1947. [func] It is now possible to configure named to accept

expired RRSIGs.  Default "dnssec-accept-expired no;".
                        Setting "dnssec-accept-expired yes;" leaves named
                        vulnerable to replay attacks.  [RT #14685]

CHANGES

@@ -1,3 +1,8 @@
+1947.	[func]		It is now possible to configure named to accept
+			expired RRSIGs.  Default "dnssec-accept-expired no;".
+			Setting "dnssec-accept-expired yes;" leaves named
+			vulnerable to replay attacks.  [RT #14685]
+
 1946.	[bug]		resume_dslookup() could trigger a REQUIRE failure
 			when using forwarders. [RT #15549]
 

bin/named/config.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.62 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: config.c,v 1.63 2006/01/04 02:35:49 marka Exp $ */
 
 /*! \file */
 
@@ -133,6 +133,7 @@ options {\n\
 	acache-cleaning-interval 60;\n\
 	max-acache-size 0;\n\
 	dnssec-enable no; /* Make yes for 9.4. */ \n\
+	dnssec-accept-expired no;\n\
 	clients-per-query 10;\n\
 	max-clients-per-query 100;\n\
 "

bin/named/named.conf.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.14 2005/08/18 00:57:26 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.15 2006/01/04 02:35:49 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -253,13 +253,14 @@ options {
 		( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
 		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
 		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
-	}
+	};
 	edns-udp-size <replaceable>integer</replaceable>;
 	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
 	dnssec-enable <replaceable>boolean</replaceable>;
 	dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	dnssec-accept-expired <replaceable>boolean</replaceable>;
 
 	empty-server <replaceable>string</replaceable>;
 	empty-contact <replaceable>string</replaceable>;
@@ -399,8 +400,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
 	dnssec-enable <replaceable>boolean</replaceable>;
 	dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
-
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+	dnssec-accept-expired <replaceable>boolean</replaceable>;
 
 	empty-server <replaceable>string</replaceable>;
 	empty-contact <replaceable>string</replaceable>;

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.276 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: query.c,v 1.277 2006/01/04 02:35:49 marka Exp $ */
 
 /*! \file */
 
@@ -2360,13 +2360,21 @@ get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
 
 static isc_boolean_t
 verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
-       dns_rdata_t *rdata, isc_mem_t *mctx)
+       dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
 {
 	isc_result_t result;
 	dns_fixedname_t fixed;
+	isc_boolean_t ignore = ISC_FALSE;
+
 	dns_fixedname_init(&fixed);
-	result = dns_dnssec_verify2(name, rdataset, key, ISC_FALSE,
-				    mctx, rdata, NULL);
+	
+again:
+	result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
+				    rdata, NULL);
+	if (result == DNS_R_SIGEXPIRED && acceptexpired) {
+		ignore = ISC_TRUE;
+		goto again;
+	}
 	if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
 		return (ISC_TRUE);
 	return (ISC_FALSE);
@@ -2406,7 +2414,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 		do {
 			if (!get_key(client, db, &rrsig, &keyrdataset, &key))
 				break;
-			if (verify(key, name, rdataset, &rdata, client->mctx)) {
+			if (verify(key, name, rdataset, &rdata, client->mctx,
+				   client->view->acceptexpired)) {
 				dst_key_free(&key);
 				dns_rdataset_disassociate(&keyrdataset);
 				mark_secure(client, db, name, rdataset,

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.451 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: server.c,v 1.452 2006/01/04 02:35:49 marka Exp $ */
 
 /*! \file */
 
@@ -1395,6 +1395,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	INSIST(result == ISC_R_SUCCESS);
 	view->enablednssec = cfg_obj_asboolean(obj);
 
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->acceptexpired = cfg_obj_asboolean(obj);
+
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.283 2005/12/04 23:54:00 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.284 2006/01/04 02:35:49 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -4389,6 +4389,7 @@ category notify { null; };
     <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
     <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
+    <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
     <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
@@ -5476,6 +5477,16 @@ options {
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><command>dnssec-accept-expired</command></term>
+              <listitem>
+                <para>
+		  When verifying DNSSEC signatures accept expired signatures.
+                  The default is <userinput>no</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><command>querylog</command></term>
               <listitem>

lib/dns/include/dns/view.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.97 2005/09/05 00:11:04 marka Exp $ */
+/* $Id: view.h,v 1.98 2006/01/04 02:35:49 marka Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -112,6 +112,7 @@ struct dns_view {
 	isc_boolean_t			additionalfromauth;
 	isc_boolean_t			minimalresponses;
 	isc_boolean_t			enablednssec;
+	isc_boolean_t			acceptexpired;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
 	dns_acl_t *			recursionacl;

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.138 2005/12/04 23:54:00 marka Exp $ */
+/* $Id: validator.c,v 1.139 2006/01/04 02:35:49 marka Exp $ */
 
 /*! \file */
 
@@ -1287,12 +1287,24 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 {
 	isc_result_t result;
 	dns_fixedname_t fixed;
+	isc_boolean_t ignore = ISC_FALSE;
 
 	val->attributes |= VALATTR_TRIEDVERIFY;
 	dns_fixedname_init(&fixed);
+ again:
 	result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
-				    key, ISC_FALSE, val->view->mctx, rdata,
+				    key, ignore, val->view->mctx, rdata,
 				    dns_fixedname_name(&fixed));
+	if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
+		ignore = ISC_TRUE;
+		goto again;
+	}
+	if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
+		validator_log(val, ISC_LOG_INFO,
+			      "accepted expired %sRRSIG (keyid=%u)",
+			      (result == DNS_R_FROMWILDCARD) ?
+			      "" : "wildcard ", keyid);
+	else
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "verify rdataset (keyid=%u): %s",
 			      keyid, isc_result_totext(result));

lib/dns/view.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.133 2005/09/05 00:11:02 marka Exp $ */
+/* $Id: view.c,v 1.134 2006/01/04 02:35:49 marka Exp $ */
 
 /*! \file */
 
@@ -160,6 +160,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->additionalfromcache = ISC_TRUE;
 	view->additionalfromauth = ISC_TRUE;
 	view->enablednssec = ISC_TRUE;
+	view->acceptexpired = ISC_FALSE;
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
 	view->queryacl = NULL;

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.58 2005/10/26 04:35:56 marka Exp $ */
+/* $Id: namedconf.c,v 1.59 2006/01/04 02:35:49 marka Exp $ */
 
 /*! \file */
 
@@ -770,6 +770,7 @@ view_clauses[] = {
 	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
 	   CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
 	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
 	{ "use-additional-cache", &cfg_type_boolean, 0 },
 	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },