ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Ignore max-zone-ttl on dnssec-policy insecure

Browse Source 
Allow larger TTL values in zones that go insecure. This is necessary
because otherwise the zone will not be loaded due to the max-zone-ttl
of P1D that is part of the current insecure policy.

In the keymgr.c code, default back to P1D if the max-zone-ttl is set
to zero.
This commit is contained in:
Matthijs Mekking
2023-07-26 11:50:57 +02:00
parent ce869a521c
commit dc6dafdad1
5 changed files with 30 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
bin/named/config.c
View File

@@ -308,6 +308,7 @@ dnssec-policy \"default\" {\n\
};\n\
\n\
dnssec-policy \"insecure\" {\n\
max-zone-ttl 0; \n\
keys { };\n\
inline-signing yes;\n\
};\n\

2
bin/named/zoneconf.c
View File

@@ -1502,7 +1502,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
}
if (use_kasp) {
maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false);
} else {
obj = NULL;
result = named_config_get(maps, "max-zone-ttl", &obj);

6
lib/dns/include/dns/kasp.h
View File

@@ -415,9 +415,11 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
*/
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp);
dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback);
/*%<
* Get maximum zone TTL.
* Get maximum zone TTL. If 'fallback' is true, return a default maximum TTL
* if the maximum zone TTL is set to unlimited (value 0). Fallback should be
* used if determining key rollover timings in keymgr.c
*
* Requires:
*

8
lib/dns/kasp.c
View File

@@ -29,6 +29,9 @@
#include <dst/dst.h>
/* Default TTLsig (maximum zone ttl) */
#define DEFAULT_TTLSIG 86400
isc_result_t
dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
dns_kasp_t *kasp;
@@ -264,10 +267,13 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
}
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
if (kasp->zone_max_ttl == 0 && fallback) {
return (DEFAULT_TTLSIG);
}
return (kasp->zone_max_ttl);
}

30
lib/dns/keymgr.c
View File

@@ -131,11 +131,11 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
if (ret == ISC_R_SUCCESS && zsk) {
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
/* ZSK: Iret = Dsgn + Dprp + TTLsig */
zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_retiresafety(kasp) +
dns_kasp_signdelay(kasp);
zsk_remove =
retire + ttlsig + dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_retiresafety(kasp) + dns_kasp_signdelay(kasp);
}
ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
if (ret == ISC_R_SUCCESS && ksk) {
@@ -178,7 +178,8 @@ keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
if (first) {
/* Also need to wait until the signatures are omnipresent. */
isc_stdtime_t zrrsig_present;
zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
zrrsig_present = published + ttlsig +
dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_publishsafety(kasp);
if (zrrsig_present > syncpublish) {
@@ -259,7 +260,9 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
* No predecessor, wait for zone to be
* completely signed.
*/
syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
true);
syncpub2 = pub + ttlsig +
dns_kasp_publishsafety(kasp) +
dns_kasp_zonepropagationdelay(kasp);
}
@@ -1239,6 +1242,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
isc_stdtime_t now, isc_stdtime_t *when) {
isc_result_t ret;
isc_stdtime_t lastchange, dstime, nexttime = now;
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
/*
* No need to wait if we move things into an uncertain state.
@@ -1311,7 +1315,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
*
* We will also add the retire-safety interval.
*/
nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
nexttime = lastchange + ttlsig +
dns_kasp_zonepropagationdelay(kasp) +
dns_kasp_retiresafety(kasp);
/*
@@ -1584,9 +1588,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
/* Get time metadata. */
ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
if (active <= now && ret == ISC_R_SUCCESS) {
dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
zone_ttl += dns_kasp_zonepropagationdelay(kasp);
if ((active + zone_ttl) <= now) {
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
ttlsig += dns_kasp_zonepropagationdelay(kasp);
if ((active + ttlsig) <= now) {
zrrsig_state = OMNIPRESENT;
} else {
zrrsig_state = RUMOURED;
@@ -1617,9 +1621,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
}
ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
if (retire <= now && ret == ISC_R_SUCCESS) {
dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
zone_ttl += dns_kasp_zonepropagationdelay(kasp);
if ((retire + zone_ttl) <= now) {
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
ttlsig += dns_kasp_zonepropagationdelay(kasp);
if ((retire + ttlsig) <= now) {
zrrsig_state = HIDDEN;
} else {
zrrsig_state = UNRETENTIVE;