3020. [bug] auto-dnssec failed to correctly update the zone when changing the DNSKEY RRset. [RT #23232]

CHANGES

@@ -1,3 +1,6 @@
+3020.	[bug]		auto-dnssec failed to correctly update the zone when
+			changing the DNSKEY RRset. [RT #23232]
+
 3019.	[func]		Test: check apex NSEC3 records after adding DNSKEY
 			record via UPDATE. [RT #23229]
 

bin/tests/system/dnssec/ns2/example.db.in

@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db.in,v 1.25 2011/02/14 23:53:43 marka Exp $
+; $Id: example.db.in,v 1.26 2011/02/15 22:02:36 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -110,3 +110,9 @@ ns.kskonly		A	10.53.0.3
 
 update-nsec3		NS	ns.update-nsec3
 ns.update-nsec3		A	10.53.0.3
+
+auto-nsec		NS	ns.auto-nsec
+ns.auto-nsec		A	10.53.0.3
+
+auto-nsec3		NS	ns.auto-nsec3
+ns.auto-nsec3		A	10.53.0.3

bin/tests/system/dnssec/ns2/sign.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.42 2011/02/14 23:53:44 marka Exp $
+# $Id: sign.sh,v 1.43 2011/02/15 22:02:36 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -31,7 +31,8 @@ zonefile=example.db
 ( cd ../ns3 && sh sign.sh )
 
 for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
-    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3
+    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
+    auto-nsec auto-nsec3 
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done

bin/tests/system/dnssec/ns3/auto-nsec.example.db.in

@@ -0,0 +1,45 @@
+; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: auto-nsec.example.db.in,v 1.2 2011/02/15 22:02:36 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29

bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in

@@ -0,0 +1,45 @@
+; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: auto-nsec3.example.db.in,v 1.2 2011/02/15 22:02:36 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
+
+private			NS	ns.private
+ns.private		A	10.53.0.2
+
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.2
+
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29

bin/tests/system/dnssec/ns3/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.41 2011/02/14 23:53:44 marka Exp $ */
+/* $Id: named.conf,v 1.42 2011/02/15 22:02:36 marka Exp $ */
 
 // NS3
 
@@ -178,4 +178,18 @@ zone "update-nsec3.example" {
 	file "update-nsec3.example.db.signed";
 };
 
+zone "auto-nsec.example" {
+	type master;
+	auto-dnssec maintain;
+	allow-update { !0.0.0.0; };
+	file "auto-nsec.example.db.signed";
+};
+
+zone "auto-nsec3.example" {
+	type master;
+	auto-dnssec maintain;
+	allow-update { !0.0.0.0; };
+	file "auto-nsec3.example.db.signed";
+};
+
 include "trusted.conf";

bin/tests/system/dnssec/ns3/sign.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.35 2011/02/14 23:53:44 marka Exp $
+# $Id: sign.sh,v 1.36 2011/02/15 22:02:36 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -285,3 +285,33 @@ kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
 $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A NSEC signed zone that will have auto-dnssec enabled and
+# extra keys not in the initial signed zone.
+#
+zone=auto-nsec.example.
+infile=auto-nsec.example.db.in
+zonefile=auto-nsec.example.db
+
+kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A NSEC3 signed zone that will have auto-dnssec enabled and
+# extra keys not in the initial signed zone.
+#
+zone=auto-nsec3.example.
+infile=auto-nsec3.example.db.in
+zonefile=auto-nsec3.example.db
+
+kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1

bin/tests/system/dnssec/setup.sh

@@ -15,7 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.19 2011/01/04 23:47:13 tbox Exp $
+# $Id: setup.sh,v 1.20 2011/02/15 22:02:36 marka Exp $
+
+sh clean.sh 
 
 ../../../tools/genrandom 400 random.data
 

bin/tests/system/dnssec/tests.sh

@@ -15,13 +15,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.75 2011/02/14 23:53:43 marka Exp $
+# $Id: tests.sh,v 1.76 2011/02/15 22:02:36 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 status=0
-n=0
+n=1
 
 rm -f dig.out.*
 
@@ -1135,5 +1135,25 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC[^3].* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+grep "IN.NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.584 2011/02/07 00:10:36 marka Exp $ */
+/* $Id: zone.c,v 1.585 2011/02/15 22:02:36 marka Exp $ */
 
 /*! \file */
 
@@ -13649,7 +13649,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 
 static isc_result_t
 sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	  dns_rdatatype_t type, dns_diff_t *diff)
+	  dns_diff_t *diff, dns_diff_t *sig_diff)
 {
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire;
@@ -13673,23 +13673,15 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
 
-	result = del_sigs(zone, db, ver, &zone->origin, type, diff,
+	result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
-			  zone_keys, nkeys, now);
+			     inception, soaexpire, now, check_ksk,
-	if (result != ISC_R_SUCCESS) {
+			     keyset_kskonly, sig_diff);
-		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "sign_apex:del_sigs -> %s\n",
-			     dns_result_totext(result));
-		goto failure;
-	}
-
-	result = add_sigs(db, ver, &zone->origin, type, diff, zone_keys,
-			  nkeys, zone->mctx, inception, soaexpire,
-			  check_ksk, keyset_kskonly);
 
 	if (result != ISC_R_SUCCESS)
-		dns_zone_log(zone, ISC_LOG_ERROR, "sign_apex:add_sigs -> %s\n",
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "sign_apex:update_sigs -> %s\n",
 			     dns_result_totext(result));
- failure:
+
 	for (i = 0; i < nkeys; i++)
 		dst_key_free(&zone_keys[i]);
 	return (result);
@@ -13804,6 +13796,26 @@ signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
 	return (ISC_FALSE);
 }
 
+static isc_result_t
+add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	   dns_diff_t *diff)
+{
+	dns_name_t *origin;
+	isc_boolean_t build_nsec3;
+	isc_result_t result;
+
+	origin = dns_db_origin(db);
+	CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
+				 &build_nsec3));
+	if (build_nsec3)
+		CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
+					   ISC_FALSE, zone->privatetype, diff));
+	CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
+
+ failure:
+	return (result);
+}
+
 static void
 zone_rekey(dns_zone_t *zone) {
 	isc_result_t result;
@@ -13813,7 +13825,7 @@ zone_rekey(dns_zone_t *zone) {
 	dns_rdataset_t soaset, soasigs, keyset, keysigs;
 	dns_dnsseckeylist_t dnskeys, keys, rmkeys;
 	dns_dnsseckey_t *key;
-	dns_diff_t diff;
+	dns_diff_t diff, sig_diff;
 	isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
 	isc_boolean_t fullsign;
 	dns_ttl_t ttl = 3600;
@@ -13836,6 +13848,7 @@ zone_rekey(dns_zone_t *zone) {
 	dir = dns_zone_getkeydirectory(zone);
 	mctx = zone->mctx;
 	dns_diff_init(mctx, &diff);
+	dns_diff_init(mctx, &sig_diff);
 
 	CHECK(dns_zone_getdb(zone, &db));
 	CHECK(dns_db_newversion(db, &ver));
@@ -13904,14 +13917,12 @@ zone_rekey(dns_zone_t *zone) {
 		    dnskey_sane(zone, db, ver, &diff)) {
 			CHECK(dns_diff_apply(&diff, db, ver));
 			CHECK(clean_nsec3param(zone, db, ver, &diff));
-			CHECK(sign_apex(zone, db, ver, dns_rdatatype_dnskey,
-					&diff));
 			CHECK(add_signing_records(db, zone->privatetype, ver,
 						  &diff));
 			CHECK(increment_soa_serial(db, ver, &diff, mctx));
-			CHECK(sign_apex(zone, db, ver, dns_rdatatype_soa,
+			CHECK(add_chains(zone, db, ver, &diff));
-					&diff));
+			CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
-			CHECK(zone_journal(zone, &diff, "zone_rekey"));
+			CHECK(zone_journal(zone, &sig_diff, "zone_rekey"));
 			commit = ISC_TRUE;
 		}
 	}
@@ -13936,7 +13947,7 @@ zone_rekey(dns_zone_t *zone) {
 		 * Has a new key become active?  If so, is it for
 		 * a new algorithm?
 		 */
-		for (tuple = ISC_LIST_HEAD(diff.tuples);
+		for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
 		     tuple != NULL;
 		     tuple = ISC_LIST_NEXT(tuple, link)) {
 			dns_rdata_dnskey_t dnskey;
@@ -14015,7 +14026,7 @@ zone_rekey(dns_zone_t *zone) {
 			 * the full zone, but only with the newly-added
 			 * keys.
 			 */
-			for (tuple = ISC_LIST_HEAD(diff.tuples);
+			for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
 			     tuple != NULL;
 			     tuple = ISC_LIST_NEXT(tuple, link)) {
 				dns_rdata_dnskey_t dnskey;
@@ -14056,7 +14067,7 @@ zone_rekey(dns_zone_t *zone) {
 		 * Cause the zone to add/delete NSEC3 chains for the
 		 * deferred NSEC3PARAM changes.
 		 */
-		for (tuple = ISC_LIST_HEAD(diff.tuples);
+		for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
 		     tuple != NULL;
 		     tuple = ISC_LIST_NEXT(tuple, link)) {
 			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -14129,6 +14140,7 @@ zone_rekey(dns_zone_t *zone) {
 
  failure:
 	dns_diff_clear(&diff);
+	dns_diff_clear(&sig_diff);
 
 	clear_keylist(&dnskeys, mctx);
 	clear_keylist(&keys, mctx);