|
|
a2a915 |
From c705a3eac69286b47a70b851aa5dd9119d04512f Mon Sep 17 00:00:00 2001
|
|
|
a2a915 |
From: Petr Mensik <pemensik@redhat.com>
|
|
|
a2a915 |
Date: Tue, 23 Jul 2019 16:43:55 +0200
|
|
|
a2a915 |
Subject: [PATCH] Fix CVE-2018-5745
|
|
|
a2a915 |
|
|
|
a2a915 |
Squashed commit of the following:
|
|
|
a2a915 |
|
|
|
a2a915 |
commit c38e1dd10567e246bb802d889c3b2d2d286c7616
|
|
|
a2a915 |
Author: Evan Hunt <each@isc.org>
|
|
|
a2a915 |
Date: Fri Dec 21 17:24:47 2018 -0800
|
|
|
a2a915 |
|
|
|
a2a915 |
use algorithm 255 for both unsupported keys
|
|
|
a2a915 |
|
|
|
a2a915 |
(cherry picked from commit de8b2d4a6a97bb2ddf19024918581e70512ebc41)
|
|
|
a2a915 |
|
|
|
a2a915 |
commit caf8a62270c850fbc59cfa6bb9dcedb2ef7228c2
|
|
|
a2a915 |
Author: Matthijs Mekking <matthijs@isc.org>
|
|
|
a2a915 |
Date: Wed Dec 19 18:45:43 2018 +0100
|
|
|
a2a915 |
|
|
|
a2a915 |
Add tests for mkeys with unsupported algorithm
|
|
|
a2a915 |
|
|
|
a2a915 |
These tests check if a key with an unsupported algorithm in
|
|
|
a2a915 |
managed-keys is ignored and when seeing an algorithm rollover to
|
|
|
a2a915 |
an unsupported algorithm, the new key will be ignored too.
|
|
|
a2a915 |
|
|
|
a2a915 |
(cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9)
|
|
|
a2a915 |
(cherry picked from commit 8c2a8ca50946449bf26a7e0843cc5e54e36071ae)
|
|
|
a2a915 |
|
|
|
a2a915 |
commit 634655f38385595fb9a35e93ec3a72ed4c48bda6
|
|
|
a2a915 |
Author: Matthijs Mekking <matthijs@isc.org>
|
|
|
a2a915 |
Date: Wed Dec 19 18:47:43 2018 +0100
|
|
|
a2a915 |
|
|
|
a2a915 |
Update keyfetch_done compute_tag check
|
|
|
a2a915 |
|
|
|
a2a915 |
If in keyfetch_done the compute_tag fails (because for example the
|
|
|
a2a915 |
algorithm is not supported), don't crash, but instead ignore the
|
|
|
a2a915 |
key.
|
|
|
a2a915 |
|
|
|
a2a915 |
(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
|
|
|
a2a915 |
(cherry picked from commit 8f64928e2eb9395d8cdcd62183a1eaec3b1c5256)
|
|
|
a2a915 |
|
|
|
a2a915 |
commit e5cb28c3f3df4c37d528665e67fb460cc1662259
|
|
|
a2a915 |
Author: Matthijs Mekking <github@pletterpet.nl>
|
|
|
a2a915 |
Date: Wed Dec 12 14:06:10 2018 +0100
|
|
|
a2a915 |
|
|
|
a2a915 |
Don't free key in compute_tag in case of failure
|
|
|
a2a915 |
|
|
|
a2a915 |
If `dns_dnssec_keyfromrdata` failed we don't need to call
|
|
|
a2a915 |
`dst_key_free` because no `dstkey` was created. Doing so
|
|
|
a2a915 |
nevertheless will result in an assertion failure.
|
|
|
a2a915 |
|
|
|
a2a915 |
This can happen if the key uses an unsupported algorithm.
|
|
|
a2a915 |
|
|
|
a2a915 |
(cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69)
|
|
|
a2a915 |
(cherry picked from commit acae423ef4274c5535da324da78ce1441628d5f6)
|
|
|
a2a915 |
---
|
|
|
a2a915 |
bin/tests/system/mkeys/README | 3 +
|
|
|
a2a915 |
bin/tests/system/mkeys/clean.sh | 2 +
|
|
|
a2a915 |
bin/tests/system/mkeys/ns1/root.db | 20 +++----
|
|
|
a2a915 |
bin/tests/system/mkeys/ns1/sign.sh | 7 ++-
|
|
|
a2a915 |
bin/tests/system/mkeys/ns1/unsupported.key | 1 +
|
|
|
a2a915 |
bin/tests/system/mkeys/ns6/named.args | 1 +
|
|
|
a2a915 |
bin/tests/system/mkeys/ns6/named.conf.in | 43 +++++++++++++++
|
|
|
a2a915 |
bin/tests/system/mkeys/ns6/setup.sh | 30 ++++++++++
|
|
|
a2a915 |
.../system/mkeys/ns6/unsupported-managed.key | 1 +
|
|
|
a2a915 |
bin/tests/system/mkeys/ns7/named.conf.in | 50 +++++++++++++++++
|
|
|
a2a915 |
bin/tests/system/mkeys/setup.sh | 1 +
|
|
|
a2a915 |
bin/tests/system/mkeys/tests.sh | 55 +++++++++++++++++++
|
|
|
a2a915 |
lib/dns/include/dst/dst.h | 3 +-
|
|
|
a2a915 |
lib/dns/zone.c | 27 ++++++++-
|
|
|
a2a915 |
14 files changed, 229 insertions(+), 15 deletions(-)
|
|
|
a2a915 |
create mode 100644 bin/tests/system/mkeys/ns1/unsupported.key
|
|
|
a2a915 |
create mode 100644 bin/tests/system/mkeys/ns6/named.args
|
|
|
a2a915 |
create mode 100644 bin/tests/system/mkeys/ns6/named.conf.in
|
|
|
a2a915 |
create mode 100644 bin/tests/system/mkeys/ns6/setup.sh
|
|
|
a2a915 |
create mode 100644 bin/tests/system/mkeys/ns6/unsupported-managed.key
|
|
|
a2a915 |
create mode 100644 bin/tests/system/mkeys/ns7/named.conf.in
|
|
|
a2a915 |
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README
|
|
|
a2a915 |
index 700e6c21ca..257ef5406f 100644
|
|
|
a2a915 |
--- a/bin/tests/system/mkeys/README
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/README
|
|
|
a2a915 |
@@ -16,3 +16,6 @@ ns3 is a validator with a broken key in managed-keys.
|
|
|
a2a915 |
|
|
|
a2a915 |
ns5 is a validator which is prevented from getting a response from the
|
|
|
a2a915 |
root server, causing key refresh queries to fail.
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+ns6 is a validator which has unsupported algorithms, one at start up,
|
|
|
a2a915 |
+one because of an algorithm rollover.
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
|
|
|
a2a915 |
index 17bd50f273..844d813eb4 100644
|
|
|
a2a915 |
--- a/bin/tests/system/mkeys/clean.sh
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/clean.sh
|
|
|
a2a915 |
@@ -11,6 +11,7 @@
|
|
|
a2a915 |
|
|
|
a2a915 |
rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
|
|
|
a2a915 |
rm -f dsset-. ns1/dsset-.
|
|
|
a2a915 |
+rm -f ns1/zone.key
|
|
|
a2a915 |
rm -f ns*/named.lock
|
|
|
a2a915 |
rm -f */managed-keys.bind* */named.secroots
|
|
|
a2a915 |
rm -f */managed.conf ns1/managed.key ns1/managed.key.id
|
|
|
a2a915 |
@@ -19,3 +20,4 @@ rm -f dig.out* delv.out* rndc.out* signer.out*
|
|
|
a2a915 |
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
|
|
|
a2a915 |
rm -f */named.conf
|
|
|
a2a915 |
rm -f ns5/named.args
|
|
|
a2a915 |
+rm -f ns7/view1.mkeys ns7/view2.mkeys
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
|
|
|
a2a915 |
index 6ba922af09..0070f13942 100644
|
|
|
a2a915 |
--- a/bin/tests/system/mkeys/ns1/root.db
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns1/root.db
|
|
|
a2a915 |
@@ -8,16 +8,16 @@
|
|
|
a2a915 |
; information regarding copyright ownership.
|
|
|
a2a915 |
|
|
|
a2a915 |
$TTL 20
|
|
|
a2a915 |
-. IN SOA gson.nominum.com. a.root.servers.nil. (
|
|
|
a2a915 |
- 2000042100 ; serial
|
|
|
a2a915 |
- 600 ; refresh
|
|
|
a2a915 |
- 600 ; retry
|
|
|
a2a915 |
- 1200 ; expire
|
|
|
a2a915 |
- 2 ; minimum
|
|
|
a2a915 |
- )
|
|
|
a2a915 |
-. NS a.root-servers.nil.
|
|
|
a2a915 |
-a.root-servers.nil. A 10.53.0.1
|
|
|
a2a915 |
+. IN SOA gson.nominum.com. a.root.servers.nil. (
|
|
|
a2a915 |
+ 2000042100 ; serial
|
|
|
a2a915 |
+ 600 ; refresh
|
|
|
a2a915 |
+ 600 ; retry
|
|
|
a2a915 |
+ 1200 ; expire
|
|
|
a2a915 |
+ 2 ; minimum
|
|
|
a2a915 |
+ )
|
|
|
a2a915 |
+. NS a.root-servers.nil.
|
|
|
a2a915 |
+a.root-servers.nil. A 10.53.0.1
|
|
|
a2a915 |
|
|
|
a2a915 |
; no delegation
|
|
|
a2a915 |
|
|
|
a2a915 |
-example. TXT "This is a test."
|
|
|
a2a915 |
+example. TXT "This is a test."
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
|
|
|
a2a915 |
index ccc7889ad9..e5e7ec05d6 100644
|
|
|
a2a915 |
--- a/bin/tests/system/mkeys/ns1/sign.sh
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns1/sign.sh
|
|
|
a2a915 |
@@ -25,13 +25,18 @@ keyfile_to_managed_keys $keyname > managed.conf
|
|
|
a2a915 |
cp managed.conf ../ns2/managed.conf
|
|
|
a2a915 |
cp managed.conf ../ns5/managed.conf
|
|
|
a2a915 |
|
|
|
a2a915 |
-# Configure a trusted key statement (used by delv)
|
|
|
a2a915 |
+# Configure a trusted key statement (used by delv).
|
|
|
a2a915 |
keyfile_to_trusted_keys $keyname > trusted.conf
|
|
|
a2a915 |
|
|
|
a2a915 |
+# Prepare an unsupported algorithm key.
|
|
|
a2a915 |
+unsupportedkey=Kunknown.+255+00000
|
|
|
a2a915 |
+cp unsupported.key "${unsupportedkey}.key"
|
|
|
a2a915 |
+
|
|
|
a2a915 |
#
|
|
|
a2a915 |
# Save keyname and keyid for managed key id test.
|
|
|
a2a915 |
#
|
|
|
a2a915 |
echo "$keyname" > managed.key
|
|
|
a2a915 |
+echo "$zskkeyname" > zone.key
|
|
|
a2a915 |
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
|
|
|
a2a915 |
keyid=`expr $keyid + 0`
|
|
|
a2a915 |
echo "$keyid" > managed.key.id
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key
|
|
|
a2a915 |
new file mode 100644
|
|
|
a2a915 |
index 0000000000..7435d03b63
|
|
|
a2a915 |
--- /dev/null
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns1/unsupported.key
|
|
|
a2a915 |
@@ -0,0 +1 @@
|
|
|
a2a915 |
+. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args
|
|
|
a2a915 |
new file mode 100644
|
|
|
a2a915 |
index 0000000000..02f8f670f6
|
|
|
a2a915 |
--- /dev/null
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns6/named.args
|
|
|
a2a915 |
@@ -0,0 +1 @@
|
|
|
a2a915 |
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in
|
|
|
a2a915 |
new file mode 100644
|
|
|
a2a915 |
index 0000000000..8d76f7f2e7
|
|
|
a2a915 |
--- /dev/null
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns6/named.conf.in
|
|
|
a2a915 |
@@ -0,0 +1,43 @@
|
|
|
a2a915 |
+/*
|
|
|
a2a915 |
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
a2a915 |
+ *
|
|
|
a2a915 |
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
a2a915 |
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
a2a915 |
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
a2a915 |
+ *
|
|
|
a2a915 |
+ * See the COPYRIGHT file distributed with this work for additional
|
|
|
a2a915 |
+ * information regarding copyright ownership.
|
|
|
a2a915 |
+ */
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+// NS6
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+options {
|
|
|
a2a915 |
+ query-source address 10.53.0.6;
|
|
|
a2a915 |
+ notify-source 10.53.0.6;
|
|
|
a2a915 |
+ transfer-source 10.53.0.6;
|
|
|
a2a915 |
+ port @PORT@;
|
|
|
a2a915 |
+ pid-file "named.pid";
|
|
|
a2a915 |
+ listen-on { 10.53.0.6; };
|
|
|
a2a915 |
+ listen-on-v6 { none; };
|
|
|
a2a915 |
+ recursion yes;
|
|
|
a2a915 |
+ notify no;
|
|
|
a2a915 |
+ dnssec-enable yes;
|
|
|
a2a915 |
+ dnssec-validation yes;
|
|
|
a2a915 |
+ trust-anchor-telemetry no;
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+key rndc_key {
|
|
|
a2a915 |
+ secret "1234abcd8765";
|
|
|
a2a915 |
+ algorithm hmac-sha256;
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+controls {
|
|
|
a2a915 |
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+zone "." {
|
|
|
a2a915 |
+ type hint;
|
|
|
a2a915 |
+ file "../../common/root.hint";
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+include "managed.conf";
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
|
|
|
a2a915 |
new file mode 100644
|
|
|
a2a915 |
index 0000000000..5ba1647da5
|
|
|
a2a915 |
--- /dev/null
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns6/setup.sh
|
|
|
a2a915 |
@@ -0,0 +1,30 @@
|
|
|
a2a915 |
+#!/bin/sh -e
|
|
|
a2a915 |
+#
|
|
|
a2a915 |
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
a2a915 |
+#
|
|
|
a2a915 |
+# This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
a2a915 |
+# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
a2a915 |
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
a2a915 |
+#
|
|
|
a2a915 |
+# See the COPYRIGHT file distributed with this work for additional
|
|
|
a2a915 |
+# information regarding copyright ownership.
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+SYSTEMTESTTOP=../..
|
|
|
a2a915 |
+. $SYSTEMTESTTOP/conf.sh
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+zone=.
|
|
|
a2a915 |
+zonefile=root.db
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+# an RSA key
|
|
|
a2a915 |
+rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+# a key with unsupported algorithm
|
|
|
a2a915 |
+unsupportedkey=Kunknown.+255+00000
|
|
|
a2a915 |
+cp unsupported-managed.key "${unsupportedkey}.key"
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+# root key
|
|
|
a2a915 |
+rootkey=`cat ../ns1/managed.key`
|
|
|
a2a915 |
+cp "../ns1/${rootkey}.key" .
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+# Configure the resolving server with a managed trusted key.
|
|
|
a2a915 |
+keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key
|
|
|
a2a915 |
new file mode 100644
|
|
|
a2a915 |
index 0000000000..be872a00f0
|
|
|
a2a915 |
--- /dev/null
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key
|
|
|
a2a915 |
@@ -0,0 +1 @@
|
|
|
a2a915 |
+unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
|
|
|
a2a915 |
new file mode 100644
|
|
|
a2a915 |
index 0000000000..a9aba00733
|
|
|
a2a915 |
--- /dev/null
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/ns7/named.conf.in
|
|
|
a2a915 |
@@ -0,0 +1,50 @@
|
|
|
a2a915 |
+/*
|
|
|
a2a915 |
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
|
a2a915 |
+ *
|
|
|
a2a915 |
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
a2a915 |
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
a2a915 |
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
a2a915 |
+ *
|
|
|
a2a915 |
+ * See the COPYRIGHT file distributed with this work for additional
|
|
|
a2a915 |
+ * information regarding copyright ownership.
|
|
|
a2a915 |
+ */
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+// NS7
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+options {
|
|
|
a2a915 |
+ query-source address 10.53.0.7;
|
|
|
a2a915 |
+ notify-source 10.53.0.7;
|
|
|
a2a915 |
+ transfer-source 10.53.0.7;
|
|
|
a2a915 |
+ port @PORT@;
|
|
|
a2a915 |
+ pid-file "named.pid";
|
|
|
a2a915 |
+ listen-on { 10.53.0.7; };
|
|
|
a2a915 |
+ listen-on-v6 { none; };
|
|
|
a2a915 |
+ recursion yes;
|
|
|
a2a915 |
+ notify no;
|
|
|
a2a915 |
+ dnssec-enable yes;
|
|
|
a2a915 |
+ dnssec-validation auto;
|
|
|
a2a915 |
+ bindkeys-file "managed.conf";
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+key rndc_key {
|
|
|
a2a915 |
+ secret "1234abcd8765";
|
|
|
a2a915 |
+ algorithm hmac-sha256;
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+controls {
|
|
|
a2a915 |
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+view view1 {
|
|
|
a2a915 |
+ zone "." {
|
|
|
a2a915 |
+ type hint;
|
|
|
a2a915 |
+ file "../../common/root.hint";
|
|
|
a2a915 |
+ };
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+view view2 {
|
|
|
a2a915 |
+ zone "." {
|
|
|
a2a915 |
+ type hint;
|
|
|
a2a915 |
+ file "../../common/root.hint";
|
|
|
a2a915 |
+ };
|
|
|
a2a915 |
+};
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
|
|
|
a2a915 |
index bd3169f9b6..100a86959b 100644
|
|
|
a2a915 |
--- a/bin/tests/system/mkeys/setup.sh
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/setup.sh
|
|
|
a2a915 |
@@ -25,3 +25,4 @@ copy_setports ns5/named.conf.in ns5/named.conf
|
|
|
a2a915 |
cp ns5/named1.args ns5/named.args
|
|
|
a2a915 |
|
|
|
a2a915 |
( cd ns1 && $SHELL sign.sh )
|
|
|
a2a915 |
+( cd ns6 && $SHELL setup.sh )
|
|
|
a2a915 |
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
|
|
|
a2a915 |
index f65f49e98d..b8410902d7 100644
|
|
|
a2a915 |
--- a/bin/tests/system/mkeys/tests.sh
|
|
|
a2a915 |
+++ b/bin/tests/system/mkeys/tests.sh
|
|
|
a2a915 |
@@ -701,6 +701,8 @@ rm -f ns1/root.db.signed.jnl
|
|
|
a2a915 |
nextpart ns5/named.run > /dev/null
|
|
|
a2a915 |
mkeys_reconfig_on 1
|
|
|
a2a915 |
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
|
|
|
a2a915 |
+#mkeys_secroots_on 5
|
|
|
a2a915 |
+#grep '; managed' ns5/named.secroots > /dev/null || ret=1
|
|
|
a2a915 |
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
|
|
|
a2a915 |
# correctly refreshed and resolving should succeed
|
|
|
a2a915 |
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
|
|
|
a2a915 |
@@ -710,5 +712,58 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
|
|
|
a2a915 |
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
a2a915 |
status=`expr $status + $ret`
|
|
|
a2a915 |
|
|
|
a2a915 |
+echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
|
|
|
a2a915 |
+ret=0
|
|
|
a2a915 |
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
|
|
|
a2a915 |
+rm -f ns6/managed-keys.bind*
|
|
|
a2a915 |
+nextpart ns6/named.run > /dev/null
|
|
|
a2a915 |
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
|
|
|
a2a915 |
+# log when an unsupported algorithm is encountered during startup
|
|
|
a2a915 |
+wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
|
|
|
a2a915 |
+if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
a2a915 |
+status=`expr $status + $ret`
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+n=`expr $n + 1`
|
|
|
a2a915 |
+echo_i "skipping unsupported algorithm in managed-keys ($n)"
|
|
|
a2a915 |
+ret=0
|
|
|
a2a915 |
+mkeys_status_on 6 > rndc.out.$n 2>&1
|
|
|
a2a915 |
+# there should still be only two keys listed (for . and rsasha256.)
|
|
|
a2a915 |
+count=`grep -c "keyid: " rndc.out.$n`
|
|
|
a2a915 |
+[ "$count" -eq 2 ] || ret=1
|
|
|
a2a915 |
+# two lines indicating trust status
|
|
|
a2a915 |
+count=`grep -c "trust" rndc.out.$n`
|
|
|
a2a915 |
+[ "$count" -eq 2 ] || ret=1
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+n=`expr $n + 1`
|
|
|
a2a915 |
+echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
|
|
|
a2a915 |
+ret=0
|
|
|
a2a915 |
+cp ns1/root.db ns1/root.db.orig
|
|
|
a2a915 |
+ksk=`cat ns1/managed.key`
|
|
|
a2a915 |
+zsk=`cat ns1/zone.key`
|
|
|
a2a915 |
+cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
|
|
|
a2a915 |
+grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
|
|
|
a2a915 |
+$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
|
|
|
a2a915 |
+grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
|
|
|
a2a915 |
+cp ns1/root.db.orig ns1/root.db
|
|
|
a2a915 |
+if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
a2a915 |
+status=`expr $status + $ret`
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+n=`expr $n + 1`
|
|
|
a2a915 |
+echo_i "skipping unsupported algorithm in rollover ($n)"
|
|
|
a2a915 |
+ret=0
|
|
|
a2a915 |
+mkeys_reload_on 1
|
|
|
a2a915 |
+mkeys_refresh_on 6
|
|
|
a2a915 |
+mkeys_status_on 6 > rndc.out.$n 2>&1
|
|
|
a2a915 |
+# there should still be only two keys listed (for . and rsasha256.)
|
|
|
a2a915 |
+count=`grep -c "keyid: " rndc.out.$n`
|
|
|
a2a915 |
+[ "$count" -eq 2 ] || ret=1
|
|
|
a2a915 |
+# two lines indicating trust status
|
|
|
a2a915 |
+count=`grep -c "trust" rndc.out.$n`
|
|
|
a2a915 |
+[ "$count" -eq 2 ] || ret=1
|
|
|
a2a915 |
+# log when an unsupported algorithm is encountered during rollover
|
|
|
a2a915 |
+wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
|
|
|
a2a915 |
+if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
|
a2a915 |
+status=`expr $status + $ret`
|
|
|
a2a915 |
+
|
|
|
a2a915 |
echo_i "exit status: $status"
|
|
|
a2a915 |
[ $status -eq 0 ] || exit 1
|
|
|
a2a915 |
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
|
|
a2a915 |
index e8c1a3c287..91f4a6e300 100644
|
|
|
a2a915 |
--- a/lib/dns/include/dst/dst.h
|
|
|
a2a915 |
+++ b/lib/dns/include/dst/dst.h
|
|
|
a2a915 |
@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_t;
|
|
|
a2a915 |
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
|
|
|
a2a915 |
#define DST_ALG_INDIRECT 252
|
|
|
a2a915 |
#define DST_ALG_PRIVATE 254
|
|
|
a2a915 |
-#define DST_ALG_EXPAND 255
|
|
|
a2a915 |
-#define DST_MAX_ALGS 255
|
|
|
a2a915 |
+#define DST_MAX_ALGS 256
|
|
|
a2a915 |
|
|
|
a2a915 |
/*% A buffer of this size is large enough to hold any key */
|
|
|
a2a915 |
#define DST_KEY_MAXSIZE 1280
|
|
|
a2a915 |
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
|
|
|
a2a915 |
index 055b2417eb..96c98d585c 100644
|
|
|
a2a915 |
--- a/lib/dns/zone.c
|
|
|
a2a915 |
+++ b/lib/dns/zone.c
|
|
|
a2a915 |
@@ -3903,9 +3903,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
|
|
|
a2a915 |
dns_rdatatype_dnskey, dnskey, &buffer);
|
|
|
a2a915 |
|
|
|
a2a915 |
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
|
|
|
a2a915 |
- if (result == ISC_R_SUCCESS)
|
|
|
a2a915 |
+ if (result == ISC_R_SUCCESS) {
|
|
|
a2a915 |
*tag = dst_key_id(dstkey);
|
|
|
a2a915 |
- dst_key_free(&dstkey);
|
|
|
a2a915 |
+ dst_key_free(&dstkey);
|
|
|
a2a915 |
+ }
|
|
|
a2a915 |
|
|
|
a2a915 |
return (result);
|
|
|
a2a915 |
}
|
|
|
a2a915 |
@@ -9364,6 +9365,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
|
|
|
a2a915 |
|
|
|
a2a915 |
dns_keydata_todnskey(&keydata, &dnskey, NULL);
|
|
|
a2a915 |
result = compute_tag(keyname, &dnskey, mctx, &keytag);
|
|
|
a2a915 |
+ if (result != ISC_R_SUCCESS) {
|
|
|
a2a915 |
+ /*
|
|
|
a2a915 |
+ * Skip if we cannot compute the key tag.
|
|
|
a2a915 |
+ * This may happen if the algorithm is unsupported
|
|
|
a2a915 |
+ */
|
|
|
a2a915 |
+ dns_zone_log(zone, ISC_LOG_ERROR,
|
|
|
a2a915 |
+ "Cannot compute tag for key in zone %s: %s "
|
|
|
a2a915 |
+ "(skipping)",
|
|
|
a2a915 |
+ namebuf, dns_result_totext(result));
|
|
|
a2a915 |
+ continue;
|
|
|
a2a915 |
+ }
|
|
|
a2a915 |
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
|
|
a2a915 |
|
|
|
a2a915 |
/*
|
|
|
a2a915 |
@@ -9475,6 +9487,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
|
|
|
a2a915 |
continue;
|
|
|
a2a915 |
|
|
|
a2a915 |
result = compute_tag(keyname, &dnskey, mctx, &keytag);
|
|
|
a2a915 |
+ if (result != ISC_R_SUCCESS) {
|
|
|
a2a915 |
+ /*
|
|
|
a2a915 |
+ * Skip if we cannot compute the key tag.
|
|
|
a2a915 |
+ * This may happen if the algorithm is unsupported
|
|
|
a2a915 |
+ */
|
|
|
a2a915 |
+ dns_zone_log(zone, ISC_LOG_ERROR,
|
|
|
a2a915 |
+ "Cannot compute tag for key in zone %s: %s "
|
|
|
a2a915 |
+ "(skipping)",
|
|
|
a2a915 |
+ namebuf, dns_result_totext(result));
|
|
|
a2a915 |
+ continue;
|
|
|
a2a915 |
+ }
|
|
|
a2a915 |
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
|
|
a2a915 |
|
|
|
a2a915 |
revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
|
|
|
a2a915 |
--
|
|
|
a2a915 |
2.20.1
|
|
|
a2a915 |
|