version 1.5, 2019/04/28 00:01:14 |
version 1.6, 2019/09/05 19:32:58 |
|
|
#include <isc/print.h> |
#include <isc/print.h> |
#include <isc/region.h> |
#include <isc/region.h> |
#include <isc/result.h> |
#include <isc/result.h> |
|
#include <isc/siphash.h> |
#include <isc/sockaddr.h> |
#include <isc/sockaddr.h> |
#include <isc/string.h> |
#include <isc/string.h> |
#include <isc/symtab.h> |
#include <isc/symtab.h> |
|
|
#include <dns/acl.h> |
#include <dns/acl.h> |
#include <dns/dnstap.h> |
#include <dns/dnstap.h> |
#include <dns/fixedname.h> |
#include <dns/fixedname.h> |
|
#include <dns/rbt.h> |
#include <dns/rdataclass.h> |
#include <dns/rdataclass.h> |
#include <dns/rdatatype.h> |
#include <dns/rdatatype.h> |
#include <dns/rrl.h> |
#include <dns/rrl.h> |
Line 530 check_dns64(cfg_aclconfctx_t *actx, cons |
|
Line 532 check_dns64(cfg_aclconfctx_t *actx, cons |
|
continue; |
continue; |
} |
} |
|
|
|
if (na.type.in6.s6_addr[8] != 0) { |
|
cfg_obj_log(map, logctx, ISC_LOG_WARNING, |
|
"warning: invalid prefix, bits [64..71] " |
|
"must be zero"); |
|
} |
|
|
if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 && |
if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 && |
prefixlen != 56 && prefixlen != 64 && prefixlen != 96) { |
prefixlen != 56 && prefixlen != 64 && prefixlen != 96) { |
cfg_obj_log(map, logctx, ISC_LOG_ERROR, |
cfg_obj_log(map, logctx, ISC_LOG_ERROR, |
Line 860 check_options(const cfg_obj_t *options, |
|
Line 868 check_options(const cfg_obj_t *options, |
|
dns_name_t *name; |
dns_name_t *name; |
isc_buffer_t b; |
isc_buffer_t b; |
uint32_t lifetime = 3600; |
uint32_t lifetime = 3600; |
const char *ccalg = "aes"; |
const char *ccalg = "siphash24"; |
|
|
/* |
/* |
* { "name", scale, value } |
* { "name", scale, value } |
Line 1354 check_options(const cfg_obj_t *options, |
|
Line 1362 check_options(const cfg_obj_t *options, |
|
if (strcasecmp(ccalg, "aes") == 0 && |
if (strcasecmp(ccalg, "aes") == 0 && |
usedlength != ISC_AES128_KEYLENGTH) { |
usedlength != ISC_AES128_KEYLENGTH) { |
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, |
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, |
"AES cookie-secret must be " |
"AES cookie-secret must be 128 bits"); |
"128 bits"); |
if (result == ISC_R_SUCCESS) |
|
result = ISC_R_RANGE; |
|
} |
|
if (strcasecmp(ccalg, "siphash24") == 0 && |
|
usedlength != ISC_SIPHASH24_KEY_LENGTH) { |
|
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, |
|
"SipHash-2-4 cookie-secret must be 128 bits"); |
if (result == ISC_R_SUCCESS) |
if (result == ISC_R_SUCCESS) |
result = ISC_R_RANGE; |
result = ISC_R_RANGE; |
} |
} |
Line 1472 check_options(const cfg_obj_t *options, |
|
Line 1486 check_options(const cfg_obj_t *options, |
|
result = ISC_R_FAILURE; |
result = ISC_R_FAILURE; |
} |
} |
} |
} |
|
} else { |
|
(void) cfg_map_get(options, "dnstap", &obj); |
|
if (obj != NULL) { |
|
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, |
|
"'dnstap-output' must be set if 'dnstap' " |
|
"is set"); |
|
if (result == ISC_R_SUCCESS) { |
|
result = ISC_R_FAILURE; |
|
} |
|
} |
} |
} |
#endif |
#endif |
|
|
Line 3267 check_trusted_key(const cfg_obj_t *key, |
|
Line 3291 check_trusted_key(const cfg_obj_t *key, |
|
return (result); |
return (result); |
} |
} |
|
|
|
/* |
|
* Check for conflicts between trusted-keys and managed-keys. |
|
*/ |
|
static isc_result_t |
|
check_ta_conflicts(const cfg_obj_t *mkeys, const cfg_obj_t *tkeys, |
|
bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx) |
|
{ |
|
isc_result_t result = ISC_R_SUCCESS, tresult; |
|
const cfg_listelt_t *elt = NULL, *elt2 = NULL; |
|
dns_fixedname_t fixed; |
|
dns_name_t *name; |
|
const cfg_obj_t *obj; |
|
const char *str; |
|
isc_symtab_t *symtab = NULL; |
|
isc_symvalue_t symvalue; |
|
char namebuf[DNS_NAME_FORMATSIZE]; |
|
const char *file; |
|
unsigned int line; |
|
|
|
name = dns_fixedname_initname(&fixed); |
|
|
|
result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab); |
|
if (result != ISC_R_SUCCESS) { |
|
goto cleanup; |
|
} |
|
|
|
for (elt = cfg_list_first(mkeys); |
|
elt != NULL; |
|
elt = cfg_list_next(elt)) |
|
{ |
|
const cfg_obj_t *keylist = cfg_listelt_value(elt); |
|
for (elt2 = cfg_list_first(keylist); |
|
elt2 != NULL; |
|
elt2 = cfg_list_next(elt2)) |
|
{ |
|
obj = cfg_listelt_value(elt2); |
|
str = cfg_obj_asstring(cfg_tuple_get(obj, "name")); |
|
tresult = dns_name_fromstring(name, str, 0, NULL); |
|
if (tresult != ISC_R_SUCCESS) { |
|
/* already reported */ |
|
continue; |
|
} |
|
|
|
dns_name_format(name, namebuf, sizeof(namebuf)); |
|
symvalue.as_cpointer = obj; |
|
tresult = isc_symtab_define(symtab, namebuf, 1, |
|
symvalue, |
|
isc_symexists_reject); |
|
if (tresult != ISC_R_SUCCESS && |
|
tresult != ISC_R_EXISTS) |
|
{ |
|
result = tresult; |
|
continue; |
|
} |
|
} |
|
} |
|
|
|
for (elt = cfg_list_first(tkeys); |
|
elt != NULL; |
|
elt = cfg_list_next(elt)) |
|
{ |
|
const cfg_obj_t *keylist = cfg_listelt_value(elt); |
|
for (elt2 = cfg_list_first(keylist); |
|
elt2 != NULL; |
|
elt2 = cfg_list_next(elt2)) |
|
{ |
|
obj = cfg_listelt_value(elt2); |
|
str = cfg_obj_asstring(cfg_tuple_get(obj, "name")); |
|
result = dns_name_fromstring(name, str, 0, NULL); |
|
if (result != ISC_R_SUCCESS) { |
|
/* already reported */ |
|
continue; |
|
} |
|
|
|
if (autovalidation && |
|
dns_name_equal(name, dns_rootname)) |
|
{ |
|
cfg_obj_log(obj, logctx, ISC_LOG_WARNING, |
|
"WARNING: " |
|
"trusted-keys for root zone " |
|
"used with " |
|
"'dnssec-validation auto'. " |
|
"KEY ROLLOVERS WILL FAIL."); |
|
continue; |
|
} |
|
|
|
dns_name_format(name, namebuf, sizeof(namebuf)); |
|
tresult = isc_symtab_lookup(symtab, namebuf, 1, |
|
&symvalue); |
|
if (tresult == ISC_R_SUCCESS) { |
|
file = cfg_obj_file(symvalue.as_cpointer); |
|
line = cfg_obj_line(symvalue.as_cpointer); |
|
if (file == NULL) { |
|
file = "<unknown file>"; |
|
} |
|
cfg_obj_log(obj, logctx, ISC_LOG_WARNING, |
|
"WARNING: " |
|
"trusted-keys and managed-keys " |
|
"are both used for the " |
|
"name '%s'. " |
|
"KEY ROLLOVERS WILL FAIL. " |
|
"managed-key defined " |
|
"(%s:%u)", str, file, line); |
|
} |
|
} |
|
} |
|
|
|
cleanup: |
|
if (symtab != NULL) { |
|
isc_symtab_destroy(&symtab); |
|
} |
|
return (result); |
|
} |
|
|
typedef enum { |
typedef enum { |
special_zonetype_rpz, |
special_zonetype_rpz, |
special_zonetype_catz |
special_zonetype_catz |
Line 3408 check_viewconf(const cfg_obj_t *config, |
|
Line 3546 check_viewconf(const cfg_obj_t *config, |
|
isc_log_t *logctx, isc_mem_t *mctx) |
isc_log_t *logctx, isc_mem_t *mctx) |
{ |
{ |
const cfg_obj_t *zones = NULL; |
const cfg_obj_t *zones = NULL; |
const cfg_obj_t *keys = NULL; |
const cfg_obj_t *keys = NULL, *tkeys = NULL, *mkeys = NULL; |
#ifndef HAVE_DLOPEN |
#ifndef HAVE_DLOPEN |
const cfg_obj_t *dyndb = NULL; |
const cfg_obj_t *dyndb = NULL; |
#endif |
#endif |
Line 3422 check_viewconf(const cfg_obj_t *config, |
|
Line 3560 check_viewconf(const cfg_obj_t *config, |
|
const cfg_obj_t *opts = NULL; |
const cfg_obj_t *opts = NULL; |
const cfg_obj_t *plugin_list = NULL; |
const cfg_obj_t *plugin_list = NULL; |
bool enablednssec, enablevalidation; |
bool enablednssec, enablevalidation; |
|
bool autovalidation = false; |
const char *valstr = "no"; |
const char *valstr = "no"; |
unsigned int tflags, mflags; |
unsigned int tflags, mflags; |
|
|
Line 3610 check_viewconf(const cfg_obj_t *config, |
|
Line 3749 check_viewconf(const cfg_obj_t *config, |
|
/* |
/* |
* Check trusted-keys and managed-keys. |
* Check trusted-keys and managed-keys. |
*/ |
*/ |
keys = NULL; |
tkeys = NULL; |
if (voptions != NULL) |
if (voptions != NULL) |
(void)cfg_map_get(voptions, "trusted-keys", &keys); |
(void)cfg_map_get(voptions, "trusted-keys", &tkeys); |
if (keys == NULL) |
if (tkeys == NULL) |
(void)cfg_map_get(config, "trusted-keys", &keys); |
(void)cfg_map_get(config, "trusted-keys", &tkeys); |
|
|
tflags = 0; |
tflags = 0; |
for (element = cfg_list_first(keys); |
for (element = cfg_list_first(tkeys); |
element != NULL; |
element != NULL; |
element = cfg_list_next(element)) |
element = cfg_list_next(element)) |
{ |
{ |
Line 3634 check_viewconf(const cfg_obj_t *config, |
|
Line 3773 check_viewconf(const cfg_obj_t *config, |
|
} |
} |
|
|
if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) { |
if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) { |
cfg_obj_log(keys, logctx, ISC_LOG_WARNING, |
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING, |
"trusted-key for root from 2010 without updated " |
"trusted-key for root from 2010 without updated " |
"trusted-key from 2017: THIS WILL FAIL AFTER " |
"trusted-key from 2017: THIS WILL FAIL AFTER " |
"KEY ROLLOVER"); |
"KEY ROLLOVER"); |
} |
} |
|
|
if ((tflags & DLV_KSK_KEY) != 0) { |
if ((tflags & DLV_KSK_KEY) != 0) { |
cfg_obj_log(keys, logctx, ISC_LOG_WARNING, |
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING, |
"trusted-key for dlv.isc.org still present; " |
"trusted-key for dlv.isc.org still present; " |
"dlv.isc.org has been shut down"); |
"dlv.isc.org has been shut down"); |
} |
} |
|
|
keys = NULL; |
mkeys = NULL; |
if (voptions != NULL) |
if (voptions != NULL) |
(void)cfg_map_get(voptions, "managed-keys", &keys); |
(void)cfg_map_get(voptions, "managed-keys", &mkeys); |
if (keys == NULL) |
if (mkeys == NULL) |
(void)cfg_map_get(config, "managed-keys", &keys); |
(void)cfg_map_get(config, "managed-keys", &mkeys); |
|
|
mflags = 0; |
mflags = 0; |
for (element = cfg_list_first(keys); |
for (element = cfg_list_first(mkeys); |
element != NULL; |
element != NULL; |
element = cfg_list_next(element)) |
element = cfg_list_next(element)) |
{ |
{ |
const cfg_obj_t *keylist = cfg_listelt_value(element); |
const cfg_obj_t *keylist = cfg_listelt_value(element); |
for (element2 = cfg_list_first(keylist); |
for (element2 = cfg_list_first(keylist); |
element2 != NULL; |
element2 != NULL; |
element2 = cfg_list_next(element2)) { |
element2 = cfg_list_next(element2)) |
|
{ |
obj = cfg_listelt_value(element2); |
obj = cfg_listelt_value(element2); |
tresult = check_trusted_key(obj, true, &mflags, |
tresult = check_trusted_key(obj, true, &mflags, |
logctx); |
logctx); |
Line 3670 check_viewconf(const cfg_obj_t *config, |
|
Line 3810 check_viewconf(const cfg_obj_t *config, |
|
} |
} |
|
|
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) { |
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) { |
cfg_obj_log(keys, logctx, ISC_LOG_WARNING, |
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, |
"managed-key for root from 2010 without updated " |
"managed-key for root from 2010 without updated " |
"managed-key from 2017"); |
"managed-key from 2017"); |
} |
} |
|
|
if ((mflags & DLV_KSK_KEY) != 0) { |
if ((mflags & DLV_KSK_KEY) != 0) { |
cfg_obj_log(keys, logctx, ISC_LOG_WARNING, |
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, |
"managed-key for dlv.isc.org still present; " |
"managed-key for dlv.isc.org still present; " |
"dlv.isc.org has been shut down"); |
"dlv.isc.org has been shut down"); |
} |
} |
Line 3684 check_viewconf(const cfg_obj_t *config, |
|
Line 3824 check_viewconf(const cfg_obj_t *config, |
|
if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 && |
if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 && |
(mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0) |
(mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0) |
{ |
{ |
cfg_obj_log(keys, logctx, ISC_LOG_WARNING, |
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, |
"both trusted-keys and managed-keys for the ICANN " |
"both trusted-keys and managed-keys for the ICANN " |
"root are present"); |
"root are present"); |
} |
} |
|
|
|
obj = NULL; |
|
if (voptions != NULL) { |
|
(void)cfg_map_get(voptions, "dnssec-validation", &obj); |
|
} |
|
if (obj == NULL && options != NULL) { |
|
(void)cfg_map_get(options, "dnssec-validation", &obj); |
|
} |
|
if (obj != NULL && !cfg_obj_isboolean(obj)) { |
|
autovalidation = true; |
|
} |
|
|
|
tresult = check_ta_conflicts(mkeys, tkeys, |
|
autovalidation, mctx, logctx); |
|
if (tresult != ISC_R_SUCCESS) { |
|
result = tresult; |
|
} |
|
|
/* |
/* |
* Check options. |
* Check options. |
*/ |
*/ |