From ee42f66fbe386b07595a2ea445117b1f44d37497 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 25 Jan 2023 16:36:48 +0100
Subject: [PATCH 1/2] Force set DS state after 'rndc dnssec -checkds'

Set the DS state after issuing 'rndc dnssec -checkds'. If the DS was published, it should go in RUMOURED state, regardless whether it is already safe to do so according to the state machine. Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or UNRETENTIVE) would allow for easy shoot in the foot situations. Similar, if the DS was withdrawn, the state should be set to UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN) would also allow for easy shoot in the foot situations.
---
 bin/tests/system/kasp/tests.sh | 16 ++++++++++++----
 lib/dns/keymgr.c | 10 ++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 12b77cf071..2be9284cab 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -550,15 +550,23 @@ _wait_for_metadata() {
 n=$((n+1))
 echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
-rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
-retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+# DS State should be forced into RUMOURED.
+set_keystate "KEY1" "STATE_DS" "rumoured"
+check_keys
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 n=$((n+1))
 echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
-rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
-retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+# DS State should be forced into UNRETENTIVE.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+check_keys
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index d4b76bb19b..757c64678f 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
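Review bot: The replacement of the fixed timestamps 20190102121314 and 20200102121314 by `now=$(date +%Y%m%d%H%M%S)` before both rndc_checkds calls is not explained anywhere in the hunk, and the test previously demonstrated that an explicit past `-when` value is recorded as given, which it no longer does. Presumably a DSPublish/DSRemoved time years in the past would let the key manager advance the forced RUMOURED/UNRETENTIVE state before check_keys inspects it, but that is inferred and not visible here. If that is the reason, a one-line comment above the first `now=` assignment should say so, e.g. `# Use the current time: an old DSPublish/DSRemoved time would let the forced DS state advance before check_keys runs.`, and the same applies to the withdrawn block further down in this hunk.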
@@ -2273,9 +2273,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 }
 if (dspublish) {
+ dst_key_state_t s;
 dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
+ result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+ if (result != ISC_R_SUCCESS || s != RUMOURED) {
+ dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);
+ }
 } else {
+ dst_key_state_t s;
 dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
+ result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+ if (result != ISC_R_SUCCESS || s != UNRETENTIVE) {
+ dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE);
+ }
 }
 if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) {
From 38ffe5acf3abbd9e7b8b258a306a08fb08afe22e Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 25 Jan 2023 16:43:13 +0100
Subject: [PATCH 2/2] Add CHANGES for #3822
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index f73e609c15..a46cecb382 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds'
+ command. [GL #3822]
+
 6078. [func] Cleanup the memory statistic counters to a bare minumum
 - InUse with Malloced as alias. [GL #3718]
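Review bot: `result` is reused for the `dst_key_getstate()` lookups in both branches, so a key with no stored DS state (a failing lookup) leaves an error code in `result` even though `dst_key_setstate()` then forces the state as intended; whether that error reaches the caller depends on how keymgr_checkds finishes, which is outside this hunk, so it is worth keeping the lookup result local rather than relying on a later reassignment. The lookup-and-force logic is also duplicated verbatim for RUMOURED and UNRETENTIVE, and nothing in the code records why the state machine is being bypassed here, which only the commit message explains. Folding both branches into a single target state removes the duplication and the `result` reuse, and a short comment captures the intent. keymgr_checkds starts and ends outside the hunk.
```c
	if (dspublish) {
		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
	} else {
		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
	}

	/*
	 * The operator has confirmed the DS change in the parent, so force
	 * the DS state to match regardless of what the state machine
	 * currently believes.
	 */
	dst_key_state_t target = dspublish ? RUMOURED : UNRETENTIVE;
	dst_key_state_t s;
	if (dst_key_getstate(ksk_key->key, DST_KEY_DS, &s) != ISC_R_SUCCESS ||
	    s != target)
	{
		dst_key_setstate(ksk_key->key, DST_KEY_DS, target);
	}
	/* … unchanged: ISC_LOG_NOTICE logging … */
```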