You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2020/02/21 19:39:18 UTC
[GitHub] [trafficcontrol] mhoppa opened a new pull request #4430: DNSSEC
refresh breaks on DS if KSK and ZSK both are expired
mhoppa opened a new pull request #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430
<!--
************ STOP!! ************
If this Pull Request is intended to fix a security vulnerability, DO NOT submit it! Instead, contact
the Apache Software Foundation Security Team at security@trafficcontrol.apache.org and follow the
guidelines at https://www.apache.org/security/ regarding vulnerability disclosure.
-->
## What does this PR (Pull Request) do?
<!-- Explain the changes you made here. If this fixes an Issue, identify it by
replacing the text in the checkbox item with the Issue number e.g.
- [x] This PR fixes #9001 OR is not related to any Issue
^ This will automatically close Issue number 9001 when the Pull Request is
merged (The '#' is important).
Be sure you check the box properly, see the "The following criteria are ALL
met by this PR" section for details.
-->
- [x] This PR fixes is not related to any Issue <!-- You can check for an issue here: https://github.com/apache/trafficcontrol/issues -->
## Which Traffic Control components are affected by this PR?
<!-- Please delete all components from this list that are NOT affected by this
Pull Request. Also, feel free to add the name of a tool or script that is
affected but not on the list.
Additionally, if this Pull Request does NOT affect documentation, please
explain why documentation is not required. -->
- Traffic Ops
## What is the best way to verify this PR?
<!-- Please include here ALL the steps necessary to test your Pull Request. If
it includes tests (and most should), outline here the steps needed to run the
tests. If not, lay out the manual testing procedure and please explain why
tests are unnecessary for this Pull Request. -->
Make a call to `cdns/dnsseckeys/refresh` with the given environment having a DNSSEC enabled CDN and HTTP/DNS/STEERING DS with both expired KSK and ZSK keys. Make sure the result is both being updated.
## If this is a bug fix, what versions of Traffic Control are affected?
<!-- If this PR fixes a bug, please list here all of the affected versions - to
the best of your knowledge. It's also pretty helpful to include a commit hash
of where 'master' is at the time this PR is opened (if it affects master),
because what 'master' means will change over time. For example, if this PR
fixes a bug that's present in master (at commit hash '2697ebac'), in v3.0.0,
and in the current 3.0.1 Release candidate (e.g. RC1), then this list would
look like:
- master (2697ebac)
- 3.0.0
- 3.0.1 (RC1)
If you don't know what other versions might have this bug, AND don't know how
to find the commit hash of 'master', then feel free to leave this section
blank (or, preferably, delete it entirely).
-->
master
## The following criteria are ALL met by this PR
<!-- Check the boxes to signify that the associated statement is true. To
"check a box", replace the space inside of the square brackets with an 'x'.
e.g.
- [ x] <- Wrong
- [x ] <- Wrong
- [] <- Wrong
- [*] <- Wrong
- [x] <- Correct!
-->
- [x] This PR includes tests OR I have explained why tests are unnecessary
- [x] This PR includes documentation OR I have explained why documentation is unnecessary
- [x] This PR includes an update to CHANGELOG.md OR such an update is not necessary
- [x] This PR includes any and all required license headers
- [x] This PR ensures that database migration sequence is correct OR this PR does not include a database migration
- [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)
## Additional Information
<!-- If you would like to include any additional information on the PR for
potential reviewers please put it here.
Some examples of this would be:
- Before and after screenshots/gifs of the Traffic Portal if it is affected
- Links to other dependent Pull Requests
- References to relevant context (e.g. new/updates to dependent libraries,
mailing list records, blueprints)
Feel free to leave this section blank (or, preferably, delete it entirely).
-->
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] mhoppa commented on a change in pull request
#4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
Posted by GitBox <gi...@apache.org>.
mhoppa commented on a change in pull request #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430#discussion_r382858114
##########
File path: traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go
##########
@@ -251,6 +251,10 @@ func doDNSSECKeyRefresh(tx *sql.Tx, cfg *config.Config) {
if err != nil {
log.Errorln("refreshing DNSSEC Keys: regenerating expired ZSK keys for ds '" + string(ds.DSName) + "': " + err.Error())
} else {
+ if existingNewKeys, ok := keys[string(ds.DSName)]; ok {
Review comment:
yeah maybe I guess. And yeah the key set is returned but it’s overwritten. I mean we can leave it broken w/ the bug since ideally the next cron run will catch the ksk key as long as the expiration date is bigger than the cron run of the refresh script for the zsk key
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rawlinp merged pull request #4430: DNSSEC refresh
breaks on DS if KSK and ZSK both are expired
Posted by GitBox <gi...@apache.org>.
rawlinp merged pull request #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] mhoppa commented on issue #4430: DNSSEC refresh
breaks on DS if KSK and ZSK both are expired
Posted by GitBox <gi...@apache.org>.
mhoppa commented on issue #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430#issuecomment-589806418
opposite refreshes ZSK but not KSK
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rawlinp commented on a change in pull request
#4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
Posted by GitBox <gi...@apache.org>.
rawlinp commented on a change in pull request #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430#discussion_r382850282
##########
File path: traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go
##########
@@ -251,6 +251,10 @@ func doDNSSECKeyRefresh(tx *sql.Tx, cfg *config.Config) {
if err != nil {
log.Errorln("refreshing DNSSEC Keys: regenerating expired ZSK keys for ds '" + string(ds.DSName) + "': " + err.Error())
} else {
+ if existingNewKeys, ok := keys[string(ds.DSName)]; ok {
Review comment:
So, I'm not entirely convinced this is correct. The `regenExpiredKeys` function is supposed to return the right keyset to put in the `keys` map -- take a look at https://github.com/apache/trafficcontrol/blob/master/traffic_ops/traffic_ops_golang/cdn/genksk.go#L233-L239
We have to be extremely careful with DNSSEC keys, and the existing code _seems_ to match up w/ what the Perl did. Does this mean Perl had this bug? And maybe we just didn't catch it because generally the KSK and ZSK expire at different intervals?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] mhoppa commented on a change in pull request
#4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
Posted by GitBox <gi...@apache.org>.
mhoppa commented on a change in pull request #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430#discussion_r382858114
##########
File path: traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go
##########
@@ -251,6 +251,10 @@ func doDNSSECKeyRefresh(tx *sql.Tx, cfg *config.Config) {
if err != nil {
log.Errorln("refreshing DNSSEC Keys: regenerating expired ZSK keys for ds '" + string(ds.DSName) + "': " + err.Error())
} else {
+ if existingNewKeys, ok := keys[string(ds.DSName)]; ok {
Review comment:
yeah maybe I guess. And yeah the key set is returned but it’s overwritten. I mean we can leave it broken w/ the bug since ideally the next cron run will catch the ksk key as long as the expiration date is bigger then a cron time for the zsk key
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rawlinp commented on issue #4430: DNSSEC refresh
breaks on DS if KSK and ZSK both are expired
Posted by GitBox <gi...@apache.org>.
rawlinp commented on issue #4430: DNSSEC refresh breaks on DS if KSK and ZSK both are expired
URL: https://github.com/apache/trafficcontrol/pull/4430#issuecomment-589805997
What does this mean by "breaks"? It refreshes just the KSK but not also the ZSK?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services