From 689ef89b67e6ce6f9ed2f6b9e839aa75d92e780a Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Fri, 28 Feb 2020 20:08:04 +0000
Subject: [PATCH 1/3] Fix dns_client_addtrustedkey(dns_rdatatype_dnskey)

Use a buffer that is big enough for DNSKEY records as well as DS records.
---
 lib/dns/client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/client.c b/lib/dns/client.c
index 0d8e951fa0..6a003e8d79 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -1519,7 +1519,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 dns_view_t *view = NULL;
 dns_keytable_t *secroots = NULL;
 dns_name_t *name = NULL;
- char dsbuf[DNS_DS_BUFFERSIZE];
+ char rdatabuf[DST_KEY_MAXSIZE];
 unsigned char digest[ISC_MAX_MD_SIZE];
 dns_rdata_ds_t ds;
 dns_decompress_t dctx;
@@ -1543,7 +1543,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 goto cleanup;
 }
 
- isc_buffer_init(&b, dsbuf, sizeof(dsbuf));
+ isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
 dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
 dns_rdata_init(&rdata);
 isc_buffer_setactive(databuf, isc_buffer_usedlength(databuf));

From a81ae32d8a981f13ce58d72c7d8b75aacc02225f Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 4 Mar 2020 08:54:03 -0800
Subject: [PATCH 2/3] add a system test to check that delv loads trust anchors correctly

---
 bin/tests/system/digdelv/clean.sh | 1 +
 bin/tests/system/digdelv/ns2/sign.sh | 11 +++---
 bin/tests/system/digdelv/tests.sh | 50 ++++++++++++++++++----------
 3 files changed, 41 insertions(+), 21 deletions(-)

diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh
index d8c360f620..10fc6d001a 100644
--- a/bin/tests/system/digdelv/clean.sh
+++ b/bin/tests/system/digdelv/clean.sh
@@ -23,3 +23,4 @@ rm -f ./dig.out.nn.*
 rm -f ./ns*/named.lock
 rm -f ./ns*/managed-keys.bind*
 rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata
+rm -f ./*/anchor.*
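Review bot: `char rdatabuf[DST_KEY_MAXSIZE];` on the new side has no comment saying why a key-size constant from dst is the right bound for a buffer that must now hold either DS or DNSKEY rdata, and the old name `dsbuf` at least recorded which type it was sized for. Suggest `/* must hold the wire form of either a DS or a DNSKEY rdata */` above the declaration; that also records the assumption that DST_KEY_MAXSIZE is at least DNS_DS_BUFFERSIZE, which the description implies but nothing in the hunk checks, and a static assertion to that effect would make the DS path regression-proof. The `isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf))` in the second hunk keeps the bound tied to the array, so an oversized record should presumably fail the later decode rather than overrun the stack; if that is the intended failure mode it is worth stating in the same comment. dns_client_addtrustedkey starts and ends outside these hunks.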
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
index 05f9232083..efc2b30a58 100644
--- a/bin/tests/system/digdelv/ns2/sign.sh
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -14,11 +14,14 @@ set -e
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "dnskey.example.")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
 cp example.db.in example.db
-cat "$keyname.key" >> example.db
+"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
-keyfile_to_key_id "$keyname" > keyid
-< "$keyname.key" grep -Ev '^;' | cut -f 7- -d ' ' > keydata
+keyfile_to_key_id "$ksk" > keyid
+grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
+
+keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
+keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index ff786f44b7..99578a9cb8 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -117,7 +117,7 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY dnskey.example > dig.out.test$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1
 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
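Review bot: The new `"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1` line discards the signer's stderr, so when signing fails under the `set -e` shown in the hunk header the script aborts with no diagnostic and the later delv anchor tests fail for a reason that is hard to trace; keeping stderr, `"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null`, or sending it to a log file costs nothing. The retained `cp example.db.in example.db` now appears redundant, since the signer writes example.db from example.db.in via `-f`; if it is still needed for another reason a one-line comment would say so. The key is assigned to `ksk` but is generated without a KSK flag, `-z` makes the signer ignore that flag anyway, and the tests in this series expect the `; ZSK;` comment for it, so the name is presumably only a label; `key` or a short comment would avoid the mismatch.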
@@ -135,7 +135,7 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig +rrcomments works for DNSKEY($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1
 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -144,7 +144,7 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -152,7 +152,7 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig +short +nosplit works($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1
 grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -160,7 +160,7 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig +short +rrcomments works($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
 grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -168,10 +168,10 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig multi flag is local($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +nomulti dnskey.example +nomulti > dig.out.nn.$n || ret=1
- dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +multi dnskey.example +nomulti > dig.out.mn.$n || ret=1
- dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +nomulti dnskey.example +multi > dig.out.nm.$n || ret=1
- dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +multi dnskey.example +multi > dig.out.mm.$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti > dig.out.nn.$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1
 lcnn=$(wc -l < dig.out.nn.$n)
 lcmn=$(wc -l < dig.out.mn.$n)
 lcnm=$(wc -l < dig.out.nm.$n)
@@ -199,7 +199,7 @@ if [ -x "$DIG" ] ; then
 n=$((n+1))
 echo_i "checking dig +short +rrcomments works($n)"
 ret=0
- dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+ dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
 grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -795,7 +795,7 @@ if [ -x "$MDIG" ] ; then
 n=$((n+1))
 echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
 ret=0
- mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY dnskey.example > dig.out.test$n || ret=1
+ mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -917,7 +917,7 @@ if [ -x "$DELV" ] ; then
 n=$((n+1))
 echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
 ret=0
- delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+ delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1
 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -935,7 +935,7 @@ if [ -x "$DELV" ] ; then
 n=$((n+1))
 echo_i "checking delv +rrcomments works for DNSKEY($n)"
 ret=0
- delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+ delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1
 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -944,7 +944,7 @@ if [ -x "$DELV" ] ; then
 n=$((n+1))
 echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
 ret=0
- delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+ delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1
 grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -952,7 +952,7 @@ if [ -x "$DELV" ] ; then
 n=$((n+1))
 echo_i "checking delv +short +rrcomments works ($n)"
 ret=0
- delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+ delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1
 grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -960,7 +960,7 @@ if [ -x "$DELV" ] ; then
 n=$((n+1))
 echo_i "checking delv +short +nosplit works ($n)"
 ret=0
- delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
+ delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > delv.out.test$n || ret=1
 grep -q "$NOSPLIT" < delv.out.test$n || ret=1
 test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
 test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1
@@ -970,7 +970,7 @@ if [ -x "$DELV" ] ; then
 n=$((n+1))
 echo_i "checking delv +short +nosplit +norrcomments works ($n)"
 ret=0
- delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+ delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example > delv.out.test$n || ret=1
 grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1
 test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
 test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || ret=1
@@ -1042,6 +1042,22 @@ if [ -x "$DELV" ] ; then
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+ n=$((n+1))
+ echo_i "check that delv loads key-style trust anchors ($n)"
+ ret=0
+ delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1
+ grep "fully validated" delv.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check that delv loads DS-style trust anchors ($n)"
+ ret=0
+ delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1
+ grep "fully validated" delv.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
 if [ $HAS_PYYAML -ne 0 ] ; then
 n=$((n+1))
 echo_i "check delv +yaml output ($n)"

From d805fe821e29cd7914f5641eb564cb071b292911 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 4 Mar 2020 08:54:53 -0800
Subject: [PATCH 3/3] CHANGES

---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 5e06da59b4..4eff344d67 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5360. [bug] delv could fail to load trust anchors in DNSKEY
+ format. [GL #1647]
+
 5359. [func] "rndc nta -d" and "rndc secroots" now include "validate-except" entries when listing negative trust anchors. These are indicated by the keyword
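Review bot: Both new checks pass on nothing more than `grep "fully validated"`, which shows that delv validated something but not that it validated with the anchor it was handed; since other tests in this file already match the DNSKEY comment, adding `grep "key id = $KEYID" delv.out.test$n > /dev/null || ret=1` after each existing grep would tie the validated answer to the key that ns2/sign.sh generated. A negative control, an anchor file for a key that did not sign the zone and an expectation that "fully validated" does not appear, would make the check stronger still, because a delv that reported validation without consulting `-a` would currently pass both tests. With `2>&1` the grep also runs over delv's stderr, which is fine for this pattern but worth keeping in mind if the match is tightened. The enclosing `if [ -x "$DELV" ]` block starts and ends outside the hunk.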