managed-keys-directory '%s' " - "must be writable and accessible", - directory); + "is not writable", directory); result = ISC_R_NOPERM; goto cleanup; } @@ -6170,8 +6168,8 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { if (access(directory, DIR_PERM_OK) != 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "working directory '%s' must be " - "writable and accessible", directory); + "directory '%s' is not writable", + directory); return (ISC_R_NOPERM); } 
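Review bot: After this hunk `load_view_keys` puts a `managed-keys` key into secroots with nothing recording that no RFC 5011 refresh has yet confirmed it, so to the validator it is indistinguishable from a `trusted-keys` entry. That is exactly the state the deleted CHANGES entry 4773 describes as masking managed-keys problems: if initialization later fails, answers still validate against this key and the operator sees nothing. If backing the restriction out is deliberate, the CHANGES entry and the release note should be replaced by ones that say so and why, not deleted outright. `load_view_keys` starts before the hunk.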
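Review bot: In `directory_callback` the new message `"directory '%s' is not writable"` is narrower than the check that produces it: `access(directory, DIR_PERM_OK)` (the bits behind DIR_PERM_OK are not visible here) also fails for a path that does not exist, is not a directory, or lacks the search bit, and every such failure is now reported as "not writable" with ISC_R_NOPERM. Appending the errno text from access() to the message, via whatever strerror wrapper this file already uses, would let an operator tell those cases apart; the same wording is introduced in the `configure_view_dnsseckeys` and `load_configuration` hunks, and the runtime system test greps for it, so all three need changing together. `directory_callback` starts before the hunk.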
@@ -6436,7 +6434,7 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) { do { dst_key_t *key = dns_keynode_key(keynode); - if (key != NULL && !dns_keynode_initial(keynode)) { + if (key != NULL) { name = dst_key_name(key); if (n < (sizeof(ids)/sizeof(ids[0]))) { ids[n] = dst_key_id(key); @@ -6445,19 +6443,16 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) { } nextnode = NULL; (void)dns_keytable_nextkeynode(keytable, keynode, &nextnode); - if (keynode != firstnode) { + if (keynode != firstnode) dns_keytable_detachkeynode(keytable, &keynode); - } keynode = nextnode; } while (keynode != NULL); - if (n == 0) { + if (n == 0) return; - } - if (n > 1) { + if (n > 1) qsort(ids, n, sizeof(ids[0]), cid); - } /* * Encoded as "_ta-xxxx\(-xxxx\)*" where xxxx is the hex version of @@ -6467,23 +6462,20 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) { r.base = label; r.length = sizeof(label);; m = snprintf(r.base, r.length, "_ta"); - if (m < 0 || (unsigned)m > r.length) { + if (m < 0 || (unsigned)m > r.length) return; - } isc_textregion_consume(&r, m); for (i = 0; i < n; i++) { m = snprintf(r.base, r.length, "-%04x", ids[i]); - if (m < 0 || (unsigned)m > r.length) { + if (m < 0 || (unsigned)m > r.length) return; - } isc_textregion_consume(&r, m); } dns_fixedname_init(&fixed); tatname = dns_fixedname_name(&fixed); result = dns_name_fromstring2(tatname, label, name, 0, NULL); - if (result != ISC_R_SUCCESS) { + if (result != ISC_R_SUCCESS) return; - } dns_name_format(tatname, namebuf, sizeof(namebuf)); isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, @@ -6492,9 +6484,8 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) { view->name, namebuf); tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat)); - if (tat == NULL) { + if (tat == NULL) return; - } tat->mctx = NULL; tat->task = NULL; 
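Review bot: The truncation check `if (m < 0 || (unsigned)m > r.length) return;` that the hunk keeps (for both the `"_ta"` and the `"-%04x"` snprintf calls) lets exactly-full output through: snprintf returns the length it wanted to write, and when that equals `r.length` the last character was dropped to make room for the NUL, so the `_ta-...` label would be built one hex digit short and sent that way. The condition should be `(unsigned)m >= r.length` in both places. Whether this is reachable depends on how `label` is sized relative to the `ids` array, both of which are declared above the hunk; the double semicolon on `r.length = sizeof(label);;` is harmless but worth cleaning up while here.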
@@ -8499,8 +8490,7 @@ load_configuration(const char *filename, named_server_t *server, if (access(".", DIR_PERM_OK) != 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "the working directory must be " - "writable and accessible"); + "the working directory is not writable"); result = ISC_R_NOPERM; goto cleanup; } diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README index 40310a2d70..8682940f8c 100644 --- a/bin/tests/system/mkeys/README +++ b/bin/tests/system/mkeys/README @@ -16,8 +16,16 @@ is used so it will send TAT queries once per second. ns3 is a validator with a broken key in managed-keys. -ns4 is a validator with a deliberately broken managed-keys.bind and -managed-keys.jnl, causing RFC 5011 initialization to fail. +Tests TODO: -ns5 is a validator which is prevented from getting a response from the -root server, causing key refresh queries to fail. +- initial working KSK + +TODO: test using delv with new trusted key too + +- introduce a REVOKE bit + +- later remove a signature + +- corrupt a signature + +TODO: also same things with dlv auto updates of trust anchor diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh index 8c3e33c71d..a02f05b777 100644 --- a/bin/tests/system/mkeys/clean.sh +++ b/bin/tests/system/mkeys/clean.sh @@ -15,4 +15,3 @@ rm -f */named.memstats */named.run rm -f dig.out* delv.out* rndc.out* signer.out* rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp rm -f ns1/named.conf -rm -rf ns4/nope diff --git a/bin/tests/system/mkeys/ns1/named1.conf b/bin/tests/system/mkeys/ns1/named1.conf index 5f9eeaf91e..0f17bdc16b 100644 --- a/bin/tests/system/mkeys/ns1/named1.conf +++ b/bin/tests/system/mkeys/ns1/named1.conf @@ -10,11 +10,6 @@ controls { /* empty */ }; -acl allowed { - ! 10.53.0.5; - any; -}; - options { query-source address 10.53.0.1; notify-source 10.53.0.1; 
@@ -27,7 +22,6 @@ options { notify no; dnssec-enable yes; dnssec-validation yes; - allow-query { allowed; }; }; key rndc_key { diff --git a/bin/tests/system/mkeys/ns1/named2.conf b/bin/tests/system/mkeys/ns1/named2.conf index 42f6712859..a033e10d81 100644 --- a/bin/tests/system/mkeys/ns1/named2.conf +++ b/bin/tests/system/mkeys/ns1/named2.conf @@ -10,11 +10,6 @@ controls { /* empty */ }; -acl allowed { - ! 10.53.0.5; - any; -}; - options { query-source address 10.53.0.1; notify-source 10.53.0.1; @@ -27,7 +22,6 @@ options { notify no; dnssec-enable yes; dnssec-validation yes; - allow-query { allowed; }; }; key rndc_key { diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 054422de55..fb134742d2 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -28,8 +28,6 @@ managed-keys { EOF ' > managed.conf cp managed.conf ../ns2/managed.conf -cp managed.conf ../ns4/managed.conf -cp managed.conf ../ns5/managed.conf # Configure a trusted key statement (used by delve) cat $keyname.key | grep -v '^; ' | $PERL -n -e ' diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args index 71e466df40..d222b7faea 100644 --- a/bin/tests/system/mkeys/ns2/named.args +++ b/bin/tests/system/mkeys/ns2/named.args @@ -1 +1 @@ --m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1 +-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 diff --git a/bin/tests/system/mkeys/ns4/named.conf b/bin/tests/system/mkeys/ns4/named.conf deleted file mode 100644 index ad3979d7a7..0000000000 --- a/bin/tests/system/mkeys/ns4/named.conf +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -// NS4 - -controls { /* empty */ }; - -options { - query-source address 10.53.0.4; - notify-source 10.53.0.4; - transfer-source 10.53.0.4; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.4; }; - listen-on-v6 { none; }; - recursion yes; - notify no; - dnssec-enable yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; - managed-keys-directory "nope"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../common/root.hint"; -}; diff --git a/bin/tests/system/mkeys/ns5/named.conf b/bin/tests/system/mkeys/ns5/named.conf deleted file mode 100644 index 98204929ad..0000000000 --- a/bin/tests/system/mkeys/ns5/named.conf +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -// NS5 - -options { - query-source address 10.53.0.5; - notify-source 10.53.0.5; - transfer-source 10.53.0.5; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.5; }; - listen-on-v6 { none; }; - recursion yes; - notify no; - dnssec-enable yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../common/root.hint"; -}; 
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh index bb70fe1df3..d555c4e93e 100644 --- a/bin/tests/system/mkeys/setup.sh +++ b/bin/tests/system/mkeys/setup.sh @@ -16,9 +16,3 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE cp ns1/named1.conf ns1/named.conf cd ns1 && $SHELL sign.sh - -cd ../ns4 -mkdir nope -touch nope/managed-keys.bind -touch nope/managed.keys.bind.jnl -chmod 444 nope/* diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index c5ebc88ac5..b9806f3431 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh @@ -28,7 +28,6 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check positive validation with valid trust anchor ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /' $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 @@ -391,7 +390,6 @@ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2 n=`expr $n + 1` echo "I: check positive validation ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /' $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 @@ -448,6 +446,7 @@ rm -f ${revoked}.key ${revoked}.private $SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null $SETTIME -D now -K ns1 $standby1 > /dev/null $SETTIME -D now -K ns1 $standby2 > /dev/null +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /' sleep 1 $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&- $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /' 
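Review bot: The `flush` added before `sleep 1` is sent to `-s 10.53.0.2` (ns2) but its output is tagged with `sed 's/^/I: ns1 /'`, so any rndc diagnostics from it will be attributed to the wrong server in the test log. Use `sed 's/^/I: ns2 /'` as the other ns2 rndc calls in this file do. The line removed in the following hunk carried the same mislabel, so the commit moves the mistake rather than fixing it.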
@@ -455,7 +454,6 @@ sleep 3 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' sleep 1 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /' $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 @@ -539,7 +537,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check that trust-anchor-telemetry queries are logged ($n)" ret=0 -grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1 +grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns3/named.run > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
@@ -564,45 +562,5 @@ grep "name: \." rndc.out.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -n=`expr $n + 1` -echo "I: check that trust-anchor-telemetry queries contain the correct key ($n)" -ret=0 -# convert the hexadecimal key from the TAT query into decimal and -# compare against the known key. -tathex=`grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([a-f0-9][a-f0-d]*\)):/\1/'` -tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex` -realkey=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots - | grep '; managed' | sed 's#.*SHA256/\([0-9][0-9]*\) ; managed.*#\1#'` -[ "$tatkey" -eq "$realkey" ] || ret=1 -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -n=`expr $n + 1` -echo "I: check initialization fails if managed-keys can't be created ($n)" -ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots | sed 's/^/I: ns4 /' -grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 -grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 -grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -n=`expr $n + 1` -echo "I: check failure to contact root servers does not prevent key refreshes after restart ($n)" -ret=0 -# By the time we get here, ns5 should have attempted refreshing its managed -# keys. These attempts should fail as ns1 is configured to REFUSE all queries -# from ns5. Note we do not configure ns5 with "-T mkeytimers"; this is to -# ensure key refresh retry will be scheduled one hour in the future instead of -# a few seconds in the future, in order to prevent races when ns5 is restarted. -$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5 -$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5 -sleep 2 -# ns5/named.run will contain logs from both the old instance and the new -# instance. 
In order for the test to pass, both must attempt a fetch. -count=`grep -c "Creating key fetch" ns5/named.run` -[ $count -lt 2 ] && ret=1 -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/runtime/ns2/named-alt2.conf b/bin/tests/system/runtime/ns2/named-alt2.conf index aaca67dd7e..d18ea86211 100644 --- a/bin/tests/system/runtime/ns2/named-alt2.conf +++ b/bin/tests/system/runtime/ns2/named-alt2.conf @@ -13,7 +13,7 @@ controls { /* empty */ }; options { query-source address 10.53.0.2; port 5300; - pid-file "named2.pid"; + pid-file "named3.pid"; listen-on { 10.53.0.2; 10.53.0.3; }; listen-on-v6 { fd92:7065:b8e:ffff::2; }; recursion no; diff --git a/bin/tests/system/runtime/ns2/named-alt3.conf b/bin/tests/system/runtime/ns2/named-alt3.conf index b5ad847339..69356ea758 100644 --- a/bin/tests/system/runtime/ns2/named-alt3.conf +++ b/bin/tests/system/runtime/ns2/named-alt3.conf @@ -13,7 +13,7 @@ controls { /* empty */ }; options { query-source address 10.53.0.2; port 5300; - pid-file "named2.pid"; + pid-file "named4.pid"; lock-file none; listen-on { 10.53.0.2; 10.53.0.3; }; listen-on-v6 { fd92:7065:b8e:ffff::2; }; diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh index cf285383f5..1d26590ad9 100644 --- a/bin/tests/system/runtime/tests.sh +++ b/bin/tests/system/runtime/tests.sh @@ -37,7 +37,7 @@ ret=0 (cd ns2; $NAMED -c named-alt2.conf -D ns2-extra-2 -X named.lock -m record,size,mctx -d 99 -g -U 4 >> named3.run 2>&1 & ) sleep 2 grep "another named process" ns2/named3.run > /dev/null || ret=1 -[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid` +[ -s ns2/named3.pid ] && $KILL -15 `cat ns2/named3.pid` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
@@ -47,60 +47,61 @@ ret=0 (cd ns2; $NAMED -c named-alt3.conf -D ns2-extra-3 -m record,size,mctx -d 99 -g -U 4 >> named4.run 2>&1 & ) sleep 2 grep "another named process" ns2/named4.run > /dev/null && ret=1 -[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid` +[ -s ns2/named4.pid ] && $KILL -15 `cat ns2/named4.pid` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -if [ ! "$CYGWIN" ]; then - n=`expr $n + 1` - echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)" - ret=0 - cp -f ns2/named-alt4.conf ns2/named.conf - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1 - grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 - sleep 1 - grep "[^-]directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1 - if [ $ret != 0 ]; then echo "I:failed"; fi - status=`expr $status + $ret` +n=`expr $n + 1` +echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)" +ret=0 +cp -f ns2/named-alt4.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1 +grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +sleep 1 +grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` - n=`expr $n + 1` - echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)" - ret=0 - cp -f ns2/named-alt5.conf ns2/named.conf - $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1 - grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 - sleep 1 - grep "managed-keys-directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1 - if [ $ret != 0 ]; then echo "I:failed"; fi - status=`expr $status + $ret` +n=`expr $n + 1` +echo "I: checking that named refuses to reconfigure if managed-keys-directory 
is not writable ($n)" +ret=0 +cp -f ns2/named-alt5.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1 +grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1 +sleep 1 +grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` - echo "I: kill existing named process" - [ -s "ns2/named.pid" ] && kill -15 `cat ns2/named.pid` +n=`expr $n + 1` +echo "I: checking that named refuses to start if working directory is not writable ($n)" +ret=0 +cd ns2 +$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 & +sleep 2 +grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1 +# pidfile could be in either place depending on whether the directory +# successfully changed. +[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1 +[ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1 +cd .. +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` - n=`expr $n + 1` - echo "I: checking that named refuses to start if working directory is not writable ($n)" - ret=0 - cd ns2 - $NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 & - sleep 2 - grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1 - cd .. - [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1 - if [ $ret != 0 ]; then echo "I:failed"; fi - status=`expr $status + $ret` - - n=`expr $n + 1` - echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)" - ret=0 - cd ns2 - $NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 & - sleep 2 - grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1 - cd .. 
- [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1 - if [ $ret != 0 ]; then echo "I:failed"; fi - status=`expr $status + $ret` -fi +n=`expr $n + 1` +echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)" +ret=0 +cd ns2 +$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 & +sleep 2 +grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1 +# pidfile could be in either place depending on whether the directory +# successfully changed. +[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1 +[ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1 +cd .. +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 944b7bf0f4..0ecb342083 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -492,17 +492,6 @@ are not writable by the effective user ID. [RT #46077] - - - Initializing keys specified in a managed-keys - statement or by dnssec-validation auto; are - no longer treated as valid for any use other than validation of - RFC 5011 initialization queries. The effect of this is that - DNSSEC validation will fail if RFC 5011 key maintenance - cannot be initialized: initialization problems will not be - masked, but will be immediately visible. [RT #46077] - - Previously, update-policy local; accepted diff --git a/lib/dns/client.c b/lib/dns/client.c index 9a8d9b3819..1d8269912e 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -1546,7 +1546,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass, if (result != ISC_R_SUCCESS) goto cleanup; - result = dns_keytable_add2(secroots, ISC_FALSE, ISC_FALSE, &dstkey); + result = dns_keytable_add(secroots, ISC_FALSE, &dstkey); cleanup: if (dstkey != NULL) diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h index ff88c8c680..62c55a9788 100644 
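Review bot: Dropping the `if [ ! "$CYGWIN" ]` guard re-enables all four non-writable-directory checks on Cygwin, where a directory made read-only with chmod is generally still writable by the test user, so `access()` in named would not fail and these steps would report failure rather than prove anything; presumably that is why the guard existed. If the checks are meant to stay unconditional, give the Cygwin case an explicit skip, e.g. wrap the four steps in `if [ ! "$CYGWIN" ]; then ... fi` again or have each step log "I: skipped on Cygwin" and move on. Independently, the new `[ -s ../named.pid ] && kill -15 ...` lines kill whatever pid the parent directory's `named.pid` holds without checking it belongs to the instance this step started.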
--- a/lib/dns/include/dns/keytable.h +++ b/lib/dns/include/dns/keytable.h @@ -102,19 +102,10 @@ dns_keytable_detach(dns_keytable_t **keytablep); isc_result_t dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed, - dst_key_t **keyp) ISC_DEPRECATED; -isc_result_t -dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed, - isc_boolean_t initial, dst_key_t **keyp); + dst_key_t **keyp); /*%< * Add '*keyp' to 'keytable' (using the name in '*keyp'). - * The value of keynode->managed is set to 'managed', and the - * value of keynode->initial is set to 'initial'. ('initial' should - * be only used when adding managed-keys from configuration: this - * indicates a secure root which can be *only* used for validating - * RFC 5011 key refresh queries, but not for other DNSSEC validation. - * Once a key refresh query has validated, we update the keynode - * with inital == ISC_FALSE.) + * The value of keynode->managed is set to 'managed' * * Notes: * @@ -411,19 +402,6 @@ dns_keynode_managed(dns_keynode_t *keynode); * Is this flagged as a managed key? */ -isc_boolean_t -dns_keynode_initial(dns_keynode_t *keynode); -/*%< - * Is this flagged as an initializing key? - */ - -void -dns_keynode_trust(dns_keynode_t *keynode); -/*%< - * Sets keynode->initial to ISC_FALSE in order mark the key as - * trusted: no longer an initializing key. - */ - isc_result_t dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target); /*%< diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c index 9c5e53d867..86324cf18b 100644 --- a/lib/dns/keytable.c +++ b/lib/dns/keytable.c @@ -47,7 +47,6 @@ struct dns_keynode { isc_refcount_t refcount; dst_key_t * key; isc_boolean_t managed; - isc_boolean_t initial; struct dns_keynode * next; }; 
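Review bot: The rewritten comment line `* The value of keynode->managed is set to 'managed'` in the `dns_keytable_add` block is a sentence fragment with no terminating period, left over from cutting the longer sentence; make it `* The value of keynode->managed is set to 'managed'.` This hunk also removes `dns_keynode_initial` and `dns_keynode_trust` from the public header; the CHANGES placement of 4773 after the 9.12.0b1 marker suggests no release shipped them, but that is worth confirming before dropping exported symbols.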
@@ -166,7 +165,7 @@ dns_keytable_detach(dns_keytable_t **keytablep) { } static isc_result_t -insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial, +insert(dns_keytable_t *keytable, isc_boolean_t managed, const dns_name_t *keyname, dst_key_t **keyp) { isc_result_t result; @@ -181,7 +180,6 @@ insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial, return (result); knode->managed = managed; - knode->initial = initial; RWLOCK(&keytable->rwlock, isc_rwlocktype_write); @@ -235,21 +233,14 @@ insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial, isc_result_t dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed, dst_key_t **keyp) -{ - return (dns_keytable_add2(keytable, managed, ISC_FALSE, keyp)); -} - -isc_result_t -dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed, - isc_boolean_t initial, dst_key_t **keyp) { REQUIRE(keyp != NULL && *keyp != NULL); - return (insert(keytable, managed, initial, dst_key_name(*keyp), keyp)); + return (insert(keytable, managed, dst_key_name(*keyp), keyp)); } isc_result_t dns_keytable_marksecure(dns_keytable_t *keytable, const dns_name_t *name) { - return (insert(keytable, ISC_TRUE, ISC_FALSE, name, NULL)); + return (insert(keytable, ISC_TRUE, name, NULL)); } isc_result_t @@ -653,9 +644,8 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) { if (knode->key == NULL) continue; dst_key_format(knode->key, pbuf, sizeof(pbuf)); - snprintf(obuf, sizeof(obuf), "%s ; %s%s\n", pbuf, - knode->initial ? "initializing " : "", - knode->managed ? "managed" : "trusted"); + snprintf(obuf, sizeof(obuf), "%s ; %s\n", pbuf, + knode->managed ? "managed" : "trusted"); result = putstr(text, obuf); if (result != ISC_R_SUCCESS) break; 
@@ -733,26 +723,6 @@ dns_keynode_managed(dns_keynode_t *keynode) { return (keynode->managed); } -isc_boolean_t -dns_keynode_initial(dns_keynode_t *keynode) { - /* - * Is this an initailizing key? - */ - REQUIRE(VALID_KEYNODE(keynode)); - - return (keynode->initial); -} - -void -dns_keynode_trust(dns_keynode_t *keynode) { - /* - * This is no longer an initializing key. - */ - REQUIRE(VALID_KEYNODE(keynode)); - - keynode->initial = ISC_FALSE; -} - isc_result_t dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) { isc_result_t result; @@ -766,7 +736,6 @@ dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) { knode->magic = KEYNODE_MAGIC; knode->managed = ISC_FALSE; - knode->initial = ISC_FALSE; knode->key = NULL; knode->next = NULL; diff --git a/lib/dns/tests/keytable_test.c b/lib/dns/tests/keytable_test.c index 7f5c385082..52219b699c 100644 --- a/lib/dns/tests/keytable_test.c +++ b/lib/dns/tests/keytable_test.c @@ -126,7 +126,7 @@ create_tables() { /* Add a normal key */ create_key(257, 3, 5, "example.com", keystr1, &key); - ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key), + ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key), ISC_R_SUCCESS); /* Add a null key */ @@ -185,7 +185,7 @@ ATF_TC_BODY(add, tc) { * nextkeynode() should still return NOTFOUND. */ create_key(257, 3, 5, "example.com", keystr1, &key); - ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key), + ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key), ISC_R_SUCCESS); ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode, &next_keynode), ISC_R_NOTFOUND); 
@@ -193,7 +193,7 @@ ATF_TC_BODY(add, tc) { /* Add another key (different keydata) */ dns_keytable_detachkeynode(keytable, &keynode); create_key(257, 3, 5, "example.com", keystr2, &key); - ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key), + ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key), ISC_R_SUCCESS); ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"), &keynode), ISC_R_SUCCESS); @@ -209,7 +209,7 @@ ATF_TC_BODY(add, tc) { ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"), &null_keynode), ISC_R_SUCCESS); create_key(257, 3, 5, "null.example", keystr2, &key); - ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key), + ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key), ISC_R_SUCCESS); ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"), &keynode), ISC_R_SUCCESS); @@ -523,7 +523,7 @@ ATF_TC_BODY(nta, tc) { ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); create_key(257, 3, 5, "example", keystr1, &key); - result = dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key); + result = dns_keytable_add(keytable, ISC_FALSE, &key); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); isc_stdtime_get(&now); diff --git a/lib/dns/validator.c b/lib/dns/validator.c index d0138b800d..db9d4baf0d 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1629,7 +1629,6 @@ validate(dns_validator_t *val, isc_boolean_t resume) { if (vresult == ISC_R_SUCCESS) break; if (val->keynode != NULL) { - dst_key_t *key = NULL; dns_keynode_t *nextnode = NULL; result = dns_keytable_findnextkeynode( val->keytable, @@ -1642,13 +1641,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) { val->key = NULL; break; } - key = dns_keynode_key(val->keynode); - if (key == NULL) + val->key = dns_keynode_key(val->keynode); + if (val->key == NULL) break; - if (dns_keynode_initial(val->keynode)) { - continue; - } - val->key = key; } else { if (get_dst_key(val, val->siginfo, val->keyset) != ISC_R_SUCCESS) 
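Review bot: With the `dns_keynode_initial()` skip removed from the key-iteration loop in `validate`, a key that came from a managed-keys statement is used to validate ordinary answers as soon as it is loaded, before any RFC 5011 refresh query has confirmed it. That is precisely the masking the deleted CHANGES entry 4773 warned about: a broken managed-keys setup (unwritable managed-keys-directory, failing refresh queries) no longer makes validation fail, and with the two error logs removed from zone.c in this same commit it no longer produces an error either. If the restriction is being backed out for a reason, that reason belongs in a replacement CHANGES entry and release note; otherwise the `if (dns_keynode_initial(val->keynode)) continue;` skip should stay. `validate` starts and ends outside the hunk.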
@@ -1665,10 +1660,10 @@ validate(dns_validator_t *val, isc_boolean_t resume) { val->view->acceptexpired); } - if (val->keynode != NULL) { + if (val->keynode != NULL) dns_keytable_detachkeynode(val->keytable, &val->keynode); - } else { + else { if (val->key != NULL) dst_key_free(&val->key); if (val->keyset != NULL) { @@ -2028,15 +2023,13 @@ validatezonekey(dns_validator_t *val) { &keynode); break; } - if (! dns_keynode_initial(keynode)) { - result = verify(val, dstkey, - &sigrdata, sig.keyid); - if (result == ISC_R_SUCCESS) { - dns_keytable_detachkeynode( + result = verify(val, dstkey, &sigrdata, + sig.keyid); + if (result == ISC_R_SUCCESS) { + dns_keytable_detachkeynode( val->keytable, &keynode); - break; - } + break; } result = dns_keytable_findnextkeynode( val->keytable, diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 80d9481fed..4966de4cc3 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3934,8 +3934,7 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, */ static void trust_key(dns_zone_t *zone, dns_name_t *keyname, - dns_rdata_dnskey_t *dnskey, isc_boolean_t initial, - isc_mem_t *mctx) + dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; @@ -3954,7 +3953,7 @@ trust_key(dns_zone_t *zone, dns_name_t *keyname, goto failure; CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey)); - CHECK(dns_keytable_add2(sr, ISC_TRUE, initial, &dstkey)); + CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey)); dns_keytable_detach(&sr); failure: @@ -4040,8 +4039,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { /* Add to keytables. */ trusted++; - trust_key(zone, name, &dnskey, - ISC_TF(keydata.addhd == 0), mctx); + trust_key(zone, name, &dnskey, mctx); } if (trusted == 0 && pending != 0) { 
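Review bot: In `validate` the hunk leaves `if (val->keynode != NULL) dns_keytable_detachkeynode(val->keytable, &val->keynode); else { ... }` with one arm braced and the other not, which is the shape that invites a misplaced statement on a later edit; keep the braces on both arms. The same unbraced single-statement `if` is reintroduced in the dotat, zone_postload and keyfetch_done hunks of this commit. `validate` starts and ends outside the hunk.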
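Review bot: In `validatezonekey` the unchanged continuation line `val->keytable, &keynode);` now belongs to a `dns_keytable_detachkeynode(` call one nesting level shallower than before, so it is likely over-indented relative to the new `+` lines around it; the exact whitespace is not visible in this view, so please check and re-indent it with the call. `validatezonekey` starts and ends outside the hunk.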
@@ -4776,9 +4774,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, case dns_zone_key: result = sync_keyzone(zone, db); - if (result != ISC_R_SUCCESS) { + if (result != ISC_R_SUCCESS) goto cleanup; - } break; default: @@ -4928,17 +4925,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, return (result); cleanup: - if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "failed to initialize managed-keys (%s): " - "DNSSEC validation WILL FAIL", - isc_result_totext(result)); - } - for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL; - inc = ISC_LIST_HEAD(zone->newincludes)) - { + inc = ISC_LIST_HEAD(zone->newincludes)) { ISC_LIST_UNLINK(zone->newincludes, inc, link); isc_mem_free(zone->mctx, inc->name); isc_mem_put(zone->mctx, inc, sizeof(*inc)); @@ -9099,7 +9088,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dst_key_t *dstkey; isc_stdtime_t now; int pending = 0; - isc_boolean_t secure = ISC_FALSE, initial = ISC_FALSE; + isc_boolean_t secure = ISC_FALSE; isc_boolean_t free_needed; UNUSED(task); @@ -9176,8 +9165,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { */ for (result = dns_rdataset_first(&kfetch->dnskeysigset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(&kfetch->dnskeysigset)) - { + result = dns_rdataset_next(&kfetch->dnskeysigset)) { dns_keynode_t *keynode = NULL; dns_rdata_reset(&sigrr); @@ -9196,8 +9184,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { break; if (dst_key_alg(dstkey) == sig.algorithm && - dst_key_id(dstkey) == sig.keyid) - { + dst_key_id(dstkey) == sig.keyid) { result = dns_dnssec_verify2(keyname, &kfetch->dnskeyset, dstkey, ISC_FALSE, @@ -9215,9 +9202,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_trust_secure; kfetch->dnskeysigset.trust = dns_trust_secure; - secure = ISC_TRUE; - initial = dns_keynode_initial(keynode); - dns_keynode_trust(keynode); break; } } 
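Review bot: `zone_postload` now reaches `cleanup` on a `sync_keyzone` failure without logging anything at this level, so an operator whose managed-keys zone could not be initialized gets no indication unless the caller reports the result code. Since this commit also lets validation continue with the configured key, that failure becomes both silent and masked; keep at least `if (zone->type == dns_zone_key && result != ISC_R_SUCCESS)` followed by `dns_zone_log(zone, ISC_LOG_ERROR, "failed to initialize managed-keys (%s)", isc_result_totext(result));`, minus the "validation WILL FAIL" wording if that is no longer true. `zone_postload` starts and ends outside the hunk.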
@@ -9228,11 +9212,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { keynode = nextnode; } - if (keynode != NULL) { + if (keynode != NULL) dns_keytable_detachkeynode(secroots, &keynode); - } - if (secure) { + if (kfetch->dnskeyset.trust == dns_trust_secure) { + secure = ISC_TRUE; break; } } @@ -9241,6 +9225,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * If we were not able to verify the answer using the current * trusted keys then all we can do is look at any revoked keys. */ + if (!secure) { dns_zone_log(zone, ISC_LOG_DEBUG(3), "DNSKEY set for zone '%s' could not be verified " @@ -9480,13 +9465,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { trustkey = ISC_TRUE; dns_zone_log(zone, ISC_LOG_INFO, "Key %d for zone %s " - "%s: key now trusted", - keytag, namebuf, - initial - ? "initializing key " - "verified" - : "acceptance timer " - "complete"); + "acceptance timer " + "complete: " + "key now trusted", + keytag, namebuf); } } else if (keydata.addhd > now) { /* @@ -9585,7 +9567,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { /* Trust this key. */ result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - trust_key(zone, keyname, &dnskey, ISC_FALSE, mctx); + trust_key(zone, keyname, &dnskey, mctx); } if (secure && !deletekey) { @@ -9607,6 +9589,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { fail_secure(zone, keyname); done: + if (!ISC_LIST_EMPTY(diff.tuples)) { /* Write changes to journal file. */ CHECK(update_soa_serial(kfetch->db, ver, &diff, mctx, @@ -9619,12 +9602,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } failure: - if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "error during managed-keys processing (%s): " - "DNSSEC validation may be at risk", - isc_result_totext(result)); - } + dns_diff_clear(&diff); if (ver != NULL) dns_db_closeversion(kfetch->db, &ver, commit); 
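Review bot: The `failure:` path in `keyfetch_done` now discards `result` silently: a CHECK failure in `update_soa_serial` or the journal write falls through to `dns_diff_clear` with no log line, so a managed-keys zone that cannot be written (the case the deleted ns4 test exercised) leaves no trace. Keep a log there, e.g. `if (result != ISC_R_SUCCESS) dns_zone_log(zone, ISC_LOG_ERROR, "error during managed-keys processing (%s)", isc_result_totext(result));`. The two `+` lines that only add a blank line before `if (!secure)` and after `done:` are whitespace noise and could be left out of the revert. `keyfetch_done` starts and ends outside the hunk.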
@@ -9734,7 +9712,7 @@ zone_refreshkeys(dns_zone_t *zone) { } /* Acceptance timer expired? */ - if (kd.addhd < now) + if (kd.addhd != 0 && kd.addhd < now) timer = kd.addhd; /* Or do we just need to refresh the keyset? */