diff --git a/CHANGES b/CHANGES
index 25767b261a..4857eb3046 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3020. [bug] auto-dnssec failed to correctly update the zone when
+ changing the DNSKEY RRset. [RT #23232]
+
 3019. [func] Test: check apex NSEC3 records after adding DNSKEY record via UPDATE. [RT #23229]
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 84b8914345..aaa2817c7a 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.25 2011/02/14 23:53:43 marka Exp $
+; $Id: example.db.in,v 1.26 2011/02/15 22:02:36 marka Exp $
 $TTL 300 ; 5 minutes
 @ IN SOA mname1. . (
@@ -110,3 +110,9 @@ ns.kskonly A 10.53.0.3
 update-nsec3 NS ns.update-nsec3
 ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 7e90594253..9b6f1d1b3c 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.42 2011/02/14 23:53:44 marka Exp $
+# $Id: sign.sh,v 1.43 2011/02/15 22:02:36 marka Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -31,7 +31,8 @@ zonefile=example.db
 ( cd ../ns3 && sh sign.sh )
 for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
- optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3
+ optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
+ auto-nsec auto-nsec3
 do
 cp ../ns3/dsset-$subdomain.example. .
 done
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
new file mode 100644
index 0000000000..09f63fc020
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/auto-nsec.example.db.in
@@ -0,0 +1,45 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: auto-nsec.example.db.in,v 1.2 2011/02/15 22:02:36 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
new file mode 100644
index 0000000000..49e1029169
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in
@@ -0,0 +1,45 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: auto-nsec3.example.db.in,v 1.2 2011/02/15 22:02:36 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
+nosoa NS ns.nosoa
+ns.nosoa A 10.53.0.7
+
+normalthenrrsig A 10.0.0.28
+rrsigonly A 10.0.0.29
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 2bf03bece5..f3bb617e05 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.41 2011/02/14 23:53:44 marka Exp $ */
+/* $Id: named.conf,v 1.42 2011/02/15 22:02:36 marka Exp $ */
 // NS3
@@ -178,4 +178,18 @@ zone "update-nsec3.example" {
 file "update-nsec3.example.db.signed";
 };
+zone "auto-nsec.example" {
+ type master;
+ auto-dnssec maintain;
+ allow-update { !0.0.0.0; };
+ file "auto-nsec.example.db.signed";
+};
+
+zone "auto-nsec3.example" {
+ type master;
+ auto-dnssec maintain;
+ allow-update { !0.0.0.0; };
+ file "auto-nsec3.example.db.signed";
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 7edea92908..e820f23e86 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.35 2011/02/14 23:53:44 marka Exp $
+# $Id: sign.sh,v 1.36 2011/02/15 22:02:36 marka Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
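Review bot: `allow-update { !0.0.0.0; };` in both new zone blocks reads like a permit to anyone unfamiliar with the ACL idiom, but an ACL containing only a negated element matches nothing, so it denies every UPDATE while still making the zone dynamic, which `auto-dnssec maintain;` requires. A one-line comment above each block would save the next reader a trip to the manual, e.g. `// dynamic zone with all remote updates denied; auto-dnssec maintain needs a dynamic zone`. The same comment applies to the auto-nsec3.example block.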
@@ -285,3 +285,33 @@ kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A NSEC signed zone that will have auto-dnssec enabled and
+# extra keys not in the initial signed zone.
+#
+zone=auto-nsec.example.
+infile=auto-nsec.example.db.in
+zonefile=auto-nsec.example.db
+
+kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A NSEC3 signed zone that will have auto-dnssec enabled and
+# extra keys not in the initial signed zone.
+#
+zone=auto-nsec3.example.
+infile=auto-nsec3.example.db.in
+zonefile=auto-nsec3.example.db
+
+kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index d7bb493b62..506d9e79a6 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -15,7 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.19 2011/01/04 23:47:13 tbox Exp $
+# $Id: setup.sh,v 1.20 2011/02/15 22:02:36 marka Exp $
+
+sh clean.sh
 ../../../tools/genrandom 400 random.data
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 5af35b92a7..4dc452d2a5 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
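Review bot: The duplicated `kskname=`$KEYGEN ...`` / `zskname=`$KEYGEN ...`` pairs in both new blocks look like a copy-paste slip at first glance, because the first pair's variables are overwritten before `cat` uses them and those keys never reach the zone file. That is the intent the block comments describe (keys present in the key directory but absent from the initially signed zone, so auto-dnssec has to pick them up), but it deserves an inline comment on the first pair such as `# generated but deliberately left out of the zone file; auto-dnssec must add them` so nobody "fixes" it later. Both blocks also discard the signer's output with `> /dev/null 2>&1` and never check its exit status, so a failed signing only surfaces later as a confusing test failure; the existing block shown as context does the same, so this is consistent with the file, but an `|| echo "I:signing $zone failed"` would localise the problem.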
@@ -15,13 +15,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.75 2011/02/14 23:53:43 marka Exp $
+# $Id: tests.sh,v 1.76 2011/02/15 22:02:36 marka Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 status=0
-n=0
+n=1
 rm -f dig.out.*
@@ -1135,5 +1135,25 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC[^3].* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 7ca4a6d2cc..1ff3da382e 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.c,v 1.584 2011/02/07 00:10:36 marka Exp $ */
+/* $Id: zone.c,v 1.585 2011/02/15 22:02:36 marka Exp $ */
 /*! \file */
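Review bot: The two new checks in the second hunk query ns4 exactly once with no wait or retry, so they pass only if ns3 has already finished the load-time rekey and ns4 has not cached an earlier answer by the time the script gets this far; the preceding tests presumably take long enough, but a bounded retry loop around the `$DIG`/`grep` pair would remove the timing dependence, which is the usual failure mode for these system tests. The `IN.NSEC[^3].* TYPE65534` and `IN.NSEC3 .* TYPE65534` greps are the substantive assertion (the apex NSEC/NSEC3 type bitmap lists the private type, presumably the 65534 default, after the DNSKEY change), so a short comment such as `# the apex NSEC/NSEC3 must now list the private signing-state type added with the new DNSKEY` would explain the otherwise magic 65534. The `n=0` to `n=1` change in the first hunk renumbers every existing test's `($n)` label, which is harmless but shifts older log references by one.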
@@ -13649,7 +13649,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 static isc_result_t
 sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- dns_rdatatype_t type, dns_diff_t *diff)
+ dns_diff_t *diff, dns_diff_t *sig_diff)
 {
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire;
@@ -13673,23 +13673,15 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
- result = del_sigs(zone, db, ver, &zone->origin, type, diff,
- zone_keys, nkeys, now);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:del_sigs -> %s\n",
- dns_result_totext(result));
- goto failure;
- }
-
- result = add_sigs(db, ver, &zone->origin, type, diff, zone_keys,
- nkeys, zone->mctx, inception, soaexpire,
- check_ksk, keyset_kskonly);
+ result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
+ inception, soaexpire, now, check_ksk,
+ keyset_kskonly, sig_diff);
 if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR, "sign_apex:add_sigs -> %s\n",
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "sign_apex:update_sigs -> %s\n",
 dns_result_totext(result));
- failure:
+
 for (i = 0; i < nkeys; i++)
 dst_key_free(&zone_keys[i]);
 return (result);
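Review bot: sign_apex now takes two diffs but nothing says what each one is for; from the zone_rekey call site (later hunk) `diff` holds the apex changes that were already applied to the version and `sig_diff` is what gets journaled and then scanned for DNSKEY tuples, so the function only works if update_sigs moves every tuple of `diff` into `sig_diff` together with the RRSIG deletions and additions — update_sigs is outside this diff, so that is inferred rather than seen. A header comment above the definition in the first hunk stating that contract (`diff` is consumed and left empty; `sig_diff` receives its tuples plus the RRSIG changes for each RRset named in it; the caller must journal `sig_diff`, not `diff`) would pin it down for future callers. The `failure:` label removed in the second hunk was the only one visible; the body between the two hunks lies outside the diff, so I could not confirm that no `goto failure` remains there, although the commit presumably built.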
@@ -13804,6 +13796,26 @@ signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
 return (ISC_FALSE);
 }
+static isc_result_t
+add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ dns_name_t *origin;
+ isc_boolean_t build_nsec3;
+ isc_result_t result;
+
+ origin = dns_db_origin(db);
+ CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
+ &build_nsec3));
+ if (build_nsec3)
+ CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
+ ISC_FALSE, zone->privatetype, diff));
+ CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
+
+ failure:
+ return (result);
+}
+
 static void
 zone_rekey(dns_zone_t *zone) {
 isc_result_t result;
@@ -13813,7 +13825,7 @@ zone_rekey(dns_zone_t *zone) {
 dns_rdataset_t soaset, soasigs, keyset, keysigs;
 dns_dnsseckeylist_t dnskeys, keys, rmkeys;
 dns_dnsseckey_t *key;
- dns_diff_t diff;
+ dns_diff_t diff, sig_diff;
 isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
 isc_boolean_t fullsign;
 dns_ttl_t ttl = 3600;
@@ -13836,6 +13848,7 @@ zone_rekey(dns_zone_t *zone) {
 dir = dns_zone_getkeydirectory(zone);
 mctx = zone->mctx;
 dns_diff_init(mctx, &diff);
+ dns_diff_init(mctx, &sig_diff);
 CHECK(dns_zone_getdb(zone, &db));
 CHECK(dns_db_newversion(db, &ver));
@@ -13904,14 +13917,12 @@ zone_rekey(dns_zone_t *zone) {
 dnskey_sane(zone, db, ver, &diff)) {
 CHECK(dns_diff_apply(&diff, db, ver));
 CHECK(clean_nsec3param(zone, db, ver, &diff));
- CHECK(sign_apex(zone, db, ver, dns_rdatatype_dnskey,
- &diff));
 CHECK(add_signing_records(db, zone->privatetype,
 ver, &diff));
 CHECK(increment_soa_serial(db, ver, &diff, mctx));
- CHECK(sign_apex(zone, db, ver, dns_rdatatype_soa,
- &diff));
- CHECK(zone_journal(zone, &diff, "zone_rekey"));
+ CHECK(add_chains(zone, db, ver, &diff));
+ CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
+ CHECK(zone_journal(zone, &sig_diff, "zone_rekey"));
 commit = ISC_TRUE;
 }
 }
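Review bot: add_chains has no comment, and its position in zone_rekey (fourth hunk) is load-bearing but implicit: it runs after add_signing_records and increment_soa_serial, so the regenerated apex NSEC/NSEC3 bitmap can include the private type and the SOA change, and before sign_apex, so the new NSEC/NSEC3 records are among the RRsets signed and journaled through sig_diff. Suggest a comment above the function such as `/* Regenerate the apex NSEC, and the apex NSEC3 when a chain exists or is being built, so the type bitmaps reflect the apex changes in 'diff'; must run before sign_apex(). */`. Two smaller points: `dns_private_chains` is called with NULL for the NSEC flag and `updatesecure` is then called unconditionally, which presumably relies on `updatesecure(..., ISC_TRUE, ...)` being a no-op when the apex has no NSEC record — worth a line saying so; and `origin = dns_db_origin(db)` where sign_apex uses `&zone->origin` — both work, but the file reads better with one. The three loops in the following hunks now walk `sig_diff.tuples`, which is correct only if sign_apex/update_sigs moved the DNSKEY tuples from `diff` into `sig_diff`; a one-line comment at the first of them would make that dependency visible.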
@@ -13936,7 +13947,7 @@ zone_rekey(dns_zone_t *zone) {
 * Has a new key become active? If so, is it for
 * a new algorithm?
 */
- for (tuple = ISC_LIST_HEAD(diff.tuples);
+ for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
 tuple != NULL;
 tuple = ISC_LIST_NEXT(tuple, link)) {
 dns_rdata_dnskey_t dnskey;
@@ -14015,7 +14026,7 @@ zone_rekey(dns_zone_t *zone) {
 * the full zone, but only with the newly-added
 * keys.
 */
- for (tuple = ISC_LIST_HEAD(diff.tuples);
+ for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
 tuple != NULL;
 tuple = ISC_LIST_NEXT(tuple, link)) {
 dns_rdata_dnskey_t dnskey;
@@ -14056,7 +14067,7 @@ zone_rekey(dns_zone_t *zone) {
 * Cause the zone to add/delete NSEC3 chains for the
 * deferred NSEC3PARAM changes.
 */
- for (tuple = ISC_LIST_HEAD(diff.tuples);
+ for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
 tuple != NULL;
 tuple = ISC_LIST_NEXT(tuple, link)) {
 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -14129,6 +14140,7 @@ zone_rekey(dns_zone_t *zone) {
 failure:
 dns_diff_clear(&diff);
+ dns_diff_clear(&sig_diff);
 clear_keylist(&dnskeys, mctx);
 clear_keylist(&keys, mctx);