From 529fa790a90e2234abe726a135c0c1f5b66a8e65 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 9 Jan 2024 17:01:07 +1100
Subject: [PATCH] Fail if there are non apex DNSKEYs

DNSSEC only works when DNSKEYs are self signed. This only occurs when the DNSKEY RRset is at the apex. Cause dnssec-signzone to fail if it attempts to sign an non-apex DNSKEY RRset.

(cherry picked from commit b3efc15be429d940a98baa4715959071e2581502)
---
 bin/dnssec/dnssec-signzone.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d67ac3dd63..41f1fc1a47 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1168,7 +1168,7 @@ has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
  * Signs all records at a name.
  */
 static void
-signname(dns_dbnode_t *node, dns_name_t *name) {
+signname(dns_dbnode_t *node, bool apex, dns_name_t *name) {
 isc_result_t result;
 dns_rdataset_t rdataset;
 dns_rdatasetiter_t *rdsiter;
@@ -1219,6 +1219,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 dns_name_format(name, namebuf, sizeof(namebuf));
 fatal("'%s': found DS RRset without NS RRset\n", namebuf);
+ } else if (rdataset.type == dns_rdatatype_dnskey && !apex) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ fatal("'%s': Non-apex DNSKEY RRset\n", namebuf);
 }
 signset(&del, &add, node, name, &rdataset);
@@ -1579,7 +1583,7 @@ signapex(void) {
 check_result(result, "dns_dbiterator_seek()");
 result = dns_dbiterator_current(gdbiter, &node, name);
 check_dns_dbiterator_current(result);
- signname(node, name);
+ signname(node, true, name);
 dumpnode(name, node);
 cleannode(gdb, gversion, node);
 dns_db_detachnode(gdb, &node);
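Review bot: The new `apex` parameter on signname is undocumented; the comment above the definition still reads only "Signs all records at a name." Extend it with a line such as `* 'apex' is true only when 'node' is the zone apex; a DNSKEY RRset found at any other name is a fatal error.` The `bool` type presumably relies on an existing `<stdbool.h>` include in this file, since the diffstat shows no header change — worth confirming. signname's body continues outside this hunk.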
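Review bot: The new fatal message `'%s': Non-apex DNSKEY RRset` is styled differently from its sibling immediately above (`found DS RRset without NS RRset`), which is lowercase and states what was found; `fatal("'%s': found DNSKEY RRset at non-apex name\n", namebuf);` would read consistently in the signer's output. With this branch the function now carries three copies of the namebuf / dns_name_format / fatal sequence, so a small static helper taking the name and message would remove the repetition, though that can be a follow-up. Rejecting the zone here, before signset() runs for this name, is the right outcome: a DNSKEY RRset away from the apex can never be self-signed, so signing it would only produce records that cannot validate. signname's body continues outside this hunk.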
@@ -1753,7 +1757,7 @@ sign(isc_task_t *task, isc_event_t *event) {
 fname = sevent->fname;
 isc_event_free(&event);
- signname(node, dns_fixedname_name(fname));
+ signname(node, false, dns_fixedname_name(fname));
 wevent = (sevent_t *)isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE, writenode, NULL, sizeof(sevent_t));
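Review bot: Passing a hard-coded `false` here assumes the work item handed to sign() is never the apex node; if the queue that feeds it ever carried the apex, the new check in signname would abort on the zone's own DNSKEY RRset. That invariant is not visible in this hunk, so if it is not already enforced where the node is enqueued, derive the flag rather than hard-coding it, e.g. `bool apex = dns_name_equal(dns_fixedname_name(fname), <zone origin name>);` followed by `signname(node, apex, dns_fixedname_name(fname));`. A one-line comment stating why `false` is correct (`/* the apex is signed separately by signapex() */`) would also do if the invariant holds. sign()'s body starts and ends outside this hunk.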