From 24ef32426d91c5140d75031b6443397c6d24006c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 26 Oct 2011 20:56:45 +0000 Subject: [PATCH] 3181. [func] Inline-signing is now supported for master zones. [RT #26224] --- CHANGES | 3 + bin/tests/system/inline/ns1/root.db.in | 10 +- bin/tests/system/inline/ns3/master.db.in | 134 +++++++++++++++++++ bin/tests/system/inline/ns3/master2.db.in | 135 +++++++++++++++++++ bin/tests/system/inline/ns3/named.conf | 17 ++- bin/tests/system/inline/ns3/sign.sh | 16 ++- bin/tests/system/inline/setup.sh | 23 +++- bin/tests/system/inline/tests.sh | 155 +++++++++++++++++++++- lib/bind9/check.c | 22 ++- lib/dns/zone.c | 26 +++- 10 files changed, 519 insertions(+), 22 deletions(-) create mode 100644 bin/tests/system/inline/ns3/master.db.in create mode 100644 bin/tests/system/inline/ns3/master2.db.in diff --git a/CHANGES b/CHANGES index 63d99c8487..2e690319c4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3181. [func] Inline-signing is now supported for master zones. + [RT #26224] + 3180. [func] Local copies of slave zones are now saved in raw format by default, to improve startup performance. 'masterfile-format text;' can be used to override diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in index b4a1a2dc3f..b3e756dd7c 100644 --- a/bin/tests/system/inline/ns1/root.db.in +++ b/bin/tests/system/inline/ns1/root.db.in @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db.in,v 1.3 2011/10/25 23:46:58 tbox Exp $ +; $Id: root.db.in,v 1.4 2011/10/26 20:56:45 marka Exp $ $TTL 300 . IN SOA gson.nominum.com. a.root.servers.nil. ( 
@@ -26,9 +26,15 @@ $TTL 300
 a.root-servers.nil. A 10.53.0.1
 
 bits. NS ns3.bits.
-ns3.bits. A 10.53.0.3
 bits. NS ns4.bits.
+ns3.bits. A 10.53.0.3
 ns4.bits. A 10.53.0.4
 
 noixfr. NS ns3.noixfr.
 ns3.noixfr. A 10.53.0.3
+
+master. NS ns3.master.
+ns3.master. A 10.53.0.3
+
+dynamic. NS ns3.dynamic.
+ns3.dynamic. A 10.53.0.3
diff --git a/bin/tests/system/inline/ns3/master.db.in b/bin/tests/system/inline/ns3/master.db.in
new file mode 100644
index 0000000000..8f5690d6d5
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master.db.in
@@ -0,0 +1,134 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: master.db.in,v 1.2 2011/10/26 20:56:45 marka Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA ns2 . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; A rfc2535 
signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 + +update-nsec3 NS ns.update-nsec3 +ns.update-nsec3 A 10.53.0.3 + +auto-nsec NS ns.auto-nsec +ns.auto-nsec A 10.53.0.3 + +auto-nsec3 NS ns.auto-nsec3 +ns.auto-nsec3 A 10.53.0.3 + + +below-cname CNAME some.where.else. + +insecure.below-cname NS ns.insecure.below-cname +ns.insecure.below-cname A 10.53.0.3 + +secure.below-cname NS ns.secure.below-cname +ns.secure.below-cname A 10.53.0.3 + +ttlpatch NS ns.ttlpatch +ns.ttlpatch A 10.53.0.3 + +split-dnssec NS ns.split-dnssec +ns.split-dnssec A 10.53.0.3 + +split-smart NS ns.split-smart +ns.split-smart A 10.53.0.3 diff --git a/bin/tests/system/inline/ns3/master2.db.in b/bin/tests/system/inline/ns3/master2.db.in new file mode 100644 index 0000000000..5b3fcaaeba --- /dev/null +++ b/bin/tests/system/inline/ns3/master2.db.in 
@@ -0,0 +1,135 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: master2.db.in,v 1.2 2011/10/26 20:56:45 marka Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA ns2 . ( + 2000042408 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +e A 10.0.0.5 + +; Used for testing ANY queries +foo TXT "testing" +foo A 10.0.1.0 + +bad-cname CNAME a +bad-dname DNAME @ + +; Used for testing CNAME queries +cname1 CNAME cname1-target +cname1-target TXT "testing cname" + +cname2 CNAME cname2-target +cname2-target TXT "testing cname" + +; Used for testing DNAME queries +dname1 DNAME dname1-target +foo.dname1-target TXT "testing dname" + +dname2 DNAME dname2-target +foo.dname2-target TXT "testing dname" + +; A secure subdomain +secure NS ns.secure +ns.secure A 10.53.0.3 + +; An insecure subdomain +insecure NS ns.insecure +ns.insecure A 10.53.0.3 + +; A secure subdomain we're going to inject bogus data into +bogus NS ns.bogus +ns.bogus A 10.53.0.3 + +; A dynamic secure subdomain +dynamic NS dynamic +dynamic A 10.53.0.3 + +; A insecure subdomain +mustbesecure NS ns.mustbesecure +ns.mustbesecure A 10.53.0.3 + +; 
A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + +z A 10.0.0.26 + +keyless NS ns.keyless +ns.keyless A 10.53.0.3 + +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 + +optout NS ns.optout +ns.optout A 10.53.0.3 + +nsec3-unknown NS ns.nsec3-unknown +ns.nsec3-unknown A 10.53.0.3 + +optout-unknown NS ns.optout-unknown +ns.optout-unknown A 10.53.0.3 + +multiple NS ns.multiple +ns.multiple A 10.53.0.3 + +*.wild A 10.0.0.27 + +rsasha256 NS ns.rsasha256 +ns.rsasha256 A 10.53.0.3 + +rsasha512 NS ns.rsasha512 +ns.rsasha512 A 10.53.0.3 + +kskonly NS ns.kskonly +ns.kskonly A 10.53.0.3 + +update-nsec3 NS ns.update-nsec3 +ns.update-nsec3 A 10.53.0.3 + +auto-nsec NS ns.auto-nsec +ns.auto-nsec A 10.53.0.3 + +auto-nsec3 NS ns.auto-nsec3 +ns.auto-nsec3 A 10.53.0.3 + + +below-cname CNAME some.where.else. + +insecure.below-cname NS ns.insecure.below-cname +ns.insecure.below-cname A 10.53.0.3 + +secure.below-cname NS ns.secure.below-cname +ns.secure.below-cname A 10.53.0.3 + +ttlpatch NS ns.ttlpatch +ns.ttlpatch A 10.53.0.3 + +split-dnssec NS ns.split-dnssec +ns.split-dnssec A 10.53.0.3 + +split-smart NS ns.split-smart +ns.split-smart A 10.53.0.3 diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf index dbf747f4ff..1c9483bb7c 100644 --- a/bin/tests/system/inline/ns3/named.conf +++ b/bin/tests/system/inline/ns3/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */ +/* $Id: named.conf,v 1.4 2011/10/26 20:56:45 marka Exp $ */ // NS3 @@ -55,3 +55,18 @@ zone "noixfr" { allow-update-forwarding { any; }; file "noixfr.bk"; }; + +zone "master" { + type master; + inline-signing yes; + auto-dnssec maintain; + file "master.db"; +}; + +zone "dynamic" { + type master; + inline-signing yes; + auto-dnssec maintain; + allow-update { any; }; + file "dynamic.db"; +}; 
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index 7625cd094f..913e64bd5f 100644
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.3 2011/10/25 01:54:20 marka Exp $
+# $Id: sign.sh,v 1.4 2011/10/26 20:56:45 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -34,3 +34,17 @@ rm -f K${zone}.+*+*.private
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=master
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
+zone=dynamic
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 5dd3285ee3..84c89c9a54 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.4 2011/10/25 01:54:19 marka Exp $
+# $Id: setup.sh,v 1.5 2011/10/26 20:56:45 marka Exp $
 
 sh clean.sh
 
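Review bot: The two new stanzas for `master` and `dynamic` in the second hunk are copies of the `bits` stanza above them with only the zone name changed, so the key algorithm, sizes and the DS TTL now live in three places; wrapping the five lines in `for zone in master dynamic; do … done` keeps them in one. In each stanza the first `keyname=` (the 768-bit ZSK) is immediately overwritten by the KSK assignment and never read, which is fine if the ZSK is generated only for its side effect on disk, but naming the two results `zsk`/`ksk` would make that intent explicit to the next reader. The `bits` stanza these copy begins outside the hunk.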
@@ -28,15 +28,28 @@ rm -f ns3/bits.bk.jnl
 rm -f ns3/bits.bk.signed
 rm -f ns3/bits.bk.signed.jnl
 
-touch ns4/trusted.conf
-cp ns4/noixfr.db.in ns4/noixfr.db
-rm -f ns4/noixfr.db.jnl
-
 rm -f ns3/noixfr.bk
 rm -f ns3/noixfr.bk.jnl
 rm -f ns3/noixfr.bk.signed
 rm -f ns3/noixfr.bk.signed.jnl
 
+rm -f ns3/master.db
+rm -f ns3/master.db.jnl
+rm -f ns3/master.db.signed
+rm -f ns3/master.db.signed.jnl
+
+rm -f ns3/dynamic.db
+rm -f ns3/dynamic.db.jnl
+rm -f ns3/dynamic.db.signed
+rm -f ns3/dynamic.db.signed.jnl
+
+cp ns3/master.db.in ns3/master.db
+cp ns3/master.db.in ns3/dynamic.db
+
+touch ns4/trusted.conf
+cp ns4/noixfr.db.in ns4/noixfr.db
+rm -f ns4/noixfr.db.jnl
+
 cp ns5/named.conf.pre ns5/named.conf
 
 ../../../tools/genrandom 400 random.data
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 24d21449a5..3dc32dd934 100644
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.4 2011/10/25 01:54:20 marka Exp $
+# $Id: tests.sh,v 1.5 2011/10/26 20:56:45 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -254,6 +254,158 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:checking that the master zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+	records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
+	[ $records = 2 ] || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+n=`expr $n + 1`
+echo "I:checking removal of private type record via 'rndc keydone' (master) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
+records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
+for record in $records
+do
+	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" master || ret=1
+	break;	# We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking private type was properly signed (master) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking removal of remaining private type record via 'rndc keydone' (master) ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
+records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
+for record in $records
+do
+	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" master || ret=1
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
+	grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ans=1
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:check adding of record to unsigned master ($n)"
+ret=0
+sleep 1
+cp ns3/master2.db.in ns3/master.db
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
+
+for i in 1 2 3 4 5 6 7 8 9
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
+	grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:check the added record was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns6.test$n
+grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that the dynamic master zone signed on initial load ($n)"
+ret=0
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 dynamic TYPE65534 > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+	grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+	records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
+	[ $records = 2 ] || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+n=`expr $n + 1`
+echo "I:checking adding of record to unsigned master using UPDATE ($n)"
+ret=0
+
+[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }
+
+$NSUPDATE << EOF
+zone dynamic
+server 10.53.0.3 5300
+update add e.dynamic 0 A 1.2.3.4
+send
+EOF
+
+[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 0 ] && break
+	sleep 1
+done
+[ $ans = 0 ] || { ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; }
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I:stop bump in the wire signer server
($n)"
 ret=0
@@ -419,4 +571,5 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+status=`expr $status + $ret`
 
 exit $status
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index c14cc94006..c8bcd93a9b 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.134 2011/08/30 05:16:14 marka Exp $ */
+/* $Id: check.c,v 1.135 2011/10/26 20:56:45 marka Exp $ */
 
 /*! \file */
 
@@ -1479,10 +1479,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	/*
 	 * Master zones can't have both "allow-update" and "update-policy".
 	 */
-	if (ztype == MASTERZONE) {
+	if (ztype == MASTERZONE || ztype == SLAVEZONE) {
 		isc_result_t res1, res2, res3;
 		const char *arg;
-		isc_boolean_t ddns;
+		isc_boolean_t ddns = ISC_FALSE, signing = ISC_FALSE;
 
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "allow-update", &obj);
@@ -1498,17 +1498,25 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		    check_update_policy(obj, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 		ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS);
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
+		if (res1 == ISC_R_SUCCESS)
+			signing = cfg_obj_asboolean(obj);
+		fprintf(stderr, "inline-signing -> %u\n", signing);
 
 		obj = NULL;
 		arg = "off";
 		res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
 		if (res3 == ISC_R_SUCCESS)
 			arg = cfg_obj_asstring(obj);
-		if (strcasecmp(arg, "off") != 0 && !ddns) {
+		if (strcasecmp(arg, "off") != 0 && !ddns && !signing) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'auto-dnssec %s;' requires "
-				    "dynamic DNS to be configured in the zone",
-				    arg);
+				    "'auto-dnssec %s;' requires%s "
+				    "inline-signing to be configured for "
+				    "the zone", arg,
+				    (ztype == MASTERZONE) ?
+					" dynamic DNS or" : "");
 			result = ISC_R_FAILURE;
 		}
 		if (strcasecmp(arg, "create") == 0) {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1e041f6566..ea5e8a38b4 100644
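Review bot: The "check the added record was properly signed" test in this hunk can never fail: its three `grep … || ans=1` lines set `ans`, but the failure check immediately below reads `$ret`, which is still 0 from the `ret=0` above, and `ans` itself still holds the value left by the previous loop. It also sends the query to the authoritative server 10.53.0.3 while writing to `dig.out.ns6.test$n` and expecting the `ad` flag, which in this harness only the validating resolver at 10.53.0.6 used by the earlier "private type was properly signed" test would set, so once the bookkeeping is fixed the check would fail as written. Change the three greps to `|| ret=1` and the query to `$DIG $DIGOPTS @10.53.0.6 -p 5300 e.master A > dig.out.ns6.test$n`. Separately, the two "signed on initial load" checks (master and dynamic) end with `if [ $ret != 0 ]; then echo "I:failed"; fi` and never add `$ret` to `status`, so a failure there is printed but does not affect the exit code.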
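Review bot: The second `status=\`expr $status + $ret\`` added at the end of tests.sh adds the final test's result to `status` twice instead of accounting for anything new, which looks like a stray duplicate rather than an intended fix; the tests in this commit that actually fail to record their result are the two "signed on initial load" checks (master and dynamic) earlier in the file, which end with `if [ $ret != 0 ]; then echo "I:failed"; fi` and no `status=` line. Drop the duplicate here and add `status=\`expr $status + $ret\`` after each of those two checks so a failure there is reflected in the exit status. The doubled line is harmless for the final exit code (non-zero stays non-zero) but misreports the failure count if anyone reads `status` as one.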
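Review bot: The comment `Master zones can't have both "allow-update" and "update-policy".` above the changed `if` in the first check.c hunk is now stale, since the block also runs for SLAVEZONE and its added job is deciding whether `auto-dnssec` has a signing mechanism at all. Replace it with something like `/* Master and slave zones: reject "allow-update" together with "update-policy", and require dynamic DNS (masters only) or inline-signing when auto-dnssec is enabled. */`. The enclosing check_zoneconf() starts and ends outside the hunk, so the allow-update handling for slaves that this condition now reaches is not visible here and worth a second look.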
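Review bot: The `fprintf(stderr, "inline-signing -> %u\n", signing);` added after the new `cfg_map_get(zoptions, "inline-signing", &obj)` looks like leftover debugging output: lib/bind9/check.c runs for every zone during configuration checking in both named-checkconf and named, so each master or slave zone would print this line to stderr on every load and reload. Drop the line; if the value is worth reporting, emit it through the function's existing logging path (`cfg_obj_log(obj, logctx, …)`) at a debug level rather than a raw stderr write. Passing an `isc_boolean_t` to `%u` also relies on the enum promoting to an unsigned-compatible int, which `-Wformat` builds may flag. Otherwise the relaxed condition `!ddns && !signing` and the zone-type-dependent error text match the commit's intent.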
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.639 2011/10/25 23:46:58 tbox Exp $ */
+/* $Id: zone.c,v 1.640 2011/10/26 20:56:45 marka Exp $ */
 
 /*! \file */
 
@@ -651,6 +651,8 @@ static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
 static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
 static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
 static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
+static isc_result_t zone_send_secureserial(dns_zone_t *zone,
+					   isc_uint32_t serial);
 
 #if 0
 /* ondestroy example */
@@ -8370,10 +8372,26 @@ zone_maintenance(dns_zone_t *zone) {
 
 void
 dns_zone_markdirty(dns_zone_t *zone) {
+	isc_uint32_t serial;
+	isc_result_t result;
 
 	LOCK_ZONE(zone);
-	if (zone->type == dns_zone_master)
+	if (zone->type == dns_zone_master) {
+		if (zone->secure != NULL) {
+			ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+			if (zone->db != NULL) {
+				result = zone_get_from_db(zone, zone->db, NULL,
+							  NULL, &serial, NULL,
+							  NULL, NULL, NULL,
+							  NULL);
+			} else
+				result = DNS_R_NOTLOADED;
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			if (result == ISC_R_SUCCESS)
+				zone_send_secureserial(zone, serial);
+		}
 		set_resigntime(zone);	/* XXXMPA make separate call back */
+	}
 	zone_needdump(zone, DNS_DUMP_DELAY);
 	UNLOCK_ZONE(zone);
 }
@@ -12383,10 +12401,8 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 				break;
 			}
 		}
-#if 0
-		if (zone->secure != NULL)
+		if (zone->type == dns_zone_master && zone->secure != NULL)
 			zone_send_secureserial(zone, serial);
-#endif
 	} else {
 		if (dump && zone->masterfile != NULL) {
 			/*
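Review bot: In dns_zone_markdirty the isc_result_t returned by `zone_send_secureserial(zone, serial)` is discarded, and the `DNS_R_NOTLOADED` / zone_get_from_db failure path is silent as well, so a raw zone that cannot hand its new serial to its inline-signed copy simply carries on while the signed zone, which is what resolvers actually validate, falls behind with no log line to explain it. Capture the result and log on failure, e.g. `result = zone_send_secureserial(zone, serial); if (result != ISC_R_SUCCESS) dns_zone_log(zone, ISC_LOG_WARNING, "zone_send_secureserial: %s", dns_result_totext(result));` (dns_zone_log is the logging helper used elsewhere in this file; confirm its signature). The same unchecked call is re-enabled in zone_replacedb, whose body starts and ends outside the hunk. A one-line comment on the new block would also help the next reader: `/* inline-signing: tell the signed (secure) zone which raw serial it must now catch up to. */`.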