diff --git a/CHANGES b/CHANGES
index 333f0e7d1f..7802216b8a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6389. [bug] dnssec-verify and dnssec-signzone could fail if there
+ was an obscured DNSKEY RRset at a delegatation.
+ [GL #4517]
+
 6388. [placeholder]
 6387. [func] Added a new statistics variable "recursive high-water"
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 7b85464180..b38de8e942 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1167,7 +1167,7 @@ has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
 * Signs all records at a name.
 */
 static void
-signname(dns_dbnode_t *node, dns_name_t *name) {
+signname(dns_dbnode_t *node, bool apex, dns_name_t *name) {
 isc_result_t result;
 dns_rdataset_t rdataset;
 dns_rdatasetiter_t *rdsiter;
@@ -1218,6 +1218,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 dns_name_format(name, namebuf, sizeof(namebuf));
 fatal("'%s': found DS RRset without NS RRset\n", namebuf);
+ } else if (rdataset.type == dns_rdatatype_dnskey && !apex) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ fatal("'%s': Non-apex DNSKEY RRset\n", namebuf);
 }
 signset(&del, &add, node, name, &rdataset);
@@ -1537,7 +1541,7 @@ signapex(void) {
 check_result(result, "dns_dbiterator_seek()");
 result = dns_dbiterator_current(gdbiter, &node, name);
 check_dns_dbiterator_current(result);
- signname(node, name);
+ signname(node, true, name);
 dumpnode(name, node);
 dns_db_detachnode(gdb, &node);
 result = dns_dbiterator_first(gdbiter);
@@ -1666,7 +1670,7 @@ assignwork(void *arg) {
 UNLOCK(&namelock);
- signname(node, dns_fixedname_name(&fname));
+ signname(node, false, dns_fixedname_name(&fname));
 /*%
 * Write a node to the output file, and restart the worker task.
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index 883e06790b..b82b280219 100644
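Review bot: The new `apex` parameter is undocumented: the comment above signname still reads ` * Signs all records at a name.` and says nothing about what callers must pass, even though the flag decides in the next hunk whether a DNSKEY RRset is signed or treated as fatal. I'd extend the comment with ` * 'apex' is true only when signing the zone origin, the one name where a DNSKEY RRset is allowed; at every other name a DNSKEY RRset is a fatal error.` The body of signname continues past this hunk. The CHANGES entry at the head of the commit also misspells 'delegation' as 'delegatation'.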
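Review bot: The added branch makes any DNSKEY RRset reached with `apex` false fatal, but whether an obscured DNSKEY at a delegation, the case the commit says it fixes, is skipped before reaching it depends on delegation handling earlier in the loop that lies outside the hunk; if it is not skipped there, signing such a zone now aborts instead of succeeding. A comment above the branch would pin the intent, e.g. `/* A DNSKEY RRset belongs only at the zone apex; refuse to sign one found anywhere else. */`. The message also breaks the sibling's style: `'%s': found DS RRset without NS RRset` is lower-case and uses 'found', so `'%s': found non-apex DNSKEY RRset` would match. The if/else chain this branch joins starts before the hunk.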
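Review bot: The worker path passes `false` unconditionally, so the apex flag is only right if assignwork never hands the origin node to a worker; the node-selection loop that would guarantee that starts before the hunk, so it cannot be confirmed here. If that invariant holds, a comment at the call, `/* the apex is signed by signapex(); nodes handed out here are always below it */`, makes the literal self-explanatory; if it does not, the flag should be derived from comparing the node's name with the zone origin, as signapex's `true` implicitly assumes.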
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -30,7 +30,6 @@ g A 10.0.0.7
 z A 10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
 x CNAME a
-zz DNSKEY 258 3 5 Cg==
 private NS ns.private
 ns.private A 10.53.0.2
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index ffbba1b033..413af09f7f 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3905,9 +3905,9 @@ ret=0
 dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1
 grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1
 grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1
-dig_with_opts any zz.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
+dig_with_opts any z.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1
 grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1
-# DNSKEY+RRSIG, NSEC+RRSIG
+# A+RRSIG, NSEC+RRSIG
 grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
diff --git a/bin/tests/system/doth/example.axfr.good b/bin/tests/system/doth/example.axfr.good
index 581a0c5cd3..176c824f4a 100644
--- a/bin/tests/system/doth/example.axfr.good
+++ b/bin/tests/system/doth/example.axfr.good
@@ -1,5 +1,6 @@
 example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
 example. 3600 IN NS ns2.example.
+example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
 a01.example. 3600 IN A 0.0.0.0
 a02.example. 3600 IN A 255.255.255.255
 a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
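Review bot: Retargeting the ANY query from zz.secure.example to z.secure.example changes what this case covers: z carries only an A record (see the secure.example.db.in hunk above), so `grep "ANSWER: 4,"` now checks an ordinary signed name, while the echo_i description for this test number lies outside the hunk and may still describe a DNSKEY below the apex. If a regression check for non-apex DNSKEY handling is still wanted, the case should instead assert that dnssec-signzone refuses such a zone; otherwise the description should be brought in line with the new `# A+RRSIG, NSEC+RRSIG` comment.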
@@ -2541,7 +2542,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example. 3600 IN DNAME dname-target. dname02.example. 3600 IN DNAME dname-target.example. dname03.example. 3600 IN DNAME . -dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example. 3600 IN NS ns42.example. diff --git a/bin/tests/system/doth/example8.axfr.good b/bin/tests/system/doth/example8.axfr.good index fe00a90577..97b05323d7 100644 --- a/bin/tests/system/doth/example8.axfr.good +++ b/bin/tests/system/doth/example8.axfr.good @@ -1,5 +1,6 @@ example8. 86400 IN SOA ns2.example8. hostmaster.example8. 1397051952 5 5 1814400 3600 example8. 3600 IN NS ns2.example8. +example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= a01.example8. 3600 IN A 0.0.0.0 a02.example8. 3600 IN A 255.255.255.255 a601.example8. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 
@@ -2541,7 +2542,6 @@ dlv.example8. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example8. 3600 IN DNAME dname-target. dname02.example8. 3600 IN DNAME dname-target.example8. dname03.example8. 3600 IN DNAME . -dnskey01.example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example8. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example8. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example8. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh index 13ac32f1ea..40bf221a3b 100644 --- a/bin/tests/system/genzone.sh +++ b/bin/tests/system/genzone.sh @@ -277,7 +277,7 @@ nsec03 NSEC . TYPE1 nsec04 NSEC . TYPE127 ; type 48 -dnskey01 DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY +@ DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) diff --git a/bin/tests/system/verify/zones/unsigned.db b/bin/tests/system/verify/zones/unsigned.db index 1e7cd2b677..7febeefc33 100644 --- a/bin/tests/system/verify/zones/unsigned.db +++ b/bin/tests/system/verify/zones/unsigned.db 
@@ -26,4 +26,6 @@ secure NS secure
 secure DS 1312 50 100 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0
 secure A 1.2.3.4
 secure AAAA 2002::1.2.3.4
+; obscured DNSKEY, regression test for [GL #4517]
+secure DNSKEY 256 3 3 VGhpcyBzaG9ydCBzbmlwcGV0IG9mIHRleHQgaXMgc2FkIGFuZCBtZWFuaW5nbGVzcy4K
 out-of-zone. A 1.2.3.4
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
index 4908f8ed1d..27285100d7 100644
--- a/bin/tests/system/xfer/dig1.good
+++ b/bin/tests/system/xfer/dig1.good
@@ -1,6 +1,7 @@
 example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
 example. 3600 IN NS ns2.example.
 example. 3600 IN NS ns3.example.
+example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
 a01.example. 3600 IN A 0.0.0.0
 a02.example. 3600 IN A 255.255.255.255
 a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
@@ -42,7 +43,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example. 3600 IN DNAME dname-target. dname02.example. 3600 IN DNAME dname-target.example. dname03.example. 3600 IN DNAME . -dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good index 4993815af8..5b1d93d09c 100644 --- a/bin/tests/system/xfer/dig2.good +++ b/bin/tests/system/xfer/dig2.good @@ -1,6 +1,7 @@ example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600 example. 3600 IN NS ns2.example. example. 3600 IN NS ns3.example. +example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= a01.example. 3600 IN A 0.0.0.1 a02.example. 3600 IN A 255.255.255.255 a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 
@@ -42,7 +43,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example. 3600 IN DNAME dname-target. dname02.example. 3600 IN DNAME dname-target.example. dname03.example. 3600 IN DNAME . -dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example. 3600 IN NS ns42.example. diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index 684ab9984c..3419ef1f91 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -940,7 +940,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, * other than NSEC and DS is not signed at a delegation. */ if (rdataset.type != dns_rdatatype_rrsig && - rdataset.type != dns_rdatatype_dnskey && (!delegation || rdataset.type == dns_rdatatype_ds || rdataset.type == dns_rdatatype_nsec)) { @@ -955,11 +954,12 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, if (rdataset.type > maxtype) { maxtype = rdataset.type; } - } else if (rdataset.type != dns_rdatatype_rrsig && - rdataset.type != dns_rdatatype_dnskey) - { + } else if (rdataset.type != dns_rdatatype_rrsig) { if (rdataset.type == dns_rdatatype_ns) { dns_nsec_setbit(types, rdataset.type, 1); + if (rdataset.type > maxtype) { + maxtype = rdataset.type; + } } result = check_no_rrsig(vctx, &rdataset, name, node); if (result != ISC_R_SUCCESS) { 
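Review bot: With the DNSKEY exclusion removed, a DNSKEY RRset below the apex is verified like any other type, signed at an authoritative name and unsigned at a delegation, yet the comment that introduces this condition (its start is before the hunk; the visible tail reads ` * other than NSEC and DS is not signed at a delegation.`) does not mention the change. Appending ` * DNSKEY gets no special treatment below the apex, so an obscured DNSKEY at a delegation must be unsigned like glue ([GL #4517]).` would record the rule this commit establishes. The if/else chain opened here continues into the next hunk.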
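Review bot: The `if (rdataset.type > maxtype) { maxtype = rdataset.type; }` update is now duplicated after every `dns_nsec_setbit(types, rdataset.type, 1)` call, in the NS branch here, in the RRSIG branch of the following hunk, and in the signed branch just above, so the bitmap and its bound are maintained in three places that can drift apart. A static helper taking `types`, `&maxtype` and the type, doing both steps, would keep them in step; the declarations of `types` and `maxtype` are outside the hunk, so its signature has to follow theirs. What `maxtype` bounds is also not stated anywhere visible; presumably it limits the bitmap later compared against the NSEC or NSEC3 record at this name, and a comment at its declaration saying so would help the next reader. verifynode continues on both sides of this hunk.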
@@ -969,6 +969,9 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 }
 } else {
 dns_nsec_setbit(types, rdataset.type, 1);
+ if (rdataset.type > maxtype) {
+ maxtype = rdataset.type;
+ }
 }
 dns_rdataset_disassociate(&rdataset);
 result = dns_rdatasetiter_next(rdsiter);