Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones. Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
Section 4 of RFC 7706 suggests that responses sourced from a local copy
of a zone should not have the AA bit set. Follow that recommendation by
setting 'qctx->authoritative' to ISC_FALSE when a response to a query is
coming from a mirror zone.
When a resolver is a regular slave (i.e. not a mirror) for some zone,
non-recursive queries for names below that slaved zone will return a
delegation sourced from it. This behavior is suboptimal for mirror
zones as their contents should rather be treated as validated, cached
DNS responses. Modify query_delegation() and query_zone_delegation() to
permit clients allowed cache access to check its contents for a better
answer when responding to non-recursive queries.
Make ns3 mirror the "root" zone from ns1 and query the former for a
properly signed record below the root. Ensure ns1 is not queried during
resolution and that the AD bit is set in the response.
As mirror zone files are verified when they are loaded from disk, verify
journal files as well to ensure invalid data is not used. Reuse the
journals generated during IXFR tests to test this.
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used. If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key. Define
a new libdns result signifying a zone verification failure.
Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor. The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure. Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.
The system test helper function nextpart() always updates the "lines
read so far" marker ("<file>.prev") when it is called, which somewhat
limits its flexibility. Add two new helper functions, nextpartpeek()
and nextpartreset(), so that certain parts of log files can be easily
examined more than once. Add some documentation to help understand the
purpose of each function in the nextpart*() family.
Add a new slave-only boolean configuration option, "mirror", along with
its corresponding dns_zoneopt_t enum and a helper function for checking
whether that option was set for a given zone. This commit does not
introduce any behavior changes yet.
With "dnssec-validation" now defaulting to "auto", it needs to be
explicitly set to "yes" (the previous default value) for all validating
resolvers used in system tests. Ensure that requirement is satisfied by
the resolvers used in the "rpz" system test.
Change 4897 modified the way the $DNSRPS_TEST_MODE variable is used in
bin/tests/system/rpz/tests.sh without updating all references to it,
which i.a. causes the $native and $dnsrps variables to not be set in the
default testing mode, effectively preventing failed checks from being
propagated to the final result of the test. Use $mode instead of
$DNSRPS_TEST_MODE where appropriate to fix error handling in the "rpz"
system test.
