Subject: [PATCH] apply dnskey-kskonly logic to CDNSKEY and CDS
Date: Fri, 4 Aug 2017 14:24:20 +0100
To: bind9-bugs@isc.org
From: "Tony Finch" <dot@dotat.at>

I was surprised to see double signatures on CDS / CDNSKEY records when using `dnssec-signzone -x` - I thought the KSK signing behaviour should be the same for CDNSKEY / CDS as it is for DNSKEY. I would like to avoid them for CDNSKEY in particular, since I want to avoid sending large responses as much as I can.

--- bin/dnssec/dnssec-signzone.c | 8 ++++---- bin/dnssec/dnssec-signzone.docbook | 5 +++-- doc/arm/Bv9ARM-book.xml | 6 +++--- lib/dns/zone.c | 13 +++++++------ 4 files changed, 17 insertions(+), 15 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 4775955..5d278a1 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -659,7 +659,9 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, if (!issigningkey(key)) continue; - if (set->type == dns_rdatatype_dnskey && + if ((set->type == dns_rdatatype_cds || + set->type == dns_rdatatype_cdnskey || + set->type == dns_rdatatype_dnskey) && dns_name_equal(name, gorigin)) { isc_boolean_t have_ksk; dns_dnsseckey_t *tmpkey; @@ -680,9 +682,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, (iszsk(key) && !keyset_kskonly)) signwithkey(name, set, key->key, ttl, add, "signing with dnskey"); - } else if (set->type == dns_rdatatype_cds || - set->type == dns_rdatatype_cdnskey || - iszsk(key)) { + } else if (iszsk(key)) { signwithkey(name, set, key->key, ttl, add, "signing with dnskey"); } 
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 82089a9..79e5d25 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -705,8 +705,9 @@ -x - Only sign the DNSKEY RRset with key-signing keys, and omit - signatures from zone-signing keys. (This is similar to the + Only sign the DNSKEY, CDNSKEY, and CDS RRsets with + key-signing keys, and omit signatures from zone-signing + keys. (This is similar to the dnssec-dnskey-kskonly yes; zone option in named.) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 2c5ff64..c2f7add 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -7261,9 +7261,9 @@ options { When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used - to sign the DNSKEY RRset at the zone apex. Zone-signing - keys (keys without the KSK bit set) will be used to sign - the remainder of the zone, but not the DNSKEY RRset. + to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex. + Zone-signing keys (keys without the KSK bit set) will be used + to sign the remainder of the zone, but not the DNSKEY RRset. This is similar to the dnssec-signzone -x command line option. diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 2b56aff..248bf3d 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -6643,15 +6643,16 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node, if (rdataset.type == dns_rdatatype_soa || rdataset.type == dns_rdatatype_rrsig) goto next_rdataset; - if (rdataset.type == dns_rdatatype_dnskey) { + if (rdataset.type == dns_rdatatype_dnskey || + rdataset.type == dns_rdatatype_cdnskey || + rdataset.type == dns_rdatatype_cds) { + /* + * CDS and CDNSKEY are signed with KSK like DNSKEY + * (RFC 7344, 4.1). + */ if (!is_ksk && keyset_kskonly) goto next_rdataset; } else if (is_ksk) { - /* - * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1). - */ - if (rdataset.type != dns_rdatatype_cds && - rdataset.type != dns_rdatatype_cdnskey) goto next_rdataset; } if (*delegation && -- 2.10.1.445.g3cdd5d1
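Review bot: in the `@@ -659,7 +659,9 @@ signset` hunk of bin/dnssec/dnssec-signzone.c the branch now also covers `set->type == dns_rdatatype_cds || set->type == dns_rdatatype_cdnskey`, but the only explanation of why is the comment added in the zone.c hunk; put the same `/* CDS and CDNSKEY are signed with KSK like DNSKEY (RFC 7344, 4.1). */` above this condition so both signing paths document the rule. The `signwithkey(..., "signing with dnskey")` trace message inside this branch is now also emitted for CDS and CDNSKEY RRsets, so a type-neutral wording (or the covered type's name) would keep -v output accurate.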
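Review bot: the `@@ -680,9 +682,7 @@` hunk reduces the fallback to `} else if (iszsk(key)) {`, so a CDS or CDNSKEY RRset that is not at the apex (the new branch is gated by `dns_name_equal(name, gorigin)`) is now signed by ZSKs only, where before every signing key signed it. RFC 7344 defines CDS and CDNSKEY only at the apex, so this is harmless, but it is a behaviour change beyond the one the commit message describes and deserves a sentence there.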
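Review bot: the `@@ -7261,9 +7261,9 @@` hunk in doc/arm/Bv9ARM-book.xml leaves the paragraph contradicting itself: the first sentence now says KSKs sign "the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex", but the re-wrapped closing sentence still says zone-signing keys sign "the remainder of the zone, but not the DNSKEY RRset". Change it to "but not the DNSKEY, CDNSKEY, or CDS RRsets" so it matches the new behaviour and the dnssec-signzone.docbook wording.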
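Review bot: in the `@@ -6643,15 +6643,16 @@ sign_a_node` hunk of lib/dns/zone.c the KSK-only rule is applied by type alone (`rdataset.type == dns_rdatatype_cdnskey || rdataset.type == dns_rdatatype_cds`); nothing in the hunk restricts it to the apex, whereas the signset hunk in dnssec-signzone.c gates the same rule on `dns_name_equal(name, gorigin)`. Either add the apex check here as well or say in the commit message why named does not need it. The new comment "CDS and CDNSKEY are signed with KSK like DNSKEY (RFC 7344, 4.1)" would also be more useful if it stated what 4.1 requires: a signer present in both the DNSKEY RRset and the parent's DS RRset, which is why the KSK is the right key when dnssec-dnskey-kskonly is set.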
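An added example, not part of this patch or of the BIND sources: a Python audit that reads a signed zone file in presentation format, maps each apex DNSKEY to its RFC 4034 key tag, and reports the apex DNSKEY, CDNSKEY and CDS RRSIGs made by a key that is not a KSK, which is exactly the double signature the message describes; a second function removes those RRSIGs to show what `-x` saves from the response. Everything in SAMPLE_ZONE is constructed: the 4-byte public keys, the tags 2068 and 4123 derived from them, the CDS digest and the signature fields are placeholders, and the function and variable names are the example's own.

```python
"""Added example (not BIND code): check that the apex DNSKEY, CDNSKEY and CDS
RRsets are signed only by key-signing keys, as dnssec-signzone -x and named's
dnssec-dnskey-kskonly intend.  RFC 7344, 4.1 requires (initial enrollment aside) a
CDS/CDNSKEY signer present in both the DNSKEY RRset and the parent's DS, i.e. the KSK."""
import base64
from collections import defaultdict

APEX_KEY_SETS = {"DNSKEY", "CDNSKEY", "CDS"}

def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """A KSK is a zone key (flag 256) with the SEP bit (flag 1) set, i.e. 257."""
    return flags & 0x0101 == 0x0101

def parse_zone(text):
    """Yield (owner, rrtype, rdata fields).  Assumes one record per line with TTL
    and class present, as dnssec-signzone writes them; ';' comments are dropped."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if fields:
            yield fields[0].lower(), fields[3], fields[4:]

def apex_keys(records, origin):
    """Map key tag -> flags for every DNSKEY at the apex."""
    keys = {}
    for owner, rrtype, rdata in records:
        if owner == origin and rrtype == "DNSKEY":
            flags, protocol, algorithm = (int(x) for x in rdata[:3])
            keys[keytag(flags, protocol, algorithm,
                        base64.b64decode("".join(rdata[3:])))] = flags
    return keys

def zsk_signed_keyset(record, origin, keys):
    """True for an apex RRSIG over DNSKEY/CDNSKEY/CDS whose signer is not a KSK
    (a key tag missing from the DNSKEY RRset counts as not a KSK)."""
    owner, rrtype, rdata = record
    # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig
    return (owner == origin and rrtype == "RRSIG" and rdata[0] in APEX_KEY_SETS
            and not is_ksk(keys.get(int(rdata[6]), 0)))

def audit_kskonly(zone_text, origin):
    """Return {covered type: [offending key tags]}; {} is the state -x should give."""
    origin = origin.lower()
    records = list(parse_zone(zone_text))
    keys = apex_keys(records, origin)
    if not any(is_ksk(f) for f in keys.values()):
        raise ValueError("no KSK in the apex DNSKEY RRset")
    findings = defaultdict(list)
    for rec in records:
        if zsk_signed_keyset(rec, origin, keys):
            findings[rec[2][0]].append(int(rec[2][6]))
    return dict(findings)

def drop_zsk_keyset_signatures(zone_text, origin):
    """Model the -x policy on an already signed zone by removing the offending
    RRSIGs (re-signing with -x is the real fix; this only shows what it saves)."""
    origin = origin.lower()
    keys = apex_keys(parse_zone(zone_text), origin)
    kept = [line for line in zone_text.splitlines()
            if not any(zsk_signed_keyset(r, origin, keys) for r in parse_zone(line))]
    return "\n".join(kept) + "\n"

# Constructed sample: signed WITHOUT -x, so the ZSK (tag 4123) also signs the apex
# key sets.  Public keys are 4 placeholder bytes, not real algorithm 13 keys; tags
# 2068/4123 were computed from them with keytag().  Digest and signatures are fake.
SAMPLE_ZONE = """\
example.com.     3600 IN DNSKEY 257 3 13 AQIDBA==   ; KSK, tag 2068
example.com.     3600 IN DNSKEY 256 3 13 BQYHCA==   ; ZSK, tag 4123
example.com.     3600 IN CDNSKEY 257 3 13 AQIDBA==
example.com.     3600 IN CDS 2068 13 2 00000000000000000000000000000000
example.com.     3600 IN RRSIG DNSKEY 13 2 3600 20170903000000 20170804000000 2068 example.com. a3Nr
example.com.     3600 IN RRSIG DNSKEY 13 2 3600 20170903000000 20170804000000 4123 example.com. enNr
example.com.     3600 IN RRSIG CDNSKEY 13 2 3600 20170903000000 20170804000000 2068 example.com. a3Nr
example.com.     3600 IN RRSIG CDNSKEY 13 2 3600 20170903000000 20170804000000 4123 example.com. enNr
example.com.     3600 IN RRSIG CDS 13 2 3600 20170903000000 20170804000000 2068 example.com. a3Nr
example.com.     3600 IN RRSIG CDS 13 2 3600 20170903000000 20170804000000 4123 example.com. enNr
www.example.com. 3600 IN RRSIG A 13 3 3600 20170903000000 20170804000000 4123 example.com. enNr
"""

if __name__ == "__main__":
    origin = "example.com."
    print("non-KSK signatures on apex key sets:", audit_kskonly(SAMPLE_ZONE, origin))
    trimmed = drop_zsk_keyset_signatures(SAMPLE_ZONE, origin)
    print("after applying the -x policy:", audit_kskonly(trimmed, origin))
```

Run as a script it reports the ZSK's tag under DNSKEY, CDNSKEY and CDS for the sample, and an empty result once those RRSIGs are gone; the non-apex RRSIG over the A record is left alone, since the KSK-only rule applies to the apex key sets only. On a real zone, the output of `dnssec-signzone -x` should audit to an empty result, and a non-empty one marks the extra signatures that inflate DNSKEY and CDNSKEY responses.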