diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 4eff7aadf5..e6fb455c3d 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -359,15 +359,12 @@ Options .. option:: -x This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys, - and should omit signatures from zone-signing keys. (This is similar to the - ``dnssec-dnskey-kskonly yes;`` zone option in :iscman:`named`.) + and should omit signatures from zone-signing keys. .. option:: -z This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. - (This is similar to the ``update-check-ksk no;`` zone option in - :iscman:`named`.) .. option:: -3 salt diff --git a/bin/named/config.c b/bin/named/config.c index a13cd73844..451d930976 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -215,7 +215,6 @@ options {\n\ check-srv-cname warn;\n\ check-wildcard yes;\n\ dialup no;\n\ - dnssec-dnskey-kskonly yes;\n\ dnssec-loadkeys-interval 60;\n\ dnssec-update-mode maintain;\n\ # forward \n\ @@ -243,7 +242,6 @@ options {\n\ transfer-source *;\n\ transfer-source-v6 *;\n\ try-tcp-refresh yes; /* BIND 8 compat */\n\ - update-check-ksk yes;\n\ zero-no-soa-ttl yes;\n\ zone-statistics terse;\n\ };\n\ diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index dcf4cad762..8b584d4e1f 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c 
@@ -1593,26 +1593,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(result == ISC_R_SUCCESS && obj != NULL); dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj)); - obj = NULL; - result = named_config_get(maps, "update-check-ksk", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, - cfg_obj_asboolean(obj)); - /* - * This setting will be ignored if dnssec-policy is used. - * named-checkconf will error if both are configured. - */ - - obj = NULL; - result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY, - cfg_obj_asboolean(obj)); - /* - * This setting will be ignored if dnssec-policy is used. - * named-checkconf will error if both are configured. - */ - obj = NULL; result = named_config_get(maps, "dnssec-loadkeys-interval", &obj); diff --git a/bin/tests/system/checkconf/bad-dnssec.conf b/bin/tests/system/checkconf/bad-dnssec.conf index 3dbd0f3056..b6974eb86c 100644 --- a/bin/tests/system/checkconf/bad-dnssec.conf +++ b/bin/tests/system/checkconf/bad-dnssec.conf @@ -15,8 +15,6 @@ zone not-inline { type secondary; primaries { 127.0.0.1; }; inline-signing no; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; dnssec-loadkeys-interval 10; }; @@ -25,7 +23,5 @@ zone inline { type secondary; primaries { 127.0.0.1; }; inline-signing yes; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; dnssec-loadkeys-interval 10; }; diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf index 0626afb9d4..2208ac0e19 100644 --- a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf +++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf 
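Review bot: Nothing left in this diff sets or reads DNS_ZONEOPT_UPDATECHECKKSK or DNS_ZONEOPT_DNSKEYKSKONLY once these two `dns_zone_setoption()` calls are gone and the `DNS_ZONE_OPTION()` reads in zone.c and update.c are removed further down, so the flag definitions (in a header not part of this diff) look unreferenced. If no other caller remains they should be retired in the same change, otherwise a later `dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, ...)` would compile and silently do nothing. named_zone_configure starts and ends outside the hunk.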
@@ -17,8 +17,6 @@ zone "nsec3.net" { type primary; file "nsec3.db"; dnssec-policy "test"; - dnssec-dnskey-kskonly yes; dnssec-update-mode maintain; inline-signing no; - update-check-ksk yes; }; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 0d93b8bfae..7167df8dcc 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -218,15 +218,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1 -l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l) -[ $l -eq 1 ] || ret=1 $CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1 l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1 -l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l) -[ $l -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) @@ -490,9 +484,7 @@ echo_i "checking named-checkconf kasp errors ($n)" ret=0 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
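Review bot: In the "named-checkconf kasp errors" check the two remaining `grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set"` lines are now adjacent and identical, so the second one adds no coverage; either drop it or replace it with whichever option it was presumably meant to check. In the "options allowed in inline-signing secondaries" check the only remaining output file is `checkconf.out$n.2` with no `.1`, which reads as a leftover from the removed case; renaming it to `checkconf.out$n` keeps the numbering consistent with the other checks in this script.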
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index c339c447db..d20bf7194a 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -69,6 +69,13 @@ zone "step1.going-straight-to-none.kasp" {
 dnssec-policy "default";
 };
 
+zone "step1.going-straight-to-none-dynamic.kasp" {
+ type primary;
+ file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+ dnssec-policy "default";
+ allow-update { any; };
+};
+
 /* These are alorithm rollover test zones. */
 zone "step1.algorithm-roll.kasp" {
 type primary;
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 4d48fd9a7e..13a57f91f7 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -82,6 +82,13 @@ zone "step1.going-straight-to-none.kasp" {
 dnssec-policy "none";
 };
 
+zone "step1.going-straight-to-none-dynamic.kasp" {
+ type primary;
+ file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+ dnssec-policy "none";
+ allow-update { any; };
+};
+
 /*
 * Zones for testing KSK/ZSK algorithm roll.
 */
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 6764f1b9c1..895c55c4c8 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -83,6 +83,18 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" cp $infile $zonefile $SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +# This zone is going straight to "none" policy. This is undefined behavior. +setup step1.going-straight-to-none-dynamic.kasp +echo "$zone" >> zones +TactN="now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" > "$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 + # # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK # algorithm rollover. diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 2162952c23..636e9acd3b 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
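Review bot: The leading comment `# This zone is going straight to "none" policy. This is undefined behavior.` is copied verbatim from the preceding block and does not say what distinguishes this zone: it is the dynamic (allow-update) variant and is written with `-O full` where the previous zone uses `-O raw`. A reader has no way to tell whether the output-format change is deliberate, so I would replace the comment with something like `# Dynamic (allow-update) variant of the zone above; signed output is a text zone (-O full) rather than raw, presumably because the zone will be updated in place.` with the reason confirmed by the author. The `$zone`, `$infile` and `$zonefile` variables are set by `setup`, which is outside this hunk.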
@@ -3897,6 +3897,44 @@ check_apex check_subdomain dnssec_verify +# +# Zone step1.going-straight-to-none-dynamic.kasp +# +set_zone "step1.going-straight-to-none-dynamic.kasp" +set_policy "default" "1" "3600" +set_server "ns6" "10.53.0.6" +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" +# This policy only has one key. +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# The first key is immediately published and activated. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "SYNCPUBLISH" "${created}" +# Key lifetime is unlimited, so not setting RETIRED and REMOVED. +check_keytimes + +check_apex +check_subdomain +dnssec_verify + # Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy # changes). echo_i "reconfig dnssec-policy to trigger algorithm rollover" 
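Review bot: The comment `# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.` contradicts the line immediately below it, `set_keystate "KEY1" "STATE_DS" "omnipresent"`, and the setup.sh block for this zone runs settime with `-d $O $TactN`, so the DS is expected to be omnipresent from the start. The comment appears to have been pasted from a zone that does wait for the DS; I would change it to `# DNSKEY, both RRSIG states and DS are all omnipresent from setup (settime -d).` so the expectations read consistently. The same stale comment also precedes the second block for this zone later in the file.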
@@ -4143,6 +4181,37 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" dnssec_verify +# +# Zone: step1.going-straight-to-none-dynamic.kasp +# +set_zone "step1.going-straight-to-none-dynamic.kasp" +set_policy "none" "1" "3600" +set_server "ns6" "10.53.0.6" + +# The zone will go bogus after signatures expire, but remains validly signed for now. + +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" +# This policy only has one key. +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +dnssec_verify + # # Testing KSK/ZSK algorithm rollover. # diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 0d5ef3d09a..51db685f57 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
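Review bot: This block checks only the static state of the zone after the switch to `dnssec-policy "none"`, so the property the zone name advertises (dynamic, with `allow-update { any; }` in named2.conf.in) is never exercised; nothing sends an update and nothing asserts whether the zone's RRSIGs are or are not regenerated afterwards. The comment `# The zone will go bogus after signatures expire, but remains validly signed for now.` states the expected end state but the test cannot detect a regression in it. I would add an nsupdate against `$ZONE` followed by a check of the apex RRSIG inception/expiration (or of the absence of new RRSIGs), whichever outcome is the intended one, and say so in the comment. The DS comment `# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.` is also contradicted by the `STATE_DS omnipresent` line below it.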
@@ -2708,40 +2708,14 @@ Boolean Options The default is ``no``. .. namedconf:statement:: update-check-ksk - :tags: zone, dnssec - :short: Specifies whether to check the KSK bit to determine how a key should be used, when generating RRSIGs for a secure zone. + :tags: obsolete - When set to the default value of ``yes``, check the KSK bit in each - key to determine how the key should be used when generating RRSIGs - for a secure zone. - - Ordinarily, zone-signing keys (that is, keys without the KSK bit set) - are used to sign the entire zone, while key-signing keys (keys with - the KSK bit set) are only used to sign the DNSKEY RRset at the zone - apex. However, if this option is set to ``no``, then the KSK bit is - ignored; KSKs are treated as if they were ZSKs and are used to sign - the entire zone. This is similar to the :option:`dnssec-signzone -z` - command-line option. - - When this option is set to ``yes``, there must be at least two active - keys for every algorithm represented in the DNSKEY RRset: at least - one KSK and one ZSK per algorithm. If there is any algorithm for - which this requirement is not met, this option is ignored for - that algorithm. + This option no longer has any effect. .. namedconf:statement:: dnssec-dnskey-kskonly - :tags: dnssec - :short: Specifies that only key-signing keys are used to sign the DNSKEY, CDNSKEY, and CDS RRsets at a zone's apex. + :tags: obsolete - When this option and :any:`update-check-ksk` are both set to ``yes``, - only key-signing keys (that is, keys with the KSK bit set) are - used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex. - Zone-signing keys (keys without the KSK bit set) are used to sign - the remainder of the zone, but not the DNSKEY RRset. This is similar - to the :option:`dnssec-signzone -x` command-line option. - - The default is ``yes``. If :any:`update-check-ksk` is set to ``no``, this - option is ignored. + This option no longer has any effect. .. 
namedconf:statement:: try-tcp-refresh :tags: transfer diff --git a/doc/misc/options b/doc/misc/options index 674ceb536f..815bac3b37 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -115,7 +115,7 @@ options { dnsrps-library ; // not configured dnsrps-options { }; // not configured dnssec-accept-expired ; - dnssec-dnskey-kskonly ; + dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times dnssec-policy ; @@ -298,7 +298,7 @@ options { try-tcp-refresh ; udp-receive-buffer ; udp-send-buffer ; - update-check-ksk ; + update-check-ksk ; // obsolete update-quota ; use-v4-udp-ports { ; ... }; // deprecated use-v6-udp-ports { ; ... }; // deprecated @@ -413,7 +413,7 @@ view [ ] { dnsrps-enable ; // not configured dnsrps-options { }; // not configured dnssec-accept-expired ; - dnssec-dnskey-kskonly ; + dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times dnssec-policy ; @@ -571,7 +571,7 @@ view [ ] { trust-anchors { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times trusted-keys { ; ... }; // may occur multiple times, deprecated try-tcp-refresh ; - update-check-ksk ; + update-check-ksk ; // obsolete v6-bias ; validate-except { ; ... }; zero-no-soa-ttl ; diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt index 7f03bd6472..a844114683 100644 --- a/doc/misc/primary.zoneopt +++ b/doc/misc/primary.zoneopt @@ -20,7 +20,7 @@ zone [ ] { dialup ( notify | notify-passive | passive | refresh | ); dlz ; dnskey-sig-validity ; // obsolete - dnssec-dnskey-kskonly ; + dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; dnssec-policy ; dnssec-secure-to-insecure ; // obsolete 
@@ -54,7 +54,7 @@ zone [ ] { sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; // obsolete - update-check-ksk ; + update-check-ksk ; // obsolete update-policy ( local | { ( deny | grant ) ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ ] ; ... } ); zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt index 661d50445e..7c50a79d97 100644 --- a/doc/misc/secondary.zoneopt +++ b/doc/misc/secondary.zoneopt @@ -12,7 +12,7 @@ zone [ ] { dialup ( notify | notify-passive | passive | refresh | ); dlz ; dnskey-sig-validity ; // obsolete - dnssec-dnskey-kskonly ; + dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; dnssec-policy ; dnssec-update-mode ( maintain | no-resign ); @@ -56,7 +56,7 @@ zone [ ] { transfer-source ( | * ); transfer-source-v6 ( | * ); try-tcp-refresh ; - update-check-ksk ; + update-check-ksk ; // obsolete zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); }; diff --git a/lib/dns/update.c b/lib/dns/update.c index 17ebcb8e2d..6063a50199 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1108,8 +1108,7 @@ static isc_result_t add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, - isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk, - bool keyset_kskonly) { + isc_stdtime_t inception, isc_stdtime_t expire) { isc_result_t result; dns_dbnode_t *node = NULL; dns_kasp_t *kasp = dns_zone_getkasp(zone); @@ -1124,8 +1123,6 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, isc_mem_t *mctx = diff->mctx; if (kasp != NULL) { - check_ksk = false; - keyset_kskonly = true; use_kasp = true; } 
@@ -1163,7 +1160,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, continue; } - if (check_ksk && !REVOKE(keys[i])) { + if (!REVOKE(keys[i])) { /* * Don't consider inactive keys, however the KSK may be * temporary offline, so do consider KSKs which private @@ -1232,7 +1229,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1). */ if (dns_rdatatype_iskeymaterial(type)) { - if (!KSK(keys[i]) && keyset_kskonly) { + if (!KSK(keys[i])) { continue; } } else if (KSK(keys[i])) { @@ -1367,8 +1364,8 @@ static isc_result_t add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, bool cut, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, - isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk, - bool keyset_kskonly, unsigned int *sigs) { + isc_stdtime_t inception, isc_stdtime_t expire, + unsigned int *sigs) { isc_result_t result; dns_dbnode_t *node; dns_rdatasetiter_t *iter; @@ -1418,8 +1415,7 @@ add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, continue; } result = add_sigs(log, zone, db, ver, name, type, diff, keys, - nkeys, inception, expire, check_ksk, - keyset_kskonly); + nkeys, inception, expire); if (result != ISC_R_SUCCESS) { goto cleanup_iterator; } @@ -1469,7 +1465,7 @@ struct dns_update_state { unsigned int nkeys; isc_stdtime_t inception, expire, soaexpire, keyexpire; dns_ttl_t nsecttl; - bool check_ksk, keyset_kskonly, build_nsec3; + bool build_nsec3; enum { sign_updates, remove_orphaned, 
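Review bot: In the key-material branch `if (!KSK(keys[i])) { continue; }` is now unconditional, so a zone whose keys all lack the KSK flag (single-key signing without a KSK bit, which `update-check-ksk no` used to accommodate) will get no RRSIG over DNSKEY/CDS/CDNSKEY from dynamic updates unless the `!REVOKE(keys[i])` block above, whose body is cut off in this hunk, maps a lone non-KSK key to both roles. If it does, a comment at this `continue` saying that `KSK()` is guaranteed to be true for at least one usable key per algorithm would make that dependency visible; if it does not, this is a regression for such zones and the check should consult the computed role rather than the raw flag. add_sigs begins at the earlier hunk and continues past this one.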
@@ -1565,17 +1561,6 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, state->keyexpire += now; } - /* - * Do we look at the KSK flag on the DNSKEY to determining which - * keys sign which RRsets? First check the zone option then - * check the keys flags to make sure at least one has a ksk set - * and one doesn't. - */ - state->check_ksk = ((dns_zone_getoptions(zone) & - DNS_ZONEOPT_UPDATECHECKKSK) != 0); - state->keyset_kskonly = ((dns_zone_getoptions(zone) & - DNS_ZONEOPT_DNSKEYKSKONLY) != 0); - /* * Calculate the NSEC/NSEC3 TTL as a minimum of the SOA TTL and * MINIMUM field. @@ -1675,9 +1660,7 @@ next_state: log, zone, db, newver, name, type, &state->sig_diff, state->zone_keys, state->nkeys, - state->inception, exp, - state->check_ksk, - state->keyset_kskonly)); + state->inception, exp)); sigs++; } skip: @@ -1879,8 +1862,7 @@ next_state: log, zone, db, newver, name, cut, &state->sig_diff, state->zone_keys, state->nkeys, state->inception, - state->expire, state->check_ksk, - state->keyset_kskonly, &sigs)); + state->expire, &sigs)); } unlink: ISC_LIST_UNLINK(state->affected.tuples, t, link); @@ -1952,13 +1934,11 @@ next_state: dns_rdatatype_nsec, NULL, &state->sig_diff)); } else if (t->op == DNS_DIFFOP_ADD) { - CHECK(add_sigs(log, zone, db, newver, &t->name, - dns_rdatatype_nsec, - &state->sig_diff, - state->zone_keys, state->nkeys, - state->inception, state->expire, - state->check_ksk, - state->keyset_kskonly)); + CHECK(add_sigs( + log, zone, db, newver, &t->name, + dns_rdatatype_nsec, &state->sig_diff, + state->zone_keys, state->nkeys, + state->inception, state->expire)); sigs++; } else { UNREACHABLE(); @@ -2086,8 +2066,7 @@ next_state: log, zone, db, newver, name, cut, &state->sig_diff, state->zone_keys, state->nkeys, state->inception, - state->expire, state->check_ksk, - state->keyset_kskonly, &sigs)); + state->expire, &sigs)); CHECK(dns_nsec3_addnsec3sx( db, newver, name, state->nsecttl, unsecure, privatetype, 
@@ -2127,13 +2106,11 @@ next_state: dns_rdatatype_nsec3, NULL, &state->sig_diff)); } else if (t->op == DNS_DIFFOP_ADD) { - CHECK(add_sigs(log, zone, db, newver, &t->name, - dns_rdatatype_nsec3, - &state->sig_diff, - state->zone_keys, state->nkeys, - state->inception, state->expire, - state->check_ksk, - state->keyset_kskonly)); + CHECK(add_sigs( + log, zone, db, newver, &t->name, + dns_rdatatype_nsec3, &state->sig_diff, + state->zone_keys, state->nkeys, + state->inception, state->expire)); sigs++; } else { UNREACHABLE(); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 945346967b..4b07ae6699 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6546,7 +6546,7 @@ static isc_result_t add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception, - isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) { + isc_stdtime_t expire) { isc_result_t result; dns_dbnode_t *node = NULL; dns_stats_t *dnssecsignstats; @@ -6558,8 +6558,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, bool use_kasp = false; if (zone->kasp != NULL) { - check_ksk = false; - keyset_kskonly = true; use_kasp = true; } @@ -6598,7 +6596,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, continue; } - if (check_ksk && !REVOKE(keys[i])) { + if (!REVOKE(keys[i])) { /* * Don't consider inactive keys, however the KSK may be * temporary offline, so do consider keys which private @@ -6680,7 +6678,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1). */ if (dns_rdatatype_iskeymaterial(type)) { - if (!KSK(keys[i]) && keyset_kskonly) { + if (!KSK(keys[i])) { continue; } } else if (KSK(keys[i])) { 
@@ -6739,7 +6737,6 @@ zone_resigninc(dns_zone_t *zone) { dns_rdataset_t rdataset; dns_rdatatype_t covers; dst_key_t *zone_keys[DNS_MAXZONEKEYS]; - bool check_ksk, keyset_kskonly = false; isc_result_t result; isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop; uint32_t sigvalidityinterval, expiryinterval; @@ -6827,9 +6824,6 @@ zone_resigninc(dns_zone_t *zone) { } stop = now + 5; - check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); - keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY); - name = dns_fixedname_initname(&fixed); result = dns_db_getsigningtime(db, &rdataset, name); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { @@ -6876,8 +6870,7 @@ zone_resigninc(dns_zone_t *zone) { result = add_sigs(db, version, name, zone, covers, zonediff.diff, zone_keys, nkeys, zone->mctx, inception, - resign > (now - 300) ? expire : fullexpire, - check_ksk, keyset_kskonly); + resign > (now - 300) ? expire : fullexpire); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_resigninc:add_sigs -> %s", @@ -6939,7 +6932,7 @@ zone_resigninc(dns_zone_t *zone) { */ result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, zonediff.diff, zone_keys, nkeys, zone->mctx, - inception, soaexpire, check_ksk, keyset_kskonly); + inception, soaexpire); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_resigninc:add_sigs -> %s", 
@@ -7173,8 +7166,8 @@ static isc_result_t sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3, bool build_nsec, dst_key_t *key, isc_stdtime_t inception, - isc_stdtime_t expire, dns_ttl_t nsecttl, bool is_ksk, bool is_zsk, - bool keyset_kskonly, bool is_bottom_of_zone, dns_diff_t *diff, + isc_stdtime_t expire, dns_ttl_t nsecttl, bool both, bool is_ksk, + bool is_zsk, bool is_bottom_of_zone, dns_diff_t *diff, int32_t *signatures, isc_mem_t *mctx) { isc_result_t result; dns_rdatasetiter_t *iterator = NULL; @@ -7262,10 +7255,10 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, * be signed with a key in the current DS RRset, * which would only include KSK's.) */ - if (!is_ksk && keyset_kskonly) { + if (!is_ksk && both) { goto next_rdataset; } - } else if (!is_zsk) { + } else if (!is_zsk && both) { goto next_rdataset; } else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK, inception, &when)) @@ -7860,8 +7853,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone, isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t keyexpire, - isc_stdtime_t now, bool check_ksk, bool keyset_kskonly, - dns__zonediff_t *zonediff) { + isc_stdtime_t now, dns__zonediff_t *zonediff) { dns_difftuple_t *tuple; isc_result_t result; @@ -7885,8 +7877,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, } result = add_sigs(db, version, &tuple->name, zone, tuple->rdata.type, zonediff->diff, zone_keys, - nkeys, zone->mctx, inception, exp, check_ksk, - keyset_kskonly); + nkeys, zone->mctx, inception, exp); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "dns__zone_updatesigs:add_sigs -> %s", 
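Review bot: The new `} else if (!is_zsk && both) {` changes which keys sign ordinary RRsets: a KSK-flagged key with `both == false` (no ZSK for its algorithm) no longer skips them, and because the following condition is `is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK, ...)` it also bypasses the ZSK signing-time check that a real ZSK gets. If letting a lone KSK act as a CSK is the intent, a comment such as `/* No ZSK for this algorithm: the KSK signs everything. */` above the branch would document it; if not, the timing check should apply to any key that is about to sign non-key-material. The renamed parameter `both` is positional and its meaning ("a KSK and a ZSK exist for this algorithm") is not stated anywhere in the signature, so a one-line comment on the prototype would help. sign_a_node's body runs past the end of this hunk.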
@@ -7928,7 +7919,6 @@ zone_nsec3chain(dns_zone_t *zone) { dns_nsec3chainlist_t cleanup; dst_key_t *zone_keys[DNS_MAXZONEKEYS]; int32_t signatures; - bool check_ksk, keyset_kskonly; bool delegation; bool first; isc_result_t result; @@ -8028,9 +8018,6 @@ zone_nsec3chain(dns_zone_t *zone) { expire = soaexpire - 1; } - check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); - keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY); - /* * We keep pulling nodes off each iterator in turn until * we have no more nodes to pull off or we reach the limits @@ -8585,7 +8572,7 @@ skip_removals: } result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys, nkeys, zone, inception, expire, 0, now, - check_ksk, keyset_kskonly, &zonediff); + &zonediff); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:dns__zone_updatesigs -> %s", @@ -8599,7 +8586,7 @@ skip_removals: */ result = dns__zone_updatesigs(¶m_diff, db, version, zone_keys, nkeys, zone, inception, expire, 0, now, - check_ksk, keyset_kskonly, &zonediff); + &zonediff); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:dns__zone_updatesigs -> %s", @@ -8620,7 +8607,7 @@ skip_removals: result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys, nkeys, zone, inception, expire, 0, now, - check_ksk, keyset_kskonly, &zonediff); + &zonediff); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:dns__zone_updatesigs -> %s", @@ -8660,7 +8647,7 @@ skip_removals: result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, zonediff.diff, zone_keys, nkeys, zone->mctx, - inception, soaexpire, check_ksk, keyset_kskonly); + inception, soaexpire); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:add_sigs -> %s", 
@@ -9028,7 +9015,7 @@ zone_sign(dns_zone_t *zone) { dns_signinglist_t cleanup; dst_key_t *zone_keys[DNS_MAXZONEKEYS]; int32_t signatures; - bool check_ksk, keyset_kskonly, is_ksk, is_zsk; + bool is_ksk, is_zsk; bool with_ksk, with_zsk; bool commit = false; bool is_bottom_of_zone; @@ -9128,13 +9115,7 @@ zone_sign(dns_zone_t *zone) { first = true; if (kasp != NULL) { - check_ksk = false; - keyset_kskonly = true; use_kasp = true; - } else { - check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); - keyset_kskonly = DNS_ZONE_OPTION(zone, - DNS_ZONEOPT_DNSKEYKSKONLY); } dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s", use_kasp ? "yes" : "no"); @@ -9265,7 +9246,6 @@ zone_sign(dns_zone_t *zone) { for (i = 0; !has_alg && i < nkeys; i++) { bool both = false; - /* * Find the keys we want to sign with. */ @@ -9297,9 +9277,9 @@ zone_sign(dns_zone_t *zone) { } /* - * Do we do KSK processing? + * We do KSK processing. */ - if (check_ksk && !REVOKE(zone_keys[i])) { + if (!REVOKE(zone_keys[i])) { /* * Don't consider inactive keys, however the key * may be temporary offline, so do consider KSKs @@ -9333,14 +9313,26 @@ zone_sign(dns_zone_t *zone) { is_zsk = true; } } - /* Treat as if we have both KSK and ZSK. */ both = true; - } else if (both || REVOKE(zone_keys[i])) { - is_ksk = KSK(zone_keys[i]); - is_zsk = !KSK(zone_keys[i]); } else { - is_ksk = false; - is_zsk = true; + is_ksk = KSK(zone_keys[i]); + is_zsk = !is_ksk; + + /* + * Don't consider inactive keys, however the key + * may be temporary offline, so do consider KSKs + * which private key files are unavailable. + */ + both = dst_key_have_ksk_and_zsk( + zone_keys, nkeys, i, false, is_ksk, + is_zsk, NULL, NULL); + if (both || REVOKE(zone_keys[i])) { + is_ksk = KSK(zone_keys[i]); + is_zsk = !KSK(zone_keys[i]); + } else { + is_ksk = false; + is_zsk = false; + } } /* 
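Review bot: The inner `if (both || REVOKE(zone_keys[i]))` in the new `else` branch is always true, because that branch is only reached when the enclosing `if (!REVOKE(zone_keys[i]))` failed, so the `is_ksk = false; is_zsk = false;` arm is dead code and the assignments in the taken arm merely repeat `is_ksk = KSK(zone_keys[i]); is_zsk = !is_ksk;` from two lines earlier. The branch can be reduced to those two assignments plus the `both = dst_key_have_ksk_and_zsk(...)` call, with a comment like `/* Revoked keys keep their flagged role; 'both' only controls what sign_a_node lets them sign. */`. Note that `both` is now computed for revoked keys where the old code passed `false`, so a revoked KSK with no ZSK will sign ordinary RRsets through the relaxed `!is_zsk && both` test in sign_a_node; if that is not intended it needs a guard here. The replacement comment `We do KSK processing.` says nothing the code does not; the old one at least posed the question being answered. zone_sign starts and ends outside the hunk.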
@@ -9356,12 +9348,12 @@ zone_sign(dns_zone_t *zone) { continue; } - CHECK(sign_a_node( - db, zone, name, node, version, build_nsec3, - build_nsec, zone_keys[i], inception, expire, - zone_nsecttl(zone), is_ksk, is_zsk, - (both && keyset_kskonly), is_bottom_of_zone, - zonediff.diff, &signatures, zone->mctx)); + CHECK(sign_a_node(db, zone, name, node, version, + build_nsec3, build_nsec, zone_keys[i], + inception, expire, zone_nsecttl(zone), + both, is_ksk, is_zsk, + is_bottom_of_zone, zonediff.diff, + &signatures, zone->mctx)); /* * If we are adding we are done. Look for other keys * of the same algorithm if deleting. @@ -9449,8 +9441,7 @@ zone_sign(dns_zone_t *zone) { if (ISC_LIST_HEAD(post_diff.tuples) != NULL) { result = dns__zone_updatesigs(&post_diff, db, version, zone_keys, nkeys, zone, inception, - expire, 0, now, check_ksk, - keyset_kskonly, &zonediff); + expire, 0, now, &zonediff); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:dns__zone_updatesigs -> %s", @@ -9495,7 +9486,7 @@ zone_sign(dns_zone_t *zone) { */ result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa, zonediff.diff, zone_keys, nkeys, zone->mctx, - inception, soaexpire, check_ksk, keyset_kskonly); + inception, soaexpire); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s", isc_result_totext(result)); @@ -19587,8 +19578,7 @@ tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff, dst_key_t **keys, unsigned int nkeys, isc_stdtime_t inception, - isc_stdtime_t keyexpire, bool check_ksk, - bool keyset_kskonly) { + isc_stdtime_t keyexpire) { dns_difftuple_t *tuple; isc_result_t result; 
@@ -19613,8 +19603,7 @@ tickle_apex_rrset(dns_rdatatype_t rrtype, dns_zone_t *zone, dns_db_t *db, } result = add_sigs(db, ver, &zone->origin, zone, rrtype, zonediff->diff, keys, nkeys, zone->mctx, - inception, keyexpire, check_ksk, - keyset_kskonly); + inception, keyexpire); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "sign_apex:add_sigs -> %s", @@ -19631,7 +19620,6 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff) { isc_result_t result; isc_stdtime_t inception, soaexpire, keyexpire; - bool check_ksk, keyset_kskonly; dst_key_t *zone_keys[DNS_MAXZONEKEYS]; unsigned int nkeys = 0, i; @@ -19654,9 +19642,6 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, keyexpire += now; } - check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); - keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY); - /* * See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY * signature and if not cause them to sign so that newly activated 
@@ -19664,26 +19649,26 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, */ result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now, diff, zonediff, zone_keys, nkeys, inception, - keyexpire, check_ksk, keyset_kskonly); + keyexpire); if (result != ISC_R_SUCCESS) { goto failure; } result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff, zonediff, zone_keys, nkeys, inception, - keyexpire, check_ksk, keyset_kskonly); + keyexpire); if (result != ISC_R_SUCCESS) { goto failure; } result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now, diff, zonediff, zone_keys, nkeys, inception, - keyexpire, check_ksk, keyset_kskonly); + keyexpire); if (result != ISC_R_SUCCESS) { goto failure; } result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone, inception, soaexpire, keyexpire, now, - check_ksk, keyset_kskonly, zonediff); + zonediff); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, diff --git a/lib/dns/zone_p.h b/lib/dns/zone_p.h index 8eeeab4ee7..fcbd3711c2 100644 --- a/lib/dns/zone_p.h +++ b/lib/dns/zone_p.h @@ -39,8 +39,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone, isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t keyxpire, - isc_stdtime_t now, bool check_ksk, bool keyset_kskonly, - dns__zonediff_t *zonediff); + isc_stdtime_t now, dns__zonediff_t *zonediff); isc_result_t dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup, diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index b9e0942346..d703ec06a5 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c 
@@ -3402,24 +3402,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		}
 	}
 
-	obj = NULL;
-	res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
-	if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
-	    !signing)
-	{
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "dnssec-dnskey-kskonly: requires "
-			    "inline-signing when used in secondary "
-			    "zone");
-		result = ISC_R_FAILURE;
-	}
-	if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "dnssec-dnskey-kskonly: cannot be "
-			    "configured if dnssec-policy is also set");
-		result = ISC_R_FAILURE;
-	}
-
 	obj = NULL;
 	res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
 	if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
@@ -3432,24 +3414,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		result = ISC_R_FAILURE;
 	}
 
-	obj = NULL;
-	res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
-	if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
-	    !signing)
-	{
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "update-check-ksk: requires "
-			    "inline-signing when used in secondary "
-			    "zone");
-		result = ISC_R_FAILURE;
-	}
-	if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "update-check-ksk: cannot be configured "
-			    "if dnssec-policy is also set");
-		result = ISC_R_FAILURE;
-	}
-
 	obj = NULL;
 	res1 = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
 	if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index a6febf4023..b1be17a6d5 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2275,7 +2275,7 @@ static cfg_clausedef_t zone_clauses[] = {
 	{ "dialup", &cfg_type_dialuptype,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
 	{ "dnssec-dnskey-kskonly", &cfg_type_boolean,
-	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
 	{ "dnssec-loadkeys-interval", &cfg_type_uint32,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 	{ "dnssec-policy", &cfg_type_astring,
@@ -2365,7 +2365,7 @@ static cfg_clausedef_t zone_clauses[] = {
 	{ "try-tcp-refresh", &cfg_type_boolean,
 	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
 	{ "update-check-ksk", &cfg_type_boolean,
-	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
 	{ "use-alt-transfer-source", &cfg_type_boolean,
 	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
 		  CFG_CLAUSEFLAG_ANCIENT },
diff --git a/tests/dns/sigs_test.c b/tests/dns/sigs_test.c
index 88e4f7fb4e..d521757d87 100644
--- a/tests/dns/sigs_test.c
+++ b/tests/dns/sigs_test.c
@@ -244,7 +244,7 @@ updatesigs_test(const updatesigs_test_params_t *test, dns_zone_t *zone,
 	 */
 	result = dns__zone_updatesigs(&raw_diff, db, version, zone_keys, nkeys,
 				      zone, now - 3600, now + 3600, 0, now,
-				      true, false, &zonediff);
+				      &zonediff);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(ISC_LIST_EMPTY(raw_diff.tuples));
 	assert_false(ISC_LIST_EMPTY(zone_diff.tuples));
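Review bot: Flagging `dnssec-dnskey-kskonly` as `CFG_CLAUSEFLAG_OBSOLETE` here (and `update-check-ksk` in the next hunk) means an existing `update-check-ksk no;` or `dnssec-dnskey-kskonly yes;` is still accepted but no longer has any effect, so a zone whose KSK used to sign every RRset will, after an upgrade, be signed according to whatever fixed selection `dns__zone_updatesigs()`/`add_sigs()` now apply, with at most the generic obsolete-option warning pointing at the cause. The hunk itself is correct; the point is operator-facing: the configuration reference should state the fixed behaviour that replaces these two options, and because a change in which keys produce RRSIGs is visible to validators and to anyone auditing signatures, a release-notes entry naming both options and the new behaviour is worth adding if this commit does not already carry one. Dropping the `inline-signing`/`dnssec-policy` conflict checks for these options in the `check.c` hunks is consistent with that, since an obsolete clause no longer needs validation.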
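Review bot: The assertions after the updated `dns__zone_updatesigs()` call only check that the call succeeded, that `raw_diff` was consumed and that `zone_diff` is non-empty, so the KSK/ZSK selection that the removed `true, false` arguments used to make explicit is now exercised implicitly and never verified. Since that selection is no longer a parameter, this is the place to pin it: walk `zone_diff.tuples`, and for every RRSIG tuple assert that the signer's key tag (and its KSK flag) is the one expected for the covered type, so a regression in which keys sign DNSKEY versus the other apex RRsets is caught. If the rest of `updatesigs_test` outside this hunk already checks the RRSIG key tags, ignore this.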
