1942. [bug] If the name of a DNSKEY matches that of one in

trusted-keys do not attempt to validate the DNSKEY
                        using the parent's DS RRset. [RT #15649]
Mark Andrews
2005-12-04 23:54:01 +00:00
parent 6e3b7da810
commit cf224bbf7b
5 changed files with 154 additions and 42 deletions


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.h,v 1.13 2005/04/29 00:22:59 marka Exp $ */
/* $Id: keytable.h,v 1.14 2005/12/04 23:54:01 marka Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
@@ -135,7 +135,8 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
dns_keynode_t **keynodep);
/*%<
* Search for a key named 'name', matching 'algorithm' and 'tag' in
* 'keytable'.
* 'keytable'. This finds the first instance which matches. Use
* dns_keytable_findnextkeynode() to find other instances.
*
* Requires:
*
@@ -148,6 +149,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
* Returns:
*
*\li ISC_R_SUCCESS
*\li DNS_R_PARTIALMATCH the name existed in the keytable.
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
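Review bot: The new DNS_R_PARTIALMATCH entry under Returns does not say what the caller gets in *keynodep on that path; in the keytable.c change of this commit the node is only stored on the ISC_R_SUCCESS branch (`*keynodep = knode;` sits inside the `if (knode != NULL)` arm), so on DNS_R_PARTIALMATCH *keynodep is left untouched and must not be used. The entry should also say what "the name existed" means relative to the two other arguments. Suggest `*\li DNS_R_PARTIALMATCH the name existed in the keytable but no key matched 'algorithm' and 'tag'; *keynodep is not set.`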
@@ -158,7 +160,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep);
/*%<
* Search for the next key with the same properties as 'keynode' in
* 'keytable'.
* 'keytable' as found by dns_keytable_findkeynode().
*
* Requires:
*


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keytable.c,v 1.31 2005/07/12 01:00:15 marka Exp $ */
/* $Id: keytable.c,v 1.32 2005/12/04 23:54:00 marka Exp $ */
/*! \file */
@@ -236,6 +236,13 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
/*
* Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
* as that indicates that 'name' was not found.
*
* DNS_R_PARTIALMATCH indicates that the name was found but we
* didn't get a match on algorithm and key id arguments.
*/
knode = NULL;
data = NULL;
result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
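Review bot: The new comment uses DNS_R_PARTIALMATCH in two different senses back to back, which is confusing on first read: the first sentence is about the DNS_R_PARTIALMATCH that dns_rbt_findname() returns and which the tail of the function (the `else if (result == DNS_R_PARTIALMATCH)` arm in the next hunk) folds into ISC_R_NOTFOUND, while the second sentence is about the DNS_R_PARTIALMATCH this function now returns itself when the name exists but no key matches 'algorithm' and 'tag'. Suggest making the distinction explicit, e.g. `* A DNS_R_PARTIALMATCH from dns_rbt_findname() means 'name' itself is not in the table and is reported as ISC_R_NOTFOUND; the DNS_R_PARTIALMATCH we return below means 'name' is present but no key matched 'algorithm' and 'tag'.` Since this widens the result set of a public function, any other caller that treats anything other than ISC_R_SUCCESS or ISC_R_NOTFOUND as an error will now see the new code; validator.c is adjusted in this commit, but the remaining callers are not visible here.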
@@ -253,7 +260,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
UNLOCK(&keytable->lock);
*keynodep = knode;
} else
result = ISC_R_NOTFOUND;
result = DNS_R_PARTIALMATCH;
} else if (result == DNS_R_PARTIALMATCH)
result = ISC_R_NOTFOUND;


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.137 2005/11/30 05:01:34 marka Exp $ */
/* $Id: validator.c,v 1.138 2005/12/04 23:54:00 marka Exp $ */
/*! \file */
@@ -1623,12 +1623,14 @@ validatezonekey(dns_validator_t *val) {
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
dns_keytag_t keytag;
dns_rdata_ds_t ds;
dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dst_key_t *dstkey;
isc_boolean_t supported_algorithm;
isc_boolean_t atsep = ISC_FALSE;
/*
* Caller must be holding the validator lock.
@@ -1659,6 +1661,9 @@ validatezonekey(dns_validator_t *val) {
sig.algorithm,
sig.keyid,
&keynode);
if (result == DNS_R_PARTIALMATCH ||
result == ISC_R_SUCCESS)
atsep = ISC_TRUE;
while (result == ISC_R_SUCCESS) {
dstkey = dns_keynode_key(keynode);
result = verify(val, dstkey, &sigrdata,
@@ -1697,6 +1702,22 @@ validatezonekey(dns_validator_t *val) {
return (DNS_R_NOVALIDDS);
}
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
* RRset. As this is a SEP we have to assume that
* the RRset is invalid.
*/
dns_name_format(val->event->name, namebuf,
sizeof(namebuf));
validator_log(val, ISC_LOG_DEBUG(2),
"unable to find a DNSKEY which verifies "
"the DNSKEY RRset and also matches one "
"of specified trusted-keys for '%s'",
namebuf);
return (DNS_R_NOVALIDKEY);
}
/*
* Otherwise, try to find the DS record.
*/
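Review bot: The comment at the top of the new `if (atsep)` block explains the refusal only as "this is a SEP", but what the flag actually records (set a few lines earlier when the keytable lookup returned ISC_R_SUCCESS or DNS_R_PARTIALMATCH) is that the DNSKEY owner name is configured in trusted-keys, and a reader who does not know RT #15649 will not see why the DS path that follows is deliberately skipped. Suggest `* The DNSKEY name is configured in trusted-keys (atsep), so a DNSKEY RRset that does not verify against one of those keys must not be rescued via the parent's DS RRset; treat the RRset as invalid.` Note that this also turns a stale trusted-keys entry after a key rollover into a hard DNS_R_NOVALIDKEY failure for the zone, and the only trace is a DEBUG(2) line; if validator.c logs other hard validation failures at a higher level, this one likely deserves the same so operators can tell a configuration problem from a forged key. validatezonekey's body starts and continues outside this hunk.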