Commit 8d200cce authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: implemented unsafe policy

parent 2ce110e6
......@@ -1071,6 +1071,7 @@ policy:
cds\-cdnskey\-publish: none | delete\-dnssec | rollover | always | double\-ds
cds\-digest\-type: sha256 | sha384
offline\-ksk: BOOL
unsafe\-operation: none | no\-check\-keyset | no\-update\-dnskey | no\-update\-nsec | no\-update\-expired ...
.ft P
.fi
.UNINDENT
......@@ -1390,6 +1391,37 @@ Specify digest type for published CDS records.
Specifies if Offline KSK feature is enabled.
.sp
\fIDefault:\fP off
.SS unsafe\-operation
.sp
Turn off some DNSSEC safety features.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBnone\fP – Nothing disabled.
.IP \(bu 2
\fBno\-check\-keyset\fP – Don\(aqt check active keys in present algorithms. This may
lead to violation of \fI\%RFC 4035#section\-2.2\fP\&.
.IP \(bu 2
\fBno\-update\-dnskey\fP – Don\(aqt maintain/update DNSKEY, CDNSKEY, and CDS records
in the zone apex according to KASP database. Juste leave them as they are in the zone.
.IP \(bu 2
\fBno\-update\-nsec\fP – Don\(aqt maintain/update NSEC/NSEC3 chain. Leave all the records
as they are in the zone.
.IP \(bu 2
\fBno\-update\-expired\fP – Don\(aqt update expired RRSIGs.
.UNINDENT
.sp
Multiple values may be specified.
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
This mode is intended for DNSSEC experts who understand the corresponding consequences.
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP none
.SH TEMPLATE SECTION
.sp
A template is shareable zone settings, which can simplify configuration by
......
......@@ -1178,6 +1178,7 @@ DNSSEC policy configuration.
cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
cds-digest-type: sha256 | sha384
offline-ksk: BOOL
unsafe-operation: none | no-check-keyset | no-update-dnskey | no-update-nsec | no-update-expired ...
.. _policy_id:
......@@ -1535,6 +1536,31 @@ Specifies if :ref:`Offline KSK <DNSSEC Offline KSK>` feature is enabled.
*Default:* off
.. _policy_unsafe-operation:
unsafe-operation
----------------
Turn off some DNSSEC safety features.
Possible values:
- ``none`` – Nothing disabled.
- ``no-check-keyset`` – Don't check active keys in present algorithms. This may
lead to violation of :rfc:`4035#section-2.2`.
- ``no-update-dnskey`` – Don't maintain/update DNSKEY, CDNSKEY, and CDS records
in the zone apex according to KASP database. Juste leave them as they are in the zone.
- ``no-update-nsec`` – Don't maintain/update NSEC/NSEC3 chain. Leave all the records
as they are in the zone.
- ``no-update-expired`` – Don't update expired RRSIGs.
Multiple values may be specified.
.. WARNING::
This mode is intended for DNSSEC experts who understand the corresponding consequences.
*Default:* none
.. _Template section:
Template section
......
......@@ -72,6 +72,15 @@ static const knot_lookup_t dnssec_key_algs[] = {
{ 0, NULL }
};
static const knot_lookup_t unsafe_operation[] = {
{ UNSAFE_NONE, "none" },
{ UNSAFE_KEYSET, "no-check-keyset" },
{ UNSAFE_DNSKEY, "no-update-dnskey" },
{ UNSAFE_NSEC, "no-update-nsec" },
{ UNSAFE_EXPIRED, "no-update-expired" },
{ 0, NULL }
};
static const knot_lookup_t cds_cdnskey[] = {
{ CDS_CDNSKEY_NONE, "none" },
{ CDS_CDNSKEY_EMPTY, "delete-dnssec" },
......@@ -352,6 +361,7 @@ static const yp_item_t desc_policy[] = {
{ C_CDS_CDNSKEY, YP_TOPT, YP_VOPT = { cds_cdnskey, CDS_CDNSKEY_ROLLOVER } },
{ C_CDS_DIGESTTYPE, YP_TOPT, YP_VOPT = { cds_digesttype, DNSSEC_KEY_DIGEST_SHA256 } },
{ C_OFFLINE_KSK, YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
{ C_UNSAFE_OPERATION, YP_TOPT, YP_VOPT = { unsafe_operation, UNSAFE_NONE }, YP_FMULTI },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......
......@@ -126,6 +126,7 @@
#define C_UDP_MAX_PAYLOAD_IPV4 "\x14""udp-max-payload-ipv4"
#define C_UDP_MAX_PAYLOAD_IPV6 "\x14""udp-max-payload-ipv6"
#define C_UDP_WORKERS "\x0B""udp-workers"
#define C_UNSAFE_OPERATION "\x10""unsafe-operation"
#define C_UPDATE_OWNER "\x0C""update-owner"
#define C_UPDATE_OWNER_MATCH "\x12""update-owner-match"
#define C_UPDATE_OWNER_NAME "\x11""update-owner-name"
......@@ -162,6 +163,14 @@ enum {
KEYSTORE_BACKEND_PKCS11 = 2,
};
enum {
UNSAFE_NONE = 0,
UNSAFE_KEYSET = (1 << 0),
UNSAFE_DNSKEY = (1 << 1),
UNSAFE_NSEC = (1 << 2),
UNSAFE_EXPIRED = (1 << 3),
};
enum {
CDS_CDNSKEY_NONE = 0,
CDS_CDNSKEY_EMPTY = 1,
......
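Review bot: The new UNSAFE_* enum is a bit set — every member is a distinct single bit and policy_load ORs them into policy->unsafe elsewhere in this commit — but nothing in the header says so, while the neighbouring enums (KEYSTORE_BACKEND_*, CDS_CDNSKEY_*) are plain sequential values, so a later member that is not a power of two would silently overlap existing flags. A comment above the enum would pin the invariant: `/* Bit flags combined into knot_kasp_policy_t.unsafe; each member must stay a distinct single bit. */`. The `unsigned unsafe;` field added to the kasp policy struct could carry the matching `/* bit set of UNSAFE_* flags */`.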
......@@ -133,6 +133,13 @@ static void policy_load(knot_kasp_policy_t *policy, conf_val_t *id)
val = conf_id_get(conf(), C_POLICY, C_OFFLINE_KSK, id);
policy->offline_ksk = conf_bool(&val);
policy->unsafe = 0;
val = conf_id_get(conf(), C_POLICY, C_UNSAFE_OPERATION, id);
while (val.code == KNOT_EOK) {
policy->unsafe |= conf_opt(&val);
conf_val_next(&val);
}
}
int kdnssec_ctx_init(conf_t *conf, kdnssec_ctx_t *ctx, const knot_dname_t *zone_name,
......
......@@ -125,5 +125,6 @@ typedef struct {
parent_dynarray_t parents;
uint16_t signing_threads;
bool offline_ksk;
unsigned unsafe;
} knot_kasp_policy_t;
// TODO make the time parameters knot_timediff_t ??
......@@ -377,7 +377,8 @@ int knot_check_signature(const knot_rrset_t *covered,
// consider signature invalid even if validity ends in refresh - in order to refresh it soon enough
knot_timediff_t refresh = dnssec_ctx->policy->rrsig_refresh_before +
dnssec_ctx->policy->rrsig_prerefresh;
if (is_expired_signature(rrsig, dnssec_ctx->now, refresh)) {
if (!(dnssec_ctx->policy->unsafe & UNSAFE_EXPIRED) &&
is_expired_signature(rrsig, dnssec_ctx->now, refresh)) {
return DNSSEC_INVALID_SIGNATURE;
}
......
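Review bot: The comment above the expiry test still says the signature is treated as invalid when its validity ends inside the refresh window, but the new condition skips is_expired_signature() altogether when UNSAFE_EXPIRED is set, so a signature that is already past its expiration is then reported valid as well, not only one approaching refresh. Extend the comment so the bypass is visible at the call site: `// no-update-expired disables this test entirely: even already-expired RRSIGs are reported valid and left in place`. If knot_check_signature is also reached from paths other than the re-sign decision, the bypass would widen beyond the documented "Don't update expired RRSIGs" — worth confirming from the callers, which are outside this hunk. The function starts and ends outside the hunk.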
......@@ -311,6 +311,10 @@ static bool is_nsec3_allowed(uint8_t algorithm)
static int walk_algorithms(kdnssec_ctx_t *ctx, zone_keyset_t *keyset)
{
if (ctx->policy->unsafe & UNSAFE_KEYSET) {
return KNOT_EOK;
}
uint8_t alg_usage[256] = { 0 };
bool have_active_alg = false;
......
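Review bot: The early return added at the top of walk_algorithms reports KNOT_EOK without any trace that the keyset check was deliberately skipped, and the same silent-success shape is repeated in knot_zone_create_nsec_chain, knot_zone_fix_nsec_chain and knot_zone_sign_update_dnskeys in this commit. A one-line comment at each site would make the intent explicit, e.g. `/* no-check-keyset: skip per-algorithm active-key validation (RFC 4035 section 2.2 may be violated) */` here, with matching `/* no-update-nsec: leave the existing chain untouched */` and `/* no-update-dnskey: leave apex DNSKEY/CDNSKEY/CDS as they are */` on the others. Whether anything downstream still depends on side effects of the skipped walk is worth confirming, since the rest of the body is outside the hunk. walk_algorithms continues past the end of the hunk.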
......@@ -318,6 +318,10 @@ int knot_zone_create_nsec_chain(zone_update_t *update, const kdnssec_ctx_t *ctx)
return KNOT_EINVAL;
}
if (ctx->policy->unsafe & UNSAFE_NSEC) {
return KNOT_EOK;
}
const knot_rdataset_t *soa = node_rdataset(update->new_cont->apex, KNOT_RRTYPE_SOA);
if (soa == NULL) {
return KNOT_EINVAL;
......@@ -351,6 +355,10 @@ int knot_zone_fix_nsec_chain(zone_update_t *update,
return KNOT_EINVAL;
}
if (ctx->policy->unsafe & UNSAFE_NSEC) {
return KNOT_EOK;
}
const knot_rdataset_t *soa_old = node_rdataset(update->zone->contents->apex, KNOT_RRTYPE_SOA);
const knot_rdataset_t *soa_new = node_rdataset(update->new_cont->apex, KNOT_RRTYPE_SOA);
if (soa_old == NULL || soa_new == NULL) {
......
......@@ -840,6 +840,10 @@ int knot_zone_sign_update_dnskeys(zone_update_t *update,
return KNOT_EINVAL;
}
if (dnssec_ctx->policy->unsafe & UNSAFE_DNSKEY) {
return KNOT_EOK;
}
const zone_node_t *apex = update->new_cont->apex;
knot_rrset_t dnskeys = node_rrset(apex, KNOT_RRTYPE_DNSKEY);
knot_rrset_t cdnskeys = node_rrset(apex, KNOT_RRTYPE_CDNSKEY);
......