From ff65f077790228ff7c5d9de9d46fbd7f7efafbc6 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 11 Jul 2022 10:18:56 +0200 Subject: [PATCH 1/4] Fix kasp system test bugs Fix a comment, ensuring the right parameters are used (zone is parameter $3, not $2) and add view and policy parameters to the comment. Fix the view tests and test the correct view (example3 instead of example2). Fix placement of "n=$((n+1)" for two test cases. --- bin/tests/system/kasp.sh | 6 +++--- bin/tests/system/kasp/tests.sh | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index 785b69c770..f4058f6400 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh @@ -823,9 +823,9 @@ check_keys() { status=$((status+ret)) } -# Call rndc dnssec -status on server $1 for zone $2 and check output. -# This is a loose verification, it just tests if the right policy -# name is returned, and if all expected keys are listed. The rndc +# Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2 +# and check output. This is a loose verification, it just tests if the right +# policy name is returned, and if all expected keys are listed. The rndc # dnssec -status output also lists whether a key is published, # used for signing, is retired, or is removed, and if not when # it is scheduled to do so, and it shows the states for the various diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 6d63c5d70d..52007245bb 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
@@ -1911,12 +1911,12 @@ status=$((status+ret)) TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3" check_apex dnssec_verify n=$((n+1)) # check subdomain -echo_i "check TXT example.net (in-view example2) rrset is signed correctly ($n)" +echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" @@ -4671,6 +4671,7 @@ _check_soa_ttl() { test ${ttl2:-0} -eq $2 || return 1 } +n=$((n+1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" TSIG= ret=0 @@ -4684,8 +4685,8 @@ wait_for_log 3 "all zones loaded" ns6/named.run retry_quiet 10 _check_soa_ttl 300 300 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -n=$((n+1)) +n=$((n+1)) echo_i "Check that restart with zone changes and deleted journal works ($n)" TSIG= ret=0 @@ -4702,7 +4703,6 @@ wait_for_log 3 "all zones loaded" ns6/named.run retry_quiet 10 _check_soa_ttl 300 400 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -n=$((n+1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From efa8a4e88de7715e69badd10e3ba948a50935d16 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 11 Jul 2022 10:25:47 +0200 Subject: [PATCH 2/4] Test setting of inline-signing with dnssec-policy When dnssec-policy is used, and the zone is not dynamic, BIND will assume that the zone is inline-signed. Add test cases to verify this. --- bin/tests/system/kasp.sh | 22 ++++++++++++++++++++++ bin/tests/system/kasp/clean.sh | 2 +- bin/tests/system/kasp/ns4/named.conf.in | 4 ++++ bin/tests/system/kasp/tests.sh | 24 ++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 1 deletion(-) 
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index f4058f6400..03ff93c4c4 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh @@ -864,6 +864,28 @@ check_dnssecstatus() { status=$((status+ret)) } +# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if +# inline-signing is enabled. +check_inlinesigning() { + _server=$1 + _zone=$2 + _view=$3 + + _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 + grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 +} + +# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if +# the zone is dynamic. +check_isdynamic() { + _server=$1 + _zone=$2 + _view=$3 + + _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 + grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 +} + # Check if RRset of type $1 in file $2 is signed with the right keys. # The right keys are the ones that expect a signature and matches the role $3. _check_signatures() { diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index 174bed21e4..637e5e0ce7 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -29,7 +29,7 @@ rm -f ns*/zones ns*/*.db.infile rm -f ns*/*.zsk1 ns*/*.zsk2 rm -f ns3/legacy-keys.* rm -f *.created published.test* retired.test* -rm -f rndc.dnssec.*.out.* +rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.* rm -f python.out.* rm -f *-supported.file rm -f created.key-* unused.key-* diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in index c3f19a9396..568587e09b 100644 --- a/bin/tests/system/kasp/ns4/named.conf.in +++ b/bin/tests/system/kasp/ns4/named.conf.in 
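Review bot: check_inlinesigning and check_isdynamic can only assert the `yes` case, and they return 1 both when `_rndccmd` fails and when the field reads `no`; that is why the tests.sh callers in this series (hunks @@ -1880 and @@ -1897 on the next line, @@ -1914 after that) have to write the negative expectations as `check_isdynamic ... && log_error ...`, which also passes when rndc itself errors out, so a broken rndc channel would make those checks succeed. The two helpers are otherwise identical apart from the grep pattern, and the `_rndccmd` arguments are unquoted. A single helper that takes the expected output line as `$4` removes the duplication and lets a caller write `_check_zonestatus "$SERVER" "$ZONE" "example2" "dynamic: no" || log_error "zone dynamic, but not expected"`; the two existing names can remain as wrappers so current callers keep working.
```shell
# Call rndc zonestatus on server $1 for zone $2 in view $3 and check that the
# output contains the line $4 (e.g. "inline signing: yes" or "dynamic: no").
# Returns 1 when rndc fails or when the line is absent.
_check_zonestatus() {
	_server=$1
	_zone=$2
	_view=$3
	_expect=$4
	_out="rndc.zonestatus.out.$_zone.$_view.$n"

	_rndccmd "$_server" zonestatus "$_zone" in "$_view" > "$_out" || return 1
	grep "$_expect" "$_out" > /dev/null || return 1
}

# Check if inline-signing is enabled for zone $2 in view $3 on server $1.
check_inlinesigning() {
	_check_zonestatus "$1" "$2" "$3" "inline signing: yes"
}

# Check if zone $2 in view $3 on server $1 is dynamic.
check_isdynamic() {
	_check_zonestatus "$1" "$2" "$3" "dynamic: yes"
}
```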
@@ -145,9 +145,12 @@ view "none" { view "example1" { match-clients { key "keyforview1"; }; + allow-update { any; }; + zone "example.net" { type primary; file "example1.db"; + // Dynamic zone, inline-signing disabled, policy inerhited. }; }; @@ -157,6 +160,7 @@ view "example2" { zone "example.net" { type primary; file "example2.db"; + // Static zone, inline-signing, policy inherited. }; }; diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 52007245bb..9c6cea20c8 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -1880,8 +1880,16 @@ set_keytimes_csk_policy check_keytimes check_apex dnssec_verify +# check zonestatus n=$((n+1)) +echo_i "check $ZONE (view example1) zonestatus ($n)" +ret=0 +check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic" +check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # check subdomain +n=$((n+1)) echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" @@ -1897,8 +1905,16 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" check_apex dnssec_verify +# check zonestatus n=$((n+1)) +echo_i "check $ZONE (view example2) zonestatus ($n)" +ret=0 +check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected" +check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # check subdomain +n=$((n+1)) echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" 
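Review bot: The comment added to the "example1" zone misspells "inherited": `// Dynamic zone, inline-signing disabled, policy inerhited.` should read `// Dynamic zone, inline-signing disabled, policy inherited.`, in line with the comment added in the "example2" hunk. The `allow-update { any; };` just above it is what makes this zone dynamic for the test; since the view is selected by `match-clients { key "keyforview1"; };`, only clients presenting that key reach the zone in the first place, which is worth a word in the comment so `any` is not read as an unauthenticated update path, e.g. `// allow-update any: view is already restricted to keyforview1 clients.`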
@@ -1914,8 +1930,16 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3" check_apex dnssec_verify +# check zonestatus n=$((n+1)) +echo_i "check $ZONE (view example3) zonestatus ($n)" +ret=0 +check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected" +check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # check subdomain +n=$((n+1)) echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" From 576b21b1682605a7d04e51c8a7721180f828b2d7 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 11 Jul 2022 10:30:44 +0200 Subject: [PATCH 3/4] Inherit dnssec-policy in check for inline-signing When dnssec-policy is used, and the zone is not dynamic, BIND will assume that the zone is inline-signed. But the function responsible for this did not inherit the dnssec-policy option from the view or options level, and thus never enabled inline-signing, while the zone should have been. This is fixed by this commit. --- bin/named/zoneconf.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index f3a721daca..9bc94ee597 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -2132,6 +2132,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, const cfg_obj_t *updatepolicy = NULL; bool zone_is_dynamic = false; bool inline_signing = false; + bool dnssec_policy = false; (void)cfg_map_get(config, "options", &options); 
@@ -2183,16 +2184,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, * inline-signing. */ signing = NULL; - if (!inline_signing && !zone_is_dynamic && - cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS && - signing != NULL) - { - if (strcmp(cfg_obj_asstring(signing), "none") != 0) { - inline_signing = true; - dns_zone_log(zone, ISC_LOG_DEBUG(1), - "inline-signing: " - "implicitly through dnssec-policy"); - } + res = cfg_map_get(zoptions, "dnssec-policy", &signing); + if (res != ISC_R_SUCCESS && voptions != NULL) { + res = cfg_map_get(voptions, "dnssec-policy", &signing); + } + if (res != ISC_R_SUCCESS && options != NULL) { + res = cfg_map_get(options, "dnssec-policy", &signing); + } + if (res == ISC_R_SUCCESS) { + dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") != + 0); + } + + if (!inline_signing && !zone_is_dynamic && dnssec_policy) { + inline_signing = true; + dns_zone_log(zone, ISC_LOG_DEBUG(1), + "inline-signing: " + "implicitly through dnssec-policy"); } return (inline_signing); From 689215a6759383d2e67da3a1a7f39779e10f592a Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 11 Jul 2022 10:34:24 +0200 Subject: [PATCH 4/4] Add release note and change entry for #3438 Bug worth mentioning. --- CHANGES | 3 +++ doc/notes/notes-current.rst | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index d14ab756c5..9d936a7fe8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5923. [bug] Fix inheritance for dnssec-policy when checking for + inline-signing. [GL #3438] + 5922. [bug] Forwarding of UPDATE message could fail with the introduction of netmgr. This has been fixed. [GL #3389] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 489f3e2928..eecc87eb4c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
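Review bot: The new lookup chain starting at `res = cfg_map_get(zoptions, "dnssec-policy", &signing);` carries no comment, and the existing comment block ending in ` * inline-signing.` directly above still describes the old zone-level-only check; the chain deliberately stops at the first level that defines the option, so an explicit zone-level `none` still wins over a view or options policy, and that intent deserves a sentence such as `Look up dnssec-policy at zone, then view, then options level; the first definition wins, so an inherited policy also implies inline-signing.` `res` is reused from earlier in the function rather than declared here, so the comment should also note that the three `cfg_map_get` calls intentionally leave `res` at the last lookup's result. named_zone_inlinesigning starts and ends outside the hunk.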
@@ -42,3 +42,7 @@ Bug Fixes - A DNS compression would be applied on the root zone name if it is repeatedly used in the same RRSet. :gl:`#3423` + +- Non-dynamic zones that inherit dnssec-policy from the view or + options level were not marked as inline-signed, and thus were never + scheduled to be re-signed. This is now fixed. :gl:`#3438`