Check that DS records are only present at delegations

This extends the integrity check to look for stray DS records in the zone.
2025-08-29 13:38:26 +00:00 · 2022-11-24 11:10:58 +11:00 · 2022-11-24 11:10:58 +11:00 · e8e40e2e01
commit e8e40e2e01
parent 8ab496b6e1
5 changed files with 42 additions and 8 deletions
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@ -16,9 +16,8 @@
 # Have the child generate subdomain keys and pass DS sets to us.
 ( cd ../ns3 && $SHELL keygen.sh )

-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
-		 nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
-		 cdnskey-delete
+for subdomain in secure nsec3 optout rsasha256 rsasha512 \
+		 nsec3-to-nsec oldsigs dname-at-apex-nsec3
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done
--- a/bin/tests/system/checkzone/zones/bad-ds-2.db
+++ b/bin/tests/system/checkzone/zones/bad-ds-2.db
@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+example.	0	SOA	. . 0 0 0 0 0
+example.	0 	NS	.
+example. 	0	DNSKEY	257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
+foo.example.	0	DS 	14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
--- a/bin/tests/system/masterformat/ns1/example.db
+++ b/bin/tests/system/masterformat/ns1/example.db
@ -37,6 +37,7 @@ dnskey			300	DNSKEY	256 3 13 (
 					3uhPJsJ7ivpbh+w==
 					)
 private-dnskey		300	DNSKEY	256 3 253 ( AAo= )
+ds			300	NS	.
 ds			300	DS	30795 1 1 (
 					310D27F4D82C1FC2400704EA9939FE6E1CEA
 					A3B9 )
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -2734,7 +2734,8 @@ Boolean Options
   records, only in-zone hostnames are checked (for out-of-zone hostnames,
   use :iscman:`named-checkzone`). For NS records, only names below top-of-zone
   are checked (for out-of-zone names and glue consistency checks, use
-   :iscman:`named-checkzone`). The default is ``yes``.
+   :iscman:`named-checkzone`). DS records not at delegations are rejected.
+   The default is ``yes``.

   The use of the SPF record to publish Sender Policy Framework is
   deprecated, as the migration from using TXT records to SPF records was
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -3349,6 +3349,8 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 	dns_name_t *bottom;
 	isc_result_t result;
 	bool ok = true, have_spf, have_txt;
+	int level;
+	char namebuf[DNS_NAME_FORMATSIZE];

 	name = dns_fixedname_initname(&fixed);
 	bottom = dns_fixedname_initname(&fixedbottom);
@ -3383,13 +3385,13 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 		 * Don't check the NS records at the origin.
 		 */
 		if (dns_name_equal(name, &zone->origin)) {
-			goto checkfordname;
+			goto checkfords;
 		}

 		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
 					     0, 0, &rdataset, NULL);
 		if (result != ISC_R_SUCCESS) {
-			goto checkfordname;
+			goto checkfords;
 		}
 		/*
 		 * Remember bottom of zone due to NS.
@ -3410,6 +3412,24 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 		dns_rdataset_disassociate(&rdataset);
 		goto next;

+	checkfords:
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			goto checkfordname;
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+		if (zone->type == dns_zone_primary) {
+			level = ISC_LOG_ERROR;
+			ok = false;
+		} else {
+			level = ISC_LOG_WARNING;
+		}
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_zone_log(zone, level, "DS not at delegation point (%s)",
+			     namebuf);
+
 	checkfordname:
 		result = dns_db_findrdataset(db, node, NULL,
 					     dns_rdatatype_dname, 0, 0,
@ -3499,8 +3519,6 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {

 	notxt:
 		if (have_spf && !have_txt) {
-			char namebuf[DNS_NAME_FORMATSIZE];
-
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			dns_zone_log(zone, ISC_LOG_WARNING,
 				     "'%s' found type "