upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 21:10:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Force set DS state after 'rndc dnssec -checkds'

Browse source 
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.
This commit is contained in:
Matthijs Mekking 2023-01-25 16:36:48 +01:00
parent 837da85ef7
commit ee42f66fbe
2 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
bin/tests/system/kasp/tests.sh
View file

@ -550,15 +550,23 @@ _wait_for_metadata() {
n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
# DS State should be forced into RUMOURED.
set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
# DS State should be forced into UNRETENTIVE.
set_keystate "KEY1" "STATE_DS" "unretentive"
check_keys
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

10
lib/dns/keymgr.c
View file

@ -2273,9 +2273,19 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
}
if (dspublish) {
dst_key_state_t s;
dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when);
result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
if (result != ISC_R_SUCCESS || s != RUMOURED) {
dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED);
}
} else {
dst_key_state_t s;
dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when);
result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s);
if (result != ISC_R_SUCCESS || s != UNRETENTIVE) {
dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE);
}
}
if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) {