mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

3181. [func] Inline-signing is now supported for master zones.

Browse Source 
[RT #26224]
This commit is contained in:
Mark Andrews 2011-10-26 20:56:45 +00:00
parent 191fed04b2
commit 24ef32426d
10 changed files with 519 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -1,3 +1,6 @@
3181. [func] Inline-signing is now supported for master zones.
[RT #26224]
3180. [func] Local copies of slave zones are now saved in raw 3180. [func] Local copies of slave zones are now saved in raw
format by default, to improve startup performance. format by default, to improve startup performance.
'masterfile-format text;' can be used to override 'masterfile-format text;' can be used to override

10
bin/tests/system/inline/ns1/root.db.in
View File

@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE. ; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db.in,v 1.3 2011/10/25 23:46:58 tbox Exp $ ; $Id: root.db.in,v 1.4 2011/10/26 20:56:45 marka Exp $
$TTL 300 $TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. ( . IN SOA gson.nominum.com. a.root.servers.nil. (
@ -26,9 +26,15 @@ $TTL 300
a.root-servers.nil. A 10.53.0.1 a.root-servers.nil. A 10.53.0.1
bits. NS ns3.bits. bits. NS ns3.bits.
ns3.bits. A 10.53.0.3
bits. NS ns4.bits. bits. NS ns4.bits.
ns3.bits. A 10.53.0.3
ns4.bits. A 10.53.0.4 ns4.bits. A 10.53.0.4
noixfr. NS ns3.noixfr. noixfr. NS ns3.noixfr.
ns3.noixfr. A 10.53.0.3 ns3.noixfr. A 10.53.0.3
master. NS ns3.master.
ns3.master. A 10.53.0.3
dynamic. NS ns3.dynamic.
ns3.dynamic. A 10.53.0.3

134
bin/tests/system/inline/ns3/master.db.in Normal file
View File

@ -0,0 +1,134 @@
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: master.db.in,v 1.2 2011/10/26 20:56:45 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA ns2 . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
; Used for testing ANY queries
foo TXT "testing"
foo A 10.0.1.0
bad-cname CNAME a
bad-dname DNAME @
; Used for testing CNAME queries
cname1 CNAME cname1-target
cname1-target TXT "testing cname"
cname2 CNAME cname2-target
cname2-target TXT "testing cname"
; Used for testing DNAME queries
dname1 DNAME dname1-target
foo.dname1-target TXT "testing dname"
dname2 DNAME dname2-target
foo.dname2-target TXT "testing dname"
; A secure subdomain
secure NS ns.secure
ns.secure A 10.53.0.3
; An insecure subdomain
insecure NS ns.insecure
ns.insecure A 10.53.0.3
; A secure subdomain we're going to inject bogus data into
bogus NS ns.bogus
ns.bogus A 10.53.0.3
; A dynamic secure subdomain
dynamic NS dynamic
dynamic A 10.53.0.3
; A insecure subdomain
mustbesecure NS ns.mustbesecure
ns.mustbesecure A 10.53.0.3
; A rfc2535 signed zone w/ CNAME
rfc2535 NS ns.rfc2535
ns.rfc2535 A 10.53.0.3
z A 10.0.0.26
keyless NS ns.keyless
ns.keyless A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
nsec3-unknown NS ns.nsec3-unknown
ns.nsec3-unknown A 10.53.0.3
optout-unknown NS ns.optout-unknown
ns.optout-unknown A 10.53.0.3
multiple NS ns.multiple
ns.multiple A 10.53.0.3
*.wild A 10.0.0.27
rsasha256 NS ns.rsasha256
ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
kskonly NS ns.kskonly
ns.kskonly A 10.53.0.3
update-nsec3 NS ns.update-nsec3
ns.update-nsec3 A 10.53.0.3
auto-nsec NS ns.auto-nsec
ns.auto-nsec A 10.53.0.3
auto-nsec3 NS ns.auto-nsec3
ns.auto-nsec3 A 10.53.0.3
below-cname CNAME some.where.else.
insecure.below-cname NS ns.insecure.below-cname
ns.insecure.below-cname A 10.53.0.3
secure.below-cname NS ns.secure.below-cname
ns.secure.below-cname A 10.53.0.3
ttlpatch NS ns.ttlpatch
ns.ttlpatch A 10.53.0.3
split-dnssec NS ns.split-dnssec
ns.split-dnssec A 10.53.0.3
split-smart NS ns.split-smart
ns.split-smart A 10.53.0.3

135
bin/tests/system/inline/ns3/master2.db.in Normal file
View File

@ -0,0 +1,135 @@
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: master2.db.in,v 1.2 2011/10/26 20:56:45 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA ns2 . (
2000042408 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
e A 10.0.0.5
; Used for testing ANY queries
foo TXT "testing"
foo A 10.0.1.0
bad-cname CNAME a
bad-dname DNAME @
; Used for testing CNAME queries
cname1 CNAME cname1-target
cname1-target TXT "testing cname"
cname2 CNAME cname2-target
cname2-target TXT "testing cname"
; Used for testing DNAME queries
dname1 DNAME dname1-target
foo.dname1-target TXT "testing dname"
dname2 DNAME dname2-target
foo.dname2-target TXT "testing dname"
; A secure subdomain
secure NS ns.secure
ns.secure A 10.53.0.3
; An insecure subdomain
insecure NS ns.insecure
ns.insecure A 10.53.0.3
; A secure subdomain we're going to inject bogus data into
bogus NS ns.bogus
ns.bogus A 10.53.0.3
; A dynamic secure subdomain
dynamic NS dynamic
dynamic A 10.53.0.3
; A insecure subdomain
mustbesecure NS ns.mustbesecure
ns.mustbesecure A 10.53.0.3
; A rfc2535 signed zone w/ CNAME
rfc2535 NS ns.rfc2535
ns.rfc2535 A 10.53.0.3
z A 10.0.0.26
keyless NS ns.keyless
ns.keyless A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
nsec3-unknown NS ns.nsec3-unknown
ns.nsec3-unknown A 10.53.0.3
optout-unknown NS ns.optout-unknown
ns.optout-unknown A 10.53.0.3
multiple NS ns.multiple
ns.multiple A 10.53.0.3
*.wild A 10.0.0.27
rsasha256 NS ns.rsasha256
ns.rsasha256 A 10.53.0.3
rsasha512 NS ns.rsasha512
ns.rsasha512 A 10.53.0.3
kskonly NS ns.kskonly
ns.kskonly A 10.53.0.3
update-nsec3 NS ns.update-nsec3
ns.update-nsec3 A 10.53.0.3
auto-nsec NS ns.auto-nsec
ns.auto-nsec A 10.53.0.3
auto-nsec3 NS ns.auto-nsec3
ns.auto-nsec3 A 10.53.0.3
below-cname CNAME some.where.else.
insecure.below-cname NS ns.insecure.below-cname
ns.insecure.below-cname A 10.53.0.3
secure.below-cname NS ns.secure.below-cname
ns.secure.below-cname A 10.53.0.3
ttlpatch NS ns.ttlpatch
ns.ttlpatch A 10.53.0.3
split-dnssec NS ns.split-dnssec
ns.split-dnssec A 10.53.0.3
split-smart NS ns.split-smart
ns.split-smart A 10.53.0.3

17
bin/tests/system/inline/ns3/named.conf
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */ /* $Id: named.conf,v 1.4 2011/10/26 20:56:45 marka Exp $ */
// NS3 // NS3
@ -55,3 +55,18 @@ zone "noixfr" {
allow-update-forwarding { any; }; allow-update-forwarding { any; };
file "noixfr.bk"; file "noixfr.bk";
}; };
zone "master" {
type master;
inline-signing yes;
auto-dnssec maintain;
file "master.db";
};
zone "dynamic" {
type master;
inline-signing yes;
auto-dnssec maintain;
allow-update { any; };
file "dynamic.db";
};

16
bin/tests/system/inline/ns3/sign.sh
View File

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.3 2011/10/25 01:54:20 marka Exp $ # $Id: sign.sh,v 1.4 2011/10/26 20:56:45 marka Exp $
SYSTEMTESTTOP=../.. SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@ -34,3 +34,17 @@ rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=master
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=dynamic
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

23
bin/tests/system/inline/setup.sh
View File

@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.4 2011/10/25 01:54:19 marka Exp $ # $Id: setup.sh,v 1.5 2011/10/26 20:56:45 marka Exp $
sh clean.sh sh clean.sh
@ -28,15 +28,28 @@ rm -f ns3/bits.bk.jnl
rm -f ns3/bits.bk.signed rm -f ns3/bits.bk.signed
rm -f ns3/bits.bk.signed.jnl rm -f ns3/bits.bk.signed.jnl
touch ns4/trusted.conf
cp ns4/noixfr.db.in ns4/noixfr.db
rm -f ns4/noixfr.db.jnl
rm -f ns3/noixfr.bk rm -f ns3/noixfr.bk
rm -f ns3/noixfr.bk.jnl rm -f ns3/noixfr.bk.jnl
rm -f ns3/noixfr.bk.signed rm -f ns3/noixfr.bk.signed
rm -f ns3/noixfr.bk.signed.jnl rm -f ns3/noixfr.bk.signed.jnl
rm -f ns3/master.db
rm -f ns3/master.db.jnl
rm -f ns3/master.db.signed
rm -f ns3/master.db.signed.jnl
rm -f ns3/dynamic.db
rm -f ns3/dynamic.db.jnl
rm -f ns3/dynamic.db.signed
rm -f ns3/dynamic.db.signed.jnl
cp ns3/master.db.in ns3/master.db
cp ns3/master.db.in ns3/dynamic.db
touch ns4/trusted.conf
cp ns4/noixfr.db.in ns4/noixfr.db
rm -f ns4/noixfr.db.jnl
cp ns5/named.conf.pre ns5/named.conf cp ns5/named.conf.pre ns5/named.conf
../../../tools/genrandom 400 random.data ../../../tools/genrandom 400 random.data

155
bin/tests/system/inline/tests.sh
View File

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.4 2011/10/25 01:54:20 marka Exp $ # $Id: tests.sh,v 1.5 2011/10/26 20:56:45 marka Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@ -254,6 +254,158 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that the master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
[ $records = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc keydone' (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
for record in $records
do
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" master || ret=1
break; # We only want to remove 1 record for now.
done 2>&1 |sed 's/^/I:ns3 /'
for i in 1 2 3 4 5 6 7 8 9
do
ans=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking private type was properly signed (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.6 -p 5300 master TYPE65534 > dig.out.ns6.test$n
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking removal of remaining private type record via 'rndc keydone' (master) ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
for record in $records
do
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" master || ret=1
done 2>&1 |sed 's/^/I:ns3 /'
for i in 1 2 3 4 5 6 7 8 9
do
ans=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 master TYPE65534 > dig.out.ns3.test$n
grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ans=1
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check adding of record to unsigned master ($n)"
ret=0
sleep 1
cp ns3/master2.db.in ns3/master.db
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
for i in 1 2 3 4 5 6 7 8 9
do
ans=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns3.test$n
grep "10.0.0.5" dig.out.ns3.test$n > /dev/null || ans=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
[ $ans = 1 ] || break
sleep 1
done
[ $ans = 0 ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check the added record was properly signed ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.master A > dig.out.ns6.test$n
grep "10.0.0.5" dig.out.ns6.test$n > /dev/null || ans=1
grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ans=1
grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ans=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that the dynamic master zone signed on initial load ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 dynamic TYPE65534 > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
[ $records = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
n=`expr $n + 1`
echo "I:checking adding of record to unsigned master using UPDATE ($n)"
ret=0
[ -f ns3/dynamic.db.jnl ] && { ret=1 ; echo "I:journal exists (pretest)" ; }
$NSUPDATE << EOF
zone dynamic
server 10.53.0.3 5300
update add e.dynamic 0 A 1.2.3.4
send
EOF
[ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }
for i in 1 2 3 4 5 6 7 8 9 10
do
ans=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
grep "1.2.3.4" dig.out.ns3.test$n > /dev/null || ans=1
[ $ans = 0 ] && break
sleep 1
done
[ $ans = 0 ] || { ret=1; echo "I:signed record not found"; cat dig.out.ns3.test$n ; }
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo "I:stop bump in the wire signer server ($n)" echo "I:stop bump in the wire signer server ($n)"
ret=0 ret=0
@ -419,4 +571,5 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
status=`expr $status + $ret`
exit $status exit $status

22
lib/bind9/check.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: check.c,v 1.134 2011/08/30 05:16:14 marka Exp $ */ /* $Id: check.c,v 1.135 2011/10/26 20:56:45 marka Exp $ */
/*! \file */ /*! \file */
@ -1479,10 +1479,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
/* /*
* Master zones can't have both "allow-update" and "update-policy". * Master zones can't have both "allow-update" and "update-policy".
*/ */
if (ztype == MASTERZONE) { if (ztype == MASTERZONE || ztype == SLAVEZONE) {
isc_result_t res1, res2, res3; isc_result_t res1, res2, res3;
const char *arg; const char *arg;
isc_boolean_t ddns; isc_boolean_t ddns = ISC_FALSE, signing = ISC_FALSE;
obj = NULL; obj = NULL;
res1 = cfg_map_get(zoptions, "allow-update", &obj); res1 = cfg_map_get(zoptions, "allow-update", &obj);
@ -1499,16 +1499,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = ISC_R_FAILURE; result = ISC_R_FAILURE;
ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS); ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS);
obj = NULL;
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS)
signing = cfg_obj_asboolean(obj);
fprintf(stderr, "inline-signing -> %u\n", signing);
obj = NULL; obj = NULL;
arg = "off"; arg = "off";
res3 = cfg_map_get(zoptions, "auto-dnssec", &obj); res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (res3 == ISC_R_SUCCESS) if (res3 == ISC_R_SUCCESS)
arg = cfg_obj_asstring(obj); arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "off") != 0 && !ddns) { if (strcasecmp(arg, "off") != 0 && !ddns && !signing) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR, cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'auto-dnssec %s;' requires " "'auto-dnssec %s;' requires%s "
"dynamic DNS to be configured in the zone", "inline-signing to be configured for "
arg); "the zone", arg,
(ztype == MASTERZONE) ?
" dynamic DNS or" : "");
result = ISC_R_FAILURE; result = ISC_R_FAILURE;
} }
if (strcasecmp(arg, "create") == 0) { if (strcasecmp(arg, "create") == 0) {

26
lib/dns/zone.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: zone.c,v 1.639 2011/10/25 23:46:58 tbox Exp $ */ /* $Id: zone.c,v 1.640 2011/10/26 20:56:45 marka Exp $ */
/*! \file */ /*! \file */
@ -651,6 +651,8 @@ static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length); static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length); static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length); static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
static isc_result_t zone_send_secureserial(dns_zone_t *zone,
isc_uint32_t serial);
#if 0 #if 0
/* ondestroy example */ /* ondestroy example */
@ -8370,10 +8372,26 @@ zone_maintenance(dns_zone_t *zone) {
void void
dns_zone_markdirty(dns_zone_t *zone) { dns_zone_markdirty(dns_zone_t *zone) {
isc_uint32_t serial;
isc_result_t result;
LOCK_ZONE(zone); LOCK_ZONE(zone);
if (zone->type == dns_zone_master) if (zone->type == dns_zone_master) {
if (zone->secure != NULL) {
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
if (zone->db != NULL) {
result = zone_get_from_db(zone, zone->db, NULL,
NULL, &serial, NULL,
NULL, NULL, NULL,
NULL);
} else
result = DNS_R_NOTLOADED;
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
if (result == ISC_R_SUCCESS)
zone_send_secureserial(zone, serial);
}
set_resigntime(zone); /* XXXMPA make separate call back */ set_resigntime(zone); /* XXXMPA make separate call back */
}
zone_needdump(zone, DNS_DUMP_DELAY); zone_needdump(zone, DNS_DUMP_DELAY);
UNLOCK_ZONE(zone); UNLOCK_ZONE(zone);
} }
@ -12383,10 +12401,8 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
break; break;
} }
} }
#if 0 if (zone->type == dns_zone_master && zone->secure != NULL)
if (zone->secure != NULL)
zone_send_secureserial(zone, serial); zone_send_secureserial(zone, serial);
#endif
} else { } else {
if (dump && zone->masterfile != NULL) { if (dump && zone->masterfile != NULL) {
/* /*