From e335c490eb1b69d67bb4d1f987730d87a8e9c808 Mon Sep 17 00:00:00 2001
From: Charles-Henri Bruyand
Date: Wed, 23 May 2018 15:34:54 +0200
Subject: [PATCH] auth: sign CDS/CDNSKEY RRsets with the KSK
---
 pdns/dnssecsigner.cc | 6 +++++-
 .../tests/publishing-cds-cdnskey/expected_result | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index af77f4132..771ddd76d 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -38,6 +38,7 @@ typedef map, string> signaturecache_t;
 static signaturecache_t g_signatures;
 static int g_cacheweekno;
+const static std::set g_KSKSignedQTypes {QType::DNSKEY, QType::CDS, QType::CDNSKEY};
 AtomicCounter* g_signatureCount;
 static void fillOutRRSIG(DNSSECPrivateKey& dpk, const DNSName& signQName, RRSIGRecordContent& rrc, vector >& toSign)
@@ -106,8 +107,11 @@ static int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSN
 if(!keymeta.second.active)
 continue;
+ bool signWithKSK = g_KSKSignedQTypes.count(signQType) != 0;
+
 // Do not sign DNSKEY RRsets with the ZSK
 if((signQType == QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::ZSK) ||
- (signQType != QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::KSK)) {
+ // Do not sign any other RRset than DNSKEY, CDS and CDNSKEY with a KSK (!signWithKSK && keymeta.second.keyType == DNSSECKeeper::KSK)) {
 continue;
 }
diff --git a/regression-tests/tests/publishing-cds-cdnskey/expected_result b/regression-tests/tests/publishing-cds-cdnskey/expected_result
index cc03f2d9a..0c709606d 100644
--- a/regression-tests/tests/publishing-cds-cdnskey/expected_result
+++ b/regression-tests/tests/publishing-cds-cdnskey/expected_result
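Review bot: `const static std::set g_KSKSignedQTypes` turns a three-entry policy into a namespace-scope object that needs dynamic initialisation at startup and an ordered-tree lookup for every key considered in getRRSIGsForRRSET; a small `static` helper with a direct comparison, `return qtype == QType::DNSKEY || qtype == QType::CDS || qtype == QType::CDNSKEY;`, is constant-time, avoids any question of static initialisation order, and names the policy at its only use. If the set is kept, the conventional spelling is `static const`, and a one-line comment above it saying why exactly these three types are KSK-signed (RFC 7344 §4.1 asks for CDS/CDNSKEY to be signed by a key represented in the parent's DS RRset) would help the next reader.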
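Review bot: `signWithKSK` depends only on `signQType`, yet it is computed inside the per-key loop whose header lies above this hunk, so it is recomputed for every key of the zone; hoist it above the loop as `const bool signWithKSK = g_KSKSignedQTypes.count(signQType) != 0;`. The new comment sits between the two operands of the `||`, which makes the condition hard to scan; a single comment above the `if` stating the resulting policy would be clearer: DNSKEY is signed only by KSKs, CDS and CDNSKEY are signed by both KSKs and ZSKs (the two RRSIGs per RRset added to expected_result confirm this), and every other type only by ZSKs. If the additional ZSK signature over CDS/CDNSKEY is deliberate, the comment should say so, since RFC 7344 §4.1 only requires a signature by a key represented in the parent's DS and the extra RRSIG enlarges every CDS/CDNSKEY response. The enclosing function getRRSIGsForRRSET starts before this hunk and continues after it.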
@@ -1,11 +1,13 @@
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 1 a28ebe791e9cc7f4c2821131be367326ddd7434c
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 2 . IN OPT 32768
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDS
 0 secure-delegated.dnssec-parent.com. IN CDNSKEY 86400 257 3 8 AwEAAZd9R7SWWGqA12oG7Ls+h3b0/IAyMj/Pqn/ZuKWM/OdpxT/cn2xwLDhkdmqP/pUqAzvyFPyd4kTqrmLfbohBwA7+07pBVa4qf/jxlHivdMNUD72H+dUYqBlmhCC6l3eG+8FZi2tkdwn8kUoa9kyLMtrEaFnOd/oUQbmNvIDp+8VWv1cSnRJ8UXKdXLl0smpvC7h1K2AUiC5oGIYQTCYWwYRM1wCbb+q1fbFCdkbI7OQW/h7Pj30eLpIuz0bJj4vdKXXZHK8clSdTMAFm6rQsNDI0w7QdCgaDmTn3b6TF2UJi4eDnh7uDbSpUd1mI5XWNw4C6WrUmebFLfiry6vqdiIc=
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 2 . IN OPT 32768
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDNSKEY
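Review bot: The added RRSIG lines are byte-identical to the existing ones because the harness masks `[expiry] [inception] [keytag]`, so this expectation only proves that a second signature over CDS and CDNSKEY exists, not that it was produced by the KSK the commit title promises; the same applies to the two lines added in the second hunk of this file. If the harness can leave the key tag visible or compare it against the tag published in the CDS rdata (54319 in the records above), the fixture would become a real check of the KSK requirement; otherwise a unit test asserting the flags of the signing key would be the place to cover it.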
@@ -13,6 +15,8 @@ Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDNSKEY
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 1 a28ebe791e9cc7f4c2821131be367326ddd7434c
 0 secure-delegated.dnssec-parent.com. IN CDS 86400 54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0 secure-delegated.dnssec-parent.com. IN RRSIG 86400 CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0 cdnskey-cds-test.com. IN CDS 86400
 0 cdnskey-cds-test.com. IN CDS 86400
--
2.50.0