mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00
Code Issues Releases Wiki Activity

3641. [bug] Handle changes to sig-validity-interval settings

Browse Source 
better. [RT #34625]
This commit is contained in:
Mark Andrews 2013-09-04 13:45:00 +10:00
parent 8afea636ab
commit b5f4cc132e
16 changed files with 84 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -1,3 +1,6 @@
3641. [bug] Handle changes to sig-validity-interval settings
better. [RT #34625]
3640. [bug] ndots was not being checked when searching. Only 3640. [bug] ndots was not being checked when searching. Only
continue searching on NXDOMAIN responses. Add the continue searching on NXDOMAIN responses. Add the
ability to specify ndots to nslookup. [RT #34711] ability to specify ndots to nslookup. [RT #34711]

5
bin/dnssec/dnssec-signzone.c
View File

@ -950,7 +950,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
result = dns_db_newversion(db, &ver); result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion"); check_result(result, "dns_db_newversion");
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
diff.resign = cycle;
for (result = dns_rdataset_first(&keyset); for (result = dns_rdataset_first(&keyset);
result == ISC_R_SUCCESS; result == ISC_R_SUCCESS;
@ -1038,7 +1037,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
*/ */
dns_diff_init(mctx, &del); dns_diff_init(mctx, &del);
dns_diff_init(mctx, &add); dns_diff_init(mctx, &add);
del.resign = add.resign = cycle;
rdsiter = NULL; rdsiter = NULL;
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()"); check_result(result, "dns_db_allrdatasets()");
@ -2084,7 +2082,6 @@ remove_duplicates(void) {
dns_name_t *name; dns_name_t *name;
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
diff.resign = cycle;
dns_fixedname_init(&fname); dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname); name = dns_fixedname_name(&fname);
dns_rdataset_init(&rdataset); dns_rdataset_init(&rdataset);
@ -2555,7 +2552,6 @@ build_final_keylist() {
check_result(result, "dns_db_newversion"); check_result(result, "dns_db_newversion");
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
diff.resign = cycle;
/* /*
* Update keylist with information from from the key repository. * Update keylist with information from from the key repository.
@ -2763,7 +2759,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
strcat(filename, namestr); strcat(filename, namestr);
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
diff.resign = cycle;
if (type == dns_rdatatype_dlv) { if (type == dns_rdatatype_dlv) {
dns_name_t tname; dns_name_t tname;

1
bin/named/update.c
View File

@ -404,7 +404,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff. * Create a singleton diff.
*/ */
dns_diff_init(diff->mctx, &temp_diff); dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/* /*

3
bin/tests/system/dnssec/clean.sh
View File

@ -63,6 +63,7 @@ rm -f signer/nsec3param.out
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db rm -f ns3/split-smart.example.db
rm -f ns3/siginterval.example.db
rm -f ns3/inline.example.db.signed rm -f ns3/inline.example.db.signed
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm -f ns6/optout-tld.db rm -f ns6/optout-tld.db
@ -70,3 +71,5 @@ rm -f nosign.before
rm -f signing.out* rm -f signing.out*
rm -f canonical?.* rm -f canonical?.*
rm -f ns1/resolve.key rm -f ns1/resolve.key
rm -f ns3/siginterval.conf
rm -f ns4/named_dump.db

2
bin/tests/system/dnssec/ns3/named.conf
View File

@ -270,4 +270,6 @@ zone "publish-inactive.example" {
update-policy local; update-policy local;
}; };
include "siginterval.conf";
include "trusted.conf"; include "trusted.conf";

26
bin/tests/system/dnssec/ns3/siginterval.example.db.in Normal file
View File

@ -0,0 +1,26 @@
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2012042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns
ns A 10.53.0.3

7
bin/tests/system/dnssec/ns3/siginterval1.conf Normal file
View File

@ -0,0 +1,7 @@
zone "siginterval.example" {
type master;
allow-update { any; };
sig-validity-interval 1 23;
auto-dnssec maintain;
file "siginterval.example.db";
};

7
bin/tests/system/dnssec/ns3/siginterval2.conf Normal file
View File

@ -0,0 +1,7 @@
zone "siginterval.example" {
type master;
allow-update { any; };
sig-validity-interval 35 28;
auto-dnssec maintain;
file "siginterval.example.db";
};

10
bin/tests/system/dnssec/ns3/sign.sh
View File

@ -451,3 +451,13 @@ kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone` zskname=`$KEYGEN -q -r $RANDFILE $zone`
cp $infile $zonefile cp $infile $zonefile
$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A zone which will change its sig-validity-interval
#
zone=siginterval.example
infile=siginterval.example.db.in
zonefile=siginterval.example.db
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
cp $infile $zonefile

1
bin/tests/system/dnssec/setup.sh
View File

@ -25,6 +25,7 @@ cd ns1 && sh sign.sh
echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed
cd ../ns3 && cp -f siginterval1.conf siginterval.conf
cd ../ns4 && cp -f named1.conf named.conf cd ../ns4 && cp -f named1.conf named.conf
cd ../ns5 && cp -f trusted.conf.bad trusted.conf cd ../ns5 && cp -f trusted.conf.bad trusted.conf

14
bin/tests/system/dnssec/tests.sh
View File

@ -2326,5 +2326,19 @@ test $sigs -eq 2 || ret=1
if test $ret != 0 ; then echo "I:failed"; fi if test $ret != 0 ; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:check that increasing the sig-validity-interval resigning triggers re-signing"
before=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
cp ns3/siginterval2.conf ns3/siginterval.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
for i in 1 2 3 4 5 6 7 8 9 0
do
after=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
test "$before" != "$after" && break
sleep 1
done
n=`expr $n + 1`
if test "$before" = "$after" ; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status" echo "I:exit status: $status"
exit $status exit $status

9
lib/dns/diff.c
View File

@ -379,15 +379,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
diff->resign); diff->resign);
dns_db_setsigningtime(db, modified, dns_db_setsigningtime(db, modified,
resign); resign);
if (diff->resign == 0 &&
(op == DNS_DIFFOP_ADDRESIGN ||
op == DNS_DIFFOP_DELRESIGN))
isc_log_write(
DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"resign requested "
"with 0 resign "
"interval");
} }
} else if (result == DNS_R_UNCHANGED) { } else if (result == DNS_R_UNCHANGED) {
/* /*

1
lib/dns/journal.c
View File

@ -1277,7 +1277,6 @@ roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options,
REQUIRE(DNS_DB_VALID(db)); REQUIRE(DNS_DB_VALID(db));
dns_diff_init(j->mctx, &diff); dns_diff_init(j->mctx, &diff);
diff.resign = resign;
/* /*
* Set up empty initial buffers for unchecked and checked * Set up empty initial buffers for unchecked and checked

1
lib/dns/nsec3.c
View File

@ -300,7 +300,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff. * Create a singleton diff.
*/ */
dns_diff_init(diff->mctx, &temp_diff); dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/* /*

2
lib/dns/update.c
View File

@ -232,7 +232,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff. * Create a singleton diff.
*/ */
dns_diff_init(diff->mctx, &temp_diff); dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/* /*
@ -1356,7 +1355,6 @@ dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_diff_init(diff->mctx, &affected); dns_diff_init(diff->mctx, &affected);
dns_diff_init(diff->mctx, &sig_diff); dns_diff_init(diff->mctx, &sig_diff);
sig_diff.resign = dns_zone_getsigresigninginterval(zone);
dns_diff_init(diff->mctx, &nsec_diff); dns_diff_init(diff->mctx, &nsec_diff);
dns_diff_init(diff->mctx, &nsec_mindiff); dns_diff_init(diff->mctx, &nsec_mindiff);

26
lib/dns/zone.c
View File

@ -2061,8 +2061,7 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
result = dns_master_loadfileinc4(load->zone->masterfile, result = dns_master_loadfileinc4(load->zone->masterfile,
dns_db_origin(load->db), dns_db_origin(load->db),
dns_db_origin(load->db), dns_db_origin(load->db),
load->zone->rdclass, options, load->zone->rdclass, options, 0,
load->zone->sigresigninginterval,
&load->callbacks, task, &load->callbacks, task,
zone_loaddone, load, zone_loaddone, load,
&load->zone->lctx, &load->zone->lctx,
@ -2226,8 +2225,7 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
} }
result = dns_master_loadfile4(zone->masterfile, result = dns_master_loadfile4(zone->masterfile,
&zone->origin, &zone->origin, &zone->origin, &zone->origin,
zone->rdclass, options, zone->rdclass, options, 0,
zone->sigresigninginterval,
&callbacks, &callbacks,
zone_registerinclude, zone_registerinclude,
zone, zone->mctx, zone, zone->mctx,
@ -3227,7 +3225,7 @@ set_resigntime(dns_zone_t *zone) {
goto cleanup; goto cleanup;
} }
resign = rdataset.resign; resign = rdataset.resign - zone->sigresigninginterval;
dns_rdataset_disassociate(&rdataset); dns_rdataset_disassociate(&rdataset);
isc_random_get(&nanosecs); isc_random_get(&nanosecs);
nanosecs %= 1000000000; nanosecs %= 1000000000;
@ -3632,7 +3630,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff. * Create a singleton diff.
*/ */
dns_diff_init(diff->mctx, &temp_diff); dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/* /*
@ -4100,8 +4097,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
else else
options = 0; options = 0;
result = dns_journal_rollforward2(zone->mctx, db, options, result = dns_journal_rollforward2(zone->mctx, db, options,
zone->sigresigninginterval, 0, zone->journal);
zone->journal);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND && if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL && result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
result != ISC_R_RANGE) { result != ISC_R_RANGE) {
@ -4431,7 +4427,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
dns_zone_log(zone, ISC_LOG_DEBUG(3), dns_zone_log(zone, ISC_LOG_DEBUG(3),
"next resign: %s/%s in %d seconds", "next resign: %s/%s in %d seconds",
namebuf, typebuf, namebuf, typebuf,
next.resign - timenow); next.resign - timenow -
zone->sigresigninginterval);
dns_rdataset_disassociate(&next); dns_rdataset_disassociate(&next);
} else } else
dns_zone_log(zone, ISC_LOG_WARNING, dns_zone_log(zone, ISC_LOG_WARNING,
@ -5803,6 +5800,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = offline(db, ver, zonediff, result = offline(db, ver, zonediff,
name, rdataset.ttl, name, rdataset.ttl,
&rdata); &rdata);
changed = ISC_TRUE;
break; break;
} }
result = update_one_rr(db, ver, zonediff->diff, result = update_one_rr(db, ver, zonediff->diff,
@ -5971,7 +5969,6 @@ zone_resigninc(dns_zone_t *zone) {
dns_rdataset_init(&rdataset); dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed); dns_fixedname_init(&fixed);
dns_diff_init(zone->mctx, &_sig_diff); dns_diff_init(zone->mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
zonediff_init(&zonediff, &_sig_diff); zonediff_init(&zonediff, &_sig_diff);
/* /*
@ -6031,7 +6028,7 @@ zone_resigninc(dns_zone_t *zone) {
i = 0; i = 0;
while (result == ISC_R_SUCCESS) { while (result == ISC_R_SUCCESS) {
resign = rdataset.resign; resign = rdataset.resign - zone->sigresigninginterval;
covers = rdataset.covers; covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset); dns_rdataset_disassociate(&rdataset);
@ -6900,7 +6897,6 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_diff_init(zone->mctx, &nsec3_diff); dns_diff_init(zone->mctx, &nsec3_diff);
dns_diff_init(zone->mctx, &nsec_diff); dns_diff_init(zone->mctx, &nsec_diff);
dns_diff_init(zone->mctx, &_sig_diff); dns_diff_init(zone->mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
zonediff_init(&zonediff, &_sig_diff); zonediff_init(&zonediff, &_sig_diff);
ISC_LIST_INIT(cleanup); ISC_LIST_INIT(cleanup);
@ -7746,7 +7742,6 @@ zone_sign(dns_zone_t *zone) {
dns_fixedname_init(&nextfixed); dns_fixedname_init(&nextfixed);
nextname = dns_fixedname_name(&nextfixed); nextname = dns_fixedname_name(&nextfixed);
dns_diff_init(zone->mctx, &_sig_diff); dns_diff_init(zone->mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
dns_diff_init(zone->mctx, &post_diff); dns_diff_init(zone->mctx, &post_diff);
zonediff_init(&zonediff, &_sig_diff); zonediff_init(&zonediff, &_sig_diff);
ISC_LIST_INIT(cleanup); ISC_LIST_INIT(cleanup);
@ -8513,7 +8508,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
INSIST(result == ISC_R_SUCCESS); INSIST(result == ISC_R_SUCCESS);
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
diff.resign = zone->sigresigninginterval;
CHECK(dns_db_newversion(kfetch->db, &ver)); CHECK(dns_db_newversion(kfetch->db, &ver));
@ -14083,7 +14077,10 @@ void
dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) { dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
zone->sigresigninginterval = interval; zone->sigresigninginterval = interval;
set_resigntime(zone);
UNLOCK_ZONE(zone);
} }
isc_uint32_t isc_uint32_t
@ -16370,7 +16367,6 @@ zone_rekey(dns_zone_t *zone) {
mctx = zone->mctx; mctx = zone->mctx;
dns_diff_init(mctx, &diff); dns_diff_init(mctx, &diff);
dns_diff_init(mctx, &_sig_diff); dns_diff_init(mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
zonediff_init(&zonediff, &_sig_diff); zonediff_init(&zonediff, &_sig_diff);
CHECK(dns_zone_getdb(zone, &db)); CHECK(dns_zone_getdb(zone, &db));