
Check that DS records are only present at delegations

This extends the integrity check to look for stray DS records
in the zone.
This commit is contained in:
Mark Andrews
2022-11-24 11:10:58 +11:00
parent 8ab496b6e1
commit e8e40e2e01
5 changed files with 42 additions and 8 deletions


@@ -16,9 +16,8 @@
# Have the child generate subdomain keys and pass DS sets to us. # Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh ) ( cd ../ns3 && $SHELL keygen.sh )
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \ for subdomain in secure nsec3 optout rsasha256 rsasha512 \
nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ nsec3-to-nsec oldsigs dname-at-apex-nsec3
cdnskey-delete
do do
cp ../ns3/dsset-$subdomain.example. . cp ../ns3/dsset-$subdomain.example. .
done done


@@ -0,0 +1,15 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
example. 0 SOA . . 0 0 0 0 0
example. 0 NS .
example. 0 DNSKEY 257 3 10 AwEAAbqjg7xdvnU2Q/gtLw5LOfr5cDeTRjYuEbkzGrUiVSOSoxcTxuao WS/AFPQHuD8OSLiE/CeZ087JowREXl058rRfae8KMrveY17V0wmKs9N1 F1wf/hRDpXiThlRHWlskp8eSEEIqYrrHgWTesy/xDGIEOFM1gwRo0w8j KdRRJeL2hseTMa+m3rTzrYudUsI0BHLW8PiDUCbG5xgdee8/5YR4847i AAqHIiPJ1Z/IT53OIjMmtv5BUykZ8RYjlJxxX+C+dpRKiK73SQaR3hCB XAYOL9WsDp2/fpmEZpewavkMkdC+j2CX+z27MCS3ASO0AeKK0lcNXwND kgreE+Kr7gc=
foo.example. 0 DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
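Review bot: The fixture never states what it is meant to trigger: foo.example. on the last line carries a DS with no NS at that name, which is exactly the "DS not at delegation point" case the new integrity check reports, but a reader of the zone file alone has to reconstruct that from zone.c. I would add a comment before the record, `; foo.example. has a DS but no NS: a DS that is not at a delegation must be rejected by check-integrity`, so the fixture documents the negative case it covers. The check in zone.c is also reached for the origin name itself (the apex branch jumps to checkfords), so a companion fixture placing a DS at `example.` would seem to cover that second path as well; I cannot tell from this page whether one exists.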


@@ -37,6 +37,7 @@ dnskey 300 DNSKEY 256 3 13 (
3uhPJsJ7ivpbh+w== 3uhPJsJ7ivpbh+w==
) )
private-dnskey 300 DNSKEY 256 3 253 ( AAo= ) private-dnskey 300 DNSKEY 256 3 253 ( AAo= )
ds 300 NS .
ds 300 DS 30795 1 1 ( ds 300 DS 30795 1 1 (
310D27F4D82C1FC2400704EA9939FE6E1CEA 310D27F4D82C1FC2400704EA9939FE6E1CEA
A3B9 ) A3B9 )


@@ -2734,7 +2734,8 @@ Boolean Options
records, only in-zone hostnames are checked (for out-of-zone hostnames, records, only in-zone hostnames are checked (for out-of-zone hostnames,
use :iscman:`named-checkzone`). For NS records, only names below top-of-zone use :iscman:`named-checkzone`). For NS records, only names below top-of-zone
are checked (for out-of-zone names and glue consistency checks, use are checked (for out-of-zone names and glue consistency checks, use
:iscman:`named-checkzone`). The default is ``yes``. :iscman:`named-checkzone`). DS records not at delegations are rejected.
The default is ``yes``.
The use of the SPF record to publish Sender Policy Framework is The use of the SPF record to publish Sender Policy Framework is
deprecated, as the migration from using TXT records to SPF records was deprecated, as the migration from using TXT records to SPF records was


@@ -3349,6 +3349,8 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
dns_name_t *bottom; dns_name_t *bottom;
isc_result_t result; isc_result_t result;
bool ok = true, have_spf, have_txt; bool ok = true, have_spf, have_txt;
int level;
char namebuf[DNS_NAME_FORMATSIZE];
name = dns_fixedname_initname(&fixed); name = dns_fixedname_initname(&fixed);
bottom = dns_fixedname_initname(&fixedbottom); bottom = dns_fixedname_initname(&fixedbottom);
@@ -3383,13 +3385,13 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
* Don't check the NS records at the origin. * Don't check the NS records at the origin.
*/ */
if (dns_name_equal(name, &zone->origin)) { if (dns_name_equal(name, &zone->origin)) {
goto checkfordname; goto checkfords;
} }
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns, result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
0, 0, &rdataset, NULL); 0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto checkfordname; goto checkfords;
} }
/* /*
* Remember bottom of zone due to NS. * Remember bottom of zone due to NS.
@@ -3410,6 +3412,24 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
dns_rdataset_disassociate(&rdataset); dns_rdataset_disassociate(&rdataset);
goto next; goto next;
checkfords:
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS) {
goto checkfordname;
}
dns_rdataset_disassociate(&rdataset);
if (zone->type == dns_zone_primary) {
level = ISC_LOG_ERROR;
ok = false;
} else {
level = ISC_LOG_WARNING;
}
dns_name_format(name, namebuf, sizeof(namebuf));
dns_zone_log(zone, level, "DS not at delegation point (%s)",
namebuf);
checkfordname: checkfordname:
result = dns_db_findrdataset(db, node, NULL, result = dns_db_findrdataset(db, node, NULL,
dns_rdatatype_dname, 0, 0, dns_rdatatype_dname, 0, 0,
@@ -3499,8 +3519,6 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
notxt: notxt:
if (have_spf && !have_txt) { if (have_spf && !have_txt) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf)); dns_name_format(name, namebuf, sizeof(namebuf));
dns_zone_log(zone, ISC_LOG_WARNING, dns_zone_log(zone, ISC_LOG_WARNING,
"'%s' found type " "'%s' found type "