From 821f041d8cc8e816a3fb942a75d0b876566b4769 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Fri, 5 Oct 2018 12:00:42 -0700
Subject: [PATCH] "dnssec-keys" is now a synonym for "managed-keys"
- managed-keys is now deprecated as well as trusted-keys, though it continues to work as a synonym for dnssec-keys
- references to managed-keys have been updated throughout the code.
- tests have been updated to use dnssec-keys format
- also the trusted-keys entries have been removed from the generated bind.keys.h file and are no longer generated by bindkeys.pl.
---
bin/delv/delv.c | 56 ++++++----
bin/named/config.c | 4 +-
bin/named/server.c | 22 +++-
.../checkconf/bad-duplicate-root-key.conf | 2 +-
.../system/checkconf/check-dlv-ksk-key.conf | 2 +-
.../system/checkconf/check-root-ksk-2010.conf | 2 +-
.../system/checkconf/check-root-ksk-2017.conf | 2 +-
.../system/checkconf/check-root-ksk-both.conf | 2 +-
.../checkconf/check-root-mixed-key.conf | 2 +-
.../checkconf/check-root-static-key.conf | 2 +-
.../checkconf/good-dup-managed-key.conf | 2 +-
bin/tests/system/checkconf/tests.sh | 2 +-
bin/tests/system/conf.sh.common | 10 +-
bin/tests/system/genzone.sh | 2 +-
bin/tests/system/legacy/ns1/trusted.conf | 2 +-
bin/tests/system/mkeys/README | 7 +-
bin/tests/system/mkeys/ns3/named.conf.in | 2 +-
bin/tests/system/rpz/setup.sh | 2 +-
bind.keys | 2 +-
bind.keys.h | 45 +------
lib/bind9/check.c | 104 ++++++++++++++----
lib/irs/dnsconf.c | 61 ++++++----
lib/irs/include/irs/dnsconf.h | 10 +-
lib/isccfg/namedconf.c | 27 +++--
util/bindkeys.pl | 8 +-
25 files changed, 223 insertions(+), 159 deletions(-)
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index 7cab8602ea..d07f2bb49f 100644
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -133,13 +133,13 @@ static bool use_tcp = false; static char *anchorfile = NULL; static char *trust_anchor = NULL; static char *dlv_anchor = NULL; -static int trusted_keys = 0; +static int num_keys = 0; static dns_fixedname_t afn, dfn; static dns_name_t *anchor_name = NULL, *dlv_name = NULL; /* Default bind.keys contents */ -static char anchortext[] = MANAGED_KEYS; +static char anchortext[] = DNSSEC_KEYS; /* * Static function prototypes @@ -642,7 +642,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) { CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in, keyname, &rrdatabuf)); - trusted_keys++; + num_keys++; cleanup: if (result == DST_R_NOCRYPTO) @@ -693,13 +693,15 @@ static isc_result_t setup_dnsseckeys(dns_client_t *client) { isc_result_t result; cfg_parser_t *parser = NULL; - const cfg_obj_t *keys = NULL; + const cfg_obj_t *trusted_keys = NULL; const cfg_obj_t *managed_keys = NULL; + const cfg_obj_t *dnssec_keys = NULL; cfg_obj_t *bindkeys = NULL; const char *filename = anchorfile; - if (!root_validation && !dlv_validation) + if (!root_validation && !dlv_validation) { return (ISC_R_SUCCESS); + } if (filename == NULL) { #ifndef WIN32 
@@ -714,27 +716,33 @@ setup_dnsseckeys(dns_client_t *client) { if (trust_anchor == NULL) { trust_anchor = isc_mem_strdup(mctx, "."); - if (trust_anchor == NULL) + if (trust_anchor == NULL) { fatal("out of memory"); + } } - if (trust_anchor != NULL) + if (trust_anchor != NULL) { CHECK(convert_name(&afn, &anchor_name, trust_anchor)); - if (dlv_anchor != NULL) + } + if (dlv_anchor != NULL) { CHECK(convert_name(&dfn, &dlv_name, dlv_anchor)); + } CHECK(cfg_parser_create(mctx, dns_lctx, &parser)); if (access(filename, R_OK) != 0) { - if (anchorfile != NULL) + if (anchorfile != NULL) { fatal("Unable to read key file '%s'", anchorfile); + } } else { result = cfg_parse_file(parser, filename, &cfg_type_bindkeys, &bindkeys); - if (result != ISC_R_SUCCESS) - if (anchorfile != NULL) + if (result != ISC_R_SUCCESS) { + if (anchorfile != NULL) { fatal("Unable to load keys from '%s'", anchorfile); + } + } } if (bindkeys == NULL) { 
@@ -744,25 +752,34 @@ setup_dnsseckeys(dns_client_t *client) { isc_buffer_add(&b, sizeof(anchortext) - 1); result = cfg_parse_buffer(parser, &b, NULL, 0, &cfg_type_bindkeys, 0, &bindkeys); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { fatal("Unable to parse built-in keys"); + } } INSIST(bindkeys != NULL); - cfg_map_get(bindkeys, "trusted-keys", &keys); + cfg_map_get(bindkeys, "trusted-keys", &trusted_keys); cfg_map_get(bindkeys, "managed-keys", &managed_keys); + cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys); - if (keys != NULL) - CHECK(load_keys(keys, client)); - if (managed_keys != NULL) + if (trusted_keys != NULL) { + CHECK(load_keys(trusted_keys, client)); + } + if (managed_keys != NULL) { CHECK(load_keys(managed_keys, client)); + } + if (dnssec_keys != NULL) { + CHECK(load_keys(dnssec_keys, client)); + } result = ISC_R_SUCCESS; - if (trusted_keys == 0) + if (num_keys == 0) { fatal("No trusted keys were loaded"); + } - if (dlv_validation) + if (dlv_validation) { dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor); + } cleanup: @@ -772,9 +789,10 @@ setup_dnsseckeys(dns_client_t *client) { if (parser != NULL) { cfg_parser_destroy(&parser); } - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s", isc_result_totext(result)); + } return (result); } diff --git a/bin/named/config.c b/bin/named/config.c index add0a46e98..eac60c2713 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -290,10 +290,10 @@ view \"_bind\" chaos {\n\ # \"dnssec-validation auto;\" is set and\n\ # sysconfdir/bind.keys doesn't exist).\n\ #\n\ -# BEGIN MANAGED KEYS\n" +# BEGIN DNSSEC KEYS\n" /* Imported from bind.keys.h: */ -MANAGED_KEYS +DNSSEC_KEYS "# END MANAGED KEYS\n\ \n\ diff --git a/bin/named/server.c b/bin/named/server.c index 6a4fd535d5..4f3c471b25 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
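Review bot: The three clause lookups are all handed to the same `load_keys(…, client)` call, and the `-642` hunk shows every key ending in `dns_client_addtrustedkey()`, so an `initial-key` entry in `dnssec-keys` or `managed-keys` is installed exactly like a `static-key` one — the keyinit field makes no visible difference in delv. That is reasonable for a one-shot validator, but it is not documented anywhere near the three calls, and an operator reading bind.keys will assume `initial-key` implies RFC 5011 behaviour. Add above the first `load_keys` call: `/* delv keeps no managed-key database: initial-key and static-key entries from all three clauses are installed as plain static trust anchors (presumably via key_fromconfig); no RFC 5011 tracking happens here. */`. `setup_dnsseckeys()` begins before this hunk.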
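Review bot: The built-in config's delimiter comments are now mismatched: the opening marker was renamed to `# BEGIN DNSSEC KEYS\n"` but the closing line two lines below is still `"# END MANAGED KEYS\n\`. Anything that brackets the embedded anchor block by these markers — a script, or a reader of the printed built-in configuration — now sees a BEGIN with no matching END. Change the closing line to `"# END DNSSEC KEYS\n\`.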
@@ -901,7 +901,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots, /* * Add the key to 'secroots'. Keys from a "dnssec-keys" or - * "managed-keys" * statement may be either static or initializing + * "managed-keys" statement may be either static or initializing * keys. If it's not initializing, we don't want to treat it as * managed, so we use 'initializing' twice here, for both the * 'managed' and 'initializing' arguments to dns_keytable_add(). @@ -1002,7 +1002,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *view_keys = NULL; const cfg_obj_t *global_keys = NULL; const cfg_obj_t *view_managed_keys = NULL; + const cfg_obj_t *view_dnssec_keys = NULL; const cfg_obj_t *global_managed_keys = NULL; + const cfg_obj_t *global_dnssec_keys = NULL; const cfg_obj_t *maps[4]; const cfg_obj_t *voptions = NULL; const cfg_obj_t *options = NULL; @@ -1022,15 +1024,24 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, if (voptions != NULL) { (void) cfg_map_get(voptions, "trusted-keys", &view_keys); + + /* managed-keys and dnssec-keys are synonyms. */ (void) cfg_map_get(voptions, "managed-keys", &view_managed_keys); + (void) cfg_map_get(voptions, "dnssec-keys", + &view_dnssec_keys); + maps[i++] = voptions; } } if (config != NULL) { (void)cfg_map_get(config, "trusted-keys", &global_keys); + + /* managed-keys and dnssec-keys are synonyms. */ (void)cfg_map_get(config, "managed-keys", &global_managed_keys); + (void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys); + (void)cfg_map_get(config, "options", &options); if (options != NULL) { maps[i++] = options; @@ -1061,7 +1072,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, /* * If bind.keys exists and is populated, it overrides - * the managed-keys clause hard-coded in named_g_config. + * the dnssec-keys clause hard-coded in named_g_config. */ if (bindkeys != NULL) { isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY, 
@@ -1070,7 +1081,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, "from '%s'", view->name, named_g_server->bindkeysfile); - (void)cfg_map_get(bindkeys, "managed-keys", + (void)cfg_map_get(bindkeys, "dnssec-keys", &builtin_keys); if (builtin_keys == NULL) { @@ -1090,7 +1101,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, "using built-in root key for view %s", view->name); - (void)cfg_map_get(named_g_config, "managed-keys", + (void)cfg_map_get(named_g_config, "dnssec-keys", &builtin_keys); } @@ -1110,11 +1121,14 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, CHECK(load_view_keys(view_keys, view, false, NULL, mctx)); CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx)); + CHECK(load_view_keys(view_dnssec_keys, view, true, NULL, mctx)); if (view->rdclass == dns_rdataclass_in) { CHECK(load_view_keys(global_keys, view, false, NULL, mctx)); CHECK(load_view_keys(global_managed_keys, view, true, NULL, mctx)); + CHECK(load_view_keys(global_dnssec_keys, view, true, + NULL, mctx)); } /* diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf index 1e72ad4a6d..9517db941e 100644 --- a/bin/tests/system/checkconf/bad-duplicate-root-key.conf +++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf @@ -13,7 +13,7 @@ options { dnssec-validation yes; }; -managed-keys { +dnssec-keys { . initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY diff --git a/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bin/tests/system/checkconf/check-dlv-ksk-key.conf index e08acba3cb..93a0040db0 100644 --- a/bin/tests/system/checkconf/check-dlv-ksk-key.conf +++ b/bin/tests/system/checkconf/check-dlv-ksk-key.conf 
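Review bot: The on-disk bind.keys is now queried only with `cfg_map_get(bindkeys, "dnssec-keys", &builtin_keys)`, yet every bind.keys already installed by a previous release uses `managed-keys { … }` (the old contents are visible in the bind.keys hunk), and the bind.keys grammar in namedconf.c still accepts `managed-keys` and `trusted-keys`, so such a file parses cleanly, yields `builtin_keys == NULL`, and the code falls into the `builtin_keys == NULL` branch — which, judging by the "using built-in root key" message in the `-1090` hunk, substitutes the compiled-in root key. An operator who replaced bind.keys to pin a different root anchor (for example during a rollover) would have that override silently discarded in favour of the built-in key. Fall back to the synonym before giving up: `(void)cfg_map_get(bindkeys, "dnssec-keys", &builtin_keys); if (builtin_keys == NULL) { (void)cfg_map_get(bindkeys, "managed-keys", &builtin_keys); }`. `configure_view_dnsseckeys()` extends well beyond this hunk, so the exact fallback behaviour is inferred from the log message rather than seen.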
@@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -managed-keys { +dnssec-keys { dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8 +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf index 6f02bd96ba..edd2b85804 100644 --- a/bin/tests/system/checkconf/check-root-ksk-2010.conf +++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -managed-keys { +dnssec-keys { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf index bf9f82fc47..af36330646 100644 --- a/bin/tests/system/checkconf/check-root-ksk-2017.conf +++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -managed-keys { +dnssec-keys { # This key (20326) was published in the root zone in 2017. # Servers which were already using the old key (19036) should # roll seamlessly to this new one via RFC 5011 rollover. Servers diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf index cc76a2ee2b..755ef94279 100644 --- a/bin/tests/system/checkconf/check-root-ksk-both.conf +++ b/bin/tests/system/checkconf/check-root-ksk-both.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -managed-keys { +dnssec-keys { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from 
diff --git a/bin/tests/system/checkconf/check-root-mixed-key.conf b/bin/tests/system/checkconf/check-root-mixed-key.conf index a9001c1aed..ba3a02a3f0 100644 --- a/bin/tests/system/checkconf/check-root-mixed-key.conf +++ b/bin/tests/system/checkconf/check-root-mixed-key.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -managed-keys { +dnssec-keys { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from diff --git a/bin/tests/system/checkconf/check-root-static-key.conf b/bin/tests/system/checkconf/check-root-static-key.conf index cbadc89567..e416944fe6 100644 --- a/bin/tests/system/checkconf/check-root-static-key.conf +++ b/bin/tests/system/checkconf/check-root-static-key.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -managed-keys { +dnssec-keys { # This key (20326) was published in the root zone in 2017. # Servers which were already using the old key (19036) should # roll seamlessly to this new one via RFC 5011 rollover. Servers diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf index 38533fc85f..391b83c2bc 100644 --- a/bin/tests/system/checkconf/good-dup-managed-key.conf +++ b/bin/tests/system/checkconf/good-dup-managed-key.conf @@ -13,7 +13,7 @@ options { dnssec-validation yes; }; -managed-keys { +dnssec-keys { example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index c719f43b62..0b74c4d128 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -427,7 +427,7 @@ echo_i "check that the dlv.isc.org KSK generates a warning ($n)" ret=0 $CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "entry for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1 +grep "trust anchor for dlv.isc.org is present" checkconf.out$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index e15ebb7bd6..1eb8db8053 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -216,7 +216,7 @@ keyfile_to_keys_section() { for keyname in $*; do awk '!/^; /{ printf "\t\""$1"\" " - printf "'"$key_prefix"'" + printf "'"$key_prefix "'" printf $4 " " $5 " " $6 " \"" for (i=7; i<=NF; i++) printf $i printf "\";\n" @@ -226,17 +226,17 @@ keyfile_to_keys_section() { } # keyfile_to_trusted_keys: convert key data contained in the keyfile(s) -# provided to a *static* "managed-keys" section suitable for including in a +# provided to a *static* "dnssec-keys" section suitable for including in a # resolver's configuration file keyfile_to_trusted_keys() { - keyfile_to_keys_section "managed-keys" "static-key" $* + keyfile_to_keys_section "dnssec-keys" "static-key" $* } # keyfile_to_managed_keys: convert key data contained in the keyfile(s) -# provided to a "managed-keys" section suitable for including in a +# provided to a "dnssec-keys" section suitable for including in a # resolver's configuration file keyfile_to_managed_keys() { - keyfile_to_keys_section "managed-keys" "initial-key" $* + keyfile_to_keys_section "dnssec-keys" "initial-key" $* } # nextpart*() - functions for reading files incrementally diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh index cccbab3e8e..b7e1072ab3 100644 --- a/bin/tests/system/genzone.sh +++ b/bin/tests/system/genzone.sh 
@@ -487,7 +487,7 @@ dlv DLV 30795 1 1 ( ; type 65280-65534 (private use) -; keydata (internal type used for managed-keys) +; keydata (internal type used for managed keys) keydata TYPE65533 \# 0 keydata TYPE65533 \# 6 010203040506 keydata TYPE65533 \# 18 010203040506010203040506010203040506 diff --git a/bin/tests/system/legacy/ns1/trusted.conf b/bin/tests/system/legacy/ns1/trusted.conf index 1548f17d6d..e1abe9ad4b 100644 --- a/bin/tests/system/legacy/ns1/trusted.conf +++ b/bin/tests/system/legacy/ns1/trusted.conf @@ -1,3 +1,3 @@ -managed-keys { +dnssec-keys { "edns512-notcp." static-key 257 3 10 "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"; }; diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README index 6a4fd4e195..7ae3f3c2f5 100644 --- a/bin/tests/system/mkeys/README +++ b/bin/tests/system/mkeys/README @@ -2,17 +2,16 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC") See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -This is for testing managed-keys, in particular with problems -with RFC 5011 Automated Updates of DNSSEC Trust Anchors. +This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors. ns1 is the root server that offers new KSKs and hosts one record for testing. The TTL for the zone's records is 2 seconds. -ns2 is a validator that uses managed-keys. "-T mkeytimers=2/20/40" +ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40" is used so it will attempt do automated updates frequently. "-T tat=1" is used so it will send TAT queries once per second. -ns3 is a validator with a broken key in managed-keys. +ns3 is a validator with a broken initializing key in dnssec-keys. ns4 is a validator with a deliberately broken managed-keys.bind and managed-keys.jnl, causing RFC 5011 initialization to fail. diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in index 6720b3a632..914d1eb3de 100644 
--- a/bin/tests/system/mkeys/ns3/named.conf.in +++ b/bin/tests/system/mkeys/ns3/named.conf.in @@ -41,6 +41,6 @@ zone "." { }; # purposely broken key for testing -managed-keys { +dnssec-keys { "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q=="; }; diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 2d5bb8a402..3318e33329 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -81,7 +81,7 @@ signzone () { KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2` cat $1/$3 $1/$KEYNAME.key > $1/tmp $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null - sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/managed-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf + sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf DSFILENAME=dsset-${2}${TP} rm $DSFILENAME $1/tmp } diff --git a/bind.keys b/bind.keys index c176f18a2c..e04e4c0567 100644 --- a/bind.keys +++ b/bind.keys @@ -26,7 +26,7 @@ # See https://data.iana.org/root-anchors/root-anchors.xml for current trust # anchor information for the root zone. -managed-keys { +dnssec-keys { # This key (20326) was published in the root zone in 2017. . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv diff --git a/bind.keys.h b/bind.keys.h index ec2d0e9233..9fd13febe0 100644 --- a/bind.keys.h +++ b/bind.keys.h @@ -1,6 +1,6 @@ #ifndef BIND_KEYS_H #define BIND_KEYS_H 1 -#define TRUSTED_KEYS "\ +#define DNSSEC_KEYS "\ # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ # which are included as part of BIND 9. The only trust anchors it contains\n\ # are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\ 
@@ -29,48 +29,7 @@ # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\ # anchor information for the root zone.\n\ \n\ -trusted-keys {\n\ - # This key (20326) was published in the root zone in 2017.\n\ - . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ - +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ - ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\ - 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\ - oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\ - RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\ - R1AkUTV74bU=\";\n\ -};\n\ -" - -#define MANAGED_KEYS "\ -# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ -# which are included as part of BIND 9. The only trust anchors it contains\n\ -# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\ -# be configured elsewhere; if they are configured here, they will not be\n\ -# recognized or used by named.\n\ -#\n\ -# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\ -# named.conf options, or else leave \"dnssec-validation\" unset. If\n\ -# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\ -# ignored; keys will need to be explicitly configured in named.conf for\n\ -# validation to work. \"auto\" is the default setting, unless named is\n\ -# built with \"configure --disable-auto-validation\", in which case the\n\ -# default is \"yes\".\n\ -#\n\ -# This file is NOT expected to be user-configured.\n\ -#\n\ -# Servers being set up for the first time can use the contents of this file\n\ -# as initializing keys; thereafter, the keys in the managed key database\n\ -# will be trusted and maintained automatically.\n\ -#\n\ -# These keys are current as of Mar 2019. If any key fails to initialize\n\ -# correctly, it may have expired. In that event you should replace this\n\ -# file with a current version. 
The latest version of bind.keys can always\n\ -# be obtained from ISC at https://www.isc.org/bind-keys.\n\ -#\n\ -# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\ -# anchor information for the root zone.\n\ -\n\ -managed-keys {\n\ +dnssec-keys {\n\ # This key (20326) was published in the root zone in 2017.\n\ . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 5a55a3e352..f2baa933ba 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -3514,7 +3514,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const cfg_obj_t *opts = NULL; const cfg_obj_t *plugin_list = NULL; bool autovalidation = false; - unsigned int tflags, mflags; + bool enablednssec, enablevalidation; + const char *valstr = "no"; + unsigned int tflags = 0, dflags = 0, mflags = 0; /* * Get global options block @@ -3665,7 +3667,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, isc_symtab_destroy(&symtab); /* - * Check trusted-keys and managed-keys. + * Check trusted-keys and dnssec-keys/managed-keys. */ tkeys = NULL; if (voptions != NULL) { @@ -3675,7 +3677,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, (void)cfg_map_get(config, "trusted-keys", &tkeys); } - tflags = 0; for (element = cfg_list_first(tkeys); element != NULL; element = cfg_list_next(element)) 
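Review bot: The new locals `enablednssec`, `enablevalidation` and `valstr` added to `check_viewconf()` are not read or assigned by any hunk in this patch (`valstr` is only initialized to `"no"`), so as far as this diff shows they are dead declarations that will produce `-Wunused-variable` / `-Wunused-but-set-variable` warnings, and a build break under `-Werror`. If they belong to a follow-up change, keep them out of this commit; otherwise delete `bool enablednssec, enablevalidation;` and `const char *valstr = "no";`. `check_viewconf()` starts before this hunk and continues far past it, so a use in untouched code cannot be ruled out from here — but an untouched line cannot reference a variable that did not exist before this patch.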
@@ -3695,27 +3696,88 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, } if ((tflags & ROOT_KSK_STATIC) != 0) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING, "trusted-keys entry for the root zone " "WILL FAIL after key rollover - use " - "managed-keys with initial-key instead."); + "dnssec-keys with initial-key instead."); } if ((tflags & DLV_KSK_KEY) != 0) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, - "trusted-keys entry for dlv.isc.org is still " - "present: dlv.isc.org has been shut down"); + cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING, + "trust anchor for dlv.isc.org is present; " + "dlv.isc.org has been shut down"); } + keys = NULL; + if (voptions != NULL) { + (void)cfg_map_get(voptions, "dnssec-keys", &keys); + } + if (keys == NULL) { + (void)cfg_map_get(config, "dnssec-keys", &keys); + } + + for (element = cfg_list_first(keys); + element != NULL; + element = cfg_list_next(element)) + { + const cfg_obj_t *keylist = cfg_listelt_value(element); + for (element2 = cfg_list_first(keylist); + element2 != NULL; + element2 = cfg_list_next(element2)) + { + obj = cfg_listelt_value(element2); + tresult = check_trusted_key(obj, true, &dflags, + logctx); + if (tresult != ISC_R_SUCCESS) { + result = tresult; + } + } + } + + if ((dflags & ROOT_KSK_STATIC) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "static-key entry for the root zone " + "WILL FAIL after key rollover - use " + "dnssec-keys with initial-key instead."); + } + + if ((dflags & ROOT_KSK_2010) != 0 && (dflags & ROOT_KSK_2017) == 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "initial-key entry for the root zone " + "uses the 2010 key without the updated " + "2017 key"); + } + + if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "both trusted-keys and dnssec-keys " + "for the root zone are present"); + } + + if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) { + 
cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "both initial-key and static-key entries for the " + "root zone are present"); + } + + if ((dflags & DLV_KSK_KEY) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "trust anchor for dlv.isc.org is present; " + "dlv.isc.org has been shut down"); + } + + /* + * "managed-keys" is a backward-compatible synonym for + * "dnssec-keys"; perform the same checks. + */ mkeys = NULL; if (voptions != NULL) { (void)cfg_map_get(voptions, "managed-keys", &mkeys); } - if (keys == NULL) { + if (mkeys == NULL) { (void)cfg_map_get(config, "managed-keys", &mkeys); } - mflags = 0; for (element = cfg_list_first(mkeys); element != NULL; element = cfg_list_next(element)) 
@@ -3735,34 +3797,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, } if ((mflags & ROOT_KSK_STATIC) != 0) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, - "managed-keys static-key entry for the root zone " + cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, + "static-key entry for the root zone " "WILL FAIL after key rollover - use " - "managed-keys with initial-key instead."); + "dnssec-keys with initial-key instead."); } if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, - "managed-keys initial-key entry for the root zone " + cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, + "initial-key entry for the root zone " "uses the 2010 key without the updated " "2017 key"); } if ((tflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, - "both trusted-keys and managed-keys for the " - "root zone are present"); + cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, + "both trusted-keys and managed-keys " + "for the root zone are present"); } if ((mflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, "both initial-key and static-key entries for the " "root zone are present"); } if ((mflags & DLV_KSK_KEY) != 0) { - cfg_obj_log(keys, logctx, ISC_LOG_WARNING, - "managed-keys entry for dlv.isc.org still present; " + cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, + "trust anchor for dlv.isc.org is present; " "dlv.isc.org has been shut down"); } diff --git a/lib/irs/dnsconf.c b/lib/irs/dnsconf.c index 5e77e4775f..c7c32d22db 100644 --- a/lib/irs/dnsconf.c +++ b/lib/irs/dnsconf.c 
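Review bot: The cross-clause root-anchor warnings cover trusted-keys against dnssec-keys (`tflags`/`dflags`, previous hunk) and trusted-keys against managed-keys (`tflags`/`mflags`, here), but never dnssec-keys against managed-keys, even though this patch makes the two synonyms and server.c loads both. For the same reason a root `initial-key` in `dnssec-keys` plus a root `static-key` in `managed-keys` escapes both `== ROOT_KSK_ANY` tests, since `dflags` and `mflags` are never combined. After the `mflags` loop add `if ((dflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) { cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, "both dnssec-keys and managed-keys for the root zone are present"); }`, and consider testing `((dflags | mflags) & ROOT_KSK_ANY) == ROOT_KSK_ANY` for the mixed initial/static case. `check_viewconf()` continues past this hunk.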
@@ -164,19 +164,13 @@ configure_key(isc_mem_t *mctx, const cfg_obj_t *key, irs_dnsconf_t *conf, } static isc_result_t -configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj, - dns_rdataclass_t rdclass) +configure_keygroup(irs_dnsconf_t *conf, const cfg_obj_t *keys, + dns_rdataclass_t rdclass) { isc_result_t result; - isc_mem_t *mctx = conf->mctx; - const cfg_obj_t *keys = NULL; const cfg_obj_t *key, *keylist; const cfg_listelt_t *element, *element2; - - cfg_map_get(cfgobj, "trusted-keys", &keys); - if (keys == NULL) { - return (ISC_R_SUCCESS); - } + isc_mem_t *mctx = conf->mctx; for (element = cfg_list_first(keys); element != NULL; @@ -195,27 +189,46 @@ configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj, } } + return (ISC_R_SUCCESS); +} + +static isc_result_t +configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj, + dns_rdataclass_t rdclass) +{ + isc_result_t result; + const cfg_obj_t *keys = NULL; + + cfg_map_get(cfgobj, "trusted-keys", &keys); + if (keys == NULL) { + return (ISC_R_SUCCESS); + } + + result = configure_keygroup(conf, keys, rdclass); + if (result != ISC_R_SUCCESS) { + return (result); + } + + keys = NULL; + cfg_map_get(cfgobj, "dnssec-keys", &keys); + if (keys == NULL) { + return (ISC_R_SUCCESS); + } + + result = configure_keygroup(conf, keys, rdclass); + if (result != ISC_R_SUCCESS) { + return (result); + } + keys = NULL; cfg_map_get(cfgobj, "managed-keys", &keys); if (keys == NULL) { return (ISC_R_SUCCESS); } - for (element = cfg_list_first(keys); - element != NULL; - element = cfg_list_next(element)) - { - keylist = cfg_listelt_value(element); - for (element2 = cfg_list_first(keylist); - element2 != NULL; - element2 = cfg_list_next(element2)) - { - key = cfg_listelt_value(element2); - result = configure_key(mctx, key, conf, rdclass); - if (result != ISC_R_SUCCESS) { - return (result); - } - } + result = configure_keygroup(conf, keys, rdclass); + if (result != ISC_R_SUCCESS) { + return (result); } return (ISC_R_SUCCESS); 
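Review bot: The `if (keys == NULL) { return (ISC_R_SUCCESS); }` after each `cfg_map_get` in `configure_dnsseckeys()` makes the absence of a clause terminate the whole function: with no `trusted-keys` clause the `dnssec-keys` lookup is never reached, and with no `dnssec-keys` clause `managed-keys` is never reached. A file written in the form this very patch recommends — `dnssec-keys` only, as bind.keys now is — therefore loads zero trust anchors through this library while reporting success, which for a validating caller means no validation at all rather than an error. The original had the same flaw for `managed-keys` behind `trusted-keys`; the rewrite adds a second instance instead of removing it. Treat a missing clause as "skip", not "done", by iterating over the three clause names:
```c
static isc_result_t
configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
		     dns_rdataclass_t rdclass)
{
	/*
	 * All three spellings carry trust anchors; a clause that is
	 * absent is not an error and must not stop the remaining lookups.
	 */
	static const char *const clausenames[] = {
		"trusted-keys", "dnssec-keys", "managed-keys"
	};
	isc_result_t result;
	size_t i;

	for (i = 0; i < sizeof(clausenames) / sizeof(clausenames[0]); i++) {
		const cfg_obj_t *keys = NULL;

		cfg_map_get(cfgobj, clausenames[i], &keys);
		if (keys == NULL) {
			continue;
		}
		result = configure_keygroup(conf, keys, rdclass);
		if (result != ISC_R_SUCCESS) {
			return (result);
		}
	}

	return (ISC_R_SUCCESS);
}
```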
diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h index ecebc454e0..7e6f78d936 100644 --- a/lib/irs/include/irs/dnsconf.h +++ b/lib/irs/include/irs/dnsconf.h @@ -23,11 +23,11 @@ * Notes: * This module is very experimental and the configuration syntax or library * interfaces may change in future versions. Currently, only static - * key configuration is supported; "trusted-keys" and "managed-keys" - * statements will be parsed exactly as they are in named.conf, except - * that all "managed-keys" entries will be treated as if they were - * configured with "static-key", even if they were actually configured - * with "initial-key". + * key configuration is supported; "trusted-keys" and "dnssec-keys"/ + * "managed-keys" statements will be parsed exactly as they are in + * named.conf, except that "dnssec-keys" and "managed-keys" entries will + * be treated as if they were configured with "static-key", even if they + * were actually configured with "initial-key". */ #include diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 0c728141f0..de4f4a2c10 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -446,8 +446,8 @@ static cfg_type_t cfg_type_dnsseckey = { }; /*% - * A managed key initialization specifier, as used in the - * "managed-keys" statement. + * A key initialization specifier, as used in the + * "dnssec-keys" (or synonymous "managed-keys") statement. */ static const char *init_enums[] = { "static-key", "initial-key", NULL }; static cfg_type_t cfg_type_keyinit = { @@ -625,8 +625,8 @@ static cfg_type_t cfg_type_keylist = { }; /*% A list of dnssec keys, as in "trusted-keys". Deprecated. */ -static cfg_type_t cfg_type_dnsseckeys = { - "dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list, +static cfg_type_t cfg_type_trustedkeys = { + "trustedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey }; 
@@ -636,8 +636,8 @@ static cfg_type_t cfg_type_dnsseckeys = { * "initial-key" or "static-key". If "initial-key", then the key is * RFC 5011 managed; if "static-key", then the key never changes. */ -static cfg_type_t cfg_type_managedkeys = { - "managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list, +static cfg_type_t cfg_type_dnsseckeys = { + "dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey }; @@ -986,10 +986,12 @@ namedconf_or_view_clauses[] = { { "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI }, { "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI }, { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI }, - { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI }, + { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, + { "managed-keys", &cfg_type_dnsseckeys, + CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, { "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI }, { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI }, - { "trusted-keys", &cfg_type_dnsseckeys, + { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI }, { NULL, NULL, 0 } @@ -1000,8 +1002,11 @@ namedconf_or_view_clauses[] = { */ static cfg_clausedef_t bindkeys_clauses[] = { - { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI }, - { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, + { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, + { "managed-keys", &cfg_type_dnsseckeys, + CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, + { "trusted-keys", &cfg_type_trustedkeys, + CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, { NULL, NULL, 0 } }; 
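Review bot: `cfg_type_dnsseckeys` is repurposed rather than retired: before this patch the identifier named the static-key list (elements of `cfg_type_dnsseckey`, the `trusted-keys` shape, now called `cfg_type_trustedkeys`), and after it names the keyinit list (elements of `cfg_type_managedkey`). Every reference this diff touches is updated, but any use of `cfg_type_dnsseckeys` in a file not in this patch — if one exists — would keep compiling and silently start accepting `initial-key`/`static-key` syntax where bare keys were expected, because the name still resolves. Giving the new list a fresh name (e.g. `cfg_type_keyinitlist`) would turn such a stale reference into a compile error; failing that, note in the comment above this table that the type was re-pointed in this commit, e.g. `/* NOTE: before the dnssec-keys change this identifier was the bare key list now called cfg_type_trustedkeys. */`.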
@@ -2290,7 +2295,7 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = { &cfg_rep_map, namedconf_clausesets }; -/*% The bind.keys syntax (trusted-keys/managed-keys only). */ +/*% The bind.keys syntax (dnssec-keys/managed-keys/trusted-keys only). */ static cfg_clausedef_t * bindkeys_clausesets[] = { bindkeys_clauses, diff --git a/util/bindkeys.pl b/util/bindkeys.pl index 0fd5856062..2fd9219ee3 100755 --- a/util/bindkeys.pl +++ b/util/bindkeys.pl @@ -23,15 +23,9 @@ while (<>) { $lines .= $_ . "\n"; } -my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n"; - -$lines =~ s/managed-keys/trusted-keys/; -$lines =~ s/\s+initial-key//g; -my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n"; +my $mkey = '#define DNSSEC_KEYS "\\' . "\n" . $lines . "\"\n"; print "#ifndef BIND_KEYS_H\n"; print "#define BIND_KEYS_H 1\n"; -print $tkey; -print "\n"; print $mkey; print "#endif /* BIND_KEYS_H */\n";
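Review bot: The generator now copies bind.keys verbatim into `DNSSEC_KEYS` with no check on the clause name, while the removed `s/managed-keys/trusted-keys/` rewrite at least documented which clause was expected; since server.c now looks up `"dnssec-keys"` in `named_g_config` and config.c embeds this macro, a bind.keys later regenerated with a `managed-keys { … }` block would produce a header that builds fine and a named whose built-in lookup finds no root key. Fail the generation instead, e.g. `die "bind.keys must contain a dnssec-keys clause\n" unless $lines =~ /dnssec-keys\s*\{/;` before the `print` lines (the exact pattern depends on how `$lines` escapes the input, which this hunk only partly shows). As a style nit, `$mkey` now holds `DNSSEC_KEYS`; `$dkeys` would stop the name contradicting the macro.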