2968. [security] Named could fail to prove a data set was insecure

before marking it as insecure. One set of conditions that can trigger this occurs naturally when rolling DNSKEY algorithms. [RT #22309]
2025-09-02 07:35:26 +00:00 · 2010-11-16 01:14:51 +00:00
parent 7965c00ca8
commit a27b3757fd
8 changed files with 123 additions and 18 deletions
--- a/5
+++ b/5
@@ -1,3 +1,8 @@
 2968.	[security]	Named could fail to prove a data set was insecure
 			before marking it as insecure.  One set of conditions
 			that can trigger this occurs naturally when rolling
 			DNSKEY algorithms.  [RT #22309]
 2967.	[bug]		'host -D' now turns on debugging messages earlier.
 			[RT #22361]
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.10 2007/06/19 23:47:02 tbox Exp $
+; $Id: root.db.in,v 1.11 2010/11/16 01:14:51 marka Exp $
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
@@ -30,3 +30,5 @@ example.		NS	ns2.example.
 ns2.example.		A	10.53.0.2
 dlv.			NS	ns2.dlv.
 ns2.dlv.		A	10.53.0.2
 algroll			NS	ns2.algroll
 ns2.algroll.		A	10.53.0.2
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.33 2010/06/25 23:46:51 tbox Exp $
+# $Id: sign.sh,v 1.34 2010/11/16 01:14:51 marka Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -30,6 +30,7 @@ zonefile=root.db
 cp ../ns2/dsset-example. .
 cp ../ns2/dsset-dlv. .
 grep "8 [12]" ../ns2/dsset-algroll. > dsset-algroll.
 keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
--- a/bin/tests/system/dnssec/ns2/algroll.db.in
+++ b/bin/tests/system/dnssec/ns2/algroll.db.in
@@ -0,0 +1,32 @@
 ; Copyright (C) 2004, 2007-2010  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
 ; copyright notice and this permission notice appear in all copies.
 ;
 ; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 ; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 ; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 ; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 ; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 ; $Id: algroll.db.in,v 1.2 2010/11/16 01:14:51 marka Exp $
 $TTL 30	; 5 minutes
@			IN SOA	mname1. . (
 				2000042407 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
 				1814400    ; expire (3 weeks)
 				30       ; minimum (1 hour)
 				)
 			NS	ns2
 ns2			A	10.53.0.2
 ns3			A	10.53.0.3
 a			A	10.0.0.1
 b			A	10.0.0.2
 d			A	10.0.0.4
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.33 2010/09/07 00:58:35 marka Exp $ */
+/* $Id: named.conf,v 1.34 2010/11/16 01:14:51 marka Exp $ */
 // NS2
@@ -90,4 +90,9 @@ zone "single-nsec3" {
 	file "single-nsec3.db.signed";
 };
 zone "algroll" {
 	type master;
 	file "algroll.db.signed";
 };
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.40 2010/09/07 00:58:35 marka Exp $
+# $Id: sign.sh,v 1.41 2010/11/16 01:14:51 marka Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -142,3 +142,21 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 #
 # algroll has just has the old DNSKEY records removed and is waiting
 # for them to be flushed from caches.  We still need to generate
 # RRSIGs for the old DNSKEY.
 #
 zone=algroll.
 infile=algroll.db.in
 zonefile=algroll.db
 keyold1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
 keyold2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 keynew1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
 keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 cat $infile $keynew1.key $keynew2.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.70 2010/09/07 00:58:35 marka Exp $
+# $Id: tests.sh,v 1.71 2010/11/16 01:14:51 marka Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1036,6 +1036,14 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure ($n)"
 ret=0
 $DIG $DIGOPTS ns algroll. @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.195 2010/06/25 23:50:13 marka Exp $ */
+/* $Id: validator.c,v 1.196 2010/11/16 01:14:51 marka Exp $ */
 #include <config.h>
@@ -393,6 +393,7 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t want_destroy;
 	isc_result_t result;
 	isc_result_t eresult;
 	isc_result_t saved_result;
 	UNUSED(task);
 	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
@@ -429,6 +430,17 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 				val->keyset = &val->frdataset;
 		}
 		result = validate(val, ISC_TRUE);
 		if (result == DNS_R_NOVALIDSIG &&
 		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
 		{
 			saved_result = result;
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "falling back to insecurity proof");
 			val->attributes |= VALATTR_INSECURITY;
 			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
 			if (result == DNS_R_NOTINSECURE)
 				result = saved_result;
 		}
 		if (result != DNS_R_WAIT)
 			validator_done(val, result);
 	} else {
@@ -620,6 +632,7 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t want_destroy;
 	isc_result_t result;
 	isc_result_t eresult;
 	isc_result_t saved_result;
 	UNUSED(task);
 	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
@@ -646,6 +659,17 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 		if (val->frdataset.trust >= dns_trust_secure)
 			(void) get_dst_key(val, val->siginfo, &val->frdataset);
 		result = validate(val, ISC_TRUE);
 		if (result == DNS_R_NOVALIDSIG &&
 		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
 		{
 			saved_result = result;
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "falling back to insecurity proof");
 			val->attributes |= VALATTR_INSECURITY;
 			result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
 			if (result == DNS_R_NOTINSECURE)
 				result = saved_result;
 		}
 		if (result != DNS_R_WAIT)
 			validator_done(val, result);
 	} else {
@@ -1908,9 +1932,11 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 		 * was known and "sufficiently good".
 		 */
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      event->name,
+						    event->name,
-						      val->siginfo->algorithm))
+						    val->siginfo->algorithm)) {
 			resume = ISC_FALSE;
 			continue;
 		}
 		if (!resume) {
 			result = get_key(val, val->siginfo);
@@ -1921,18 +1947,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 		}
 		/*
-		 * The key is insecure, so mark the data as insecure also.
+		 * There isn't a secure DNSKEY for this signature so move
 		 * onto the next RRSIG.
 		 */
 		if (val->key == NULL) {
-			if (val->mustbesecure) {
+			resume = ISC_FALSE;
-				validator_log(val, ISC_LOG_WARNING,
+			continue;
 					      "must be secure failure,"
 					      " key is insecure, so mark the"
 					      " data as insecure also.");
 				return (DNS_R_MUSTBESECURE);
 			}
 			markanswer(val, "validate");
 			return (ISC_R_SUCCESS);
 		}
 		do {
@@ -3770,6 +3790,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 				 */
 				result = DNS_R_NOVALIDNSEC;
 				goto out;
 			} else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
 				   DNS_TRUST_ANSWER(val->frdataset.trust)) {
 				/*
 				 * If we have "trust == answer" then this namespace
 				 * has switched from insecure to should be secure.
 				 */
 				result = create_validator(val, tname,
 							  dns_rdatatype_ds,
 							  &val->frdataset,
 							  NULL, dsvalidated,
 							  "proveunsecure");
 				if (result != ISC_R_SUCCESS)
 					goto out;
 				return (DNS_R_WAIT);
 			} else if (val->frdataset.trust < dns_trust_secure) {
 				/*
 				 * This shouldn't happen, since the negative