upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-09 00:43:21 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '2236-resolver-sometimes-treats-signed-insecure-zone-with-broken-dnskey-as-bogus' into 'main'

Browse source 
Resolve "Resolver sometimes treats signed, insecure zone with broken DNSKEY as bogus"

Closes #2236

See merge request isc-projects/bind9!4319
This commit is contained in:
Mark Andrews 2020-10-29 13:46:53 +00:00
commit e9b6747888
7 changed files with 175 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
CHANGES
View file

@ -1,3 +1,8 @@
5523. [bug] The initial lookup of a zone transitioning to/from
the signed state could fail if the DNSKEY RRset was
not found. Subsequent lookups would succeed.
[GL #2236]
5522. [bug] Fix a race/NULL dereference in TCPDNS. [GL #2227]
5521. [func] All use of libltdl was dropped. libuv's shared library

145
bin/tests/system/dnssec/ans10/ans.py Normal file
View file

@ -0,0 +1,145 @@
############################################################################
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
############################################################################
from __future__ import print_function
import os
import sys
import signal
import socket
import select
from datetime import datetime, timedelta
import time
import functools
import dns, dns.message, dns.query, dns.flags
from dns.rdatatype import *
from dns.rdataclass import *
from dns.rcode import *
from dns.name import *
# Log query to file
def logquery(type, qname):
with open("qlog", "a") as f:
f.write("%s %s\n", type, qname)
############################################################################
# Respond to a DNS query.
# SOA gets a unsigned response.
# NS gets a unsigned response.
# DNSKEY get a unsigned NODATA response.
# A gets a signed response.
# All other types get a unsigned NODATA response.
############################################################################
def create_response(msg):
m = dns.message.from_wire(msg)
qname = m.question[0].name.to_text()
rrtype = m.question[0].rdtype
typename = dns.rdatatype.to_text(rrtype)
with open("query.log", "a") as f:
f.write("%s %s\n" % (typename, qname))
print("%s %s" % (typename, qname), end=" ")
r = dns.message.make_response(m)
r.set_rcode(NOERROR)
if rrtype == A:
now = datetime.today()
expire = now + timedelta(days=30)
inception = now - timedelta(days=1)
rrsig = "A 13 2 60 " + expire.strftime("%Y%m%d%H%M%S") + " " + \
inception.strftime("%Y%m%d%H%M%S") + " 12345 " + qname + \
" gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl" + \
"y2Qs7y5VCjSMOGn85bnaMoAc7w=="
r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10"))
r.answer.append(dns.rrset.from_text(qname, 1, IN, RRSIG, rrsig))
elif rrtype == NS:
r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
elif rrtype == SOA:
r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
else:
r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
r.flags |= dns.flags.AA
return r
def sigterm(signum, frame):
print ("Shutting down now...")
os.remove('ans.pid')
running = False
sys.exit(0)
############################################################################
# Main
#
# Set up responder and control channel, open the pid file, and start
# the main loop, listening for queries on the query channel or commands
# on the control channel and acting on them.
############################################################################
ip4 = "10.53.0.10"
ip6 = "fd92:7065:b8e:ffff::10"
try: port=int(os.environ['PORT'])
except: port=5300
query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
query4_socket.bind((ip4, port))
havev6 = True
try:
query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
try:
query6_socket.bind((ip6, port))
except:
query6_socket.close()
havev6 = False
except:
havev6 = False
signal.signal(signal.SIGTERM, sigterm)
f = open('ans.pid', 'w')
pid = os.getpid()
print (pid, file=f)
f.close()
running = True
print ("Listening on %s port %d" % (ip4, port))
if havev6:
print ("Listening on %s port %d" % (ip6, port))
print ("Ctrl-c to quit")
if havev6:
input = [query4_socket, query6_socket]
else:
input = [query4_socket]
while running:
try:
inputready, outputready, exceptready = select.select(input, [], [])
except select.error as e:
break
except socket.error as e:
break
except KeyboardInterrupt:
break
for s in inputready:
if s == query4_socket or s == query6_socket:
print ("Query received on %s" %
(ip4 if s == query4_socket else ip6), end=" ")
# Handle incoming queries
msg = s.recvfrom(65535)
rsp = create_response(msg[0])
if rsp:
print(dns.rcode.to_text(rsp.rcode()))
s.sendto(rsp.to_wire(), msg[1])
else:
print("NO RESPONSE")
if not running:
break

1
bin/tests/system/dnssec/clean.sh
View file

@ -20,6 +20,7 @@ rm -f ./*/named.secroots
rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk
rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf
rm -f ./Kexample.* ./Kkeygen* ./keygen*.err
rm -f ./ans10/query.log ./ans10/ans.run
rm -f ./canonical?.*
rm -f ./delv.out*
rm -f ./delve.out*

2
bin/tests/system/dnssec/ns1/root.db.in
View file

@ -29,3 +29,5 @@ ns2.trusted. A 10.53.0.2
optout-tld NS ns6.optout-tld.
ns6.optout-tld. A 10.53.0.6
in-addr.arpa. NS ns2.example.
inprogress. NS ns10.inprogress.
ns10.inprogress. A 10.53.0.10

10
bin/tests/system/dnssec/tests.sh
View file

@ -4281,5 +4281,15 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking validation succeeds during transition to signed ($n)"
ret=0
dig_with_opts @10.53.0.4 inprogress A > dig.out.ns4.test$n || ret=1
grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
grep 'A.10\.53\.0\.10' dig.out.ns4.test$n >/dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

15
lib/dns/validator.c
View file

@ -410,13 +410,20 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
val->fetch = NULL;
if (CANCELED(val)) {
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %s",
} else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
/*
* We have an answer to our DNSKEY query. Either the DNSKEY
* RRset or a NODATA response.
*/
validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
eresult == ISC_R_SUCCESS ? "keyset"
: "NCACHENXRRSET",
dns_trust_totext(rdataset->trust));
/*
* Only extract the dst key if the keyset is secure.
* Only extract the dst key if the keyset exists and is secure.
*/
if (rdataset->trust >= dns_trust_secure) {
if (eresult == ISC_R_SUCCESS &&
rdataset->trust >= dns_trust_secure) {
result = select_signing_key(val, rdataset);
if (result == ISC_R_SUCCESS) {
val->keyset = &val->frdataset;

1
util/copyrights
View file

@ -334,6 +334,7 @@
./bin/tests/system/dns64/setup.sh SH 2010,2012,2014,2016,2017,2018,2019,2020
./bin/tests/system/dns64/tests.sh SH 2010,2011,2012,2013,2014,2016,2018,2019,2020
./bin/tests/system/dnssec/README TXT.BRIEF 2000,2001,2002,2004,2011,2016,2018,2019,2020
./bin/tests/system/dnssec/ans10/ans.py PYTHON 2020
./bin/tests/system/dnssec/clean.sh SH 2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
./bin/tests/system/dnssec/dnssec_update_test.pl PERL 2002,2004,2007,2010,2012,2016,2018,2019,2020
./bin/tests/system/dnssec/ns1/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019,2020