From 235a64a5a4c0143b183bd55f6ed756741d4d7880 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 12 Dec 2018 14:06:10 +0100 Subject: [PATCH 1/5] Don't free key in compute_tag in case of failure If `dns_dnssec_keyfromrdata` failed we don't need to call `dst_key_free` because no `dstkey` was created. Doing so nevertheless will result in an assertion failure. This can happen if the key uses an unsupported algorithm. --- lib/dns/zone.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index a4e0f42e44..fd18e51273 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3931,9 +3931,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, dns_rdatatype_dnskey, dnskey, &buffer); result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { *tag = dst_key_id(dstkey); - dst_key_free(&dstkey); + dst_key_free(&dstkey); + } return (result); } From 38c2bdba0a5b785ef9f2da2329838b931754b3e4 Mon Sep 17 00:00:00 2001 
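Review bot: The reason `dst_key_free(&dstkey)` moved inside the success branch of `compute_tag` is recorded only in the commit message, so a later cleanup could easily hoist the free back out and bring back the assertion failure. A short comment above the `if` would pin it, for example `/* On failure no dstkey was created (e.g. unsupported algorithm); freeing it would trip an assertion. */`. On the failure path `*tag` is also left unwritten, so callers have to check `result` before reading it; those callers and the start of the function body are outside this hunk, so that is worth confirming. The trigger is a DNSKEY with an unsupported algorithm, which comes from zone data, so the function's header comment should state the "tag valid only on ISC_R_SUCCESS" contract.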
From: Matthijs Mekking Date: Wed, 19 Dec 2018 18:45:43 +0100 Subject: [PATCH 2/5] Add tests for mkeys with unsupported algorithm These tests check if a key with an unsupported algorithm in managed-keys is ignored and when seeing an algorithm rollover to an unsupported algorithm, the new key will be ignored too. --- bin/tests/system/mkeys/README | 3 + bin/tests/system/mkeys/clean.sh | 3 +- bin/tests/system/mkeys/ns1/root.db | 20 +- bin/tests/system/mkeys/ns1/sign.sh | 7 +- bin/tests/system/mkeys/ns1/unsupported.key | 1 + bin/tests/system/mkeys/ns6/named.args | 1 + bin/tests/system/mkeys/ns6/named.conf.in | 19 +- bin/tests/system/mkeys/ns6/setup.sh | 30 +++ .../system/mkeys/ns6/unsupported-managed.key | 1 + bin/tests/system/mkeys/ns7/named.conf.in | 50 +++++ bin/tests/system/mkeys/setup.sh | 2 + bin/tests/system/mkeys/tests.sh | 70 ++++++- util/copyrights | 198 +++++++++--------- 13 files changed, 275 insertions(+), 130 deletions(-) create mode 100644 bin/tests/system/mkeys/ns1/unsupported.key create mode 100644 bin/tests/system/mkeys/ns6/named.args create mode 100644 bin/tests/system/mkeys/ns6/setup.sh create mode 100644 bin/tests/system/mkeys/ns6/unsupported-managed.key create mode 100644 bin/tests/system/mkeys/ns7/named.conf.in diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README index 8e1b407664..07910cbb6e 100644 --- a/bin/tests/system/mkeys/README +++ b/bin/tests/system/mkeys/README @@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail. ns5 is a validator which is prevented from getting a response from the root server, causing key refresh queries to fail. + +ns6 is a validator which has unsupported algorithms, one at start up, +one because of an algorithm rollover. diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh index f79c2ce114..8c9c1d14f5 100644 --- a/bin/tests/system/mkeys/clean.sh +++ b/bin/tests/system/mkeys/clean.sh 
@@ -16,9 +16,10 @@ rm -f */named.conf rm -f */named.memstats */named.run */named.run.prev rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dsset-. ns1/dsset-. +rm -f ns1/zone.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp rm -f ns5/named.args -rm -f ns6/view1.mkeys ns6/view2.mkeys +rm -f ns7/view1.mkeys ns7/view2.mkeys rm -rf ns4/nope diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db index 6ba922af09..0070f13942 100644 --- a/bin/tests/system/mkeys/ns1/root.db +++ b/bin/tests/system/mkeys/ns1/root.db @@ -8,16 +8,16 @@ ; information regarding copyright ownership. $TTL 20 -. IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 2 ; minimum - ) -. NS a.root-servers.nil. -a.root-servers.nil. A 10.53.0.1 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 ; no delegation -example. TXT "This is a test." +example. TXT "This is a test." diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index 4b392cc147..b24f9d5ddf 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf cp managed.conf ../ns4/managed.conf cp managed.conf ../ns5/managed.conf -# Configure a trusted key statement (used by delv) +# Configure a trusted key statement (used by delv). keyfile_to_trusted_keys $keyname > trusted.conf +# Prepare an unsupported algorithm key. +unsupportedkey=K.+003+28683 +cp unsupported.key "${unsupportedkey}.key" + # # Save keyname and keyid for managed key id test. # echo "$keyname" > managed.key +echo "$zskkeyname" > zone.key keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'` keyid=`expr $keyid + 0` echo "$keyid" > managed.key.id 
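Review bot: No rm line visible in this clean.sh hunk removes `ns1/root.db.orig`, which the rollover test added to tests.sh in this patch creates with `cp ns1/root.db ns1/root.db.orig` and never deletes. Unless a line outside the hunk already matches it, the backup survives a clean and is left in the source tree after every run. Adding `rm -f ns1/root.db.orig` next to the existing `ns1/root.db.signed* ns1/root.db.tmp` entry would cover it.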
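Review bot: In sign.sh the copy is named `K.+003+28683`, but the `unsupported.key` added by this patch is a DNSKEY with algorithm 255, so the algorithm field in the file name does not match the key it holds. Nothing visible in this patch reads `${unsupportedkey}.key` from ns1, since the rollover test in tests.sh appends `ns1/unsupported.key` directly. Either drop the copy or give it a name whose algorithm field agrees with the key, as ns6/setup.sh does with its `+255+` name. If a step outside this patch relies on the 003 name, a one-line comment saying why would help.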
diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key new file mode 100644 index 0000000000..7435d03b63 --- /dev/null +++ b/bin/tests/system/mkeys/ns1/unsupported.key @@ -0,0 +1 @@ +. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args new file mode 100644 index 0000000000..02f8f670f6 --- /dev/null +++ b/bin/tests/system/mkeys/ns6/named.args @@ -0,0 +1 @@ +-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in index 37ddaa16ec..8d76f7f2e7 100644 --- a/bin/tests/system/mkeys/ns6/named.conf.in +++ b/bin/tests/system/mkeys/ns6/named.conf.in @@ -22,8 +22,8 @@ options { recursion yes; notify no; dnssec-enable yes; - dnssec-validation auto; - bindkeys-file "managed.conf"; + dnssec-validation yes; + trust-anchor-telemetry no; }; key rndc_key { @@ -35,16 +35,9 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -view view1 { - zone "." { - type hint; - file "../../common/root.hint"; - }; +zone "." { + type hint; + file "../../common/root.hint"; }; -view view2 { - zone "." { - type hint; - file "../../common/root.hint"; - }; -}; +include "managed.conf"; diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh new file mode 100644 index 0000000000..5ba1647da5 --- /dev/null +++ b/bin/tests/system/mkeys/ns6/setup.sh 
@@ -0,0 +1,30 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=. +zonefile=root.db + +# an RSA key +rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.` + +# a key with unsupported algorithm +unsupportedkey=Kunknown.+255+00000 +cp unsupported-managed.key "${unsupportedkey}.key" + +# root key +rootkey=`cat ../ns1/managed.key` +cp "../ns1/${rootkey}.key" . + +# Configure the resolving server with a managed trusted key. +keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key new file mode 100644 index 0000000000..be872a00f0 --- /dev/null +++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key @@ -0,0 +1 @@ +unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6 diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in new file mode 100644 index 0000000000..a9aba00733 --- /dev/null +++ b/bin/tests/system/mkeys/ns7/named.conf.in 
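Review bot: The `-e` in the `#!/bin/sh -e` shebang of ns6/setup.sh has no effect as the script is actually run, because mkeys/setup.sh in this patch invokes it as `( cd ns6 && $SHELL setup.sh )`, which ignores the shebang line. A failing `$KEYGEN` or `cp` would therefore not stop the script, and `keyfile_to_managed_keys` would be called with an empty or missing key name, writing a `managed.conf` that lacks the intended trust anchors. An explicit `set -e` in the script body fixes this, and quoting the arguments as `"$unsupportedkey" "$rsakey" "$rootkey"` stops an empty value from silently shifting the positions. `zone=.` and `zonefile=root.db` are assigned but never used in this file and can be removed.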
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS7 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion yes; + notify no; + dnssec-enable yes; + dnssec-validation auto; + bindkeys-file "managed.conf"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +view view1 { + zone "." { + type hint; + file "../../common/root.hint"; + }; +}; + +view view2 { + zone "." { + type hint; + file "../../common/root.hint"; + }; +}; diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh index cfc5e560fc..13a662192f 100644 --- a/bin/tests/system/mkeys/setup.sh +++ b/bin/tests/system/mkeys/setup.sh @@ -20,10 +20,12 @@ copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf +copy_setports ns7/named.conf.in ns7/named.conf cp ns5/named1.args ns5/named.args ( cd ns1 && $SHELL sign.sh ) +( cd ns6 && $SHELL setup.sh ) cp ns2/managed.conf ns2/managed1.conf diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index ea4ba381f5..da6d2643eb 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh 
@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null mkeys_reconfig_on 1 wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run mkeys_secroots_on 5 -grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 +grep '; managed' ns5/named.secroots > /dev/null || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be # correctly refreshed and resolving should succeed $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1 
@@ -755,17 +755,71 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "reinitialize trust anchors, add unsupported algorithm ($n)" +ret=0 +$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6 +rm -f ns6/managed-keys.bind* +nextpart ns6/named.run > /dev/null +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6 +# log when an unsupported algorithm is encountered during startup +wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "skipping unsupported algorithm in managed-keys ($n)" +ret=0 +mkeys_status_on 6 > rndc.out.$n 2>&1 +# there should still be only two keys listed (for . and rsasha256.) +count=`grep -c "keyid: " rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=`grep -c "trust" rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 + +n=`expr $n + 1` +echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)" +ret=0 +cp ns1/root.db ns1/root.db.orig +ksk=`cat ns1/managed.key` +zsk=`cat ns1/zone.key` +cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db +grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1 +$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1 +grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1 +cp ns1/root.db.orig ns1/root.db +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "skipping unsupported algorithm in rollover ($n)" +ret=0 +mkeys_reload_on 1 +mkeys_refresh_on 6 +mkeys_status_on 6 > rndc.out.$n 2>&1 +# there should still be only two keys listed (for . and rsasha256.) 
+count=`grep -c "keyid: " rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 +# two lines indicating trust status +count=`grep -c "trust" rndc.out.$n` +[ "$count" -eq 2 ] || ret=1 +# log when an unsupported algorithm is encountered during rollover +wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + n=`expr $n + 1` echo_i "check 'rndc managed-keys' and views ($n)" ret=0 -$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1 -grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1 -lines=`wc -l < rndc.out.ns6.view1.test$n` +$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1 +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1 +lines=`wc -l < rndc.out.ns7.view1.test$n` [ $lines -eq 1 ] || ret=1 -$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1 -lines=`wc -l < rndc.out.ns6.view2.test$n` -grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1 -grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1 +$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1 +lines=`wc -l < rndc.out.ns7.view2.test$n` +grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 +grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1 [ $lines -eq 2 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/util/copyrights b/util/copyrights index ed3b9e4ffd..b0b2e2eb22 100644 --- a/util/copyrights +++ b/util/copyrights 
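Review bot: The block "skipping unsupported algorithm in managed-keys" sets `ret=1` when either count check fails but never reports it, because the next block starts with `ret=0` before the result reaches `status`. A regression that lets the unsupported key into the managed-keys list at startup would therefore pass unnoticed. The block should end like its neighbours, with `if [ $ret != 0 ]; then echo_i "failed"; fi` followed by the same `status` accumulation line the other blocks use. The two `wait_for_log` calls also have no `|| ret=1`; the helper is defined outside this hunk, so confirm that it sets `ret` itself on timeout.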
@@ -156,7 +156,7 @@ ./bin/dnssec/win32/verify.vcxproj.filters.in X 2013,2015,2018,2019 ./bin/dnssec/win32/verify.vcxproj.in X 2013,2014,2015,2016,2017,2018,2019 ./bin/dnssec/win32/verify.vcxproj.user X 2013,2018,2019 -./bin/named/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018 +./bin/named/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./bin/named/bind9.xsl SGML 2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019 ./bin/named/bind9.xsl.h X 2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./bin/named/builtin.c C 2001,2002,2003,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 
@@ -425,22 +425,22 @@ ./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019 ./bin/tests/system/checkds/dig.pl PERL 2014,2016,2017,2018,2019 ./bin/tests/system/checkds/dig.sh SH 2012,2013,2016,2017,2018,2019 -./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018 -./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018 -./bin/tests/system/checkds/missing.example.ds.db X 2012,2018 -./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018 -./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018 -./bin/tests/system/checkds/none.example.ds.db X 2012,2018 -./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018 -./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018 -./bin/tests/system/checkds/ok.example.ds.db X 2012,2018 -./bin/tests/system/checkds/prep.example.db X 2017,2018 -./bin/tests/system/checkds/prep.example.ds.db X 2017,2018 +./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018,2019 +./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018,2019 +./bin/tests/system/checkds/missing.example.ds.db X 2012,2018,2019 +./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018,2019 +./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018,2019 +./bin/tests/system/checkds/none.example.ds.db X 2012,2018,2019 +./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018,2019 +./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018,2019 +./bin/tests/system/checkds/ok.example.ds.db X 2012,2018,2019 +./bin/tests/system/checkds/prep.example.db X 2017,2018,2019 +./bin/tests/system/checkds/prep.example.ds.db X 2017,2018,2019 ./bin/tests/system/checkds/setup.sh SH 2012,2013,2014,2016,2018,2019 ./bin/tests/system/checkds/tests.sh SH 2012,2013,2014,2016,2017,2018,2019 -./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018 -./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018 -./bin/tests/system/checkds/wrong.example.ds.db X 
2012,2018 +./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018,2019 +./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018,2019 +./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018,2019 ./bin/tests/system/checknames/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019 ./bin/tests/system/checknames/setup.sh SH 2004,2007,2012,2014,2016,2018,2019 ./bin/tests/system/checknames/tests.sh SH 2004,2007,2012,2013,2014,2015,2016,2018,2019 @@ -536,11 +536,11 @@ ./bin/tests/system/dnssec/clean.sh SH 2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./bin/tests/system/dnssec/dnssec_update_test.pl PERL 2002,2004,2007,2010,2012,2016,2018,2019 ./bin/tests/system/dnssec/ns1/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019 -./bin/tests/system/dnssec/ns2/rfc2335.example.db X 2004,2018 +./bin/tests/system/dnssec/ns2/rfc2335.example.db X 2004,2018,2019 ./bin/tests/system/dnssec/ns2/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019 ./bin/tests/system/dnssec/ns3/sign.sh SH 2000,2001,2002,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./bin/tests/system/dnssec/ns3/unsupported-algorithm.key X 2018,2019 -./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018 +./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018,2019 ./bin/tests/system/dnssec/ns5/sign.sh SH 2015,2016,2017,2018,2019 ./bin/tests/system/dnssec/ns6/named.args X 2013,2014,2016,2018,2019 ./bin/tests/system/dnssec/ns6/sign.sh SH 2013,2014,2016,2017,2018,2019 
@@ -585,8 +585,8 @@ ./bin/tests/system/dyndb/driver/AUTHORS X 2015,2018,2019 ./bin/tests/system/dyndb/driver/COPYING X 2015,2016,2018,2019 ./bin/tests/system/dyndb/driver/README X 2015,2018,2019 -./bin/tests/system/dyndb/driver/db.c X 2015,2016,2017,2018 -./bin/tests/system/dyndb/driver/db.h X 2015,2016,2018 +./bin/tests/system/dyndb/driver/db.c X 2015,2016,2017,2018,2019 +./bin/tests/system/dyndb/driver/db.h X 2015,2016,2018,2019 ./bin/tests/system/dyndb/driver/driver.c X 2015,2016,2018,2019 ./bin/tests/system/dyndb/driver/instance.c X 2015,2016,2018,2019 ./bin/tests/system/dyndb/driver/instance.h X 2015,2016,2018,2019 @@ -645,8 +645,8 @@ ./bin/tests/system/formerr/twoquestions X 2013,2018,2019 ./bin/tests/system/forward/ans6/startme X 2019 ./bin/tests/system/forward/clean.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2018,2019 -./bin/tests/system/forward/ns1/example.db X 2000,2001,2018 -./bin/tests/system/forward/ns2/example.db X 2000,2001,2018 +./bin/tests/system/forward/ns1/example.db X 2000,2001,2018,2019 +./bin/tests/system/forward/ns2/example.db X 2000,2001,2018,2019 ./bin/tests/system/forward/prereq.sh SH 2019 ./bin/tests/system/forward/setup.sh SH 2018,2019 ./bin/tests/system/forward/tests.sh SH 2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019 @@ -760,7 +760,7 @@ ./bin/tests/system/keymgr/tests.sh SH 2016,2018,2019 ./bin/tests/system/legacy/build.sh SH 2014,2016,2017,2018,2019 ./bin/tests/system/legacy/clean.sh SH 2014,2016,2018,2019 -./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018 +./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018,2019 ./bin/tests/system/legacy/ns10/named.ednsrefused X 2018,2019 ./bin/tests/system/legacy/ns2/named.dropedns X 2014,2018,2019 ./bin/tests/system/legacy/ns3/named.dropedns X 2014,2018,2019 
@@ -768,10 +768,10 @@ ./bin/tests/system/legacy/ns4/named.args X 2014,2018,2019 ./bin/tests/system/legacy/ns5/named.args X 2014,2018,2019 ./bin/tests/system/legacy/ns5/named.notcp X 2014,2018,2019 -./bin/tests/system/legacy/ns6/edns512.db.signed X 2014,2018 +./bin/tests/system/legacy/ns6/edns512.db.signed X 2014,2018,2019 ./bin/tests/system/legacy/ns6/named.args X 2014,2018,2019 ./bin/tests/system/legacy/ns6/sign.sh SH 2014,2016,2018,2019 -./bin/tests/system/legacy/ns7/edns512-notcp.db.signed X 2014,2018 +./bin/tests/system/legacy/ns7/edns512-notcp.db.signed X 2014,2018,2019 ./bin/tests/system/legacy/ns7/named.args X 2014,2018,2019 ./bin/tests/system/legacy/ns7/named.notcp X 2014,2018,2019 ./bin/tests/system/legacy/ns7/sign.sh SH 2014,2016,2018,2019 @@ -822,10 +822,14 @@ ./bin/tests/system/mkeys/README TXT.BRIEF 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/clean.sh SH 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/ns1/sign.sh SH 2015,2016,2017,2018,2019 +./bin/tests/system/mkeys/ns1/unsupported.key X 2018,2019 ./bin/tests/system/mkeys/ns2/named.args X 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/ns3/named.args X 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/ns5/named1.args X 2017,2018,2019 ./bin/tests/system/mkeys/ns5/named2.args X 2017,2018,2019 +./bin/tests/system/mkeys/ns6/named.args X 2018,2019 +./bin/tests/system/mkeys/ns6/setup.sh SH 2018,2019 +./bin/tests/system/mkeys/ns6/unsupported-managed.key X 2018,2019 ./bin/tests/system/mkeys/setup.sh SH 2015,2016,2017,2018,2019 ./bin/tests/system/mkeys/tests.sh SH 2015,2016,2017,2018,2019 ./bin/tests/system/names/clean.sh SH 2015,2016,2018,2019 
@@ -933,7 +937,7 @@ ./bin/tests/system/rpz/ckdnsrps.sh SH 2017,2018,2019 ./bin/tests/system/rpz/clean.sh SH 2011,2012,2013,2014,2016,2017,2018,2019 ./bin/tests/system/rpz/dnsrps.c C 2017,2018,2019 -./bin/tests/system/rpz/dnsrpzd-license.conf X 2017,2018 +./bin/tests/system/rpz/dnsrpzd-license.conf X 2017,2018,2019 ./bin/tests/system/rpz/ns3/crash1 X 2011,2013,2018,2019 ./bin/tests/system/rpz/ns3/crash2 X 2011,2012,2013,2018,2019 ./bin/tests/system/rpz/ns5/named.args X 2013,2014,2018,2019 @@ -1101,17 +1105,17 @@ ./bin/tests/system/tsiggss/clean.sh SH 2010,2011,2014,2015,2016,2018,2019 ./bin/tests/system/tsiggss/ns1/administrator.ccache X 2010,2018,2019 ./bin/tests/system/tsiggss/ns1/dns.keytab X 2010,2018,2019 -./bin/tests/system/tsiggss/ns1/example.nil.db.in X 2011,2018 +./bin/tests/system/tsiggss/ns1/example.nil.db.in X 2011,2018,2019 ./bin/tests/system/tsiggss/ns1/testdenied.ccache X 2010,2018,2019 ./bin/tests/system/tsiggss/prereq.sh SH 2010,2011,2012,2014,2016,2018,2019 ./bin/tests/system/tsiggss/setup.sh SH 2010,2011,2012,2014,2016,2017,2018,2019 ./bin/tests/system/tsiggss/tests.sh SH 2010,2011,2014,2016,2017,2018,2019 ./bin/tests/system/ttl/clean.sh X 2018,2019 -./bin/tests/system/ttl/ns1/max-example.db X 2018 -./bin/tests/system/ttl/ns1/min-example.db X 2018 -./bin/tests/system/ttl/ns1/named.conf.in X 2018 -./bin/tests/system/ttl/ns2/hints.db X 2018 -./bin/tests/system/ttl/ns2/named.conf.in X 2018 +./bin/tests/system/ttl/ns1/max-example.db X 2018,2019 +./bin/tests/system/ttl/ns1/min-example.db X 2018,2019 +./bin/tests/system/ttl/ns1/named.conf.in X 2018,2019 +./bin/tests/system/ttl/ns2/hints.db X 2018,2019 +./bin/tests/system/ttl/ns2/named.conf.in X 2018,2019 ./bin/tests/system/ttl/setup.sh X 2018,2019 ./bin/tests/system/ttl/tests.sh X 2018,2019 ./bin/tests/system/unknown/clean.sh SH 2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019 
@@ -1185,10 +1189,10 @@ ./bin/tests/system/zonechecks/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019 ./bin/tests/system/zonechecks/setup.sh SH 2012,2013,2014,2015,2016,2017,2018,2019 ./bin/tests/system/zonechecks/tests.sh SH 2004,2007,2009,2012,2013,2014,2015,2016,2018,2019 -./bin/tests/testdata/wire/wire_test.data X 1999,2000,2001,2018 -./bin/tests/testdata/wire/wire_test.data2 X 1999,2000,2001,2018 -./bin/tests/testdata/wire/wire_test.data3 X 1999,2000,2001,2018 -./bin/tests/testdata/wire/wire_test.data4 X 1999,2000,2001,2018 +./bin/tests/testdata/wire/wire_test.data X 1999,2000,2001,2018,2019 +./bin/tests/testdata/wire/wire_test.data2 X 1999,2000,2001,2018,2019 +./bin/tests/testdata/wire/wire_test.data3 X 1999,2000,2001,2018,2019 +./bin/tests/testdata/wire/wire_test.data4 X 1999,2000,2001,2018,2019 ./bin/tests/virtual-time/README TXT.BRIEF 2010,2016,2018,2019 ./bin/tests/virtual-time/autosign-ksk/clean.sh SH 2010,2012,2015,2016,2018,2019 ./bin/tests/virtual-time/autosign-ksk/ns1/sign.sh SH 2010,2012,2016,2018,2019 @@ -1345,7 +1349,7 @@ ./contrib/dlz/example/Makefile X 2010,2013,2018,2019 ./contrib/dlz/example/README X 2011,2012,2013,2014,2018,2019 ./contrib/dlz/example/dlz_example.c X 2010,2011,2012,2013,2014,2018,2019 -./contrib/dlz/example/named.conf X 2011,2014,2018 +./contrib/dlz/example/named.conf X 2011,2014,2018,2019 ./contrib/dlz/example/win32/DLLMain.c X 2011,2016,2018,2019 ./contrib/dlz/example/win32/dxdriver.def X 2011,2018,2019 ./contrib/dlz/example/win32/dxdriver.dsp X 2018,2019 
@@ -1356,7 +1360,7 @@ ./contrib/dlz/modules/bdbhpt/testing/README X 2015,2018,2019 ./contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl X 2013,2018,2019 ./contrib/dlz/modules/bdbhpt/testing/dns-data.txt X 2013,2015,2018,2019 -./contrib/dlz/modules/bdbhpt/testing/named.conf X 2015,2018 +./contrib/dlz/modules/bdbhpt/testing/named.conf X 2015,2018,2019 ./contrib/dlz/modules/common/dlz_dbi.c X 2013,2014,2016,2018,2019 ./contrib/dlz/modules/filesystem/Makefile X 2013,2018,2019 ./contrib/dlz/modules/filesystem/dir.c X 2013,2018,2019 
@@ -1371,19 +1375,19 @@ ./contrib/dlz/modules/ldap/testing/README X 2013,2018,2019 ./contrib/dlz/modules/ldap/testing/dlz.schema X 2013,2018,2019 ./contrib/dlz/modules/ldap/testing/example.ldif X 2013,2018,2019 -./contrib/dlz/modules/ldap/testing/named.conf X 2013,2018 -./contrib/dlz/modules/ldap/testing/slapd.conf X 2013,2018 +./contrib/dlz/modules/ldap/testing/named.conf X 2013,2018,2019 +./contrib/dlz/modules/ldap/testing/slapd.conf X 2013,2018,2019 ./contrib/dlz/modules/mysql/dlz_mysql_dynamic.c X 2013,2016,2018,2019 ./contrib/dlz/modules/mysql/testing/README X 2013,2018,2019 -./contrib/dlz/modules/mysql/testing/dlz.data X 2013,2017,2018 +./contrib/dlz/modules/mysql/testing/dlz.data X 2013,2017,2018,2019 ./contrib/dlz/modules/mysql/testing/dlz.schema X 2013,2018,2019 -./contrib/dlz/modules/mysql/testing/named.conf X 2013,2018 +./contrib/dlz/modules/mysql/testing/named.conf X 2013,2018,2019 ./contrib/dlz/modules/mysqldyn/README X 2014,2018,2019 ./contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c X 2014,2015,2018,2019 ./contrib/dlz/modules/mysqldyn/testing/README X 2014,2018,2019 -./contrib/dlz/modules/mysqldyn/testing/dlz.data X 2014,2018 +./contrib/dlz/modules/mysqldyn/testing/dlz.data X 2014,2018,2019 ./contrib/dlz/modules/mysqldyn/testing/dlz.schema X 2014,2018,2019 -./contrib/dlz/modules/mysqldyn/testing/named.conf X 2014,2018 +./contrib/dlz/modules/mysqldyn/testing/named.conf X 2014,2018,2019 ./contrib/dlz/modules/perl/Makefile X 2013,2018,2019 ./contrib/dlz/modules/perl/README X 2013,2018,2019 ./contrib/dlz/modules/perl/dlz_perl_callback.xs X 2013,2018,2019 
@@ -1391,18 +1395,18 @@ ./contrib/dlz/modules/perl/dlz_perl_driver.c X 2013,2015,2016,2018,2019 ./contrib/dlz/modules/perl/dlz_perl_driver.h X 2013,2018,2019 ./contrib/dlz/modules/perl/testing/dlz_perl_example.pm X 2013,2018,2019 -./contrib/dlz/modules/perl/testing/named.conf X 2013,2018 +./contrib/dlz/modules/perl/testing/named.conf X 2013,2018,2019 ./contrib/dlz/modules/sqlite3/Makefile X 2014,2018,2019 ./contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c X 2014,2016,2018,2019 ./contrib/dlz/modules/sqlite3/testing/README X 2014,2018,2019 -./contrib/dlz/modules/sqlite3/testing/dlz.data X 2014,2018 +./contrib/dlz/modules/sqlite3/testing/dlz.data X 2014,2018,2019 ./contrib/dlz/modules/sqlite3/testing/dlz.schema X 2014,2018,2019 -./contrib/dlz/modules/sqlite3/testing/named.conf X 2014,2018 +./contrib/dlz/modules/sqlite3/testing/named.conf X 2014,2018,2019 ./contrib/dlz/modules/wildcard/Makefile X 2013,2018,2019 ./contrib/dlz/modules/wildcard/README X 2013,2018,2019 ./contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c X 2013,2015,2016,2018,2019 -./contrib/dlz/modules/wildcard/testing/named.conf X 2013,2018 -./contrib/dnspriv/nginx.conf SH 2017,2018 +./contrib/dlz/modules/wildcard/testing/named.conf X 2013,2018,2019 +./contrib/dnspriv/nginx.conf SH 2017,2018,2019 ./contrib/kasp/README X 2016,2018,2019 ./contrib/kasp/kasp.xml X 2016,2018,2019 ./contrib/kasp/kasp2policy.py X 2016,2018,2019 @@ -1426,7 +1430,7 @@ ./doc/arm/Bv9ARM.ch10.html X 2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./doc/arm/Bv9ARM.ch11.html X 2015,2016,2017,2018,2019 ./doc/arm/Bv9ARM.ch12.html X 2015,2016,2017,2018,2019 -./doc/arm/Bv9ARM.conf X 2015,2018 +./doc/arm/Bv9ARM.conf X 2015,2018,2019 ./doc/arm/Bv9ARM.html X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./doc/arm/Bv9ARM.pdf X 2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./doc/arm/README-SGML TXT.BRIEF 2000,2001,2004,2015,2016,2018,2019 
@@ -1488,7 +1492,7 @@ ./doc/arm/masters.grammar.xml SGML 2018,2019 ./doc/arm/mirror.zoneopt.xml SGML 2018,2019 ./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018,2019 -./doc/arm/notes.conf X 2015,2018 +./doc/arm/notes.conf X 2015,2018,2019 ./doc/arm/notes.html X 2014,2015,2016,2017,2018,2019 ./doc/arm/notes.pdf X 2014,2015,2016,2017,2018,2019 ./doc/arm/notes.txt X 2018,2019 @@ -1531,7 +1535,7 @@ ./doc/dev/coding.html HTML 1999,2000,2001,2002,2004,2007,2016,2018,2019 ./doc/dev/cvs-usage TXT.BRIEF 2000,2001,2004,2016,2018,2019 ./doc/dev/magic_numbers TXT.BRIEF 1999,2000,2001,2002,2004,2016,2018,2019 -./doc/dev/rdata.md MKD 1999,2000,2001,2004,2007,2016,2017,2018 +./doc/dev/rdata.md MKD 1999,2000,2001,2004,2007,2016,2017,2018,2019 ./doc/dev/release TXT.BRIEF 2000,2001,2002,2003,2004,2005,2006,2007,2009,2014,2016,2018,2019 ./doc/dev/results TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019 ./doc/dev/tests TXT.BRIEF 2000,2001,2004,2016,2018,2019 @@ -1624,7 +1628,7 @@ ./lib/dns/client.c C 2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./lib/dns/clientinfo.c C 2011,2014,2016,2018,2019 ./lib/dns/compress.c C 1999,2000,2001,2004,2005,2006,2007,2015,2016,2017,2018,2019 -./lib/dns/db.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2017,2018 +./lib/dns/db.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009,2011,2012,2013,2015,2016,2017,2018,2019 ./lib/dns/dbiterator.c C 1999,2000,2001,2004,2005,2007,2016,2018,2019 ./lib/dns/dbtable.c C 1999,2000,2001,2004,2005,2007,2013,2016,2018,2019 ./lib/dns/diff.c C 2000,2001,2002,2003,2004,2005,2007,2008,2009,2011,2013,2014,2015,2016,2017,2018,2019 
@@ -1667,7 +1671,7 @@ ./lib/dns/include/dns/client.h C 2009,2013,2014,2016,2017,2018,2019 ./lib/dns/include/dns/clientinfo.h C 2011,2014,2016,2018,2019 ./lib/dns/include/dns/compress.h C 1999,2000,2001,2002,2004,2005,2006,2007,2009,2015,2016,2017,2018,2019 -./lib/dns/include/dns/db.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018 +./lib/dns/include/dns/db.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019 ./lib/dns/include/dns/dbiterator.h C 1999,2000,2001,2004,2005,2006,2007,2016,2018,2019 ./lib/dns/include/dns/dbtable.h C 1999,2000,2001,2004,2005,2006,2007,2016,2018,2019 ./lib/dns/include/dns/diff.h C 2000,2001,2004,2005,2006,2007,2008,2009,2010,2013,2016,2018,2019 @@ -2014,7 +2018,7 @@ ./lib/dns/tests/result_test.c C 2018,2019 ./lib/dns/tests/rsa_test.c C 2016,2018,2019 ./lib/dns/tests/sigs_test.c C 2018,2019 -./lib/dns/tests/testdata/dbiterator/zone2.data X 2011,2018 +./lib/dns/tests/testdata/dbiterator/zone2.data X 2011,2018,2019 ./lib/dns/tests/testdata/dnstap/dnstap.saved X 2015,2017,2018,2019 ./lib/dns/tests/testdata/dnstap/dnstap.text X 2015,2017,2018,2019 ./lib/dns/tests/testdata/dnstap/query.auth X 2015,2018,2019 
@@ -2025,29 +2029,29 @@
 ./lib/dns/tests/testdata/dst/Ktest.+008+11349.private X 2018,2019
 ./lib/dns/tests/testdata/dst/Ktest.+013+49130.key X 2018,2019
 ./lib/dns/tests/testdata/dst/Ktest.+013+49130.private X 2018,2019
-./lib/dns/tests/testdata/dst/test1.data X 2018
+./lib/dns/tests/testdata/dst/test1.data X 2018,2019
 ./lib/dns/tests/testdata/dst/test1.ecdsa256sig X 2018,2019
 ./lib/dns/tests/testdata/dst/test1.rsasha256sig X 2018,2019
-./lib/dns/tests/testdata/dst/test2.data X 2018
-./lib/dns/tests/testdata/dstrandom/random.data X 2017,2018
-./lib/dns/tests/testdata/master/master1.data X 2011,2018
-./lib/dns/tests/testdata/master/master10.data X 2011,2018
-./lib/dns/tests/testdata/master/master11.data X 2011,2018
-./lib/dns/tests/testdata/master/master12.data.in X 2011,2018
-./lib/dns/tests/testdata/master/master13.data.in X 2011,2018
-./lib/dns/tests/testdata/master/master14.data.in X 2011,2018
-./lib/dns/tests/testdata/master/master15.data X 2012,2018
-./lib/dns/tests/testdata/master/master16.data X 2012,2018
-./lib/dns/tests/testdata/master/master17.data X 2012,2018
-./lib/dns/tests/testdata/master/master18.data X 2018
-./lib/dns/tests/testdata/master/master2.data X 2011,2018
-./lib/dns/tests/testdata/master/master3.data X 2011,2018
-./lib/dns/tests/testdata/master/master4.data X 2011,2018
-./lib/dns/tests/testdata/master/master5.data X 2011,2018
-./lib/dns/tests/testdata/master/master6.data X 2011,2018
-./lib/dns/tests/testdata/master/master7.data X 2011,2018
-./lib/dns/tests/testdata/master/master8.data X 2011,2018
-./lib/dns/tests/testdata/master/master9.data X 2011,2018
+./lib/dns/tests/testdata/dst/test2.data X 2018,2019
+./lib/dns/tests/testdata/dstrandom/random.data X 2017,2018,2019
+./lib/dns/tests/testdata/master/master1.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master10.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master11.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master12.data.in X 2011,2018,2019
+./lib/dns/tests/testdata/master/master13.data.in X 2011,2018,2019
+./lib/dns/tests/testdata/master/master14.data.in X 2011,2018,2019
+./lib/dns/tests/testdata/master/master15.data X 2012,2018,2019
+./lib/dns/tests/testdata/master/master16.data X 2012,2018,2019
+./lib/dns/tests/testdata/master/master17.data X 2012,2018,2019
+./lib/dns/tests/testdata/master/master18.data X 2018,2019
+./lib/dns/tests/testdata/master/master2.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master3.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master4.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master5.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master6.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master7.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master8.data X 2011,2018,2019
+./lib/dns/tests/testdata/master/master9.data X 2011,2018,2019
 ./lib/dns/tests/testkeys/Kexample.+008+20386.key X 2018,2019
 ./lib/dns/tests/testkeys/Kexample.+008+20386.private X 2018,2019
 ./lib/dns/tests/testkeys/Kexample.+008+37464.key X 2018,2019
@@ -2101,23 +2105,23 @@
 ./lib/irs/resconf.c C 2009,2011,2012,2014,2015,2016,2017,2018,2019
 ./lib/irs/tests/Kyuafile X 2017,2018,2019
 ./lib/irs/tests/resconf_test.c C 2016,2018,2019
-./lib/irs/tests/testdata/domain.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/nameserver-v4.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/nameserver-v6-scoped.conf CONF-SH 2018
-./lib/irs/tests/testdata/nameserver-v6.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/options-bad-ndots.conf CONF-SH 2018
-./lib/irs/tests/testdata/options-debug.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/options-empty.conf CONF-SH 2018
-./lib/irs/tests/testdata/options-ndots.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/options-timeout.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/options-unknown.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/options.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/port.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/resolv.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/search.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/sortlist-v4.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/timeout.conf CONF-SH 2016,2018
-./lib/irs/tests/testdata/unknown.conf CONF-SH 2016,2018
+./lib/irs/tests/testdata/domain.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/nameserver-v4.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/nameserver-v6-scoped.conf CONF-SH 2018,2019
+./lib/irs/tests/testdata/nameserver-v6.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/options-bad-ndots.conf CONF-SH 2018,2019
+./lib/irs/tests/testdata/options-debug.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/options-empty.conf CONF-SH 2018,2019
+./lib/irs/tests/testdata/options-ndots.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/options-timeout.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/options-unknown.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/options.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/port.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/resolv.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/search.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/sortlist-v4.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/timeout.conf CONF-SH 2016,2018,2019
+./lib/irs/tests/testdata/unknown.conf CONF-SH 2016,2018,2019
 ./lib/irs/version.c C 2009,2016,2018,2019
 ./lib/irs/win32/DLLMain.c C 2014,2016,2018,2019
 ./lib/irs/win32/include/irs/netdb.h C 2014,2016,2017,2018,2019
@@ -2153,8 +2157,8 @@
 ./lib/isc/hmac.c C 2000,2001,2004,2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019
 ./lib/isc/ht.c C 2016,2017,2018,2019
 ./lib/isc/httpd.c C 2006,2007,2008,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
-./lib/isc/include/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2012,2014,2016,2018
-./lib/isc/include/isc/Makefile.in MAKE 1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018
+./lib/isc/include/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2012,2014,2016,2018,2019
+./lib/isc/include/isc/Makefile.in MAKE 1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019
 ./lib/isc/include/isc/aes.h C 2014,2016,2018,2019
 ./lib/isc/include/isc/app.h C 1999,2000,2001,2004,2005,2006,2007,2009,2013,2014,2015,2016,2018,2019
 ./lib/isc/include/isc/assertions.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009,2016,2017,2018,2019
@@ -2264,7 +2268,7 @@
 ./lib/isc/pk11_result.c C 2014,2015,2016,2018,2019
 ./lib/isc/pool.c C 2013,2015,2016,2018,2019
 ./lib/isc/portset.c C 2008,2016,2017,2018,2019
-./lib/isc/pthreads/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2009,2012,2016,2018
+./lib/isc/pthreads/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2009,2012,2016,2018,2019
 ./lib/isc/pthreads/condition.c C 1998,1999,2000,2001,2004,2005,2007,2012,2016,2018,2019
 ./lib/isc/pthreads/include/isc/condition.h C 1998,1999,2000,2001,2004,2005,2007,2016,2018,2019
 ./lib/isc/pthreads/include/isc/mutex.h C 1998,1999,2000,2001,2002,2004,2005,2007,2016,2018,2019
@@ -2364,8 +2368,8 @@
 ./lib/isc/win32/errno2result.h C 2000,2001,2004,2005,2007,2016,2018,2019
 ./lib/isc/win32/file.c C 2000,2001,2002,2004,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019
 ./lib/isc/win32/fsaccess.c C 2000,2001,2002,2004,2007,2013,2016,2017,2018,2019
-./lib/isc/win32/include/Makefile.in MAKE 1999,2000,2001,2004,2007,2012,2014,2016,2018
-./lib/isc/win32/include/isc/Makefile.in MAKE 1999,2000,2001,2004,2007,2012,2013,2014,2015,2016,2018
+./lib/isc/win32/include/Makefile.in MAKE 1999,2000,2001,2004,2007,2012,2014,2016,2018,2019
+./lib/isc/win32/include/isc/Makefile.in MAKE 1999,2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019
 ./lib/isc/win32/include/isc/bind_registry.h C 2001,2004,2007,2016,2018,2019
 ./lib/isc/win32/include/isc/bindevt.h C 2001,2004,2007,2016,2018,2019
 ./lib/isc/win32/include/isc/condition.h C 1998,1999,2000,2001,2004,2007,2016,2018,2019
From f09352d20a9d360e50683cd1d2fc52ccedcd77a0 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 19 Dec 2018 18:47:43 +0100
Subject: [PATCH 3/5] Update keyfetch_done compute_tag check
If in keyfetch_done the compute_tag fails (because for example the algorithm is not supported), don't crash, but instead ignore the key.
---
 lib/dns/include/dst/dst.h | 3 +--
 lib/dns/zone.c | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 2e7f643c28..3146d88cb9 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -70,8 +70,7 @@ typedef struct dst_context dst_context_t;
 #define DST_ALG_HMACSHA512 165 /* XXXMPA */
 #define DST_ALG_INDIRECT 252
 #define DST_ALG_PRIVATE 254
-#define DST_ALG_EXPAND 255
-#define DST_MAX_ALGS 255
+#define DST_MAX_ALGS 256
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE 1280
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index fd18e51273..f2087658c8 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9653,6 +9653,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 dns_keydata_todnskey(&keydata, &dnskey, NULL);
 result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 /*
@@ -9766,6 +9777,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 }
 result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);
From e7c12bffbd2a3e88cdd033da914e85a23fa602d1 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 20 Dec 2018 10:22:02 +0100
Subject: [PATCH 4/5] CHANGES, notes
---
 CHANGES | 5 ++++-
 doc/arm/notes.xml | 8 ++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index cc94c87f28..0fef5cd366 100644
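Review bot: `DST_MAX_ALGS` changes meaning in this hunk from the highest algorithm number (255) to a count (256), and the define carries no comment saying so. Any bounds check or table elsewhere that compares an algorithm value against `DST_MAX_ALGS` now admits 255; that is presumably the intent, since patch 5/5 tests with an algorithm-255 key, but those users are outside the hunk and are worth re-reading for `<` versus `<=`. I would add `/*% Number of algorithm code points (0-255), not the highest algorithm id */` above the define. Removing `DST_ALG_EXPAND` from what appears to be an installed header may also break out-of-tree callers, so it could deserve a line in the release notes.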
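Review bot: The `RUNTIME_CHECK(result == ISC_R_SUCCESS);` left after each new `if (result != ISC_R_SUCCESS) { ... continue; }` block can no longer fail, in both the hunk at 9653 and the one at 9766. Keeping it suggests the abort path is still reachable, so I would delete both lines to make it plain that a key whose tag cannot be computed is skipped. The DNSKEY data here comes from the zone being tracked, so how often this branch runs is outside the operator's control; `ISC_LOG_WARNING` may fit an expected, ignorable condition better than `ISC_LOG_ERROR`, if the surrounding code follows that convention. The same eleven-line block is pasted twice inside `keyfetch_done`, whose body extends outside both hunks, and a small `static` helper would keep the two log messages from drifting apart.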
--- a/CHANGES +++ b/CHANGES @@ -159,7 +159,10 @@ 5119. [placeholder] -5118. [placeholder] +5118. [security] Named could crash if it is managing a key with + `managed-keys` and the authoritative zone is rolling + the key to an unsupported algorithm. (CVE-2018-5745) + [GL #780] 5117. [placeholder] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 83cdfc2bae..e7ebbd0fb2 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -140,6 +140,14 @@ for records in the zone. [GL #771] + + + named could crash if it managed a DNSSEC + security root with managed-keys and the + authoritative zone rolled the key to an algorithm not supported + by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] + + From 3022633d795bc9f04103ac9a354c026ce9b4eea3 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 21 Dec 2018 15:55:44 -0800 Subject: [PATCH 5/5] use algorithm 255 for both unsupported keys --- bin/tests/system/mkeys/ns1/sign.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh index b24f9d5ddf..413fa20081 100644 --- a/bin/tests/system/mkeys/ns1/sign.sh +++ b/bin/tests/system/mkeys/ns1/sign.sh @@ -30,7 +30,7 @@ cp managed.conf ../ns5/managed.conf keyfile_to_trusted_keys $keyname > trusted.conf # Prepare an unsupported algorithm key. -unsupportedkey=K.+003+28683 +unsupportedkey=Kunknown.+255+00000 cp unsupported.key "${unsupportedkey}.key" #