1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.

[RT #15465]
2025-08-29 13:38:26 +00:00 · 2006-01-05 03:14:33 +00:00 · 2006-01-05 03:14:33 +00:00 · 6eb8591f00
commit 6eb8591f00
parent a1bc941093
2 changed files with 28 additions and 6 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+1960.	[bug]		Update code should set NSEC ttls from SOA MINIMUM.
+			[RT #15465]
+
 1959.	[func]		Control the zeroing of the negative response TTL to
 			a soa query.  Defaults "zero-no-soa-ttl yes;" and
 			"zero-no-soa-ttl-cache no;". [RT #15460]
--- a/bin/named/update.c
+++ b/bin/named/update.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: update.c,v 1.125 2005/10/07 04:03:24 marka Exp $ */
+/* $Id: update.c,v 1.126 2006/01/05 03:14:33 marka Exp $ */

 #include <config.h>

@ -1519,7 +1519,8 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 */
 static isc_result_t
 add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
-	dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff)
+	 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
+	 dns_diff_t *diff)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@ -1554,8 +1555,7 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	 * Add the new NSEC and record the change.
 	 */
 	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
-				   3600,	/* XXXRTH */
-				   &rdata, &tuple));
+				   nsecttl, &rdata, &tuple));
 	CHECK(do_one_tuple(&tuple, db, ver, diff));
 	INSIST(tuple == NULL);

@ -1680,6 +1680,11 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	unsigned int nkeys = 0;
 	unsigned int i;
 	isc_stdtime_t now, inception, expire;
+	dns_ttl_t nsecttl;
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;

 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
@ -1700,6 +1705,20 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	inception = now - 3600; /* Allow for some clock skew. */
 	expire = now + sigvalidityinterval;

+	/*
+	 * Get the NSEC's TTL from the SOA MINIMUM field.
+	 */
+	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
+                                  (isc_stdtime_t) 0, &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	dns_rdataset_current(&rdataset, &rdata);
+	CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+	nsecttl = soa.minimum;
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+
 	/*
 	 * Find all RRsets directly affected by the update, and
 	 * update their RRSIGs.  Also build a list of names affected
@ -1903,8 +1922,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			 * there is other data, and if there is other data,
 			 * there are other RRSIGs.
 			 */
-			CHECK(add_nsec(client, zone, db, newver,
-				      &t->name, &nsec_diff));
+			CHECK(add_nsec(client, zone, db, newver, &t->name,
+				       nsecttl, &nsec_diff));
 		}
 	}