From 4d1bbe308d29b0052218c69aceff8f101b4fc0b6 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 13 Dec 2017 12:40:36 +1100
Subject: [PATCH] 4847. [bug] dnssec-dnskey-kskonly was not being honoured for CDS and CDNSKEY. [RT #46755]

---
 CHANGES | 3 ++
 bin/tests/system/dnssec/clean.sh | 12 +++---
 .../dnssec/ns2/cdnskey-kskonly.secure.db.in | 9 ++++
 .../dnssec/ns2/cds-kskonly.secure.db.in | 9 ++++
 bin/tests/system/dnssec/ns2/named.conf | 14 ++++++
 bin/tests/system/dnssec/ns2/sign.sh | 16 +++++++
 bin/tests/system/dnssec/tests.sh | 43 +++++++++++++++++++
 lib/dns/update.c | 19 ++++----
 lib/dns/zone.c | 11 +++--
 9 files changed, 119 insertions(+), 17 deletions(-)
 create mode 100644 bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in
 create mode 100644 bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in

diff --git a/CHANGES b/CHANGES
index 57f1bcfab6..703b411e3b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4847. [bug] dnssec-dnskey-kskonly was not being honoured for
+ CDS and CDNSKEY. [RT #46755]
+
 4846. [test] Adjust timing values in runtime system test. Address named.pid removal races in runtime system test. [RT #46800]
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index d4549dc266..5abf6250b3 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -28,10 +28,12 @@ rm -f ns1/managed.key.id
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns2/algroll.db
 rm -f ns2/badparam.db ns2/badparam.db.bad
+rm -f ns2/cdnskey-kskonly.secure.db
 rm -f ns2/cdnskey-update.secure.db
-rm -f ns2/cdnskey.secure.db
 rm -f ns2/cdnskey-x.secure.db
+rm -f ns2/cdnskey.secure.db
 rm -f ns2/cds-auto.secure.db ns2/cds-auto.secure.db.jnl
+rm -f ns2/cds-kskonly.secure.db
 rm -f ns2/cds-update.secure.db ns2/cds-update.secure.db.jnl
 rm -f ns2/cds.secure.db ns2/cds-x.secure.db
 rm -f ns2/dlv.db
@@ -52,6 +54,7 @@ rm -f ns3/future.example.db ns3/trusted-future.key
 rm -f ns3/inline.example.db.signed
 rm -f ns3/kskonly.example.db
 rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
+rm -f ns3/managed-future.example.db
 rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
 rm -f ns3/nsec3.nsec3.example.db
 rm -f ns3/nsec3.optout.example.db
@@ -59,6 +62,7 @@ rm -f ns3/optout-unknown.example.db ns3/optout.example.db
 rm -f ns3/optout.nsec3.example.db
 rm -f ns3/optout.optout.example.db
 rm -f ns3/publish-inactive.example.db
+rm -f ns3/revkey.example.db
 rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
 rm -f ns3/secure.below-cname.example.db
 rm -f ns3/secure.nsec3.example.db
@@ -70,8 +74,6 @@ rm -f ns3/split-smart.example.db
 rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
 rm -f ns3/ttlpatch.example.db.patched
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
-rm -f ns3/revkey.example.db
-rm -f ns3/managed-future.example.db
 rm -f ns4/managed-keys.bind*
 rm -f ns4/named.conf
 rm -f ns4/named.conf ns5/named.conf
@@ -82,10 +84,10 @@ rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
 rm -f nsupdate.out*
 rm -f rndc.out.*
 rm -f signer/*.db
+rm -f signer/*.signed.post*
+rm -f signer/*.signed.pre*
 rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
 rm -f signer/nsec3param.out
 rm -f signer/signer.out.*
 rm -f signing.out*
-rm -f signer/*.signed.pre*
-rm -f signer/*.signed.post*
diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in
new file mode 100644
index 0000000000..9a70a37ff2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in
@@ -0,0 +1,9 @@
+; Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 3600
+@ SOA ns2.example. . 1 3600 1200 86400 1200
+@ NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in
new file mode 100644
index 0000000000..9a70a37ff2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in
@@ -0,0 +1,9 @@
+; Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 3600
+@ SOA ns2.example. . 1 3600 1200 86400 1200
+@ NS ns2.example.
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index b76f7f3777..3a22345d88 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -113,6 +113,13 @@ zone "cds-update.secure" {
 allow-update { any; };
 };
 
+zone "cds-kskonly.secure" {
+ type master;
+ dnssec-dnskey-kskonly yes;
+ file "cds-kskonly.secure.db.signed";
+ allow-update { any; };
+};
+
 zone "cds-auto.secure" {
 type master;
 file "cds-auto.secure.db.signed";
@@ -136,6 +143,13 @@ zone "cdnskey-update.secure" {
 allow-update { any; };
 };
 
+zone "cdnskey-kskonly.secure" {
+ type master;
+ dnssec-dnskey-kskonly yes;
+ file "cdnskey-kskonly.secure.db.signed";
+ allow-update { any; };
+};
+
 zone "cdnskey-auto.secure" {
 type master;
 file "cdnskey-auto.secure.db.signed";
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index fb4744d3e4..2f26bd0970 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -212,6 +212,14 @@ key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
+zone=cds-kskonly.secure
+infile=cds-kskonly.secure.db.in
+zonefile=cds-kskonly.secure.db
+key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+cat $infile $key1.key $key2.key > $zonefile
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+
 zone=cds-auto.secure
 infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
@@ -247,6 +255,14 @@ key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
+zone=cdnskey-kskonly.secure
+infile=cdnskey-kskonly.secure.db.in
+zonefile=cdnskey-kskonly.secure.db
+key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+cat $infile $key1.key $key2.key > $zonefile
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+
 zone=cdnskey-auto.secure
 infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 42defc579f..c76045a278 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3080,6 +3080,29 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check that CDS records are signed only using KSK when added by"
+echo "I: nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+(
+echo zone cds-kskonly.secure
+echo server 10.53.0.2 5300
+echo update delete cds-kskonly.secure CDS
+echo send
+$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
+grep "DNSKEY.257" |
+$DSFROMKEY -C -f - -T 1 cds-kskonly.secure |
+sed "s/^/update add /"
+echo send
+) | $NSUPDATE
+$DIG $DIGOPTS +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
+lines=`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 1 || ret=1
+lines=`awk '$4 == "CDS" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 2 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate ($n)"
 ret=0
 $DIG $DIGOPTS +noauth +noadd +nodnssec +adflag -p 5300 @10.53.0.3 optout-unknown.example SOA > dig.out.ns3.test$n
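Review bot: The KSK-only assertion `lines=\`awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l\`` followed by `test ${lines:-0} -eq 1` only proves that exactly one RRSIG covers the CDS RRset; the zone is signed with one KSK and one ZSK, so the count would also be 1 if the ZSK alone had signed, and the test cannot tell the fixed behaviour from an inverted key choice. Since the answer is already parsed field by field, the signer can be pinned by comparing the RRSIG's key-tag field with the key tag carried in the CDS records the test itself generated from the `DNSKEY.257` key, e.g. `ksktag=$(awk '$4 == "CDS" {print $5; exit}' dig.out.test$n)` and then `awk -v t="$ksktag" '$4 == "RRSIG" && $5 == "CDS" && $11 != t {exit 1}' dig.out.test$n || ret=1` (field positions assume the one-RR-per-line output the existing awk checks already rely on). The same weakness applies to the CDNSKEY check in the next hunk of this file, where a CDNSKEY's key tag is not printed and would instead have to be taken from the `DNSKEY.257` line via $DSFROMKEY.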
@@ -3225,6 +3248,26 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check that CDNSKEY records are signed only using KSK when added by"
+echo "I: nsupdate when dnssec-dnskey-kskonly is yes ($n)"
+ret=0
+(
+echo zone cdnskey-kskonly.secure
+echo server 10.53.0.2 5300
+echo update delete cdnskey-kskonly.secure CDNSKEY
+$DIG $DIGOPTS +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure |
+sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p'
+echo send
+) | $NSUPDATE
+$DIG $DIGOPTS +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
+lines=`awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 1 || ret=1
+lines=`awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l`
+test ${lines:-0} -eq 1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking initialization with a revoked managed key ($n)"
 ret=0
 cp ns5/named2.conf ns5/named.conf
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 6cbb4a38de..076b2c1185 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1137,20 +1137,21 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 }
 if (both) {
-if (type == dns_rdatatype_dnskey) {
+/*
+* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+*/
+if (type == dns_rdatatype_dnskey ||
+type == dns_rdatatype_cdnskey ||
+type == dns_rdatatype_cds)
+{
 if (!KSK(keys[i]) && keyset_kskonly)
 continue;
 } else if (KSK(keys[i])) {
-/*
-* CDS and CDNSKEY are signed with KSK
-* (RFC 7344, 4.1).
-*/
-if (type != dns_rdatatype_cds &&
-type != dns_rdatatype_cdnskey)
-continue;
+continue;
 }
-} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
 continue;
+}
 
 /* Calculate the signature, creating a RRSIG RDATA. */
 CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
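Review bot: The comment moved above the widened type test, `CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1)`, now heads a condition that also covers DNSKEY and whose effect is narrower than it states: as the inner `if (!KSK(keys[i]) && keyset_kskonly)` shows, a ZSK still signs all three types unless dnssec-dnskey-kskonly is set, and only the KSK-is-excluded rule in the `else if (KSK(keys[i]))` branch is unconditional. Suggest `/* DNSKEY, CDS and CDNSKEY (RFC 7344, 4.1) are signed by the KSK; the ZSK also signs them unless dnssec-dnskey-kskonly is set. */` here and in the matching lib/dns/zone.c hunk, which adds the same comment over the same logic. That duplication is the larger point: the key-selection block is now the same in both add_sigs() implementations, and this bug existed precisely because zone.c already tested for cds/cdnskey while update.c did not, so moving the decision into one shared predicate (type, key, keyset_kskonly) next to dns_dnssec_sign() would stop the two copies drifting apart again. Minor style: update.c puts the opening brace of the multi-line condition on its own line while zone.c keeps `) {` on the condition line. add_sigs() begins and ends outside this hunk.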
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 221308cda1..5bf23ad391 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6438,16 +6438,21 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 }
 if (both) {
+/*
+* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+*/
 if (type == dns_rdatatype_dnskey ||
 type == dns_rdatatype_cdnskey ||
 type == dns_rdatatype_cds) {
 if (!KSK(keys[i]) && keyset_kskonly)
 continue;
-} else if (KSK(keys[i]))
-continue;
-} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+} else if (KSK(keys[i])) {
 continue;
+}
+} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+continue;
+}
 
 /* Calculate the signature, creating a RRSIG RDATA. */
 isc_buffer_clear(&buffer);