Treat records below a DNAME as out-of-zone data

DNAME records indicate bottom of zone and thus no records below a DNAME should be DNSSEC-signed or included in NSEC(3) chains. Add a helper function, has_dname(), for detecting DNAME records at a given node. Prevent signing DNAME-obscured records. Check that DNAME-obscured records are not signed.
2026-04-22 14:49:20 -04:00 · 2018-06-13 12:19:54 +02:00 · 2018-06-13 12:19:54 +02:00 · 75c0d85fc4
commit 75c0d85fc4
parent cf9fd889a6
5 changed files with 77 additions and 4 deletions
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@ -1491,8 +1491,13 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 					if (!OPTOUT(nsec3flags) ||
 					    secure(name, node))
 						found = ISC_TRUE;
-				} else
+				} else if (has_dname(gdb, gversion, node)) {
+					zonecut = dns_fixedname_initname(&fzonecut);
+					dns_name_copy(name, zonecut, NULL);
 					found = ISC_TRUE;
+				} else {
+					found = ISC_TRUE;
+				}
 			}
 		}

@ -1798,6 +1803,9 @@ nsecify(void) {
 			remove_sigs(node, ISC_TRUE, 0);
 			if (generateds)
 				add_ds(name, node, nsttl);
+		} else if (has_dname(gdb, gversion, node)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
 		}

 		result = dns_dbiterator_next(dbiter);
@ -2238,6 +2246,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 			(void)active_node(node);
 		}

+		if (has_dname(gdb, gversion, node)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
+		}
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
@ -2272,6 +2285,9 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 					result = dns_dbiterator_next(dbiter);
 					continue;
 				}
+			} else if (has_dname(gdb, gversion, nextnode)) {
+				zonecut = dns_fixedname_name(&fzonecut);
+				dns_name_copy(nextname, zonecut, NULL);
 			}
 			dns_db_detachnode(gdb, &nextnode);
 			break;
@ -2370,6 +2386,12 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 			dns_db_detachnode(gdb, &node);
 			continue;
 		}
+
+		if (has_dname(gdb, gversion, node)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
+		}
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
@ -2400,6 +2422,9 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
 					result = dns_dbiterator_next(dbiter);
 					continue;
 				}
+			} else if (has_dname(gdb, gversion, nextnode)) {
+				zonecut = dns_fixedname_name(&fzonecut);
+				dns_name_copy(nextname, zonecut, NULL);
 			}
 			dns_db_detachnode(gdb, &nextnode);
 			break;
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@ -525,6 +525,21 @@ is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }

+isc_boolean_t
+has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
+	dns_rdataset_t dnameset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dnameset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
+				     &dnameset, NULL);
+	if (dns_rdataset_isassociated(&dnameset)) {
+		dns_rdataset_disassociate(&dnameset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
 static isc_boolean_t
 goodsig(dns_name_t *origin, dns_rdata_t *sigrdata, dns_name_t *name,
 	dns_rdataset_t *keyrdataset, dns_rdataset_t *rdataset, isc_mem_t *mctx)
@ -1678,6 +1693,9 @@ verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
 			isdelegation = ISC_TRUE;
+		} else if (has_dname(db, ver, node)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
 		}
 		nextnode = NULL;
 		result = dns_dbiterator_next(dbiter);
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@ -84,6 +84,13 @@ isc_boolean_t
 is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 		      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);

+/*%
+ * Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
+ * 'node'; return ISC_FALSE otherwise.
+ */
+isc_boolean_t
+has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
+
 void
 verifyzone(dns_db_t *db, dns_dbversion_t *ver,
 		   dns_name_t *origin, isc_mem_t *mctx,
--- a/bin/tests/system/verify/tests.sh
+++ b/bin/tests/system/verify/tests.sh
@ -58,7 +58,7 @@ do
 		expect1="signature has expired"
 		expect2="No self-signed .*DNSKEY found"
 		;;
-	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec)
+	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec)
 		expect1="unexpected NSEC RRset at"
 		;;
 	*.nsec.broken-chain)
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@ -42,6 +42,13 @@ $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
 $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

+setup ksk+zsk.nsec.apex-dname good
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cp unsigned.db ${file}.tmp
+echo "@ DNAME data" >> ${file}.tmp
+$SIGNER -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
+
 # A set of nsec3 zones.
 setup zsk-only.nsec3 good
 $KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
@ -56,11 +63,18 @@ $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
 $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

-setup ksk+zsk.outout good
+setup ksk+zsk.optout good
 $KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
 $KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n

+setup ksk+zsk.nsec3.apex-dname good
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cp unsigned.db ${file}.tmp
+echo "@ DNAME data" >> ${file}.tmp
+$SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
+
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
 key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
@ -151,7 +165,7 @@ $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s
 echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
 $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n

-# extra NSEC record below bottom of one
+# extra NSEC record below bottom of zone
 setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
 zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
 ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
@ -162,6 +176,15 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file}.tmp ${file} $zsk > s.out$
 # dnssec-signzone signs any node with a NSEC record.
 awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${file}.tmp > ${file}

+# extra NSEC record below DNAME
+setup ksk+zsk.nsec.below-dname-nsec bad
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cat unsigned.db $ksk.key $zsk.key > $file
+$SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
+echo "sub.dname.${zone}. 3600 IN NSEC ${zone}. TXT" >> ${file}
+$SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
+
 # missing NSEC3 record at empty node
 # extract the hash fields from the empty node's NSEC 3 record then fix up
 # the NSEC3 chain to remove it