mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Update inline-signing checkconf code

Browse Source 
When using automated DNSSEC management, it is required that the zone
is dynamic, or that inline-signing is enabled (or both). Update the
checkconf code to also allow inline-signing to be enabled within
dnssec-policy.
This commit is contained in:
Matthijs Mekking 2022-12-09 12:22:49 +01:00
parent bbfdcc36c8
commit 495597a91b
7 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
bin/tests/system/checkconf/bad-kasp-inline-signing.conf Normal file
View File

@ -0,0 +1,25 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* inline-signing is a boolean value.
*/
dnssec-policy "inline" {
inline-signing never-ever;
};
zone "." {
type primary;
file "root.db";
dnssec-policy "inline";
};

6
bin/tests/system/checkconf/bad-noddns.conf
View File

@ -11,9 +11,13 @@
* information regarding copyright ownership. * information regarding copyright ownership.
*/ */
dnssec-policy "test" {
inline-signing no;
};
zone example { zone example {
type primary; type primary;
file "example.db"; file "example.db";
dnssec-policy default; dnssec-policy test;
allow-update { none; }; allow-update { none; };
}; };

2
bin/tests/system/checkconf/good-kasp.conf
View File

@ -21,8 +21,8 @@ dnssec-policy "test" {
cds-digest-types { cds-digest-types {
"sha-256"; "sha-256";
}; };
inline-signing yes;
dnskey-ttl 3600; dnskey-ttl 3600;
inline-signing yes;
keys { keys {
ksk key-directory lifetime P1Y algorithm ecdsa256; ksk key-directory lifetime P1Y algorithm ecdsa256;
zsk lifetime P30D algorithm 13; zsk lifetime P30D algorithm 13;

1
bin/tests/system/kasp/ns6/named.conf.in
View File

@ -73,6 +73,7 @@ zone "step1.going-straight-to-none.kasp" {
zone "step1.going-straight-to-none-dynamic.kasp" { zone "step1.going-straight-to-none-dynamic.kasp" {
type primary; type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed"; file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
dnssec-policy "default"; dnssec-policy "default";
allow-update { any; }; allow-update { any; };
}; };

1
bin/tests/system/kasp/ns6/named2.conf.in
View File

@ -87,6 +87,7 @@ zone "step1.going-straight-to-none.kasp" {
zone "step1.going-straight-to-none-dynamic.kasp" { zone "step1.going-straight-to-none-dynamic.kasp" {
type primary; type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed"; file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
dnssec-policy "none"; dnssec-policy "none";
allow-update { any; }; allow-update { any; };
}; };

1
bin/tests/system/zonechecks/ns1/named.conf.in
View File

@ -36,6 +36,7 @@ controls {
}; };
dnssec-policy "zonechecks" { dnssec-policy "zonechecks" {
inline-signing no;
keys { keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;

23
lib/isccfg/check.c
View File

@ -2793,6 +2793,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
bool dlz; bool dlz;
bool ddns = false; bool ddns = false;
bool has_dnssecpolicy = false; bool has_dnssecpolicy = false;
bool kasp_inlinesigning = false;
const void *clauses = NULL; const void *clauses = NULL;
const char *option = NULL; const char *option = NULL;
const char *kaspname = NULL; const char *kaspname = NULL;
@ -3038,10 +3039,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
kaspname = cfg_obj_asstring(obj); kaspname = cfg_obj_asstring(obj);
if (strcmp(kaspname, "default") == 0) { if (strcmp(kaspname, "default") == 0) {
has_dnssecpolicy = true; has_dnssecpolicy = true;
kasp_inlinesigning = true;
} else if (strcmp(kaspname, "insecure") == 0) { } else if (strcmp(kaspname, "insecure") == 0) {
has_dnssecpolicy = true; has_dnssecpolicy = true;
kasp_inlinesigning = true;
} else if (strcmp(kaspname, "none") == 0) { } else if (strcmp(kaspname, "none") == 0) {
has_dnssecpolicy = false; has_dnssecpolicy = false;
kasp_inlinesigning = false;
} else { } else {
(void)cfg_map_get(config, "dnssec-policy", &kasps); (void)cfg_map_get(config, "dnssec-policy", &kasps);
for (element = cfg_list_first(kasps); element != NULL; for (element = cfg_list_first(kasps); element != NULL;
@ -3052,7 +3056,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (strcmp(kaspname, cfg_obj_asstring(kobj)) == if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
0) 0)
{ {
const cfg_obj_t *inlinesigning = NULL;
const cfg_obj_t *kopt = cfg_tuple_get(
cfg_listelt_value(element),
"options");
if (cfg_map_get(kopt, "inline-signing",
&inlinesigning) ==
ISC_R_SUCCESS)
{
kasp_inlinesigning =
cfg_obj_asboolean(
inlinesigning);
} else {
/* By default true */
kasp_inlinesigning = true;
}
has_dnssecpolicy = true; has_dnssecpolicy = true;
break;
} }
} }
@ -3369,6 +3390,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj); res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) { if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj); signing = cfg_obj_asboolean(obj);
} else if (has_dnssecpolicy) {
signing = kasp_inlinesigning;
} }
if (has_dnssecpolicy) { if (has_dnssecpolicy) {