diff --git a/CHANGES b/CHANGES index e7aa4be105..9efded88ab 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +6013. [bug] Fix a crash that could happen when you change + a dnssec-policy zone with NSEC3 to start using + inline-signing. [GL #3591] + 6012. [func] Cleanup the dead nodes while pruning the tree. [GL #3641] diff --git a/bin/named/server.c b/bin/named/server.c index b95d1ee108..b38e00d027 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6501,6 +6501,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, bool zone_is_catz = false; bool zone_maybe_inline = false; bool inline_signing = false; + bool fullsign = false; options = NULL; (void)cfg_map_get(config, "options", &options); @@ -6769,6 +6770,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, if (zone != NULL && !named_zone_reusable(zone, zconfig)) { dns_zone_detach(&zone); + fullsign = true; } if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) || @@ -6903,7 +6905,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, * Ensure that zone keys are reloaded on reconfig */ if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) { - dns_zone_rekey(zone, false); + dns_zone_rekey(zone, fullsign); } cleanup: diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh index e5a1253497..0990fa3c6b 100644 --- a/bin/tests/system/checkds/ns9/setup.sh +++ b/bin/tests/system/checkds/ns9/setup.sh @@ -43,7 +43,8 @@ do $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 done # DS Withdrawal. @@ -57,5 +58,6 @@ do $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 done diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index 03ff93c4c4..702a239296 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh @@ -695,7 +695,7 @@ dnssec_verify() echo_i "dnssec-verify zone ${ZONE} ($n)" ret=0 _dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed" - $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > /dev/null || _log_error "dnssec verify zone $ZONE failed" + $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) } diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index 1ed1c80f0d..db264c2810 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -16,7 +16,7 @@ set -e rm -f ./keygen.* rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp rm -rf ./keys/ -rm -f dig.out* rrsig.out.* keyevent.out.* +rm -f dig.out* rrsig.out.* keyevent.out.* verify.out.* zone.out.* rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/named-fips.conf rm -f ns*/policies/*.conf diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 84fbb9c170..c0111203c7 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -161,7 +161,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -PS -x -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are set to expire long in the past, update immediately. setup expired-sigs.autosign @@ -175,7 +176,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are still good, and can be reused. setup fresh-sigs.autosign @@ -189,7 +191,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are still good, but not fresh enough, update immediately. setup unfresh-sigs.autosign @@ -203,7 +206,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are still good, but the private KSK is missing. setup ksk-missing.autosign @@ -217,7 +221,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 echo "KSK: yes" >> "${KSK}".state echo "ZSK: no" >> "${KSK}".state echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y @@ -235,7 +240,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 echo "KSK: no" >> "${ZSK}".state echo "ZSK: yes" >> "${ZSK}".state echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y @@ -253,7 +259,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 $SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 # @@ -286,7 +293,8 @@ CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keyg $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. @@ -302,7 +310,8 @@ CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keyg $SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS has been submitted long enough ago to become OMNIPRESENT. @@ -321,7 +330,8 @@ CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keyg $SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 setup step4.enable-dnssec.autosign # @@ -342,7 +352,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to pre-publish the successor ZSK. @@ -381,7 +392,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # After the publication interval has passed the DNSKEY of the successor ZSK @@ -443,7 +455,8 @@ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # After the retire interval has passed the predecessor DNSKEY can be @@ -502,7 +515,8 @@ $SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out. key_successor $ZSK1 $ZSK2 # Sign zone. cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. @@ -540,7 +554,8 @@ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. @@ -578,7 +593,8 @@ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at ksk-doubleksk.autosign represent the various steps of a KSK @@ -596,7 +612,8 @@ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. @@ -647,7 +664,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS. @@ -713,7 +731,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS should be swapped now. @@ -773,7 +792,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. @@ -811,7 +831,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. @@ -849,7 +870,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-roll.autosign represent the various steps of a CSK rollover @@ -865,7 +887,8 @@ CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.ou $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. @@ -892,7 +915,8 @@ CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.ou $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. @@ -946,7 +970,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -992,7 +1017,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # After the DS is swapped in step 4, also the KRRSIG records can be removed. @@ -1027,7 +1053,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # After the retire interval has passed the predecessor DNSKEY can be @@ -1070,7 +1097,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 7: # Some time later the predecessor DNSKEY enters the HIDDEN state. @@ -1104,7 +1132,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 8: # The predecessor DNSKEY can be purged. @@ -1138,7 +1167,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-roll2.autosign represent the various steps of a CSK rollover @@ -1156,7 +1186,8 @@ CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.o $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. @@ -1183,7 +1214,8 @@ CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.o $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. @@ -1237,7 +1269,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -1284,7 +1317,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # Some time later the DS can be swapped and the old DNSKEY can be removed from @@ -1320,7 +1354,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # Some time later the predecessor DNSKEY enters the HIDDEN state. @@ -1355,7 +1390,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 7: # The predecessor DNSKEY can be purged, but purge-keys is disabled. @@ -1389,4 +1425,5 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index 7e62fa9dd5..f00594b784 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in +++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -38,6 +38,14 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +/* This zone switch from dynamic to inline-signing. */ +zone "dynamic2inline.kasp" { + type primary; + file "dynamic2inline.kasp.db"; + allow-update { any; }; + dnssec-policy "default"; +}; + /* These zones are going insecure. */ zone "step1.going-insecure.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index 79fc7768e7..1bb6242b6d 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -37,6 +37,15 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +/* This zone switch from dynamic to inline-signing. */ +zone "dynamic2inline.kasp" { + type primary; + file "dynamic2inline.kasp.db"; + allow-update { any; }; + inline-signing yes; + dnssec-policy "default"; +}; + /* Zones for testing going insecure. */ zone "step1.going-insecure.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in index 683c9ef500..810b91d6ad 100644 --- a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in +++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in @@ -20,6 +20,10 @@ dnssec-policy "unsigning" { }; }; +dnssec-policy "nsec3" { + nsec3param iterations 0 optout no salt-length 0; +}; + dnssec-policy "rsasha256" { signatures-refresh P5D; signatures-validity 30d; diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 3f3f193a66..6764f1b9c1 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -45,7 +45,8 @@ do cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" - $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # Set up a zone with dnssec-policy that is going insecure. Don't add @@ -66,7 +67,8 @@ do cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" - $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 done # This zone is going straight to "none" policy. This is undefined behavior. @@ -78,7 +80,8 @@ CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1) $SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK @@ -99,7 +102,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 8 "$KSK" >> "$infile" private_type_record $zone 8 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. @@ -130,7 +134,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # The zone signatures are also OMNIPRESENT. @@ -160,7 +165,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS is swapped and can become OMNIPRESENT. @@ -191,7 +197,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. @@ -223,7 +230,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. @@ -256,7 +264,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-algorithm-roll.kasp represent the various steps of a CSK @@ -273,7 +282,8 @@ CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.ou $SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 5 "$CSK" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. @@ -292,7 +302,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # The zone signatures are also OMNIPRESENT. @@ -313,7 +324,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS is swapped and can become OMNIPRESENT. @@ -335,7 +347,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. @@ -358,7 +371,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. @@ -382,10 +396,14 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # Reload testing # echo "example" >> zones cp example.db.in example.db + +setup "dynamic2inline.kasp" +cp template.db.in $zonefile diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index eefe12e541..ab65dff3ad 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -1375,9 +1375,10 @@ check_rrsig_reuse() { dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the zone file it is not refreshed. + # If this exact RRSIG is also in the signed zone file it is not refreshed. _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") - grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" + $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null + grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) done @@ -1395,8 +1396,10 @@ check_rrsig_reuse() { dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the signed zone file it is not refreshed. _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") - grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" + $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null + grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) done @@ -3540,6 +3543,34 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # TODO (GL #2471). +# Test dynamic zones that switch to inline-signing. +set_zone "dynamic2inline.kasp" +set_policy "default" "1" "3600" +set_server "ns6" "10.53.0.6" +# Key properties. +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# The CSK is rumoured. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + # # Testing algorithm rollover. # @@ -3807,6 +3838,34 @@ wait_for_done_signing() { status=$((status+ret)) } +# Test dynamic zones that switch to inline-signing. +set_zone "dynamic2inline.kasp" +set_policy "default" "1" "3600" +set_server "ns6" "10.53.0.6" +# Key properties. +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# The CSK is rumoured. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + # # Testing going insecure. # @@ -3974,8 +4033,6 @@ key_clear "KEY4" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -check_apex -check_subdomain dnssec_verify # diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh index cc4ffe3f8b..1fe2bb946d 100644 --- a/bin/tests/system/keymgr2kasp/clean.sh +++ b/bin/tests/system/keymgr2kasp/clean.sh @@ -30,4 +30,5 @@ rm -f ./python.out.* rm -f ./retired.* rm -f ./rndc.dnssec.* rm -f ./unused.key* +rm -f ./verify.out.* diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh index d6b11e749b..7ca6829689 100644 --- a/bin/tests/system/nsec3/clean.sh +++ b/bin/tests/system/nsec3/clean.sh @@ -13,7 +13,7 @@ set -e -rm -f dig.out.* rndc.signing.* verify.out.* +rm -f dig.out.* rndc.signing.* update.out.* verify.out.* rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind rm -f ns*/K*.private ns*/K*.key ns*/K*.state diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.in new file mode 100644 index 0000000000..d6caf15615 --- /dev/null +++ b/bin/tests/system/nsec3/ns2/named.conf.in @@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +dnssec-policy "nsec3" { + nsec3param; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "nsec3-xfr-inline.kasp" { + type primary; + file "nsec3-xfr-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; diff --git a/bin/tests/system/nsec3/ns2/setup.sh b/bin/tests/system/nsec3/ns2/setup.sh new file mode 100644 index 0000000000..1cbe02f9c0 --- /dev/null +++ b/bin/tests/system/nsec3/ns2/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns2/setup.sh" + +zone="nsec3-xfr-inline.kasp" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +cp template.db.in "$zonefile" diff --git a/bin/tests/system/nsec3/ns2/template.db.in b/bin/tests/system/nsec3/ns2/template.db.in new file mode 100644 index 0000000000..8379c37213 --- /dev/null +++ b/bin/tests/system/nsec3/ns2/template.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index c94fa5d679..de097744ba 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -184,3 +184,35 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; + +/* These zones switch from dynamic to inline-signing or vice versa. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +zone "nsec3-inline-to-dynamic.kasp" { + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; + +/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ +zone "nsec3-dynamic-update-inline.kasp" { + type primary; + file "nsec3-dynamic-update-inline.kasp.db"; + inline-signing yes; + allow-update { any; }; + dnssec-policy "nsec"; +}; + +zone "nsec3-xfr-inline.kasp" { + type secondary; + file "nsec3-xfr-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index d9764abcad..084bba3f0b 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -193,3 +193,20 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; + +/* These zones switch from dynamic to inline-signing or vice versa. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; + allow-update { any; }; +}; + +zone "nsec3-inline-to-dynamic.kasp" { + type primary; + file "nsec3-inline-to-dynamic.kasp.db"; + inline-signing no; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index e2478ac3df..68bc2e4511 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -25,7 +25,9 @@ setup() { } for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ - nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change + nsec3-to-optout nsec3-from-optout nsec3-dynamic \ + nsec3-dynamic-change nsec3-dynamic-to-inline \ + nsec3-inline-to-dynamic nsec3-dynamic-update-inline do setup "${zn}.kasp" done diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh index 66320529b7..bdd1ae9a81 100644 --- a/bin/tests/system/nsec3/setup.sh +++ b/bin/tests/system/nsec3/setup.sh @@ -18,8 +18,12 @@ set -e $SHELL clean.sh +copy_setports ns2/named.conf.in ns2/named.conf +( + cd ns2 + $SHELL setup.sh +) copy_setports ns3/named.conf.in ns3/named.conf - ( cd ns3 $SHELL setup.sh diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 1d9adbc3a2..0abbbce71c 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -297,6 +297,20 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 +# Zone: nsec3-dynamic-to-inline.kasp. +set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec3 + +# Zone: nsec3-inline-to-dynamic.kasp. +set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec3 + # Zone: nsec3-to-nsec.kasp. set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" @@ -325,7 +339,34 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 +# Zone: nsec3-xfr-inline.kasp. +# This is a secondary zone, where the primary is signed with NSEC3 but +# the dnssec-policy dictates NSEC. +set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600 +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec + +# Zone: nsec3-dynamic-update-inline.kasp. +set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600 +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec + +n=$((n+1)) +echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)" +ret=0 +$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1 +server 10.53.0.3 ${PORT} +zone ${ZONE}. +update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG +send +END +wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1 +check_nsec + # Reconfig named. +ret=0 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 @@ -419,6 +460,20 @@ set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 +# Zone: nsec3-dynamic-to-inline.kasp. (same) +set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "check zone ${ZONE} after reconfig" +check_nsec3 + +# Zone: nsec3-inline-to-dynamic.kasp. (same) +set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec3 + # Zone: nsec3-to-nsec.kasp. (reconfigured) set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600 set_nsec3param "1" "11" "8" diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 36b1a877fb..5245ef7479 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -63,3 +63,6 @@ Bug Fixes enter into a state where it would not recover without stopping ``named``, manually deleting ``managed-keys.bind`` and ``managed-keys.bind.jnl`` files, and starting ``named`` again. :gl:`#2895` + +- Fixed a crash that happens when you reconfigure a ``dnssec-policy`` + zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591` diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 672d2997bc..cf2fc489c7 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -17169,9 +17169,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, } static isc_result_t -copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, - dns_db_t *rawdb, dns_dbiterator_t *dbiterator, - unsigned int *oldserial) { +copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb, + dns_dbiterator_t *dbiterator, unsigned int *oldserial) { dns_dbnode_t *rawnode = NULL, *node = NULL; dns_fixedname_t fixed; dns_name_t *name = dns_fixedname_initname(&fixed); @@ -17208,14 +17207,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, rdataset.type == dns_rdatatype_dnskey || rdataset.type == dns_rdatatype_nsec3param) { - /* - * Allow DNSSEC records with dnssec-policy. - * WMM: Perhaps add config option for it. - */ - if (dns_zone_getkasp(zone) == NULL) { - dns_rdataset_disassociate(&rdataset); - continue; - } + dns_rdataset_disassociate(&rdataset); + continue; } if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) { result = checkandaddsoa(db, node, version, &rdataset, @@ -17318,8 +17311,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) { for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS; result = dns_dbiterator_next(dbiterator)) { - result = copy_non_dnssec_records(zone, db, version, rawdb, - dbiterator, oldserialp); + result = copy_non_dnssec_records(db, version, rawdb, dbiterator, + oldserialp); if (result != ISC_R_SUCCESS) { goto failure; }