zonemd: option to systematicly remove

0019aabb · Libor Peltan · Daniel Salzman · e9963d2a · 0019aabb · 0019aabb
Commit 0019aabb authored 3 years ago by Libor Peltan Committed by Daniel Salzman 3 years ago
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -1672,7 +1672,7 @@ zone:
    dnssec\-validation: BOOL
    dnssec\-policy: policy_id
    zonemd\-verify: BOOL
-    zonemd\-generate: none | zonemd\-sha384 | zonemd\-sha512
+    zonemd\-generate: none | zonemd\-sha384 | zonemd\-sha512 | remove
    serial\-policy: increment | unixtime | dateserial
    refresh\-min\-interval: TIME
    refresh\-max\-interval: TIME
@@ -1971,6 +1971,8 @@ Possible values:
 \fBzonemd\-sha384\fP – Generate ZONEMD using SHA384 algorithm.
 .IP \(bu 2
 \fBzonemd\-sha512\fP – Generate ZONEMD using SHA512 algorithm.
+.IP \(bu 2
+\fBremove\fP – Remove any ZONEMD from the zone apex.
 .UNINDENT
 .sp
 \fIDefault:\fP none

--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -1801,7 +1801,7 @@ Definition of zones served by the server.
     dnssec-validation: BOOL
     dnssec-policy: policy_id
     zonemd-verify: BOOL
-     zonemd-generate: none | zonemd-sha384 | zonemd-sha512
+     zonemd-generate: none | zonemd-sha384 | zonemd-sha512 | remove
     serial-policy: increment | unixtime | dateserial
     refresh-min-interval: TIME
     refresh-max-interval: TIME
@@ -2118,6 +2118,7 @@ Possible values:
 - ``none`` – No action regarding ZONEMD.
 - ``zonemd-sha384`` – Generate ZONEMD using SHA384 algorithm.
 - ``zonemd-sha512`` – Generate ZONEMD using SHA512 algorithm.
+- ``remove`` – Remove any ZONEMD from the zone apex.

 *Default:* none


--- a/src/knot/conf/schema.c
+++ b/src/knot/conf/schema.c
@@ -128,6 +128,7 @@ static const knot_lookup_t zone_digest[] = {
 	{ ZONE_DIGEST_NONE,   "none" },
 	{ ZONE_DIGEST_SHA384, "zonemd-sha384" },
 	{ ZONE_DIGEST_SHA512, "zonemd-sha512" },
+	{ ZONE_DIGEST_REMOVE, "remove" },
 	{ 0, NULL }
 };


--- a/src/knot/conf/schema.h
+++ b/src/knot/conf/schema.h
@@ -200,6 +200,7 @@ enum {
 	ZONE_DIGEST_NONE   = 0,
 	ZONE_DIGEST_SHA384 = 1,
 	ZONE_DIGEST_SHA512 = 2,
+	ZONE_DIGEST_REMOVE = 255,
 };

 enum {

--- a/src/knot/zone/digest.c
+++ b/src/knot/zone/digest.c
@@ -173,13 +173,18 @@ static int verify_zonemd(const knot_rdata_t *zonemd, const zone_contents_t *cont
 	return ret;
 }

-bool zone_contents_digest_exists(const zone_contents_t *contents, uint8_t alg, bool no_verify)
+bool zone_contents_digest_exists(const zone_contents_t *contents, int alg, bool no_verify)
 {
 	if (alg == 0) {
 		return true;
 	}

 	knot_rdataset_t *zonemd = node_rdataset(contents->apex, KNOT_RRTYPE_ZONEMD);
+
+	if (alg == ZONE_DIGEST_REMOVE) {
+		return (zonemd == NULL || zonemd->count == 0);
+	}
+
 	if (zonemd == NULL || zonemd->count != 1 || knot_zonemd_algorithm(zonemd->rdata) != alg) {
 		return false;
 	}
@@ -252,6 +257,9 @@ int zone_update_add_digest(struct zone_update *update, int algorithm, bool place
 	size_t dsize = 0;

 	knot_rrset_t exists = node_rrset(update->new_cont->apex, KNOT_RRTYPE_ZONEMD);
+	if (algorithm == ZONE_DIGEST_REMOVE) {
+		return zone_update_remove(update, &exists);
+	}
 	if (placeholder) {
 		if (!knot_rrset_empty(&exists) &&
 		    !check_duplicate_schalg(&exists.rrs, exists.rrs.count,

--- a/src/knot/zone/digest.h
+++ b/src/knot/zone/digest.h
@@ -34,11 +34,13 @@ int zone_contents_digest(const zone_contents_t *contents, int algorithm,
 /*!
 * \brief Check whether exactly one ZONEMD exists in the zone, is valid and matches given algorithm.
 *
+ * \note Special value 255 of algorithm means that ZONEMD shall not exist.
+ *
 * \param contents   Zone contents to be verified.
 * \param alg        Required algorithm of the ZONEMD.
 * \param no_verify  Don't verify the validness of the digest in ZONEMD.
 */
-bool zone_contents_digest_exists(const zone_contents_t *contents, uint8_t alg, bool no_verify);
+bool zone_contents_digest_exists(const zone_contents_t *contents, int alg, bool no_verify);

 /*!
 * \brief Verify zone dgest in ZONEMD record.
@@ -63,6 +65,8 @@ struct zone_update;
 * \param algorithm     ZONEMD algorithm.
 * \param placeholder   Don't calculate, just put placeholder (if ZONEMD not yet present).
 *
+ * \note Special value 255 of algorithm means to remove ZONEMD.
+ *
 * \return KNOT_E*
 */
 int zone_update_add_digest(struct zone_update *update, int algorithm, bool placeholder);
--- a/tests-extra/tests/zone/zonemd_flush/test.py
+++ b/tests-extra/tests/zone/zonemd_flush/test.py
@@ -14,9 +14,11 @@ def has_zonemd(server, zone, alg):
    with open(zfn) as zf:
        for line in zf:
            rr = line.split()
+            if rr[0].lower() == zone.name.lower() and rr[2] == "ZONEMD" and str(alg) == "255":
+                return False
            if rr[0].lower() == zone.name.lower() and rr[2] == "ZONEMD" and rr[5] == alg:
                return True
-    return False
+    return (str(alg) == "255")

 def check_zonemd(server, zone, alg):
    t.sleep(2)
@@ -97,4 +99,19 @@ master.ctl("zone-reload")
 check_serial_incr(slave, zone, serial, 2, "ZF reload")
 check_zonemd(master, zone, "2")

+slave.zonemd_verify = False
+slave.gen_confile()
+slave.reload()
+
+master.zonemd_generate = "none"
+master.gen_confile()
+master.reload()
+check_zonemd(master, zone, "2")
+
+master.zonemd_generate = "remove"
+master.gen_confile()
+master.reload()
+check_serial_incr(slave, zone, serial, 1, "ZONEMD remove")
+check_zonemd(master, zone, "255")
+
 t.end()