From cf4e1143ea8a585fb2234ec8dbc88e4eebe9ed4b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 5 Dec 2005 00:00:03 +0000 Subject: [PATCH] 1942. [bug] If the name of a DNSKEY match that of one in trusted-keys do not attempt to validate the DNSKEY using the parents DS RRset. [RT #15649] --- CHANGES | 4 + doc/arm/Bv9ARM-book.xml | 150 +++++++++++++++++++++++++-------- lib/dns/include/dns/keytable.h | 8 +- lib/dns/keytable.c | 11 ++- lib/dns/validator.c | 23 ++++- 5 files changed, 154 insertions(+), 42 deletions(-) diff --git a/CHANGES b/CHANGES index cb760f4e3e..cd42e11d18 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +1942. [bug] If the name of a DNSKEY match that of one in + trusted-keys do not attempt to validate the DNSKEY + using the parents DS RRset. [RT #15649] + 1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 03dfbcc76b..a40180a0c4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
@@ -2410,19 +2410,95 @@ allow-update { key host1-host2. ;}; Configuring Servers - - Unlike BIND 8, - BIND 9 does not verify signatures on - load, - so zone keys for authoritative zones do not need to be specified - in the configuration file. + + To enable named to respond appropriately + to DNS requests from DNSSEC aware clients + dnssec-enable must be set to yes. - - The public key for any security root must be present in - the configuration file's trusted-keys - statement, as described later in this document. + + To enable named to validate answers from + other servers both dnssec-enable and + dnssec-validate must be set and some + some trusted-keys must be configured + into named.conf. + + + trusted-keys are copies of DNSKEY RRs + for zones that are used to form the first link the the + cryptographic chain of trust. All keys listed in + trusted-keys (and corresponding zones) + are deemed to exist and only the listed keys will be used + to validated the DNSKEY RRset that they are from. + + + + trusted-keys are described in more detail + later in this document. + + + + Unlike BIND 8, BIND + 9 does not verify signatures on load, so zone keys for + authoritative zones do not need to be specified in the + configuration file. + + + + After DNSSEC gets established, a typical DNSSEC configuration + will look something like the following. It has a one or + more public keys for the root. This allows answers from + outside the organization to be validated. It will also + have several keys for parts of the namespace the organization + controls. These are here to ensure that named is immune + to compromises in the DNSSEC components of the security + of parent zones. + + + +trusted-keys { + + /* Root Key */ +"." 
257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/ + E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3 + zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz + MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M + /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M + iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI + Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3"; + +/* Key for out organizations forward zone */ +example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe + 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb + OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC + lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt + 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b + iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn + SCThlHf3xiYleDbt/o1OTQ09A0="; + +/* Key for our reverse zone. */ +2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA + VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0 + tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0 + yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ + 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06 + zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL + 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD + 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib"; +}; + +options { + ... + dnssec-enable yes; + dnssec-validation yes; +}; + + + + None of the keys listed in this example are valid. In particular + the root key is not valid. + 
@@ -7577,34 +7653,36 @@ query-source-v6 address * port *; - - <command>trusted-keys</command> Statement Definition - and Usage - - The trusted-keys statement defines DNSSEC - security roots. DNSSEC is described in . A - security root is defined when the public key for a - non-authoritative - zone is known, but cannot be securely obtained through DNS, either - because it is the DNS root zone or because its parent zone is - unsigned. - Once a key has been configured as a trusted key, it is treated as - if it had been validated and proven secure. The resolver attempts - DNSSEC validation on all DNS data in subdomains of a security - root. + + <command>trusted-keys</command> Statement Definition + and Usage + + The trusted-keys statement defines + DNSSEC security roots. DNSSEC is described in . A security root is defined when the + public key for a non-authoritative zone is known, but + cannot be securely obtained through DNS, either because + it is the DNS root zone or because its parent zone is + unsigned. Once a key has been configured as a trusted + key, it is treated as if it had been validated and + proven secure. The resolver attempts DNSSEC validation + on all DNS data in subdomains of a security root. - All zones listed in trusted-keys are deemed - to exist regardless of what parent zones say. + All keys (and corresponding zones) listed in + trusted-keys are deemed to exist regardless + of what parent zones say. Similarly for all keys listed in + trusted-keys only those keys are + used to validate the DNSKEY RRset. The parents DS RRset + will not be used. - - The trusted-keys statement can - contain - multiple key entries, each consisting of the key's domain name, - flags, protocol, algorithm, and the Base-64 representation of the - key data. - - + + The trusted-keys statement can contain + multiple key entries, each consisting of the key's + domain name, flags, protocol, algorithm, and the Base-64 + representation of the key data. 
+ + <command>view</command> Statement Grammar
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index 6c6e449b29..b8bfcc148e 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: keytable.h,v 1.11.18.2 2005/04/29 00:16:14 marka Exp $ */
+/* $Id: keytable.h,v 1.11.18.3 2005/12/05 00:00:03 marka Exp $ */
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
@@ -135,7 +135,8 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 dns_keynode_t **keynodep);
 /*%<
 * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.
+ * 'keytable'. This finds the first instance which matches. Use
+ * dns_keytable_findnextkeynode() to find other instances.
 *
 * Requires:
 *
@@ -148,6 +149,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 * Returns:
 *
 *\li ISC_R_SUCCESS
+ *\li DNS_R_PARTIALMATCH the name existed in the keytable.
 *\li ISC_R_NOTFOUND
 *
 *\li Any other result indicates an error.
@@ -158,7 +160,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
 dns_keynode_t **nextnodep);
 /*%<
 * Search for the next key with the same properties as 'keynode' in
- * 'keytable'.
+ * 'keytable' as found by dns_keytable_findkeynode().
 *
 * Requires:
 *
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index 8b3cffa966..ec0f8e42b7 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: keytable.c,v 1.28.18.3 2005/07/12 01:22:20 marka Exp $ */
+/* $Id: keytable.c,v 1.28.18.4 2005/12/05 00:00:03 marka Exp $ */
 /*! \file */
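Review bot: The new `DNS_R_PARTIALMATCH` entry in the Returns list of dns_keytable_findkeynode() should also say what happens to the out-parameter, because the keytable.c change in this same patch returns it without writing `*keynodep`, and a caller that reads `*keynodep` on anything but ISC_R_SUCCESS would use an uninitialised pointer. Suggested wording: `*\li DNS_R_PARTIALMATCH the name existed in the keytable but no key matched 'algorithm' and 'tag'; *keynodep is not modified.` The note added to dns_keytable_findnextkeynode() should likewise state that it may only be used with a keynode obtained from an ISC_R_SUCCESS result, since a PARTIALMATCH result yields no keynode to continue from.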
@@ -236,6 +236,13 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+ /*
+ * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
+ * as that indicates that 'name' was not found.
+ *
+ * DNS_R_PARTIALMATCH indicates that the name was found but we
+ * didn't get a match on algorithm and key id arguments.
+ */
 knode = NULL;
 data = NULL;
 result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
@@ -253,7 +260,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 UNLOCK(&keytable->lock);
 *keynodep = knode;
 } else
- result = ISC_R_NOTFOUND;
+ result = DNS_R_PARTIALMATCH;
 } else if (result == DNS_R_PARTIALMATCH)
 result = ISC_R_NOTFOUND;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c5a3283b39..100f3fa463 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.119.18.18 2005/11/30 04:58:32 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.19 2005/12/05 00:00:03 marka Exp $ */
 /*! \file */
@@ -1623,12 +1623,14 @@ validatezonekey(dns_validator_t *val) {
 dns_rdata_t keyrdata = DNS_RDATA_INIT;
 dns_rdata_t sigrdata = DNS_RDATA_INIT;
 unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ char namebuf[DNS_NAME_FORMATSIZE];
 dns_keytag_t keytag;
 dns_rdata_ds_t ds;
 dns_rdata_dnskey_t key;
 dns_rdata_rrsig_t sig;
 dst_key_t *dstkey;
 isc_boolean_t supported_algorithm;
+ isc_boolean_t atsep = ISC_FALSE;
 /*
 * Caller must be holding the validator lock.
@@ -1659,6 +1661,9 @@ validatezonekey(dns_validator_t *val) {
 sig.algorithm, sig.keyid, &keynode);
+ if (result == DNS_R_PARTIALMATCH ||
+ result == ISC_R_SUCCESS)
+ atsep = ISC_TRUE;
 while (result == ISC_R_SUCCESS) {
 dstkey = dns_keynode_key(keynode);
 result = verify(val, dstkey, &sigrdata,
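Review bot: The `+ result = DNS_R_PARTIALMATCH;` line changes the return contract of dns_keytable_findkeynode() for every caller, yet only validator.c is adapted in this patch; any other caller that distinguishes ISC_R_NOTFOUND from "any other result indicates an error" (the wording in keytable.h) will now take its error path for a trusted-keys name whose algorithm or key tag does not match. Those callers are outside this diff, so this is inferred; a grep for dns_keytable_findkeynode before merging would settle it. The new branch also returns without touching `*keynodep`, so callers must not read it on DNS_R_PARTIALMATCH, and the added comment above would be clearer if it said so: `* In that case *keynodep is left unchanged.` The enclosing function begins before and ends after the hunk.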
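Review bot: `atsep` is derived only from the keytable lookup keyed by `sig.algorithm` and `sig.keyid`, so the trust-anchor decision depends on which RRSIGs the answer happens to carry; a DNSKEY RRset at a trusted-keys name whose RRSIG lookup never runs (no signatures, or the per-signature loop presumably enclosing this hunk being skipped) leaves `atsep` false and the function falls through to the parent DS lookup that this fix is meant to forbid. Whether such an RRset can reach validatezonekey() is decided outside the hunk, so this is inferred, but a name-only check of the keytable before the loop would make the decision depend on configuration rather than on attacker-controlled signature data. Note too that the DNS_R_PARTIALMATCH return relied on here exists only with the keytable.c change in this same patch, so the two hunks must not be back-ported separately. The enclosing function starts before and continues after the hunk.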
@@ -1697,6 +1702,22 @@ validatezonekey(dns_validator_t *val) {
 return (DNS_R_NOVALIDDS);
 }
+ if (atsep) {
+ /*
+ * We have not found a key to verify this DNSKEY
+ * RRset. As this is a SEP we have to assume that
+ * the RRset is invalid.
+ */
+ dns_name_format(val->event->name, namebuf,
+ sizeof(namebuf));
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "unable to find a DNSKEY which verifies "
+ "the DNSKEY RRset and also matches one "
+ "of specified trusted-keys for '%s'",
+ namebuf);
+ return (DNS_R_NOVALIDKEY);
+ }
+
 /*
 * Otherwise, try to find the DS record.
 */
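Review bot: The new failure path logs at `ISC_LOG_DEBUG(2)`, so when a configured trust anchor no longer matches the zone's DNSKEY RRset, whether because the anchor was rolled without updating named.conf or because the RRset is spoofed, the entire subtree fails validation with nothing in the default log; this is exactly the condition a trusted-keys operator must act on, so it deserves a visible level, e.g. `validator_log(val, ISC_LOG_WARNING,`, accepting that an attacker can make it noisy. The comment "As this is a SEP" is also misleading, since `atsep` means the name has a trusted-keys entry rather than that the SEP flag is set; suggest `* RRset with any of the trusted-keys configured for this name; because a trust anchor is configured here, the parent DS RRset must not be consulted, so the RRset is invalid.` The log text would read better as "one of the specified trusted-keys". The enclosing function begins before and continues after the hunk.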