3632. [bug] Signature from newly inactive keys were not being

removed. [RT #32178]
2025-08-23 02:28:55 +00:00 · 2013-08-15 10:48:05 +10:00 · 2013-08-15 10:48:05 +10:00 · 7ace327795
commit 7ace327795
parent 5f630b9417
14 changed files with 147 additions and 14 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
 3632.	[bug]		Signature from newly inactive keys were not being
 			removed. [RT #32178]
 3631.	[bug]		Remove spurious warning about missing signatures when
 			qtype is SIG. [RT #34600]
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@ -319,11 +319,35 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
 	isc_result_t result;
 	const char *orig = str;
 	char *endp;
 	int n;
 	if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
 		return ((isc_stdtime_t) 0);
-	if (strncmp(str, "now", 3) == 0) {
+	/*
 	 * We accept times in the following formats:
 	 *   now([+-]offset)
 	 *   YYYYMMDD([+-]offset)
 	 *   YYYYMMDDhhmmss([+-]offset)
 	 *   [+-]offset
 	 */
 	n = strspn(str, "0123456789");
 	if ((n == 8 || n == 14) &&
 	    (str[n] == '\0' || str[n] == '-' || str[n] == '+'))
 	{
 		char timestr[15];
 		strlcpy(timestr, str, sizeof(timestr));
 		timestr[n] = 0;
 		if (n == 8)
 			strlcat(timestr, "000000", sizeof(timestr));
 		result = dns_time64_fromtext(timestr, &val);
 		if (result != ISC_R_SUCCESS)
 			fatal("time value %s is invalid: %s", orig,
 			      isc_result_totext(result));
 		base = val;
 		str += n;
 	} else if (strncmp(str, "now", 3) == 0) {
 		base = now;
 		str += 3;
 	}
@ -338,18 +362,7 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
 		offset = strtol(str + 1, &endp, 0);
 		offset = time_units((isc_stdtime_t) offset, endp, orig);
 		val = base - offset;
 	} else if (strlen(str) == 8U) {
 		char timestr[15];
 		sprintf(timestr, "%s000000", str);
 		result = dns_time64_fromtext(timestr, &val);
 		if (result != ISC_R_SUCCESS)
 			fatal("time value %s is invalid: %s", orig,
 			      isc_result_totext(result));
 	} else if (strlen(str) > 14U) {
 		fatal("time value %s is invalid", orig);
 	} else {
 		result = dns_time64_fromtext(str, &val);
 		if (result != ISC_R_SUCCESS)
 			fatal("time value %s is invalid: %s", orig,
 			      isc_result_totext(result));
 	}
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@ -56,6 +56,7 @@ rm -f ns4/named.conf
 rm -f ns4/managed-keys.bind*
 rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/secure.below-cname.example.db
 rm -f ns3/publish-inactive.example.db
 rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
 rm -f signer/nsec3param.out
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@ -33,6 +33,7 @@ options {
 	notify yes;
 	dnssec-enable yes;
 	dnssec-validation yes;
 	session-keyfile "session.key";
 };
 key rndc_key {
@ -262,4 +263,11 @@ zone "inline.example" {
        auto-dnssec maintain;
 };
 zone "publish-inactive.example" {
 	type master;
 	file "publish-inactive.example.db";
 	auto-dnssec maintain;
 	update-policy local;
 };
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
+++ b/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
@ -0,0 +1,31 @@
 ; Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
 ; copyright notice and this permission notice appear in all copies.
 ;
 ; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 ; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 ; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 ; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 ; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 ; $Id: insecure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $
 $TTL 300	; 5 minutes
@			IN SOA	mname1. . (
 				2000042407 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
 				1814400    ; expire (3 weeks)
 				3600       ; minimum (1 hour)
 				)
 			NS	ns
 ns			A	10.53.0.3
 a			A	10.0.0.1
 b			A	10.0.0.2
 d			A	10.0.0.4
 z			A	10.0.0.26
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@ -437,3 +437,17 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
 zone=inline.example.
 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 #
 # publish a new key while deactivating another key at the same time.
 #
 zone=publish-inactive.example
 infile=publish-inactive.example.db.in
 zonefile=publish-inactive.example.db
 now=`date -u +%Y%m%d%H%M%S`
 kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
 kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -2295,5 +2295,25 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
 ret=0
 cnt=0
 while :
 do
 $DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
 keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l`
 test $keys -gt 2 && break
 cnt=`expr $cnt + 1`
 test $cnt -gt 120 && break
 sleep 1
 done
 test $keys -gt 2 || ret=1
 sigs=`grep RRSIG dig.out.ns3.test$n | wc -l`
 sigs=`expr $sigs + 0`
 n=`expr $n + 1`
 test $sigs -eq 2 || ret=1
 if test $ret != 0 ; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:exit status: $status"
 exit $status
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@ -764,6 +764,7 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 		 * If a key is marked inactive, skip it
 		 */
 		if (!key_active(keys[count], now)) {
 			dst_key_setinactive(pubkey, ISC_TRUE);
 			dst_key_free(&keys[count]);
 			keys[count] = pubkey;
 			pubkey = NULL;
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@ -1354,10 +1354,27 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 		key->times[i] = 0;
 		key->timeset[i] = ISC_FALSE;
 	}
 	key->inactive = ISC_FALSE;
 	key->magic = KEY_MAGIC;
 	return (key);
 }
 isc_boolean_t
 dst_key_inactive(const dst_key_t *key) {
 	REQUIRE(VALID_KEY(key));
 	return (key->inactive);
 }
 void
 dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive) {
 	REQUIRE(VALID_KEY(key));
 	key->inactive = inactive;
 }
 /*%
 * Reads a public key from disk
 */
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@ -126,6 +126,8 @@ struct dst_key {
 	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< data set? */
 	isc_stdtime_t	nums[DST_MAX_NUMERIC + 1];   /*%< numeric metadata */
 	isc_boolean_t	numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
 	isc_boolean_t 	inactive;      /*%< private key not present as it is
 					    inactive */
 	int		fmt_major;     /*%< private key format, major version */
 	int		fmt_minor;     /*%< private key format, minor version */
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@ -935,6 +935,23 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
 		unsigned int protocol, dns_rdataclass_t rdclass,
 		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
 isc_boolean_t
 dst_key_inactive(const dst_key_t *key);
 /*%<
 * Determines if the private key is missing due the key being deemed inactive.
 *
 * Requires:
 *	'key' to be valid.
 */
 void
 dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive);
 /*%<
 * Set key inactive state.
 *
 * Requires:
 *	'key' to be valid.
 */
 ISC_LANG_ENDDECLS
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@ -1211,7 +1211,9 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		for (i = 0; i < nkeys; i++) {
 			if (rrsig.keyid == dst_key_id(keys[i])) {
 				found = ISC_TRUE;
-				if (!dst_key_isprivate(keys[i])) {
+				if (!dst_key_isprivate(keys[i]) &&
 				    !dst_key_inactive(keys[i]))
 				{
 					/*
 					 * The re-signing code in zone.c
 					 * will mark this as offline.
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@ -1062,6 +1062,7 @@ dst_key_getprivateformat
 dst_key_gettime
 dst_key_getttl
 dst_key_id
 dst_key_inactive
 dst_key_isnullkey
 dst_key_isprivate
 dst_key_iszonekey
@ -1074,6 +1075,7 @@ dst_key_rid
 dst_key_secretsize
 dst_key_setbits
 dst_key_setflags
 dst_key_setinactive
 dst_key_setprivateformat
 dst_key_settime
 dst_key_setttl
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -5755,7 +5755,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 				 * We want the earliest offline expire time
 				 * iff there is a new offline signature.
 				 */
-				if (!dst_key_isprivate(keys[i])) {
+				if (!dst_key_inactive(keys[i]) &&
 				    !dst_key_isprivate(keys[i]))
 				{
 					isc_int64_t timeexpire =
 					   dns_time64_from32(rrsig.timeexpire);
 					if (warn != 0 && warn > timeexpire)