From 6fa2a0691e1d701b361611069ab97471b8cd29bd Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 5 Dec 2017 09:25:09 +1100
Subject: [PATCH] 4838. [bug] zone.c:add_sigs was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true (default) leaving records unsigned with one or more DNSKEY algorithms. [RT #46754]
---
 CHANGES | 10 ++++++++-
 bin/tests/system/autosign/clean.sh | 1 +
 .../autosign/ns3/inaczsk2.example.db.in | 21 +++++++++++++++++++
 bin/tests/system/autosign/ns3/keygen.sh | 9 ++++++++
 bin/tests/system/autosign/ns3/named.conf | 7 +++++++
 bin/tests/system/autosign/tests.sh | 10 ++++++++-
 lib/dns/zone.c | 6 ++++++
 7 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 bin/tests/system/autosign/ns3/inaczsk2.example.db.in
diff --git a/CHANGES b/CHANGES
index 8989437953..3030ca8017 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,15 @@
+4838. [bug] zone.c:add_sigs was not properly determining
+ if there were active KSK and ZSK keys for
+ a algorithm when update-check-ksk is true
+ (default) leaving records unsigned with one or
+ more DNSKEY algorithms. [RT #46754]
+
 4837. [bug] dns_update_signatures{inc} (add_sigs) was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is
- true (default) leaving records unsigned. [RT #46743]
+ true (default) leaving records unsigned when there
+ were multiple DNSKEY algorithms for the zone.
+ [RT #46743]
 --- 9.12.0rc1 released ---
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index ac393db64d..e3f7e3e72e 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -28,6 +28,7 @@ rm -f ns2/private.secure.example.db ns2/bar.db
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
 rm -f ns3/*.nzf
 rm -f ns3/autonsec3.example.db
+rm -f ns3/inaczsk2.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
diff --git a/bin/tests/system/autosign/ns3/inaczsk2.example.db.in b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
new file mode 100644
index 0000000000..8a7f25cee8
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/inaczsk2.example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index b3ded65eb6..9add14916a 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -273,3 +273,12 @@ cp $infile $zonefile
 ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
 $KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+ #
+ # A zone that has a published inactive key that is autosigned.
+ #
+setup inaczsk2.example
+cp $infile $zonefile
+ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
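Review bot: The comment on the new inaczsk2.example block, `# A zone that has a published inactive key that is autosigned.`, does not say what kind of inactivity is meant: the ZSK is generated with `-P now -A now+3600`, i.e. published immediately and activated an hour later, so the case under test is a published-but-not-yet-active ZSK alongside an active KSK. A comment such as `# A zone with an active KSK and a ZSK that is published now but not active until now+3600; it must still be autosigned.` would make that explicit. Recording the window also documents that the scenario only holds while the test runs within that hour; after the ZSK activates the zone would be signed anyway and the check in tests.sh would no longer exercise the inactive-key path (inferred from the timing options, worth confirming).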
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
index b66093039f..cacb8a539e 100644
--- a/bin/tests/system/autosign/ns3/named.conf
+++ b/bin/tests/system/autosign/ns3/named.conf
@@ -249,4 +249,11 @@ zone "kskonly.example" {
 auto-dnssec maintain;
 };
+zone "inaczsk2.example" {
+ type master;
+ file "inaczsk2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index e30d06306b..152843d87c 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -72,7 +72,7 @@ do
 $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
 done
- for z in bar. example.
+ for z in bar. example. inaczsk2.example.
 do
 $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
 grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
@@ -1231,5 +1231,13 @@ if [ "$lret" != 0 ]; then ret=$lret; fi
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:check that zone with inactive zsk is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.out
+grep "SOA 7 2" dig.out.ns3.out > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 45c1754695..8c5eccea2c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6407,6 +6407,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 if (!dst_key_isprivate(keys[i]))
 continue;
+ if (dst_key_inactive(keys[i])) /* Should be redundant. */
+ continue;
 if (check_ksk && !REVOKE(keys[i])) {
 isc_boolean_t have_ksk, have_nonksk;
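Review bot: The new check in the second tests.sh hunk captures dig output in `dig.out.ns3.out`, while the rest of the file keys each capture by test number (`dig.out.ns3.test$n` in the first hunk), so the capture and grep should read `$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n` and `grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1`; otherwise the file is shared across tests and needs its own cleanup. The grep itself only establishes that the SOA carries an algorithm-7 RRSIG, whereas the commit message describes records being left unsigned; an additional grep for the RRSIG over one of the non-apex A records in inaczsk2.example (for example `a`) would pin the fix more tightly. Also, the `n=` increment sits after the grep here, so the number printed in the echo is the one before the increment; worth confirming this matches how the other checks in the file sequence it.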
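Review bot: The new `if (dst_key_inactive(keys[i])) /* Should be redundant. */` guard in add_sigs says it is redundant but not why, so a later reader cannot tell whether it may be removed or which earlier step it duplicates; the comment should name what is expected to have filtered inactive keys already, presumably the code that collects keys[] before add_sigs is called (not visible here, worth confirming), e.g. `/* Should be redundant: inactive keys are expected to be filtered out when keys[] is collected. */`. The same applies to the `/* SBR */` on the matching `dst_key_inactive(keys[j])` check in the next hunk, which at minimum should be spelled out as `/* Should be redundant. */` rather than left as an abbreviation; the two guards should carry the same wording so their shared rationale is obvious. add_sigs begins and ends outside both hunks.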
@@ -6420,6 +6422,10 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 for (j = 0; j < nkeys; j++) {
 if (j == i || ALG(keys[i]) != ALG(keys[j]))
 continue;
+ if (!dst_key_isprivate(keys[j]))
+ continue;
+ if (dst_key_inactive(keys[j])) /* SBR */
+ continue;
 if (REVOKE(keys[j]))
 continue;
 if (KSK(keys[j]))