diff --git a/CHANGES b/CHANGES
index 074df6f512..72264ef261 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,14 +1,5 @@
--- 9.12.0b1 released ---
-4773. [bug] Keys specified in "managed-keys" statements
- can now only be used when validating key refresh
- queries during initialization of RFC 5011 key
- maintenance. If initialization fails, DNSSEC
- validation of normal queries will also fail.
- Previously, validation of normal queries could
- succeed using the initializing key, potentially
- masking problems with managed-keys. [RT #46077]
-
4772. [test] Expanded unit testing framework for libns, using
hooks to interrupt query flow and inspect state
at specified locations. [RT #46173]
diff --git a/bin/named/server.c b/bin/named/server.c
index 818838b142..2101c1ded2 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -844,8 +844,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
continue;
}
- CHECK(dns_keytable_add2(secroots, managed,
- managed, &dstkey));
+ CHECK(dns_keytable_add(secroots, managed, &dstkey));
}
}
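Review bot: Nothing at this call records that a key taken from a `managed-keys` statement has not yet been confirmed by an RFC 5011 refresh. `dns_keytable_add(secroots, managed, &dstkey)` stores only the `managed` flag, and the validator.c hunks in this commit use every keynode's key for verification. A comment above the call would make that trust decision explicit, for example `/* A managed key is usable for validation as soon as it is added here, before any key refresh query has succeeded. */`. The rest of load_view_keys lies outside the hunk, so whether anything else gates these keys cannot be seen from here.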
@@ -1044,8 +1043,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"managed-keys-directory '%s' "
- "must be writable and accessible",
- directory);
+ "is not writable", directory);
result = ISC_R_NOPERM;
goto cleanup;
}
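Review bot: The new text `is not writable` names a single cause, while the check behind it can fail for others. The condition guarding this message is outside the hunk, but the sibling hunks in directory_callback and load_configuration show `access(directory, DIR_PERM_OK) != 0` and `access(".", DIR_PERM_OK) != 0`, and access() also fails when the path is missing or a component is not searchable. Appending the reason keeps the log accurate and still matches the greps in runtime/tests.sh, for example `"managed-keys-directory '%s' is not writable: %s", directory, strerror(errno)`. The same applies to the other two messages.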
@@ -6170,8 +6168,8 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
if (access(directory, DIR_PERM_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "working directory '%s' must be "
- "writable and accessible", directory);
+ "directory '%s' is not writable",
+ directory);
return (ISC_R_NOPERM);
}
@@ -6436,7 +6434,7 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
do {
dst_key_t *key = dns_keynode_key(keynode);
- if (key != NULL && !dns_keynode_initial(keynode)) {
+ if (key != NULL) {
name = dst_key_name(key);
if (n < (sizeof(ids)/sizeof(ids[0]))) {
ids[n] = dst_key_id(key);
@@ -6445,19 +6443,16 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
}
nextnode = NULL;
(void)dns_keytable_nextkeynode(keytable, keynode, &nextnode);
- if (keynode != firstnode) {
+ if (keynode != firstnode)
dns_keytable_detachkeynode(keytable, &keynode);
- }
keynode = nextnode;
} while (keynode != NULL);
- if (n == 0) {
+ if (n == 0)
return;
- }
- if (n > 1) {
+ if (n > 1)
qsort(ids, n, sizeof(ids[0]), cid);
- }
/*
* Encoded as "_ta-xxxx\(-xxxx\)*" where xxxx is the hex version of
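Review bot: Dropping the braces from the single-statement bodies here (`if (keynode != firstnode)`, `if (n == 0)`, `if (n > 1)`) makes later edits to these branches easier to get wrong, because a second statement added under one of them would run unconditionally. The same removal recurs in the following dotat hunks and in the validator.c and zone.c hunks of this commit. Keeping the braced form, e.g. `if (n == 0) { return; }`, changes nothing functionally. dotat begins and ends outside this hunk.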
@@ -6467,23 +6462,20 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
r.base = label;
r.length = sizeof(label);;
m = snprintf(r.base, r.length, "_ta");
- if (m < 0 || (unsigned)m > r.length) {
+ if (m < 0 || (unsigned)m > r.length)
return;
- }
isc_textregion_consume(&r, m);
for (i = 0; i < n; i++) {
m = snprintf(r.base, r.length, "-%04x", ids[i]);
- if (m < 0 || (unsigned)m > r.length) {
+ if (m < 0 || (unsigned)m > r.length)
return;
- }
isc_textregion_consume(&r, m);
}
dns_fixedname_init(&fixed);
tatname = dns_fixedname_name(&fixed);
result = dns_name_fromstring2(tatname, label, name, 0, NULL);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS)
return;
- }
dns_name_format(tatname, namebuf, sizeof(namebuf));
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
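Review bot: Both snprintf() checks in this hunk accept a truncated write. snprintf() returns the length it wanted to write, excluding the terminator, so a return equal to `r.length` means the last character was dropped, yet `(unsigned)m > r.length` lets it through. The label then passed to `dns_name_fromstring2()` would carry a shortened key id. Comparing with `>=` closes the gap for both the `"_ta"` and the `"-%04x"` call: `if (m < 0 || (unsigned)m >= r.length) return;`. Whether the case is reachable depends on the sizes of `label` and `ids`, which are declared outside the hunk.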
@@ -6492,9 +6484,8 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
view->name, namebuf);
tat = isc_mem_get(dotat_arg->view->mctx, sizeof(*tat));
- if (tat == NULL) {
+ if (tat == NULL)
return;
- }
tat->mctx = NULL;
tat->task = NULL;
@@ -8499,8 +8490,7 @@ load_configuration(const char *filename, named_server_t *server,
if (access(".", DIR_PERM_OK) != 0) {
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "the working directory must be "
- "writable and accessible");
+ "the working directory is not writable");
result = ISC_R_NOPERM;
goto cleanup;
}
diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README
index 40310a2d70..8682940f8c 100644
--- a/bin/tests/system/mkeys/README
+++ b/bin/tests/system/mkeys/README
@@ -16,8 +16,16 @@ is used so it will send TAT queries once per second.
ns3 is a validator with a broken key in managed-keys.
-ns4 is a validator with a deliberately broken managed-keys.bind and
-managed-keys.jnl, causing RFC 5011 initialization to fail.
+Tests TODO:
-ns5 is a validator which is prevented from getting a response from the
-root server, causing key refresh queries to fail.
+- initial working KSK
+
+TODO: test using delv with new trusted key too
+
+- introduce a REVOKE bit
+
+- later remove a signature
+
+- corrupt a signature
+
+TODO: also same things with dlv auto updates of trust anchor
diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
index 8c3e33c71d..a02f05b777 100644
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@@ -15,4 +15,3 @@ rm -f */named.memstats */named.run
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns1/named.conf
-rm -rf ns4/nope
diff --git a/bin/tests/system/mkeys/ns1/named1.conf b/bin/tests/system/mkeys/ns1/named1.conf
index 5f9eeaf91e..0f17bdc16b 100644
--- a/bin/tests/system/mkeys/ns1/named1.conf
+++ b/bin/tests/system/mkeys/ns1/named1.conf
@@ -10,11 +10,6 @@
controls { /* empty */ };
-acl allowed {
- ! 10.53.0.5;
- any;
-};
-
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
@@ -27,7 +22,6 @@ options {
notify no;
dnssec-enable yes;
dnssec-validation yes;
- allow-query { allowed; };
};
key rndc_key {
diff --git a/bin/tests/system/mkeys/ns1/named2.conf b/bin/tests/system/mkeys/ns1/named2.conf
index 42f6712859..a033e10d81 100644
--- a/bin/tests/system/mkeys/ns1/named2.conf
+++ b/bin/tests/system/mkeys/ns1/named2.conf
@@ -10,11 +10,6 @@
controls { /* empty */ };
-acl allowed {
- ! 10.53.0.5;
- any;
-};
-
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
@@ -27,7 +22,6 @@ options {
notify no;
dnssec-enable yes;
dnssec-validation yes;
- allow-query { allowed; };
};
key rndc_key {
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 054422de55..fb134742d2 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -28,8 +28,6 @@ managed-keys {
EOF
' > managed.conf
cp managed.conf ../ns2/managed.conf
-cp managed.conf ../ns4/managed.conf
-cp managed.conf ../ns5/managed.conf
# Configure a trusted key statement (used by delve)
cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args
index 71e466df40..d222b7faea 100644
--- a/bin/tests/system/mkeys/ns2/named.args
+++ b/bin/tests/system/mkeys/ns2/named.args
@@ -1 +1 @@
--m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40
diff --git a/bin/tests/system/mkeys/ns4/named.conf b/bin/tests/system/mkeys/ns4/named.conf
deleted file mode 100644
index ad3979d7a7..0000000000
--- a/bin/tests/system/mkeys/ns4/named.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-// NS4
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.4;
- notify-source 10.53.0.4;
- transfer-source 10.53.0.4;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.4; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
- dnssec-enable yes;
- dnssec-validation auto;
- bindkeys-file "managed.conf";
- managed-keys-directory "nope";
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "." {
- type hint;
- file "../../common/root.hint";
-};
diff --git a/bin/tests/system/mkeys/ns5/named.conf b/bin/tests/system/mkeys/ns5/named.conf
deleted file mode 100644
index 98204929ad..0000000000
--- a/bin/tests/system/mkeys/ns5/named.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-// NS5
-
-options {
- query-source address 10.53.0.5;
- notify-source 10.53.0.5;
- transfer-source 10.53.0.5;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.5; };
- listen-on-v6 { none; };
- recursion yes;
- notify no;
- dnssec-enable yes;
- dnssec-validation auto;
- bindkeys-file "managed.conf";
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "." {
- type hint;
- file "../../common/root.hint";
-};
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index bb70fe1df3..d555c4e93e 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -16,9 +16,3 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
cp ns1/named1.conf ns1/named.conf
cd ns1 && $SHELL sign.sh
-
-cd ../ns4
-mkdir nope
-touch nope/managed-keys.bind
-touch nope/managed.keys.bind.jnl
-chmod 444 nope/*
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index c5ebc88ac5..b9806f3431 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -28,7 +28,6 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: check positive validation with valid trust anchor ($n)"
ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@@ -391,7 +390,6 @@ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2
n=`expr $n + 1`
echo "I: check positive validation ($n)"
ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@@ -448,6 +446,7 @@ rm -f ${revoked}.key ${revoked}.private
$SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null
$SETTIME -D now -K ns1 $standby1 > /dev/null
$SETTIME -D now -K ns1 $standby2 > /dev/null
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
sleep 1
$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&-
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /'
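Review bot: The added flush is sent to `-s 10.53.0.2` but its output is prefixed with `I: ns1 `, the same prefix the reload further down uses for `-s 10.53.0.1`. Anyone reading the test log will attribute the flush to the wrong server. The prefix should match the target: `$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'`.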
@@ -455,7 +454,6 @@ sleep 3
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
sleep 1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
$DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@@ -539,7 +537,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: check that trust-anchor-telemetry queries are logged ($n)"
ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns3/named.run > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -564,45 +562,5 @@ grep "name: \." rndc.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo "I: check that trust-anchor-telemetry queries contain the correct key ($n)"
-ret=0
-# convert the hexadecimal key from the TAT query into decimal and
-# compare against the known key.
-tathex=`grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([a-f0-9][a-f0-d]*\)):/\1/'`
-tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex`
-realkey=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots - | grep '; managed' | sed 's#.*SHA256/\([0-9][0-9]*\) ; managed.*#\1#'`
-[ "$tatkey" -eq "$realkey" ] || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo "I: check initialization fails if managed-keys can't be created ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots | sed 's/^/I: ns4 /'
-grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
-grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
-grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo "I: check failure to contact root servers does not prevent key refreshes after restart ($n)"
-ret=0
-# By the time we get here, ns5 should have attempted refreshing its managed
-# keys. These attempts should fail as ns1 is configured to REFUSE all queries
-# from ns5. Note we do not configure ns5 with "-T mkeytimers"; this is to
-# ensure key refresh retry will be scheduled one hour in the future instead of
-# a few seconds in the future, in order to prevent races when ns5 is restarted.
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5
-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
-sleep 2
-# ns5/named.run will contain logs from both the old instance and the new
-# instance. In order for the test to pass, both must attempt a fetch.
-count=`grep -c "Creating key fetch" ns5/named.run`
-[ $count -lt 2 ] && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/runtime/ns2/named-alt2.conf b/bin/tests/system/runtime/ns2/named-alt2.conf
index aaca67dd7e..d18ea86211 100644
--- a/bin/tests/system/runtime/ns2/named-alt2.conf
+++ b/bin/tests/system/runtime/ns2/named-alt2.conf
@@ -13,7 +13,7 @@ controls { /* empty */ };
options {
query-source address 10.53.0.2;
port 5300;
- pid-file "named2.pid";
+ pid-file "named3.pid";
listen-on { 10.53.0.2; 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::2; };
recursion no;
diff --git a/bin/tests/system/runtime/ns2/named-alt3.conf b/bin/tests/system/runtime/ns2/named-alt3.conf
index b5ad847339..69356ea758 100644
--- a/bin/tests/system/runtime/ns2/named-alt3.conf
+++ b/bin/tests/system/runtime/ns2/named-alt3.conf
@@ -13,7 +13,7 @@ controls { /* empty */ };
options {
query-source address 10.53.0.2;
port 5300;
- pid-file "named2.pid";
+ pid-file "named4.pid";
lock-file none;
listen-on { 10.53.0.2; 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::2; };
diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh
index cf285383f5..1d26590ad9 100644
--- a/bin/tests/system/runtime/tests.sh
+++ b/bin/tests/system/runtime/tests.sh
@@ -37,7 +37,7 @@ ret=0
(cd ns2; $NAMED -c named-alt2.conf -D ns2-extra-2 -X named.lock -m record,size,mctx -d 99 -g -U 4 >> named3.run 2>&1 & )
sleep 2
grep "another named process" ns2/named3.run > /dev/null || ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+[ -s ns2/named3.pid ] && $KILL -15 `cat ns2/named3.pid`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@@ -47,60 +47,61 @@ ret=0
(cd ns2; $NAMED -c named-alt3.conf -D ns2-extra-3 -m record,size,mctx -d 99 -g -U 4 >> named4.run 2>&1 & )
sleep 2
grep "another named process" ns2/named4.run > /dev/null && ret=1
-[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
+[ -s ns2/named4.pid ] && $KILL -15 `cat ns2/named4.pid`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-if [ ! "$CYGWIN" ]; then
- n=`expr $n + 1`
- echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
- ret=0
- cp -f ns2/named-alt4.conf ns2/named.conf
- $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
- grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
- sleep 1
- grep "[^-]directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
+ret=0
+cp -f ns2/named-alt4.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
- n=`expr $n + 1`
- echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
- ret=0
- cp -f ns2/named-alt5.conf ns2/named.conf
- $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
- grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
- sleep 1
- grep "managed-keys-directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
+ret=0
+cp -f ns2/named-alt5.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
+grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
+sleep 1
+grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
- echo "I: kill existing named process"
- [ -s "ns2/named.pid" ] && kill -15 `cat ns2/named.pid`
+n=`expr $n + 1`
+echo "I: checking that named refuses to start if working directory is not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
+# pidfile could be in either place depending on whether the directory
+# successfully changed.
+[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
+[ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
- n=`expr $n + 1`
- echo "I: checking that named refuses to start if working directory is not writable ($n)"
- ret=0
- cd ns2
- $NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
- sleep 2
- grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
- cd ..
- [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
-
- n=`expr $n + 1`
- echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
- ret=0
- cd ns2
- $NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
- sleep 2
- grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
- cd ..
- [ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
- if [ $ret != 0 ]; then echo "I:failed"; fi
- status=`expr $status + $ret`
-fi
+n=`expr $n + 1`
+echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
+ret=0
+cd ns2
+$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
+sleep 2
+grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
+# pidfile could be in either place depending on whether the directory
+# successfully changed.
+[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
+[ -s ../named.pid ] && kill -15 `cat ../named.pid` > /dev/null 2>&1
+cd ..
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
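Review bot: The two new start-up checks signal whatever PID is stored in `named.pid` or `../named.pid` rather than the process they launched. Both files can predate the test instance, and the earlier "kill existing named process" step is gone in the new version, so `kill -15` could hit the long-running ns2 server or, with a stale file, an unrelated process. Since `$NAMED ... &` is started from this shell, its PID is available directly: `testpid=$!` right after the launch, then `kill -15 $testpid > /dev/null 2>&1` in place of the two pid-file lines.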
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 944b7bf0f4..0ecb342083 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -492,17 +492,6 @@
are not writable by the effective user ID. [RT #46077]
-
-
- Initializing keys specified in a managed-keys
- statement or by dnssec-validation auto; are
- no longer treated as valid for any use other than validation of
- RFC 5011 initialization queries. The effect of this is that
- DNSSEC validation will fail if RFC 5011 key maintenance
- cannot be initialized: initialization problems will not be
- masked, but will be immediately visible. [RT #46077]
-
-
Previously, update-policy local; accepted
diff --git a/lib/dns/client.c b/lib/dns/client.c
index 9a8d9b3819..1d8269912e 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -1546,7 +1546,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
if (result != ISC_R_SUCCESS)
goto cleanup;
- result = dns_keytable_add2(secroots, ISC_FALSE, ISC_FALSE, &dstkey);
+ result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
cleanup:
if (dstkey != NULL)
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index ff88c8c680..62c55a9788 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -102,19 +102,10 @@ dns_keytable_detach(dns_keytable_t **keytablep);
isc_result_t
dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
- dst_key_t **keyp) ISC_DEPRECATED;
-isc_result_t
-dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed,
- isc_boolean_t initial, dst_key_t **keyp);
+ dst_key_t **keyp);
/*%<
* Add '*keyp' to 'keytable' (using the name in '*keyp').
- * The value of keynode->managed is set to 'managed', and the
- * value of keynode->initial is set to 'initial'. ('initial' should
- * be only used when adding managed-keys from configuration: this
- * indicates a secure root which can be *only* used for validating
- * RFC 5011 key refresh queries, but not for other DNSSEC validation.
- * Once a key refresh query has validated, we update the keynode
- * with inital == ISC_FALSE.)
+ * The value of keynode->managed is set to 'managed'
*
* Notes:
*
@@ -411,19 +402,6 @@ dns_keynode_managed(dns_keynode_t *keynode);
* Is this flagged as a managed key?
*/
-isc_boolean_t
-dns_keynode_initial(dns_keynode_t *keynode);
-/*%<
- * Is this flagged as an initializing key?
- */
-
-void
-dns_keynode_trust(dns_keynode_t *keynode);
-/*%<
- * Sets keynode->initial to ISC_FALSE in order mark the key as
- * trusted: no longer an initializing key.
- */
-
isc_result_t
dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
/*%<
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index 9c5e53d867..86324cf18b 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -47,7 +47,6 @@ struct dns_keynode {
isc_refcount_t refcount;
dst_key_t * key;
isc_boolean_t managed;
- isc_boolean_t initial;
struct dns_keynode * next;
};
@@ -166,7 +165,7 @@ dns_keytable_detach(dns_keytable_t **keytablep) {
}
static isc_result_t
-insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
+insert(dns_keytable_t *keytable, isc_boolean_t managed,
const dns_name_t *keyname, dst_key_t **keyp)
{
isc_result_t result;
@@ -181,7 +180,6 @@ insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
return (result);
knode->managed = managed;
- knode->initial = initial;
RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
@@ -235,21 +233,14 @@ insert(dns_keytable_t *keytable, isc_boolean_t managed, isc_boolean_t initial,
isc_result_t
dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
dst_key_t **keyp)
-{
- return (dns_keytable_add2(keytable, managed, ISC_FALSE, keyp));
-}
-
-isc_result_t
-dns_keytable_add2(dns_keytable_t *keytable, isc_boolean_t managed,
- isc_boolean_t initial, dst_key_t **keyp)
{
REQUIRE(keyp != NULL && *keyp != NULL);
- return (insert(keytable, managed, initial, dst_key_name(*keyp), keyp));
+ return (insert(keytable, managed, dst_key_name(*keyp), keyp));
}
isc_result_t
dns_keytable_marksecure(dns_keytable_t *keytable, const dns_name_t *name) {
- return (insert(keytable, ISC_TRUE, ISC_FALSE, name, NULL));
+ return (insert(keytable, ISC_TRUE, name, NULL));
}
isc_result_t
@@ -653,9 +644,8 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) {
if (knode->key == NULL)
continue;
dst_key_format(knode->key, pbuf, sizeof(pbuf));
- snprintf(obuf, sizeof(obuf), "%s ; %s%s\n", pbuf,
- knode->initial ? "initializing " : "",
- knode->managed ? "managed" : "trusted");
+ snprintf(obuf, sizeof(obuf), "%s ; %s\n", pbuf,
+ knode->managed ? "managed" : "trusted");
result = putstr(text, obuf);
if (result != ISC_R_SUCCESS)
break;
@@ -733,26 +723,6 @@ dns_keynode_managed(dns_keynode_t *keynode) {
return (keynode->managed);
}
-isc_boolean_t
-dns_keynode_initial(dns_keynode_t *keynode) {
- /*
- * Is this an initailizing key?
- */
- REQUIRE(VALID_KEYNODE(keynode));
-
- return (keynode->initial);
-}
-
-void
-dns_keynode_trust(dns_keynode_t *keynode) {
- /*
- * This is no longer an initializing key.
- */
- REQUIRE(VALID_KEYNODE(keynode));
-
- keynode->initial = ISC_FALSE;
-}
-
isc_result_t
dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
isc_result_t result;
@@ -766,7 +736,6 @@ dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
knode->magic = KEYNODE_MAGIC;
knode->managed = ISC_FALSE;
- knode->initial = ISC_FALSE;
knode->key = NULL;
knode->next = NULL;
diff --git a/lib/dns/tests/keytable_test.c b/lib/dns/tests/keytable_test.c
index 7f5c385082..52219b699c 100644
--- a/lib/dns/tests/keytable_test.c
+++ b/lib/dns/tests/keytable_test.c
@@ -126,7 +126,7 @@ create_tables() {
/* Add a normal key */
create_key(257, 3, 5, "example.com", keystr1, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
/* Add a null key */
@@ -185,7 +185,7 @@ ATF_TC_BODY(add, tc) {
* nextkeynode() should still return NOTFOUND.
*/
create_key(257, 3, 5, "example.com", keystr1, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode), ISC_R_NOTFOUND);
@@ -193,7 +193,7 @@ ATF_TC_BODY(add, tc) {
/* Add another key (different keydata) */
dns_keytable_detachkeynode(keytable, &keynode);
create_key(257, 3, 5, "example.com", keystr2, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
&keynode), ISC_R_SUCCESS);
@@ -209,7 +209,7 @@ ATF_TC_BODY(add, tc) {
ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
&null_keynode), ISC_R_SUCCESS);
create_key(257, 3, 5, "null.example", keystr2, &key);
- ATF_REQUIRE_EQ(dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key),
+ ATF_REQUIRE_EQ(dns_keytable_add(keytable, ISC_FALSE, &key),
ISC_R_SUCCESS);
ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
&keynode), ISC_R_SUCCESS);
@@ -523,7 +523,7 @@ ATF_TC_BODY(nta, tc) {
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
create_key(257, 3, 5, "example", keystr1, &key);
- result = dns_keytable_add2(keytable, ISC_FALSE, ISC_FALSE, &key);
+ result = dns_keytable_add(keytable, ISC_FALSE, &key);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
isc_stdtime_get(&now);
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index d0138b800d..db9d4baf0d 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1629,7 +1629,6 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
if (vresult == ISC_R_SUCCESS)
break;
if (val->keynode != NULL) {
- dst_key_t *key = NULL;
dns_keynode_t *nextnode = NULL;
result = dns_keytable_findnextkeynode(
val->keytable,
@@ -1642,13 +1641,9 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
val->key = NULL;
break;
}
- key = dns_keynode_key(val->keynode);
- if (key == NULL)
+ val->key = dns_keynode_key(val->keynode);
+ if (val->key == NULL)
break;
- if (dns_keynode_initial(val->keynode)) {
- continue;
- }
- val->key = key;
} else {
if (get_dst_key(val, val->siginfo, val->keyset)
!= ISC_R_SUCCESS)
@@ -1665,10 +1660,10 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
val->view->acceptexpired);
}
- if (val->keynode != NULL) {
+ if (val->keynode != NULL)
dns_keytable_detachkeynode(val->keytable,
&val->keynode);
- } else {
+ else {
if (val->key != NULL)
dst_key_free(&val->key);
if (val->keyset != NULL) {
@@ -2028,15 +2023,13 @@ validatezonekey(dns_validator_t *val) {
&keynode);
break;
}
- if (! dns_keynode_initial(keynode)) {
- result = verify(val, dstkey,
- &sigrdata, sig.keyid);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(
+ result = verify(val, dstkey, &sigrdata,
+ sig.keyid);
+ if (result == ISC_R_SUCCESS) {
+ dns_keytable_detachkeynode(
val->keytable,
&keynode);
- break;
- }
+ break;
}
result = dns_keytable_findnextkeynode(
val->keytable,
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 80d9481fed..4966de4cc3 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3934,8 +3934,7 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
*/
static void
trust_key(dns_zone_t *zone, dns_name_t *keyname,
- dns_rdata_dnskey_t *dnskey, isc_boolean_t initial,
- isc_mem_t *mctx)
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -3954,7 +3953,7 @@ trust_key(dns_zone_t *zone, dns_name_t *keyname,
goto failure;
CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
- CHECK(dns_keytable_add2(sr, ISC_TRUE, initial, &dstkey));
+ CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
dns_keytable_detach(&sr);
failure:
@@ -4040,8 +4039,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
/* Add to keytables. */
trusted++;
- trust_key(zone, name, &dnskey,
- ISC_TF(keydata.addhd == 0), mctx);
+ trust_key(zone, name, &dnskey, mctx);
}
if (trusted == 0 && pending != 0) {
@@ -4776,9 +4774,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
case dns_zone_key:
result = sync_keyzone(zone, db);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- }
break;
default:
@@ -4928,17 +4925,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
return (result);
cleanup:
- if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "failed to initialize managed-keys (%s): "
- "DNSSEC validation WILL FAIL",
- isc_result_totext(result));
- }
-
for (inc = ISC_LIST_HEAD(zone->newincludes);
inc != NULL;
- inc = ISC_LIST_HEAD(zone->newincludes))
- {
+ inc = ISC_LIST_HEAD(zone->newincludes)) {
ISC_LIST_UNLINK(zone->newincludes, inc, link);
isc_mem_free(zone->mctx, inc->name);
isc_mem_put(zone->mctx, inc, sizeof(*inc));
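Review bot: After this hunk the `cleanup:` path of zone_postload reports nothing when a `dns_zone_key` zone fails to load, and the later keyfetch_done hunk likewise empties its `failure:` path. The removed wording ("DNSSEC validation WILL FAIL") no longer fits, but an operator still needs to learn that managed-keys maintenance did not start, because the validator hunks in this commit no longer skip the configured keys. A neutral message under the same `zone->type == dns_zone_key && result != ISC_R_SUCCESS` test would keep that visible, e.g. `dns_zone_log(zone, ISC_LOG_ERROR, "failed to initialize managed-keys (%s)", isc_result_totext(result));`. Any logging inside sync_keyzone is outside the hunk.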
@@ -9099,7 +9088,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dst_key_t *dstkey;
isc_stdtime_t now;
int pending = 0;
- isc_boolean_t secure = ISC_FALSE, initial = ISC_FALSE;
+ isc_boolean_t secure = ISC_FALSE;
isc_boolean_t free_needed;
UNUSED(task);
@@ -9176,8 +9165,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
*/
for (result = dns_rdataset_first(&kfetch->dnskeysigset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&kfetch->dnskeysigset))
- {
+ result = dns_rdataset_next(&kfetch->dnskeysigset)) {
dns_keynode_t *keynode = NULL;
dns_rdata_reset(&sigrr);
@@ -9196,8 +9184,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
break;
if (dst_key_alg(dstkey) == sig.algorithm &&
- dst_key_id(dstkey) == sig.keyid)
- {
+ dst_key_id(dstkey) == sig.keyid) {
result = dns_dnssec_verify2(keyname,
&kfetch->dnskeyset,
dstkey, ISC_FALSE,
@@ -9215,9 +9202,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dns_trust_secure;
kfetch->dnskeysigset.trust =
dns_trust_secure;
- secure = ISC_TRUE;
- initial = dns_keynode_initial(keynode);
- dns_keynode_trust(keynode);
break;
}
}
@@ -9228,11 +9212,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
keynode = nextnode;
}
- if (keynode != NULL) {
+ if (keynode != NULL)
dns_keytable_detachkeynode(secroots, &keynode);
- }
- if (secure) {
+ if (kfetch->dnskeyset.trust == dns_trust_secure) {
+ secure = ISC_TRUE;
break;
}
}
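Review bot: `secure` is now derived from `kfetch->dnskeyset.trust == dns_trust_secure` instead of being set next to the successful `dns_dnssec_verify2()` call, so it is only correct if the rdataset can never arrive here already marked secure. How the fetch is issued and what trust it assigns is outside the hunk, so this cannot be confirmed from the diff. A short comment stating the invariant would help, e.g. `/* trust is raised to dns_trust_secure only by the verification loop above */`. Alternatively, set `secure = ISC_TRUE` where the trust fields are assigned.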
@@ -9241,6 +9225,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
* If we were not able to verify the answer using the current
* trusted keys then all we can do is look at any revoked keys.
*/
+
if (!secure) {
dns_zone_log(zone, ISC_LOG_DEBUG(3),
"DNSKEY set for zone '%s' could not be verified "
@@ -9480,13 +9465,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
trustkey = ISC_TRUE;
dns_zone_log(zone, ISC_LOG_INFO,
"Key %d for zone %s "
- "%s: key now trusted",
- keytag, namebuf,
- initial
- ? "initializing key "
- "verified"
- : "acceptance timer "
- "complete");
+ "acceptance timer "
+ "complete: "
+ "key now trusted",
+ keytag, namebuf);
}
} else if (keydata.addhd > now) {
/*
@@ -9585,7 +9567,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
/* Trust this key. */
result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- trust_key(zone, keyname, &dnskey, ISC_FALSE, mctx);
+ trust_key(zone, keyname, &dnskey, mctx);
}
if (secure && !deletekey) {
@@ -9607,6 +9589,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
fail_secure(zone, keyname);
done:
+
if (!ISC_LIST_EMPTY(diff.tuples)) {
/* Write changes to journal file. */
CHECK(update_soa_serial(kfetch->db, ver, &diff, mctx,
@@ -9619,12 +9602,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
}
failure:
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "error during managed-keys processing (%s): "
- "DNSSEC validation may be at risk",
- isc_result_totext(result));
- }
+
dns_diff_clear(&diff);
if (ver != NULL)
dns_db_closeversion(kfetch->db, &ver, commit);
@@ -9734,7 +9712,7 @@ zone_refreshkeys(dns_zone_t *zone) {
}
/* Acceptance timer expired? */
- if (kd.addhd < now)
+ if (kd.addhd != 0 && kd.addhd < now)
timer = kd.addhd;
/* Or do we just need to refresh the keyset? */