Force set DS state after 'rndc dnssec -checkds'

Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similarly, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.

(cherry picked from commit ee42f66fbe)
Matthijs Mekking 2023-01-25 16:36:48 +01:00
parent 699d185176
commit 68f0fc6309
2 changed files with 22 additions and 4 deletions


@ -550,15 +550,23 @@ _wait_for_metadata() {
n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
# DS State should be forced into RUMOURED.
set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
# DS State should be forced into UNRETENTIVE.
set_keystate "KEY1" "STATE_DS" "unretentive"
check_keys
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
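Review bot: The added checks only exercise the forced transitions from the states the test happens to be in (the DS starts out hidden before the publish check, and is rumoured before the withdraw check), while the commit message names OMNIPRESENT and UNRETENTIVE as the states the force is meant to override; neither of those starting states is set up here, so a regression that only forces from HIDDEN/RUMOURED would pass. Adding a case that first puts `STATE_DS` into omnipresent (via the existing `set_keystate` helper and a key re-read, if the harness supports it) before the withdraw `rndc_checkds` would cover the motivating scenario. The enclosing test function starts and ends outside this hunk, so whether `ret` is reset before `check_keys` cannot be confirmed from here.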


@ -2276,9 +2276,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
}
if (dspublish) {
dst_key_state_t s;
dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
if (result != ISC_R_SUCCESS || s != RUMOURED) {
dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);
}
} else {
dst_key_state_t s;
dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
if (result != ISC_R_SUCCESS || s != UNRETENTIVE) {
dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE);
}
}
if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) {
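Review bot: `result` is overwritten by the `dst_key_getstate()` calls on L56 and L63, so when the lookup does not succeed (for instance when no DS state has been recorded yet) its non-success code survives past the forced `dst_key_setstate()` and, if `result` is what keymgr_checkds eventually returns (its return is outside this hunk), the caller is told the operation failed although the state was set. Since the intent of the change is to force the state regardless of its current value, the lookup only saves a no-op write; replace the three-line getstate/compare block in each branch with an unconditional `dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);` (and `UNRETENTIVE` in the else branch), which also drops the `s` local and leaves `result` untouched. The same point applies to both arms of the `if (dspublish)` on L53. keymgr_checkds starts and ends outside this hunk.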