mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

Update smart signing when key is offline

Browse Source 
BIND 9 is smart about when to sign with what key. If a key is offline,
BIND will delete the old signature anyway if there is another key to
sign the RRset with.

With KASP we don't want to fallback to the KSK if the ZSK is missing,
only for the SOA RRset. If the KSK is missing, but we do have a ZSK,
deleting the signature is fine. Otherwise it depends on if we use KASP
or not. Update the 'delsig_ok' function to reflect that.
This commit is contained in:
Matthijs Mekking
2021-04-12 14:45:31 +02:00
parent 3e6fc49c16
commit 6a60bf637d
1 changed files with 80 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
lib/dns/zone.c
View File

@@ -6438,7 +6438,7 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when,
*/ */
static bool static bool
delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys, delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
bool *warn) { bool kasp, bool *warn) {
unsigned int i = 0; unsigned int i = 0;
isc_result_t ret; isc_result_t ret;
bool have_ksk = false, have_zsk = false; bool have_ksk = false, have_zsk = false;
@@ -6482,13 +6482,28 @@ delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
*warn = true; *warn = true;
} }
if (have_pksk && have_pzsk) {
return (true);
}
/* /*
* It's okay to delete a signature if there is an active key * Deleting the SOA RRSIG is always okay.
* with the same algorithm to replace it. */
if (rrsig_ptr->covered == dns_rdatatype_soa) {
return (true);
}
/*
* It's okay to delete a signature if there is an active key with the
* same algorithm to replace it, unless that violates the DNSSEC
* policy.
*/ */
if (have_pksk || have_pzsk) { if (have_pksk || have_pzsk) {
if (kasp && have_pzsk) {
return (true); return (true);
} }
return (!kasp);
}
/* /*
* Failing that, it is *not* okay to delete a signature * Failing that, it is *not* okay to delete a signature
@@ -6521,6 +6536,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdataset_t rdataset; dns_rdataset_t rdataset;
unsigned int i; unsigned int i;
dns_rdata_rrsig_t rrsig; dns_rdata_rrsig_t rrsig;
bool kasp = (dns_zone_getkasp(zone) != NULL);
bool found; bool found;
int64_t timewarn = 0, timemaybe = 0; int64_t timewarn = 0, timemaybe = 0;
@@ -6563,7 +6579,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
type != dns_rdatatype_cdnskey) type != dns_rdatatype_cdnskey)
{ {
bool warn = false, deleted = false; bool warn = false, deleted = false;
if (delsig_ok(&rrsig, keys, nkeys, &warn)) { if (delsig_ok(&rrsig, keys, nkeys, kasp, &warn)) {
result = update_one_rr(db, ver, zonediff->diff, result = update_one_rr(db, ver, zonediff->diff,
DNS_DIFFOP_DELRESIGN, DNS_DIFFOP_DELRESIGN,
name, rdataset.ttl, name, rdataset.ttl,
@@ -6807,6 +6823,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
isc_stdtime_t when; isc_stdtime_t when;
bool ksk = false; bool ksk = false;
bool zsk = false; bool zsk = false;
bool have_ksk = false;
bool have_zsk = false;
kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk); kresult = dst_key_getbool(keys[i], DST_BOOL_KSK, &ksk);
if (kresult != ISC_R_SUCCESS) { if (kresult != ISC_R_SUCCESS) {
@@ -6821,6 +6839,56 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
} }
} }
have_ksk = ksk;
have_zsk = zsk;
both = have_ksk && have_zsk;
for (j = 0; j < nkeys; j++) {
if (both) {
break;
}
if (j == i || ALG(keys[i]) != ALG(keys[j])) {
continue;
}
/*
* Don't consider inactive keys or offline keys.
*/
if (!dst_key_isprivate(keys[j])) {
continue;
}
if (dst_key_inactive(keys[j])) {
continue;
}
if (REVOKE(keys[j])) {
continue;
}
if (!have_ksk) {
kresult = dst_key_getbool(keys[j],
DST_BOOL_KSK,
&have_ksk);
if (kresult != ISC_R_SUCCESS) {
if (KSK(keys[j])) {
have_ksk = true;
}
}
}
if (!have_zsk) {
kresult = dst_key_getbool(keys[j],
DST_BOOL_ZSK,
&have_zsk);
if (kresult != ISC_R_SUCCESS) {
if (!KSK(keys[j])) {
have_zsk = true;
}
}
}
both = have_ksk && have_zsk;
}
if (type == dns_rdatatype_dnskey || if (type == dns_rdatatype_dnskey ||
type == dns_rdatatype_cdnskey || type == dns_rdatatype_cdnskey ||
type == dns_rdatatype_cds) type == dns_rdatatype_cds)
@@ -6836,7 +6904,13 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
/* /*
* Other RRsets are signed with ZSK. * Other RRsets are signed with ZSK.
*/ */
if (type != dns_rdatatype_soa &&
type != zone->privatetype) {
continue; continue;
}
if (have_zsk) {
continue;
}
} else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK, } else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
inception, &when)) { inception, &when)) {
/* /*