diff --git a/CHANGES b/CHANGES
index 94801c811e..62eea0e322 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
+
 5767. [func] Extend allow-transfer option with 'port' and 'transport'
 options to restrict zone transfers to a specific port and
 DNS transport protocol.
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 0214e72579..8cb3f41bbf 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -260,6 +260,10 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 		fatal("can't convert DNSKEY");
 	}
 
+	if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+		return;
+	}
+
 	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
 		return;
 	}
diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst
index 35d62c0bcb..4d68ca80ef 100644
--- a/bin/dnssec/dnssec-dsfromkey.rst
+++ b/bin/dnssec/dnssec-dsfromkey.rst
@@ -43,6 +43,10 @@ Description
 The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer)
 resource records (RRs), or CDS (Child DS) RRs with the ``-C`` option.
 
+By default, only KSKs are converted (keys with flags = 257). The
+``-A`` option includes ZSKs (flags = 256). Revoked keys are never
+included.
+
 The input keys can be specified in a number of ways:
 
 By default, ``dnssec-dsfromkey`` reads a key file named in the format
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index edb6bf7bb9..fecf504855 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
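Review bot: The new revoke check in emit() carries no comment saying why a revoked DNSKEY is dropped, and because it is placed before the `DNS_KEYFLAG_KSK`/`showall` test, `-A` cannot override it; a later reader may mistake that ordering for an oversight rather than the intended rule. I would add above the check: `/* A key with the RFC 5011 REVOKE bit set is never converted to a DS, not even with -A (showall). */`. emit() begins before this hunk and its body continues past it, so the early return's effect on any later output in the function is not visible here.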
@@ -2898,6 +2898,18 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
+test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1
+test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
 echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
 ret=0
 dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1
diff --git a/doc/man/dnssec-dsfromkey.1in b/doc/man/dnssec-dsfromkey.1in
index 75684f1ea1..6964eaacee 100644
--- a/doc/man/dnssec-dsfromkey.1in
+++ b/doc/man/dnssec-dsfromkey.1in
@@ -44,6 +44,10 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool
 The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer)
 resource records (RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
 .sp
+By default, only KSKs are converted (keys with flags = 257). The
+\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never
+included.
+.sp
 The input keys can be specified in a number of ways:
 .sp
 By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
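Review bot: The new test block ends with `test "$ret" -eq 0 || echo_i "failed"` but, unlike the preceding block whose `status=$((status+ret))` is visible as context, it never folds `ret` into `status`, so a regression in the revoked-key handling would print "failed" without changing the script's exit code; add `status=$((status+ret))` after that line. The `wc -l` assertion also only shows that one DS line was produced, and the rule the same commit documents for `-A` (ZSKs included, revoked keys still omitted) is not exercised; a second run such as `$DSFROMKEY -A -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.all.test$n || ret=1` followed by `test $(wc -l < dsfromkey.out.all.test$n) -eq 2 || ret=1` would cover it, since the block has already confirmed exactly one ZSK, one KSK and one revoked KSK are present.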