Commit 65a9b69e authored by Libor Peltan's avatar Libor Peltan

DDNS: allowed deleting non-apex DNSKEY and NSEC3PARAM records

parent c41dea7e
......@@ -174,6 +174,24 @@ static bool rrset_empty(const knot_rrset_t *rrset)
return false;
}
/*< \brief Returns true if DDNS should deny updating DNSSEC-related record. */
static bool is_dnssec_protected(uint16_t type, bool is_apex)
{
switch (type) {
case KNOT_RRTYPE_RRSIG:
case KNOT_RRTYPE_NSEC:
case KNOT_RRTYPE_NSEC3:
case KNOT_RRTYPE_CDNSKEY:
case KNOT_RRTYPE_CDS:
return true;
case KNOT_RRTYPE_DNSKEY:
case KNOT_RRTYPE_NSEC3PARAM:
return is_apex;
default:
return false;
}
}
/*!< \brief Checks prereq for given packet RR. */
static int process_prereq(const knot_rrset_t *rrset, uint16_t qclass,
zone_update_t *update, uint16_t *rcode,
......@@ -505,13 +523,14 @@ static int process_rem_rrset(const knot_rrset_t *rrset,
const zone_node_t *node,
zone_update_t *update)
{
if (rrset->type == KNOT_RRTYPE_SOA || knot_rrtype_is_dnssec(rrset->type)) {
bool is_apex = node_rrtype_exists(node, KNOT_RRTYPE_SOA);
if (rrset->type == KNOT_RRTYPE_SOA || is_dnssec_protected(rrset->type, is_apex)) {
// Ignore SOA and DNSSEC removals.
return KNOT_EOK;
}
if (node_rrtype_exists(node, KNOT_RRTYPE_SOA) &&
rrset->type == KNOT_RRTYPE_NS) {
if (is_apex && rrset->type == KNOT_RRTYPE_NS) {
// Ignore NS apex RRSet removals.
return KNOT_EOK;
}
......@@ -614,12 +633,13 @@ static int check_update(const knot_rrset_t *rrset, const knot_pkt_t *query,
const knot_dname_t *owner = rrset->owner;
const knot_dname_t *qname = knot_pkt_qname(query);
const bool is_sub = knot_dname_is_sub(owner, qname);
if (!is_sub && !knot_dname_is_equal(owner, qname)) {
const bool is_apex = knot_dname_is_equal(owner, qname);
if (!is_sub && !is_apex) {
*rcode = KNOT_RCODE_NOTZONE;
return KNOT_EOUTOFZONE;
}
if (knot_rrtype_is_dnssec(rrset->type)) {
if (is_dnssec_protected(rrset->type, is_apex)) {
*rcode = KNOT_RCODE_REFUSED;
log_warning("DDNS, refusing to update DNSSEC-related record");
return KNOT_EDENIED;
......
......@@ -515,6 +515,16 @@ def do_refusal_tests(master, zone, dnssec=False):
check_soa(master, prev_soa)
# Add DNSKEY
check_log("non-apex DNSKEY addition")
up = master.update(zone)
up.add("nonapex.ddns.", "3600", "DNSKEY",
"256 3 5 AwEAAbs0AlA6xWQn/lECfGt3S6TaeEmgJfEVVEMh06iNMNWMRHOfbqLF h3N52Ob7trmzlrzGlGLPnAZJvMB8lsFGC5CtaLUBD+4xCh5tl5QifZ+y o+MJvPGlVQI2cs7aMWV9CyFrRmuRcJaSZU2uBz9KFJ955UCq/WIy5KqS 7qaKLzzN")
up.send("NOERROR")
resp = master.dig("nonapex.ddns.", "DNSKEY")
resp.check(rcode="NOERROR",
rdata="256 3 5 AwEAAbs0AlA6xWQn/lECfGt3S6TaeEmgJfEVVEMh06iNMNWMRHOfbqLF h3N52Ob7trmzlrzGlGLPnAZJvMB8lsFGC5CtaLUBD+4xCh5tl5QifZ+y o+MJvPGlVQI2cs7aMWV9CyFrRmuRcJaSZU2uBz9KFJ955UCq/WIy5KqS 7qaKLzzN")
zone = t.zone("ddns.", storage=".")
master_plain = t.server("knot")
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment