Merge branch '3783-parental-ds-requests-need-rd-bit-set-v9_18' into 'v9_18'

[9.18] Set RD=1 on DS requests to parental-agents

See merge request isc-projects/bind9!7411

CHANGES

@@ -4,6 +4,8 @@
 6074.	[func]		Refactor the isc_nm_xfr_allowed() function to return
 			isc_result_t instead of boolean. [GL #3808]
 
+6073.	[bug]		Set RD=1 on DS requests to parental-agents. [GL #3783]
+
 6072.	[bug]		Avoid the OpenSSL lock contention when initializing
 			Message Digest Contexts by using explicit algorithm
 			fetching, initializing static contexts for every

bin/tests/system/checkds/clean.sh

@@ -21,6 +21,7 @@ rm -f ns*/dsset-*
 rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile
 rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
 rm -f ns*/managed-keys.bind*
+rm -f ns*/trusted.conf
 rm -f ns*/*.mkeys
 rm -f ns*/zones
 rm -f *.checkds.out

bin/tests/system/checkds/ns1/named.conf.in

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};

bin/tests/system/checkds/ns1/root.db.in

@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+checkds.		NS	ns2.checkds.
+ns2.checkds.		A	10.53.0.2

bin/tests/system/checkds/ns1/setup.sh

@@ -0,0 +1,46 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/setup.sh"
+
+cp "../ns2/dsset-checkds." .
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cp "$ksk.key" "../ns10/"
+cp "$zsk.key" "../ns10/"
+cp "$ksk.private" "../ns10/"
+cp "$zsk.private" "../ns10/"
+
+cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+
+(
+	cd ../ns10
+	cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
+	"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
+)
+
+# Configure the resolving server with a static key.
+keyfile_to_static_ds "$ksk" > trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns8/trusted.conf

bin/tests/system/checkds/ns10/named.conf.in

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS10
+
+options {
+	query-source address 10.53.0.10;
+	notify-source 10.53.0.10;
+	transfer-source 10.53.0.10;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.10; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};

bin/tests/system/checkds/ns10/root.db.in

@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.10
+
+checkds.		NS	ns5.checkds.
+ns5.checkds.		A	10.53.0.5

bin/tests/system/checkds/ns2/setup.sh

@@ -18,8 +18,10 @@ echo_i "ns2/setup.sh"
 
 for subdomain in dspublished reference missing-dspublished bad-dspublished \
 		 multiple-dspublished incomplete-dspublished bad2-dspublished \
+		 resolver-dspublished \
 		 dswithdrawn missing-dswithdrawn bad-dswithdrawn \
-		 multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn
+		 multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \
+		 resolver-dswithdrawn
 do
 	cp "../ns9/dsset-$subdomain.checkds." .
 done

bin/tests/system/checkds/ns2/template.db.in

@@ -28,6 +28,7 @@ bad-dspublished			NS	ns9.bad-dspublished
 multiple-dspublished		NS	ns9.multiple-dspublished
 incomplete-dspublished		NS	ns9.incomplete-dspublished
 bad2-dspublished		NS	ns9.bad2-dspublished
+resolver-dspublished		NS	ns9.resolver-dspublished
 
 dswithdrawn			NS	ns9.dswithdrawn
 missing-dswithdrawn		NS	ns9.missing-dswithdrawn
@@ -35,4 +36,4 @@ bad-dswithdrawn			NS	ns9.bad-dswithdrawn
 multiple-dswithdrawn		NS	ns9.multiple-dswithdrawn
 incomplete-dswithdrawn		NS	ns9.incomplete-dswithdrawn
 bad2-dswithdrawn		NS	ns9.bad2-dswithdrawn
-
+resolver-dswithdrawn		NS	ns9.resolver-dswithdrawn

bin/tests/system/checkds/ns3/named.conf.in

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	session-keyfile "session.key";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";

bin/tests/system/checkds/ns5/template.db.in

@@ -28,6 +28,7 @@ bad-dspublished			NS	ns9.bad-dspublished
 multiple-dspublished		NS	ns9.multiple-dspublished
 incomplete-dspublished		NS	ns9.incomplete-dspublished
 bad2-dspublished		NS	ns9.bad2-dspublished
+resolver-dspublished		NS	ns9.resolver-dspublished
 
 dswithdrawn			NS	ns9.dswithdrawn
 missing-dswithdrawn		NS	ns9.missing-dswithdrawn
@@ -35,4 +36,5 @@ bad-dswithdrawn			NS	ns9.bad-dswithdrawn
 multiple-dswithdrawn		NS	ns9.multiple-dswithdrawn
 incomplete-dswithdrawn		NS	ns9.incomplete-dswithdrawn
 bad2-dswithdrawn		NS	ns9.bad2-dswithdrawn
+resolver-dswithdrawn		NS	ns9.resolver-dswithdrawn
 

bin/tests/system/checkds/ns8/named.conf.in

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+options {
+	query-source address 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	session-keyfile "session.key";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+include "trusted.conf";

bin/tests/system/checkds/ns8/root.hint

@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.10

bin/tests/system/checkds/ns9/named.conf.in

@@ -145,6 +145,19 @@ zone "bad2-dspublished.checkds" {
 	};
 };
 
+/*
+ * Zone with resolver parental agent configured, due for DS checking.
+ */
+zone "resolver-dspublished.checkds" {
+	type primary;
+	file "resolver-dspublished.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.3 port @PORT@;
+	};
+};
+
 // TODO: Other test cases:
 // - Test with bogus response
 // - check with TSIG
@@ -216,3 +229,13 @@ zone "bad2-dswithdrawn.checkds" {
 		10.53.0.6 port @PORT@; // bad
 	};
 };
+
+zone "resolver-dswithdrawn.checkds" {
+	type primary;
+	file "resolver-dswithdrawn.checkds.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.8 port @PORT@;
+	};
+};

bin/tests/system/checkds/ns9/setup.sh

@@ -34,7 +34,7 @@ Y="now-1y"
 
 # DS Publication.
 for zn in dspublished reference missing-dspublished bad-dspublished \
-	  multiple-dspublished incomplete-dspublished bad2-dspublished
+	  multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished
 do
 	setup "${zn}.checkds"
 	cp template.db.in "$zonefile"
@@ -49,7 +49,7 @@ done
 
 # DS Withdrawal.
 for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
-	  incomplete-dswithdrawn bad2-dswithdrawn
+	  incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn
 do
 	setup "${zn}.checkds"
 	cp template.db.in "$zonefile"

bin/tests/system/checkds/setup.sh

@@ -18,12 +18,16 @@ set -e
 
 $SHELL clean.sh
 
+copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
 copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 
 # Setup zones
 (
@@ -38,3 +42,7 @@ copy_setports ns9/named.conf.in ns9/named.conf
 	cd ns2
 	$SHELL setup.sh
 )
+(
+	cd ns1
+	$SHELL setup.sh
+)

bin/tests/system/checkds/tests_checkds.py

@@ -36,7 +36,7 @@ def has_signed_apex_nsec(zone, response):
 
     ttl = 300
     nextname = "a."
-    types = "NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY"
+    types = "NS SOA RRSIG NSEC DNSKEY"
     match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types)
     sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl)
 
@@ -346,6 +346,15 @@ def test_checkds_dspublished(named_port):
     )
     keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish")
 
+    # Check with resolver parental-agent.
+    zone_check(server, "resolver-dspublished.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone resolver-dspublished.checkds/IN (signed): checkds: "
+        "DS response from 10.53.0.3",
+    )
+    keystate_check(parent, "resolver-dspublished.checkds.", "DSPublish")
+
     # TBD: DS published in all parents, but one has bogus signature.
 
     # TBD: Check with TSIG
@@ -444,4 +453,13 @@ def test_checkds_dswithdrawn(named_port):
     )
     keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved")
 
+    # Check with resolver parental-agent.
+    zone_check(server, "resolver-dswithdrawn.checkds.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone resolver-dswithdrawn.checkds/IN (signed): checkds: "
+        "empty DS response from 10.53.0.8",
+    )
+    keystate_check(parent, "resolver-dswithdrawn.checkds.", "DSRemoved")
+
     # TBD: DS withdrawn from all parents, but one has bogus signature.

doc/notes/notes-current.rst

@@ -42,6 +42,9 @@ Bug Fixes
 - Improve the speed of the message digest algorithms (MD5, SHA-1,
   SHA-2) and NSEC3 hashing. :gl:`#3795`
 
+- Setting :any:`parental-agents` to a resolver did not work because the RD bit
+  was not set on DS requests. This has been fixed. :gl:`#3783`
+
 Known Issues
 ~~~~~~~~~~~~
 

lib/dns/zone.c

@@ -20826,6 +20826,7 @@ checkds_done(isc_task_t *task, isc_event_t *event) {
 	/* Validate response. */
 	CHECK(validate_ds(zone, message));
 
+	/* Check RCODE. */
 	if (message->rcode != dns_rcode_noerror) {
 		dns_zone_log(zone, ISC_LOG_NOTICE,
 			     "checkds: bad DS response from %s: %.*s", addrbuf,
@@ -20833,6 +20834,17 @@ checkds_done(isc_task_t *task, isc_event_t *event) {
 		goto failure;
 	}
 
+	/* Make sure that either AA or RA bit is set. */
+	if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+	    (message->flags & DNS_MESSAGEFLAG_RA) == 0)
+	{
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "checkds: bad DS response from %s: expected AA or "
+			     "RA bit set",
+			     addrbuf);
+		goto failure;
+	}
+
 	/* Lookup DS RRset. */
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (result == ISC_R_SUCCESS) {
@@ -21055,6 +21067,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) {
 
 	message->opcode = dns_opcode_query;
 	message->rdclass = zone->rdclass;
+	message->flags |= DNS_MESSAGEFLAG_RD;
 
 	result = dns_message_gettempname(message, &tempname);
 	if (result != ISC_R_SUCCESS) {