upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-26 19:41:04 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add built-in dnssec-policy "insecure"

Browse source 
Add a new built-in policy "insecure", to be used to gracefully unsign
a zone. Previously you could just remove the 'dnssec-policy'
configuration from your zone statement, or remove it.

The built-in policy "none" (or not configured) now actually means
no DNSSEC maintenance for the corresponding zone. So if you
immediately reconfigure your zone from whatever policy to "none",
your zone will temporarily be seen as bogus by validating resolvers.

This means we can remove the functions 'dns_zone_use_kasp()' and
'dns_zone_secure_to_insecure()' again. We also no longer have to
check for the existence of key state files to figure out if a zone
is transitioning to insecure.

(cherry picked from commit 2710d9a11d)
This commit is contained in:
Matthijs Mekking 2021-04-21 16:09:06 +02:00
parent fdf7be247d
commit 375112a623
8 changed files with 49 additions and 145 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
bin/named/server.c
View file

@ -8981,7 +8981,7 @@ load_configuration(const char *filename, named_server_t *server,
dns_kasp_detach(&kasp);
}
/*
* Create the built-in kasp policies ("default", "none").
* Create the built-in kasp policies ("default", "insecure").
*/
kasp = NULL;
CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx,
@ -8991,7 +8991,7 @@ load_configuration(const char *filename, named_server_t *server,
dns_kasp_detach(&kasp);
kasp = NULL;
CHECK(cfg_kasp_fromconfig(NULL, "none", named_g_mctx, named_g_lctx,
CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx,
&kasplist, &kasp));
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
@ -14486,7 +14486,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
CHECK(ISC_R_UNEXPECTEDEND);
}
if (dns_zone_use_kasp(zone)) {
if (dns_zone_getkasp(zone) != NULL) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);

43
bin/named/zoneconf.c
View file

@ -1228,15 +1228,23 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
"'dnssec-policy '%s' not found ",
kaspname);
RETERR(result);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(
obj, named_g_lctx,
ISC_LOG_ERROR,
"dnssec-policy '%s' not found ",
kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
use_kasp = true;
}
dns_zone_setkasp(zone, kasp);
use_kasp = dns_zone_use_kasp(zone);
}
if (!use_kasp) {
dns_zone_setkasp(zone, NULL);
}
obj = NULL;
@ -1649,10 +1657,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (kasp != NULL && strcmp(dns_kasp_getname(kasp), "none") != 0)
{
if (kasp != NULL) {
bool s2i = (strcmp(dns_kasp_getname(kasp),
"insecure") != 0);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
@ -1669,11 +1678,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
} else {
bool s2i = dns_zone_secure_to_insecure(zone, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, s2i);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, s2i);
}
}
@ -2192,13 +2196,6 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"inline-signing: "
"implicitly through dnssec-policy");
} else {
inline_signing = dns_zone_secure_to_insecure(zone,
true);
dns_zone_log(
zone, ISC_LOG_DEBUG(1), "inline-signing: %s",
inline_signing ? "transitioning to insecure"
: "no");
}
}

2
lib/bind9/check.c
View file

@ -2459,6 +2459,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (strcmp(kaspname, "default") == 0) {
has_dnssecpolicy = true;
} else if (strcmp(kaspname, "insecure") == 0) {
has_dnssecpolicy = true;
} else if (strcmp(kaspname, "none") == 0) {
has_dnssecpolicy = false;
} else {

26
lib/dns/include/dns/zone.h
View file

@ -677,32 +677,6 @@ dns_zone_getkasp(dns_zone_t *zone);
*\li 'zone' to be a valid zone.
*/
bool
dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig);
/*%<
* Returns true if the zone is transitioning to insecure.
* Only can happen if a zone previously used a dnssec-policy,
* but changed the value to "none" (or removed the configuration
* option). If 'reconfig' is true, only check the key files,
* because the zone structure is not yet updated with the
* newest configuration.
*
* Require:
*\li 'zone' to be a valid zone.
*/
bool
dns_zone_use_kasp(dns_zone_t *zone);
/*%<
* Check if zone needs to use kasp.
* True if there is a policy that is not "none",
* or if there are state files associated with the keys
* related to this zone.
*
* Require:
*\li 'zone' to be a valid zone.
*/
void
dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
/*%<

3
lib/dns/update.c
View file

@ -1087,6 +1087,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
bool keyset_kskonly) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_kasp_t *kasp = dns_zone_getkasp(zone);
dns_rdataset_t rdataset;
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
@ -1097,7 +1098,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
bool use_kasp = false;
isc_mem_t *mctx = diff->mctx;
if (dns_zone_use_kasp(zone)) {
if (kasp != NULL) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;

2
lib/dns/win32/libdns.def.in
View file

@ -1290,7 +1290,6 @@ dns_zone_rekey
dns_zone_replacedb
dns_zone_rpz_enable
dns_zone_rpz_enable_db
dns_zone_secure_to_insecure
dns_zone_set_parentcatz
dns_zone_setadded
dns_zone_setalsonotify
@ -1378,7 +1377,6 @@ dns_zone_setzeronosoattl
dns_zone_signwithkey
dns_zone_synckeyzone
dns_zone_unload
dns_zone_use_kasp
dns_zone_verifydb
dns_zonekey_iszonekey
dns_zonemgr_attach

106
lib/dns/zone.c
View file

@ -5693,82 +5693,6 @@ dns_zone_getkasp(dns_zone_t *zone) {
return (zone->kasp);
}
static bool
statefile_exist(dns_zone_t *zone) {
isc_result_t ret;
dns_dnsseckeylist_t keys;
dns_dnsseckey_t *key = NULL;
isc_stdtime_t now;
isc_time_t timenow;
bool found = false;
TIME_NOW(&timenow);
now = isc_time_seconds(&timenow);
ISC_LIST_INIT(keys);
ret = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
dns_zone_getkeydirectory(zone), now,
dns_zone_getmctx(zone), &keys);
if (ret == ISC_R_SUCCESS) {
for (key = ISC_LIST_HEAD(keys); key != NULL;
key = ISC_LIST_NEXT(key, link)) {
if (dst_key_haskasp(key->key)) {
found = true;
break;
}
}
}
/* Clean up keys */
while (!ISC_LIST_EMPTY(keys)) {
key = ISC_LIST_HEAD(keys);
ISC_LIST_UNLINK(keys, key, link);
dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
}
return (found);
}
bool
dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig) {
REQUIRE(DNS_ZONE_VALID(zone));
/*
* If checking during reconfig, the zone is not yet updated
* with the new kasp configuration, so only check the key
* files.
*/
if (reconfig) {
return (statefile_exist(zone));
}
if (zone->kasp == NULL) {
return (false);
}
if (strcmp(dns_kasp_getname(zone->kasp), "none") != 0) {
return (false);
}
/*
* "dnssec-policy none", but if there are key state files
* this zone used to be secure but is transitioning back to
* insecure.
*/
return (statefile_exist(zone));
}
bool
dns_zone_use_kasp(dns_zone_t *zone) {
dns_kasp_t *kasp = dns_zone_getkasp(zone);
if (kasp == NULL) {
return (false);
} else if (strcmp(dns_kasp_getname(kasp), "none") != 0) {
return (true);
}
return dns_zone_secure_to_insecure(zone, false);
}
void
dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
REQUIRE(DNS_ZONE_VALID(zone));
@ -6728,7 +6652,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
unsigned int i, j;
bool use_kasp = false;
if (dns_zone_use_kasp(zone)) {
if (dns_zone_getkasp(zone) != NULL) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
@ -7246,7 +7170,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
dns_rdata_reset(&rdata);
}
if (dns_zone_use_kasp(zone)) {
if (dns_zone_getkasp(zone) != NULL) {
dns_kasp_key_t *kkey;
int zsk_count = 0;
bool approved;
@ -7458,7 +7382,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
} else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
inception, &when)) {
/* Only applies to dnssec-policy. */
if (dns_zone_use_kasp(zone)) {
if (dns_zone_getkasp(zone) != NULL) {
goto next_rdataset;
}
}
@ -9197,7 +9121,7 @@ zone_sign(dns_zone_t *zone) {
signing = ISC_LIST_HEAD(zone->signing);
first = true;
if (dns_zone_use_kasp(zone)) {
if (dns_zone_getkasp(zone) != NULL) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
@ -16513,7 +16437,7 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
* Allow DNSSEC records with dnssec-policy.
* WMM: Perhaps add config option for it.
*/
if (!dns_zone_use_kasp(zone)) {
if (dns_zone_getkasp(zone) == NULL) {
dns_rdataset_disassociate(&rdataset);
continue;
}
@ -19796,7 +19720,7 @@ zone_rekey(dns_zone_t *zone) {
dns__zonediff_t zonediff;
bool commit = false, newactive = false;
bool newalg = false;
bool fullsign, use_kasp;
bool fullsign;
dns_ttl_t ttl = 3600;
const char *dir = NULL;
isc_mem_t *mctx = NULL;
@ -19870,7 +19794,6 @@ zone_rekey(dns_zone_t *zone) {
fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
kasp = dns_zone_getkasp(zone);
use_kasp = dns_zone_use_kasp(zone);
if (kasp != NULL) {
LOCK(&kasp->lock);
}
@ -19883,10 +19806,14 @@ zone_rekey(dns_zone_t *zone) {
isc_result_totext(result));
}
if (use_kasp && (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
if (kasp != NULL &&
(result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
result = dns_keymgr_run(&zone->origin, zone->rdclass, dir, mctx,
&keys, kasp, now, &nexttime);
if (result != ISC_R_SUCCESS) {
if (kasp != NULL) {
UNLOCK(&kasp->lock);
}
dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:dns_dnssec_keymgr failed: %s",
isc_result_totext(result));
@ -19899,12 +19826,17 @@ zone_rekey(dns_zone_t *zone) {
}
if (result == ISC_R_SUCCESS) {
bool cds_delete = false;
isc_stdtime_t when;
/*
* Publish CDS/CDNSKEY DELETE records if the zone is
* transitioning from secure to insecure.
*/
bool cds_delete = dns_zone_secure_to_insecure(zone, false);
isc_stdtime_t when;
if (kasp != NULL &&
strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
cds_delete = true;
}
/*
* Only update DNSKEY TTL if we have a policy.
@ -20164,7 +20096,7 @@ zone_rekey(dns_zone_t *zone) {
/*
* If keymgr provided a next time, use the calculated next rekey time.
*/
if (use_kasp) {
if (kasp != NULL) {
isc_time_t timenext;
uint32_t nexttime_seconds;

6
lib/isccfg/kaspconf.c
View file

@ -326,9 +326,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
}
}
INSIST(!(dns_kasp_keylist_empty(kasp)));
} else if (strcmp(kaspname, "none") == 0) {
/* "dnssec-policy none": key list must be empty */
INSIST(strcmp(kaspname, "none") == 0);
} else if (strcmp(kaspname, "insecure") == 0) {
/* "dnssec-policy insecure": key list must be empty */
INSIST(strcmp(kaspname, "insecure") == 0);
INSIST(dns_kasp_keylist_empty(kasp));
} else {
/* No keys clause configured, use the "default". */