upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '3381-dnssec-policy-explicit-inline-signing-v9_18' into 'v9_18'

Browse source 
[v9_18] dnssec-policy now requires inline-signing

See merge request isc-projects/bind9!6729
This commit is contained in:
Matthijs Mekking 2022-09-06 08:48:46 +00:00
commit 7be0594be9
29 changed files with 196 additions and 120 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -34,6 +34,9 @@
5942. [bug] Fix tkey.c:buildquery() function's error handling by
adding the missing cleanup code. [GL #3492]
5941. [func] Zones with dnssec-policy now require dynamic DNS or
inline-siging to be configured explicitly. [GL #3381]
5938. [bug] An integer type overflow could cause an assertion
failure when freeing memory. [GL #3483]

10
bin/named/include/named/zoneconf.h
View file

@ -44,9 +44,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
bool
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
cfg_aclconfctx_t *actx);
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
/*%<
* If 'zone' can be safely reconfigured according to the configuration
* data in 'zconfig', return true. If the configuration data is so
@ -55,12 +53,10 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
*/
bool
named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
cfg_aclconfctx_t *actx);
named_zone_inlinesigning(const cfg_obj_t *zconfig);
/*%<
* Determine if zone uses inline-signing. This is true if inline-signing
* is set to yes, or if there is a dnssec-policy on a non-dynamic zone.
* is set to yes.
*/
isc_result_t

7
bin/named/server.c
View file

@ -6770,9 +6770,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
goto cleanup;
}
if (zone != NULL &&
!named_zone_reusable(zone, zconfig, vconfig, config, aclconf))
{
if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
dns_zone_detach(&zone);
}
@ -6854,8 +6852,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
strcasecmp(ztypestr, "slave") == 0));
if (zone_maybe_inline) {
inline_signing = named_zone_inlinesigning(
zone, zconfig, vconfig, config, aclconf);
inline_signing = named_zone_inlinesigning(zconfig);
}
if (inline_signing) {
dns_zone_getraw(zone, &raw);

82
bin/named/zoneconf.c
View file

@ -2049,9 +2049,7 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
}
bool
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
cfg_aclconfctx_t *actx) {
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *obj = NULL;
const char *cfilename;
@ -2085,8 +2083,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
has_raw = false;
}
inline_signing = named_zone_inlinesigning(zone, zconfig, vconfig,
config, actx);
inline_signing = named_zone_inlinesigning(zconfig);
if (!inline_signing && has_raw) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"not reusable: old zone was inline-signing");
@ -2123,88 +2120,15 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
}
bool
named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
cfg_aclconfctx_t *actx) {
isc_result_t res;
named_zone_inlinesigning(const cfg_obj_t *zconfig) {
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
const cfg_obj_t *signing = NULL;
const cfg_obj_t *allowupdate = NULL;
const cfg_obj_t *updatepolicy = NULL;
bool zone_is_dynamic = false;
bool inline_signing = false;
bool dnssec_policy = false;
(void)cfg_map_get(config, "options", &options);
zoptions = cfg_tuple_get(zconfig, "options");
if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
}
inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
ISC_R_SUCCESS &&
cfg_obj_asboolean(signing));
if (inline_signing) {
return (true);
}
if (cfg_map_get(zoptions, "update-policy", &updatepolicy) ==
ISC_R_SUCCESS) {
zone_is_dynamic = true;
} else {
res = cfg_map_get(zoptions, "allow-update", &allowupdate);
if (res != ISC_R_SUCCESS && voptions != NULL) {
res = cfg_map_get(voptions, "allow-update",
&allowupdate);
}
if (res != ISC_R_SUCCESS && options != NULL) {
res = cfg_map_get(options, "allow-update",
&allowupdate);
}
if (res == ISC_R_SUCCESS) {
dns_acl_t *acl = NULL;
res = cfg_acl_fromconfig(
allowupdate, config, named_g_lctx, actx,
dns_zone_getmctx(zone), 0, &acl);
if (res == ISC_R_SUCCESS && acl != NULL &&
!dns_acl_isnone(acl)) {
zone_is_dynamic = true;
}
if (acl != NULL) {
dns_acl_detach(&acl);
}
}
}
/*
* If inline-signing is not set, perhaps implictly through a
* dnssec-policy. Since automated DNSSEC maintenance requires
* a dynamic zone, or inline-siging to be enabled, check if
* the zone with dnssec-policy allows updates. If not, enable
* inline-signing.
*/
signing = NULL;
res = cfg_map_get(zoptions, "dnssec-policy", &signing);
if (res != ISC_R_SUCCESS && voptions != NULL) {
res = cfg_map_get(voptions, "dnssec-policy", &signing);
}
if (res != ISC_R_SUCCESS && options != NULL) {
res = cfg_map_get(options, "dnssec-policy", &signing);
}
if (res == ISC_R_SUCCESS) {
dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") !=
0);
}
if (!inline_signing && !zone_is_dynamic && dnssec_policy) {
inline_signing = true;
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"inline-signing: "
"implicitly through dnssec-policy");
}
return (inline_signing);
}

5
bin/tests/system/checkconf/good-kasp.conf
View file

@ -40,15 +40,20 @@ options {
zone "example1" {
type primary;
file "example1.db";
inline-signing yes;
};
zone "example2" {
type primary;
file "example2.db";
allow-update {
"any";
};
dnssec-policy "test";
};
zone "example3" {
type primary;
file "example3.db";
inline-signing yes;
dnssec-policy "default";
};
zone "dnssec-policy-none-shared-zonefile1" {

3
bin/tests/system/checkconf/good-key-directory.conf
View file

@ -46,6 +46,7 @@ view "localhost" {
type primary;
file "localhost/example.com.zone";
dnssec-policy "localhost";
inline-signing yes;
};
};
@ -56,6 +57,7 @@ view "external" {
type primary;
file "external/example.com.zone";
dnssec-policy "internet";
inline-signing yes;
};
};
@ -66,5 +68,6 @@ view "internal" {
type primary;
file "internal/example.com.zone";
dnssec-policy "intranet";
inline-signing yes;
};
};

13
bin/tests/system/checkconf/good.conf
View file

@ -106,6 +106,7 @@ view "first" {
zone "clone" {
type primary;
file "yyy";
inline-signing yes;
max-ixfr-ratio unlimited;
};
dnssec-validation auto;
@ -169,9 +170,12 @@ view "third" {
zone "p" {
type primary;
file "pfile";
inline-signing yes;
};
zone "s" {
type secondary;
file "sfile";
inline-signing yes;
primaries {
1.2.3.4;
};
@ -182,6 +186,7 @@ view "fourth" {
zone "dnssec-test" {
type primary;
file "dnssec-test.db";
inline-signing yes;
parental-agents {
1.2.3.4;
1.2.3.5;
@ -192,6 +197,7 @@ view "fourth" {
zone "dnssec-default" {
type primary;
file "dnssec-default.db";
inline-signing yes;
parental-agents {
"parents";
};
@ -200,6 +206,7 @@ view "fourth" {
zone "dnssec-inherit" {
type primary;
file "dnssec-inherit.db";
inline-signing yes;
};
zone "dnssec-none" {
type primary;
@ -209,11 +216,13 @@ view "fourth" {
zone "dnssec-view1" {
type primary;
file "dnssec-view41.db";
inline-signing yes;
dnssec-policy "test";
};
zone "dnssec-view2" {
type primary;
file "dnssec-view42.db";
inline-signing yes;
};
zone "dnssec-view3" {
type primary;
@ -233,17 +242,20 @@ view "fifth" {
zone "dnssec-view1" {
type primary;
file "dnssec-view51.db";
inline-signing yes;
dnssec-policy "test";
};
zone "dnssec-view2" {
type primary;
file "dnssec-view52.db";
inline-signing yes;
dnssec-policy "test";
key-directory "keys";
};
zone "dnssec-view3" {
type primary;
file "dnssec-view53.db";
inline-signing yes;
dnssec-policy "default";
key-directory "keys";
};
@ -258,6 +270,7 @@ view "chaos" chaos {
zone "hostname.bind" chaos {
type primary;
database "_builtin hostname";
inline-signing yes;
};
};
dyndb "name" "library.so" {

1
bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
View file

@ -26,4 +26,3 @@ zone "nsec3.net" {
sig-validity-interval 3600;
update-check-ksk yes;
};

1
bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
View file

@ -57,4 +57,5 @@ zone "example.net" {
type primary;
file "example.db";
dnssec-policy "default";
inline-signing yes;
};

2
bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf
View file

@ -34,11 +34,13 @@ dnssec-policy "bad-sigrefresh-dnskey" {
zone "sigrefresh.example.net" {
type primary;
file "sigrefresh.example.db";
inline-signing yes;
dnssec-policy "bad-sigrefresh";
};
zone "dnskey.example.net" {
type primary;
file "dnskey.example.db";
inline-signing yes;
dnssec-policy "bad-sigrefresh-dnskey";
};

1
bin/tests/system/checkconf/kasp-ignore-keylen.conf
View file

@ -22,5 +22,6 @@ zone "example.net" {
type primary;
file "example.db";
dnssec-policy "warn-length";
inline-signing yes;
};

3
bin/tests/system/checkconf/kasp-warning.conf
View file

@ -42,18 +42,21 @@ dnssec-policy "warn3" {
zone "warn1.example.net" {
type primary;
file "warn1.example.db";
inline-signing yes;
dnssec-policy "warn1";
};
zone "warn2.example.net" {
type primary;
file "warn2.example.db";
inline-signing yes;
dnssec-policy "warn2";
};
zone "warn3.example.net" {
type primary;
file "warn3.example.db";
inline-signing yes;
dnssec-policy "warn3";
};

2
bin/tests/system/checkconf/tests.sh
View file

@ -491,7 +491,7 @@ n=`expr $n + 1`
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on a non-dynamic DNS zone" < checkconf.out$n > /dev/null || ret=1
grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1

1
bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
View file

@ -22,5 +22,6 @@ options {
zone "example.net" {
type primary;
file "example.db";
inline-signing yes;
max-zone-ttl 600;
};

13
bin/tests/system/checkds/ns9/named.conf.in
View file

@ -49,6 +49,7 @@ zone "." {
zone "dspublished.checkds" {
type primary;
file "dspublished.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents { 10.53.0.2 port @PORT@; };
};
@ -60,6 +61,7 @@ zone "dspublished.checkds" {
zone "reference.checkds" {
type primary;
file "reference.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents { "ns2"; };
};
@ -71,6 +73,7 @@ zone "reference.checkds" {
zone "missing-dspublished.checkds" {
type primary;
file "missing-dspublished.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.5 port @PORT@; // missing
@ -85,6 +88,7 @@ zone "missing-dspublished.checkds" {
zone "bad-dspublished.checkds" {
type primary;
file "bad-dspublished.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.6 port @PORT@; // bad
@ -98,6 +102,7 @@ zone "bad-dspublished.checkds" {
zone "multiple-dspublished.checkds" {
type primary;
file "multiple-dspublished.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.2 port @PORT@;
@ -113,6 +118,7 @@ zone "multiple-dspublished.checkds" {
zone "incomplete-dspublished.checkds" {
type primary;
file "incomplete-dspublished.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.2 port @PORT@;
@ -130,6 +136,7 @@ zone "incomplete-dspublished.checkds" {
zone "bad2-dspublished.checkds" {
type primary;
file "bad2-dspublished.checkds.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.2 port @PORT@;
@ -150,6 +157,7 @@ zone "bad2-dspublished.checkds" {
zone "dswithdrawn.checkds" {
type primary;
file "dswithdrawn.checkds.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents { 10.53.0.5 port @PORT@; };
};
@ -157,6 +165,7 @@ zone "dswithdrawn.checkds" {
zone "missing-dswithdrawn.checkds" {
type primary;
file "missing-dswithdrawn.checkds.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.2 port @PORT@; // still published
@ -166,6 +175,7 @@ zone "missing-dswithdrawn.checkds" {
zone "bad-dswithdrawn.checkds" {
type primary;
file "bad-dswithdrawn.checkds.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.6 port @PORT@; // bad
@ -175,6 +185,7 @@ zone "bad-dswithdrawn.checkds" {
zone "multiple-dswithdrawn.checkds" {
type primary;
file "multiple-dswithdrawn.checkds.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.5 port @PORT@;
@ -185,6 +196,7 @@ zone "multiple-dswithdrawn.checkds" {
zone "incomplete-dswithdrawn.checkds" {
type primary;
file "incomplete-dswithdrawn.checkds.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.2 port @PORT@; // still published
@ -196,6 +208,7 @@ zone "incomplete-dswithdrawn.checkds" {
zone "bad2-dswithdrawn.checkds" {
type primary;
file "bad2-dswithdrawn.checkds.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.5 port @PORT@;

3
bin/tests/system/kasp/ns2/named.conf.in
View file

@ -46,8 +46,9 @@ zone "unsigned.tld" {
zone "signed.tld" {
type primary;
dnssec-policy "default";
file "signed.tld.db";
dnssec-policy "default";
inline-signing yes;
};
/* Primary service for ns3 */

1
bin/tests/system/kasp/ns3/ed25519.conf
View file

@ -24,5 +24,6 @@ dnssec-policy "ed25519" {
zone "ed25519.kasp" {
type primary;
file "ed25519.kasp.db";
inline-signing yes;
dnssec-policy "ed25519";
};

1
bin/tests/system/kasp/ns3/ed448.conf
View file

@ -24,5 +24,6 @@ dnssec-policy "ed448" {
zone "ed448.kasp" {
type primary;
file "ed448.kasp.db";
inline-signing yes;
dnssec-policy "ed448";
};

57
bin/tests/system/kasp/ns3/named-fips.conf.in
View file

@ -44,6 +44,7 @@ controls {
zone "default.kasp" {
type primary;
file "default.kasp.db";
inline-signing yes;
dnssec-policy "default";
};
@ -51,6 +52,7 @@ zone "default.kasp" {
zone "checkds-ksk.kasp" {
type primary;
file "checkds-ksk.kasp.db";
inline-signing yes;
dnssec-policy "checkds-ksk";
};
@ -58,6 +60,7 @@ zone "checkds-ksk.kasp" {
zone "checkds-doubleksk.kasp" {
type primary;
file "checkds-doubleksk.kasp.db";
inline-signing yes;
dnssec-policy "checkds-doubleksk";
};
@ -65,6 +68,7 @@ zone "checkds-doubleksk.kasp" {
zone "checkds-csk.kasp" {
type primary;
file "checkds-csk.kasp.db";
inline-signing yes;
dnssec-policy "checkds-csk";
};
@ -72,6 +76,7 @@ zone "checkds-csk.kasp" {
zone "unlimited.kasp" {
type primary;
file "unlimited.kasp.db";
inline-signing yes;
dnssec-policy "unlimited";
};
@ -79,12 +84,14 @@ zone "unlimited.kasp" {
zone "manual-rollover.kasp" {
type primary;
file "manual-rollover.kasp.db";
inline-signing yes;
dnssec-policy "manual-rollover";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type primary;
inline-signing yes;
file "inherit.kasp.db";
};
@ -92,6 +99,7 @@ zone "inherit.kasp" {
zone "unsigned.kasp" {
type primary;
file "unsigned.kasp.db";
inline-signing yes;
dnssec-policy "none";
};
@ -99,6 +107,7 @@ zone "unsigned.kasp" {
zone "insecure.kasp" {
type primary;
file "insecure.kasp.db";
inline-signing yes;
dnssec-policy "insecure";
};
@ -106,6 +115,7 @@ zone "insecure.kasp" {
zone "dnssec-keygen.kasp" {
type primary;
file "dnssec-keygen.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -114,6 +124,7 @@ zone "secondary.kasp" {
type secondary;
primaries { 10.53.0.2; };
file "secondary.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -148,6 +159,7 @@ zone "inline-signing.kasp" {
zone "some-keys.kasp" {
type primary;
file "some-keys.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -157,6 +169,7 @@ zone "some-keys.kasp" {
zone "legacy-keys.kasp" {
type primary;
file "legacy-keys.kasp.db";
inline-signing yes;
dnssec-policy "migrate-to-dnssec-policy";
};
@ -166,6 +179,7 @@ zone "legacy-keys.kasp" {
zone "pregenerated.kasp" {
type primary;
file "pregenerated.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -176,6 +190,7 @@ zone "pregenerated.kasp" {
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -193,21 +208,25 @@ zone "multisigner-model2.kasp" {
zone "rsasha256.kasp" {
type primary;
file "rsasha256.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
type primary;
file "rsasha512.kasp.db";
inline-signing yes;
dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
type primary;
file "ecdsa256.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
type primary;
file "ecdsa384.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa384";
};
@ -217,6 +236,7 @@ zone "ecdsa384.kasp" {
zone "max-zone-ttl.kasp" {
type primary;
file "max-zone-ttl.kasp.db";
inline-signing yes;
dnssec-policy "ttl";
};
@ -230,6 +250,7 @@ zone "max-zone-ttl.kasp" {
zone "expired-sigs.autosign" {
type primary;
file "expired-sigs.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -239,6 +260,7 @@ zone "expired-sigs.autosign" {
zone "fresh-sigs.autosign" {
type primary;
file "fresh-sigs.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -248,6 +270,7 @@ zone "fresh-sigs.autosign" {
zone "unfresh-sigs.autosign" {
type primary;
file "unfresh-sigs.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -257,6 +280,7 @@ zone "unfresh-sigs.autosign" {
zone "ksk-missing.autosign" {
type primary;
file "ksk-missing.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -266,6 +290,7 @@ zone "ksk-missing.autosign" {
zone "zsk-missing.autosign" {
type primary;
file "zsk-missing.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -275,6 +300,7 @@ zone "zsk-missing.autosign" {
zone "zsk-retired.autosign" {
type primary;
file "zsk-retired.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -284,21 +310,25 @@ zone "zsk-retired.autosign" {
zone "step1.enable-dnssec.autosign" {
type primary;
file "step1.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
zone "step2.enable-dnssec.autosign" {
type primary;
file "step2.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
zone "step3.enable-dnssec.autosign" {
type primary;
file "step3.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
zone "step4.enable-dnssec.autosign" {
type primary;
file "step4.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
@ -308,31 +338,37 @@ zone "step4.enable-dnssec.autosign" {
zone "step1.zsk-prepub.autosign" {
type primary;
file "step1.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
type primary;
file "step2.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step3.zsk-prepub.autosign" {
type primary;
file "step3.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step4.zsk-prepub.autosign" {
type primary;
file "step4.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step5.zsk-prepub.autosign" {
type primary;
file "step5.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step6.zsk-prepub.autosign" {
type primary;
file "step6.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
@ -342,31 +378,37 @@ zone "step6.zsk-prepub.autosign" {
zone "step1.ksk-doubleksk.autosign" {
type primary;
file "step1.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step2.ksk-doubleksk.autosign" {
type primary;
file "step2.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step3.ksk-doubleksk.autosign" {
type primary;
file "step3.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step4.ksk-doubleksk.autosign" {
type primary;
file "step4.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step5.ksk-doubleksk.autosign" {
type primary;
file "step5.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step6.ksk-doubleksk.autosign" {
type primary;
file "step6.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
@ -376,76 +418,91 @@ zone "step6.ksk-doubleksk.autosign" {
zone "step1.csk-roll.autosign" {
type primary;
file "step1.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step2.csk-roll.autosign" {
type primary;
file "step2.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step3.csk-roll.autosign" {
type primary;
file "step3.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step4.csk-roll.autosign" {
type primary;
file "step4.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step5.csk-roll.autosign" {
type primary;
file "step5.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step6.csk-roll.autosign" {
type primary;
file "step6.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step7.csk-roll.autosign" {
type primary;
file "step7.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step8.csk-roll.autosign" {
type primary;
file "step8.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step1.csk-roll2.autosign" {
type primary;
file "step1.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step2.csk-roll2.autosign" {
type primary;
file "step2.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step3.csk-roll2.autosign" {
type primary;
file "step3.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step4.csk-roll2.autosign" {
type primary;
file "step4.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step5.csk-roll2.autosign" {
type primary;
file "step5.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step6.csk-roll2.autosign" {
type primary;
file "step6.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step7.csk-roll2.autosign" {
type primary;
file "step7.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};

2
bin/tests/system/kasp/ns3/named.conf.in
View file

@ -18,11 +18,13 @@ include "named-fips.conf";
zone "rsasha1.kasp" {
type primary;
file "rsasha1.kasp.db";
inline-signing yes;
dnssec-policy "rsasha1";
};
zone "rsasha1-nsec3.kasp" {
type primary;
file "rsasha1-nsec3.kasp.db";
inline-signing yes;
dnssec-policy "rsasha1-nsec3";
};

20
bin/tests/system/kasp/ns4/named.conf.in
View file

@ -75,20 +75,22 @@ view "inherit" {
zone "inherit.inherit.signed" {
type primary;
file "inherit.inherit.signed.db";
inline-signing yes;
};
/* Override dnssec-policy */
zone "override.inherit.signed" {
type primary;
dnssec-policy "default";
file "override.inherit.signed.db";
inline-signing yes;
dnssec-policy "default";
};
/* Unset dnssec-policy */
zone "none.inherit.signed" {
type primary;
dnssec-policy "none";
file "none.inherit.signed.db";
dnssec-policy "none";
};
};
@ -100,20 +102,22 @@ view "override" {
zone "inherit.override.signed" {
type primary;
file "inherit.override.signed.db";
inline-signing yes;
};
/* Override dnssec-policy */
zone "override.override.signed" {
type primary;
dnssec-policy "test";
file "override.override.signed.db";
inline-signing yes;
dnssec-policy "test";
};
/* Unset dnssec-policy */
zone "none.override.signed" {
type primary;
dnssec-policy "none";
file "none.override.signed.db";
dnssec-policy "none";
};
};
@ -130,15 +134,16 @@ view "none" {
/* Override dnssec-policy */
zone "override.none.signed" {
type primary;
dnssec-policy "test";
file "override.none.signed.db";
inline-signing yes;
dnssec-policy "test";
};
/* Unset dnssec-policy */
zone "none.none.signed" {
type primary;
dnssec-policy "none";
file "none.none.signed.db";
dnssec-policy "none";
};
};
@ -150,7 +155,6 @@ view "example1" {
zone "example.net" {
type primary;
file "example1.db";
// Dynamic zone, inline-signing disabled, policy inerhited.
};
};
@ -160,7 +164,7 @@ view "example2" {
zone "example.net" {
type primary;
file "example2.db";
// Static zone, inline-signing, policy inherited.
inline-signing yes;
};
};

16
bin/tests/system/kasp/ns5/named.conf.in
View file

@ -65,15 +65,16 @@ view "inherit" {
/* Override dnssec-policy */
zone "override.inherit.unsigned" {
type primary;
dnssec-policy "default";
file "override.inherit.unsigned.db";
inline-signing yes;
dnssec-policy "default";
};
/* Unset dnssec-policy */
zone "none.inherit.unsigned" {
type primary;
dnssec-policy "none";
file "none.inherit.unsigned.db";
dnssec-policy "none";
};
};
@ -85,20 +86,22 @@ view "override" {
zone "inherit.override.unsigned" {
type primary;
file "inherit.override.unsigned.db";
inline-signing yes;
};
/* Override dnssec-policy */
zone "override.override.unsigned" {
type primary;
dnssec-policy "test";
file "override.override.unsigned.db";
inline-signing yes;
dnssec-policy "test";
};
/* Unset dnssec-policy */
zone "none.override.unsigned" {
type primary;
dnssec-policy "none";
file "none.override.unsigned.db";
dnssec-policy "none";
};
};
@ -115,14 +118,15 @@ view "none" {
/* Override dnssec-policy */
zone "override.none.unsigned" {
type primary;
dnssec-policy "test";
file "override.none.unsigned.db";
inline-signing yes;
dnssec-policy "test";
};
/* Unset dnssec-policy */
zone "none.none.unsigned" {
type primary;
dnssec-policy "none";
file "none.none.unsigned.db";
dnssec-policy "none";
};
};

7
bin/tests/system/kasp/ns6/named.conf.in
View file

@ -42,6 +42,7 @@ controls {
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
inline-signing yes;
dnssec-policy "unsigning";
};
@ -55,6 +56,7 @@ zone "step1.going-insecure-dynamic.kasp" {
zone "step1.going-straight-to-none.kasp" {
type primary;
file "step1.going-straight-to-none.kasp.db";
inline-signing yes;
dnssec-policy "default";
};
@ -62,12 +64,14 @@ zone "step1.going-straight-to-none.kasp" {
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
@ -79,6 +83,7 @@ dnssec-policy "modified" {
zone example {
type primary;
dnssec-policy modified;
file "example.db";
inline-signing yes;
dnssec-policy modified;
};

17
bin/tests/system/kasp/ns6/named2.conf.in
View file

@ -41,12 +41,14 @@ controls {
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
inline-signing yes;
dnssec-policy "insecure";
};
zone "step2.going-insecure.kasp" {
type primary;
file "step2.going-insecure.kasp.db";
inline-signing yes;
dnssec-policy "insecure";
};
@ -76,36 +78,42 @@ zone "step1.going-straight-to-none.kasp" {
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step2.algorithm-roll.kasp" {
type primary;
file "step2.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step3.algorithm-roll.kasp" {
type primary;
file "step3.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step4.algorithm-roll.kasp" {
type primary;
file "step4.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step5.algorithm-roll.kasp" {
type primary;
file "step5.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step6.algorithm-roll.kasp" {
type primary;
file "step6.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
@ -115,36 +123,42 @@ zone "step6.algorithm-roll.kasp" {
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step2.csk-algorithm-roll.kasp" {
type primary;
file "step2.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step3.csk-algorithm-roll.kasp" {
type primary;
file "step3.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step4.csk-algorithm-roll.kasp" {
type primary;
file "step4.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step5.csk-algorithm-roll.kasp" {
type primary;
file "step5.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step6.csk-algorithm-roll.kasp" {
type primary;
file "step6.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
@ -156,6 +170,7 @@ dnssec-policy "modified" {
zone example {
type primary;
dnssec-policy modified;
file "example.db";
inline-signing yes;
dnssec-policy modified;
};

2
bin/tests/system/keymgr2kasp/ns4/named2.conf.in
View file

@ -72,6 +72,7 @@ view "ext" {
zone "view-rsasha256.kasp" {
type primary;
file "view-rsasha256.kasp.ext.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
};
@ -82,6 +83,7 @@ view "int" {
zone "view-rsasha256.kasp" {
type primary;
file "view-rsasha256.kasp.int.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
};

7
bin/tests/system/nsec3/ns3/named.conf.in
View file

@ -61,6 +61,7 @@ controls {
zone "nsec-to-nsec3.kasp" {
type primary;
file "nsec-to-nsec3.kasp.db";
inline-signing yes;
dnssec-policy "nsec";
};
@ -118,6 +119,7 @@ zone "nsec3-to-rsasha1-ds.kasp" {
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -132,6 +134,7 @@ zone "nsec3-dynamic.kasp" {
zone "nsec3-other.kasp" {
type primary;
file "nsec3-other.kasp.db";
inline-signing yes;
dnssec-policy "nsec3-other";
};
@ -139,6 +142,7 @@ zone "nsec3-other.kasp" {
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -153,6 +157,7 @@ zone "nsec3-dynamic-change.kasp" {
zone "nsec3-to-optout.kasp" {
type primary;
file "nsec3-to-optout.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -160,6 +165,7 @@ zone "nsec3-to-optout.kasp" {
zone "nsec3-from-optout.kasp" {
type primary;
file "nsec3-from-optout.kasp.db";
inline-signing yes;
dnssec-policy "optout";
};
@ -167,6 +173,7 @@ zone "nsec3-from-optout.kasp" {
zone "nsec3-to-nsec.kasp" {
type primary;
file "nsec3-to-nsec.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};

7
bin/tests/system/nsec3/ns3/named2.conf.in
View file

@ -61,6 +61,7 @@ controls {
zone "nsec-to-nsec3.kasp" {
type primary;
file "nsec-to-nsec3.kasp.db";
inline-signing yes;
//dnssec-policy "nsec";
dnssec-policy "nsec3";
};
@ -122,6 +123,7 @@ zone "nsec3-to-rsasha1-ds.kasp" {
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -136,6 +138,7 @@ zone "nsec3-dynamic.kasp" {
zone "nsec3-other.kasp" {
type primary;
file "nsec3-other.kasp.db";
inline-signing yes;
dnssec-policy "nsec3-other";
};
@ -143,6 +146,7 @@ zone "nsec3-other.kasp" {
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "nsec3-other";
};
@ -159,6 +163,7 @@ zone "nsec3-dynamic-change.kasp" {
zone "nsec3-to-optout.kasp" {
type primary;
file "nsec3-to-optout.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "optout";
};
@ -167,6 +172,7 @@ zone "nsec3-to-optout.kasp" {
zone "nsec3-from-optout.kasp" {
type primary;
file "nsec3-from-optout.kasp.db";
inline-signing yes;
//dnssec-policy "optout";
dnssec-policy "nsec3";
};
@ -175,6 +181,7 @@ zone "nsec3-from-optout.kasp" {
zone "nsec3-to-nsec.kasp" {
type primary;
file "nsec3-to-nsec.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "nsec";
};

3
doc/notes/notes-current.rst
View file

@ -35,7 +35,8 @@ Removed Features
Feature Changes
~~~~~~~~~~~~~~~
- None.
- Zones using ``dnssec-policy`` now require dynamic DNS or
``inline-signing`` to be configured explicitly :gl:`#3381`.
- When reconfiguring ``dnssec-policy`` from using NSEC with an NSEC-only DNSKEY
algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND will no longer fail

26
lib/bind9/check.c
View file

@ -2853,7 +2853,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
const char *target = NULL;
unsigned int ztype;
const cfg_obj_t *zoptions, *goptions = NULL;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *obj = NULL, *kasp = NULL;
const cfg_obj_t *inviewobj = NULL;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
@ -3142,6 +3142,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
}
}
if (has_dnssecpolicy) {
kasp = obj;
}
}
/*
@ -3439,12 +3442,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj);
if (has_dnssecpolicy && !ddns && !signing) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'inline-signing;' cannot be set "
"to 'no' "
"if dnssec-policy is also set on a "
"non-dynamic DNS zone");
}
if (has_dnssecpolicy) {
if (!ddns && !signing) {
cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
"'dnssec-policy;' requires%s "
"inline-signing to be configured "
"for the zone",
(ztype == CFG_ZONE_PRIMARY)
? " dynamic DNS or"
: "");
result = ISC_R_FAILURE;
}
}
@ -3456,7 +3464,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
arg = cfg_obj_asstring(obj);
}
if (strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && !has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' requires%s "
"inline-signing to be configured "
@ -3468,7 +3476,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = ISC_R_FAILURE;
}
if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) {
if (has_dnssecpolicy) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' cannot be "
"configured if dnssec-policy is "