2495. [bug] Tighten RRSIG checks. [RT #18795]
2
CHANGES
2
CHANGES
@@ -1,3 +1,5 @@
|
|||||||
|
2495. [bug] Tighten RRSIG checks. [RT #18795]
|
||||||
|
|
||||||
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
|
2494. [bug] isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
|
||||||
installed. [RT #18826]
|
installed. [RT #18826]
|
||||||
|
|
||||||
|
@@ -29,7 +29,7 @@
|
|||||||
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: dnssec-signzone.c,v 1.208 2008/09/26 01:27:08 marka Exp $ */
|
/* $Id: dnssec-signzone.c,v 1.209 2008/11/14 22:53:46 marka Exp $ */
|
||||||
|
|
||||||
/*! \file */
|
/*! \file */
|
||||||
|
|
||||||
@@ -2784,6 +2784,9 @@ main(int argc, char *argv[]) {
|
|||||||
fatal("cannot load dnskey %s: %s", argv[i],
|
fatal("cannot load dnskey %s: %s", argv[i],
|
||||||
isc_result_totext(result));
|
isc_result_totext(result));
|
||||||
|
|
||||||
|
if (!dns_name_equal(gorigin, dst_key_name(newkey)))
|
||||||
|
fatal("key %s not at origin\n", argv[i]);
|
||||||
|
|
||||||
key = ISC_LIST_HEAD(keylist);
|
key = ISC_LIST_HEAD(keylist);
|
||||||
while (key != NULL) {
|
while (key != NULL) {
|
||||||
dst_key_t *dkey = key->key;
|
dst_key_t *dkey = key->key;
|
||||||
@@ -2821,6 +2824,9 @@ main(int argc, char *argv[]) {
|
|||||||
fatal("cannot load dnskey %s: %s", dskeyfile[i],
|
fatal("cannot load dnskey %s: %s", dskeyfile[i],
|
||||||
isc_result_totext(result));
|
isc_result_totext(result));
|
||||||
|
|
||||||
|
if (!dns_name_equal(gorigin, dst_key_name(newkey)))
|
||||||
|
fatal("key %s not at origin\n", dskeyfile[i]);
|
||||||
|
|
||||||
key = ISC_LIST_HEAD(keylist);
|
key = ISC_LIST_HEAD(keylist);
|
||||||
while (key != NULL) {
|
while (key != NULL) {
|
||||||
dst_key_t *dkey = key->key;
|
dst_key_t *dkey = key->key;
|
||||||
|
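Review bot: The new `fatal("key %s not at origin\n", argv[i])` call carries a trailing `\n` that the neighbouring `fatal("cannot load dnskey %s: %s", ...)` call in the same hunk does not, so the two messages will presumably render differently if fatal() appends its own newline (its definition is outside the hunk). Dropping it keeps the error output consistent: `fatal("key %s not at origin", argv[i]);`. The same applies to the second hunk at line 2824, which uses `dskeyfile[i]`. Both hunks lie inside main(), whose body starts and ends outside them.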
@@ -16,7 +16,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* $Id: dnssec.c,v 1.91 2007/09/14 04:32:50 marka Exp $
|
* $Id: dnssec.c,v 1.92 2008/11/14 22:53:46 marka Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*! \file */
|
/*! \file */
|
||||||
@@ -366,6 +366,9 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
|||||||
if (ret != ISC_R_SUCCESS)
|
if (ret != ISC_R_SUCCESS)
|
||||||
return (ret);
|
return (ret);
|
||||||
|
|
||||||
|
if (set->type != sig.covered)
|
||||||
|
return (DNS_R_SIGINVALID);
|
||||||
|
|
||||||
if (isc_serial_lt(sig.timeexpire, sig.timesigned))
|
if (isc_serial_lt(sig.timeexpire, sig.timesigned))
|
||||||
return (DNS_R_SIGINVALID);
|
return (DNS_R_SIGINVALID);
|
||||||
|
|
||||||
@@ -381,6 +384,27 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
|||||||
return (DNS_R_SIGEXPIRED);
|
return (DNS_R_SIGEXPIRED);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* NS, SOA and DNSSKEY records are signed by their owner.
|
||||||
|
* DS records are signed by the parent.
|
||||||
|
*/
|
||||||
|
switch (set->type) {
|
||||||
|
case dns_rdatatype_ns:
|
||||||
|
case dns_rdatatype_soa:
|
||||||
|
case dns_rdatatype_dnskey:
|
||||||
|
if (!dns_name_equal(name, &sig.signer))
|
||||||
|
return (DNS_R_SIGINVALID);
|
||||||
|
break;
|
||||||
|
case dns_rdatatype_ds:
|
||||||
|
if (dns_name_equal(name, &sig.signer))
|
||||||
|
return (DNS_R_SIGINVALID);
|
||||||
|
/* FALLTHROUGH */
|
||||||
|
default:
|
||||||
|
if (!dns_name_issubdomain(name, &sig.signer))
|
||||||
|
return (DNS_R_SIGINVALID);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Is the key allowed to sign data?
|
* Is the key allowed to sign data?
|
||||||
*/
|
*/
|
||||||
@@ -541,6 +565,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
|
|||||||
if (!is_zone_key(pubkey) ||
|
if (!is_zone_key(pubkey) ||
|
||||||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
|
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
|
||||||
goto next;
|
goto next;
|
||||||
|
/* Corrupted .key file? */
|
||||||
|
if (!dns_name_equal(name, dst_key_name(pubkey)))
|
||||||
|
goto next;
|
||||||
keys[count] = NULL;
|
keys[count] = NULL;
|
||||||
result = dst_key_fromfile(dst_key_name(pubkey),
|
result = dst_key_fromfile(dst_key_name(pubkey),
|
||||||
dst_key_id(pubkey),
|
dst_key_id(pubkey),
|
||||||
|
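Review bot: The comment introduced above the new `switch (set->type)` in dns_dnssec_verify2 spells the record type `DNSSKEY`; it should read `* NS, SOA and DNSKEY records are signed by their owner.` so it matches the `dns_rdatatype_dnskey` case beneath it. It would also help a reader if the comment stated what the `default` arm enforces, e.g. `* Everything else must be signed by its owner or an ancestor.`, because `dns_name_issubdomain(name, &sig.signer)` appears to accept the owner itself as signer, which is why the `dns_rdatatype_ds` arm rejects equality before falling through. dns_dnssec_verify2 starts and ends outside the hunk.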
@@ -31,7 +31,7 @@
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Principal Author: Brian Wellington
|
* Principal Author: Brian Wellington
|
||||||
* $Id: dst_api.c,v 1.15 2008/09/24 02:46:22 marka Exp $
|
* $Id: dst_api.c,v 1.16 2008/11/14 22:53:46 marka Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*! \file */
|
/*! \file */
|
||||||
@@ -997,6 +997,13 @@ dst_key_read_public(const char *filename, int type,
|
|||||||
NEXTTOKEN(lex, opt, &token);
|
NEXTTOKEN(lex, opt, &token);
|
||||||
if (token.type != isc_tokentype_string)
|
if (token.type != isc_tokentype_string)
|
||||||
BADTOKEN();
|
BADTOKEN();
|
||||||
|
|
||||||
|
/*
|
||||||
|
* We don't support "@" in .key files.
|
||||||
|
*/
|
||||||
|
if (!strcmp(DST_AS_STR(token), "@"))
|
||||||
|
BADTOKEN();
|
||||||
|
|
||||||
dns_fixedname_init(&name);
|
dns_fixedname_init(&name);
|
||||||
isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
|
isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
|
||||||
isc_buffer_add(&b, strlen(DST_AS_STR(token)));
|
isc_buffer_add(&b, strlen(DST_AS_STR(token)));
|
||||||
|
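Review bot: The new `if (!strcmp(DST_AS_STR(token), "@"))` in dst_key_read_public reads as a negated comparison; spelling it `if (strcmp(DST_AS_STR(token), "@") == 0)` makes the intent (reject the token when it equals "@") explicit and follows the usual C idiom. The comment `We don't support "@" in .key files.` says what is rejected but not why; presumably there is no origin to resolve "@" against at this point, so a line such as `* (there is no origin to resolve it against)` would save the next maintainer a lookup, if that is indeed the reason. dst_key_read_public begins and ends outside the hunk.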
@@ -15,7 +15,7 @@
|
|||||||
* PERFORMANCE OF THIS SOFTWARE.
|
* PERFORMANCE OF THIS SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: validator.c,v 1.162 2008/09/24 02:46:22 marka Exp $ */
|
/* $Id: validator.c,v 1.163 2008/11/14 22:53:46 marka Exp $ */
|
||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
@@ -1544,6 +1544,23 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
|
|||||||
*/
|
*/
|
||||||
if (dns_rdatatype_atparent(val->event->rdataset->type))
|
if (dns_rdatatype_atparent(val->event->rdataset->type))
|
||||||
return (DNS_R_CONTINUE);
|
return (DNS_R_CONTINUE);
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* SOA and NS RRsets can only be signed by a key with
|
||||||
|
* the same name.
|
||||||
|
*/
|
||||||
|
if (val->event->rdataset->type == dns_rdatatype_soa ||
|
||||||
|
val->event->rdataset->type == dns_rdatatype_ns) {
|
||||||
|
const char *typename;
|
||||||
|
|
||||||
|
if (val->event->rdataset->type == dns_rdatatype_soa)
|
||||||
|
typename = "SOA";
|
||||||
|
else
|
||||||
|
typename = "NS";
|
||||||
|
validator_log(val, ISC_LOG_DEBUG(3),
|
||||||
|
"%s signer mismatch", typename);
|
||||||
|
return (DNS_R_CONTINUE);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -2115,6 +2132,10 @@ validatezonekey(dns_validator_t *val) {
|
|||||||
&sigrdata);
|
&sigrdata);
|
||||||
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
|
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
|
||||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||||
|
|
||||||
|
if (!dns_name_equal(val->event->name, &sig.signer))
|
||||||
|
continue;
|
||||||
|
|
||||||
result = dns_keytable_findkeynode(val->keytable,
|
result = dns_keytable_findkeynode(val->keytable,
|
||||||
val->event->name,
|
val->event->name,
|
||||||
sig.algorithm,
|
sig.algorithm,
|
||||||
@@ -2355,7 +2376,11 @@ validatezonekey(dns_validator_t *val) {
|
|||||||
if (ds.key_tag != sig.keyid ||
|
if (ds.key_tag != sig.keyid ||
|
||||||
ds.algorithm != sig.algorithm)
|
ds.algorithm != sig.algorithm)
|
||||||
continue;
|
continue;
|
||||||
|
if (!dns_name_equal(val->event->name, &sig.signer)) {
|
||||||
|
validator_log(val, ISC_LOG_DEBUG(3),
|
||||||
|
"DNSKEY signer mismatch");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
dstkey = NULL;
|
dstkey = NULL;
|
||||||
result = dns_dnssec_keyfromrdata(val->event->name,
|
result = dns_dnssec_keyfromrdata(val->event->name,
|
||||||
&keyrdata,
|
&keyrdata,
|
||||||
|
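Review bot: The signer check added in validatezonekey in the hunk around line 2132 silently `continue`s when `sig.signer` is not `val->event->name`, while the parallel check added in the hunk around line 2376 logs `"DNSKEY signer mismatch"` at `ISC_LOG_DEBUG(3)` before continuing; a signature skipped by the first check leaves no trace in the validator log, which makes a misconfigured or hostile RRSIG harder to diagnose. Mirroring the second hunk keeps the two paths consistent: `if (!dns_name_equal(val->event->name, &sig.signer)) { validator_log(val, ISC_LOG_DEBUG(3), "DNSKEY signer mismatch"); continue; }`. Both hunks are inside validatezonekey, whose body starts and ends outside them.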