From 00f5ea91cf6d3897f24efb2ba097bda1df24082f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 5 Dec 2017 16:09:47 +1100 Subject: [PATCH] 4839. [bug] zone.c:zone_sign was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true (default) leaving records unsigned with one or more DNSKEY algorithms. [RT #46774] --- CHANGES | 6 +++ bin/tests/system/autosign/clean.sh | 1 + .../autosign/ns3/inaczsk3.example.db.in | 21 +++++++++ bin/tests/system/autosign/ns3/keygen.sh | 11 +++++ bin/tests/system/autosign/ns3/named.conf | 7 +++ bin/tests/system/autosign/tests.sh | 45 ++++++++++++++++++- lib/dns/zone.c | 12 +++++ 7 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/autosign/ns3/inaczsk3.example.db.in diff --git a/CHANGES b/CHANGES index 3030ca8017..70a2be014b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +4839. [bug] zone.c:zone_sign was not properly determining + if there were active KSK and ZSK keys for + a algorithm when update-check-ksk is true + (default) leaving records unsigned with one or + more DNSKEY algorithms. [RT #46774] + 4838. [bug] zone.c:add_sigs was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index e3f7e3e72e..c29497fcbb 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -29,6 +29,7 @@ rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf rm -f ns3/autonsec3.example.db rm -f ns3/inaczsk2.example.db +rm -f ns3/inaczsk3.example.db rm -f ns3/kg.out ns3/s.out ns3/st.out rm -f ns3/kskonly.example.db rm -f ns3/nozsk.example.db ns3/inaczsk.example.db diff --git a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in new file mode 100644 index 0000000000..8a7f25cee8 --- /dev/null 
+++ b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 9add14916a..9afbc34bf1 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -282,3 +282,14 @@ cp $infile $zonefile
 ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
 $KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# A zone that starts with a active KSK + ZSK and a inactive ZSK which becomes
+# a zone with a active KSK and a inactive ZSK after 20 seconds.
+#
+setup inaczsk3.example
+cp $infile $zonefile
+ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -D now+20 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
index cacb8a539e..7ca8823b3c 100644
--- a/bin/tests/system/autosign/ns3/named.conf
+++ b/bin/tests/system/autosign/ns3/named.conf
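Review bot: The block comment above `setup inaczsk3.example` does not describe what the three `$KEYGEN` lines create: the second key is not made inactive, it is scheduled for deletion (`-D now+20`), and the third is inactive only because its activation is deferred (`-P now -A now+3600`); "a active" and "a inactive" also want "an". Suggest `# A zone with an active KSK, an active ZSK that is deleted at now+20, and a second ZSK that is published now but not active until now+3600; after 20 seconds only the KSK can sign.` The 20-second deletion timer starts at keygen time, not when named starts, so the stage-1 check in tests.sh must observe the zone before that deadline — worth stating here so nobody lengthens the startup sequence without adjusting it.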
@@ -256,4 +256,11 @@ zone "inaczsk2.example" {
 auto-dnssec maintain;
 };
 
+zone "inaczsk3.example" {
+ type master;
+ file "inaczsk3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 2fd331643b..2627937aa2 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -72,7 +72,7 @@ do
 $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
 done
- for z in bar. example. inaczsk2.example.
+ for z in bar. example. inaczsk2.example. inaczsk3.example
 do
 $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
@@ -86,6 +86,28 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi
 status=`expr $status + $ret`
 
+#
+# Check that zone is initially signed with a ZSK and not a KSK.
+#
+echo "I:check that zone with active and inactive ZSK and active KSK is properly resigned after the active ZSK is deleted - stage 1 ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
+kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
+grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
+grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+count=`awk 'BEGIN { count = 0 }
+ $4 == "RRSIG" && $5 == "CNAME" { count++ }
+ END {print count}' dig.out.ns3.test$n`
+test $count -eq 1 || ret=1
+count=`awk 'BEGIN { count = 0 }
+ $4 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n`
+test $count -eq 3 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
 ret=0
 # these commands should result in an empty file:
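Review bot: `allow-update { any; };` on the new inaczsk3.example zone accepts dynamic updates from any address, while the tests.sh hunks on this page only ever AXFR the zone. If the line is present only because `auto-dnssec maintain;` needs the zone to be dynamic, `update-policy local;` would satisfy that without an open update ACL; if a later test does send updates to this zone, a one-line comment saying so would stop a reader from tightening it. The other ns3 zones are outside this hunk, so I cannot tell whether `any` is simply the convention used throughout this test configuration.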
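Review bot: `inaczsk3.example` is appended to the `for z in` list without the trailing dot that `bar.`, `example.` and `inaczsk2.example.` carry; dig treats both spellings the same, but the list should be uniform so a reader does not wonder whether the difference is deliberate: `for z in bar. example. inaczsk2.example. inaczsk3.example.`. The enclosing loop (the `do` named in the hunk header) starts and ends outside the hunk.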
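Review bot: If the `kskid=` pipeline yields an empty string (no DNSKEY with flags 257 in the transfer, or `$DSFROMKEY` failing), the stage-1 guard `grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " ... && ret=1` degenerates to a pattern with two adjacent spaces that matches nothing, so the "not signed by the KSK" assertion passes vacuously. Add `test -n "$kskid" || ret=1` directly after the assignment, and give the `$DIG ... axfr` line the `|| ret=1` its siblings have so a failed transfer is reported as such rather than as a count mismatch. This stage also has to observe the zone before the active ZSK's `-D now+20` deletion (set in ns3/keygen.sh) fires; that is a startup race rather than a defect in these lines, but a short comment pointing at the deadline would help whoever sees an intermittent `test $count -eq 3` failure.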
@@ -1239,5 +1261,26 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +# +# Check that zone is now signed with the KSK. +# +echo "I:check that zone with active and inactive ZSK and active KSK is properly resigned after the active ZSK is deleted - stage 2 ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n +kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | + $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ` +grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 +count=`awk 'BEGIN { count = 0 } + $4 == "RRSIG" && $5 == "CNAME" { count++ } + END {print count}' dig.out.ns3.test$n` +test $count -eq 1 || ret=1 +count=`awk 'BEGIN { count = 0 } + $4 == "DNSKEY" { count++ } + END {print count}' dig.out.ns3.test$n` +test $count -eq 2 || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 8c5eccea2c..221308cda1 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -8515,6 +8515,11 @@ zone_sign(dns_zone_t *zone) { */ if (!dst_key_isprivate(zone_keys[i])) continue; + /* + * Should be redundant. + */ + if (dst_key_inactive(zone_keys[i])) + continue; /* * When adding look for the specific key. @@ -8549,6 +8554,13 @@ zone_sign(dns_zone_t *zone) { ALG(zone_keys[i]) != ALG(zone_keys[j])) continue; + if (!dst_key_isprivate(zone_keys[j])) + continue; + /* + * Should be redundant. + */ + if (dst_key_inactive(zone_keys[j])) + continue; if (REVOKE(zone_keys[j])) continue; if (KSK(zone_keys[j]))
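Review bot: Stage 2 asserts that the active ZSK has been deleted and the CNAME re-signed by the KSK, but nothing waits for that: it depends on the tests between stage 1 and here taking more than 20 seconds and on named having already run its re-sign pass. A bounded retry around the check, as below, makes that dependency explicit and tolerant of a fast machine. The `kskid` extraction has the same empty-string hazard as stage 1, though here the `|| ret=1` on the grep means an empty id fails loudly rather than silently.
```shell
echo "I:check that zone with active and inactive ZSK and active KSK is properly resigned after the active ZSK is deleted - stage 2 ($n)"
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n || ret=1
	# ... unchanged: kskid extraction, KSK-signed CNAME grep, RRSIG and DNSKEY counts ...
	[ $ret -eq 0 ] && break
	sleep 1
done
```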
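Review bot: The comment `Should be redundant.` on the new `dst_key_inactive(zone_keys[i])` check says nothing about what it is redundant with, which leaves the next reader unable to tell whether the guard can ever be removed. If the intent is that inactive keys are expected to have been filtered out when `zone_keys[]` was populated (I cannot see that from the hunk), say so: `/* Inactive keys should already have been excluded when zone_keys[] was loaded; keep this guard so an inactive key can never be selected to sign. */`. zone_sign continues on both sides of this hunk.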
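Review bot: The new `!dst_key_isprivate(zone_keys[j])` skip changes what counts as a KSK for the algorithm: a KSK whose private key is not on this server (an offline KSK whose DNSKEY is still in `zone_keys[]`) no longer contributes to the KSK/ZSK determination that follows `if (KSK(zone_keys[j]))`, so under update-check-ksk the ZSK becomes the only key for that algorithm. That may be the desired outcome — the server cannot sign with a key it does not hold — but it is a behaviour change worth confirming and calling out in CHANGES alongside the bug fix. Separately, the eligibility checks are now repeated for `zone_keys[i]` (private, inactive), for `zone_keys[j]` (private, inactive, revoked) and, per CHANGES 4838, in add_sigs; a small static helper such as `key_can_sign(dst_key_t *key)` returning whether a key is private, not inactive and not revoked, used at all three sites, would stop them drifting apart again the way 4838 and 4839 show they did. zone_sign continues outside the hunk on both sides.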