From 68f0fc63098199a2c1afa7f36429d7b277eb474d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 25 Jan 2023 16:36:48 +0100
Subject: [PATCH] Force set DS state after 'rndc dnssec -checkds'

Set the DS state after issuing 'rndc dnssec -checkds'. If the DS was published, it should go in RUMOURED state, regardless whether it is already safe to do so according to the state machine. Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN) would also allow for easy shoot in the foot situations.

(cherry picked from commit ee42f66fbe386b07595a2ea445117b1f44d37497)
---
 bin/tests/system/kasp/tests.sh | 16 ++++++++++++----
 lib/dns/keymgr.c | 10 ++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 12b77cf071..2be9284cab 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -550,15 +550,23 @@ _wait_for_metadata() {
 n=$((n+1))
 echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
-rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
-retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
+# DS State should be forced into RUMOURED.
+set_keystate "KEY1" "STATE_DS" "rumoured"
+check_keys
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

 n=$((n+1))
 echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
-rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
-retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+now=$(date +%Y%m%d%H%M%S)
+rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
+retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
+# DS State should be forced into UNRETENTIVE.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+check_keys
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 6457d97c4e..189931f7b2 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -2276,9 +2276,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
 	}

 	if (dspublish) {
+		dst_key_state_t s;
 		dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
+		result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+		if (result != ISC_R_SUCCESS || s != RUMOURED) {
+			dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);
+		}
 	} else {
+		dst_key_state_t s;
 		dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
+		result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
+		if (result != ISC_R_SUCCESS || s != UNRETENTIVE) {
+			dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE);
+		}
 	}

 	if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) {
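Review bot: The new `result = dst_key_getstate(...)` assignments in both branches overwrite the function-level `result`, and a failed lookup (no DS state recorded yet) is exactly the case the code deliberately tolerates by forcing the state; if any later path in keymgr_checkds returns `result` without reassigning it, that tolerated condition would surface to the caller as an error. A branch-local `isc_result_t` (or discarding the return and testing only whether `s` was set) keeps the forced transition from leaking into the function's outcome, `isc_result_t r = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);` / `if (r != ISC_R_SUCCESS || s != RUMOURED) {`. The forced transition also deserves a comment in the code, since it intentionally bypasses the key state machine: `/* Operator asserted the DS is in the parent: force RUMOURED so a stale HIDDEN/OMNIPRESENT/UNRETENTIVE state cannot mislead later rollover decisions. */` with the UNRETENTIVE counterpart in the else branch. The two branches differ only in the time type and target state, so a small static helper taking the state would keep them from drifting apart. keymgr_checkds begins and ends outside this hunk, so where `result` is finally used cannot be seen here.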