From 99f6179191e583d23f3c5567d3c00b57b64eb52d Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 6 Feb 2012 21:33:50 +0000 Subject: [PATCH] 3277. [bug] Make sure automatic key maintenance is started when "auto-dnssec maintain" is turned on during "rndc reconfig". [RT #26805] --- CHANGES | 4 ++++ bin/named/server.c | 8 +++++++- bin/tests/system/autosign/clean.sh | 3 ++- bin/tests/system/autosign/ns3/keygen.sh | 11 ++++++++++- bin/tests/system/autosign/ns3/named.conf | 4 +++- bin/tests/system/autosign/tests.sh | 25 +++++++++++++++++++++++- 6 files changed, 50 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 421c29f1ad..483d8db322 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3277. [bug] Make sure automatic key maintenance is started + when "auto-dnssec maintain" is turned on during + "rndc reconfig". [RT #26805] + 3276. [bug] win32: isc_socket_dup is not implemented. [RT #27696] 3276. [bug] win32: ns_os_openfile failed to return NULL on diff --git a/bin/named/server.c b/bin/named/server.c index 056f67af13..c86808c3ae 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.644 2012/02/03 22:27:16 each Exp $ */ +/* $Id: server.c,v 1.645 2012/02/06 21:33:49 each Exp $ */ /*! \file */ @@ -3488,6 +3488,12 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, */ CHECK(dns_view_addzone(view, zone)); + /* + * Ensure that zone keys are reloaded on reconfig + */ + if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) + dns_zone_rekey(zone, ISC_FALSE); + cleanup: if (zone != NULL) dns_zone_detach(&zone); diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index d5cbe2a86c..08ebc08bfd 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh 
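Review bot: The comment above the new `dns_zone_rekey()` call says keys are reloaded "on reconfig", but the call runs on every pass through configure_zone() for any zone whose key options include DNS_ZONEKEY_MAINTAIN, so it presumably also fires at initial load and for a zone added at runtime; the comment should state the real scope, e.g. `/* Start automatic key maintenance for any zone configured with auto-dnssec maintain, so that turning the option on during a reconfig does not leave the zone without signing/rollover. */`. The ISC_FALSE argument is an unexplained boolean; what it selects is not visible in this hunk, and naming it in the same comment would help the next reader. Note that the call is reached only after `CHECK(dns_view_addzone(view, zone))` succeeds, since CHECK jumps to cleanup on failure, which looks intended but is worth a word in the comment. configure_zone() begins and ends outside this hunk.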
@@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.13 2011/10/30 23:05:13 each Exp $ +# $Id: clean.sh,v 1.14 2012/02/06 21:33:50 each Exp $ rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk rm -f active.key inact.key del.key unpub.key standby.key rev.key @@ -51,3 +51,4 @@ rm -f ns3/secure-to-insecure2.example.db rm -f ns3/nozsk.example.db ns3/inaczsk.example.db rm -f ns3/ttl*.db rm -f signing.out.* +rm -f ns3/*.nzf diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 8f82da7de2..44ed919feb 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: keygen.sh,v 1.13 2011/07/08 01:43:26 each Exp $ +# $Id: keygen.sh,v 1.14 2012/02/06 21:33:50 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -285,3 +285,12 @@ zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1 echo $zsk > ../inactivezsk.key $SETTIME -I now $zsk > /dev/null + +# +# A zone that is set to 'auto-dnssec maintain' during a recofnig +# +zone=reconf.example +zonefile="${zone}.db" +cp secure.example.db.in $zonefile +$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf index 34b1f3882b..b658826590 100644 --- a/bin/tests/system/autosign/ns3/named.conf +++ b/bin/tests/system/autosign/ns3/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.13 2011/07/08 01:43:26 each Exp $ */ +/* $Id: named.conf,v 1.14 2012/02/06 21:33:50 each Exp $ */ // NS3 
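Review bot: The new comment block in keygen.sh has a typo, "recofnig", and does not say that this zone is deliberately created without being signed so tests.sh can switch it to auto-dnssec via reconfig; suggest `# A zone that is switched to 'auto-dnssec maintain' during a reconfig` `# (keys are generated here but the zone is left unsigned on purpose)`. The two $KEYGEN invocations discard their output and are not checked; if key generation fails the reconfig test later reports a failure that is hard to trace back here, so `|| echo "I:keygen failed for $zone"` on each would make the failure mode visible.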
@@ -25,6 +25,7 @@ options { notify-source 10.53.0.3; transfer-source 10.53.0.3; port 5300; + session-keyfile "session.key"; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; @@ -33,6 +34,7 @@ options { dnssec-enable yes; dnssec-validation yes; dnssec-loadkeys-interval 10; + allow-new-zones yes; }; key rndc_key { diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index eb101526ec..0d4f953023 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.44 2012/02/02 23:47:33 tbox Exp $ +# $Id: tests.sh,v 1.45 2012/02/06 21:33:50 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -1116,5 +1116,28 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:test turning on auto-dnssec during reconfig ($n)" +ret=0 +# first create a zone that doesn't have auto-dnssec +rm -f ns3/*.nzf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/I:ns3 /' +rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l` +[ "$rekey_calls" = 0 ] || ret=1 +# ...then we add auto-dnssec and reconfigure +nzf=`ls ns3/*.nzf` +echo 'zone reconf.example { type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' > $nzf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /' +for i in 0 1 2 3 4 5 6 7 8 9; do + lret=0 + rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l` + [ "$rekey_calls" -gt 0 ] || lret=1 + if [ "$lret" = 0 ]; then break; fi + sleep 1 +done +n=`expr $n + 1` +if [ "$lret" != 0 ]; then ret=$lret; fi +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status
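Review bot: `allow-new-zones yes;` and `session-keyfile "session.key";` are added to the ns3 options block without any note tying them to the new tests.sh case, and allow-new-zones enables runtime zone addition through rndc for this server, which future readers may not expect in this fixture; suggest `// allow-new-zones and session-keyfile are needed by the "auto-dnssec during reconfig" test in tests.sh` next to the new lines.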
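Review bot: `nzf=\`ls ns3/*.nzf\`` in the new tests.sh case assumes `rndc addzone` produced exactly one .nzf file; if it produced none, $nzf is empty and the following `echo ... > $nzf` fails with a shell redirection error rather than a clean test failure, and if it produced several the redirect target is ambiguous. A guard such as `[ -n "$nzf" ] && [ -f "$nzf" ] || ret=1` before the echo, and skipping the reconfig when it fails, would keep the failure inside the test's own accounting. The test also rewrites the .nzf file by hand with a literal zone statement, which couples the test to the file's internal format; a comment saying so, e.g. `# overwrite the addzone record so reconfig sees auto-dnssec maintain`, would make the intent clear. Also, `lret` is only assigned inside the loop, so the `if [ "$lret" != 0 ]` check after it depends on the loop having run at least once, which holds for the fixed list but is fragile if the list is ever generated.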