
Merge branch '4517-dnssec-verify-reports-errors-in-nsec3-chain' into 'main'

Resolve "dnssec-verify reports errors in NSEC3 chain"

Closes #4517

See merge request isc-projects/bind9!8631
Mark Andrews
2024-05-16 01:52:55 +00:00
11 changed files with 27 additions and 15 deletions


@@ -1,3 +1,7 @@
6389. [bug] dnssec-verify and dnssec-signzone could fail if there
was an obscured DNSKEY RRset at a delegatation.
[GL #4517]
6388. [placeholder]
6387. [func] Added a new statistics variable "recursive high-water"


@@ -1167,7 +1167,7 @@ has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
* Signs all records at a name.
*/
static void
signname(dns_dbnode_t *node, dns_name_t *name) {
signname(dns_dbnode_t *node, bool apex, dns_name_t *name) {
isc_result_t result;
dns_rdataset_t rdataset;
dns_rdatasetiter_t *rdsiter;
@@ -1218,6 +1218,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': found DS RRset without NS RRset\n",
namebuf);
} else if (rdataset.type == dns_rdatatype_dnskey && !apex) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': Non-apex DNSKEY RRset\n", namebuf);
}
signset(&del, &add, node, name, &rdataset);
@@ -1537,7 +1541,7 @@ signapex(void) {
check_result(result, "dns_dbiterator_seek()");
result = dns_dbiterator_current(gdbiter, &node, name);
check_dns_dbiterator_current(result);
signname(node, name);
signname(node, true, name);
dumpnode(name, node);
dns_db_detachnode(gdb, &node);
result = dns_dbiterator_first(gdbiter);
@@ -1666,7 +1670,7 @@ assignwork(void *arg) {
UNLOCK(&namelock);
signname(node, dns_fixedname_name(&fname));
signname(node, false, dns_fixedname_name(&fname));
/*%
* Write a node to the output file, and restart the worker task.
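Review bot: The new `apex` parameter on `signname` (line 33) is undocumented; the header comment still reads `* Signs all records at a name.` and should say what the flag gates, e.g. `* Signs all records at a name.  'apex' is true only for the zone apex; a DNSKEY RRset at any other name that reaches the type checks below is fatal.` The added `else if` on line 41 fires for every non-apex DNSKEY RRset that gets this far, so whether an obscured DNSKEY at a delegation (the case the CHANGES entry describes) is skipped before it depends on code above the hunk that is not visible here; a one-line comment stating that assumption next to the check would help the next reader. Minor style point: `Non-apex DNSKEY RRset` is capitalized unlike the neighbouring `found DS RRset without NS RRset`; `non-apex DNSKEY RRset` would be consistent. `signname`, `signapex` and `assignwork` all start and end outside the hunks.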


@@ -30,7 +30,6 @@ g A 10.0.0.7
z A 10.0.0.26
a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
x CNAME a
zz DNSKEY 258 3 5 Cg==
private NS ns.private
ns.private A 10.53.0.2


@@ -3905,9 +3905,9 @@ ret=0
dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1
grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1
dig_with_opts any zz.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
dig_with_opts any z.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1
# DNSKEY+RRSIG, NSEC+RRSIG
# A+RRSIG, NSEC+RRSIG
grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
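Review bot: With `zz DNSKEY` removed from the zone and the ANY query moved to `z.secure.example` (line 80), nothing visible in this commit exercises the new `Non-apex DNSKEY RRset` fatal path in dnssec-signzone; the only added regression data is the obscured DNSKEY at the `secure` delegation, which is the case the signer is meant to tolerate. A negative check that runs the signer against a zone with a DNSKEY at a non-apex, non-delegation name and greps its output, e.g. `grep "Non-apex DNSKEY RRset" signer.out > /dev/null || ret=1`, would pin the new behaviour. The expectation `ANSWER: 4,` on line 84 relies on `z.secure.example` having exactly one A record plus one RRSIG each for A and NSEC, so a comment such as `# z has a single A record; count is A+RRSIG, NSEC+RRSIG` would keep the number from going stale silently. The enclosing test case starts before the hunk.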


@@ -1,5 +1,6 @@
example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
example. 3600 IN NS ns2.example.
example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
a01.example. 3600 IN A 0.0.0.0
a02.example. 3600 IN A 255.255.255.255
a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
@@ -2541,7 +2542,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
dname01.example. 3600 IN DNAME dname-target.
dname02.example. 3600 IN DNAME dname-target.example.
dname03.example. 3600 IN DNAME .
dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
ds01.example. 3600 IN NS ns42.example.


@@ -1,5 +1,6 @@
example8. 86400 IN SOA ns2.example8. hostmaster.example8. 1397051952 5 5 1814400 3600
example8. 3600 IN NS ns2.example8.
example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
a01.example8. 3600 IN A 0.0.0.0
a02.example8. 3600 IN A 255.255.255.255
a601.example8. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
@@ -2541,7 +2542,6 @@ dlv.example8. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
dname01.example8. 3600 IN DNAME dname-target.
dname02.example8. 3600 IN DNAME dname-target.example8.
dname03.example8. 3600 IN DNAME .
dnskey01.example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
doa01.example8. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
doa02.example8. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
ds01.example8. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13


@@ -277,7 +277,7 @@ nsec03 NSEC . TYPE1
nsec04 NSEC . TYPE127
; type 48
dnskey01 DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
@ DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV
sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg
a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= )


@@ -26,4 +26,6 @@ secure NS secure
secure DS 1312 50 100 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0
secure A 1.2.3.4
secure AAAA 2002::1.2.3.4
; obscured DNSKEY, regression test for [GL #4517]
secure DNSKEY 256 3 3 VGhpcyBzaG9ydCBzbmlwcGV0IG9mIHRleHQgaXMgc2FkIGFuZCBtZWFuaW5nbGVzcy4K
out-of-zone. A 1.2.3.4


@@ -1,6 +1,7 @@
example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
example. 3600 IN NS ns2.example.
example. 3600 IN NS ns3.example.
example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
a01.example. 3600 IN A 0.0.0.0
a02.example. 3600 IN A 255.255.255.255
a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
@@ -42,7 +43,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
dname01.example. 3600 IN DNAME dname-target.
dname02.example. 3600 IN DNAME dname-target.example.
dname03.example. 3600 IN DNAME .
dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
ds01.example. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13


@@ -1,6 +1,7 @@
example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
example. 3600 IN NS ns2.example.
example. 3600 IN NS ns3.example.
example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
a01.example. 3600 IN A 0.0.0.1
a02.example. 3600 IN A 255.255.255.255
a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
@@ -42,7 +43,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
dname01.example. 3600 IN DNAME dname-target.
dname02.example. 3600 IN DNAME dname-target.example.
dname03.example. 3600 IN DNAME .
dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
ds01.example. 3600 IN NS ns42.example.


@@ -940,7 +940,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
* other than NSEC and DS is not signed at a delegation.
*/
if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey &&
(!delegation || rdataset.type == dns_rdatatype_ds ||
rdataset.type == dns_rdatatype_nsec))
{
@@ -955,11 +954,12 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
if (rdataset.type > maxtype) {
maxtype = rdataset.type;
}
} else if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey)
{
} else if (rdataset.type != dns_rdatatype_rrsig) {
if (rdataset.type == dns_rdatatype_ns) {
dns_nsec_setbit(types, rdataset.type, 1);
if (rdataset.type > maxtype) {
maxtype = rdataset.type;
}
}
result = check_no_rrsig(vctx, &rdataset, name, node);
if (result != ISC_R_SUCCESS) {
@@ -969,6 +969,9 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
}
} else {
dns_nsec_setbit(types, rdataset.type, 1);
if (rdataset.type > maxtype) {
maxtype = rdataset.type;
}
}
dns_rdataset_disassociate(&rdataset);
result = dns_rdatasetiter_next(rdsiter);
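Review bot: Dropping the `dnskey` exclusion on line 189 means a DNSKEY RRset at a non-apex name that is not a delegation now takes the verified branch like any other type, so dnssec-verify would accept a zone that dnssec-signzone in the same commit refuses with `Non-apex DNSKEY RRset`; unless `verifyset` rejects it elsewhere, which is not visible here, the two tools now disagree on the same input. Consider mirroring the signer's rule by failing (or at least logging) when `rdataset.type == dns_rdatatype_dnskey` at any name other than the zone origin, before the signature check. The comment ending on line 186 (`other than NSEC and DS is not signed at a delegation`) should also spell out the new bitmap rule, e.g. `at a delegation only NS, DS and NSEC contribute to the type bitmap; every other RRset there must be unsigned and is omitted from it`, since the new `else if` on lines 200–206 now routes an obscured DNSKEY through `check_no_rrsig` without setting its bit. `verifynode` starts and ends outside the hunks.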