mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Update smart signing when key is offline

Browse Source 
BIND 9 is smart about when to sign with what key. If a key is offline,
BIND will delete the old signature anyway if there is another key to
sign the RRset with.

With KASP we don't want to fallback to the KSK if the ZSK is missing,
only for the SOA RRset. If the KSK is missing, but we do have a ZSK,
deleting the signature is fine. Otherwise it depends on if we use KASP
or not. Update the 'delsig_ok' function to reflect that.
This commit is contained in:
Matthijs Mekking 2021-04-12 14:45:31 +02:00
parent 3e6fc49c16
commit 6a60bf637d
1 changed files with 80 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
lib/dns/zone.c
View File

@ -6438,7 +6438,7 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when,
*/
static bool
delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
bool *warn) {
bool kasp, bool *warn) {
unsigned int i = 0;
isc_result_t ret;
bool have_ksk = false, have_zsk = false;
@ -6482,12 +6482,27 @@ delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
*warn = true;
}
if (have_pksk && have_pzsk) {
return (true);
}
/*
* It's okay to delete a signature if there is an active key
* with the same algorithm to replace it.
* Deleting the SOA RRSIG is always okay.
*/
if (rrsig_ptr->covered == dns_rdatatype_soa) {
return (true);
}
/*
* It's okay to delete a signature if there is an active key with the
* same algorithm to replace it, unless that violates the DNSSEC
* policy.
*/
if (have_pksk || have_pzsk) {
return (true);
if (kasp && have_pzsk) {
return (true);
}
return (!kasp);
}
/*
@ -6521,6 +6536,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdataset_t rdataset;
unsigned int i;
dns_rdata_rrsig_t rrsig;
bool kasp = (dns_zone_getkasp(zone) != NULL);
bool found;
int64_t timewarn = 0, timemaybe = 0;
@ -6563,7 +6579,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
type != dns_rdatatype_cdnskey)
{
bool warn = false, deleted = false;
if (delsig_ok(&rrsig, keys, nkeys, &warn)) {
if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) {
result = update_one_rr(db, ver, zonediff->diff,
DNS_DIFFOP_DELRESIGN,
name, rdataset.ttl,
@ -6807,6 +6823,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
isc_stdtime_t when;
bool ksk = false;
bool zsk = false;
bool have_ksk = false;
bool have_zsk = false;
kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
if (kresult != ISC_R_SUCCESS) {
@ -6821,6 +6839,56 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
}
}
have_ksk = ksk;
have_zsk = zsk;
both = have_ksk && have_zsk;
for (j = 0; j < nkeys; j++) {
if (both) {
break;
}
if (j == i || ALG(keys[i]) != ALG(keys[j])) {
continue;
}
/*
* Don't consider inactive keys or offline keys.
*/
if (!dst_key_isprivate(keys[j])) {
continue;
}
if (dst_key_inactive(keys[j])) {
continue;
}
if (REVOKE(keys[j])) {
continue;
}
if (!have_ksk) {
kresult = dst_key_getbool(keys[j],
DST_BOOL_KSK,
&have_ksk);
if (kresult != ISC_R_SUCCESS) {
if (KSK(keys[j])) {
have_ksk = true;
}
}
}
if (!have_zsk) {
kresult = dst_key_getbool(keys[j],
DST_BOOL_ZSK,
&have_zsk);
if (kresult != ISC_R_SUCCESS) {
if (!KSK(keys[j])) {
have_zsk = true;
}
}
}
both = have_ksk && have_zsk;
}
if (type == dns_rdatatype_dnskey ||
type == dns_rdatatype_cdnskey ||
type == dns_rdatatype_cds)
@ -6836,7 +6904,13 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
/*
* Other RRsets are signed with ZSK.
*/
continue;
if (type != dns_rdatatype_soa &&
type != zone->privatetype) {
continue;
}
if (have_zsk) {
continue;
}
} else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
inception, &when)) {
/*