mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00
Code Issues Releases Wiki Activity

Don't sign the raw zone

Browse Source 
The raw zone is not supposed to be signed.  DNSKEY records in a raw zone
should not trigger zone signing.  The update code needs to be able to
identify when it is working on a raw zone.  Add dns_zone_israw() and
dns_zone_issecure() enable it to do this. Also, we need to check the
case for 'auto-dnssec maintain'.
This commit is contained in:
Mark Andrews 2022-10-12 17:01:57 +11:00 committed by Matthijs Mekking
parent 508c60ad90
commit d24297343f
3 changed files with 36 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/dns/include/dns/zone.h
View File

@ -2317,6 +2317,12 @@ dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
void void
dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw); dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
bool
dns_zone_israw(dns_zone_t *zone);
bool
dns_zone_issecure(dns_zone_t *zone);
isc_result_t isc_result_t
dns_zone_keydone(dns_zone_t *zone, const char *data); dns_zone_keydone(dns_zone_t *zone, const char *data);
/*%< /*%<

20
lib/dns/zone.c
View File

@ -22189,6 +22189,26 @@ dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
UNLOCK(&zone->lock); UNLOCK(&zone->lock);
} }
bool
dns_zone_israw(dns_zone_t *zone) {
bool israw;
REQUIRE(DNS_ZONE_VALID(zone));
LOCK(&zone->lock);
israw = zone->secure != NULL;
UNLOCK(&zone->lock);
return (israw);
}
bool
dns_zone_issecure(dns_zone_t *zone) {
bool issecure;
REQUIRE(DNS_ZONE_VALID(zone));
LOCK(&zone->lock);
issecure = zone->raw != NULL;
UNLOCK(&zone->lock);
return (issecure);
}
struct keydone { struct keydone {
bool all; bool all;
unsigned char data[5]; unsigned char data[5];

13
lib/ns/update.c
View File

@ -2900,6 +2900,7 @@ update_action(void *arg) {
dns_ttl_t maxttl = 0; dns_ttl_t maxttl = 0;
uint32_t maxrecords; uint32_t maxrecords;
uint64_t records; uint64_t records;
bool is_inline, is_maintain, is_signing;
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
dns_diff_init(mctx, &temp); dns_diff_init(mctx, &temp);
@ -2910,6 +2911,10 @@ update_action(void *arg) {
dns_zone_getssutable(zone, &ssutable); dns_zone_getssutable(zone, &ssutable);
options = dns_zone_getoptions(zone); options = dns_zone_getoptions(zone);
is_inline = (!dns_zone_israw(zone) && dns_zone_issecure(zone));
is_maintain = ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0);
is_signing = is_inline || (!is_inline && is_maintain);
/* /*
* Get old and new versions now that queryacl has been checked. * Get old and new versions now that queryacl has been checked.
*/ */
@ -3435,7 +3440,7 @@ update_action(void *arg) {
goto failure; goto failure;
} }
} }
if (!ISC_LIST_EMPTY(diff.tuples)) { if (!ISC_LIST_EMPTY(diff.tuples) && is_signing) {
result = dns_zone_cdscheck(zone, db, ver); result = dns_zone_cdscheck(zone, db, ver);
if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) { if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
update_log(client, zone, LOGLEVEL_PROTOCOL, update_log(client, zone, LOGLEVEL_PROTOCOL,
@ -3481,11 +3486,13 @@ update_action(void *arg) {
CHECK(rollback_private(db, privatetype, ver, &diff)); CHECK(rollback_private(db, privatetype, ver, &diff));
CHECK(add_signing_records(db, privatetype, ver, &diff)); if (is_signing) {
CHECK(add_signing_records(db, privatetype, ver, &diff));
}
CHECK(add_nsec3param_records(client, zone, db, ver, &diff)); CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
if (had_dnskey && !has_dnskey) { if (is_signing && had_dnskey && !has_dnskey) {
/* /*
* We are transitioning from secure to insecure. * We are transitioning from secure to insecure.
* Cause all NSEC3 chains to be deleted. When the * Cause all NSEC3 chains to be deleted. When the