From e3160b27f74ec7f00435c6c342eab41c28f70a01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Thu, 28 Jun 2018 13:38:39 +0200
Subject: [PATCH] Ensure responses sourced from mirror zones have the AD bit set

Zone RRsets are assigned trust level "ultimate" upon load, which causes the AD bit to not be set in responses coming from slave zones, including mirror zones. Make dns_zoneverify_dnssec() update the trust level of verified RRsets to "secure" so that the AD bit is set in such responses.

No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in case of any DNSSEC failure, which causes the mirror zone version being verified to be discarded.
---
 bin/tests/system/mirror/tests.sh | 14 +++++++++++++-
 lib/dns/include/dns/zoneverify.h | 6 ++++++
 lib/dns/zoneverify.c | 4 ++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh
index dfadcf05c6..e95f97122c 100644
--- a/bin/tests/system/mirror/tests.sh
+++ b/bin/tests/system/mirror/tests.sh
@@ -250,12 +250,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "checking flags set in a response sourced from a mirror zone ($n)"
+echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
 grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
 grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
diff --git a/lib/dns/include/dns/zoneverify.h b/lib/dns/include/dns/zoneverify.h
index 594c6ecc08..46865ce900 100644
--- a/lib/dns/include/dns/zoneverify.h
+++ b/lib/dns/include/dns/zoneverify.h
@@ -30,6 +30,12 @@ ISC_LANG_BEGINDECLS
  *
  * The rest of the zone was signed with at least one of the ZSKs
  * present in the DNSKEY RRSET.
+ *
+ * Mark all RRsets correctly signed by one of the keys in the DNSKEY RRset at
+ * zone apex as secure.
+ *
+ * If 'secroots' is not NULL, mark the DNSKEY RRset as secure if it is
+ * correctly signed by at least one key present in 'secroots'.
  */
 isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index cf130963e8..3cf5790cdd 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
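Review bot: The new `grep "flags:.* ad"` checks for the DNSKEY and SOA queries confirm only the header flag, not that the queried RRset was actually answered, so a NOERROR/NODATA reply carrying AD (a validated negative answer) would satisfy both tests just as well; add an answer-content check next to the flag greps, e.g. `grep "^\.[[:space:]].*IN[[:space:]]*SOA" dig.out.ns3.test$n > /dev/null || ret=1` and the DNSKEY equivalent. The ad expectation also presumes DIGOPTS requests DNSSEC or the AD bit (+dnssec or +adflag); DIGOPTS is defined outside this hunk, and if it does not, these checks cannot pass regardless of the trust change. The two blocks are otherwise identical and could be a single `for qtype in DNSKEY SOA` loop so future flag checks stay in sync.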
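Review bot: The added paragraph documents that verified RRsets are marked secure but not that the upgrade is never reverted, which the commit message states and which every caller has to honour: a caller that keeps using 'ver' after a failed call would serve RRsets marked secure that were never fully verified. Append to the new text: ` * Trust levels raised to "secure" are not reverted when verification fails; the caller must discard 'ver' on any result other than ISC_R_SUCCESS.` It would also help to state that the upgrade is applied in place to the rdatasets of 'db'/'ver', since the existing prose reads as a pure verification contract with no side effects. The declaration's parameter list continues past the hunk.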
@@ -912,6 +912,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
 			continue;
 		}
 		if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) {
+			dns_rdataset_settrust(rdataset, dns_trust_secure);
+			dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
 			set_algorithms[sig.algorithm] = 1;
 		}
 	}
@@ -1561,6 +1563,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 	 * The supplied key is a trust anchor.
 	 */
 	dns_keytable_detachkeynode(vctx->secroots, &keynode);
+	dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
+	dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
 	*goodkey = ISC_TRUE;
 	break;
 case DNS_R_PARTIALMATCH:
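Review bot: `dns_rdataset_settrust(rdataset, dns_trust_secure)` runs inside the per-RRSIG loop the moment one signature validates, before the per-algorithm coverage check on `set_algorithms` that follows the loop (outside the hunk), so the RRset carries secure trust even when verifyset then reports it as unsigned for some algorithm. The commit message relies on the caller discarding the db version on any failure, but nothing at this spot records that assumption; either add `/* Trust is raised before the set_algorithms coverage check; on any failure the caller must discard the db version. */` above the two calls, or defer both settrust calls to after the loop and gate them on the coverage check passing. The calls also repeat for every valid RRSIG over the same set, which is harmless but the single post-loop placement would avoid it. verifyset starts and ends outside the hunk.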
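Review bot: Only the ISC_R_SUCCESS arm raises vctx->keyset and vctx->keysigs to secure; the DNS_R_PARTIALMATCH/ISC_R_NOTFOUND arm that begins on the hunk's last line continues outside it, and if that path can also accept the DNSKEY RRset (for instance by finding an RRSIG made by a configured trust anchor) it needs the same two `dns_rdataset_settrust` calls, otherwise such a zone passes verification with its DNSKEY RRset still at ultimate and the AD bit this commit adds is missing for it. A short comment at the added calls, `/* DNSKEY RRset chains to a trust anchor; raise it and its RRSIGs to secure so the AD bit is set. */`, would also make the intent clear. Whether this arm is reached only after the key's signature over the DNSKEY RRset has been verified is not visible here and is worth confirming, since the trust upgrade assumes it.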