ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

add validator support for static DS-style trust anchors

Browse Source
This commit is contained in:
Evan Hunt
2019-09-18 10:03:19 -07:00
parent 4d3ed3f4ea
commit 8aaee26548
1 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
lib/dns/validator.c
View File

@@ -1883,6 +1883,8 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
* Attempts positive response validation of an RRset containing zone keys * Attempts positive response validation of an RRset containing zone keys
* (i.e. a DNSKEY rrset). * (i.e. a DNSKEY rrset).
* *
* Caller must be holding the validator lock.
*
* Returns: * Returns:
* \li ISC_R_SUCCESS Validation completed successfully * \li ISC_R_SUCCESS Validation completed successfully
* \li DNS_R_WAIT Validation has started but is waiting * \li DNS_R_WAIT Validation has started but is waiting
@@ -1894,14 +1896,31 @@ validate_dnskey(dns_validator_t *val) {
isc_result_t result; isc_result_t result;
dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_t keyrdata = DNS_RDATA_INIT; dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_keynode_t *keynode = NULL;
dns_rdata_ds_t ds; dns_rdata_ds_t ds;
bool supported_algorithm; bool supported_algorithm;
char digest_types[256]; char digest_types[256];
/* /*
* Caller must be holding the validator lock. * If we don't already have a DS RRset, check to see if there's
* a DS style trust anchor configured for this key.
*/ */
if (val->dsset == NULL) {
result = dns_keytable_find(val->keytable,
val->event->name, &keynode);
if (result == ISC_R_SUCCESS) {
val->dsset = dns_keynode_dsset(keynode);
if (val->dsset == NULL) {
dns_keytable_detachkeynode(val->keytable,
&keynode);
}
}
}
/*
* If that didn't work, see if there's a key-style trust anchor we
* can validate against. If not, look up the DS at the parent.
*/
if (val->dsset == NULL) { if (val->dsset == NULL) {
isc_result_t tresult = ISC_R_SUCCESS; isc_result_t tresult = ISC_R_SUCCESS;
@@ -1945,6 +1964,7 @@ validate_dnskey(dns_validator_t *val) {
INSIST(val->dsset != NULL); INSIST(val->dsset != NULL);
if (val->dsset->trust < dns_trust_secure) { if (val->dsset->trust < dns_trust_secure) {
INSIST(keynode == NULL);
return (markanswer(val, "validate_dnskey (2)", "insecure DS")); return (markanswer(val, "validate_dnskey (2)", "insecure DS"));
} }
@@ -2048,6 +2068,12 @@ validate_dnskey(dns_validator_t *val) {
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),
"no RRSIG matching DS key"); "no RRSIG matching DS key");
} }
if (keynode != NULL) {
val->dsset = NULL;
dns_keytable_detachkeynode(val->keytable, &keynode);
}
if (result == ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
marksecure(val->event); marksecure(val->event);
validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)"); validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");