From b5f4cc132e91afb1217f4aa79424793c0e11c09a Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 4 Sep 2013 13:45:00 +1000
Subject: [PATCH] 3641. [bug] Handle changes to sig-validity-interval settings better. [RT #34625]
---
 CHANGES | 3 +++
 bin/dnssec/dnssec-signzone.c | 5 ----
 bin/named/update.c | 1 -
 bin/tests/system/dnssec/clean.sh | 3 +++
 bin/tests/system/dnssec/ns3/named.conf | 2 ++
 .../dnssec/ns3/siginterval.example.db.in | 26 +++++++++++++++++++
 bin/tests/system/dnssec/ns3/siginterval1.conf | 7 +++++
 bin/tests/system/dnssec/ns3/siginterval2.conf | 7 +++++
 bin/tests/system/dnssec/ns3/sign.sh | 10 +++++++
 bin/tests/system/dnssec/setup.sh | 1 +
 bin/tests/system/dnssec/tests.sh | 14 ++++++++++
 lib/dns/diff.c | 9 -------
 lib/dns/journal.c | 1 -
 lib/dns/nsec3.c | 1 -
 lib/dns/update.c | 2 --
 lib/dns/zone.c | 26 ++++++++-----------
 16 files changed, 84 insertions(+), 34 deletions(-)
 create mode 100644 bin/tests/system/dnssec/ns3/siginterval.example.db.in
 create mode 100644 bin/tests/system/dnssec/ns3/siginterval1.conf
 create mode 100644 bin/tests/system/dnssec/ns3/siginterval2.conf
diff --git a/CHANGES b/CHANGES
index f58b51894d..8679c71d14 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3641. [bug] Handle changes to sig-validity-interval settings
+ better. [RT #34625]
+
 3640. [bug] ndots was not being checked when searching. Only continue searching on NXDOMAIN responses. Add the ability to specify ndots to nslookup. [RT #34711]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 380b6b10c6..599855e0f9 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -950,7 +950,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 result = dns_db_newversion(db, &ver);
 check_result(result, "dns_db_newversion");
 dns_diff_init(mctx, &diff);
- diff.resign = cycle;
 for (result = dns_rdataset_first(&keyset);
 result == ISC_R_SUCCESS;
@@ -1038,7 +1037,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 */
 dns_diff_init(mctx, &del);
 dns_diff_init(mctx, &add);
- del.resign = add.resign = cycle;
 rdsiter = NULL;
 result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
 check_result(result, "dns_db_allrdatasets()");
@@ -2084,7 +2082,6 @@ remove_duplicates(void) {
 dns_name_t *name;
 dns_diff_init(mctx, &diff);
- diff.resign = cycle;
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
 dns_rdataset_init(&rdataset);
@@ -2555,7 +2552,6 @@ build_final_keylist() {
 check_result(result, "dns_db_newversion");
 dns_diff_init(mctx, &diff);
- diff.resign = cycle;
 /*
 * Update keylist with information from from the key repository.
@@ -2763,7 +2759,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 strcat(filename, namestr);
 dns_diff_init(mctx, &diff);
- diff.resign = cycle;
 if (type == dns_rdatatype_dlv) {
 dns_name_t tname;
diff --git a/bin/named/update.c b/bin/named/update.c
index 30dfcce19c..b522f59991 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -404,7 +404,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
 * Create a singleton diff.
 */
 dns_diff_init(diff->mctx, &temp_diff);
- temp_diff.resign = diff->resign;
 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
 /*
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 615a8dd545..388f5b48aa 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -63,6 +63,7 @@ rm -f signer/nsec3param.out
 rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
 rm -f ns3/ttlpatch.example.db.patched
 rm -f ns3/split-smart.example.db
+rm -f ns3/siginterval.example.db
 rm -f ns3/inline.example.db.signed
 rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
 rm -f ns6/optout-tld.db
@@ -70,3 +71,5 @@ rm -f nosign.before
 rm -f signing.out*
 rm -f canonical?.*
 rm -f ns1/resolve.key
+rm -f ns3/siginterval.conf
+rm -f ns4/named_dump.db
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index e745a7525f..d87a452fca 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -270,4 +270,6 @@ zone "publish-inactive.example" {
 update-policy local;
 };
+include "siginterval.conf";
+
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
new file mode 100644
index 0000000000..52202fb31b
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval.example.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2012042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns
+ns A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf
new file mode 100644
index 0000000000..45d449db76
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval1.conf
@@ -0,0 +1,7 @@
+zone "siginterval.example" {
+ type master;
+ allow-update { any; };
+ sig-validity-interval 1 23;
+ auto-dnssec maintain;
+ file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf
new file mode 100644
index 0000000000..996aa62403
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval2.conf
@@ -0,0 +1,7 @@
+zone "siginterval.example" {
+ type master;
+ allow-update { any; };
+ sig-validity-interval 35 28;
+ auto-dnssec maintain;
+ file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 24b0fed7dd..d5ec859519 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -451,3 +451,13 @@ kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A zone which will change its sig-validity-interval
+#
+zone=siginterval.example
+infile=siginterval.example.db.in
+zonefile=siginterval.example.db
+kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+cp $infile $zonefile
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 424792966a..5d4ed600fe 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -25,6 +25,7 @@ cd ns1 && sh sign.sh
 echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed
+cd ../ns3 && cp -f siginterval1.conf siginterval.conf
 cd ../ns4 && cp -f named1.conf named.conf
 cd ../ns5 && cp -f trusted.conf.bad trusted.conf
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 43fcd74cc6..311bc1150f 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2326,5 +2326,19 @@ test $sigs -eq 2 || ret=1
 if test $ret != 0 ; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:check that increasing the sig-validity-interval resigning triggers re-signing"
+before=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
+cp ns3/siginterval2.conf ns3/siginterval.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+after=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
+test "$before" != "$after" && break
+sleep 1
+done
+n=`expr $n + 1`
+if test "$before" = "$after" ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index ff60d462f3..20f8e3c068 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -379,15 +379,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 diff->resign);
 dns_db_setsigningtime(db, modified, resign);
- if (diff->resign == 0 &&
- (op == DNS_DIFFOP_ADDRESIGN ||
- op == DNS_DIFFOP_DELRESIGN))
- isc_log_write(
- DIFF_COMMON_LOGARGS,
- ISC_LOG_WARNING,
- "resign requested "
- "with 0 resign "
- "interval");
 }
 } else if (result == DNS_R_UNCHANGED) {
 /*
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 05878e119e..4f903a4db7 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -1277,7 +1277,6 @@ roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options,
 REQUIRE(DNS_DB_VALID(db));
 dns_diff_init(j->mctx, &diff);
- diff.resign = resign;
 /*
 * Set up empty initial buffers for unchecked and checked
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 5d4a3dcdc7..eef1a1bb19 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -300,7 +300,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
 * Create a singleton diff.
 */
 dns_diff_init(diff->mctx, &temp_diff);
- temp_diff.resign = diff->resign;
 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
 /*
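Review bot: The new check can never fail the run: `ret` is neither reset to 0 before the `before=` capture nor set when `$before` equals `$after`, so the final `status=` line just re-adds whatever the previous test left in `$ret` (the hunk header shows that value comes from `test $sigs -eq 2 || ret=1`). Add `ret=0` ahead of the `before=` line and change the failure line to `if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi`. The echo text "check that increasing the sig-validity-interval resigning triggers re-signing" reads oddly; "check that increasing the sig-validity-interval triggers re-signing" says what the loop verifies. `n` is incremented but not used in this block, which is harmless but unlike the surrounding tests.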
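Review bot: With every `dns_diff_init()` caller in this patch no longer assigning `diff->resign`, the value handed to `dns_db_setsigningtime(db, modified, resign)` on the context line above becomes the raw RRSIG expiry (assuming `dns_diff_init()` leaves `resign` at 0, which is outside the hunk), and the removed warning was the only hint in this file that `resign == 0` is now the normal case rather than a misconfiguration. A comment at the `dns_db_setsigningtime()` call would keep the next reader from reinstating the check: `/* diff->resign is 0 for all in-tree callers: store the raw expiry; sig-validity-interval is applied when the time is read back (set_resigntime() in zone.c). */`. diff_apply() begins before the hunk and the `resign` computation it refers to is only partly visible here.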
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 713fa87f97..e727c347ce 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -232,7 +232,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
 * Create a singleton diff.
 */
 dns_diff_init(diff->mctx, &temp_diff);
- temp_diff.resign = diff->resign;
 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
 /*
@@ -1356,7 +1355,6 @@ dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 dns_diff_init(diff->mctx, &affected);
 dns_diff_init(diff->mctx, &sig_diff);
- sig_diff.resign = dns_zone_getsigresigninginterval(zone);
 dns_diff_init(diff->mctx, &nsec_diff);
 dns_diff_init(diff->mctx, &nsec_mindiff);
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 47f6ee5b47..daf495b6a3 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -2061,8 +2061,7 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 result = dns_master_loadfileinc4(load->zone->masterfile,
 dns_db_origin(load->db),
 dns_db_origin(load->db),
- load->zone->rdclass, options,
- load->zone->sigresigninginterval,
+ load->zone->rdclass, options, 0,
 &load->callbacks, task, zone_loaddone, load, &load->zone->lctx,
@@ -2226,8 +2225,7 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 }
 result = dns_master_loadfile4(zone->masterfile, &zone->origin, &zone->origin,
- zone->rdclass, options,
- zone->sigresigninginterval,
+ zone->rdclass, options, 0,
 &callbacks, zone_registerinclude, zone, zone->mctx,
@@ -3227,7 +3225,7 @@ set_resigntime(dns_zone_t *zone) {
 goto cleanup;
 }
- resign = rdataset.resign;
+ resign = rdataset.resign - zone->sigresigninginterval;
 dns_rdataset_disassociate(&rdataset);
 isc_random_get(&nanosecs);
 nanosecs %= 1000000000;
@@ -3632,7 +3630,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
 * Create a singleton diff.
 */
 dns_diff_init(diff->mctx, &temp_diff);
- temp_diff.resign = diff->resign;
 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
 /*
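Review bot: The bare `0` now passed as the resign argument on the added line of the `@@ -2061` hunk, and again in `@@ -2226` and in `@@ -4100` (`0, zone->journal`), is a magic value whose meaning — do not pre-subtract any interval when loading or rolling forward the journal — is stated nowhere in the file. A short comment at each call, or a named constant used by all three, would record the intent, e.g. `/* resign interval 0: keep the raw RRSIG expiry; set_resigntime() applies sig-validity-interval */`. The three calls are otherwise unchanged and their argument lists continue outside the visible context.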
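Review bot: `resign = rdataset.resign - zone->sigresigninginterval;` in the `@@ -3227` hunk is an unguarded subtraction on what appear to be unsigned 32-bit time values (`resign`'s declaration is outside the hunk), so if `rdataset.resign` can ever be 0 or smaller than the configured interval — which cannot be confirmed from here — the result wraps to a far-future time and the zone would silently stop re-signing instead of re-signing at once. The same expression is repeated in `@@ -6031` (zone_resigninc), and `@@ -4431` subtracts the interval in the log message, so a single static helper would keep the sites in step and give the guard one home. set_resigntime() starts before the hunk; the sketch below assumes the value is then handed to isc_time_set() as a seconds count, where 0 presumably means "due now".
```c
/*
 * rdataset.resign now holds the raw RRSIG expiry (the loaders and
 * diff_apply() no longer pre-subtract an interval); the configured
 * sig-validity-interval is applied at read time so that a reconfig
 * takes effect without re-signing.  Clamp instead of wrapping.
 */
static isc_uint32_t
resign_time(dns_zone_t *zone, isc_uint32_t expire) {
	if (expire <= zone->sigresigninginterval)
		return (0);	/* overdue: re-sign at the next opportunity */
	return (expire - zone->sigresigninginterval);
}

/* … unchanged: set_resigntime() up to the signing-time lookup … */
	resign = resign_time(zone, rdataset.resign);
```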
@@ -4100,8 +4097,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 else
 options = 0;
 result = dns_journal_rollforward2(zone->mctx, db, options,
- zone->sigresigninginterval,
- zone->journal);
+ 0, zone->journal);
 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND && result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL && result != ISC_R_RANGE) {
@@ -4431,7 +4427,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 dns_zone_log(zone, ISC_LOG_DEBUG(3),
 "next resign: %s/%s in %d seconds",
 namebuf, typebuf,
- next.resign - timenow);
+ next.resign - timenow -
+ zone->sigresigninginterval);
 dns_rdataset_disassociate(&next);
 } else
 dns_zone_log(zone, ISC_LOG_WARNING,
@@ -5803,6 +5800,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 result = offline(db, ver, zonediff, name, rdataset.ttl, &rdata);
+ changed = ISC_TRUE;
 break;
 }
 result = update_one_rr(db, ver, zonediff->diff,
@@ -5971,7 +5969,6 @@ zone_resigninc(dns_zone_t *zone) {
 dns_rdataset_init(&rdataset);
 dns_fixedname_init(&fixed);
 dns_diff_init(zone->mctx, &_sig_diff);
- _sig_diff.resign = zone->sigresigninginterval;
 zonediff_init(&zonediff, &_sig_diff);
 /*
@@ -6031,7 +6028,7 @@ zone_resigninc(dns_zone_t *zone) {
 i = 0;
 while (result == ISC_R_SUCCESS) {
- resign = rdataset.resign;
+ resign = rdataset.resign - zone->sigresigninginterval;
 covers = rdataset.covers;
 dns_rdataset_disassociate(&rdataset);
@@ -6900,7 +6897,6 @@ zone_nsec3chain(dns_zone_t *zone) {
 dns_diff_init(zone->mctx, &nsec3_diff);
 dns_diff_init(zone->mctx, &nsec_diff);
 dns_diff_init(zone->mctx, &_sig_diff);
- _sig_diff.resign = zone->sigresigninginterval;
 zonediff_init(&zonediff, &_sig_diff);
 ISC_LIST_INIT(cleanup);
@@ -7746,7 +7742,6 @@ zone_sign(dns_zone_t *zone) {
 dns_fixedname_init(&nextfixed);
 nextname = dns_fixedname_name(&nextfixed);
 dns_diff_init(zone->mctx, &_sig_diff);
- _sig_diff.resign = zone->sigresigninginterval;
 dns_diff_init(zone->mctx, &post_diff);
 zonediff_init(&zonediff, &_sig_diff);
 ISC_LIST_INIT(cleanup);
@@ -8513,7 +8508,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 INSIST(result == ISC_R_SUCCESS);
 dns_diff_init(mctx, &diff);
- diff.resign = zone->sigresigninginterval;
 CHECK(dns_db_newversion(kfetch->db, &ver));
@@ -14083,7 +14077,10 @@ void
 dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
 REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK_ZONE(zone);
 zone->sigresigninginterval = interval;
+ set_resigntime(zone);
+ UNLOCK_ZONE(zone);
 }
 isc_uint32_t
@@ -16370,7 +16367,6 @@ zone_rekey(dns_zone_t *zone) {
 mctx = zone->mctx;
 dns_diff_init(mctx, &diff);
 dns_diff_init(mctx, &_sig_diff);
- _sig_diff.resign = zone->sigresigninginterval;
 zonediff_init(&zonediff, &_sig_diff);
 CHECK(dns_zone_getdb(zone, &db));
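Review bot: In the `@@ -14083` hunk, `set_resigntime(zone)` is now invoked from a plain setter, which is what makes a reconfig take effect, but nothing at the call site says so; a comment such as `/* Re-derive the next resign time from the stored expiries under the new interval so a reconfig applies without waiting for the next signing pass. */` would record the intent. The setter is presumably also called during initial configuration before the zone database exists, so confirm that set_resigntime() (outside this hunk) tolerates a zone with no database yet, and that it expects the zone lock to be held, since it now runs between `LOCK_ZONE` and `UNLOCK_ZONE`. If set_resigntime() can fail silently for an unloaded zone, the later zone_postload() path must still compute the time, which this hunk does not show.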