mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-25 11:38:29 +00:00
Code Issues Releases Wiki Activity

Error if signatures-refresh is too high

Browse Source 
The signatures-refresh should not near the signatures-validity value,
to prevent operational instability. Same is true when checking against
signatures-validity-dnskey.
This commit is contained in:
Matthijs Mekking 2022-05-06 16:54:49 +02:00
parent e7322e8f78
commit 82fd89107f
3 changed files with 86 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf Normal file
View File

@ -0,0 +1,44 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "bad-sigrefresh" {
keys {
csk lifetime unlimited algorithm 13;
};
signatures-validity P10D;
signatures-validity-dnskey P20D;
signatures-refresh P9DT1S;
};
dnssec-policy "bad-sigrefresh-dnskey" {
keys {
csk lifetime unlimited algorithm 13;
};
signatures-validity P20D;
signatures-validity-dnskey P10D;
signatures-refresh P9DT1S;
};
zone "sigrefresh.example.net" {
type primary;
file "sigrefresh.example.db";
dnssec-policy "bad-sigrefresh";
};
zone "dnskey.example.net" {
type primary;
file "dnskey.example.db";
dnssec-policy "bad-sigrefresh-dnskey";
};

11
bin/tests/system/checkconf/tests.sh
View File

@ -528,6 +528,17 @@ grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < ch
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
ret=0
$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
if [ $lines != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "checking named-checkconf kasp predefined key length ($n)" echo_i "checking named-checkconf kasp predefined key length ($n)"
ret=0 ret=0

38
lib/isccfg/kaspconf.c
View File

@ -268,6 +268,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
const char *kaspname = NULL; const char *kaspname = NULL;
dns_kasp_t *kasp = NULL; dns_kasp_t *kasp = NULL;
size_t i = 0; size_t i = 0;
uint32_t sigrefresh = 0, sigvalidity = 0;
REQUIRE(kaspp != NULL && *kaspp == NULL); REQUIRE(kaspp != NULL && *kaspp == NULL);
@ -308,13 +309,36 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
maps[i] = NULL; maps[i] = NULL;
/* Configuration: Signatures */ /* Configuration: Signatures */
dns_kasp_setsigrefresh(kasp, get_duration(maps, "signatures-refresh", sigrefresh = get_duration(maps, "signatures-refresh",
DNS_KASP_SIG_REFRESH)); DNS_KASP_SIG_REFRESH);
dns_kasp_setsigvalidity(kasp, get_duration(maps, "signatures-validity", dns_kasp_setsigrefresh(kasp, sigrefresh);
DNS_KASP_SIG_VALIDITY));
dns_kasp_setsigvalidity_dnskey( sigvalidity = get_duration(maps, "signatures-validity",
kasp, get_duration(maps, "signatures-validity-dnskey", DNS_KASP_SIG_VALIDITY);
DNS_KASP_SIG_VALIDITY_DNSKEY)); if (sigrefresh >= (sigvalidity * 0.9)) {
cfg_obj_log(config, logctx, ISC_LOG_ERROR,
"dnssec-policy: policy '%s' signatures-refresh "
"must be at most 90%% of the signatures-validity",
kaspname);
result = ISC_R_FAILURE;
}
dns_kasp_setsigvalidity(kasp, sigvalidity);
sigvalidity = get_duration(maps, "signatures-validity-dnskey",
DNS_KASP_SIG_VALIDITY_DNSKEY);
if (sigrefresh >= (sigvalidity * 0.9)) {
cfg_obj_log(
config, logctx, ISC_LOG_ERROR,
"dnssec-policy: policy '%s' signatures-refresh must be "
"at most 90%% of the signatures-validity-dnskey",
kaspname);
result = ISC_R_FAILURE;
}
dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/* Configuration: Keys */ /* Configuration: Keys */
dns_kasp_setdnskeyttl( dns_kasp_setdnskeyttl(