Commit b0da0e11 authored by Jan Hák, committed by Daniel Salzman
knotd: check that DS record is not at zone apex

parent bda8dc7c
......@@ -2112,6 +2112,8 @@ DNAME record having a record under it (\fI\%RFC 6672\fP)
Multiple DNAME records with the same owner exist (\fI\%RFC 6672\fP)
.IP \(bu 2
NS record exists together with a DNAME record (\fI\%RFC 6672\fP)
.IP \(bu 2
DS record exists at the zone apex (\fI\%RFC 3658\fP)
.UNINDENT
.sp
Extra checks:
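Review bot: this man-page text is the rendered form of the reStructuredText entry added elsewhere in this commit (`:rfc:\`3658\`` shows up here as `\fI\%RFC 3658\fP`), so the file looks generated; make sure it was regenerated from the .rst rather than hand-edited, otherwise the two copies will drift the next time the documentation is built.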
......@@ -2125,6 +2127,8 @@ Invalid DS or NSEC3PARAM record
.IP \(bu 2
CDS or CDNSKEY inconsistency
.IP \(bu 2
DS record exists at a non\-delegation point (\fI\%RFC 3658\fP)
.IP \(bu 2
All other DNSSEC checks executed during \fI\%dnssec\-validation\fP
.UNINDENT
.sp
......
......@@ -2320,6 +2320,7 @@ Mandatory checks affected by the soft mode:
- DNAME record having a record under it (:rfc:`6672`)
- Multiple DNAME records with the same owner exist (:rfc:`6672`)
- NS record exists together with a DNAME record (:rfc:`6672`)
- DS record exists at the zone apex (:rfc:`3658`)
Extra checks:
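Review bot: RFC 3658 has been obsoleted by RFC 4033, 4034 and 4035; the current statement that a DS RRset must not appear at a zone's apex is in RFC 4035, Section 2.4, so the citation on this new list item (and on the matching "non-delegation point" item under Extra checks) should probably be `:rfc:\`4035\`` instead.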
......@@ -2327,6 +2328,7 @@ Extra checks:
- Missing glue A or AAAA record
- Invalid DS or NSEC3PARAM record
- CDS or CDNSKEY inconsistency
- DS record exists at a non-delegation point (:rfc:`3658`)
- All other DNSSEC checks executed during :ref:`zone_dnssec-validation`
.. NOTE::
......
......@@ -68,6 +68,10 @@ static const char *error_messages[SEM_ERR_UNKNOWN + 1] = {
"invalid algorithm in DS",
[SEM_ERR_DS_RDATA_DIGLEN] =
"invalid digest length in DS",
[SEM_ERR_DS_APEX] =
"DS at the zone apex",
[SEM_ERR_DS_NONDELEG] =
"DS at non-delegation point",
[SEM_ERR_DNSKEY_NONE] =
"missing DNSKEY",
......@@ -132,7 +136,7 @@ static const struct check_function CHECK_FUNCTIONS[] = {
{ check_cname, MANDATORY | SOFT },
{ check_dname, MANDATORY | SOFT },
{ check_delegation, MANDATORY | SOFT }, // mandatory for apex, optional for others
{ check_ds, OPTIONAL },
{ check_ds, MANDATORY | SOFT }, // mandatory for apex, optional for others
{ check_nsec3param, DNSSEC },
{ check_submission, DNSSEC },
};
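Review bot: with `OPTIONAL` dropped from the `check_ds` entry, whether the non-apex part of the check runs is now decided inside `check_ds` by its own `data->level & OPTIONAL` test, the same idiom the unchanged `check_delegation` line above relies on; the trailing comment is helpful, but it would be clearer if it also said that the apex case is reported as an error and the non-delegation case only as a warning, since nothing in this table distinguishes the two.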
......@@ -315,6 +319,23 @@ static int check_ds(const zone_node_t *node, semchecks_data_t *data)
return KNOT_EOK;
}
if (data->zone->apex == node) {
data->handler->error = true;
data->handler->cb(data->handler, data->zone, node->owner,
SEM_ERR_DS_APEX, NULL);
return KNOT_EOK;
}
if (!(data->level & OPTIONAL)) {
return KNOT_EOK;
}
if (!(node->flags & NODE_FLAGS_DELEG)) {
data->handler->cb(data->handler, data->zone, node->owner,
SEM_ERR_DS_NONDELEG, NULL);
return KNOT_EOK;
}
for (int i = 0; i < dss->count; i++) {
knot_rdata_t *ds = knot_rdataset_at(dss, i);
uint16_t keytag = knot_ds_key_tag(ds);
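Review bot: the `SEM_ERR_DS_NONDELEG` branch calls `cb()` without setting `data->handler->error = true`, unlike the apex branch directly above it; that is consistent with "optional for others" in the registration table, but a short comment on that line would stop it being read as an omission. Also, the `NODE_FLAGS_DELEG` test reports a DS on every non-delegation node that reaches it, which includes nodes below a delegation point; the early return preceding this hunk is not visible here, so confirm that non-authoritative (occluded) nodes are already filtered out before it, otherwise a DS in glue-side data would be reported as a non-delegation DS rather than ignored.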
......
......@@ -60,6 +60,8 @@ typedef enum {
SEM_ERR_DS_RDATA_ALG,
SEM_ERR_DS_RDATA_DIGLEN,
SEM_ERR_DS_APEX,
SEM_ERR_DS_NONDELEG,
SEM_ERR_DNSKEY_NONE,
SEM_ERR_DNSKEY_INVALID,
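Review bot: inserting `SEM_ERR_DS_APEX` and `SEM_ERR_DS_NONDELEG` mid-enum renumbers every enumerator from `SEM_ERR_DNSKEY_NONE` onward; that is safe for `error_messages[]`, which uses designated initializers, but it is worth checking that no other code or log consumer depends on the numeric values of the later entries.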
......