From b7cdc3583e3643c2177a62bd94ca598360a83fc3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 8 Apr 2021 10:49:28 +1000
Subject: [PATCH 1/3] Be more precise with the stopping conditions in zone_resigninc
If there happens to be a RRSIG(SOA) that is not at the zone apex for any reason it should not be considered as a stopping condition for incremental zone signing.
---
 lib/dns/zone.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 261c6242a7..031fa4827c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -7089,8 +7089,10 @@ zone_resigninc(dns_zone_t *zone) {
 * recent signature.
 */
 /* XXXMPA increase number of RRsets signed pre call */
- if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
- resign > stop) {
+ if ((covers == dns_rdatatype_soa &&
+ dns_name_equal(name, &zone->origin)) ||
+ i++ > zone->signatures || resign > stop)
+ {
 break;
 }
From 24bf4b946a864d0ac5a0bab6bfc49d89b58fba48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Fri, 23 Apr 2021 14:26:48 +0200
Subject: [PATCH 2/3] Test handling of non-apex RRSIG(SOA) RRsets
Add a check to the "dnssec" system test which ensures that RRSIG(SOA) RRsets present anywhere else than at the zone apex are automatically removed after a zone containing such RRsets is loaded.
---
 bin/tests/system/dnssec/ns7/sign.sh | 12 +++++++++++-
 bin/tests/system/dnssec/tests.sh | 8 ++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
index 1165d2ac39..296434413d 100644
--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
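Review bot: The new apex test on the first added `if` line deserves a comment, because nothing nearby explains why an RRSIG(SOA) found elsewhere in the zone must not end the pass, and a side effect of the rewrite is that such a non-apex signature now falls through to `i++ > zone->signatures` and is counted against the per-pass budget instead of stopping the loop. I would put above the condition: `/* Only the apex RRSIG(SOA) ends the pass; a stray non-apex RRSIG(SOA) is processed like any other RRset. */`. The check also assumes `name` holds the owner of the RRset currently taken from the heap; that assignment is outside the hunk, so it is worth confirming it cannot be stale from an earlier iteration. zone_resigninc begins and ends outside the hunk.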
@@ -25,8 +25,18 @@ k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
+# The awk script below achieves two goals:
+#
+# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
+# that these two records (forming a single RRset) are not placed immediately
+# next to each other; the test then checks if RRSIG RRsets split this way are
+# correctly added to resigning heaps,
+#
+# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
+# zone apex; the test then checks whether such signatures are automatically
+# removed from the zone after it is loaded.
 "$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
 awk 'BEGIN { r = ""; } $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; } { print }
- END { print r }' "$zonefile.unsplit" > "$zonefile.signed"
+ END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 25494e9184..0620562e25 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3244,6 +3244,14 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)"
+ret=0
+dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1
+grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
 ret=0
 alg=1
From 47a7b042e5bdadddeb5894edc468c4b472c77cb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Fri, 23 Apr 2021 14:26:48 +0200
Subject: [PATCH 3/3] Add CHANGES entry
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
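Review bot: The `END` block on the last added line emits the synthetic record unconditionally, so if no RRSIG(SOA) line matched (for instance because the signer failed, whose output the context line above sends to /dev/null) `r` is empty and the zone file ends with a bare `not-at-zone-apex.` line, and the zone then fails to load for a reason unrelated to what the test is checking. Guarding the output keeps the failure close to its cause: `END { if (r != "") { print r; print "not-at-zone-apex." r; } }'`. The prefix trick also relies on `$1` of the signer output being the fully qualified owner name, which `-O full` on the signer line does produce, but a one-line comment next to the awk call saying so would save the next reader the lookup.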
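Review bot: The added `grep -q "not-at-zone-apex.*RRSIG.*SOA" ... && ret=1` line only asserts absence, so a transfer that returns nothing usable passes vacuously; dig exits 0 on a REFUSED or SERVFAIL response, so the `|| ret=1` on the dig line does not catch that case. Pairing it with a positive assertion that the apex signature is present makes the pass meaningful, for example `grep -q "^split-rrsig\..*RRSIG.*SOA" dig.out.test$n || ret=1` placed before the negative grep. The zone name used there is inferred from the `dig_with_opts split-rrsig AXFR` line and should be checked against the ns7 configuration.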
diff --git a/CHANGES b/CHANGES
index 4afb91c41e..0561ee1770 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5627. [bug] RRSIG(SOA) RRsets placed anywhere else than at zone apex
+ were triggering infinite resigning loops. This has been
+ fixed. [GL #2650]
+
 5626. [bug] When generating new keys, check for keyid conflicts between new keys too. [GL #2628]