Bug 1455147 (new-ksk-libreswan-el6)

Summary: Add DNSSEC trust anchor KSK 2017
Product: Red Hat Enterprise Linux 6
Reporter: Petr Menšík <pemensik>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: urgent
Version: 6.9
CC: cww, jreznik, mkolaja, mthacker, omoris, pemensik, pwouters, qe-baseos-security, thozza, tmraz, toneata
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1452672
: 1493292 1493917
Environment:
Last Closed: 2018-06-21 08:46:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1451855, 1493292, 1493917
Attachments:
stand-alone test code for KSK behaviour (flags: none)

Comment 22 Tomas Mraz 2017-09-20 06:48:46 UTC
*** Bug 1493292 has been marked as a duplicate of this bug. ***

Comment 27 Ondrej Moriš 2017-09-25 10:43:34 UTC
Paul, you mentioned you have some binary to test this fix; could you share it? I can clearly see that libreswan is compiled with DNSSEC2017, but I would like to do more.

Comment 28 Paul Wouters 2017-09-25 15:57:55 UTC
Created attachment 1330610 [details]
stand-alone test code for KSK behaviour

Test file to check secure resolving when either the first or the second (or both) added trust anchors are bad. This shows that resolving works securely before and after the KSK root key roll.

The code is basically pulled from lib/libswan/unbound.c as a standalone program testing the unbound_resolve() call used in libreswan.