Verify mirror zone AXFRs

Update axfr_commit() so that all incoming versions of a mirror zone transferred using AXFR are verified before being used. If zone verification fails, discard the received version of the zone, wait until the next refresh and retry.
2018-06-28 13:38:39 +02:00
parent eaf1c0f6eb
commit d86f1d00ad
10 changed files with 184 additions and 0 deletions
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -9,6 +9,15 @@
 * information regarding copyright ownership.
 */

+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 options {
 	query-source address 10.53.0.2;
 	notify-source 10.53.0.2;
@@ -19,3 +28,18 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 };
+
+zone "verify-axfr" {
+	type master;
+	file "verify-axfr.db.signed";
+};
+
+zone "verify-unsigned" {
+	type master;
+	file "verify.db.in";
+};
+
+zone "verify-untrusted" {
+	type master;
+	file "verify-untrusted.db.signed";
+};
--- a/bin/tests/system/mirror/ns2/sign.sh
+++ b/bin/tests/system/mirror/ns2/sign.sh
@@ -0,0 +1,48 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+keys_to_trust=""
+
+ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
+UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
+UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
+
+for variant in axfr untrusted; do
+	zone=verify-$variant
+	infile=verify.db.in
+	zonefile=verify-$variant.db
+
+	keyname1=`$KEYGEN -a RSASHA256 -f KSK $zone 2> /dev/null`
+	keyname2=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
+
+	cat $infile $keyname1.key $keyname2.key > $zonefile
+
+	# Prepare a properly signed version of the zone ("*.original.signed").
+	$SIGNER -P -o $zone $zonefile > /dev/null
+	cp $zonefile.signed $zonefile.original.signed
+	# Prepare a version of the zone with a bogus SOA RRSIG ("*.bad.signed").
+	sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_BAD}/;" $zonefile.signed > $zonefile.bad.signed
+	# Prepare another properly signed version of the zone ("*.good.signed").
+	sed "s/${ORIGINAL_SERIAL}/${UPDATED_SERIAL_GOOD}/;" $zonefile > $zonefile.good
+	$SIGNER -P -o $zone $zonefile.good > /dev/null
+	rm -f $zonefile.good
+
+	# Except for the "verify-untrusted" zone, declare the KSK used for
+	# signing the zone to be a trust anchor for ns3.
+	if [ "$variant" != "untrusted" ]; then
+		keys_to_trust="$keys_to_trust $keyname1"
+	fi
+done
+
+keyfile_to_trusted_keys $keys_to_trust > trusted-mirror.conf
--- a/bin/tests/system/mirror/ns2/verify.db.in
+++ b/bin/tests/system/mirror/ns2/verify.db.in
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns2 hostmaster 2000010100 3600 1200 604800 3600
+@		NS	ns2
+ns2		A	10.53.0.2