mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

Merge branch '4027-nsec3-of-removed-empty-non-terminal-remains-in-chain-breaking-validation-tools' into 'main'

Browse Source 
Resolve "NSEC3 of removed empty-non-terminal remains in chain, breaking validation tools"

Closes #4027

See merge request isc-projects/bind9!7857
This commit is contained in:
Mark Andrews
2023-04-25 05:44:08 +00:00
parent 2aff1d6efc 7dbb2b877b
commit f0c3881a82
7 changed files with 91 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,3 +1,7 @@
6157. [bug] When removing delegations in an OPTOUT range
empty-non-terminal NSEC3 records generated by
those delegations where not removed. [GL #4027]
6156. [bug] Reimplement the maximum and idle timeouts for incoming 6156. [bug] Reimplement the maximum and idle timeouts for incoming
zone tranfers. [GL #4004] zone tranfers. [GL #4004]

3
bin/tests/system/autosign/clean.sh
View File

@@ -23,14 +23,13 @@ rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.* rm -f dig.out.*
rm -f digcomp.out.test* rm -f digcomp.out.test*
rm -f digcomp.out.test*
rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
rm -f nopriv.key vanishing.key del1.key del2.key rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/managed-keys.bind* rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock rm -f ns*/named.lock
rm -f ns*/named.lock
rm -f ns1/root.db rm -f ns1/root.db
rm -f ns2/example.db rm -f ns2/example.db
rm -f ns2/optout-with-ent.db
rm -f ns2/private.secure.example.db ns2/bar.db rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf rm -f ns3/*.nzf

8
bin/tests/system/autosign/ns2/keygen.sh
View File

@@ -54,3 +54,11 @@ do
done done
$KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null $KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
$DSFROMKEY Kbar.+013+60101.key > dsset-bar. $DSFROMKEY Kbar.+013+60101.key > dsset-bar.
# a zone with empty non-terminals.
zone=optout-with-ent
zonefile=optout-with-ent.db
infile=optout-with-ent.db.in
cat $infile > $zonefile
kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null

9
bin/tests/system/autosign/ns2/named.conf.in
View File

@@ -97,4 +97,13 @@ zone "child.optout.example" {
auto-dnssec maintain; auto-dnssec maintain;
}; };
zone "optout-with-ent" {
type primary;
file "optout-with-ent.db";
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf"; include "trusted.conf";

22
bin/tests/system/autosign/ns2/optout-with-ent.db.in Normal file
View File

@@ -0,0 +1,22 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA ns2.example. . (
2010042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2.example.
sub1.ent NS .
sub2.ent NS .

45
bin/tests/system/autosign/tests.sh
View File

@@ -160,7 +160,7 @@ do
$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
done done
for z in bar. example. private.secure.example. for z in bar. example. private.secure.example. optout-with-ent.
do do
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
@@ -180,6 +180,9 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "done"; fi if [ $ret != 0 ]; then echo_i "done"; fi
status=$((status + ret)) status=$((status + ret))
echo_i "Convert optout-with-ent from nsec to nsec3"
($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
for z in . for z in .
do do
@@ -1566,5 +1569,45 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret)) status=$((status + ret))
echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
ret=0
zone=optout-with-ent
hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
# check that NSEC3 for ENT is present
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
# remove first delegation of two delegations, NSEC3 for ENT should remain.
(
echo zone $zone
echo server 10.53.0.2 "$PORT"
echo update del sub1.ent.$zone NS
echo send
) | $NSUPDATE
# check that NSEC3 for ENT is still present
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
# remove second delegation of two delegations, NSEC3 for ENT should be deleted.
(
echo zone $zone
echo server 10.53.0.2 "$PORT"
echo update del sub2.ent.$zone NS
echo send
) | $NSUPDATE
# check that NSEC3 for ENT is gone present
$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1
grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1
$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n
grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1

5
lib/dns/nsec3.c
View File

@@ -1440,7 +1440,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
result = dns_dbiterator_seek(dbit, hashname); result = dns_dbiterator_seek(dbit, hashname);
if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) { if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
goto success; goto cleanup_orphaned_ents;
} }
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto failure; goto failure;
@@ -1452,7 +1452,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
(isc_stdtime_t)0, &rdataset, NULL); (isc_stdtime_t)0, &rdataset, NULL);
dns_db_detachnode(db, &node); dns_db_detachnode(db, &node);
if (result == ISC_R_NOTFOUND) { if (result == ISC_R_NOTFOUND) {
goto success; goto cleanup_orphaned_ents;
} }
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto failure; goto failure;
@@ -1537,6 +1537,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
/* /*
* Delete NSEC3 records for now non active nodes. * Delete NSEC3 records for now non active nodes.
*/ */
cleanup_orphaned_ents:
dns_name_init(&empty, NULL); dns_name_init(&empty, NULL);
dns_name_clone(name, &empty); dns_name_clone(name, &empty);
do { do {