From 2ebc4776caf9a5fd5ba90e49dec130b44f0aabed Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 9 Aug 2019 16:25:49 +1000 Subject: [PATCH 1/5] implement getoriginnode for sdb --- lib/dns/sdb.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-)
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index f6bfad0fe8..e7683a7918 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -677,6 +677,82 @@ destroynode(dns_sdbnode_t *node) {
 	detach((dns_db_t **) (void *)&sdb);
 }
 
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	dns_sdbimplementation_t *imp;
+	dns_name_t relname;
+	dns_name_t *name;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	imp = sdb->implementation;
+	name = &sdb->common.origin;
+
+	if (imp->methods->lookup2 != NULL) {
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+			dns_name_init(&relname, NULL);
+			name = &relname;
+		}
+	} else {
+		isc_buffer_init(&b, namestr, sizeof(namestr));
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+
+			dns_name_init(&relname, NULL);
+			result = dns_name_totext(&relname, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		} else {
+			result = dns_name_totext(name, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+		}
+		isc_buffer_putuint8(&b, 0);
+	}
+
+	result = createnode(sdb, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	MAYBE_LOCK(sdb);
+	if (imp->methods->lookup2 != NULL) {
+		result = imp->methods->lookup2(&sdb->common.origin, name,
+					       sdb->dbdata, node, NULL, NULL);
+	} else {
+		result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata,
+					      node, NULL, NULL);
+	}
+	MAYBE_UNLOCK(sdb);
+	if (result != ISC_R_SUCCESS &&
+	    !(result == ISC_R_NOTFOUND &&
+	      imp->methods->authority != NULL))
+	{
+		destroynode(node);
+		return (result);
+	}
+
+	if (imp->methods->authority != NULL) {
+		MAYBE_LOCK(sdb);
+		result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
+		MAYBE_UNLOCK(sdb);
+		if (result != ISC_R_SUCCESS) {
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 findnodeext(dns_db_t *db, const dns_name_t *name, bool create,
 	    dns_clientinfomethods_t *methods,
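Review bot: The non-lookup2 relative-owner branch renders a freshly initialised, empty `relname` into `namestr` with no comment saying why, and has a stray blank line right after its opening `if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {`; drop the blank line and put `/* The apex is the empty relative name ("@" in text form). */` above the `dns_name_init(&relname, NULL);` call. The failure test after `MAYBE_UNLOCK(sdb)` deliberately lets `ISC_R_NOTFOUND` through when an `authority()` callback exists, so the returned node may hold only what `authority()` adds; a why-comment there, e.g. `/* NOTFOUND is not fatal when authority() can still populate the apex node. */`, would stop a later reader from turning it into a plain error return. The body reads like the lookup-then-authority sequence of `findnodeext` (whose signature is the trailing context of this hunk) specialised to the origin; if that is the case, delegating to it with `&sdb->common.origin` and `create` false would avoid keeping two copies of the locking and error handling in step, at the cost of a forward declaration since `findnodeext` is defined below.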
dns_clientinfo_t *clientinfo,
@@ -1224,7 +1300,7 @@ static dns_dbmethods_t sdb_methods = {
 	ispersistent,
 	overmem,
 	settask,
-	NULL,	/* getoriginnode */
+	getoriginnode,	/* getoriginnode */
 	NULL,	/* transfernode */
 	NULL,	/* getnsec3parameters */
 	NULL,	/* findnsec3node */
From cd40c9fe611ac39977ff837e6ba4b6df4b055833 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 9 Aug 2019 16:26:32 +1000 Subject: [PATCH 2/5] add dns_zone_cdscheck to integrity checks --- lib/dns/zone.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 15f8e65415..f52acb8c52 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -4732,6 +4732,16 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		goto cleanup;
 	}
 
+	if (zone->type == dns_zone_master) {
+		result = dns_zone_cdscheck(zone, db, NULL);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "CDS/CDNSKEY consistency checks "
+				     "failed");
+			goto cleanup;
+		}
+	}
+
 	result = dns_zone_verifydb(zone, db, NULL);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
From 3705605e0b0c89c08d1ae442570748a9e0068612 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 9 Aug 2019 16:27:55 +1000 Subject: [PATCH 3/5] fix dnssec system tests that fail now that we call dns_zone_cdscheck --- bin/tests/system/dnssec/ns2/sign.sh | 12 ++++++------ bin/tests/system/dnssec/tests.sh | 4 ++-- bin/tests/system/resolver/ns6/delegation-only.db | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 7413d7e3e1..ac6c4b3340 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
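Review bot: The new `dns_zone_log()` call in zone_postload discards `result` and reports only the fixed string `"CDS/CDNSKEY consistency checks failed"`, so an operator whose primary zone now refuses to load gets no hint of which check tripped; unless `dns_zone_cdscheck()` is known to log the detail itself, make it `"CDS/CDNSKEY consistency checks failed: %s", isc_result_totext(result)`. The `zone->type == dns_zone_master` guard also deserves a one-line why-comment stating why non-primary zones are exempt from a check that now rejects a zone outright at load time, since the reason is not visible in this hunk. zone_postload begins well before this hunk, so the `cleanup` label and the surrounding sequence of checks are outside the view here.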
@@ -220,7 +220,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 "$DSFROMKEY" -C "$key2.key" > "$key2.cds"
-cat "$infile" "$key1.key" "$key3.key" "$key2.cds" > "$zonefile"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
 "$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
 
 zone=cds-update.secure
@@ -244,8 +244,8 @@ infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.cds" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
 
 zone=cdnskey.secure
 infile=cdnskey.secure.db.in
@@ -263,7 +263,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
+cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
 "$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
 
 zone=cdnskey-update.secure
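Review bot: In the cds-auto.secure hunk `$SETTIME` is the only tool variable left unquoted (`$SETTIME -P sync now "$key1" > /dev/null`) while `"$KEYGEN"`, `"$DSFROMKEY"` and `"$SIGNER"` on the neighbouring lines are quoted; write `"$SETTIME" -P sync now "$key1" > /dev/null` so a tool path containing whitespace does not word-split, here and in the matching cdnskey-auto.secure hunk that follows. Replacing the hand-built `.cds` file with a sync-publish time on `key1` is a change of mechanism rather than a cosmetic one, presumably so the server derives the CDS/CDNSKEY records from the key's timing instead of a static file, and a one-line comment above the `$SETTIME` line saying so would spare the next reader a trip through the server configuration.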
@@ -287,8 +287,8 @@ infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
 key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
-cat "$infile" "$key1.cds" > "$zonefile.signed"
+$SETTIME -P sync now "$key1" > /dev/null
+cat "$infile" > "$zonefile.signed"
 
 zone=updatecheck-kskonly.secure
 infile=template.secure.db.in
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 54be389d55..3ca6f92475 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3247,7 +3247,7 @@ echo_i "check that CDS records are not signed using ZSK by dnssec-signzone -x ($
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cds cds-x.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
+test "$lines" -eq 2 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -3399,7 +3399,7 @@ echo_i "check that CDNSKEY records are not signed using ZSK by dnssec-signzone -
 ret=0
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-x.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
-test "$lines" -eq 1 || ret=1
+test "$lines" -eq 2 || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
diff --git a/bin/tests/system/resolver/ns6/delegation-only.db b/bin/tests/system/resolver/ns6/delegation-only.db
index 29e9adbf7a..c9a7ad1850 100644
--- a/bin/tests/system/resolver/ns6/delegation-only.db
+++ b/bin/tests/system/resolver/ns6/delegation-only.db
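Review bot: In both tests.sh hunks the expected RRSIG count on `test "$lines" -eq 2 || ret=1` is a bare literal that now appears to depend on ns2/sign.sh adding a second KSK (`key2.key`) to the -x zones, so the check titled "not signed using ZSK" only holds while that fixture has exactly two KSKs. A comment above each test line, e.g. `# two KSKs sign the RRset; a ZSK signature would make it three`, would tie the number to the fixture and make a future sign.sh change fail for an understandable reason. The check blocks themselves start at the `echo_i` lines in the hunk headers and are otherwise unchanged.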
@@ -17,7 +17,7 @@ $TTL 120
 ;
 @ IN A 1.2.3.4
 @ IN AAAA c::1.2.3.4
-@ IN CDS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
+@ IN CDS 12023 7 2 36FB69A752615831B47EA6EF9EA4619D0FB08ABDA69EA3ED200F4C02FF4921D4
 @ IN CDNSKEY 256 3 7 AwEAAY9437GPWJHzBeR4FP6eJAie7gh2QSM6LUnbDAHvHOx8MNqgSVRM PZka2rAgivb65/MkT1lXRUegj91iRFP3iggTpCgvdUbcBjsYrdODsrwF YUMIUl1pU0lH9x7KvfFUOfSmG+Rk5UHUWuRZbNyc65Sq69iFXg5c11+8 MAkRoeDF
 ;
 ; Delegation only test CDS and CDNSKEY records. These should be rejected
From 30610eb9a5c9371ade1f21db544beccf5a210105 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 23 Aug 2019 14:36:22 +1000 Subject: [PATCH 4/5] add good and bad CDS / CDNSKEY test zones --- bin/tests/system/checkzone/zones/bad-cdnskey.db | 4 ++++ bin/tests/system/checkzone/zones/bad-cds.db | 6 ++++++ bin/tests/system/checkzone/zones/good-cdnskey.db | 4 ++++ bin/tests/system/checkzone/zones/good-cds.db | 4 ++++ 4 files changed, 18 insertions(+) create mode 100644 bin/tests/system/checkzone/zones/bad-cdnskey.db create mode 100644 bin/tests/system/checkzone/zones/bad-cds.db create mode 100644 bin/tests/system/checkzone/zones/good-cdnskey.db create mode 100644 bin/tests/system/checkzone/zones/good-cds.db
diff --git a/bin/tests/system/checkzone/zones/bad-cdnskey.db b/bin/tests/system/checkzone/zones/bad-cdnskey.db
new file mode 100644
index 0000000000..e3c0ded019
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-cdnskey.db
@@ -0,0 +1,4 @@
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 0 CDNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTXXXX WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/bad-cds.db b/bin/tests/system/checkzone/zones/bad-cds.db
new file mode 100644
index 0000000000..9cd48a164f
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-cds.db
@@ -0,0 +1,6 @@
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+; Actual CDS
+; example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0B
diff --git a/bin/tests/system/checkzone/zones/good-cdnskey.db b/bin/tests/system/checkzone/zones/good-cdnskey.db
new file mode 100644
index 0000000000..7ab4b3f4eb
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cdnskey.db
@@ -0,0 +1,4 @@
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 0 CDNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
diff --git a/bin/tests/system/checkzone/zones/good-cds.db b/bin/tests/system/checkzone/zones/good-cds.db
new file mode 100644
index 0000000000..dcd5f3997d
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-cds.db
@@ -0,0 +1,4 @@
+example. 0 SOA . . 0 0 0 0 0
+example. 0 NS .
+example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+example. 0 CDS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
From ba26c6eb48ee28920472648b15b14d45ddf6dd0d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 23 Aug 2019 17:49:05 +1000 Subject: [PATCH 5/5] add CHANGES --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/CHANGES b/CHANGES
index 7fe616acff..e985cea2c9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5279.	[bug]		When loading, reject zones containing CDS or CDNSKEY
+			RRsets at the zone apex if they would cause DNSSEC
+			validation failures if published in the parent zone
+			as the DS RRset. [GL #1187]
+
 5278.	[func]		Add YAML output formats for dig, mdig and delv; use the "+yaml" option to enable. [GL #1145]