upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-26 00:30:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

improve handling of trailing dots in dnssec-keymgr and dnssec-coverage

Browse source 
- mishandling of trailing dots caused bad behavior with the
  root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the
  wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
  system test
This commit is contained in:
Evan Hunt 2019-01-21 13:12:26 -08:00
parent 58e4d00c43
commit 1ccf4e6c16
7 changed files with 68 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -1,3 +1,6 @@
5143. [bug] dnssec-keymgr and dnssec-coverage failed to find
key files for zone names ending in ".". [GL #560]
5142. [cleanup] Removed "configure --disable-rpz-nsip" and
"--disable-rpz-nsdname" options. "nsip-enable"
and "nsdname-enable" both now default to yes,

5
bin/python/isc/coverage.py.in
View file

@ -188,6 +188,9 @@ def parse_args():
if args.filename and len(args.zone) > 1:
fatal("ERROR: -f can only be used with one zone.")
# strip trailing dots
args.zone = [x[:-1] for x in args.zone if len(x) > 1 and x[-1] == '.']
# convert from time arguments to seconds
try:
if args.maxttl:
@ -251,7 +254,7 @@ def main():
print("PHASE 1--Loading keys to check for internal timing problems")
try:
kd = keydict(path=args.path, zone=args.zone, keyttl=args.keyttl)
kd = keydict(path=args.path, zones=args.zone, keyttl=args.keyttl)
except Exception as e:
fatal('ERROR: Unable to build key dictionary: ' + str(e))

2
bin/python/isc/eventlist.py.in
View file

@ -73,7 +73,7 @@ class eventlist:
kok = self.checkzone(z, "KSK", until, output)
if not no_zsk and z in self._Z.keys():
found = True
kok = self.checkzone(z, "ZSK", until, output)
zok = self.checkzone(z, "ZSK", until, output)
if not found:
output("ERROR: No key events found")

9
bin/python/isc/keydict.py.in
View file

@ -49,15 +49,18 @@ class keydict:
self._keydict[key.name][key.alg][key.keyid] = key
def readone(self, path, zone):
match='K' + zone + '.+*.private'
if not zone.endswith('.'):
zone += '.'
match='K' + zone + '+*.private'
files = glob.glob(os.path.join(path, match))
found = False
for infile in files:
key = dnskey(infile, path, self._defttl)
if key.name != zone: # shouldn't ever happen
if key.fullname != zone: # shouldn't ever happen
continue
self._keydict[key.name][key.alg][key.keyid] = key
keyname=key.name if zone != '.' else '.'
self._keydict[keyname][key.alg][key.keyid] = key
found = True
return found

70
bin/tests/system/coverage/setup.sh
View file

@ -20,115 +20,115 @@ ln -s $CHECKZONE named-compilezone
dir=01-ksk-inactive
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 2: ZSK goes inactive before successor is active
dir=02-zsk-inactive
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 3: KSK is unpublished before its successor is published
dir=03-ksk-unpublished
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 4: ZSK is unpublished before its successor is published
dir=04-zsk-unpublished
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 5: KSK deleted and successor published before KSK is deactivated
# and successor activated.
dir=05-ksk-unpub-active
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 6: ZSK deleted and successor published before ZSK is deactivated
# and successor activated.
dir=06-zsk-unpub-active
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 7: KSK rolled with insufficient delay after prepublication.
dir=07-ksk-ttl
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
# allow only 1 day between publication and activation
$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 8: ZSK rolled with insufficient delay after prepublication.
dir=08-zsk-ttl
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
# allow only 1 day between publication and activation
$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 9: KSK goes inactive before successor is active, but checking ZSKs
dir=09-check-zsk
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
ksk2=`$KEYGEN -K $dir -S $ksk1`
ksk2=`$KEYGEN -q -K $dir -S $ksk1`
$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
# Test 10: ZSK goes inactive before successor is active, but checking KSKs
dir=10-check-ksk
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 11: ZSK goes inactive before successor is active, but after cutoff
dir=11-cutoff
rm -f $dir/K*.key
rm -f $dir/K*.private
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
zsk2=`$KEYGEN -K $dir -S $zsk1`
zsk2=`$KEYGEN -q -K $dir -S $zsk1`
$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
# Test 12: Too early KSK deletion
dir=12-ksk-deletion
ksk1=`$KEYGEN -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
ksk2=`$KEYGEN -K $dir -S $ksk1.key example.com`
ksk1=`$KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
ksk2=`$KEYGEN -q -K $dir -S $ksk1.key example.com`

6
bin/tests/system/keymgr/clean.sh
View file

@ -9,10 +9,8 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f */K*.key
rm -f */K*.private
rm -f Kexample.com.*.key
rm -f Kexample.com.*.private
rm -f K*.key */K*.key
rm -f K*.private */K*.private
rm -f coverage.* keymgr.* settime.*
rm -f ns*/managed-keys.bind*
rm -f policy.out

17
bin/tests/system/keymgr/tests.sh
View file

@ -104,6 +104,23 @@ for dir in [0-9][0-9]-*; do
status=`expr $status + $ret`
done
echo_i "checking domains ending in . ($n)"
ret=0
$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
[ "$nkeys" -eq 2 ] || ret=1
$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
[ "$nkeys" -eq 0 ] || ret=1
$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
[ "$nkeys" -eq 2 ] || ret=1
$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
[ "$nkeys" -eq 0 ] || ret=1
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking policy.conf parser ($n)"
ret=0
${PYTHON} testpolicy.py policy.sample > policy.out