Obsolete dnssec-dnskey-kskonly update-check-ksk
These two configuration options worked in conjunction with 'auto-dnssec' to determine KSK usage, and so are now obsolete. However, in the code we keep KSK processing so that when a zone is reconfigured from using 'dnssec-policy' immediately to 'none' (without going through 'insecure'), the zone is not immediately made bogus. Add one more test case for going straight to none, now with a dynamic zone (no inline-signing).
This commit is contained in:
parent
a8f71f67ac
commit
3e49223a67
20 changed files with 182 additions and 227 deletions
|
|
@ -359,15 +359,12 @@ Options
|
|||
.. option:: -x
|
||||
|
||||
This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys,
|
||||
and should omit signatures from zone-signing keys. (This is similar to the
|
||||
``dnssec-dnskey-kskonly yes;`` zone option in :iscman:`named`.)
|
||||
and should omit signatures from zone-signing keys.
|
||||
|
||||
.. option:: -z
|
||||
|
||||
This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
|
||||
KSK-flagged keys to sign all records, not just the DNSKEY RRset.
|
||||
(This is similar to the ``update-check-ksk no;`` zone option in
|
||||
:iscman:`named`.)
|
||||
|
||||
.. option:: -3 salt
|
||||
|
||||
|
|
|
|||
|
|
@ -215,7 +215,6 @@ options {\n\
|
|||
check-srv-cname warn;\n\
|
||||
check-wildcard yes;\n\
|
||||
dialup no;\n\
|
||||
dnssec-dnskey-kskonly yes;\n\
|
||||
dnssec-loadkeys-interval 60;\n\
|
||||
dnssec-update-mode maintain;\n\
|
||||
# forward <none>\n\
|
||||
|
|
@ -243,7 +242,6 @@ options {\n\
|
|||
transfer-source *;\n\
|
||||
transfer-source-v6 *;\n\
|
||||
try-tcp-refresh yes; /* BIND 8 compat */\n\
|
||||
update-check-ksk yes;\n\
|
||||
zero-no-soa-ttl yes;\n\
|
||||
zone-statistics terse;\n\
|
||||
};\n\
|
||||
|
|
|
|||
|
|
@ -1593,26 +1593,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
|
|||
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
||||
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
|
||||
|
||||
obj = NULL;
|
||||
result = named_config_get(maps, "update-check-ksk", &obj);
|
||||
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
||||
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
|
||||
cfg_obj_asboolean(obj));
|
||||
/*
|
||||
* This setting will be ignored if dnssec-policy is used.
|
||||
* named-checkconf will error if both are configured.
|
||||
*/
|
||||
|
||||
obj = NULL;
|
||||
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
|
||||
INSIST(result == ISC_R_SUCCESS && obj != NULL);
|
||||
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
|
||||
cfg_obj_asboolean(obj));
|
||||
/*
|
||||
* This setting will be ignored if dnssec-policy is used.
|
||||
* named-checkconf will error if both are configured.
|
||||
*/
|
||||
|
||||
obj = NULL;
|
||||
result = named_config_get(maps, "dnssec-loadkeys-interval",
|
||||
&obj);
|
||||
|
|
|
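Review bot: This hunk removes the only visible writers of DNS_ZONEOPT_UPDATECHECKKSK and DNS_ZONEOPT_DNSKEYKSKONLY; if those flag values are still defined in the zone header (not shown here) they are now dead and should be deleted, or commented as retired so the bit is not later reused with a different meaning. The grammar hunks in this commit keep both statements parseable as `// obsolete`, so a configuration that still says `update-check-ksk no;` loads without error but no longer widens what the KSK signs; confirm the parser's obsolete-clause diagnostic covers these two names so the change is visible at reload, and add it if it is not. named_zone_configure begins and ends outside the hunk.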
|||
|
|
@ -15,8 +15,6 @@ zone not-inline {
|
|||
type secondary;
|
||||
primaries { 127.0.0.1; };
|
||||
inline-signing no;
|
||||
dnssec-dnskey-kskonly yes;
|
||||
update-check-ksk yes;
|
||||
dnssec-loadkeys-interval 10;
|
||||
|
||||
};
|
||||
|
|
@ -25,7 +23,5 @@ zone inline {
|
|||
type secondary;
|
||||
primaries { 127.0.0.1; };
|
||||
inline-signing yes;
|
||||
dnssec-dnskey-kskonly yes;
|
||||
update-check-ksk yes;
|
||||
dnssec-loadkeys-interval 10;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -17,8 +17,6 @@ zone "nsec3.net" {
|
|||
type primary;
|
||||
file "nsec3.db";
|
||||
dnssec-policy "test";
|
||||
dnssec-dnskey-kskonly yes;
|
||||
dnssec-update-mode maintain;
|
||||
inline-signing no;
|
||||
update-check-ksk yes;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -218,15 +218,9 @@ status=$((status + ret))
|
|||
n=$((n + 1))
|
||||
echo_i "checking options allowed in inline-signing secondaries ($n)"
|
||||
ret=0
|
||||
$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1
|
||||
l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l)
|
||||
[ $l -eq 1 ] || ret=1
|
||||
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1
|
||||
l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l)
|
||||
[ $l -eq 1 ] || ret=1
|
||||
$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1
|
||||
l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l)
|
||||
[ $l -eq 1 ] || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
|
|
@ -490,9 +484,7 @@ echo_i "checking named-checkconf kasp errors ($n)"
|
|||
ret=0
|
||||
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
|
||||
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
|
||||
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
|
||||
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
|
||||
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
|
||||
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
|
|
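Review bot: After dropping the two `requires inline` checks at -218 and the two `cannot be configured if dnssec-policy is also set` greps at -490, this script no longer asserts anything about `dnssec-dnskey-kskonly` or `update-check-ksk`, although bad-dnssec.conf and kasp-and-other-dnssec-options.conf presumably still contain them. Keeping one grep per option for the parser's obsolete-option warning would catch a regression that silently drops the diagnostic, e.g. `grep "update-check-ksk.*obsolete" < checkconf.out$n.2 > /dev/null || ret=1` (the exact warning text is not visible in the diff, so match whatever the parser emits). The surviving invocation in the first hunk still writes `checkconf.out$n.2` with no `.1` left in that block; renaming it to `.1` keeps the numbering contiguous.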
|||
|
|
@ -69,6 +69,13 @@ zone "step1.going-straight-to-none.kasp" {
|
|||
dnssec-policy "default";
|
||||
};
|
||||
|
||||
zone "step1.going-straight-to-none-dynamic.kasp" {
|
||||
type primary;
|
||||
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
|
||||
dnssec-policy "default";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* These are alorithm rollover test zones. */
|
||||
zone "step1.algorithm-roll.kasp" {
|
||||
type primary;
|
||||
|
|
|
|||
|
|
@ -82,6 +82,13 @@ zone "step1.going-straight-to-none.kasp" {
|
|||
dnssec-policy "none";
|
||||
};
|
||||
|
||||
zone "step1.going-straight-to-none-dynamic.kasp" {
|
||||
type primary;
|
||||
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
|
||||
dnssec-policy "none";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/*
|
||||
* Zones for testing KSK/ZSK algorithm roll.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -83,6 +83,18 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
|||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||||
|
||||
# This zone is going straight to "none" policy. This is undefined behavior.
|
||||
setup step1.going-straight-to-none-dynamic.kasp
|
||||
echo "$zone" >> zones
|
||||
TactN="now"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||||
CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" > "$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||||
|
||||
#
|
||||
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
|
||||
# algorithm rollover.
|
||||
|
|
|
|||
|
|
@ -3897,6 +3897,44 @@ check_apex
|
|||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
#
|
||||
# Zone step1.going-straight-to-none-dynamic.kasp
|
||||
#
|
||||
set_zone "step1.going-straight-to-none-dynamic.kasp"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
||||
# This policy only has one key.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
|
||||
# The first key is immediately published and activated.
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_keytime "KEY1" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
|
||||
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
||||
check_keytimes
|
||||
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
|
||||
# changes).
|
||||
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
|
||||
|
|
@ -4143,6 +4181,37 @@ check_keys
|
|||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
dnssec_verify
|
||||
|
||||
#
|
||||
# Zone: step1.going-straight-to-none-dynamic.kasp
|
||||
#
|
||||
set_zone "step1.going-straight-to-none-dynamic.kasp"
|
||||
set_policy "none" "1" "3600"
|
||||
set_server "ns6" "10.53.0.6"
|
||||
|
||||
# The zone will go bogus after signatures expire, but remains validly signed for now.
|
||||
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
||||
# This policy only has one key.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
dnssec_verify
|
||||
|
||||
#
|
||||
# Testing KSK/ZSK algorithm rollover.
|
||||
#
|
||||
|
|
|
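Review bot: The new `step1.going-straight-to-none-dynamic.kasp` blocks in both hunks run only `check_keys`, `check_dnssecstatus` and `dnssec_verify`, the same checks as the existing non-dynamic zone, so the property that distinguishes this zone — `allow-update { any; };` in its named.conf, which drives the lib/dns/update.c re-signing path this commit changes — is never exercised. Consider sending one dynamic update to the zone after the reconfig to policy `none` (for example with nsupdate) and running `dnssec_verify` again, so a regression in add_sigs() on that path would show up here rather than only in static signing. The comment `# The zone will go bogus after signatures expire, but remains validly signed for now.` could also say that this is the expected outcome of policy `none`, not a condition the test tolerates.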
|||
|
|
@ -2708,40 +2708,14 @@ Boolean Options
|
|||
The default is ``no``.
|
||||
|
||||
.. namedconf:statement:: update-check-ksk
|
||||
:tags: zone, dnssec
|
||||
:short: Specifies whether to check the KSK bit to determine how a key should be used, when generating RRSIGs for a secure zone.
|
||||
:tags: obsolete
|
||||
|
||||
When set to the default value of ``yes``, check the KSK bit in each
|
||||
key to determine how the key should be used when generating RRSIGs
|
||||
for a secure zone.
|
||||
|
||||
Ordinarily, zone-signing keys (that is, keys without the KSK bit set)
|
||||
are used to sign the entire zone, while key-signing keys (keys with
|
||||
the KSK bit set) are only used to sign the DNSKEY RRset at the zone
|
||||
apex. However, if this option is set to ``no``, then the KSK bit is
|
||||
ignored; KSKs are treated as if they were ZSKs and are used to sign
|
||||
the entire zone. This is similar to the :option:`dnssec-signzone -z`
|
||||
command-line option.
|
||||
|
||||
When this option is set to ``yes``, there must be at least two active
|
||||
keys for every algorithm represented in the DNSKEY RRset: at least
|
||||
one KSK and one ZSK per algorithm. If there is any algorithm for
|
||||
which this requirement is not met, this option is ignored for
|
||||
that algorithm.
|
||||
This option no longer has any effect.
|
||||
|
||||
.. namedconf:statement:: dnssec-dnskey-kskonly
|
||||
:tags: dnssec
|
||||
:short: Specifies that only key-signing keys are used to sign the DNSKEY, CDNSKEY, and CDS RRsets at a zone's apex.
|
||||
:tags: obsolete
|
||||
|
||||
When this option and :any:`update-check-ksk` are both set to ``yes``,
|
||||
only key-signing keys (that is, keys with the KSK bit set) are
|
||||
used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
|
||||
Zone-signing keys (keys without the KSK bit set) are used to sign
|
||||
the remainder of the zone, but not the DNSKEY RRset. This is similar
|
||||
to the :option:`dnssec-signzone -x` command-line option.
|
||||
|
||||
The default is ``yes``. If :any:`update-check-ksk` is set to ``no``, this
|
||||
option is ignored.
|
||||
This option no longer has any effect.
|
||||
|
||||
.. namedconf:statement:: try-tcp-refresh
|
||||
:tags: transfer
|
||||
|
|
|
|||
|
|
@ -115,7 +115,7 @@ options {
|
|||
dnsrps-library <quoted_string>; // not configured
|
||||
dnsrps-options { <unspecified-text> }; // not configured
|
||||
dnssec-accept-expired <boolean>;
|
||||
dnssec-dnskey-kskonly <boolean>;
|
||||
dnssec-dnskey-kskonly <boolean>; // obsolete
|
||||
dnssec-loadkeys-interval <integer>;
|
||||
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
|
||||
dnssec-policy <string>;
|
||||
|
|
@ -298,7 +298,7 @@ options {
|
|||
try-tcp-refresh <boolean>;
|
||||
udp-receive-buffer <integer>;
|
||||
udp-send-buffer <integer>;
|
||||
update-check-ksk <boolean>;
|
||||
update-check-ksk <boolean>; // obsolete
|
||||
update-quota <integer>;
|
||||
use-v4-udp-ports { <portrange>; ... }; // deprecated
|
||||
use-v6-udp-ports { <portrange>; ... }; // deprecated
|
||||
|
|
@ -413,7 +413,7 @@ view <string> [ <class> ] {
|
|||
dnsrps-enable <boolean>; // not configured
|
||||
dnsrps-options { <unspecified-text> }; // not configured
|
||||
dnssec-accept-expired <boolean>;
|
||||
dnssec-dnskey-kskonly <boolean>;
|
||||
dnssec-dnskey-kskonly <boolean>; // obsolete
|
||||
dnssec-loadkeys-interval <integer>;
|
||||
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
|
||||
dnssec-policy <string>;
|
||||
|
|
@ -571,7 +571,7 @@ view <string> [ <class> ] {
|
|||
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
|
||||
trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
update-check-ksk <boolean>; // obsolete
|
||||
v6-bias <integer>;
|
||||
validate-except { <string>; ... };
|
||||
zero-no-soa-ttl <boolean>;
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ zone <string> [ <class> ] {
|
|||
dialup ( notify | notify-passive | passive | refresh | <boolean> );
|
||||
dlz <string>;
|
||||
dnskey-sig-validity <integer>; // obsolete
|
||||
dnssec-dnskey-kskonly <boolean>;
|
||||
dnssec-dnskey-kskonly <boolean>; // obsolete
|
||||
dnssec-loadkeys-interval <integer>;
|
||||
dnssec-policy <string>;
|
||||
dnssec-secure-to-insecure <boolean>; // obsolete
|
||||
|
|
@ -54,7 +54,7 @@ zone <string> [ <class> ] {
|
|||
sig-signing-signatures <integer>;
|
||||
sig-signing-type <integer>;
|
||||
sig-validity-interval <integer> [ <integer> ]; // obsolete
|
||||
update-check-ksk <boolean>;
|
||||
update-check-ksk <boolean>; // obsolete
|
||||
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
|
||||
zero-no-soa-ttl <boolean>;
|
||||
zone-statistics ( full | terse | none | <boolean> );
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ zone <string> [ <class> ] {
|
|||
dialup ( notify | notify-passive | passive | refresh | <boolean> );
|
||||
dlz <string>;
|
||||
dnskey-sig-validity <integer>; // obsolete
|
||||
dnssec-dnskey-kskonly <boolean>;
|
||||
dnssec-dnskey-kskonly <boolean>; // obsolete
|
||||
dnssec-loadkeys-interval <integer>;
|
||||
dnssec-policy <string>;
|
||||
dnssec-update-mode ( maintain | no-resign );
|
||||
|
|
@ -56,7 +56,7 @@ zone <string> [ <class> ] {
|
|||
transfer-source ( <ipv4_address> | * );
|
||||
transfer-source-v6 ( <ipv6_address> | * );
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
update-check-ksk <boolean>; // obsolete
|
||||
zero-no-soa-ttl <boolean>;
|
||||
zone-statistics ( full | terse | none | <boolean> );
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1108,8 +1108,7 @@ static isc_result_t
|
|||
add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
||||
dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
|
||||
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
|
||||
isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
|
||||
bool keyset_kskonly) {
|
||||
isc_stdtime_t inception, isc_stdtime_t expire) {
|
||||
isc_result_t result;
|
||||
dns_dbnode_t *node = NULL;
|
||||
dns_kasp_t *kasp = dns_zone_getkasp(zone);
|
||||
|
|
@ -1124,8 +1123,6 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
|||
isc_mem_t *mctx = diff->mctx;
|
||||
|
||||
if (kasp != NULL) {
|
||||
check_ksk = false;
|
||||
keyset_kskonly = true;
|
||||
use_kasp = true;
|
||||
}
|
||||
|
||||
|
|
@ -1163,7 +1160,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
|||
continue;
|
||||
}
|
||||
|
||||
if (check_ksk && !REVOKE(keys[i])) {
|
||||
if (!REVOKE(keys[i])) {
|
||||
/*
|
||||
* Don't consider inactive keys, however the KSK may be
|
||||
* temporary offline, so do consider KSKs which private
|
||||
|
|
@ -1232,7 +1229,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
|||
* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
|
||||
*/
|
||||
if (dns_rdatatype_iskeymaterial(type)) {
|
||||
if (!KSK(keys[i]) && keyset_kskonly) {
|
||||
if (!KSK(keys[i])) {
|
||||
continue;
|
||||
}
|
||||
} else if (KSK(keys[i])) {
|
||||
|
|
@ -1367,8 +1364,8 @@ static isc_result_t
|
|||
add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
||||
dns_dbversion_t *ver, dns_name_t *name, bool cut,
|
||||
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
|
||||
isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
|
||||
bool keyset_kskonly, unsigned int *sigs) {
|
||||
isc_stdtime_t inception, isc_stdtime_t expire,
|
||||
unsigned int *sigs) {
|
||||
isc_result_t result;
|
||||
dns_dbnode_t *node;
|
||||
dns_rdatasetiter_t *iter;
|
||||
|
|
@ -1418,8 +1415,7 @@ add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
|||
continue;
|
||||
}
|
||||
result = add_sigs(log, zone, db, ver, name, type, diff, keys,
|
||||
nkeys, inception, expire, check_ksk,
|
||||
keyset_kskonly);
|
||||
nkeys, inception, expire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup_iterator;
|
||||
}
|
||||
|
|
@ -1469,7 +1465,7 @@ struct dns_update_state {
|
|||
unsigned int nkeys;
|
||||
isc_stdtime_t inception, expire, soaexpire, keyexpire;
|
||||
dns_ttl_t nsecttl;
|
||||
bool check_ksk, keyset_kskonly, build_nsec3;
|
||||
bool build_nsec3;
|
||||
enum {
|
||||
sign_updates,
|
||||
remove_orphaned,
|
||||
|
|
@ -1565,17 +1561,6 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
|
|||
state->keyexpire += now;
|
||||
}
|
||||
|
||||
/*
|
||||
* Do we look at the KSK flag on the DNSKEY to determining which
|
||||
* keys sign which RRsets? First check the zone option then
|
||||
* check the keys flags to make sure at least one has a ksk set
|
||||
* and one doesn't.
|
||||
*/
|
||||
state->check_ksk = ((dns_zone_getoptions(zone) &
|
||||
DNS_ZONEOPT_UPDATECHECKKSK) != 0);
|
||||
state->keyset_kskonly = ((dns_zone_getoptions(zone) &
|
||||
DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
|
||||
|
||||
/*
|
||||
* Calculate the NSEC/NSEC3 TTL as a minimum of the SOA TTL and
|
||||
* MINIMUM field.
|
||||
|
|
@ -1675,9 +1660,7 @@ next_state:
|
|||
log, zone, db, newver, name,
|
||||
type, &state->sig_diff,
|
||||
state->zone_keys, state->nkeys,
|
||||
state->inception, exp,
|
||||
state->check_ksk,
|
||||
state->keyset_kskonly));
|
||||
state->inception, exp));
|
||||
sigs++;
|
||||
}
|
||||
skip:
|
||||
|
|
@ -1879,8 +1862,7 @@ next_state:
|
|||
log, zone, db, newver, name, cut,
|
||||
&state->sig_diff, state->zone_keys,
|
||||
state->nkeys, state->inception,
|
||||
state->expire, state->check_ksk,
|
||||
state->keyset_kskonly, &sigs));
|
||||
state->expire, &sigs));
|
||||
}
|
||||
unlink:
|
||||
ISC_LIST_UNLINK(state->affected.tuples, t, link);
|
||||
|
|
@ -1952,13 +1934,11 @@ next_state:
|
|||
dns_rdatatype_nsec, NULL,
|
||||
&state->sig_diff));
|
||||
} else if (t->op == DNS_DIFFOP_ADD) {
|
||||
CHECK(add_sigs(log, zone, db, newver, &t->name,
|
||||
dns_rdatatype_nsec,
|
||||
&state->sig_diff,
|
||||
state->zone_keys, state->nkeys,
|
||||
state->inception, state->expire,
|
||||
state->check_ksk,
|
||||
state->keyset_kskonly));
|
||||
CHECK(add_sigs(
|
||||
log, zone, db, newver, &t->name,
|
||||
dns_rdatatype_nsec, &state->sig_diff,
|
||||
state->zone_keys, state->nkeys,
|
||||
state->inception, state->expire));
|
||||
sigs++;
|
||||
} else {
|
||||
UNREACHABLE();
|
||||
|
|
@ -2086,8 +2066,7 @@ next_state:
|
|||
log, zone, db, newver, name, cut,
|
||||
&state->sig_diff, state->zone_keys,
|
||||
state->nkeys, state->inception,
|
||||
state->expire, state->check_ksk,
|
||||
state->keyset_kskonly, &sigs));
|
||||
state->expire, &sigs));
|
||||
CHECK(dns_nsec3_addnsec3sx(
|
||||
db, newver, name, state->nsecttl,
|
||||
unsecure, privatetype,
|
||||
|
|
@ -2127,13 +2106,11 @@ next_state:
|
|||
dns_rdatatype_nsec3, NULL,
|
||||
&state->sig_diff));
|
||||
} else if (t->op == DNS_DIFFOP_ADD) {
|
||||
CHECK(add_sigs(log, zone, db, newver, &t->name,
|
||||
dns_rdatatype_nsec3,
|
||||
&state->sig_diff,
|
||||
state->zone_keys, state->nkeys,
|
||||
state->inception, state->expire,
|
||||
state->check_ksk,
|
||||
state->keyset_kskonly));
|
||||
CHECK(add_sigs(
|
||||
log, zone, db, newver, &t->name,
|
||||
dns_rdatatype_nsec3, &state->sig_diff,
|
||||
state->zone_keys, state->nkeys,
|
||||
state->inception, state->expire));
|
||||
sigs++;
|
||||
} else {
|
||||
UNREACHABLE();
|
||||
|
|
|
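Review bot: With `check_ksk` and `keyset_kskonly` gone, `if (kasp != NULL) { use_kasp = true; }` in add_sigs (hunk at -1124) is a three-line block that only mirrors a null test; `use_kasp = (kasp != NULL);` at the declaration (presumably just above the hunk) says the same thing, and the identical block in lib/dns/zone.c add_sigs (hunk at -6558) could get the same treatment. The new `if (!REVOKE(keys[i])) {` at -1163 now applies key-role processing unconditionally, but the comment removed from dns_update_signaturesinc was the only place that explained the KSK/ZSK split; a one-line note at that `if`, `/* Role processing is unconditional now that update-check-ksk is obsolete. */`, would preserve that for the next reader. Both add_sigs and dns_update_signaturesinc begin and end outside the hunks shown.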
|||
115
lib/dns/zone.c
115
lib/dns/zone.c
|
|
@ -6546,7 +6546,7 @@ static isc_result_t
|
|||
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
|
||||
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
|
||||
unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
|
||||
isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) {
|
||||
isc_stdtime_t expire) {
|
||||
isc_result_t result;
|
||||
dns_dbnode_t *node = NULL;
|
||||
dns_stats_t *dnssecsignstats;
|
||||
|
|
@ -6558,8 +6558,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
|
|||
bool use_kasp = false;
|
||||
|
||||
if (zone->kasp != NULL) {
|
||||
check_ksk = false;
|
||||
keyset_kskonly = true;
|
||||
use_kasp = true;
|
||||
}
|
||||
|
||||
|
|
@ -6598,7 +6596,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
|
|||
continue;
|
||||
}
|
||||
|
||||
if (check_ksk && !REVOKE(keys[i])) {
|
||||
if (!REVOKE(keys[i])) {
|
||||
/*
|
||||
* Don't consider inactive keys, however the KSK may be
|
||||
* temporary offline, so do consider keys which private
|
||||
|
|
@ -6680,7 +6678,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
|
|||
* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
|
||||
*/
|
||||
if (dns_rdatatype_iskeymaterial(type)) {
|
||||
if (!KSK(keys[i]) && keyset_kskonly) {
|
||||
if (!KSK(keys[i])) {
|
||||
continue;
|
||||
}
|
||||
} else if (KSK(keys[i])) {
|
||||
|
|
@ -6739,7 +6737,6 @@ zone_resigninc(dns_zone_t *zone) {
|
|||
dns_rdataset_t rdataset;
|
||||
dns_rdatatype_t covers;
|
||||
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
|
||||
bool check_ksk, keyset_kskonly = false;
|
||||
isc_result_t result;
|
||||
isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop;
|
||||
uint32_t sigvalidityinterval, expiryinterval;
|
||||
|
|
@ -6827,9 +6824,6 @@ zone_resigninc(dns_zone_t *zone) {
|
|||
}
|
||||
stop = now + 5;
|
||||
|
||||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
|
||||
|
||||
name = dns_fixedname_initname(&fixed);
|
||||
result = dns_db_getsigningtime(db, &rdataset, name);
|
||||
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
|
||||
|
|
@ -6876,8 +6870,7 @@ zone_resigninc(dns_zone_t *zone) {
|
|||
result = add_sigs(db, version, name, zone, covers,
|
||||
zonediff.diff, zone_keys, nkeys, zone->mctx,
|
||||
inception,
|
||||
resign > (now - 300) ? expire : fullexpire,
|
||||
check_ksk, keyset_kskonly);
|
||||
resign > (now - 300) ? expire : fullexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"zone_resigninc:add_sigs -> %s",
|
||||
|
|
@ -6939,7 +6932,7 @@ zone_resigninc(dns_zone_t *zone) {
|
|||
*/
|
||||
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
|
||||
zonediff.diff, zone_keys, nkeys, zone->mctx,
|
||||
inception, soaexpire, check_ksk, keyset_kskonly);
|
||||
inception, soaexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"zone_resigninc:add_sigs -> %s",
|
||||
|
|
@ -7173,8 +7166,8 @@ static isc_result_t
|
|||
sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
|
||||
dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3,
|
||||
bool build_nsec, dst_key_t *key, isc_stdtime_t inception,
|
||||
isc_stdtime_t expire, dns_ttl_t nsecttl, bool is_ksk, bool is_zsk,
|
||||
bool keyset_kskonly, bool is_bottom_of_zone, dns_diff_t *diff,
|
||||
isc_stdtime_t expire, dns_ttl_t nsecttl, bool both, bool is_ksk,
|
||||
bool is_zsk, bool is_bottom_of_zone, dns_diff_t *diff,
|
||||
int32_t *signatures, isc_mem_t *mctx) {
|
||||
isc_result_t result;
|
||||
dns_rdatasetiter_t *iterator = NULL;
|
||||
|
|
@ -7262,10 +7255,10 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
|
|||
* be signed with a key in the current DS RRset,
|
||||
* which would only include KSK's.)
|
||||
*/
|
||||
if (!is_ksk && keyset_kskonly) {
|
||||
if (!is_ksk && both) {
|
||||
goto next_rdataset;
|
||||
}
|
||||
} else if (!is_zsk) {
|
||||
} else if (!is_zsk && both) {
|
||||
goto next_rdataset;
|
||||
} else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
|
||||
inception, &when))
|
||||
|
|
@ -7860,8 +7853,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
|
|||
dst_key_t *zone_keys[], unsigned int nkeys,
|
||||
dns_zone_t *zone, isc_stdtime_t inception,
|
||||
isc_stdtime_t expire, isc_stdtime_t keyexpire,
|
||||
isc_stdtime_t now, bool check_ksk, bool keyset_kskonly,
|
||||
dns__zonediff_t *zonediff) {
|
||||
isc_stdtime_t now, dns__zonediff_t *zonediff) {
|
||||
dns_difftuple_t *tuple;
|
||||
isc_result_t result;
|
||||
|
||||
|
|
@ -7885,8 +7877,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
|
|||
}
|
||||
result = add_sigs(db, version, &tuple->name, zone,
|
||||
tuple->rdata.type, zonediff->diff, zone_keys,
|
||||
nkeys, zone->mctx, inception, exp, check_ksk,
|
||||
keyset_kskonly);
|
||||
nkeys, zone->mctx, inception, exp);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"dns__zone_updatesigs:add_sigs -> %s",
|
||||
|
|
@ -7928,7 +7919,6 @@ zone_nsec3chain(dns_zone_t *zone) {
|
|||
dns_nsec3chainlist_t cleanup;
|
||||
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
|
||||
int32_t signatures;
|
||||
bool check_ksk, keyset_kskonly;
|
||||
bool delegation;
|
||||
bool first;
|
||||
isc_result_t result;
|
||||
|
|
@ -8028,9 +8018,6 @@ zone_nsec3chain(dns_zone_t *zone) {
|
|||
expire = soaexpire - 1;
|
||||
}
|
||||
|
||||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
|
||||
|
||||
/*
|
||||
* We keep pulling nodes off each iterator in turn until
|
||||
* we have no more nodes to pull off or we reach the limits
|
||||
|
|
@ -8585,7 +8572,7 @@ skip_removals:
|
|||
}
|
||||
result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
|
||||
nkeys, zone, inception, expire, 0, now,
|
||||
check_ksk, keyset_kskonly, &zonediff);
|
||||
&zonediff);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_nsec3chain:dns__zone_updatesigs -> %s",
|
||||
|
|
@ -8599,7 +8586,7 @@ skip_removals:
|
|||
*/
|
||||
result = dns__zone_updatesigs(¶m_diff, db, version, zone_keys,
|
||||
nkeys, zone, inception, expire, 0, now,
|
||||
check_ksk, keyset_kskonly, &zonediff);
|
||||
&zonediff);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_nsec3chain:dns__zone_updatesigs -> %s",
|
||||
|
|
@ -8620,7 +8607,7 @@ skip_removals:
|
|||
|
||||
result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys, nkeys,
|
||||
zone, inception, expire, 0, now,
|
||||
check_ksk, keyset_kskonly, &zonediff);
|
||||
&zonediff);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_nsec3chain:dns__zone_updatesigs -> %s",
|
||||
|
|
@ -8660,7 +8647,7 @@ skip_removals:
|
|||
|
||||
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
|
||||
zonediff.diff, zone_keys, nkeys, zone->mctx,
|
||||
inception, soaexpire, check_ksk, keyset_kskonly);
|
||||
inception, soaexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_nsec3chain:add_sigs -> %s",
|
||||
|
|
@ -9028,7 +9015,7 @@ zone_sign(dns_zone_t *zone) {
|
|||
dns_signinglist_t cleanup;
|
||||
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
|
||||
int32_t signatures;
|
||||
bool check_ksk, keyset_kskonly, is_ksk, is_zsk;
|
||||
bool is_ksk, is_zsk;
|
||||
bool with_ksk, with_zsk;
|
||||
bool commit = false;
|
||||
bool is_bottom_of_zone;
|
||||
|
|
@ -9128,13 +9115,7 @@ zone_sign(dns_zone_t *zone) {
|
|||
first = true;
|
||||
|
||||
if (kasp != NULL) {
|
||||
check_ksk = false;
|
||||
keyset_kskonly = true;
|
||||
use_kasp = true;
|
||||
} else {
|
||||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
keyset_kskonly = DNS_ZONE_OPTION(zone,
|
||||
DNS_ZONEOPT_DNSKEYKSKONLY);
|
||||
}
|
||||
dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s",
|
||||
use_kasp ? "yes" : "no");
|
||||
|
|
@ -9265,7 +9246,6 @@ zone_sign(dns_zone_t *zone) {
|
|||
|
||||
for (i = 0; !has_alg && i < nkeys; i++) {
|
||||
bool both = false;
|
||||
|
||||
/*
|
||||
* Find the keys we want to sign with.
|
||||
*/
|
||||
|
|
@ -9297,9 +9277,9 @@ zone_sign(dns_zone_t *zone) {
|
|||
}
|
||||
|
||||
/*
|
||||
* Do we do KSK processing?
|
||||
* We do KSK processing.
|
||||
*/
|
||||
if (check_ksk && !REVOKE(zone_keys[i])) {
|
||||
if (!REVOKE(zone_keys[i])) {
|
||||
/*
|
||||
* Don't consider inactive keys, however the key
|
||||
* may be temporary offline, so do consider KSKs
|
||||
|
|
@ -9333,14 +9313,26 @@ zone_sign(dns_zone_t *zone) {
|
|||
is_zsk = true;
|
||||
}
|
||||
}
|
||||
/* Treat as if we have both KSK and ZSK. */
|
||||
both = true;
|
||||
} else if (both || REVOKE(zone_keys[i])) {
|
||||
is_ksk = KSK(zone_keys[i]);
|
||||
is_zsk = !KSK(zone_keys[i]);
|
||||
} else {
|
||||
is_ksk = false;
|
||||
is_zsk = true;
|
||||
is_ksk = KSK(zone_keys[i]);
|
||||
is_zsk = !is_ksk;
|
||||
|
||||
/*
|
||||
* Don't consider inactive keys, however the key
|
||||
* may be temporary offline, so do consider KSKs
|
||||
* which private key files are unavailable.
|
||||
*/
|
||||
both = dst_key_have_ksk_and_zsk(
|
||||
zone_keys, nkeys, i, false, is_ksk,
|
||||
is_zsk, NULL, NULL);
|
||||
if (both || REVOKE(zone_keys[i])) {
|
||||
is_ksk = KSK(zone_keys[i]);
|
||||
is_zsk = !KSK(zone_keys[i]);
|
||||
} else {
|
||||
is_ksk = false;
|
||||
is_zsk = false;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -9356,12 +9348,12 @@ zone_sign(dns_zone_t *zone) {
|
|||
continue;
|
||||
}
|
||||
|
||||
CHECK(sign_a_node(
|
||||
db, zone, name, node, version, build_nsec3,
|
||||
build_nsec, zone_keys[i], inception, expire,
|
||||
zone_nsecttl(zone), is_ksk, is_zsk,
|
||||
(both && keyset_kskonly), is_bottom_of_zone,
|
||||
zonediff.diff, &signatures, zone->mctx));
|
||||
CHECK(sign_a_node(db, zone, name, node, version,
|
||||
build_nsec3, build_nsec, zone_keys[i],
|
||||
inception, expire, zone_nsecttl(zone),
|
||||
both, is_ksk, is_zsk,
|
||||
is_bottom_of_zone, zonediff.diff,
|
||||
&signatures, zone->mctx));
|
||||
/*
|
||||
* If we are adding we are done. Look for other keys
|
||||
* of the same algorithm if deleting.
|
||||
|
|
@ -9449,8 +9441,7 @@ zone_sign(dns_zone_t *zone) {
|
|||
if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
|
||||
result = dns__zone_updatesigs(&post_diff, db, version,
|
||||
zone_keys, nkeys, zone, inception,
|
||||
expire, 0, now, check_ksk,
|
||||
keyset_kskonly, &zonediff);
|
||||
expire, 0, now, &zonediff);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_sign:dns__zone_updatesigs -> %s",
|
||||
|
|
@ -9495,7 +9486,7 @@ zone_sign(dns_zone_t *zone) {
|
|||
*/
|
||||
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
|
||||
zonediff.diff, zone_keys, nkeys, zone->mctx,
|
||||
inception, soaexpire, check_ksk, keyset_kskonly);
|
||||
inception, soaexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
|
||||
isc_result_totext(result));
|
||||
|
|
@ -19587,8 +19578,7 @@ tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db,
|
|||
dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff,
|
||||
dns__zonediff_t *zonediff, dst_key_t **keys,
|
||||
unsigned int nkeys, isc_stdtime_t inception,
|
||||
isc_stdtime_t keyexpire, bool check_ksk,
|
||||
bool keyset_kskonly) {
|
||||
isc_stdtime_t keyexpire) {
|
||||
dns_difftuple_t *tuple;
|
||||
isc_result_t result;
|
||||
|
||||
|
|
@ -19613,8 +19603,7 @@ tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db,
|
|||
}
|
||||
result = add_sigs(db, ver, &zone->origin, zone, rrtype,
|
||||
zonediff->diff, keys, nkeys, zone->mctx,
|
||||
inception, keyexpire, check_ksk,
|
||||
keyset_kskonly);
|
||||
inception, keyexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:add_sigs -> %s",
|
||||
|
|
@ -19631,7 +19620,6 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff) {
|
||||
isc_result_t result;
|
||||
isc_stdtime_t inception, soaexpire, keyexpire;
|
||||
bool check_ksk, keyset_kskonly;
|
||||
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
|
||||
unsigned int nkeys = 0, i;
|
||||
|
||||
|
|
@ -19654,9 +19642,6 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
keyexpire += now;
|
||||
}
|
||||
|
||||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
|
||||
|
||||
/*
|
||||
* See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY
|
||||
* signature and if not cause them to sign so that newly activated
|
||||
|
|
@ -19664,26 +19649,26 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
*/
|
||||
result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now,
|
||||
diff, zonediff, zone_keys, nkeys, inception,
|
||||
keyexpire, check_ksk, keyset_kskonly);
|
||||
keyexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto failure;
|
||||
}
|
||||
result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff,
|
||||
zonediff, zone_keys, nkeys, inception,
|
||||
keyexpire, check_ksk, keyset_kskonly);
|
||||
keyexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto failure;
|
||||
}
|
||||
result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now,
|
||||
diff, zonediff, zone_keys, nkeys, inception,
|
||||
keyexpire, check_ksk, keyset_kskonly);
|
||||
keyexpire);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto failure;
|
||||
}
|
||||
|
||||
result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
|
||||
inception, soaexpire, keyexpire, now,
|
||||
check_ksk, keyset_kskonly, zonediff);
|
||||
zonediff);
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
|
|
|
|||
|
|
@ -39,8 +39,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
|
|||
dst_key_t *zone_keys[], unsigned int nkeys,
|
||||
dns_zone_t *zone, isc_stdtime_t inception,
|
||||
isc_stdtime_t expire, isc_stdtime_t keyxpire,
|
||||
isc_stdtime_t now, bool check_ksk, bool keyset_kskonly,
|
||||
dns__zonediff_t *zonediff);
|
||||
isc_stdtime_t now, dns__zonediff_t *zonediff);
|
||||
|
||||
isc_result_t
|
||||
dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup,
|
||||
|
|
|
|||
|
|
@ -3402,24 +3402,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
|
|||
}
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
|
||||
if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
|
||||
!signing)
|
||||
{
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"dnssec-dnskey-kskonly: requires "
|
||||
"inline-signing when used in secondary "
|
||||
"zone");
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"dnssec-dnskey-kskonly: cannot be "
|
||||
"configured if dnssec-policy is also set");
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
|
||||
if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
|
||||
|
|
@ -3432,24 +3414,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
|
|||
result = ISC_R_FAILURE;
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
|
||||
if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
|
||||
!signing)
|
||||
{
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"update-check-ksk: requires "
|
||||
"inline-signing when used in secondary "
|
||||
"zone");
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"update-check-ksk: cannot be configured "
|
||||
"if dnssec-policy is also set");
|
||||
result = ISC_R_FAILURE;
|
||||
}
|
||||
|
||||
obj = NULL;
|
||||
res1 = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
|
||||
if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
|
||||
|
|
|
|||
|
|
@ -2275,7 +2275,7 @@ static cfg_clausedef_t zone_clauses[] = {
|
|||
{ "dialup", &cfg_type_dialuptype,
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
|
||||
{ "dnssec-dnskey-kskonly", &cfg_type_boolean,
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
|
||||
{ "dnssec-loadkeys-interval", &cfg_type_uint32,
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
|
||||
{ "dnssec-policy", &cfg_type_astring,
|
||||
|
|
@ -2365,7 +2365,7 @@ static cfg_clausedef_t zone_clauses[] = {
|
|||
{ "try-tcp-refresh", &cfg_type_boolean,
|
||||
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
|
||||
{ "update-check-ksk", &cfg_type_boolean,
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
|
||||
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
|
||||
{ "use-alt-transfer-source", &cfg_type_boolean,
|
||||
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
|
||||
CFG_CLAUSEFLAG_ANCIENT },
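Review bot: Neither obsoleted entry says what replaced it, so a reader of this table cannot tell that `update-check-ksk no;` and `dnssec-dnskey-kskonly no;` are now accepted but no longer honoured — per the commit message KSK processing is applied unconditionally, which on an existing zone can drop ZSK signatures from the DNSKEY RRset and is a visible change in the signed data. A short comment above each entry would carry that, e.g. `/* obsolete: KSK/ZSK role separation is now unconditional; use dnssec-policy */`. The separate check.c hunks delete the "cannot be configured if dnssec-policy is also set" errors for these two options, so the parser flag is now the only thing telling an operator anything; what CFG_CLAUSEFLAG_OBSOLETE emits at load time (warning vs. error) is not visible here and is worth confirming so the message points users at dnssec-policy.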
|
||||
|
|
|
|||
|
|
@ -244,7 +244,7 @@ updatesigs_test(const updatesigs_test_params_t *test, dns_zone_t *zone,
|
|||
*/
|
||||
result = dns__zone_updatesigs(&raw_diff, db, version, zone_keys, nkeys,
|
||||
zone, now - 3600, now + 3600, 0, now,
|
||||
true, false, &zonediff);
|
||||
&zonediff);
|
||||
assert_int_equal(result, ISC_R_SUCCESS);
|
||||
assert_true(ISC_LIST_EMPTY(raw_diff.tuples));
|
||||
assert_false(ISC_LIST_EMPTY(zone_diff.tuples));
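Review bot: The dropped arguments `true, false` (check_ksk, keyset_kskonly) were the only place this test pinned the DNSKEY-signing policy; now that dns__zone_updatesigs() decides KSK/ZSK roles internally, nothing visible here asserts which keys produced the apex RRSIGs. If the fixture carries both a KSK- and a ZSK-flagged key, consider walking `zone_diff.tuples` and checking that RRSIG tuples covering DNSKEY carry only the KSK's key tag, since that separation is exactly what the removed knobs used to switch off. updatesigs_test continues outside the hunk, so this may already be covered further down.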
|
||||
|
|
|
|||