From e84615629f52f551c7482036e4a333498fc5f089 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 12:09:03 +1100 Subject: [PATCH 1/7] Properly update 'maxtype' 'maxtype' should be checked to see if it should be updated whenever a type is added to the type map. --- lib/dns/zoneverify.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index 684ab9984c..ce60441a44 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -960,6 +960,9 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, { if (rdataset.type == dns_rdatatype_ns) { dns_nsec_setbit(types, rdataset.type, 1); + if (rdataset.type > maxtype) { + maxtype = rdataset.type; + } } result = check_no_rrsig(vctx, &rdataset, name, node); if (result != ISC_R_SUCCESS) { @@ -969,6 +972,9 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, } } else { dns_nsec_setbit(types, rdataset.type, 1); + if (rdataset.type > maxtype) { + maxtype = rdataset.type; + } } dns_rdataset_disassociate(&rdataset); result = dns_rdatasetiter_next(rdsiter); From ec3c6248148dec0696eeab62abdf53ea71116c0b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 12:12:33 +1100 Subject: [PATCH 2/7] Properly build the NSEC/NSEC3 type bit map DNSKEY was incorrectly being added to the NESC/NSEC3 type bit map when it was obscured by the delegation. This lead to zone verification failures. --- lib/dns/zoneverify.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index ce60441a44..3419ef1f91 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -940,7 +940,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, * other than NSEC and DS is not signed at a delegation. */ if (rdataset.type != dns_rdatatype_rrsig && - rdataset.type != dns_rdatatype_dnskey && (!delegation || rdataset.type == dns_rdatatype_ds || rdataset.type == dns_rdatatype_nsec)) { 
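Review bot: The `if (rdataset.type > maxtype) { maxtype = rdataset.type; }` bookkeeping added after both `dns_nsec_setbit(types, rdataset.type, 1)` calls here and in the @@ -969 hunk is the same three lines the signed-RRset branch already carries (visible as context in the following patch), so the type map and the `maxtype` bound that limits what gets compared against the NSEC/NSEC3 record are now kept consistent by three hand-copied copies, which is precisely the drift this patch is repairing. A file-scope helper that sets the bit and bumps the bound in one call would make a further call site impossible to get wrong; its parameter types should follow the declarations of `types` and `maxtype` in `verifynode`, which are outside the hunk. `verifynode` itself begins and ends outside both hunks.
```c
/* Record 'type' in the NSEC/NSEC3 type map and keep 'maxtype' in step with it. */
static void
setbit_track_max(unsigned char *types, dns_rdatatype_t type,
		 dns_rdatatype_t *maxtype) {
	dns_nsec_setbit(types, type, 1);
	if (type > *maxtype) {
		*maxtype = type;
	}
}
/* … unchanged: verifynode up to the delegation NS case … */
			if (rdataset.type == dns_rdatatype_ns) {
				setbit_track_max(types, rdataset.type, &maxtype);
			}
```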
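Review bot: Dropping `rdataset.type != dns_rdatatype_dnskey` from the condition changes more than the delegation case the commit message describes: at a non-delegation node a non-apex DNSKEY RRset now enters the first branch through the `!delegation` arm and is presumably signature-checked like any other type, and at a delegation it falls through to the `check_no_rrsig` path of the else-if instead of landing in the trailing `else` that only bit-mapped it alongside RRSIG. Both are the right reading of RFC 4035 §2.2, but the comment ending `* other than NSEC and DS is not signed at a delegation.` still reads as if DNSKEY were special, as far as it is visible; a line such as `* DNSKEY is not special-cased: below the apex it must be signed, at a delegation it is obscured.` would record the intent. Zones produced by other signers that carry an unsigned non-apex DNSKEY will now fail verification where they previously passed, which deserves a sentence in the description. The @@ -955 hunk of this patch makes the matching change on the else-if and needs no separate note.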
@@ -955,9 +954,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node, if (rdataset.type > maxtype) { maxtype = rdataset.type; } - } else if (rdataset.type != dns_rdatatype_rrsig && - rdataset.type != dns_rdatatype_dnskey) - { + } else if (rdataset.type != dns_rdatatype_rrsig) { if (rdataset.type == dns_rdatatype_ns) { dns_nsec_setbit(types, rdataset.type, 1); if (rdataset.type > maxtype) { From b3efc15be429d940a98baa4715959071e2581502 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 17:01:07 +1100 Subject: [PATCH 3/7] Fail if there are non apex DNSKEYs DNSSEC only works when DNSKEYs are self signed. This only occurs when the DNSKEY RRset is at the apex. Cause dnssec-signzone to fail if it attempts to sign an non-apex DNSKEY RRset. --- bin/dnssec/dnssec-signzone.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 7b85464180..b38de8e942 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1167,7 +1167,7 @@ has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) { * Signs all records at a name. */ static void -signname(dns_dbnode_t *node, dns_name_t *name) { +signname(dns_dbnode_t *node, bool apex, dns_name_t *name) { isc_result_t result; dns_rdataset_t rdataset; dns_rdatasetiter_t *rdsiter; @@ -1218,6 +1218,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_name_format(name, namebuf, sizeof(namebuf)); fatal("'%s': found DS RRset without NS RRset\n", namebuf); + } else if (rdataset.type == dns_rdatatype_dnskey && !apex) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(name, namebuf, sizeof(namebuf)); + fatal("'%s': Non-apex DNSKEY RRset\n", namebuf); } signset(&del, &add, node, name, &rdataset); 
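Review bot: The comment above the signature, `* Signs all records at a name.`, says nothing about the new `apex` parameter, and a bare `true`/`false` wedged between two pointers at the call sites in the @@ -1537 and @@ -1666 hunks does not explain itself either. Adding `* 'apex' is true only for the zone apex node; a DNSKEY RRset anywhere else is fatal.` to that comment would cover it. Placing the flag last, `signname(dns_dbnode_t *node, dns_name_t *name, bool apex)`, would also leave the existing (node, name) pairing intact for readers of the callers. The rest of `signname` lies outside this hunk.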
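Review bot: The new `else if (rdataset.type == dns_rdatatype_dnskey && !apex)` aborts on any non-apex DNSKEY RRset that reaches it, including one obscured below a delegation, which is exactly the data the series adds to `unsigned.db`; it therefore relies on the delegation handling earlier in `signname` (outside this hunk) having already skipped obscured RRsets, and if that is not so, dnssec-signzone will fatal on the input the fix is meant to accept and the `verify` system test should show it. A comment stating that reliance and the reason would help the next reader: `/* Only the apex DNSKEY RRset is self-signed, so a DNSKEY RRset anywhere else can never validate (RFC 4035); obscured RRsets at a delegation must have been skipped before this point. */`. For consistency with the sibling message `found DS RRset without NS RRset`, consider `fatal("'%s': found non-apex DNSKEY RRset\n", namebuf);`.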
@@ -1537,7 +1541,7 @@ signapex(void) { check_result(result, "dns_dbiterator_seek()"); result = dns_dbiterator_current(gdbiter, &node, name); check_dns_dbiterator_current(result); - signname(node, name); + signname(node, true, name); dumpnode(name, node); dns_db_detachnode(gdb, &node); result = dns_dbiterator_first(gdbiter); @@ -1666,7 +1670,7 @@ assignwork(void *arg) { UNLOCK(&namelock); - signname(node, dns_fixedname_name(&fname)); + signname(node, false, dns_fixedname_name(&fname)); /*% * Write a node to the output file, and restart the worker task. From 122111f75e1c3d76b8620e3c3009be2a78e55424 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 12:22:21 +1100 Subject: [PATCH 4/7] Add regression test data for [GL #4517] An obscured DNSKEY RRset at a delegation was incorrectly added to the NSEC/NSEC3 type bit map leading to zone verification failures. This adds such a RRset to the test zone. --- bin/tests/system/verify/zones/unsigned.db | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/tests/system/verify/zones/unsigned.db b/bin/tests/system/verify/zones/unsigned.db index 1e7cd2b677..7febeefc33 100644 --- a/bin/tests/system/verify/zones/unsigned.db +++ b/bin/tests/system/verify/zones/unsigned.db @@ -26,4 +26,6 @@ secure NS secure secure DS 1312 50 100 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 secure A 1.2.3.4 secure AAAA 2002::1.2.3.4 +; obscured DNSKEY, regression test for [GL #4517] +secure DNSKEY 256 3 3 VGhpcyBzaG9ydCBzbmlwcGV0IG9mIHRleHQgaXMgc2FkIGFuZCBtZWFuaW5nbGVzcy4K out-of-zone. A 1.2.3.4 From 315ad2df7adc7ff36ed435490fec067f11680b31 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 14:58:37 +1100 Subject: [PATCH 5/7] Remove invalid DNSKEY RRset from zone --- bin/tests/system/dnssec/ns3/secure.example.db.in | 1 - bin/tests/system/dnssec/tests.sh | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in index 883e06790b..b82b280219 100644 --- a/bin/tests/system/dnssec/ns3/secure.example.db.in +++ b/bin/tests/system/dnssec/ns3/secure.example.db.in @@ -30,7 +30,6 @@ g A 10.0.0.7 z A 10.0.0.26 a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 x CNAME a -zz DNSKEY 258 3 5 Cg== private NS ns.private ns.private A 10.53.0.2 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index ffbba1b033..413af09f7f 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3905,9 +3905,9 @@ ret=0 dig_with_opts any x.insecure.example. @10.53.0.3 >dig.out.ns3.1.test$n || ret=1 grep "status: NOERROR" dig.out.ns3.1.test$n >/dev/null || ret=1 grep "ANSWER: 0," dig.out.ns3.1.test$n >/dev/null || ret=1 -dig_with_opts any zz.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 +dig_with_opts any z.secure.example. @10.53.0.3 >dig.out.ns3.2.test$n || ret=1 grep "status: NOERROR" dig.out.ns3.2.test$n >/dev/null || ret=1 -# DNSKEY+RRSIG, NSEC+RRSIG +# A+RRSIG, NSEC+RRSIG grep "ANSWER: 4," dig.out.ns3.2.test$n >/dev/null || ret=1 n=$((n + 1)) test "$ret" -eq 0 || echo_i "failed" From dd13f41ae193e9f597ac4d18cfb4daf64714907a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 15:20:09 +1100 Subject: [PATCH 6/7] Don't sign non-apex DNSKEY records DNSKEY can only be validated if it is signed by itself. Stop attempting to sign non apex DNSKEY RRsets. --- bin/tests/system/doth/example.axfr.good | 2 +- bin/tests/system/doth/example8.axfr.good | 2 +- bin/tests/system/genzone.sh | 2 +- bin/tests/system/xfer/dig1.good | 2 +- bin/tests/system/xfer/dig2.good | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/tests/system/doth/example.axfr.good b/bin/tests/system/doth/example.axfr.good index 581a0c5cd3..176c824f4a 100644 --- a/bin/tests/system/doth/example.axfr.good +++ b/bin/tests/system/doth/example.axfr.good 
@@ -1,5 +1,6 @@ example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600 example. 3600 IN NS ns2.example. +example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= a01.example. 3600 IN A 0.0.0.0 a02.example. 3600 IN A 255.255.255.255 a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff @@ -2541,7 +2542,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example. 3600 IN DNAME dname-target. dname02.example. 3600 IN DNAME dname-target.example. dname03.example. 3600 IN DNAME . -dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example. 3600 IN NS ns42.example. diff --git a/bin/tests/system/doth/example8.axfr.good b/bin/tests/system/doth/example8.axfr.good index fe00a90577..97b05323d7 100644 --- a/bin/tests/system/doth/example8.axfr.good +++ b/bin/tests/system/doth/example8.axfr.good 
@@ -1,5 +1,6 @@ example8. 86400 IN SOA ns2.example8. hostmaster.example8. 1397051952 5 5 1814400 3600 example8. 3600 IN NS ns2.example8. +example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= a01.example8. 3600 IN A 0.0.0.0 a02.example8. 3600 IN A 255.255.255.255 a601.example8. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff @@ -2541,7 +2542,6 @@ dlv.example8. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example8. 3600 IN DNAME dname-target. dname02.example8. 3600 IN DNAME dname-target.example8. dname03.example8. 3600 IN DNAME . -dnskey01.example8. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example8. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example8. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example8. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh index 13ac32f1ea..40bf221a3b 100644 --- a/bin/tests/system/genzone.sh +++ b/bin/tests/system/genzone.sh @@ -277,7 +277,7 @@ nsec03 NSEC . TYPE1 nsec04 NSEC . TYPE127 ; type 48 -dnskey01 DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY +@ DNSKEY 512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY 9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKV sENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esg a60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= ) 
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good index 4908f8ed1d..27285100d7 100644 --- a/bin/tests/system/xfer/dig1.good +++ b/bin/tests/system/xfer/dig1.good @@ -1,6 +1,7 @@ example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600 example. 3600 IN NS ns2.example. example. 3600 IN NS ns3.example. +example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= a01.example. 3600 IN A 0.0.0.0 a02.example. 3600 IN A 255.255.255.255 a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff @@ -42,7 +43,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example. 3600 IN DNAME dname-target. dname02.example. 3600 IN DNAME dname-target.example. dname03.example. 3600 IN DNAME . -dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example. 3600 IN DS 12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13 diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good index 4993815af8..5b1d93d09c 100644 --- a/bin/tests/system/xfer/dig2.good +++ b/bin/tests/system/xfer/dig2.good 
@@ -1,6 +1,7 @@ example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600 example. 3600 IN NS ns2.example. example. 3600 IN NS ns3.example. +example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= a01.example. 3600 IN A 0.0.0.1 a02.example. 3600 IN A 255.255.255.255 a601.example. 3600 IN A6 0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff @@ -42,7 +43,6 @@ dlv.example. 3600 IN DLV 30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9 dname01.example. 3600 IN DNAME dname-target. dname02.example. 3600 IN DNAME dname-target.example. dname03.example. 3600 IN DNAME . -dnskey01.example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8= doa01.example. 3600 IN DOA 1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7 doa02.example. 3600 IN DOA 0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8= ds01.example. 3600 IN NS ns42.example. From e4dbf4be8e6c305687bb7f2cc9035979a8f9d108 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2024 12:28:28 +1100 Subject: [PATCH 7/7] Add CHANGES note for [GL #4517] --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 333f0e7d1f..7802216b8a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,7 @@ +6389. [bug] dnssec-verify and dnssec-signzone could fail if there + was an obscured DNSKEY RRset at a delegatation. + [GL #4517] + 6388. [placeholder] 6387. [func] Added a new statistics variable "recursive high-water"