Treat records below a DNAME as out-of-zone data

DNAME records indicate bottom of zone and thus no records below a DNAME should be DNSSEC-signed or included in NSEC(3) chains. Add a helper function, has_dname(), for detecting DNAME records at a given node. Prevent signing DNAME-obscured records. Check that DNAME-obscured records are not signed.
2018-06-13 12:19:54 +02:00
parent cf9fd889a6
commit 75c0d85fc4
5 changed files with 77 additions and 4 deletions
--- a/bin/tests/system/verify/tests.sh
+++ b/bin/tests/system/verify/tests.sh
@@ -58,7 +58,7 @@ do
 		expect1="signature has expired"
 		expect2="No self-signed .*DNSKEY found"
 		;;
-	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec)
+	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec)
 		expect1="unexpected NSEC RRset at"
 		;;
 	*.nsec.broken-chain)
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -42,6 +42,13 @@ $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
 $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

+setup ksk+zsk.nsec.apex-dname good
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cp unsigned.db ${file}.tmp
+echo "@ DNAME data" >> ${file}.tmp
+$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
+
 # A set of nsec3 zones.
 setup zsk-only.nsec3 good
 $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
@@ -56,11 +63,18 @@ $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
 $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

-setup ksk+zsk.outout good
+setup ksk+zsk.optout good
 $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
 $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

+setup ksk+zsk.nsec3.apex-dname good
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cp unsigned.db ${file}.tmp
+echo "@ DNAME data" >> ${file}.tmp
+$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
+
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
 key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
@@ -151,7 +165,7 @@ $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s
 echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
 $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n

-# extra NSEC record below bottom of one
+# extra NSEC record below bottom of zone
 setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
 zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
 ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
@@ -162,6 +176,15 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$
 # dnssec-signzone signs any node with a NSEC record.
 awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}

+# extra NSEC record below DNAME
+setup ksk+zsk.nsec.below-dname-nsec bad
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
+echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
+$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
+
 # missing NSEC3 record at empty node
 # extract the hash fields from the empty node's NSEC 3 record then fix up
 # the NSEC3 chain to remove it