Merge branch '2498-nsec3-dynamic-update-dnssec-policy-v9_16' into 'v9_16'

Resolve "Regression in BIND 9.16.10, DNSSEC fails due to improper NSEC3 creation witihin named"

See merge request isc-projects/bind9!4746
This commit is contained in:
Matthijs Mekking 2021-02-25 11:02:00 +00:00
commit c4c8f78b0a
7 changed files with 88 additions and 6 deletions

View file

@ -1,3 +1,7 @@
5590. [bug] Process NSEC3PARAM queue when loading a dynamic zone.
This will immediately create NSEC3 records for zones
that use "dnssec-policy" and "nsec3param". [GL #2498]
5588. [func] Add "purge-keys" option to "dnssec-policy". This sets
the time how long key files should be retained after
they have become obsolete. [GL #2408]

View file

@ -56,13 +56,20 @@ zone "nsec-to-nsec3.kasp" {
dnssec-policy "nsec";
};
/* This zone uses the default NSEC3 settings. */
/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
dnssec-policy "nsec3";
};
zone "nsec3-dynamic.kasp" {
type primary;
file "nsec3-dynamic.kasp.db";
dnssec-policy "nsec3";
allow-update { any; };
};
/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
type primary;
@ -70,13 +77,20 @@ zone "nsec3-other.kasp" {
dnssec-policy "nsec3-other";
};
/* The zone will be reconfigured to use other NSEC3 settings. */
/* These zones will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
dnssec-policy "nsec3";
};
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
dnssec-policy "nsec3";
allow-update { any; };
};
/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
type primary;

View file

@ -57,13 +57,20 @@ zone "nsec-to-nsec3.kasp" {
dnssec-policy "nsec3";
};
/* This zone uses the default NSEC3 settings. */
/* These zones use the default NSEC3 settings. */
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
dnssec-policy "nsec3";
};
zone "nsec3-dynamic.kasp" {
type primary;
file "nsec3-dynamic.kasp.db";
dnssec-policy "nsec3";
allow-update { any; };
};
/* This zone uses non-default NSEC3 settings. */
zone "nsec3-other.kasp" {
type primary;
@ -71,7 +78,7 @@ zone "nsec3-other.kasp" {
dnssec-policy "nsec3-other";
};
/* The zone will be reconfigured to use other NSEC3 settings. */
/* These zone will be reconfigured to use other NSEC3 settings. */
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
@ -79,6 +86,14 @@ zone "nsec3-change.kasp" {
dnssec-policy "nsec3-other";
};
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
//dnssec-policy "nsec3";
dnssec-policy "nsec3-other";
allow-update { any; };
};
/* The zone will be reconfigured to use opt-out. */
zone "nsec3-to-optout.kasp" {
type primary;

View file

@ -23,7 +23,7 @@ setup() {
}
for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
nsec3-to-optout nsec3-from-optout
nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change
do
setup "${zn}.kasp"
done

View file

@ -175,12 +175,25 @@ echo_i "initial check zone ${ZONE}"
check_nsec3
dnssec_verify
# Zone: nsec3-dynamic.kasp.
set_zone_policy "nsec3-dynamic.kasp" "nsec3"
set_nsec3param "0" "5" "8"
echo_i "initial check zone ${ZONE}"
check_nsec3
dnssec_verify
# Zone: nsec3-change.kasp.
set_zone_policy "nsec3-change.kasp" "nsec3"
echo_i "initial check zone ${ZONE}"
check_nsec3
dnssec_verify
# Zone: nsec3-dynamic-change.kasp.
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
echo_i "initial check zone ${ZONE}"
check_nsec3
dnssec_verify
# Zone: nsec3-to-nsec.kasp.
set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
echo_i "initial check zone ${ZONE}"
@ -227,6 +240,12 @@ echo_i "check zone ${ZONE} after reconfig"
check_nsec3
dnssec_verify
# Zone: nsec3-dyamic.kasp. (same)
set_zone_policy "nsec3-dynamic.kasp" "nsec3"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3
dnssec_verify
# Zone: nsec3-change.kasp. (reconfigured)
set_zone_policy "nsec3-change.kasp" "nsec3-other"
set_nsec3param "1" "11" "0"
@ -234,6 +253,13 @@ echo_i "check zone ${ZONE} after reconfig"
check_nsec3
dnssec_verify
# Zone: nsec3-dynamic-change.kasp. (reconfigured)
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
set_nsec3param "1" "11" "0"
echo_i "check zone ${ZONE} after reconfig"
check_nsec3
dnssec_verify
# Zone: nsec3-to-nsec.kasp. (reconfigured)
set_zone_policy "nsec3-to-nsec.kasp" "nsec"
echo_i "check zone ${ZONE} after reconfig"

View file

@ -54,5 +54,8 @@ Bug Fixes
UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
[GL #2487]
- NSEC3 records were not immediately created when signing a dynamic zone with
``dnssec-policy`` and ``nsec3param``. This has been fixed [GL #2498].
- An invalid direction field (not one of 'N'/'S' or 'E'/'W') in a LOC record
triggered an INSIST failure. [GL #2499]

View file

@ -4834,12 +4834,32 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
"could not find NS and/or SOA records");
}
/*
* Process any queued NSEC3PARAM change requests. Only for dynamic
* zones, an inline-signing zone will perform this action when
* receiving the secure db (receive_secure_db).
*/
is_dynamic = dns_zone_isdynamic(zone, true);
if (is_dynamic) {
isc_event_t *setnsec3param_event;
dns_zone_t *dummy;
while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
setnsec3param_event =
ISC_LIST_HEAD(zone->setnsec3param_queue);
ISC_LIST_UNLINK(zone->setnsec3param_queue,
setnsec3param_event, ev_link);
dummy = NULL;
zone_iattach(zone, &dummy);
isc_task_send(zone->task, &setnsec3param_event);
}
}
/*
* Check to make sure the journal is up to date, and remove the
* journal file if it isn't, as we wouldn't be able to apply
* updates otherwise.
*/
is_dynamic = dns_zone_isdynamic(zone, true);
if (zone->journal != NULL && is_dynamic &&
!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
{