From 72c201733cc5a9722ec882c88e9f650197f84ed2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Thu, 14 Feb 2019 11:03:35 +0100
Subject: [PATCH 1/2] Do not check SEP bit for mirror zone trust anchors

When a mirror zone is verified, the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() is set to false. This means that in order for its verification to succeed, a mirror zone needs to have at least one key with the SEP bit set configured as a trust anchor. This brings no security benefit and prevents zones signed only using keys without the SEP bit set from being mirrored, so change the value of the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
---
 bin/tests/system/mirror/ns2/named.conf.in | 5 +++++
 bin/tests/system/mirror/ns2/sign.sh | 12 ++++++++++++
 bin/tests/system/mirror/ns3/named.conf.in | 6 ++++++
 bin/tests/system/mirror/tests.sh | 14 +++++++++++++-
 lib/dns/zone.c | 2 +-
 5 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in
index 1b616e52a8..f3e78c4569 100644
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -55,6 +55,11 @@ zone "verify-axfr" {
 file "verify-axfr.db.signed";
 };

+zone "verify-csk" {
+ type master;
+ file "verify-csk.db.signed";
+};
+
 zone "verify-ixfr" {
 type master;
 file "verify-ixfr.db.signed";
diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh
index 57df68db1b..140ebb9403 100644
--- a/bin/tests/system/mirror/ns2/sign.sh
+++ b/bin/tests/system/mirror/ns2/sign.sh
@@ -32,6 +32,18 @@ done
 # the "root" zone on ns1.
 keys_to_trust="$keys_to_trust $keyname1"

+# Prepare a zone signed using a Combined Signing Key (CSK) without the SEP bit
+# set and add that key to the list of keys to trust.
+zone=verify-csk
+infile=verify.db.in
+zonefile=verify-csk.db
+
+keyname=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
+cat $infile $keyname.key > $zonefile
+$SIGNER -P -o $zone $zonefile > /dev/null
+keys_to_trust="$keys_to_trust $keyname"
+
+# Prepare remaining zones used in the test.
 ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
 UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
 UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in
index edf6a21702..e851b8cbf1 100644
--- a/bin/tests/system/mirror/ns3/named.conf.in
+++ b/bin/tests/system/mirror/ns3/named.conf.in
@@ -56,6 +56,12 @@ zone "verify-axfr" {
 file "verify-axfr.db.mirror";
 };

+zone "verify-csk" {
+ type mirror;
+ masters { 10.53.0.2; };
+ file "verify-csk.db.mirror";
+};
+
 zone "verify-ixfr" {
 type mirror;
 masters { 10.53.0.2; };
diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh
index b0203341c1..d4ed7d3ad2 100644
--- a/bin/tests/system/mirror/tests.sh
+++ b/bin/tests/system/mirror/tests.sh
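Review bot: The `-P` on the new `$SIGNER -P -o $zone $zonefile > /dev/null` line is load-bearing and undocumented: it disables dnssec-signzone's post-sign verification, which would presumably refuse a zone whose only key lacks the SEP bit, and producing exactly that zone is the point of this fixture. A one-line comment would keep a later cleanup from dropping it: `# -P: skip post-sign verification, which expects an SEP-flagged key; this zone deliberately has none.` The `keyname=\`$KEYGEN -a RSASHA256 $zone 2> /dev/null\`` line follows the existing unchecked pattern from the keys above it, so if keygen fails `keyname` is empty, `cat` reads a nonexistent `.key`, and the problem only surfaces later as a confusing transfer failure in tests.sh; `test -n "$keyname" || exit 1` after it would make the fixture fail fast.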
@@ -92,11 +92,23 @@ wait_for_transfer verify-untrusted
 $DIG $DIGOPTS @10.53.0.3 +norec verify-untrusted SOA > dig.out.ns3.test$n 2>&1 || ret=1
 grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
 grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted KSK DNSKEY found" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-untrusted.*No trusted DNSKEY found" > /dev/null || ret=1
 nextpartpeek ns3/named.run | grep "verify-untrusted.*mirror zone is now in use" > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo_i "checking that a mirror zone signed using a CSK without the SEP bit set is accepted ($n)"
+ret=0
+nextpartreset ns3/named.run
+wait_for_transfer verify-csk
+$DIG $DIGOPTS @10.53.0.3 +norec verify-csk SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
+grep "${ORIGINAL_SERIAL}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "verify-csk.*mirror zone is now in use" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking that an AXFR of an incorrectly signed mirror zone is rejected ($n)"
 ret=0
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 7504c0c087..467ad4ae54 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -19816,7 +19816,7 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
 origin = dns_db_origin(db);
 result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
- zone->mctx, false, false);
+ zone->mctx, true, false);
 done:
 if (secroots != NULL) {

From 2b19b8511a24fca8a6051aefbcf1ba7a89109254 Mon Sep 17 00:00:00 2001
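Review bot: The expected log text on the replaced `nextpartpeek` line changes from `No trusted KSK DNSKEY found` to `No trusted DNSKEY found`, yet nothing in this patch touches the code that emits it; the new wording presumably comes from an existing message that dns_zoneverify_dnssec() selects when 'ignore_kskflag' is true, so the exact string should be confirmed against that code before this lands. The new verify-csk case exercises only the accept path, and it passes because the non-SEP key is added to keys_to_trust in ns2/sign.sh and presumably reaches ns3's trust anchors; the existing verify-untrusted case just above is what guards against a zone with no trusted key being accepted. A short comment above the new `echo_i` line, such as `# Negative case (no trust anchor at all) is covered by verify-untrusted above.`, would document why no rejecting counterpart was added. The script continues on both sides of the hunk.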
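Review bot: The changed call `zone->mctx, true, false);` passes two bare booleans, so a reader cannot tell which one is 'ignore_kskflag' or why it is now true without digging up the commit message; a call-site comment would carry the rationale into the code, e.g. `/* ignore_kskflag = true: any key in secroots may anchor a mirror zone, whether or not it carries the SEP bit (GL #873). */`. The security argument in the description holds only because trust still rests entirely on the keys in secroots, which the hunk shows being passed in, and that is the invariant worth stating in the comment so a later change to how secroots is populated is reviewed with it in mind. The second boolean is not named anywhere on the page, so the comment should name it as well once checked against the prototype. dns_zone_verifydb() begins and ends outside the hunk.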
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Thu, 14 Feb 2019 11:03:35 +0100
Subject: [PATCH 2/2] Add CHANGES entry

5161. [bug] Do not require the SEP bit to be set for mirror zone trust anchors. [GL #873]
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 1935e04e23..804533ab38 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5161. [bug] Do not require the SEP bit to be set for mirror zone
+ trust anchors. [GL #873]
+
 5160. [contrib] Added DNAME support to the DLZ LDAP schema. Also fixed a compilation bug affecting several DLZ modules. [GL #872]