diff --git a/CHANGES b/CHANGES index d9767531c9..f665c937c1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'. + [GL #4032] + 6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API support is not configured. [GL #4225] diff --git a/bin/named/config.c b/bin/named/config.c index b2b802806b..7f318a206e 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -319,6 +319,7 @@ dnssec-policy \"default\" {\n\ };\n\ \n\ dnssec-policy \"insecure\" {\n\ + max-zone-ttl 0; \n\ keys { };\n\ };\n\ \n\ diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index e4d73ebcd9..44c2242bdf 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1511,7 +1511,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, } if (use_kasp) { - maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone)); + maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false); } else { obj = NULL; result = named_config_get(maps, "max-zone-ttl", &obj); diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index add787ad93..86014c6b92 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -40,6 +40,10 @@ Bug Fixes flushed. This has been fixed to not process queued already received queries over TCP while the server is in the "exclusive" mode. :gl:`#4200` +- Ignore :any:`max-zone-ttl` for :any:`dnssec-policy` "insecure", + otherwise some zones will not be loaded if they use a TTL value larger + than 86400. :gl:`#4032`. + Known Issues ~~~~~~~~~~~~ diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index b429494ca3..4f560a037f 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h 
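Review bot: The line added to the built-in configuration string in bin/named/config.c, `max-zone-ttl 0; \n\`, carries a trailing space before the `\n`, unlike the neighbouring lines of that string; `max-zone-ttl 0;\n\` keeps it consistent. The value 0 is what the kasp.h hunk documents as "unlimited", so this is the mechanism by which the "insecure" policy stops capping TTLs. The default configuration string continues outside the hunk.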
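Review bot: The literal `false` in the new `maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone), false);` in bin/named/zoneconf.c is unexplained at the call site, and with the built-in "insecure" policy now setting `max-zone-ttl 0` it makes `maxttl` 0 here; whether the code that consumes `maxttl` treats 0 as "no limit" is outside the hunk and should be confirmed. A comment such as `/* No fallback: 0 means unlimited (e.g. the built-in "insecure" policy); only keymgr's rollover timings need a default. */` would make the contrast with the `true` callers in lib/dns/keymgr.c explicit. named_zone_configure continues outside the hunk.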
@@ -382,9 +382,11 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
  */
 
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback);
 /*%<
- * Get maximum zone TTL.
+ * Get maximum zone TTL. If 'fallback' is true, return a default maximum TTL
+ * if the maximum zone TTL is set to unlimited (value 0). Fallback should be
+ * used if determining key rollover timings in keymgr.c
  *
  * Requires:
  *
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index cdc70fd2d9..0cbd0cdc69 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -27,6 +27,9 @@
 #include
 #include
 
+/* Default TTLsig (maximum zone ttl) */
+#define DEFAULT_TTLSIG 86400
+
 isc_result_t
 dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	dns_kasp_t *kasp;
@@ -237,10 +240,13 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
 }
 
 dns_ttl_t
-dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
+dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback) {
 	REQUIRE(DNS_KASP_VALID(kasp));
 	REQUIRE(kasp->frozen);
 
+	if (kasp->zone_max_ttl == 0 && fallback) {
+		return (DEFAULT_TTLSIG);
+	}
 	return (kasp->zone_max_ttl);
 }
 
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 02975fefb0..106b376ef0 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -132,11 +132,11 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 	ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
 	if (ret == ISC_R_SUCCESS && zsk) {
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 		/* ZSK: Iret = Dsgn + Dprp + TTLsig */
-		zsk_remove = retire + dns_kasp_zonemaxttl(kasp) +
-			     dns_kasp_zonepropagationdelay(kasp) +
-			     dns_kasp_retiresafety(kasp) +
-			     dns_kasp_signdelay(kasp);
+		zsk_remove =
+			retire + ttlsig + dns_kasp_zonepropagationdelay(kasp) +
+			dns_kasp_retiresafety(kasp) + dns_kasp_signdelay(kasp);
 	}
 	ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
 	if (ret == ISC_R_SUCCESS && ksk) {
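Review bot: The new sentence in the `dns_kasp_zonemaxttl` header comment, `Fallback should be used if determining key rollover timings in keymgr.c`, reads as a fragment and does not say what the default is, although callers of the header need that to reason about timings for an unlimited policy. I'd write ` * used when determining key rollover timings (as keymgr.c does); the default is one day (86400 seconds).`, which matches the value kasp.c returns. Stating the value in the header spares readers a trip into kasp.c.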
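Review bot: `DEFAULT_TTLSIG` encodes a silent assumption: for a policy whose `max-zone-ttl` is 0, the key manager's intervals (for example `Iret = Dsgn + Dprp + TTLsig` in the keymgr.c hunk below) are computed from 86400 seconds rather than from anything the zone actually contains, so if a signed zone under such a policy carries TTLs above one day those intervals would, as far as I can tell from these hunks, come out too short. The comment `/* Default TTLsig (maximum zone ttl) */` should say so, e.g. `/* TTLsig assumed by the key manager when a policy sets max-zone-ttl 0 (unlimited); rollover timings derived from it are only adequate if the zone's real TTLs stay at or below this value. */`, and the same caveat belongs on the `fallback` branch added to `dns_kasp_zonemaxttl` in the next hunk. Whether anything elsewhere rejects larger TTLs for signed zones under an unlimited policy is not visible here.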
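Review bot: In `keymgr_settime_remove` the new local `dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);` is inserted between the `if` and the `/* ZSK: Iret = Dsgn + Dprp + TTLsig */` comment, so the comment no longer sits directly above the expression it describes. Either move the declaration below the comment, or fold the new behaviour into it: `/* ZSK: Iret = Dsgn + Dprp + TTLsig (TTLsig falls back to the kasp default when max-zone-ttl is unlimited) */`. The -179 hunk on the next line keeps the comment-then-declaration order, which reads better.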
@@ -179,7 +179,8 @@ keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
 	if (first) {
 		/* Also need to wait until the signatures are omnipresent. */
 		isc_stdtime_t zrrsig_present;
-		zrrsig_present = published + dns_kasp_zonemaxttl(kasp) +
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+		zrrsig_present = published + ttlsig +
 				 dns_kasp_zonepropagationdelay(kasp) +
 				 dns_kasp_publishsafety(kasp);
 		if (zrrsig_present > syncpublish) {
@@ -260,7 +261,9 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 			 * No predecessor, wait for zone to be
 			 * completely signed.
 			 */
-			syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
+			dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
+							       true);
+			syncpub2 = pub + ttlsig +
 				   dns_kasp_publishsafety(kasp) +
 				   dns_kasp_zonepropagationdelay(kasp);
 		}
@@ -1240,6 +1243,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 		       isc_stdtime_t now, isc_stdtime_t *when) {
 	isc_result_t ret;
 	isc_stdtime_t lastchange, dstime, nexttime = now;
+	dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
 
 	/*
 	 * No need to wait if we move things into an uncertain state.
@@ -1312,7 +1316,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
 	 *
 	 * We will also add the retire-safety interval.
 	 */
-	nexttime = lastchange + dns_kasp_zonemaxttl(kasp) +
+	nexttime = lastchange + ttlsig +
 		   dns_kasp_zonepropagationdelay(kasp) +
 		   dns_kasp_retiresafety(kasp);
 	/*
@@ -1585,9 +1589,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
 	/* Get time metadata. */
 	ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
 	if (active <= now && ret == ISC_R_SUCCESS) {
-		dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
-		zone_ttl += dns_kasp_zonepropagationdelay(kasp);
-		if ((active + zone_ttl) <= now) {
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+		ttlsig += dns_kasp_zonepropagationdelay(kasp);
+		if ((active + ttlsig) <= now) {
 			zrrsig_state = OMNIPRESENT;
 		} else {
 			zrrsig_state = RUMOURED;
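Review bot: In the `keymgr_key_init` hunk at -1585 the local `ttlsig` is immediately reassigned by `ttlsig += dns_kasp_zonepropagationdelay(kasp);`, after which its name no longer describes its value (the old `zone_ttl` had the same problem, so this is a missed chance rather than a regression). Dropping the `+=` and writing the comparison as `if ((active + ttlsig + dns_kasp_zonepropagationdelay(kasp)) <= now) {`, or naming the sum something like `omnipresent_delay`, keeps the signature TTL and the propagation delay distinct; the -1618 hunk for `retire` on the following line has the identical pattern. keymgr_key_init continues outside both hunks.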
@@ -1618,9 +1622,9 @@ keymgr_key_init(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now,
 	}
 	ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
 	if (retire <= now && ret == ISC_R_SUCCESS) {
-		dns_ttl_t zone_ttl = dns_kasp_zonemaxttl(kasp);
-		zone_ttl += dns_kasp_zonepropagationdelay(kasp);
-		if ((retire + zone_ttl) <= now) {
+		dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
+		ttlsig += dns_kasp_zonepropagationdelay(kasp);
+		if ((retire + ttlsig) <= now) {
 			zrrsig_state = HIDDEN;
 		} else {
 			zrrsig_state = UNRETENTIVE;