Do not check SEP bit for mirror zone trust anchors

When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false.  This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor.  This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.

bin/tests/system/mirror/ns2/named.conf.in

@@ -55,6 +55,11 @@ zone "verify-axfr" {
 	file "verify-axfr.db.signed";
 };
 
+zone "verify-csk" {
+	type master;
+	file "verify-csk.db.signed";
+};
+
 zone "verify-ixfr" {
 	type master;
 	file "verify-ixfr.db.signed";

bin/tests/system/mirror/ns2/sign.sh

@@ -32,6 +32,18 @@ done
 # the "root" zone on ns1.
 keys_to_trust="$keys_to_trust $keyname1"
 
+# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
+# set and add that key to the list of keys to trust.
+zone=verify-csk
+infile=verify.db.in
+zonefile=verify-csk.db
+
+keyname=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
+cat $infile $keyname.key > $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+keys_to_trust="$keys_to_trust $keyname"
+
+# Prepare remaining zones used in the test.
 ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
 UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
 UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`

bin/tests/system/mirror/ns3/named.conf.in

@@ -56,6 +56,12 @@ zone "verify-axfr" {
 	file "verify-axfr.db.mirror";
 };
 
+zone "verify-csk" {
+	type mirror;
+	masters { 10.53.0.2; };
+	file "verify-csk.db.mirror";
+};
+
 zone "verify-ixfr" {
 	type mirror;
 	masters { 10.53.0.2; };

bin/tests/system/mirror/tests.sh

@@ -92,11 +92,23 @@ wait_for_transfer verify-untrusted
 $DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
 grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
 grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted KSK DNSKEY found" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
 nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_transfer verify-csk
+$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
 ret=0

lib/dns/zone.c

@@ -19816,7 +19816,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
 
 	origin = dns_db_origin(db);
 	result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
-				       zone->mctx, false, false);
+				       zone->mctx, true, false);
 
  done:
 	if (secroots != NULL) {