
dnssec: do not publish CDS records when -Psync is in the future

This is a bug I encountered when trying to schedule an algorithm
rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
with the new algorithm and schedule a change of CDS records for more
than 48 hours in the future, roughly like this:

    $ dnssec-keygen -a 13 -fk -Psync now+50h $zone
    $ dnssec-keygen -a 13 $zone
    $ dnssec-settime -Dsync now+50h $zone_ksk_old

However the algorithm 13 CDS was published immediately, which could
have made the zone bogus.

To reveal the bug using the `smartsign` test, this change just adds a
KSK with all its times in the future, so it should not affect the
existing checks at all. But the final check (that there are no CDS or
CDNSKEY records after -Dsync) fails with the old `syncpublish()`
logic, because the future key's sync records appear early. With the
new `syncpublish()` logic the future key does not affect the test, as
expected, and it now passes.
Tony Finch 2020-01-14 19:23:31 +00:00 committed by Mark Andrews
parent ccf7bbab5d
commit 4227b7969b
2 changed files with 11 additions and 8 deletions


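--- a/PATH_NOT_ON_PAGE_smartsign_test_script
+++ b/PATH_NOT_ON_PAGE_smartsign_test_script
@@ -55,6 +55,9 @@ cksk4=`$REVOKE $cksk3`
 echo_i "setting up sync key"
 cksk5=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now $czone`
+echo_i "and future sync key"
+cksk6=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now+1mo $czone`
 echo_i "generating parent keys"
 pzsk=`$KEYGEN -q -a rsasha1 $pzone`
 pksk=`$KEYGEN -q -a rsasha1 -fk $pzone`
@@ -348,6 +351,7 @@ awk 'BEGIN { r=1 } $2 == "CDS" { r=0 } END { exit r }' $cfile.signed || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+# this also checks that the future sync record is not yet published
 echo_i "checking sync record deletion"
 ret=0
 $SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null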
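Review bot: The comment added before `echo_i "checking sync record deletion"` says the future key is covered, but the only assertion that would catch an early CDS for `cksk6` is the later check that no CDS/CDNSKEY survives `-Dsync` on `cksk5`; the `awk` check at the top of this hunk only asserts that some CDS exists, so it would still pass if `cksk6`'s records were published too early. An explicit count at that point, e.g. `test "$(awk '$2 == "CDS"' $cfile.signed | wc -l)" -eq 1 || ret=1` (constructed example), would tie a regression to the hunk that publishes the records rather than to the deletion check. The checks between the two hunks are outside this view, so a count assertion may already exist there.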


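--- a/PATH_NOT_ON_PAGE_syncpublish_source
+++ b/PATH_NOT_ON_PAGE_syncpublish_source
@@ -648,6 +648,7 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 isc_stdtime_t when;
 dst_key_state_t state;
 int major, minor;
+bool publish;
 /*
 * Is this an old-style key?
@@ -670,18 +671,16 @@ syncpublish(dst_key_t *key, isc_stdtime_t now) {
 }
 /* If no kasp state, check timings. */
+publish = false;
 result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
-if (result != ISC_R_SUCCESS) {
-return (false);
+if (result == ISC_R_SUCCESS && when < now) {
+publish = true;
 }
 result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
-if (result != ISC_R_SUCCESS) {
-return (true);
+if (result == ISC_R_SUCCESS && when < now) {
+publish = false;
 }
-if (when <= now) {
-return (false);
-}
-return (true);
+return (publish);
 }
 /*%<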
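Review bot: The rewritten SYNCDELETE check moves the boundary from the old `if (when <= now)` to `when < now`, so at the exact instant `when == now` the CDS/CDNSKEY records are still published where the previous code had already withdrawn them, and the new SYNCPUBLISH check likewise leaves them unpublished at the scheduled second itself. If that is intentional it deserves a comment; otherwise `if (result == ISC_R_SUCCESS && when <= now)` on both checks keeps the delete boundary as before and makes publication start at the scheduled time, but I cannot tell from this hunk which convention the other timing checks in this file use, so confirm against them. A short comment above `publish = false;`, such as `/* Publish CDS/CDNSKEY only once SYNCPUBLISH has passed and SYNCDELETE has not. */`, would document the intended window either way. syncpublish() begins before this hunk; the earlier hunk only adds the `bool publish;` declaration.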