mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 06:55:30 +00:00
Code Issues Releases Wiki Activity

Merge branch '853-dnssec-dsfromkey-doesn-t-omit-revoked-ksk' into 'main'

Browse Source 
Resolve "dnssec-dsfromkey doesn't omit revoked KSK"

Closes #853

See merge request isc-projects/bind9!5460
This commit is contained in:
Mark Andrews
2021-11-30 11:08:28 +00:00
parent 3443938b99 d632df3c11
commit db2aad0e96
5 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,3 +1,5 @@
5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
5767. [func] Extend allow-transfer option with 'port' and 5767. [func] Extend allow-transfer option with 'port' and
'transport' options to restrict zone transfers to 'transport' options to restrict zone transfers to
a specific port and DNS transport protocol. a specific port and DNS transport protocol.

4
bin/dnssec/dnssec-dsfromkey.c
View File

@@ -260,6 +260,10 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
fatal("can't convert DNSKEY"); fatal("can't convert DNSKEY");
} }
if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
return;
}
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) { if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
return; return;
} }

4
bin/dnssec/dnssec-dsfromkey.rst
View File

@@ -43,6 +43,10 @@ Description
The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the ``-C`` option. (RRs), or CDS (Child DS) RRs with the ``-C`` option.
By default, only KSKs are converted (keys with flags = 257). The
``-A`` option includes ZSKs (flags = 256). Revoked keys are never
included.
The input keys can be specified in a number of ways: The input keys can be specified in a number of ways:
By default, ``dnssec-dsfromkey`` reads a key file named in the format By default, ``dnssec-dsfromkey`` reads a key file named in the format

12
bin/tests/system/dnssec/tests.sh
View File

@@ -2898,6 +2898,18 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret)) status=$((status+ret))
echo_i "check dnssec-dsfromkey with revoked key ($n)"
ret=0
dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1
$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1
test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)" echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
ret=0 ret=0
dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1

4
doc/man/dnssec-dsfromkey.1in
View File

@@ -44,6 +44,10 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool
The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the \fB\-C\fP option. (RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
.sp .sp
By default, only KSKs are converted (keys with flags = 257). The
\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never
included.
.sp
The input keys can be specified in a number of ways: The input keys can be specified in a number of ways:
.sp .sp
By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format