mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

Ensure responses sourced from mirror zones have the AD bit set

Browse Source 
Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
This commit is contained in:
Michał Kępień 2018-06-28 13:38:39 +02:00
parent ad0ec2ea93
commit e3160b27f7
3 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
bin/tests/system/mirror/tests.sh
View File

@ -250,12 +250,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "checking flags set in a response sourced from a mirror zone ($n)" echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
ret=0 ret=0
$DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1 $DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer. # Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1 grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`

6
lib/dns/include/dns/zoneverify.h
View File

@ -30,6 +30,12 @@ ISC_LANG_BEGINDECLS
* *
* The rest of the zone was signed with at least one of the ZSKs * The rest of the zone was signed with at least one of the ZSKs
* present in the DNSKEY RRSET. * present in the DNSKEY RRSET.
*
* Mark all RRsets correctly signed by one of the keys in the DNSKEY RRset at
* zone apex as secure.
*
* If 'secroots' is not NULL, mark the DNSKEY RRset as secure if it is
* correctly signed by at least one key present in 'secroots'.
*/ */
isc_result_t isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,

4
lib/dns/zoneverify.c
View File

@ -912,6 +912,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
continue; continue;
} }
if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) { if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) {
dns_rdataset_settrust(rdataset, dns_trust_secure);
dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
set_algorithms[sig.algorithm] = 1; set_algorithms[sig.algorithm] = 1;
} }
} }
@ -1561,6 +1563,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
* The supplied key is a trust anchor. * The supplied key is a trust anchor.
*/ */
dns_keytable_detachkeynode(vctx->secroots, &keynode); dns_keytable_detachkeynode(vctx->secroots, &keynode);
dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
*goodkey = ISC_TRUE; *goodkey = ISC_TRUE;
break; break;
case DNS_R_PARTIALMATCH: case DNS_R_PARTIALMATCH: