mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

Merge branch '3662-extend-mkeys-system-test-to-handle-islands-of-trust' into 'main'

Browse Source 
Resolve "Extend mkeys system test to handle islands of trust"

Closes #3662

See merge request isc-projects/bind9!7049
This commit is contained in:
Mark Andrews
2023-02-13 23:32:05 +00:00
parent 2f54ba3977 2928f21733
commit b274d388f1
17 changed files with 235 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
6095. [test] Test various 'islands of trust' configurations when
using managed keys. [GL #3662]
6094. [bug] Building against (or running with) libuv versions 6094. [bug] Building against (or running with) libuv versions
1.35.0 and 1.36.0 is now a fatal error. The rules for 1.35.0 and 1.36.0 is now a fatal error. The rules for
mixing and matching compile-time and run-time libuv mixing and matching compile-time and run-time libuv

9
bin/tests/system/mkeys/clean.sh
View File

@@ -12,17 +12,22 @@
# information regarding copyright ownership. # information regarding copyright ownership.
rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
rm -f */island.conf
rm -f */private.conf
rm -f */managed*.conf ns1/managed.key ns1/managed.key.id rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
rm -f */managed-keys.bind* */named.secroots rm -f */managed-keys.bind* */named.secroots
rm -f */named.conf rm -f */named.conf
rm -f ns3/broken.conf
rm -f */named.memstats */named.run */named.run.prev rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-. rm -f dsset-. ns1/dsset-.
rm -f ns1/zone.key
rm -f ns*/managed-keys.bind* rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock rm -f ns*/named.lock
rm -f ns1/dsset-sub.tld.
rm -f ns1/dsset-tld.
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns1/zone.key
rm -f ns3/broken.conf
rm -f ns4/dsset-sub.foo.
rm -f ns5/named.args rm -f ns5/named.args
rm -f ns7/view1.mkeys ns7/view2.mkeys rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope rm -rf ns4/nope

10
bin/tests/system/mkeys/ns1/named1.conf.in
View File

@@ -47,3 +47,13 @@ zone "." {
allow-update { any; }; allow-update { any; };
auto-dnssec maintain; auto-dnssec maintain;
}; };
zone "tld" {
type primary;
file "tld.db.signed";
};
zone "sub.tld" {
type primary;
file "sub.tld.db.signed";
};

10
bin/tests/system/mkeys/ns1/named2.conf.in
View File

@@ -45,3 +45,13 @@ zone "." {
type primary; type primary;
file "root.db.signed"; file "root.db.signed";
}; };
zone "tld" {
type primary;
file "tld.db.signed";
};
zone "sub.tld" {
type primary;
file "sub.tld.db.signed";
};

10
bin/tests/system/mkeys/ns1/named3.conf.in
View File

@@ -39,3 +39,13 @@ zone "." {
type primary; type primary;
file "root.db.signed"; file "root.db.signed";
}; };
zone "tld" {
type primary;
file "tld.db.signed";
};
zone "sub.tld" {
type primary;
file "sub.tld.db.signed";
};

3
bin/tests/system/mkeys/ns1/root.db
View File

@@ -23,3 +23,6 @@ a.root-servers.nil. A 10.53.0.1
; no delegation ; no delegation
example. TXT "This is a test." example. TXT "This is a test."
tld. NS ns.tld.
ns.tld. A 10.53.0.1

18
bin/tests/system/mkeys/ns1/sign.sh
View File

@@ -13,6 +13,24 @@
. ../../conf.sh . ../../conf.sh
zone=sub.tld
zonefile=sub.tld.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
keyfile_to_initial_ds $keyname > island.conf
cp island.conf ../ns5/island.conf
zone=tld
zonefile=tld.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
zone=. zone=.
zonefile=root.db zonefile=root.db

21
bin/tests/system/mkeys/ns1/sub.tld.db Normal file
View File

@@ -0,0 +1,21 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
sub.tld. IN SOA marka.isc.org. ns.sub.tld. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
sub.tld. NS ns.sub.tld.
ns.sub.tld. A 10.53.0.1

23
bin/tests/system/mkeys/ns1/tld.db Normal file
View File

@@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
tld. IN SOA marka.isc.org. ns.tld. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
tld. NS ns.tld.
ns.tld. A 10.53.0.1
sub.tld. NS ns.sub.tld.
ns.sub.tld. A 10.53.0.1

5
bin/tests/system/mkeys/ns4/named.conf.in
View File

@@ -41,3 +41,8 @@ zone "." {
type hint; type hint;
file "../../common/root.hint"; file "../../common/root.hint";
}; };
zone "sub.foo" {
type primary;
file "sub.foo.db.signed";
};

24
bin/tests/system/mkeys/ns4/sign.sh Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../../conf.sh
zone=sub.foo
zonefile=sub.foo.db
keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
keyfile_to_initial_ds $keyname > private.conf
cp private.conf ../ns5/private.conf

21
bin/tests/system/mkeys/ns4/sub.foo.db Normal file
View File

@@ -0,0 +1,21 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
sub.foo. IN SOA marka.isc.org. ns.foo. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
sub.foo. NS ns.sub.foo.
ns.sub.foo. A 10.53.0.4

23
bin/tests/system/mkeys/ns5/foo.db Normal file
View File

@@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 20
foo. IN SOA marka.isc.org. ns.foo. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
foo. NS ns.foo.
ns.foo. A 10.53.0.5
sub.foo. NS ns.sub.foo.
ns.sub.foo. A 10.53.0.4

8
bin/tests/system/mkeys/ns5/named.conf.in
View File

@@ -41,3 +41,11 @@ zone "." {
type hint; type hint;
file "../../common/root.hint"; file "../../common/root.hint";
}; };
zone "foo" {
type primary;
file "foo.db";
};
include "island.conf";
include "private.conf";

1
bin/tests/system/mkeys/setup.sh
View File

@@ -31,6 +31,7 @@ copy_setports ns7/named.conf.in ns7/named.conf
cp ns5/named1.args ns5/named.args cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh ) ( cd ns1 && $SHELL sign.sh )
( cd ns4 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh ) ( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf cp ns2/managed.conf ns2/managed1.conf

46
bin/tests/system/mkeys/tests.sh
View File

@@ -722,7 +722,9 @@ ret=0
stop_server --use-rndc --port "${CONTROLPORT}" ns5 stop_server --use-rndc --port "${CONTROLPORT}" ns5
nextpart ns5/named.run > /dev/null nextpart ns5/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns5 start_server --noclean --restart --port "${PORT}" ns5
wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1
# ns5/named.run will contain logs from both the old instance and the new # ns5/named.run will contain logs from both the old instance and the new
# instance. In order for the test to pass, both must attempt a fetch. # instance. In order for the test to pass, both must attempt a fetch.
count=$(grep -c "Creating key fetch" ns5/named.run) || true count=$(grep -c "Creating key fetch" ns5/named.run) || true
@@ -730,6 +732,23 @@ count=$(grep -c "Creating key fetch" ns5/named.run) || true
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret)) status=$((status+ret))
n=$((n+1))
echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
ret=0
mkeys_sync_on 5
mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
# there should be three keys listed now
count=$(grep -c "keyid: " rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# three lines indicating trust status
count=$(grep -c "trust" rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# one indicates current trust
count=$(grep -c "trusted since" rndc.out.$n) || true
[ "$count" -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1)) n=$((n+1))
echo_i "check key refreshes are resumed after root servers become available ($n)" echo_i "check key refreshes are resumed after root servers become available ($n)"
ret=0 ret=0
@@ -741,7 +760,9 @@ rm -f ns5/managed-keys.bind*
cp ns5/named2.args ns5/named.args cp ns5/named2.args ns5/named.args
nextpart ns5/named.run > /dev/null nextpart ns5/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns5 start_server --noclean --restart --port "${PORT}" ns5
wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
mkeys_secroots_on 5 || ret=1 mkeys_secroots_on 5 || ret=1
grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
# ns1 should still REFUSE queries from ns5, so resolving should be impossible # ns1 should still REFUSE queries from ns5, so resolving should be impossible
@@ -754,7 +775,9 @@ copy_setports ns1/named3.conf.in ns1/named.conf
rm -f ns1/root.db.signed.jnl rm -f ns1/root.db.signed.jnl
nextpart ns5/named.run > /dev/null nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1 || ret=1 mkeys_reconfig_on 1 || ret=1
wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
mkeys_secroots_on 5 || ret=1 mkeys_secroots_on 5 || ret=1
grep '; managed' ns5/named.secroots > /dev/null || ret=1 grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be # ns1 should not longer REFUSE queries from ns5, so managed keys should be
@@ -835,5 +858,22 @@ grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret)) status=$((status+ret))
n=$((n+1))
echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
ret=0
mkeys_sync_on 5
mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
# there should be three keys listed now
count=$(grep -c "keyid: " rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# theee lines indicating trust status
count=$(grep -c "trust" rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
# three indicates current trust
count=$(grep -c "trusted since" rndc.out.$n) || true
[ "$count" -eq 3 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1

7
lib/dns/zone.c
View File

@@ -10642,6 +10642,11 @@ retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) {
isc_time_t timenow, timethen; isc_time_t timenow, timethen;
dns_zone_t *zone = kfetch->zone; dns_zone_t *zone = kfetch->zone;
bool free_needed; bool free_needed;
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(kname, namebuf, sizeof(namebuf));
dnssec_log(zone, ISC_LOG_WARNING,
"Failed to create fetch for %s DNSKEY update", namebuf);
/* /*
* Error during a key fetch; cancel and retry in an hour. * Error during a key fetch; cancel and retry in an hour.
@@ -10653,8 +10658,6 @@ retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) {
dns_rdataset_disassociate(&kfetch->keydataset); dns_rdataset_disassociate(&kfetch->keydataset);
dns_name_free(kname, zone->mctx); dns_name_free(kname, zone->mctx);
isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch)); isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch));
dnssec_log(zone, ISC_LOG_WARNING,
"Failed to create fetch for DNSKEY update");
if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
/* Don't really retry if we are exiting */ /* Don't really retry if we are exiting */