From d24297343f094e2316f8cc7c6652476dd8d18f5c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 12 Oct 2022 17:01:57 +1100
Subject: [PATCH] Don't sign the raw zone

The raw zone is not supposed to be signed. DNSKEY records in a raw zone should not trigger zone signing.

The update code needs to be able to identify when it is working on a raw zone. Add dns_zone_israw() and dns_zone_issecure() enable it to do this.

Also, we need to check the case for 'auto-dnssec maintain'.
---
 lib/dns/include/dns/zone.h | 6 ++++++
 lib/dns/zone.c | 20 ++++++++++++++++++++
 lib/ns/update.c | 13 ++++++++++---
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index c431f38703..7041523702 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2317,6 +2317,12 @@ dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
 void
 dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
 
+bool
+dns_zone_israw(dns_zone_t *zone);
+
+bool
+dns_zone_issecure(dns_zone_t *zone);
+
 isc_result_t
 dns_zone_keydone(dns_zone_t *zone, const char *data);
 /*%<
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 922cdd3334..40682992fa 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -22189,6 +22189,26 @@ dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
 UNLOCK(&zone->lock);
 }
 
+bool
+dns_zone_israw(dns_zone_t *zone) {
+ bool israw;
+ REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK(&zone->lock);
+ israw = zone->secure != NULL;
+ UNLOCK(&zone->lock);
+ return (israw);
+}
+
+bool
+dns_zone_issecure(dns_zone_t *zone) {
+ bool issecure;
+ REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK(&zone->lock);
+ issecure = zone->raw != NULL;
+ UNLOCK(&zone->lock);
+ return (issecure);
+}
+
 struct keydone {
 bool all;
 unsigned char data[5];
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 493637f147..efffd4054d 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
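Review bot: The two new prototypes are the only declarations in this hunk without the `/*%< ... */` description that follows `dns_zone_keydone`, and the names are easy to misread, since (per the zone.c definitions in this patch) `dns_zone_israw()` is true only when the zone has a linked secure counterpart, not whenever the zone is unsigned, and an ordinary unlinked zone answers false to both. Add after the `dns_zone_israw` prototype `/*%< Returns true if 'zone' is the raw (unsigned) half of an inline-signing pair, i.e. it has a linked secure zone. Requires 'zone' to be a valid zone. */` and the mirror text for `dns_zone_issecure` (the secure, signed half, which has a linked raw zone).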
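Review bot: Each predicate tests the field named for the other side (`israw` reads `zone->secure`, `issecure` reads `zone->raw`); that is correct if `dns_zone_link(zone, raw)` stores the secure zone in the raw zone's `secure` field and the raw zone in the secure zone's `raw` field, but nothing here says so and a later reader is likely to "fix" it. Add `/* A zone is raw when it has a linked secure (signed) counterpart. */` above `israw = zone->secure != NULL;` and `/* A zone is secure when it has a linked raw (unsigned) counterpart. */` above `issecure = zone->raw != NULL;`. Since ns/update.c now combines the two, it is also worth stating that a zone with neither link returns false from both, so `!dns_zone_israw()` is not equivalent to `dns_zone_issecure()`.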
@@ -2900,6 +2900,7 @@ update_action(void *arg) {
 dns_ttl_t maxttl = 0;
 uint32_t maxrecords;
 uint64_t records;
+ bool is_inline, is_maintain, is_signing;
 
 dns_diff_init(mctx, &diff);
 dns_diff_init(mctx, &temp);
@@ -2910,6 +2911,10 @@ update_action(void *arg) {
 dns_zone_getssutable(zone, &ssutable);
 options = dns_zone_getoptions(zone);
 
+ is_inline = (!dns_zone_israw(zone) && dns_zone_issecure(zone));
+ is_maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
+ is_signing = is_inline || (!is_inline && is_maintain);
+
 /*
 * Get old and new versions now that queryacl has been checked.
 */
@@ -3435,7 +3440,7 @@ update_action(void *arg) {
 goto failure;
 }
 }
- if (!ISC_LIST_EMPTY(diff.tuples)) {
+ if (!ISC_LIST_EMPTY(diff.tuples) && is_signing) {
 result = dns_zone_cdscheck(zone, db, ver);
 if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
 update_log(client, zone, LOGLEVEL_PROTOCOL,
@@ -3481,11 +3486,13 @@ update_action(void *arg) {
 CHECK(rollback_private(db, privatetype, ver, &diff));
 
- CHECK(add_signing_records(db, privatetype, ver, &diff));
+ if (is_signing) {
+ CHECK(add_signing_records(db, privatetype, ver, &diff));
+ }
 
 CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
 
- if (had_dnskey && !has_dnskey) {
+ if (is_signing && had_dnskey && !has_dnskey) {
 /*
 * We are transitioning from secure to insecure.
 * Cause all NSEC3 chains to be deleted. When the
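Review bot: `is_signing` is still true for a raw zone whenever its key options carry `DNS_ZONEKEY_MAINTAIN`, because `is_maintain` is not qualified by `dns_zone_israw()`; if the raw half of an inline-signing pair can inherit `auto-dnssec maintain` from its configuration (not visible in this patch), DNSKEY records in the raw zone would again trigger signing, which is exactly what the commit title sets out to stop. Safer: `is_signing = is_inline || (!dns_zone_israw(zone) && is_maintain);`. Separately, `is_inline || (!is_inline && is_maintain)` reduces to `is_inline || is_maintain`, and a short comment above the three assignments would help: `/* This zone drives signing: the secure side of an inline-signing pair, or a zone with auto-dnssec maintain. */`. `update_action()` begins and ends outside this hunk.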
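Review bot: Gating the CDS/CDNSKEY check on `is_signing` drops it for more than raw zones: a zone that is neither inline-signed nor `auto-dnssec maintain` (one signed out of band and loaded with its signatures, for instance) previously had an update rejected on DNS_R_BADCDS/DNS_R_BADCDNSKEY and now accepts it, and a CDS/CDNSKEY published without a matching DNSKEY can lead the parent to install a DS for a key the zone does not hold. If the intent is only to exempt the raw zone, gate on the zone kind instead: `if (!ISC_LIST_EMPTY(diff.tuples) && !dns_zone_israw(zone)) {`. Whether every signing configuration sets DNS_ZONEKEY_MAINTAIN (dnssec-policy zones, for example) cannot be seen from this patch, so confirm that before relying on `is_signing` here. `update_action()` begins and ends outside this hunk.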