
Ensure responses sourced from mirror zones have the AD bit set

Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit not to be set in responses coming from slave zones, including
mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
Michał Kępień 2018-06-28 13:38:39 +02:00
parent ad0ec2ea93
commit e3160b27f7
3 changed files with 23 additions and 1 deletions


@ -250,12 +250,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking flags set in a response sourced from a mirror zone ($n)"
echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
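Review bot: The SOA block that starts at the second `n=\`expr $n + 1\`` is a line-for-line copy of the DNSKEY block above it with only the query type and the echo_i label changed, so the two checks will drift apart the first time one of them is edited; a `for type in DNSKEY SOA` loop keeps a single copy of the NOERROR/aa/ad assertions. The loop body is the existing block with `$type` substituted into the label and into the dig query, and the grep lines and failure accounting stay as they are. The hunk header counts (12 old, 24 new lines) do not match the lines shown here, which suggests blank lines were dropped on this page, so the exact surrounding layout may differ from what is visible.
```shell
for type in DNSKEY SOA; do
	n=`expr $n + 1`
	echo_i "checking flags set in a $type response sourced from a mirror zone ($n)"
	ret=0
	$DIG $DIGOPTS @10.53.0.3 . $type > dig.out.ns3.test$n 2>&1 || ret=1
	# ... unchanged: NOERROR / aa / ad grep checks, failure report, status accounting ...
done
```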


@ -30,6 +30,12 @@ ISC_LANG_BEGINDECLS
*
* The rest of the zone was signed with at least one of the ZSKs
* present in the DNSKEY RRSET.
*
* Mark all RRsets correctly signed by one of the keys in the DNSKEY RRset at
* zone apex as secure.
*
* If 'secroots' is not NULL, mark the DNSKEY RRset as secure if it is
* correctly signed by at least one key present in 'secroots'.
*/
isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
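Review bot: The new paragraphs say which RRsets are marked secure but not what happens to those trust levels when dns_zoneverify_dnssec() later fails, which is exactly the reliance the commit description spells out (no rollback; the version being verified is discarded). A caller reading only this header would not know it must not keep using 'ver' after an error. Add a sentence after the 'secroots' paragraph: `* Trust levels already raised to "secure" are not reverted if verification fails; callers must discard 'ver' on any error.` The declaration of dns_zoneverify_dnssec() continues past the end of this hunk.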


@ -912,6 +912,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
continue;
}
if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) {
dns_rdataset_settrust(rdataset, dns_trust_secure);
dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
set_algorithms[sig.algorithm] = 1;
}
}
@ -1561,6 +1563,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
* The supplied key is a trust anchor.
*/
dns_keytable_detachkeynode(vctx->secroots, &keynode);
dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
*goodkey = ISC_TRUE;
break;
case DNS_R_PARTIALMATCH:
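Review bot: In verifyset(), the two `dns_rdataset_settrust(..., dns_trust_secure)` calls fire as soon as a single RRSIG passes goodsig(), while the loop is still iterating the remaining signatures and before set_algorithms[] is presumably evaluated for per-algorithm coverage, so an RRset that the function rejects later is left marked secure in the database version. That is acceptable only because, as the commit description states, any verification failure makes the caller discard the whole version; that dependency is invisible at this call site and should be stated next to the first settrust call: `/* No rollback: any later verification failure discards the whole version. */`. The same comment belongs on the keyset/keysigs settrust pair in the trust-anchor branch of check_dnskey_sigs() in the second hunk, which likewise has no compensating reset on the failure paths visible here. Both enclosing functions start and end outside the hunks shown, so whether sigrdataset's trust change is written through to the stored RRset or only to the local view cannot be confirmed from this excerpt.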