mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
Check dnssec-policy key roles for validity
For each algorithm there must be a key performing the KSK and
ZSK rolls. After reading the keys from named.conf check that
each algorithm present has both rolls. CSK implicitly has both
rolls.
(cherry picked from commit 9bcf45f4ce
)
This commit is contained in:
@@ -262,7 +262,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
|
||||
const cfg_listelt_t *element = NULL;
|
||||
const char *kaspname = NULL;
|
||||
dns_kasp_t *kasp = NULL;
|
||||
int i = 0;
|
||||
size_t i = 0;
|
||||
|
||||
REQUIRE(kaspp != NULL && *kaspp == NULL);
|
||||
|
||||
@@ -323,6 +323,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
|
||||
|
||||
(void)confget(maps, "keys", &keys);
|
||||
if (keys != NULL) {
|
||||
char role[256] = { 0 };
|
||||
dns_kasp_key_t *kkey = NULL;
|
||||
|
||||
for (element = cfg_list_first(keys); element != NULL;
|
||||
element = cfg_list_next(element))
|
||||
{
|
||||
@@ -333,6 +336,36 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
|
||||
}
|
||||
}
|
||||
INSIST(!(dns_kasp_keylist_empty(kasp)));
|
||||
dns_kasp_freeze(kasp);
|
||||
for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
|
||||
kkey = ISC_LIST_NEXT(kkey, link))
|
||||
{
|
||||
uint32_t keyalg = dns_kasp_key_algorithm(kkey);
|
||||
INSIST(keyalg < ARRAY_SIZE(role));
|
||||
|
||||
if (dns_kasp_key_zsk(kkey)) {
|
||||
role[keyalg] |= DNS_KASP_KEY_ROLE_ZSK;
|
||||
}
|
||||
|
||||
if (dns_kasp_key_ksk(kkey)) {
|
||||
role[keyalg] |= DNS_KASP_KEY_ROLE_KSK;
|
||||
}
|
||||
}
|
||||
dns_kasp_thaw(kasp);
|
||||
for (i = 0; i < ARRAY_SIZE(role); i++) {
|
||||
if (role[i] != 0 && role[i] != (DNS_KASP_KEY_ROLE_ZSK |
|
||||
DNS_KASP_KEY_ROLE_KSK))
|
||||
{
|
||||
cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
|
||||
"dnssec-policy: algorithm %zu "
|
||||
"requires both KSK and ZSK roles",
|
||||
i);
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
}
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
} else if (strcmp(kaspname, "insecure") == 0) {
|
||||
/* "dnssec-policy insecure": key list must be empty */
|
||||
INSIST(strcmp(kaspname, "insecure") == 0);
|
||||
|
Reference in New Issue
Block a user