diff --git a/bin/named/server.c b/bin/named/server.c index 2842d36933..3aa2d89767 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8981,7 +8981,7 @@ load_configuration(const char *filename, named_server_t *server, dns_kasp_detach(&kasp); } /* - * Create the built-in kasp policies ("default", "none"). + * Create the built-in kasp policies ("default", "insecure"). */ kasp = NULL; CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx, @@ -8991,7 +8991,7 @@ load_configuration(const char *filename, named_server_t *server, dns_kasp_detach(&kasp); kasp = NULL; - CHECK(cfg_kasp_fromconfig(NULL, "none", named_g_mctx, named_g_lctx, + CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx, &kasplist, &kasp)); INSIST(kasp != NULL); dns_kasp_freeze(kasp); @@ -14486,7 +14486,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, CHECK(ISC_R_UNEXPECTEDEND); } - if (dns_zone_use_kasp(zone)) { + if (dns_zone_getkasp(zone) != NULL) { (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " "command instead"); (void)putnull(text); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 65e7c47459..65ebfffc65 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1228,15 +1228,23 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, result = named_config_get(maps, "dnssec-policy", &obj); if (result == ISC_R_SUCCESS) { kaspname = cfg_obj_asstring(obj); - result = dns_kasplist_find(kasplist, kaspname, &kasp); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR, - "'dnssec-policy '%s' not found ", - kaspname); - RETERR(result); + if (strcmp(kaspname, "none") != 0) { + result = dns_kasplist_find(kasplist, kaspname, + &kasp); + if (result != ISC_R_SUCCESS) { + cfg_obj_log( + obj, named_g_lctx, + ISC_LOG_ERROR, + "dnssec-policy '%s' not found ", + kaspname); + RETERR(result); + } + dns_zone_setkasp(zone, kasp); + use_kasp = true; } - dns_zone_setkasp(zone, kasp); - use_kasp = dns_zone_use_kasp(zone); + } + if (!use_kasp) { + dns_zone_setkasp(zone, NULL); } obj = NULL; @@ -1649,10 +1657,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = cfg_map_get(zoptions, "auto-dnssec", &obj); - if (kasp != NULL && strcmp(dns_kasp_getname(kasp), "none") != 0) - { + if (kasp != NULL) { + bool s2i = (strcmp(dns_kasp_getname(kasp), + "insecure") != 0); dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true); + dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i); dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true); } else if (result == ISC_R_SUCCESS) { const char *arg = cfg_obj_asstring(obj); @@ -1669,11 +1678,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow); dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false); dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint); - } else { - bool s2i = dns_zone_secure_to_insecure(zone, false); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, s2i); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, s2i); } } @@ -2192,13 +2196,6 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, dns_zone_log(zone, ISC_LOG_DEBUG(1), "inline-signing: " "implicitly through dnssec-policy"); - } else { - inline_signing = dns_zone_secure_to_insecure(zone, - true); - dns_zone_log( - zone, ISC_LOG_DEBUG(1), "inline-signing: %s", - inline_signing ? "transitioning to insecure" - : "no"); } } diff --git a/lib/bind9/check.c b/lib/bind9/check.c index b7b2350b57..3db2d97a46 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -2459,6 +2459,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, if (strcmp(kaspname, "default") == 0) { has_dnssecpolicy = true; + } else if (strcmp(kaspname, "insecure") == 0) { + has_dnssecpolicy = true; } else if (strcmp(kaspname, "none") == 0) { has_dnssecpolicy = false; } else { diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index ecaff82ed4..b4780c44c0 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -677,32 +677,6 @@ dns_zone_getkasp(dns_zone_t *zone); *\li 'zone' to be a valid zone. */ -bool -dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig); -/*%< - * Returns true if the zone is transitioning to insecure. - * Only can happen if a zone previously used a dnssec-policy, - * but changed the value to "none" (or removed the configuration - * option). If 'reconfig' is true, only check the key files, - * because the zone structure is not yet updated with the - * newest configuration. - * - * Require: - *\li 'zone' to be a valid zone. - */ - -bool -dns_zone_use_kasp(dns_zone_t *zone); -/*%< - * Check if zone needs to use kasp. - * True if there is a policy that is not "none", - * or if there are state files associated with the keys - * related to this zone. - * - * Require: - *\li 'zone' to be a valid zone. - */ - void dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp); /*%< diff --git a/lib/dns/update.c b/lib/dns/update.c index 1b923f692e..6b8b868b99 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1087,6 +1087,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, bool keyset_kskonly) { isc_result_t result; dns_dbnode_t *node = NULL; + dns_kasp_t *kasp = dns_zone_getkasp(zone); dns_rdataset_t rdataset; dns_rdata_t sig_rdata = DNS_RDATA_INIT; dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone); @@ -1097,7 +1098,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, bool use_kasp = false; isc_mem_t *mctx = diff->mctx; - if (dns_zone_use_kasp(zone)) { + if (kasp != NULL) { check_ksk = false; keyset_kskonly = true; use_kasp = true; diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 6560b26ba1..051a8f0963 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -1290,7 +1290,6 @@ dns_zone_rekey dns_zone_replacedb dns_zone_rpz_enable dns_zone_rpz_enable_db -dns_zone_secure_to_insecure dns_zone_set_parentcatz dns_zone_setadded dns_zone_setalsonotify @@ -1378,7 +1377,6 @@ dns_zone_setzeronosoattl dns_zone_signwithkey dns_zone_synckeyzone dns_zone_unload -dns_zone_use_kasp dns_zone_verifydb dns_zonekey_iszonekey dns_zonemgr_attach diff --git a/lib/dns/zone.c b/lib/dns/zone.c index a4d6b2fa0d..a24c0fa9ec 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -5693,82 +5693,6 @@ dns_zone_getkasp(dns_zone_t *zone) { return (zone->kasp); } -static bool -statefile_exist(dns_zone_t *zone) { - isc_result_t ret; - dns_dnsseckeylist_t keys; - dns_dnsseckey_t *key = NULL; - isc_stdtime_t now; - isc_time_t timenow; - bool found = false; - - TIME_NOW(&timenow); - now = isc_time_seconds(&timenow); - - ISC_LIST_INIT(keys); - - ret = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), - dns_zone_getkeydirectory(zone), now, - dns_zone_getmctx(zone), &keys); - if (ret == ISC_R_SUCCESS) { - for (key = ISC_LIST_HEAD(keys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { - if (dst_key_haskasp(key->key)) { - found = true; - break; - } - } - } - - /* Clean up keys */ - while (!ISC_LIST_EMPTY(keys)) { - key = ISC_LIST_HEAD(keys); - ISC_LIST_UNLINK(keys, key, link); - dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key); - } - - return (found); -} - -bool -dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig) { - REQUIRE(DNS_ZONE_VALID(zone)); - - /* - * If checking during reconfig, the zone is not yet updated - * with the new kasp configuration, so only check the key - * files. - */ - if (reconfig) { - return (statefile_exist(zone)); - } - - if (zone->kasp == NULL) { - return (false); - } - if (strcmp(dns_kasp_getname(zone->kasp), "none") != 0) { - return (false); - } - /* - * "dnssec-policy none", but if there are key state files - * this zone used to be secure but is transitioning back to - * insecure. - */ - return (statefile_exist(zone)); -} - -bool -dns_zone_use_kasp(dns_zone_t *zone) { - dns_kasp_t *kasp = dns_zone_getkasp(zone); - - if (kasp == NULL) { - return (false); - } else if (strcmp(dns_kasp_getname(kasp), "none") != 0) { - return (true); - } - return dns_zone_secure_to_insecure(zone, false); -} - void dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) { REQUIRE(DNS_ZONE_VALID(zone)); @@ -6728,7 +6652,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, unsigned int i, j; bool use_kasp = false; - if (dns_zone_use_kasp(zone)) { + if (dns_zone_getkasp(zone) != NULL) { check_ksk = false; keyset_kskonly = true; use_kasp = true; @@ -7246,7 +7170,7 @@ signed_with_good_key(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node, dns_rdata_reset(&rdata); } - if (dns_zone_use_kasp(zone)) { + if (dns_zone_getkasp(zone) != NULL) { dns_kasp_key_t *kkey; int zsk_count = 0; bool approved; @@ -7458,7 +7382,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, } else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK, inception, &when)) { /* Only applies to dnssec-policy. */ - if (dns_zone_use_kasp(zone)) { + if (dns_zone_getkasp(zone) != NULL) { goto next_rdataset; } } @@ -9197,7 +9121,7 @@ zone_sign(dns_zone_t *zone) { signing = ISC_LIST_HEAD(zone->signing); first = true; - if (dns_zone_use_kasp(zone)) { + if (dns_zone_getkasp(zone) != NULL) { check_ksk = false; keyset_kskonly = true; use_kasp = true; @@ -16513,7 +16437,7 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, * Allow DNSSEC records with dnssec-policy. * WMM: Perhaps add config option for it. */ - if (!dns_zone_use_kasp(zone)) { + if (dns_zone_getkasp(zone) == NULL) { dns_rdataset_disassociate(&rdataset); continue; } @@ -19796,7 +19720,7 @@ zone_rekey(dns_zone_t *zone) { dns__zonediff_t zonediff; bool commit = false, newactive = false; bool newalg = false; - bool fullsign, use_kasp; + bool fullsign; dns_ttl_t ttl = 3600; const char *dir = NULL; isc_mem_t *mctx = NULL; @@ -19870,7 +19794,6 @@ zone_rekey(dns_zone_t *zone) { fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN); kasp = dns_zone_getkasp(zone); - use_kasp = dns_zone_use_kasp(zone); if (kasp != NULL) { LOCK(&kasp->lock); } @@ -19883,10 +19806,14 @@ zone_rekey(dns_zone_t *zone) { isc_result_totext(result)); } - if (use_kasp && (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) { + if (kasp != NULL && + (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) { result = dns_keymgr_run(&zone->origin, zone->rdclass, dir, mctx, &keys, kasp, now, &nexttime); if (result != ISC_R_SUCCESS) { + if (kasp != NULL) { + UNLOCK(&kasp->lock); + } dnssec_log(zone, ISC_LOG_ERROR, "zone_rekey:dns_dnssec_keymgr failed: %s", isc_result_totext(result)); @@ -19899,12 +19826,17 @@ zone_rekey(dns_zone_t *zone) { } if (result == ISC_R_SUCCESS) { + bool cds_delete = false; + isc_stdtime_t when; + /* * Publish CDS/CDNSKEY DELETE records if the zone is * transitioning from secure to insecure. */ - bool cds_delete = dns_zone_secure_to_insecure(zone, false); - isc_stdtime_t when; + if (kasp != NULL && + strcmp(dns_kasp_getname(kasp), "insecure") == 0) { + cds_delete = true; + } /* * Only update DNSKEY TTL if we have a policy. @@ -20164,7 +20096,7 @@ zone_rekey(dns_zone_t *zone) { /* * If keymgr provided a next time, use the calculated next rekey time. */ - if (use_kasp) { + if (kasp != NULL) { isc_time_t timenext; uint32_t nexttime_seconds; diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 5b458473ca..8a119fb612 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -326,9 +326,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx, } } INSIST(!(dns_kasp_keylist_empty(kasp))); - } else if (strcmp(kaspname, "none") == 0) { - /* "dnssec-policy none": key list must be empty */ - INSIST(strcmp(kaspname, "none") == 0); + } else if (strcmp(kaspname, "insecure") == 0) { + /* "dnssec-policy insecure": key list must be empty */ + INSIST(strcmp(kaspname, "insecure") == 0); INSIST(dns_kasp_keylist_empty(kasp)); } else { /* No keys clause configured, use the "default". */