X-RT-Incoming-Encryption: Not encrypted Message-ID: Subject: Re: [ISC-Bugs #46090] [PATCH] dnssec-cds: RFC 7344 CDS/CDNSKEY parent side Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "mx.ams1.isc.org", Issuer "COMODO RSA Organization Validation Secure Server CA" (not verified)) by bugs.isc.org (Postfix) with ESMTPS id 80761D78B0A for ; Mon, 25 Sep 2017 11:26:00 +0000 (UTC) Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id AE38824AE16 for ; Mon, 25 Sep 2017 11:24:25 +0000 (UTC) Received: from grey.csi.cam.ac.uk ([131.111.57.57]:45853) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1dwRQB-000RnQ-0d (Exim 4.89) for bind9-confidential@isc.org (return-path ); Mon, 25 Sep 2017 12:19:31 +0100 content-type: TEXT/PLAIN; charset="utf-8" References: X-RT-Interface: Email From dot@dotat.at Mon Sep 25 11:26:01 2017 X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED autolearn=ham autolearn_force=no version=3.4.1 User-Agent: Alpine 2.11 (DEB 23 2013-08-11) In-Reply-To: Date: Mon, 25 Sep 2017 12:19:31 +0100 X-Original-To: bind9-confidential@bugs.isc.org X-RT-Original-Encoding: utf-8 X-Cam-Antivirus: no malware found To: "Tony Finch via RT" X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mx.ams1.isc.org From: "Tony Finch" X-Cam-Scannerinfo: http://help.uis.cam.ac.uk/email-scanner-virus MIME-Version: 1.0 Return-Path: Delivered-To: bind9-confidential@bugs.isc.org RT-Message-ID: Content-Length: 91092 --- bin/dnssec/.gitignore | 1 + bin/dnssec/Makefile.in | 32 +- bin/dnssec/dnssec-cds.8 | 304 ++++++++ bin/dnssec/dnssec-cds.c | 1337 ++++++++++++++++++++++++++++++++++++ bin/dnssec/dnssec-cds.docbook | 404 +++++++++++ bin/dnssec/dnssec-cds.html | 293 ++++++++ bin/tests/system/cds/.gitignore | 13 + bin/tests/system/cds/checkmtime.pl | 6 + bin/tests/system/cds/checktime.pl | 12 + bin/tests/system/cds/clean.sh | 11 + bin/tests/system/cds/mangle.pl | 7 + bin/tests/system/cds/prereq.sh | 12 + bin/tests/system/cds/setup.sh | 120 ++++ bin/tests/system/cds/tests.sh | 233 +++++++ bin/tests/system/conf.sh.in | 8 +- 15 files changed, 2777 insertions(+), 16 deletions(-) create mode 100644 bin/dnssec/dnssec-cds.8 create mode 100644 bin/dnssec/dnssec-cds.c create mode 100644 bin/dnssec/dnssec-cds.docbook create mode 100644 bin/dnssec/dnssec-cds.html create mode 100644 bin/tests/system/cds/.gitignore create mode 100644 bin/tests/system/cds/checkmtime.pl create mode 100644 bin/tests/system/cds/checktime.pl create mode 100644 bin/tests/system/cds/clean.sh create mode 100644 bin/tests/system/cds/mangle.pl create mode 100644 bin/tests/system/cds/prereq.sh create mode 100644 bin/tests/system/cds/setup.sh create mode 100644 bin/tests/system/cds/tests.sh diff --git a/bin/dnssec/.gitignore b/bin/dnssec/.gitignore index 8252103..9d50f6c 100644 --- a/bin/dnssec/.gitignore +++ b/bin/dnssec/.gitignore @@ -1,3 +1,4 @@ +dnssec-cds dnssec-dsfromkey dnssec-keyfromlabel dnssec-keygen diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index 60e666d..30c5736 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -32,30 +32,37 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ # Alphabetically -TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ - dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ - dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \ - dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@ +TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ + dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \ + dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \ + dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ + dnssec-verify@EXEEXT@ OBJS = dnssectool.@O@ -SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \ - dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \ - dnssec-verify.c dnssec-importkey.c dnssectool.c +SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ + dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \ + dnssec-settime.c dnssec-signzone.c dnssec-verify.c \ + dnssectool.c -MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \ - dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \ - dnssec-verify.8 dnssec-importkey.8 +MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \ + dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \ + dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8 -HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \ +HTMLPAGES = dnssec-cds.html dnssec-dsfromkey.html \ + dnssec-importkey.html dnssec-keyfromlabel.html \ dnssec-keygen.html dnssec-revoke.html \ dnssec-settime.html dnssec-signzone.html \ - dnssec-verify.html dnssec-importkey.html + dnssec-verify.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ +dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ ${FINALBUILDCMD} @@ -115,4 +122,3 @@ uninstall:: clean distclean:: rm -f ${TARGETS} - diff --git a/bin/dnssec/dnssec-cds.8 b/bin/dnssec/dnssec-cds.8 new file mode 100644 index 0000000..d258788 --- /dev/null +++ b/bin/dnssec/dnssec-cds.8 @@ -0,0 +1,304 @@ +.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" This Source Code Form is subject to the terms of the Mozilla Public +.\" License, v. 2.0. If a copy of the MPL was not distributed with this +.\" file, You can obtain one at http://mozilla.org/MPL/2.0/. +.\" +.hy 0 +.ad l +'\" t +.\" Title: dnssec-cds +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 2017-09-14 +.\" Manual: BIND9 +.\" Source: ISC +.\" Language: English +.\" +.TH "DNSSEC\-CDS" "8" "2017\-09\-14" "ISC" "BIND9" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +dnssec-cds \- change DS records based on CDS/CDNSKEY +.SH "SYNOPSIS" +.HP 11 +\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIpath\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain} +.SH "DESCRIPTION" +.PP +The +\fBdnssec\-cds\fR +command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. By default CDS records are used if both CDS and CDNSKEY records are present\&. +.PP +It requires two input files\&. The +\fB\-f \fR\fB\fIfile\fR\fR +contains the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The +\fB\-d \fR\fB\fIpath\fR\fR +contains the current DS records, such as a +dsset\- +file used by +\fBdnssec\-signzone\fR\&. +.PP +For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of +\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the +dsset\- +file, or from the +\fB\-s\fR +option\&. +.PP +To protect against breaking the delegation, +\fBdnssec\-cds\fR +ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&. +.PP +By default, replacement DS records are written to the standard output; with the +\fB\-i\fR +option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&. +.PP +Warning: Be careful not to delete the DS records when +\fBdnssec\-cds\fR +fails! +.PP +Alternatively, +\fBdnssec\-cds \-u\fR +writes an +\fBnsupdate\fR +script to the standard output\&. You can use the +\fB\-u\fR +and +\fB\-i\fR +options together to maintain a +dsset\- +file as well as emit an +\fBnsupdate\fR +script\&. +.SH "OPTIONS" +.PP +\-a \fIalgorithm\fR +.RS 4 +Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&. +.sp +The +\fIalgorithm\fR +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&. +.RE +.PP +\-c \fIclass\fR +.RS 4 +Specifies the DNS class of the zones\&. +.RE +.PP +\-D +.RS 4 +Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&. +.RE +.PP +\-d \fIpath\fR +.RS 4 +Location of the parent DS records\&. The +\fIpath\fR +can be the name of a file containing the DS records, or if it is a directory, +\fBdnssec\-cds\fR +looks for a +dsset\- +file for the +\fIdomain\fR +inside the directory\&. +.sp +To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the +dsset\- +file\&. This can be adjusted with the +\fB\-s\fR +option\&. +.RE +.PP +\-f \fIchild\-file\fR +.RS 4 +File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&. +.sp +The EXAMPLES below describe how to generate this file\&. +.RE +.PP +\-i [\fIextension\fR] +.RS 4 +Update the +dsset\- +file in place, instead of writing DS records to the standard output\&. +.sp +There must be no space between the +\fB\-i\fR +and the +\fIextension\fR\&. If you provide no +\fIextension\fR +then the old +dsset\- +is discarded\&. If an +\fIextension\fR +is present, a backup of the old +dsset\- +file is kept with the +\fIextension\fR +appended to its filename\&. +.sp +To protect against replay attacks, the modification time of the +dsset\- +file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&. +.RE +.PP +\-s \fIstart\-time\fR +.RS 4 +Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the +dsset\- +file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&. +.sp +If no +\fIstart\-time\fR +is specified, the modification time of the +dsset\- +file is used\&. +.RE +.PP +\-T \fIttl\fR +.RS 4 +Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&. +.RE +.PP +\-u +.RS 4 +Write an +\fBnsupdate\fR +script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&. +.sp +Note: The TTL of new records needs to be specified, either in the original +dsset\- +file, or with the +\fB\-T\fR +option, or using the +\fBnsupdate\fR\fBttl\fR +command\&. +.RE +.PP +\-V +.RS 4 +Print version information\&. +.RE +.PP +\-v \fIlevel\fR +.RS 4 +Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&. +.RE +.PP +\fIdomain\fR +.RS 4 +The name of the delegation point / child zone apex\&. +.RE +.SH "EXIT STATUS" +.PP +The +\fBdnssec\-cds\fR +command exits 0 on success, or non\-zero if an error occurred\&. +.PP +In the success case, the DS records might or might not need to be changed\&. +.SH "EXAMPLES" +.PP +Before running +\fBdnssec\-signzone\fR +you can ensure that the delegations are up\-to\-date by running +\fBdnssec\-cds\fR +on every +dsset\- +file\&. +.PP +To fetch the child records required by +\fBdnssec\-cds\fR +you can invoke +\fBdig\fR +as in the script below\&. It\*(Aqs OK if the +\fBdig\fR +fails since +\fBdnssec\-cds\fR +performs all the necessary checking\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +for f in dsset\-* +do + d=${f#dsset\-} + dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | + dnssec\-cds \-i \-f /dev/stdin \-d $f $d +done +.fi +.if n \{\ +.RE +.\} +.PP +When the parent zone is automatically signed by +\fBnamed\fR, you can use +\fBdnssec\-cds\fR +with +\fBnsupdate\fR +to maintain a delegation as follows\&. The +dsset\- +file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | +dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d | +nsupdate \-l +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBdig\fR(1), +\fBdnssec-settime\fR(8), +\fBdnssec-signzone\fR(8), +\fBnsupdate\fR(1), +BIND 9 Administrator Reference Manual, +RFC 7344\&. +.SH "BUGS" +.PP +RFC 8078 support is missing\&. This depends on support for the CDS/CDNSKEY delete format in the rest of BIND\&. +.PP +The +\fBdnssec\-cds\fR +command should be able to fetch the child records itself if the +\fB\-f\fR +flag is not given\&. As well as making invocation simpler, this will allow better error reporting when lookups fail\&. +.PP +Using the modification time of the +dsset\- +file is naff\&. It would be better to keep the timing information as comments inside the file\&. That would allow more sophisticated safety checks, such as a hold\-down period\&. +.SH "AUTHORS" +.PP +\fBInternet Systems Consortium, Inc\&.\fR +.PP +\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&> +.br +.RS 4 +.RE +.SH "COPYRIGHT" +.br +Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c new file mode 100644 index 0000000..7fb1069 --- /dev/null +++ b/bin/dnssec/dnssec-cds.c @@ -0,0 +1,1337 @@ +/* + * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +/* + * Written by Tony Finch + * at Cambridge University Information Services + */ + +/*! \file */ + +#include + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#ifdef PKCS11CRYPTO +#include +#endif + +#include "dnssectool.h" + +#ifndef PATH_MAX +#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */ +#endif + +const char *program = "dnssec-cds"; +int verbose; + +/* + * Infrastructure + */ +static isc_log_t *lctx = NULL; +static isc_mem_t *mctx = NULL; +static isc_entropy_t *ectx = NULL; + +/* + * The domain we are working on + */ +static const char *namestr = NULL; +static dns_fixedname_t fixed; +static dns_name_t *name = NULL; +static dns_rdataclass_t rdclass = dns_rdataclass_in; + +/* + * List of digest types used by ds_from_cdnskey(), filled in by add_dtype() + * from -a arguments. The size of the array is an arbitrary limit. + */ +static isc_uint8_t dtype[8]; + +static const char *startstr = NULL; /* from which we derive notbefore */ +static isc_stdtime_t notbefore = 0; /* restrict sig inception times */ +static dns_rdata_rrsig_t oldestsig; /* for recording inception time */ + +static int nkey; /* number of child zone DNSKEY records */ + +/* + * The validation strategy of this program is top-down. + * + * We start with an implicitly trusted authoritative dsset. + * + * The child DNSKEY RRset is scanned to find out which keys are + * authenticated by DS records, and the result is recorded in a key + * table as described later in this comment. + * + * The key table is used up to three times to verify the signatures on + * the child DNSKEY, CDNSKEY, and CDS RRsets. In this program, only keys + * that have matching DS records are used for validating signatures. + * + * For replay attack protection, signatures are ignored if their inception + * time is before the previously recorded inception time. We use the earliest + * signature so that another run of dnssec-cds with the same records will + * still accept all the signatures. + * + * A key table is an array of nkey keyinfo structures, like + * + * struct keyinfo key_tbl[nkey]; + * + * Each key is decoded into more useful representations, held in + * keyinfo->rdata + * keyinfo->dst + * + * If a key has no matching DS record then keyinfo->dst is NULL. + * + * The key algorithm and ID are saved in keyinfo->algo and + * keyinfo->tag for quicky skipping DS and RRSIG records that can't + * match. + */ +struct keyinfo { + dns_rdata_t rdata; + dst_key_t *dst; + isc_uint8_t algo; + dns_keytag_t tag; +}; + +static dns_rdataset_t cdnskey_set, cdnskey_sig; +static dns_rdataset_t cds_set, cds_sig; +static dns_rdataset_t dnskey_set, dnskey_sig; +static dns_rdataset_t old_ds_set, new_ds_set; + +static struct keyinfo *old_key_tbl, *new_key_tbl; + +isc_buffer_t *new_ds_buf = NULL; /* backing store for new_ds_set */ + +static void +verbose_time(int level, const char *msg, isc_stdtime_t time) +{ + isc_result_t result; + isc_buffer_t timebuf; + char timestr[32]; + + if (verbose < level) + return; + + isc_buffer_init(&timebuf, timestr, sizeof(timestr)); + result = dns_time64_totext(time, &timebuf); + check_result(result, "dns_time64_totext()"); + isc_buffer_putuint8(&timebuf, 0); + if (verbose < 3) + vbprintf(level, "%s %s\n", msg, timestr); + else + vbprintf(level, "%s %s (%lld)\n", + msg, timestr, (long long)time); +} + +static void +initname(char *setname) { + isc_result_t result; + isc_buffer_t buf; + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + namestr = setname; + + isc_buffer_init(&buf, setname, strlen(setname)); + isc_buffer_add(&buf, strlen(setname)); + result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL); + if (result != ISC_R_SUCCESS) + fatal("could not initialize name %s", setname); +} + +static void +findset(dns_db_t *db, dns_dbnode_t *node, dns_rdatatype_t type, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) +{ + isc_result_t result; + + dns_rdataset_init(rdataset); + if (sigrdataset != NULL) + dns_rdataset_init(sigrdataset); + result = dns_db_findrdataset(db, node, NULL, type, 0, 0, + rdataset, sigrdataset); + if (result != ISC_R_NOTFOUND) + check_result(result, "dns_db_findrdataset()"); +} + +static void +freeset(dns_rdataset_t *rdataset) +{ + if (dns_rdataset_isassociated(rdataset)) + dns_rdataset_disassociate(rdataset); +} + +static void +freelist(dns_rdataset_t *rdataset) +{ + dns_rdatalist_t *rdlist; + dns_rdata_t *rdata; + + if (!dns_rdataset_isassociated(rdataset)) + return; + + dns_rdatalist_fromrdataset(rdataset, &rdlist); + + for (rdata = ISC_LIST_HEAD(rdlist->rdata); + rdata != NULL; + rdata = ISC_LIST_HEAD(rdlist->rdata)) + { + ISC_LIST_UNLINK(rdlist->rdata, rdata, link); + isc_mem_put(mctx, rdata, sizeof(*rdata)); + } + isc_mem_put(mctx, rdlist, sizeof(*rdlist)); + dns_rdataset_disassociate(rdataset); +} + +static void +free_all_sets(void) +{ + freeset(&cdnskey_set); + freeset(&cdnskey_sig); + freeset(&cds_set); + freeset(&cds_sig); + freeset(&dnskey_set); + freeset(&dnskey_sig); + freeset(&old_ds_set); + freelist(&new_ds_set); + if (new_ds_buf != NULL) + isc_buffer_free(&new_ds_buf); +} + +static void +load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) +{ + isc_result_t result; + + result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, + rdclass, 0, NULL, dbp); + check_result(result, "dns_db_create()"); + + result = dns_db_load3(*dbp, filename, + dns_masterformat_text, DNS_MASTER_HINT); + if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) + fatal("can't load %s: %s", filename, + isc_result_totext(result)); + + result = dns_db_findnode(*dbp, name, ISC_FALSE, nodep); + if (result != ISC_R_SUCCESS) + fatal("can't find %s node in %s", namestr, filename); +} + +static void +free_db(dns_db_t **dbp, dns_dbnode_t **nodep) +{ + dns_db_detachnode(*dbp, nodep); + dns_db_detach(dbp); +} + +static void +load_child_sets(const char *file) +{ + dns_db_t *db = NULL; + dns_dbnode_t *node = NULL; + + load_db(file, &db, &node); + findset(db, node, dns_rdatatype_dnskey, &dnskey_set, &dnskey_sig); + findset(db, node, dns_rdatatype_cdnskey, &cdnskey_set, &cdnskey_sig); + findset(db, node, dns_rdatatype_cds, &cds_set, &cds_sig); + free_db(&db, &node); +} + +static void +get_dsset_name(char *filename, size_t size, + const char *path, const char *suffix) +{ + isc_result_t result; + isc_buffer_t buf; + size_t len; + + isc_buffer_init(&buf, filename, size); + + len = strlen(path); + + /* allow room for a trailing slash */ + if (isc_buffer_availablelength(&buf) <= len) + fatal("%s: pathname too long", path); + isc_buffer_putstr(&buf, path); + + if (isc_file_isdirectory(path) == ISC_R_SUCCESS) { + const char *prefix = "dsset-"; + + if (path[len - 1] != '/') + isc_buffer_putstr(&buf, "/"); + + if (isc_buffer_availablelength(&buf) < strlen(prefix)) + fatal("%s: pathname too long", path); + isc_buffer_putstr(&buf, prefix); + + result = dns_name_tofilenametext(name, ISC_FALSE, &buf); + check_result(result, "dns_name_tofilenametext()"); + if (isc_buffer_availablelength(&buf) == 0) + fatal("%s: pathname too long", path); + } + /* allow room for a trailing nul */ + if (isc_buffer_availablelength(&buf) <= strlen(suffix)) + fatal("%s: pathname too long", path); + isc_buffer_putstr(&buf, suffix); + isc_buffer_putuint8(&buf, 0); +} + +static void +load_parent_set(const char *path) +{ + isc_result_t result; + dns_db_t *db = NULL; + dns_dbnode_t *node = NULL; + isc_time_t modtime; + char filename[PATH_MAX + 1]; + + get_dsset_name(filename, sizeof(filename), path, ""); + + result = isc_file_getmodtime(filename, &modtime); + if (result != ISC_R_SUCCESS) + fatal("could not get modification time of %s: %s", + filename, isc_result_totext(result)); + notbefore = isc_time_seconds(&modtime); + if (startstr != NULL) { + isc_stdtime_t now; + isc_stdtime_get(&now); + notbefore = strtotime(startstr, now, notbefore, NULL); + } + verbose_time(1, "child records must not be signed before", notbefore); + + load_db(filename, &db, &node); + findset(db, node, dns_rdatatype_ds, &old_ds_set, NULL); + + if (!dns_rdataset_isassociated(&old_ds_set)) + fatal("could not find DS records for %s in %s", + namestr, filename); + + free_db(&db, &node); +} + +static isc_buffer_t * +formatset(dns_rdataset_t *rdataset) +{ + isc_result_t result; + isc_buffer_t *buf = NULL; + dns_master_style_t *style = NULL; + unsigned int styleflags; + unsigned int size; + + styleflags = (rdataset->ttl == 0) ? DNS_STYLEFLAG_NO_TTL : 0; + + /* + * This style is for consistency with the output of dnssec-dsfromkey + * which just separates fields with spaces. The huge tab stop width + * eliminates any tab characters. + */ + result = dns_master_stylecreate2(&style, styleflags, + 0, 0, 0, 0, 0, 1000000, 0, + mctx); + + size = 256; + do { + result = isc_buffer_allocate(mctx, &buf, size); + check_result(result, "printing DS records"); + result = dns_master_rdatasettotext(name, rdataset, + style, buf); + if (result == ISC_R_NOSPACE || + isc_buffer_availablelength(buf) < 1) { + vbprintf(20, "formatset buffer size %u\n", size); + isc_buffer_free(&buf); + size *= 2; + } else { + check_result(result, "dns_rdataset_totext()"); + } + } while (result != ISC_R_SUCCESS); + + isc_buffer_putuint8(buf, 0); + + dns_master_styledestroy(&style, mctx); + + return (buf); +} + +static void +write_parent_set(const char *path, const char *inplace, + isc_boolean_t nsupdate, dns_rdataset_t *rdataset) +{ + isc_result_t result; + isc_buffer_t *buf; + isc_region_t r; + isc_time_t filetime; + char backname[PATH_MAX + 1]; + char filename[PATH_MAX + 1]; + char tmpname[PATH_MAX + 1]; + FILE *fp; + + if (nsupdate && inplace == NULL) + return; + + buf = formatset(rdataset); + isc_buffer_usedregion(buf, &r); + + /* + * Try to ensure a write error doesn't make a zone go insecure! + */ + if (inplace == NULL) { + printf("%s", (char *)r.base); + isc_buffer_free(&buf); + if (fflush(stdout) == EOF) + fatal("write stdout: %s", strerror(errno)); + return; + } + + if (inplace[0] != '\0') + get_dsset_name(backname, sizeof(backname), path, inplace); + get_dsset_name(filename, sizeof(filename), path, ""); + get_dsset_name(tmpname, sizeof(tmpname), path, "-XXXXXXXXXX"); + + fp = NULL; + result = isc_file_openunique(tmpname, &fp); + if (result != ISC_R_SUCCESS) + fatal("open %s: %s", tmpname, isc_result_totext(result)); + fprintf(fp, "%s", (char *)r.base); + isc_buffer_free(&buf); + if (fclose(fp) == EOF) { + result = errno; + isc_file_remove(tmpname); + fatal("write %s: %s", tmpname, strerror(result)); + } + + isc_time_set(&filetime, oldestsig.timesigned, 0); + result = isc_file_settime(tmpname, &filetime); + if (result != ISC_R_SUCCESS) { + isc_file_remove(tmpname); + fatal("set modification time of %s: %s", + tmpname, isc_result_totext(result)); + } + + if (inplace[0] != '\0') + isc_file_rename(filename, backname); + /* ??? else remove(filename) ??? */ + isc_file_rename(tmpname, filename); +} + +enum strictness { loose, tight }; + +/* + * Find out if any (C)DS record matches a particular (C)DNSKEY. + */ +static isc_boolean_t +match_key_dsset(struct keyinfo *ki, dns_rdataset_t *dsset, + enum strictness strictness) +{ + isc_result_t result; + unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + + for (result = dns_rdataset_first(dsset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(dsset)) + { + dns_rdata_ds_t ds; + dns_rdata_t dsrdata = DNS_RDATA_INIT; + dns_rdata_t newdsrdata = DNS_RDATA_INIT; + dns_rdatatype_t keytype; + isc_boolean_t c; + + dns_rdataset_current(dsset, &dsrdata); + result = dns_rdata_tostruct(&dsrdata, &ds, NULL); + check_result(result, "dns_rdata_tostruct(DS)"); + + if (ki->tag != ds.key_tag || + ki->algo != ds.algorithm) + continue; + + /* allow for both DNSKEY and CDNSKEY */ + keytype = ki->rdata.type; + ki->rdata.type = dns_rdatatype_dnskey; + result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type, + dsbuf, &newdsrdata); + ki->rdata.type = keytype; + if (result != ISC_R_SUCCESS) { + vbprintf(3, "dns_ds_buildrdata(" + "keytag=%d, algo=%d, digest=%d): %s\n", + ds.key_tag, ds.algorithm, ds.digest_type, + dns_result_totext(result)); + continue; + } + /* allow for both DS and CDS */ + c = dsrdata.type != dns_rdatatype_ds; + dsrdata.type = dns_rdatatype_ds; + if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) { + vbprintf(1, "found matching %s %d %d %d\n", + c ? "CDS" : "DS", + ds.key_tag, ds.algorithm, ds.digest_type); + return (ISC_TRUE); + } else if (strictness == tight) { + vbprintf(0, "key does not match %s %d %d %d " + "when it looks like it should\n", + c ? "CDS" : "DS", + ds.key_tag, ds.algorithm, ds.digest_type); + return (ISC_FALSE); + } + } + return (ISC_FALSE); +} + +/* + * Find which (C)DNSKEY records match a (C)DS RRset. + * This creates a struct keyinfo key_tbl[nkey] array. + */ +static struct keyinfo * +match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset, + enum strictness strictness) +{ + isc_result_t result; + struct keyinfo *keytable; + int i; + + nkey = dns_rdataset_count(keyset); + + keytable = isc_mem_get(mctx, sizeof(struct keyinfo) * nkey); + if (keytable == NULL) + fatal("allocating key table: %s", + isc_result_totext(ISC_R_NOMEMORY)); + + for (result = dns_rdataset_first(keyset), i = 0; + result == ISC_R_SUCCESS; + result = dns_rdataset_next(keyset), i++) + { + struct keyinfo *ki; + dns_rdata_dnskey_t dnskey; + dns_rdata_t *keyrdata; + isc_region_t r; + + INSIST(i < nkey); + ki = &keytable[i]; + keyrdata = &ki->rdata; + + dns_rdata_init(keyrdata); + dns_rdataset_current(keyset, keyrdata); + + result = dns_rdata_tostruct(keyrdata, &dnskey, NULL); + check_result(result, "dns_rdata_tostruct(DNSKEY)"); + ki->algo = dnskey.algorithm; + + dns_rdata_toregion(keyrdata, &r); + ki->tag = dst_region_computeid(&r, ki->algo); + + ki->dst = NULL; + if (!match_key_dsset(ki, dsset, strictness)) + continue; + + result = dns_dnssec_keyfromrdata(name, keyrdata, + mctx, &ki->dst); + if (result != ISC_R_SUCCESS) + vbprintf(3, "dns_dnssec_keyfromrdata(" + "keytag=%d, algo=%d): %s\n", + ki->tag, ki->algo, + dns_result_totext(result)); + } + return (keytable); +} + +static void +free_keytable(struct keyinfo **keytable_p) +{ + struct keyinfo *keytable = *keytable_p; + struct keyinfo *ki; + int i; + + for (i = 0; i < nkey; i++) { + ki = &keytable[i]; + if (ki->dst != NULL) + dst_key_free(&ki->dst); + } + isc_mem_put(mctx, keytable, sizeof(struct keyinfo) * nkey); + *keytable_p = NULL; +} + +/* + * Find out which keys have signed an RRset. Keys that do not match a + * DS record are skipped. + * + * The return value is an array with nkey elements, one for each key, + * either zero if the key was skipped or did not sign the RRset, or + * otherwise the key algorithm. This is used by the signature coverage + * check functions below. + */ +static isc_uint8_t * +matching_sigs(struct keyinfo *keytbl, dns_rdataset_t *rdataset, + dns_rdataset_t *sigset) +{ + isc_result_t result; + isc_uint8_t *algo; + int i; + + algo = isc_mem_get(mctx, nkey); + if (algo == NULL) + fatal("allocating RRSIG/DNSKEY match list: %s", + isc_result_totext(ISC_R_NOMEMORY)); + memset(algo, 0, nkey); + + for (result = dns_rdataset_first(sigset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(sigset)) { + dns_rdata_t sigrdata = DNS_RDATA_INIT; + dns_rdata_rrsig_t sig; + + dns_rdataset_current(sigset, &sigrdata); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + check_result(result, "dns_rdata_tostruct(RRSIG)"); + + /* + * Replay attack protection: check against current age limit + */ + if (isc_serial_lt(sig.timesigned, notbefore)) { + vbprintf(1, "skip RRSIG by key %d: too old\n", + sig.keyid); + continue; + } + + for (i = 0; i < nkey; i++) { + struct keyinfo *ki = &keytbl[i]; + if (ki->dst == NULL || + sig.keyid != ki->tag || + sig.algorithm != ki->algo || + !dns_name_equal(&sig.signer, name)) + continue; + + result = dns_dnssec_verify(name, rdataset, ki->dst, + ISC_FALSE, mctx, &sigrdata); + if (result != ISC_R_SUCCESS) + continue; + + vbprintf(1, "found RRSIG by key %d\n", ki->tag); + algo[i] = sig.algorithm; + + /* + * Replay attack protection: work out next age limit, + * only after the signature has been verified + */ + if (oldestsig.timesigned == 0 || + isc_serial_lt(sig.timesigned, oldestsig.timesigned)) { + verbose_time(2, "this is the oldest so far", + sig.timesigned); + oldestsig = sig; + } + } + } + return (algo); +} + +/* + * Consume the result of matching_sigs(). When checking records + * fetched from the child zone, any working signature is enough. + */ +static isc_boolean_t +signed_loose(isc_uint8_t *algo) { + isc_boolean_t ok = ISC_FALSE; + int i; + for (i = 0; i < nkey; i++) + if (algo[i] != 0) + ok = ISC_TRUE; + isc_mem_put(mctx, algo, nkey); + return (ok); +} + +/* + * Consume the result of matching_sigs(). To ensure that the new DS + * RRset does not break the chain of trust to the DNSKEY RRset, every + * key algorithm in the DS RRset must have a signature in the DNSKEY + * RRset. + */ +static isc_boolean_t +signed_strict(dns_rdataset_t *dsset, isc_uint8_t *algo) { + isc_result_t result; + isc_boolean_t all_ok = ISC_TRUE; + + for (result = dns_rdataset_first(dsset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(dsset)) { + dns_rdata_t dsrdata = DNS_RDATA_INIT; + dns_rdata_ds_t ds; + isc_boolean_t ds_ok; + int i; + + dns_rdataset_current(dsset, &dsrdata); + result = dns_rdata_tostruct(&dsrdata, &ds, NULL); + check_result(result, "dns_rdata_tostruct(DS)"); + + ds_ok = ISC_FALSE; + for (i = 0; i < nkey; i++) + if (algo[i] == ds.algorithm) + ds_ok = ISC_TRUE; + if (!ds_ok) { + vbprintf(0, "missing signature for algorithm %d " + "(key %d)\n", ds.algorithm, ds.key_tag); + all_ok = ISC_FALSE; + } + } + isc_mem_put(mctx, algo, nkey); + return (all_ok); +} + +static dns_rdata_t * +rdata_get(void) +{ + dns_rdata_t *rdata; + + rdata = isc_mem_get(mctx, sizeof(*rdata)); + if (rdata == NULL) + fatal("allocating DS rdata: %s", + isc_result_totext(ISC_R_NOMEMORY)); + dns_rdata_init(rdata); + + return (rdata); +} + +static isc_result_t +rdata_put(isc_result_t result, + dns_rdatalist_t *rdlist, dns_rdata_t *rdata) +{ + if (result == ISC_R_SUCCESS) + ISC_LIST_APPEND(rdlist->rdata, rdata, link); + else + isc_mem_put(mctx, rdata, sizeof(*rdata)); + return (result); +} + +typedef isc_result_t ds_maker_fun(dns_rdatalist_t *dslist, + isc_buffer_t *buf, + dns_rdata_t *cds); +static ds_maker_fun ds_from_cds, ds_from_cdnskey; + +/* + * This basically copies the rdata into the buffer, but going via the + * unpacked struct has the side-effect of changing the rdatatype. The + * dns_rdata_cds_t and dns_rdata_ds_t types are aliases. + */ +static isc_result_t +ds_from_cds(dns_rdatalist_t *dslist, isc_buffer_t *buf, + dns_rdata_t *cds) +{ + isc_result_t result; + dns_rdata_ds_t ds; + dns_rdata_t *rdata; + + rdata = rdata_get(); + + result = dns_rdata_tostruct(cds, &ds, NULL); + check_result(result, "dns_rdata_tostruct(CDS)"); + ds.common.rdtype = dns_rdatatype_ds; + + result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds, + &ds, buf); + + return (rdata_put(result, dslist, rdata)); +} + +static isc_result_t +one_ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf, + dns_rdata_t *cdnskey, unsigned int dt) +{ + isc_result_t result; + dns_rdata_t *rdata; + isc_region_t r; + + isc_buffer_availableregion(buf, &r); + if (r.length < DNS_DS_BUFFERSIZE) + return (ISC_R_NOSPACE); + + cdnskey->type = dns_rdatatype_dnskey; + rdata = rdata_get(); + result = dns_ds_buildrdata(name, cdnskey, dt, r.base, rdata); + if (result == ISC_R_SUCCESS) + isc_buffer_add(buf, DNS_DS_BUFFERSIZE); + return (rdata_put(result, dslist, rdata)); +} + +static isc_result_t +ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf, + dns_rdata_t *cdnskey) +{ + isc_result_t result; + unsigned i, n; + + n = sizeof(dtype)/sizeof(dtype[0]); + for (i = 0; i < n; i++) { + if (dtype[i] != 0) + result = one_ds_from_cdnskey(dslist, buf, + cdnskey, dtype[i]); + if (result != ISC_R_SUCCESS) + return (result); + } + return (ISC_R_SUCCESS); +} + +/* + * For sorting the digest types so that DS records generated + * from CDNSKEY records are in canonical order. + */ +static int +cmp_dtype(const void *ap, const void *bp) +{ + int a = *(const isc_uint8_t *)ap; + int b = *(const isc_uint8_t *)bp; + return (a - b); +} + +static void +add_dtype(const char *dn) +{ + isc_uint8_t dt; + unsigned i, n; + + dt = strtodsdigest(dn); + n = sizeof(dtype)/sizeof(dtype[0]); + for (i = 0; i < n; i++) { + if (dtype[i] == 0 || dtype[i] == dt) { + dtype[i] = dt; + qsort(dtype, i+1, 1, cmp_dtype); + return; + } + } + fatal("Too many -a digest type arguments"); +} + +static void +make_new_ds_set(ds_maker_fun *ds_from_rdata, + isc_uint32_t ttl, dns_rdataset_t *rdset) +{ + isc_result_t result; + unsigned int size; + dns_rdatalist_t *dslist; + + size = 16; +again: + dslist = isc_mem_get(mctx, sizeof(*dslist)); + if (dslist == NULL) + fatal("allocating new DS list: %s", + isc_result_totext(ISC_R_NOMEMORY)); + dns_rdatalist_init(dslist); + dslist->rdclass = rdclass; + dslist->type = dns_rdatatype_ds; + dslist->ttl = ttl; + + dns_rdataset_init(&new_ds_set); + result = dns_rdatalist_tordataset(dslist, &new_ds_set); + check_result(result, "dns_rdatalist_tordataset(dslist)"); + + result = isc_buffer_allocate(mctx, &new_ds_buf, size); + check_result(result, "building new DS records"); + + for (result = dns_rdataset_first(rdset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; + + dns_rdataset_current(rdset, &rdata); + + result = ds_from_rdata(dslist, new_ds_buf, &rdata); + if (result == ISC_R_NOSPACE) { + vbprintf(20, "DS list buffer size %u\n", size); + freelist(&new_ds_set); + isc_buffer_free(&new_ds_buf); + size *= 2; + goto again; + } else { + check_result(result, "ds_from_rdata()"); + } + } +} + +/* + * Make qsort happy. + */ +static int +rdata_cmp(const void *rdata1, const void *rdata2) { + return (dns_rdata_compare((const dns_rdata_t *)rdata1, + (const dns_rdata_t *)rdata2)); +} + +/* + * Ensure that every key identified by the DS RRset has the same set of + * digest types. + */ +static isc_boolean_t +consistent_digests(dns_rdataset_t *dsset) +{ + isc_result_t result; + dns_rdata_t *arrdata; + dns_rdata_ds_t *ds; + dns_keytag_t key_tag; + isc_uint8_t algorithm; + isc_boolean_t match; + int i, j, n, d; + + /* + * First sort the dsset. DS rdata fields are tag, algorithm, digest, + * so sorting them brings together all the records for each key. + */ + + n = dns_rdataset_count(dsset); + + arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t)); + if (arrdata == NULL) + fatal("allocating DS rdata array: %s", + isc_result_totext(ISC_R_NOMEMORY)); + + for (result = dns_rdataset_first(dsset), i = 0; + result == ISC_R_SUCCESS; + result = dns_rdataset_next(dsset), i++) + { + dns_rdata_init(&arrdata[i]); + dns_rdataset_current(dsset, &arrdata[i]); + } + + qsort(arrdata, n, sizeof(dns_rdata_t), rdata_cmp); + + /* + * Convert sorted arrdata to more accessible format + */ + + ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t)); + if (ds == NULL) + fatal("allocating unpacked DS array: %s", + isc_result_totext(ISC_R_NOMEMORY)); + + for (i = 0; i < n; i++) { + result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL); + check_result(result, "dns_rdata_tostruct(DS)"); + } + + /* + * Count number of digest types (d) for first key + */ + key_tag = ds[0].key_tag; + algorithm = ds[0].algorithm; + for (d = 0, i = 0; i < n; i++, d++) { + if (ds[i].key_tag != key_tag || + ds[i].algorithm != algorithm) + break; + } + + /* + * Check subsequent keys match the first one + */ + match = ISC_TRUE; + while (i < n) { + key_tag = ds[i].key_tag; + algorithm = ds[i].algorithm; + for (j = 0; j < d && i+j < n; j++) + if (ds[i+j].key_tag != key_tag || + ds[i+j].algorithm != algorithm || + ds[i+j].digest_type != ds[j].digest_type) + match = ISC_FALSE; + i += d; + } + + /* + * Done! + */ + isc_mem_put(mctx, ds, n * sizeof(dns_rdata_ds_t)); + isc_mem_put(mctx, arrdata, n * sizeof(dns_rdata_t)); + + return (match); +} + +static void +print_diff(const char *cmd, dns_rdataset_t *rdataset) +{ + isc_buffer_t *buf; + isc_region_t r; + unsigned char *nl; + size_t len; + + buf = formatset(rdataset); + isc_buffer_usedregion(buf, &r); + + while ((nl = memchr(r.base, '\n', r.length)) != NULL) { + len = nl - r.base + 1; + printf("update %s %.*s", cmd, (int)len, (char *)r.base); + isc_region_consume(&r, len); + } + + isc_buffer_free(&buf); +} + +static void +update_diff(const char *cmd, isc_uint32_t ttl, + dns_rdataset_t *addset, dns_rdataset_t *delset) +{ + isc_result_t result; + dns_db_t *db; + dns_dbnode_t *node; + dns_dbversion_t *ver; + dns_rdataset_t diffset; + isc_uint32_t save; + + db = NULL; + result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, + rdclass, 0, NULL, &db); + check_result(result, "dns_db_create()"); + + ver = NULL; + result = dns_db_newversion(db, &ver); + check_result(result, "dns_db_newversion()"); + + node = NULL; + result = dns_db_findnode(db, name, ISC_TRUE, &node); + check_result(result, "dns_db_findnode()"); + + dns_rdataset_init(&diffset); + + result = dns_db_addrdataset(db, node, ver, 0, addset, + DNS_DBADD_MERGE, NULL); + check_result(result, "dns_db_addrdataset()"); + + result = dns_db_subtractrdataset(db, node, ver, delset, + 0, &diffset); + if (result == DNS_R_UNCHANGED) { + save = addset->ttl; + addset->ttl = ttl; + print_diff(cmd, addset); + addset->ttl = save; + } else if (result != DNS_R_NXRRSET) { + check_result(result, "dns_db_subtractrdataset()"); + diffset.ttl = ttl; + print_diff(cmd, &diffset); + dns_rdataset_disassociate(&diffset); + } + + dns_db_detachnode(db, &node); + dns_db_closeversion(db, &ver, ISC_FALSE); + dns_db_detach(&db); +} + +static void +nsdiff(isc_uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) +{ + if (ttl == 0) + vbprintf(1, "warning: no TTL in nsupdate script\n"); + update_diff("add", ttl, newset, oldset); + update_diff("del", 0, oldset, newset); + if (verbose > 0) + printf("show\nsend\nanswer\n"); + else + printf("send\n"); + if (fflush(stdout) == EOF) + fatal("write stdout: %s", strerror(errno)); +} + +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + +static void +usage(void) { + fprintf(stderr, "Usage:\n"); + fprintf(stderr, + " %s options [options] -f -d \n", + program); + fprintf(stderr, "Version: %s\n", VERSION); + fprintf(stderr, "Options:\n" +" -a digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n" +" -c of domain (default IN)\n" +" -D prefer CDNSKEY records instead of CDS\n" +" -d where to find parent dsset- file\n" +" -f child DNSKEY+CDNSKEY+CDS+RRSIG records\n" +" -i[extension] update dsset- file in place\n" +" -s oldest permitted child signatures\n" +" -u emit nsupdate script\n" +" -T TTL of DS records\n" +" -V print version\n" +" -v \n" + ); + exit(1); +} + +int +main(int argc, char *argv[]) { + const char *child_path = NULL; + const char *ds_path = NULL; + const char *inplace = NULL; + isc_result_t result; + isc_boolean_t prefer_cdnskey = ISC_FALSE; + isc_boolean_t nsupdate = ISC_FALSE; + isc_uint32_t ttl = 0; + int ch; + char *endp; + + result = isc_mem_create(0, 0, &mctx); + if (result != ISC_R_SUCCESS) + fatal("out of memory"); + +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif + dns_result_register(); + + isc_commandline_errprint = ISC_FALSE; + +#define OPTIONS "a:c:Dd:f:i:ms:T:uv:V" + while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { + switch (ch) { + case 'a': + add_dtype(isc_commandline_argument); + break; + case 'c': + rdclass = strtoclass(isc_commandline_argument); + break; + case 'D': + prefer_cdnskey = ISC_TRUE; + break; + case 'd': + ds_path = isc_commandline_argument; + break; + case 'f': + child_path = isc_commandline_argument; + break; + case 'i': + /* + * This is a bodge to make the argument optional, + * so that it works just like sed(1). + */ + if (isc_commandline_argument == + argv[isc_commandline_index - 1]) { + isc_commandline_index--; + inplace = ""; + } else { + inplace = isc_commandline_argument; + } + break; + case 'm': + isc_mem_debugging = ISC_MEM_DEBUGTRACE | + ISC_MEM_DEBUGRECORD; + break; + case 's': + startstr = isc_commandline_argument; + break; + case 'T': + ttl = strtottl(isc_commandline_argument); + break; + case 'u': + nsupdate = ISC_TRUE; + break; + case 'V': + /* Does not return. */ + version(program); + break; + case 'v': + verbose = strtoul(isc_commandline_argument, &endp, 0); + if (*endp != '\0') + fatal("-v must be followed by a number"); + break; + default: + usage(); + break; + } + } + argv += isc_commandline_index; + argc -= isc_commandline_index; + + if (argc != 1) + usage(); + initname(argv[0]); + + /* + * Default digest type if none specified. + */ + if (dtype[0] == 0) + dtype[0] = DNS_DSDIGEST_SHA256; + + setup_logging(mctx, &lctx); + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("could not initialize hash"); + result = dst_lib_init(mctx, ectx, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst: %s", + isc_result_totext(result)); + isc_entropy_stopcallbacksources(ectx); + + if (ds_path == NULL) + fatal("missing -d DS pathname"); + load_parent_set(ds_path); + + /* + * Preserve the TTL if it wasn't overridden. + */ + if (ttl == 0) + ttl = old_ds_set.ttl; + + if (child_path == NULL) + fatal("TODO: cannot fetch child records from DNS yet"); + else + load_child_sets(child_path); + + /* + * Check child records have accompanying RRSIGs and DNSKEYs + */ + + if (!dns_rdataset_isassociated(&dnskey_set) || + !dns_rdataset_isassociated(&dnskey_sig)) + fatal("could not find signed DNSKEY RRset for %s", namestr); + + if (dns_rdataset_isassociated(&cdnskey_set) && + !dns_rdataset_isassociated(&cdnskey_sig)) + fatal("missing RRSIG CDNSKEY records for %s", namestr); + if (dns_rdataset_isassociated(&cds_set) && + !dns_rdataset_isassociated(&cds_sig)) + fatal("missing RRSIG CDS records for %s", namestr); + + vbprintf(1, "which child DNSKEY records match parent DS records?\n"); + old_key_tbl = match_keyset_dsset(&dnskey_set, &old_ds_set, loose); + + /* + * ??? eliminate keys covered by SHA1 if any keys are covered by + * better digests - RFC 4509 section 3 + */ + + /* + * We have now identified the keys that are allowed to authenticate + * the DNSKEY RRset (RFC 4035 section 5.2 bullet 2), and CDNSKEY and + * CDS RRsets (RFC 7344 section 4.1 bullet 2). + */ + + vbprintf(1, "verify DNSKEY signature(s)\n"); + if (!signed_loose(matching_sigs(old_key_tbl, &dnskey_set, &dnskey_sig))) + fatal("could not validate child DNSKEY RRset for %s", namestr); + + if (dns_rdataset_isassociated(&cdnskey_set)) { + vbprintf(1, "verify CDNSKEY signature(s)\n"); + if (!signed_loose(matching_sigs(old_key_tbl, + &cdnskey_set, &cdnskey_sig))) + fatal("could not validate child CDNSKEY RRset for %s", + namestr); + } + if (dns_rdataset_isassociated(&cds_set)) { + vbprintf(1, "verify CDS signature(s)\n"); + if (!signed_loose(matching_sigs(old_key_tbl, + &cds_set, &cds_sig))) + fatal("could not validate child CDS RRset for %s", + namestr); + } + + free_keytable(&old_key_tbl); + + /* + * Report the result of the replay attack protection checks + * used for the output file timestamp + */ + if (oldestsig.timesigned != 0 && verbose > 0) { + char type[32]; + dns_rdatatype_format(oldestsig.covered, type, sizeof(type)); + verbose_time(1, "child signature inception time", + oldestsig.timesigned); + vbprintf(2, "from RRSIG %s by key %d\n", + type, oldestsig.keyid); + } + + /* + * Sucessfully do nothing if there's neither CDNSKEY nor CDS + * RFC 7344 section 4.1 first paragraph + */ + if (!dns_rdataset_isassociated(&cdnskey_set) && + !dns_rdataset_isassociated(&cds_set)) { + vbprintf(1, "%s has neither CDS nor CDNSKEY records\n", namestr); + write_parent_set(ds_path, inplace, nsupdate, &old_ds_set); + exit(0); + } + + /* + * Make DS records from the CDS or CDNSKEY records + * + * ??? if there are both, do we check they are consistent? + * https://mailarchive.ietf.org/arch/msg/dnsop/BDWqfQhwtSWxpG8G2-G9fqB3ijQ + * - if so, match_keyset_dsset(&cdnskey_set, &cds_set); + * - ensure all keys are covered by all digest algorithms + */ + if (prefer_cdnskey && dns_rdataset_isassociated(&cdnskey_set)) + make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set); + else if (dns_rdataset_isassociated(&cds_set)) + make_new_ds_set(ds_from_cds, ttl, &cds_set); + else + make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set); + + /* + * Now we have a candidate DS RRset, we need to check it + * won't break the delegation. + */ + vbprintf(1, "which child DNSKEY records match new DS records?\n"); + new_key_tbl = match_keyset_dsset(&dnskey_set, &new_ds_set, tight); + + if (!consistent_digests(&new_ds_set)) + fatal("CDS records at %s do not cover each key " + "with the same set of digest types", namestr); + + vbprintf(1, "verify DNSKEY signature(s)\n"); + if (!signed_strict(&new_ds_set, + matching_sigs(new_key_tbl, + &dnskey_set, &dnskey_sig))) + fatal("could not validate child DNSKEY RRset " + "with new DS records for %s", namestr); + + free_keytable(&new_key_tbl); + + /* + * OK, it's all good! + */ + if (nsupdate) + nsdiff(ttl, &old_ds_set, &new_ds_set); + write_parent_set(ds_path, inplace, nsupdate, &new_ds_set); + + free_all_sets(); + cleanup_logging(&lctx); + dst_lib_destroy(); + isc_hash_destroy(); + cleanup_entropy(&ectx); + if (verbose > 10) + isc_mem_stats(mctx, stdout); + isc_mem_destroy(&mctx); + + return (0); +} diff --git a/bin/dnssec/dnssec-cds.docbook b/bin/dnssec/dnssec-cds.docbook new file mode 100644 index 0000000..b19e303 --- /dev/null +++ b/bin/dnssec/dnssec-cds.docbook @@ -0,0 +1,404 @@ + + + + + 2017-09-14 + + + ISC + Internet Systems Consortium, Inc. + + Tony Finch + dot@dotat.at + fanf2@cam.ac.uk + Cambridge University Information Services + + + + + + dnssec-cds + 8 + BIND9 + + + + dnssec-cds + change DS records based on CDS/CDNSKEY + + + + + 2017 + Internet Systems Consortium, Inc. ("ISC") + + + + + + dnssec-cds + + + + + + extension + + + + + + domain + + + + DESCRIPTION + + + The dnssec-cds command changes DS records at + a delegation point based on CDS or CDNSKEY records published in + the child zone. By default CDS records are used if both CDS and + CDNSKEY records are present. + + + + It requires two input files. + The + contains the child's CDS and/or CDNSKEY records, plus RRSIG and + DNSKEY records so that they can be authenticated. + The + contains the current DS records, such as + a dsset- file used + by dnssec-signzone. + + + + For protection against replay attacks, the signatures on the + child records must not be older than they were on a previous run + of dnssec-cds. This time is obtained from the + modification time of the dsset- file, or + from the option. + + + + To protect against breaking the + delegation, dnssec-cds ensures that the + DNSKEY RRset can be verified by every key algorithm in the new + DS RRset, and that the same set of keys are covered by every + DS digest type. + + + + By default, replacement DS records are written to the standard + output; with the option the input file is + overwritten in place. The replacement DS records will be the + same as the existing records when no change is required. The + output can be empty if the CDS / CDNSKEY records specify that + the child zone wants to go insecure. + + + Warning: Be careful not to delete the DS records + when dnssec-cds fails! + + + + Alternatively, dnssec-cds -u writes + an nsupdate script to the standard output. + You can use the and + options together to maintain a dsset- file + as well as emit an nsupdate script. + + + + + OPTIONS + + + + + -a algorithm + + + Specify a digest algorithm to use when converting CDNSKEY + records to DS records. This option can be repeated, so + that multiple DS records are created for each CDNSKEY + record. This option has no effect when using CDS records. + + + The algorithm must be one of SHA-1 + (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + values are case insensitive. If no algorithm is specified, + the default is SHA-256. + + + + + + -c class + + + Specifies the DNS class of the zones. + + + + + + -D + + + Generate DS records from CDNSKEY records if both CDS and + CDNSKEY records are present in the child zone. By default + CDS records are preferred. + + + + + + -d path + + + Location of the parent DS records. + The path can be the name of a file + containing the DS records, or if it is a + directory, dnssec-cds looks for + a dsset- file for + the domain inside the directory. + + + To protect against replay attacks, child records are + rejected if they were signed earlier than the modification + time of the dsset- file. This can be + adjusted with the option. + + + + + + -f child-file + + + File containing the child's CDS and/or CDNSKEY records, + plus its DNSKEY records and the covering RRSIG records so + that they can be authenticated. + + + The EXAMPLES below describe how to generate this file. + + + + + + -iextension + + + Update the dsset- file in place, + instead of writing DS records to the standard output. + + + There must be no space between the and + the extension. If you provide + no extension then the + old dsset- is discarded. If + an extension is present, a + backup of the old dsset- file is kept + with the extension appended to + its filename. + + + To protect against replay attacks, the modification time + of the dsset- file is set to match + the signature inception time of the child records, + provided that is later than the file's current + modification time. + + + + + + -s start-time + + + Specify the date and time after which RRSIG records become + acceptable. This can be either an absolute or relative + time. An absolute start time is indicated by a number in + YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 + UTC on August 27th, 2017. A time relative to + the dsset- file is indicated with -N, + which is N seconds before the file modification time. A + time relative to the current time is indicated with now+N. + + + If no start-time is specified, the + modification time of the dsset- file + is used. + + + + + + -T ttl + + + Specifies a TTL to be used for new DS records. If not + specified, the default is the TTL of the old DS records. + If they had no explicit TTL then the new DS records also + have no explicit TTL. + + + + + + -u + + + Write an nsupdate script to the + standard output, instead of printing the new DS reords. + The output will be empty if no change is needed. + + + Note: The TTL of new records needs to be specified, either + in the original dsset- file, or with + the option, or using + the nsupdate ttl + command. + + + + + + -V + + + Print version information. + + + + + + -v level + + + Sets the debugging level. Level 1 is intended to be + usefully verbose for general users; higher levels are + intended for developers. + + + + + + domain + + + The name of the delegation point / child zone apex. + + + + + + + + EXIT STATUS + + + The dnssec-cds command exits 0 on success, or + non-zero if an error occurred. + + + + In the success case, the DS records might or might not need + to be changed. + + + + + EXAMPLES + + + Before running dnssec-signzone you can ensure + that the delegations are up-to-date by + running dnssec-cds on + every dsset- file. + + + To fetch the child records required + by dnssec-cds you can + invoke dig as in the script below. + It's OK if the dig fails + since dnssec-cds performs all the necessary + checking. + +for f in dsset-* +do + d=${f#dsset-} + dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | + dnssec-cds -i -f /dev/stdin -d $f $d +done + + + + When the parent zone is automatically signed + by named, you can + use dnssec-cds + with nsupdate to maintain a delegation as + follows. The dsset- file allows the script + to avoid having to fetch and validate the parent DS records, and + it keeps the replay attack protection time. + + +dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS | +dnssec-cds -u -i -f /dev/stdin -d $f $d | +nsupdate -l + + + + SEE ALSO + + + + dig1 + , + + dnssec-settime8 + , + + dnssec-signzone8 + , + + nsupdate1 + , + BIND 9 Administrator Reference Manual, + RFC 7344. + + + + + BUGS + + + RFC 8078 support is missing. This depends on support for the + CDS/CDNSKEY delete format in the rest of BIND. + + + + The dnssec-cds command should be able to + fetch the child records itself if the flag + is not given. As well as making invocation simpler, this will + allow better error reporting when lookups fail. + + + + Using the modification time of the dsset- + file is naff. It would be better to keep the timing information + as comments inside the file. That would allow more sophisticated + safety checks, such as a hold-down period. + + + + + diff --git a/bin/dnssec/dnssec-cds.html b/bin/dnssec/dnssec-cds.html new file mode 100644 index 0000000..e8a1836 --- /dev/null +++ b/bin/dnssec/dnssec-cds.html @@ -0,0 +1,293 @@ + + + + + +dnssec-cds + + +
+
+
+

Name

+

dnssec-cds — change DS records based on CDS/CDNSKEY

+
+
+

Synopsis

+

dnssec-cds [-a alg...] [-c class] [-D] {-d path} {-f child-file} [-i [extension]] [-s start-time] [-T ttl] [-u] [-v level] [-V] {domain}

+
+
+

DESCRIPTION

+

+ The dnssec-cds command changes DS records at + a delegation point based on CDS or CDNSKEY records published in + the child zone. By default CDS records are used if both CDS and + CDNSKEY records are present. +

+

+ It requires two input files. + The -f file + contains the child's CDS and/or CDNSKEY records, plus RRSIG and + DNSKEY records so that they can be authenticated. + The -d path + contains the current DS records, such as + a dsset- file used + by dnssec-signzone. +

+

+ For protection against replay attacks, the signatures on the + child records must not be older than they were on a previous run + of dnssec-cds. This time is obtained from the + modification time of the dsset- file, or + from the -s option. +

+

+ To protect against breaking the + delegation, dnssec-cds ensures that the + DNSKEY RRset can be verified by every key algorithm in the new + DS RRset, and that the same set of keys are covered by every + DS digest type. +

+

+ By default, replacement DS records are written to the standard + output; with the -i option the input file is + overwritten in place. The replacement DS records will be the + same as the existing records when no change is required. The + output can be empty if the CDS / CDNSKEY records specify that + the child zone wants to go insecure. +

+

+ Warning: Be careful not to delete the DS records + when dnssec-cds fails! +

+

+ Alternatively, dnssec-cds -u writes + an nsupdate script to the standard output. + You can use the -u and -i + options together to maintain a dsset- file + as well as emit an nsupdate script. +

+
+
+

OPTIONS

+
+
-a algorithm
+
+

+ Specify a digest algorithm to use when converting CDNSKEY + records to DS records. This option can be repeated, so + that multiple DS records are created for each CDNSKEY + record. This option has no effect when using CDS records. +

+

+ The algorithm must be one of SHA-1 + (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These + values are case insensitive. If no algorithm is specified, + the default is SHA-256. +

+
+
-c class
+

+ Specifies the DNS class of the zones. +

+
-D
+

+ Generate DS records from CDNSKEY records if both CDS and + CDNSKEY records are present in the child zone. By default + CDS records are preferred. +

+
-d path
+
+

+ Location of the parent DS records. + The path can be the name of a file + containing the DS records, or if it is a + directory, dnssec-cds looks for + a dsset- file for + the domain inside the directory. +

+

+ To protect against replay attacks, child records are + rejected if they were signed earlier than the modification + time of the dsset- file. This can be + adjusted with the -s option. +

+
+
-f child-file
+
+

+ File containing the child's CDS and/or CDNSKEY records, + plus its DNSKEY records and the covering RRSIG records so + that they can be authenticated. +

+

+ The EXAMPLES below describe how to generate this file. +

+
+
-i[extension]
+
+

+ Update the dsset- file in place, + instead of writing DS records to the standard output. +

+

+ There must be no space between the -i and + the extension. If you provide + no extension then the + old dsset- is discarded. If + an extension is present, a + backup of the old dsset- file is kept + with the extension appended to + its filename. +

+

+ To protect against replay attacks, the modification time + of the dsset- file is set to match + the signature inception time of the child records, + provided that is later than the file's current + modification time. +

+
+
-s start-time
+
+

+ Specify the date and time after which RRSIG records become + acceptable. This can be either an absolute or relative + time. An absolute start time is indicated by a number in + YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 + UTC on August 27th, 2017. A time relative to + the dsset- file is indicated with -N, + which is N seconds before the file modification time. A + time relative to the current time is indicated with now+N. +

+

+ If no start-time is specified, the + modification time of the dsset- file + is used. +

+
+
-T ttl
+

+ Specifies a TTL to be used for new DS records. If not + specified, the default is the TTL of the old DS records. + If they had no explicit TTL then the new DS records also + have no explicit TTL. +

+
-u
+
+

+ Write an nsupdate script to the + standard output, instead of printing the new DS reords. + The output will be empty if no change is needed. +

+

+ Note: The TTL of new records needs to be specified, either + in the original dsset- file, or with + the -T option, or using + the nsupdate ttl + command. +

+
+
-V
+

+ Print version information. +

+
-v level
+

+ Sets the debugging level. Level 1 is intended to be + usefully verbose for general users; higher levels are + intended for developers. +

+
domain
+

+ The name of the delegation point / child zone apex. +

+
+
+
+

EXIT STATUS

+

+ The dnssec-cds command exits 0 on success, or + non-zero if an error occurred. +

+

+ In the success case, the DS records might or might not need + to be changed. +

+
+
+

EXAMPLES

+

+ Before running dnssec-signzone you can ensure + that the delegations are up-to-date by + running dnssec-cds on + every dsset- file. +

+

+ To fetch the child records required + by dnssec-cds you can + invoke dig as in the script below. + It's OK if the dig fails + since dnssec-cds performs all the necessary + checking. +

+
for f in dsset-*
+do
+	d=${f#dsset-}
+	dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+	dnssec-cds -i -f /dev/stdin -d $f $d
+done
+
+

+ When the parent zone is automatically signed + by named, you can + use dnssec-cds + with nsupdate to maintain a delegation as + follows. The dsset- file allows the script + to avoid having to fetch and validate the parent DS records, and + it keeps the replay attack protection time. +

+
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec-cds -u -i -f /dev/stdin -d $f $d |
+nsupdate -l
+
+
+
+

SEE ALSO

+

+ dig(1), + dnssec-settime(8), + dnssec-signzone(8), + nsupdate(1), + BIND 9 Administrator Reference Manual, + RFC 7344. +

+
+
+

BUGS

+

+ RFC 8078 support is missing. This depends on support for the + CDS/CDNSKEY delete format in the rest of BIND. +

+

+ The dnssec-cds command should be able to + fetch the child records itself if the -f flag + is not given. As well as making invocation simpler, this will + allow better error reporting when lookups fail. +

+

+ Using the modification time of the dsset- + file is naff. It would be better to keep the timing information + as comments inside the file. That would allow more sophisticated + safety checks, such as a hold-down period. +

+
+
+ diff --git a/bin/tests/system/cds/.gitignore b/bin/tests/system/cds/.gitignore new file mode 100644 index 0000000..cce92fe --- /dev/null +++ b/bin/tests/system/cds/.gitignore @@ -0,0 +1,13 @@ +CDNSKEY* +CDS* +DS* +K* +UP* +brk.* +db.* +dsset-* +err +empty +out +sig.* +vars.sh diff --git a/bin/tests/system/cds/checkmtime.pl b/bin/tests/system/cds/checkmtime.pl new file mode 100644 index 0000000..a8f94f3 --- /dev/null +++ b/bin/tests/system/cds/checkmtime.pl @@ -0,0 +1,6 @@ +#!/usr/bin/perl +my $target = shift; +my $file = shift; +my $mtime = time - (stat $file)[9]; +die "bad mtime $mtime" + unless abs($mtime - $target) < 3; diff --git a/bin/tests/system/cds/checktime.pl b/bin/tests/system/cds/checktime.pl new file mode 100644 index 0000000..1efd653 --- /dev/null +++ b/bin/tests/system/cds/checktime.pl @@ -0,0 +1,12 @@ +#!/usr/bin/perl + +$target = shift; +while (<>) { + $notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]$}; + $inception = $1 if m{^.* inception time \d+ [(](\d+)[)]$}; +} +die "missing notbefore time" unless $notbefore; +die "missing inception time" unless $inception; +my $delta = $inception - $notbefore; +die "bad inception time $delta" + unless abs($delta - $target) < 3; diff --git a/bin/tests/system/cds/clean.sh b/bin/tests/system/cds/clean.sh new file mode 100644 index 0000000..25798f2 --- /dev/null +++ b/bin/tests/system/cds/clean.sh @@ -0,0 +1,11 @@ +#!/bin/sh -e +# +# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +while read glob +do rm -f $glob +done <.gitignore diff --git a/bin/tests/system/cds/mangle.pl b/bin/tests/system/cds/mangle.pl new file mode 100644 index 0000000..a566006 --- /dev/null +++ b/bin/tests/system/cds/mangle.pl @@ -0,0 +1,7 @@ +#!/usr/bin/perl +my $re = $ARGV[0]; +shift; +while (<>) { + s{($re)........}{${1}00000000}; + print; +} diff --git a/bin/tests/system/cds/prereq.sh b/bin/tests/system/cds/prereq.sh new file mode 100644 index 0000000..0eacf1d --- /dev/null +++ b/bin/tests/system/cds/prereq.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# +# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh new file mode 100644 index 0000000..6437c0a --- /dev/null +++ b/bin/tests/system/cds/setup.sh @@ -0,0 +1,120 @@ +#!/bin/sh -e +# +# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +set -eu + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +test -r $RANDFILE || $GENRANDOM 800 $RANDFILE + +touch empty + +Z=cds.test + +keyz=$($KEYGEN -q -r $RANDFILE -a RSASHA256 $Z) +key1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z) +key2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z) + +idz=$(echo $keyz | sed 's/.*+0*//') +id1=$(echo $key1 | sed 's/.*+0*//') +id2=$(echo $key2 | sed 's/.*+0*//') + +cat <vars.sh +Z=$Z +key1=$key1 +key2=$key2 +idz=$idz +id1=$id1 +id2=$id2 +EOF + +tac() { + perl -e 'print reverse <>' "$@" +} + +convert() { + local key=$1 n=$2 + $DSFROMKEY $key >DS.$n + grep ' 8 1 ' DS.$n >DS.$n-1 + grep ' 8 2 ' DS.$n >DS.$n-2 + sed 's/ IN DS / IN CDS /' >CDS.$n + sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n + sed 's/ IN DS / 3600 IN DS /' DS.ttl$n + sed 's/ IN DS / 7200 IN DS /' DS.ttlong$n + tac DS.rev$n +} +convert $key1 1 +convert $key2 2 + +# consistent order wrt IDs +sort DS.1 DS.2 >DS.both + +cp DS.1 DS.inplace +$PERL -we 'utime time, time - 7200, "DS.inplace" or die' + +mangle="$PERL mangle.pl" + +$mangle " IN DS $id1 8 1 " DS.broke1 +$mangle " IN DS $id1 8 2 " DS.broke2 +$mangle " IN DS $id1 8 [12] " DS.broke12 + +sed 's/^/update add /;$a send' UP.add2 +sed 's/^/update del /;$a send' UP.del1 +cat UP.add2 UP.del1 | sed 3d >UP.swap + +sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' UP.swapttl + +sign() { + cat >db.$1 + $SIGNER >/dev/null 2>&1 -r $RANDFILE \ + -S -O full -o $Z -f sig.$1 db.$1 +} + +sign null <brk.unsigned-cds + +cat db.null CDS.1 | sign cds.1 +cat db.null CDS.2 | sign cds.2 +cat db.null CDS.1 CDS.2 | sign cds.both + +tac sig.cds.rev1 + +cat db.null CDNSKEY.2 | sign cdnskey.2 +cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2 + +$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \ + brk.rrsig.cds.zsk +$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \ + brk.rrsig.cds.ksk + +$mangle " IN CDS $id1 8 1 " err 1>out; echo $?) ] + then echo "D:exit status does not match $y" + die=die + fi + ckerr + ckout + $die + rm -f err out xerr xout + unset name err out +} +ckerr() { + if [ -n "${err:=}" ] + then egrep "$err" err >/dev/null && + return 0 + else [ -s err ] || + return 0 + fi + echo "D:stderr did not match '$err'" + sed 's/^/D:/' err + die=die +} +ckout() { + cmp out "${out:-empty}" >/dev/null && return + echo "D:stdout did not match '$out'" + ( echo "wanted" + cat "$out" + echo "got" + cat out + ) | sed 's/^/D:/' + die=die +} + +Z=cds.test + +name='usage' +err='Usage' +ck 1 $CDS + +name='need a DS file' +err='DS pathname' +ck 1 $CDS $Z + +name='name of dsset in directory' +err="./dsset-$Z.: file not found" +ck 1 $CDS -d . $Z + +name='load a file' +err='could not find DS records' +ck 1 $CDS -d empty $Z + +name='load DS records' +err='TODO: cannot fetch child records from DNS yet' +ck 1 $CDS -d DS.1 $Z + +name='missing DNSKEY' +err='could not find signed DNSKEY RRset' +ck 1 $CDS -f db.null -d DS.1 $Z + +name='sigs too old' +err='could not validate child DNSKEY RRset' +ck 1 $CDS -f sig.null -d DS.1 $Z + +name='sigs too old, verbosely' +err='skip RRSIG by key [0-9]+: too old' +ck 1 $CDS -v1 -f sig.null -d DS.1 $Z + +name='old sigs are allowed' +err='found RRSIG by key' +out=DS.1 +ck 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z + +name='no CDS/CDNSKEY records' +out=DS.1 +ck 0 $CDS -s -7200 -f sig.null -d DS.1 $Z + +name='no child records, verbosely' +err='has neither CDS nor CDNSKEY records' +out=DS.1 +ck 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z + +name='unsigned CDS' +err='missing RRSIG CDS records' +ck 1 $CDS -f brk.unsigned-cds -d DS.1 $Z + +name='correct signature inception time' +$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr +ck 0 $PERL checktime.pl 3600 xerr + +name='in-place reads modification time' +ck 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z + +name='in-place output correct modification time' +ck 0 $PERL checkmtime.pl 3600 DS.inplace + +name='in-place backup correct modification time' +ck 0 $PERL checkmtime.pl 7200 DS.inplace.bak + +name='in-place correct output' +ck 0 cmp DS.1 DS.inplace + +name='in-place backup unmodified' +ck 0 cmp DS.1 DS.inplace.bak + +name='one mangled DS' +err='found RRSIG by key' +out=DS.1 +ck 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z + +name='other mangled DS' +err='found RRSIG by key' +out=DS.1 +ck 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z + +name='both mangled DS' +err='could not validate child DNSKEY RRset' +ck 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z + +name='mangle RRSIG CDS by ZSK' +err='found RRSIG by key' +out=DS.1 +ck 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z + +name='mangle RRSIG CDS by KSK' +err='could not validate child CDS RRset' +ck 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z + +name='mangle CDS 1' +err='could not validate child DNSKEY RRset with new DS records' +ck 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z + +name='inconsistent digests' +err='do not cover each key with the same set of digest types' +ck 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z + +name='inconsistent algorithms' +err='missing signature for algorithm' +ck 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z + +name='add DS records' +out=DS.both +$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out +# sort to allow for numerical vs lexical order of key tags +ck 0 sort DS.out + +name='update add' +out=UP.add2 +ck 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z + +name='remove DS records' +out=DS.2 +ck 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z + +name='update del' +out=UP.del1 +ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z + +name='swap DS records' +out=DS.2 +ck 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='update swap' +out=UP.swap +ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='TTL from -T' +out=DS.ttl2 +ck 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='update TTL from -T' +out=UP.swapttl +ck 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z + +name='update TTL from dsset' +out=UP.swapttl +ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z + +name='TTL from -T overrides dsset' +out=DS.ttlong2 +ck 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z + +name='stable DS record order (no change)' +out=DS.1 +ck 0 $CDS -s -7200 -f sig.null -d DS.rev1 $Z + +name='stable DS record order (changes)' +out=DS.1 +ck 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z + +name='CDNSKEY default algorithm' +out=DS.2-2 +ck 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY SHA1' +out=DS.2-1 +ck 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY two algorithms' +out=DS.2 +ck 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY two algorithms, reversed' +out=DS.2 +ck 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z + +name='CDNSKEY and CDS' +out=DS.2 +ck 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z + +name='prefer CDNSKEY' +out=DS.2-2 +ck 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z + +echo "I:exit status: 0" +exit $status diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 94d5a44..411877c 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -18,6 +18,7 @@ TOP=${SYSTEMTESTTOP:=.}/../../.. TOP=`cd $TOP && pwd` ARPANAME=$TOP/bin/tools/arpaname +CDS=$TOP/bin/dnssec/dnssec-cds CHECKCONF=$TOP/bin/check/named-checkconf CHECKDS=$TOP/bin/python/dnssec-checkds CHECKZONE=$TOP/bin/check/named-checkzone @@ -69,9 +70,9 @@ SAMPLEUPDATE=$TOP/lib/samples/sample-update # load on the machine to make it unusable to other users. # v6synth SUBDIRS="acl additional addzone allow_query autosign builtin - cacheclean case catz chain - checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@ - database digdelv dlv dlvauto dlz dlzexternal + cacheclean case catz cds chain + checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@ + database digdelv dlv dlvauto dlz dlzexternal dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa emptyzones fetchlimit filter-aaaa formerr geoip glue gost inline integrity ixfr keepalive @KEYMGR@ legacy limits @@ -137,6 +138,7 @@ NZD=@NZD_TOOLS@ export ARPANAME export BIGKEY +export CDS export CHECKZONE export DESCRIPTION export DIG -- 2.10.1.445.g3cdd5d1