From 2152d06c8e62c9e3b783120062f3793a419f86e4 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 29 Jun 2023 10:43:40 +0200
Subject: [PATCH 1/2] Don't add signing records for dyn update DNSKEY

We removed DNSSEC management via dynamic update (see issue #3686), this means we also should no longer add signing records (of private type) for DNSKEY records added via dynamic update.
---
 bin/tests/system/dnssec/tests.sh | 2 +-
 lib/ns/update.c | 145 -------------------------------
 2 files changed, 1 insertion(+), 146 deletions(-)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 01d7924b86..33f9a4c490 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2775,7 +2775,7 @@ echo send
 dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NSEC3 1 0 0 - .*" dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 7d2f570953..390c97e167 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
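Review bot: The replacement assertion on the `+grep "NSEC3 1 0 0 - .*"` line no longer exercises the behaviour this commit changes; it only confirms that some NSEC3 record with hash algorithm 1, flags 0, zero iterations and no salt comes back, and the trailing `.*` matches anything, so it adds nothing to the match. The property worth pinning is that no private-type record is added for a DNSKEY introduced via dynamic update, which the old pattern can express as a negative check, assuming no other TYPE65534 records are expected in that response: `grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null && ret=1`. The positive check can then be shortened to `grep "NSEC3 1 0 0 -" dig.out.ns4.test$n > /dev/null || ret=1`.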
@@ -2717,147 +2717,6 @@ failure:
 return (result);
 }
 
-/*
- * Add records to cause the delayed signing of the zone by added DNSKEY
- * to remove the RRSIG records generated by a deleted DNSKEY.
- */
-static isc_result_t
-add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
- dns_dbversion_t *ver, dns_diff_t *diff) {
- dns_difftuple_t *tuple, *newtuple = NULL, *next;
- dns_rdata_dnskey_t dnskey;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- bool flag;
- isc_region_t r;
- isc_result_t result = ISC_R_SUCCESS;
- uint16_t keyid;
- unsigned char buf[5];
- dns_name_t *name = dns_db_origin(db);
- dns_diff_t temp_diff;
-
- dns_diff_init(diff->mctx, &temp_diff);
-
- /*
- * Extract the DNSKEY tuples from the list.
- */
- for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
- next = ISC_LIST_NEXT(tuple, link);
-
- if (tuple->rdata.type != dns_rdatatype_dnskey) {
- continue;
- }
-
- ISC_LIST_UNLINK(diff->tuples, tuple, link);
- ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
- }
-
- /*
- * Extract TTL changes pairs, we don't need signing records for these.
- */
- for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
- tuple = next)
- {
- if (tuple->op == DNS_DIFFOP_ADD) {
- /*
- * Walk the temp_diff list looking for the
- * corresponding delete.
- */
- next = ISC_LIST_HEAD(temp_diff.tuples);
- while (next != NULL) {
- unsigned char *next_data = next->rdata.data;
- unsigned char *tuple_data = tuple->rdata.data;
- if (next->op == DNS_DIFFOP_DEL &&
- dns_name_equal(&tuple->name, &next->name) &&
- next->rdata.length == tuple->rdata.length &&
- !memcmp(next_data, tuple_data,
- next->rdata.length))
- {
- ISC_LIST_UNLINK(temp_diff.tuples, next,
- link);
- ISC_LIST_APPEND(diff->tuples, next,
- link);
- break;
- }
- next = ISC_LIST_NEXT(next, link);
- }
- /*
- * If we have not found a pair move onto the next
- * tuple.
- */
- if (next == NULL) {
- next = ISC_LIST_NEXT(tuple, link);
- continue;
- }
- /*
- * Find the next tuple to be processed before
- * unlinking then complete moving the pair to 'diff'.
- */
- next = ISC_LIST_NEXT(tuple, link);
- ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
- ISC_LIST_APPEND(diff->tuples, tuple, link);
- } else {
- next = ISC_LIST_NEXT(tuple, link);
- }
- }
-
- /*
- * Process the remaining DNSKEY entries.
- */
- for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
- tuple = ISC_LIST_HEAD(temp_diff.tuples))
- {
- ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
- ISC_LIST_APPEND(diff->tuples, tuple, link);
-
- result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
- DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
- {
- continue;
- }
-
- dns_rdata_toregion(&tuple->rdata, &r);
-
- keyid = dst_region_computeid(&r);
-
- buf[0] = dnskey.algorithm;
- buf[1] = (keyid & 0xff00) >> 8;
- buf[2] = (keyid & 0xff);
- buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
- buf[4] = 0;
- rdata.data = buf;
- rdata.length = sizeof(buf);
- rdata.type = privatetype;
- rdata.rdclass = tuple->rdata.rdclass;
-
- CHECK(rr_exists(db, ver, name, &rdata, &flag));
- if (flag) {
- continue;
- }
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
- &rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
- INSIST(newtuple == NULL);
- /*
- * Remove any record which says this operation has already
- * completed.
- */
- buf[4] = 1;
- CHECK(rr_exists(db, ver, name, &rdata, &flag));
- if (flag) {
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
- name, 0, &rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
- INSIST(newtuple == NULL);
- }
- }
-
-failure:
- dns_diff_clear(&temp_diff);
- return (result);
-}
-
 static bool
 isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
 isc_result_t result;
@@ -3484,10 +3343,6 @@ update_action(void *arg) {
 
 CHECK(rollback_private(db, privatetype, ver, &diff));
 
- if (is_signing) {
- CHECK(add_signing_records(db, privatetype, ver, &diff));
- }
-
 CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
 
 if (is_signing && had_dnskey && !has_dnskey) {
From 239c94bc08d45a97d6121b7e041f7356b0c5fe09 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 17 Jul 2023 10:08:11 +0200
Subject: [PATCH 2/2] Add CHANGES entry

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 007564df6c..3d04287fdc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6210. [func] Don't add signing records for DNSKEY added with dynamic
+ update. The dynamic update DNSSEC management feature was
+ removed with GL #3686. [GL !8070]
+
 6209. [func] Reduce query-response latency by making recursive queries (CNAME, DNAME, NSEC) asynchronous instead of directly calling the respective functions. [GL #4185]
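Review bot: With the `add_signing_records` call removed, nothing at this point in update_action says why DNSKEY changes arriving through dynamic update get no private-type bookkeeping, while the neighbouring `rollback_private` and `add_nsec3param_records` calls still take `privatetype`; a reader comparing this with the zone-side signing path will look for the missing step. A short comment where the removed block stood would carry the intent: `/* DNSKEY changes via dynamic update no longer schedule signing: DNSSEC management via UPDATE was removed (GL #3686). */`. The body of update_action continues outside the hunk in both directions; the visible `if (is_signing && had_dnskey && !has_dnskey)` line shows `is_signing` is still used, but whether any other state computed solely for the removed call has become dead cannot be told from the hunk.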