From 0b792bd37b9b6a1cc5914ab95987359fda972ff2 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 25 Jun 2019 17:53:32 -0700
Subject: [PATCH 1/3] don't overwrite the dns_master_loadfile() result before calling zone_postload() if "rndc reload" fails, the result code is supposed to be passed to zone_postload, but for inline-signing zones, the result can be overwritten first by a call to the ZONE_TRYLOCK macro. this can lead to the partially-loaded unsigned zone being synced over to the signed zone instead of being rejected.
---
 lib/dns/zone.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index d97491c61f..9706d9e2b2 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15943,8 +15943,8 @@ zone_loaddone(void *arg, isc_result_t result) {
 LOCK_ZONE(zone->raw);
 else if (inline_raw(zone)) {
 secure = zone->secure;
- TRYLOCK_ZONE(result, secure);
- if (result != ISC_R_SUCCESS) {
+ TRYLOCK_ZONE(tresult, secure);
+ if (tresult != ISC_R_SUCCESS) {
 UNLOCK_ZONE(zone);
 secure = NULL;
 isc_thread_yield();
From e48b3f1a00b183063030910530cf8a10b2d52531 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 25 Jun 2019 18:59:47 -0700
Subject: [PATCH 2/3] add a test that reloading errors are not ignored
---
 bin/tests/system/inline/ns3/master6.db.in | 24 +++++++++++++++++++++++
 bin/tests/system/inline/tests.sh | 23 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 bin/tests/system/inline/ns3/master6.db.in
diff --git a/bin/tests/system/inline/ns3/master6.db.in b/bin/tests/system/inline/ns3/master6.db.in
new file mode 100644
index 0000000000..5cdb504bc9
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master6.db.in
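Review bot: Nothing at the `TRYLOCK_ZONE(tresult, secure)` call records why the trylock status has to stay out of `result`, and that separation is the entire fix: per the commit message, `result` carries the dns_master_loadfile() status that zone_postload() needs in order to reject a failed reload, so a later clean-up that merges the two variables again would quietly bring back the sync of a partially loaded raw zone into the signed zone. I would add a comment above the call such as `/* Keep the trylock status in tresult; 'result' is the load result and must reach zone_postload() unchanged. */`. The declaration of `tresult` and the zone_postload() call are both outside the hunk, so it is worth confirming that no value stored in `tresult` before this loop is still read after it.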
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042412 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns3 A 10.53.0.3
+
+c A 10.0.0.3
+e A 10.0.0.5
+
+$INCLUDE missingfile.db
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 60e578371e..836d421937 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -932,6 +932,29 @@ grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that reloading errors prevent synchronization ($n)"
+ret=0
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.1 || ret=1
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master5.db.in ns3/master.db
+rndc_reload ns3 10.53.0.3
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ if nextpart ns3/named.run |
+ grep "not loaded due to errors" > /dev/null
+ then
+ break
+ fi
+ sleep 1
+done
+# Sanity check: the SOA record should be unchanged
+$DIG $DIGOPTS +short @10.53.0.3 master SOA > dig.out.ns3.test$n.2 || ret=1
+$DIFF dig.out.ns3.test$n.1 dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "test add/del zone combinations ($n)"
 ret=0
From c29e344f07d6f95528724ba494434a216dd11c96 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 25 Jun 2019 19:42:46 -0700
Subject: [PATCH 3/3] CHANGES
---
 CHANGES | 5 +++++
 1 file changed, 5 insertions(+)
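Review bot: The new test in tests.sh copies `ns3/master5.db.in` over `ns3/master.db`, yet the fixture this patch adds for the failing reload is `ns3/master6.db.in` (the one ending in `$INCLUDE missingfile.db`), and nothing in the hunk references it; unless master5 also fails to load, the reload never takes the error path the zone.c fix is about. The polling loop has a second gap: when "not loaded due to errors" does not appear within ten tries it simply falls through, so the test cannot tell a rejected reload from one that succeeded or is still running, and the SOA comparison alone may pass either way. I would copy master6.db.in and fail the test when the log line is never seen, as sketched below.

```shell
cp ns3/master6.db.in ns3/master.db
rndc_reload ns3 10.53.0.3
rejected=0
# … unchanged: for/do and the nextpart | grep "not loaded due to errors" condition …
	then
		rejected=1
		break
	fi
# … unchanged: sleep 1, done …
[ $rejected = 1 ] || ret=1
```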
diff --git a/CHANGES b/CHANGES
index 9435f6ee94..dc2390118d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5255. [bug] Errors encountered while reloading inline-signing
+ zones could be ignored, causing the zone content to
+ be left in an incompletely updated state rather than
+ reverted. [GL #1109]
+
 5254. [func] Collect metrics to report to the statistics-channel DNSSEC signing operations (dnssec-sign) and refresh operations (dnssec-refresh) per zone and per keytag.