From b7e40659efd6cf6f5e6b3b1f904f16f74efb0d16 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 14 Jun 2013 10:16:10 -0700 Subject: [PATCH] [master] rebuild resigning heaps when loading map files 3597. [bug] Ensure automatic-resigning heaps are reconstructed when loading zones in map format. [RT #33381] --- CHANGES | 3 ++ bin/dnssec/dnssec-signzone.c | 46 +++++++++++--------- bin/tests/system/masterformat/clean.sh | 5 ++- bin/tests/system/masterformat/ns1/compile.sh | 8 ++++ bin/tests/system/masterformat/ns1/named.conf | 18 ++++++++ bin/tests/system/masterformat/ns1/signed.db | 32 ++++++++++++++ bin/tests/system/masterformat/setup.sh | 3 ++ bin/tests/system/masterformat/tests.sh | 19 ++++++++ lib/dns/include/dns/rbt.h | 10 +++-- lib/dns/master.c | 1 - lib/dns/rbt.c | 23 +++++----- lib/dns/rbtdb.c | 24 +++++++--- lib/dns/tests/rbt_test.c | 11 +++-- lib/dns/zone.c | 16 ++++--- 14 files changed, 166 insertions(+), 53 deletions(-) create mode 100644 bin/tests/system/masterformat/ns1/signed.db diff --git a/CHANGES b/CHANGES index 94b5b89af7..44e6cdda41 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3597. [bug] Ensure automatic-resigning heaps are reconstructed + when loading zones in map format. [RT #33381] + 3596. [port] Updated win32 build documentation, added dnssec-verify. [RT #22067] diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 5be654d7e5..380b6b10c6 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -306,8 +306,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key, } tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata, - &tuple); + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, + name, ttl, &trdata, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(add, &tuple); } @@ -602,24 +602,23 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, vbprintf(2, "\tfixing ttl %s\n", sigstr); tuple = NULL; result = dns_difftuple_create(mctx, - DNS_DIFFOP_DEL, - name, sigset.ttl, - &sigrdata, - &tuple); + DNS_DIFFOP_DELRESIGN, + name, sigset.ttl, + &sigrdata, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(del, &tuple); result = dns_difftuple_create(mctx, - DNS_DIFFOP_ADD, - name, ttl, - &sigrdata, - &tuple); + DNS_DIFFOP_ADDRESIGN, + name, ttl, + &sigrdata, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(add, &tuple); } } else { tuple = NULL; vbprintf(2, "removing signature by %s\n", sigstr); - result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, + result = dns_difftuple_create(mctx, + DNS_DIFFOP_DELRESIGN, name, sigset.ttl, &sigrdata, &tuple); check_result(result, "dns_difftuple_create"); @@ -951,6 +950,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { result = dns_db_newversion(db, &ver); check_result(result, "dns_db_newversion"); dns_diff_init(mctx, &diff); + diff.resign = cycle; for (result = dns_rdataset_first(&keyset); result == ISC_R_SUCCESS; @@ -963,7 +963,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { dsbuf, &ds); check_result(result, "dns_ds_buildrdata"); - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name, ttl, &ds, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(&diff, &tuple); @@ -973,7 +973,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { dsbuf, &ds); check_result(result, "dns_ds_buildrdata"); - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, + result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name, ttl, &ds, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(&diff, &tuple); @@ -1038,6 +1038,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) { */ dns_diff_init(mctx, &del); dns_diff_init(mctx, &add); + del.resign = add.resign = cycle; rdsiter = NULL; result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); @@ -2060,10 +2061,9 @@ rrset_remove_duplicates(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_current(&tmprdataset, &rdata2); if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) { result = dns_difftuple_create(mctx, - DNS_DIFFOP_DEL, - name, - rdataset->ttl, - &rdata2, &tuple); + DNS_DIFFOP_DELRESIGN, + name, rdataset->ttl, + &rdata2, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(diff, &tuple); } @@ -2084,6 +2084,7 @@ remove_duplicates(void) { dns_name_t *name; dns_diff_init(mctx, &diff); + diff.resign = cycle; dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_rdataset_init(&rdataset); @@ -2554,6 +2555,7 @@ build_final_keylist() { check_result(result, "dns_db_newversion"); dns_diff_init(mctx, &diff); + diff.resign = cycle; /* * Update keylist with information from from the key repository. @@ -2761,6 +2763,7 @@ writeset(const char *prefix, dns_rdatatype_t type) { strcat(filename, namestr); dns_diff_init(mctx, &diff); + diff.resign = cycle; if (type == dns_rdatatype_dlv) { dns_name_t tname; @@ -2817,7 +2820,8 @@ writeset(const char *prefix, dns_rdatatype_t type) { check_result(result, "dns_ds_buildrdata"); if (type == dns_rdatatype_dlv) ds.type = dns_rdatatype_dlv; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + result = dns_difftuple_create(mctx, + DNS_DIFFOP_ADDRESIGN, name, 0, &ds, &tuple); check_result(result, "dns_difftuple_create"); dns_diff_append(&diff, &tuple); @@ -2829,11 +2833,13 @@ writeset(const char *prefix, dns_rdatatype_t type) { check_result(result, "dns_ds_buildrdata"); if (type == dns_rdatatype_dlv) ds.type = dns_rdatatype_dlv; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + result = dns_difftuple_create(mctx, + DNS_DIFFOP_ADDRESIGN, name, 0, &ds, &tuple); } else - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, + result = dns_difftuple_create(mctx, + DNS_DIFFOP_ADDRESIGN, gorigin, zone_soa_min_ttl, &rdata, &tuple); check_result(result, "dns_difftuple_create"); diff --git a/bin/tests/system/masterformat/clean.sh b/bin/tests/system/masterformat/clean.sh index 740ddef7d7..d6245f4688 100755 --- a/bin/tests/system/masterformat/clean.sh +++ b/bin/tests/system/masterformat/clean.sh @@ -21,7 +21,7 @@ rm -f ns1/example.db.raw* rm -f ns1/example.db.compat rm -f ns1/example.db.serial.raw rm -f ns1/large.db ns1/large.db.raw -rm -f ns1/example.db.map +rm -f ns1/example.db.map ns1/signed.db.map rm -f dig.out.* rm -f dig.out rm -f */named.memstats @@ -32,3 +32,6 @@ rm -f ns2/db-* rm -f ns2/large.bk rm -f ns3/example.db.map ns3/dynamic.db.map rm -f baseline.txt text.1 text.2 raw.1 raw.2 map.1 map.2 map.5 text.5 badmap +rm -f ns1/Ksigned.* ns1/dsset-signed. ns1/signed.db.signed +rm -f random.data +rm -f rndc.out diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index 409dd4d6e7..34e7a659fc 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -14,6 +14,10 @@ # $Id$ +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh +RANDFILE=../random.data + ../named-compilezone -D -F raw -o example.db.raw example \ example.db > /dev/null 2>&1 ../named-compilezone -D -F map -o ../ns3/example.db.map example \ @@ -30,3 +34,7 @@ ../named-compilezone -D -F map -o example.db.map example-map \ example.db > /dev/null 2>&1 +$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1 +$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1 +$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1 +../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1 diff --git a/bin/tests/system/masterformat/ns1/named.conf b/bin/tests/system/masterformat/ns1/named.conf index 6232b6aac9..ae414b7ed3 100644 --- a/bin/tests/system/masterformat/ns1/named.conf +++ b/bin/tests/system/masterformat/ns1/named.conf @@ -30,6 +30,15 @@ options { dnssec-enable yes; }; +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; }; +}; + zone "example" { type master; masterfile-format raw; @@ -66,3 +75,12 @@ zone "large" { masterfile-format raw; allow-transfer { any; }; }; + +zone "signed" { + type master; + file "signed.db.map"; + masterfile-format map; + allow-transfer { any; }; + update-policy local; + auto-dnssec maintain; +}; diff --git a/bin/tests/system/masterformat/ns1/signed.db b/bin/tests/system/masterformat/ns1/signed.db new file mode 100644 index 0000000000..cb6361804a --- /dev/null +++ b/bin/tests/system/masterformat/ns1/signed.db @@ -0,0 +1,32 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +mx MX 10 mail +a A 10.53.0.1 + A 10.53.0.2 +aaaa AAAA 2001:db8::53 +cname CNAME cname-target +dname DNAME dname-target +txt TXT "this is text" diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index beac865a2f..da0d2dc18c 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -16,6 +16,9 @@ rm -f named-compilezone ln -s $CHECKZONE named-compilezone + +../../../tools/genrandom 400 random.data + rm -f ns1/example.db.raw cp ns1/example.db ns2/ cp ns2/formerly-text.db.in ns2/formerly-text.db diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 032a3b4ec9..d50af8332d 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -255,5 +255,24 @@ stomp badmap 2897 5 127 [ $ret -eq 0 ] || echo "I:failed" status=`expr $status + $ret` +echo "I:checking map format zone is scheduled for resigning (compilezone)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 zonestatus signed > rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +echo "I:checking map format zone is scheduled for resigning (signzone)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze signed > rndc.out 2>&1 || ret=1 +cd ns1 +$SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null 2>&1 +cd .. +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload signed > rndc.out 2>&1 || ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 zonestatus signed > rndc.out 2>&1 || ret=1 +grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h index 85c3479df8..7433d90872 100644 --- a/lib/dns/include/dns/rbt.h +++ b/lib/dns/include/dns/rbt.h @@ -158,7 +158,9 @@ typedef isc_result_t (*dns_rbtdatawriter_t)(FILE *file, typedef isc_result_t (*dns_rbtdatafixer_t)(dns_rbtnode_t *rbtnode, void *base, size_t offset, - isc_uint64_t *crc); + void *arg, isc_uint64_t *crc); + +typedef void (*dns_rbtdeleter_t)(void *, void *); /***** ***** Chain Info @@ -256,7 +258,7 @@ typedef struct dns_rbtnodechain { ***** Public interfaces. *****/ isc_result_t -dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *), +dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter, void *deleter_arg, dns_rbt_t **rbtp); /*%< * Initialize a red-black tree of trees. @@ -710,8 +712,8 @@ dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt, isc_result_t dns_rbt_deserialize_tree(void *base_address, size_t filesize, off_t header_offset, isc_mem_t *mctx, - void (*deleter)(void *, void *), void *deleter_arg, - dns_rbtdatafixer_t datafixer, + dns_rbtdeleter_t deleter, void *deleter_arg, + dns_rbtdatafixer_t datafixer, void *fixer_arg, dns_rbtnode_t **originp, dns_rbt_t **rbtp); /*%< * Read a RBT structure and its data from a file. diff --git a/lib/dns/master.c b/lib/dns/master.c index 05d28bc98e..aa8f1ac4a4 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -2999,7 +2999,6 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx, if (dataset.type == dns_rdatatype_rrsig && (lctx->options & DNS_MASTER_RESIGN) != 0) { dataset.attributes |= DNS_RDATASETATTR_RESIGN; - dns_name_format(owner, namebuf, sizeof(namebuf)); dataset.resign = resign_fromlist(this, lctx->resign); } result = ((*callbacks->add)(callbacks->add_private, owner, diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c index 559293645f..bd70f5279f 100644 --- a/lib/dns/rbt.c +++ b/lib/dns/rbt.c @@ -370,7 +370,8 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp); static isc_result_t treefix(dns_rbt_t *rbt, void *base, size_t size, dns_rbtnode_t *n, dns_name_t *name, - dns_rbtdatafixer_t datafixer, isc_uint64_t *crc); + dns_rbtdatafixer_t datafixer, void *fixer_arg, + isc_uint64_t *crc); static isc_result_t deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node); @@ -694,7 +695,8 @@ dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt, static isc_result_t treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n, - dns_name_t *name, dns_rbtdatafixer_t datafixer, isc_uint64_t *crc) + dns_name_t *name, dns_rbtdatafixer_t datafixer, + void *fixer_arg, isc_uint64_t *crc) { isc_result_t result = ISC_R_SUCCESS; dns_fixedname_t fixed; @@ -772,16 +774,16 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n, /* a change in the order (from left, right, down) will break hashing*/ if (n->left != NULL) CHECK(treefix(rbt, base, filesize, n->left, name, - datafixer, crc)); + datafixer, fixer_arg, crc)); if (n->right != NULL) CHECK(treefix(rbt, base, filesize, n->right, name, - datafixer, crc)); + datafixer, fixer_arg, crc)); if (n->down != NULL) CHECK(treefix(rbt, base, filesize, n->down, fullname, - datafixer, crc)); + datafixer, fixer_arg, crc)); if (datafixer != NULL && n->data != NULL) - CHECK(datafixer(n, base, filesize, crc)); + CHECK(datafixer(n, base, filesize, fixer_arg, crc)); rbt->nodecount++; node_data = (unsigned char *) n + sizeof(dns_rbtnode_t); @@ -807,9 +809,8 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n, isc_result_t dns_rbt_deserialize_tree(void *base_address, size_t filesize, off_t header_offset, isc_mem_t *mctx, - void (*deleter)(void *, void *), - void *deleter_arg, - dns_rbtdatafixer_t datafixer, + dns_rbtdeleter_t deleter, void *deleter_arg, + dns_rbtdatafixer_t datafixer, void *fixer_arg, dns_rbtnode_t **originp, dns_rbt_t **rbtp) { isc_result_t result = ISC_R_SUCCESS; @@ -861,7 +862,7 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, rehash(rbt, header->nodecount); CHECK(treefix(rbt, base_address, filesize, rbt->root, - dns_rootname, datafixer, &crc)); + dns_rootname, datafixer, fixer_arg, &crc)); isc_crc64_final(&crc); #ifdef DEBUG @@ -895,7 +896,7 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, * Initialize a red/black tree of trees. */ isc_result_t -dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *), +dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter, void *deleter_arg, dns_rbt_t **rbtp) { #ifdef DNS_RBT_USEHASH diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index f9a34883da..b0a153b482 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -7005,8 +7005,10 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) { static isc_result_t rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, - isc_uint64_t *crc) + void *arg, isc_uint64_t *crc) { + isc_result_t result; + dns_rbtdb_t *rbtdb = (dns_rbtdb_t *) arg; rdatasetheader_t *header; unsigned char *limit = ((unsigned char *) base) + filesize; unsigned char *p; @@ -7028,6 +7030,14 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, header->is_mmapped = 1; header->node = rbtnode; header->node_is_relative = 0; + + if (rbtdb != NULL && RESIGN(header) && header->resign != 0) { + int idx = header->node->locknum; + result = isc_heap_insert(rbtdb->heaps[idx], header); + if (result != ISC_R_SUCCESS) + return (result); + } + if (header->next != NULL) { size_t cooked = dns_rbt_serialize_align(size); if ((uintptr_t)header->next != @@ -7090,8 +7100,8 @@ deserialize(void *arg, FILE *f, off_t offset) { result = dns_rbt_deserialize_tree(base, filesize, (size_t) header->tree, rbtdb->common.mctx, - delete_callback, - rbtdb, rbt_datafixer, + delete_callback, rbtdb, + rbt_datafixer, rbtdb, &rbtdb->origin_node, &temporary_rbt); if (temporary_rbt != NULL) { @@ -7110,8 +7120,8 @@ deserialize(void *arg, FILE *f, off_t offset) { result = dns_rbt_deserialize_tree(base, filesize, (size_t) header->nsec, rbtdb->common.mctx, - delete_callback, - rbtdb, rbt_datafixer, + delete_callback, rbtdb, + rbt_datafixer, rbtdb, NULL, &temporary_rbt); if (temporary_rbt != NULL) { dns_rbt_destroy(&rbtdb->nsec); @@ -7126,8 +7136,8 @@ deserialize(void *arg, FILE *f, off_t offset) { result = dns_rbt_deserialize_tree(base, filesize, (size_t) header->nsec3, rbtdb->common.mctx, - delete_callback, - rbtdb, rbt_datafixer, + delete_callback, rbtdb, + rbt_datafixer, rbtdb, NULL, &temporary_rbt); if (temporary_rbt != NULL) { dns_rbt_destroy(&rbtdb->nsec3); diff --git a/lib/dns/tests/rbt_test.c b/lib/dns/tests/rbt_test.c index 0fef45897b..01fab10da7 100644 --- a/lib/dns/tests/rbt_test.c +++ b/lib/dns/tests/rbt_test.c @@ -140,12 +140,15 @@ write_data(FILE *file, unsigned char *datap, isc_uint32_t serial, } static isc_result_t -fix_data(dns_rbtnode_t *p, void *base, size_t max, isc_uint64_t *crc) { +fix_data(dns_rbtnode_t *p, void *base, size_t max, void *arg, + isc_uint64_t *crc) +{ data_holder_t *data = p->data; size_t size; UNUSED(base); UNUSED(max); + UNUSED(arg); REQUIRE(crc != NULL); REQUIRE(p != NULL); @@ -350,8 +353,8 @@ ATF_TC_BODY(serialize, tc) { close(fd); result = dns_rbt_deserialize_tree(base, filesize, 0, mctx, - delete_data, NULL, - fix_data, NULL, &rbt_deserialized); + delete_data, NULL, fix_data, NULL, + NULL, &rbt_deserialized); /* Test to make sure we have a valid tree */ ATF_REQUIRE(result == ISC_R_SUCCESS); @@ -427,7 +430,7 @@ ATF_TC_BODY(deserialize_corrupt, tc) { result = dns_rbt_deserialize_tree(base, filesize, 0, mctx, delete_data, NULL, fix_data, NULL, - &rbt_deserialized); + NULL, &rbt_deserialized); printf("%d: %s\n", i, isc_result_totext(result)); /* Test to make sure we have a valid tree */ diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ce7aea9b0c..643cbc25f9 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -1954,7 +1954,7 @@ static unsigned int get_master_options(dns_zone_t *zone) { unsigned int options; - options = DNS_MASTER_ZONE; + options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN; if (zone->type == dns_zone_slave || (zone->type == dns_zone_redirect && zone->masters == NULL)) options |= DNS_MASTER_SLAVE; @@ -1974,10 +1974,6 @@ get_master_options(dns_zone_t *zone) { options |= DNS_MASTER_CHECKMXFAIL; if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) options |= DNS_MASTER_CHECKWILDCARD; - if (inline_secure(zone) || (zone->type == dns_zone_master && - ((zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)) || - zone->ssutable != NULL))) - options |= DNS_MASTER_RESIGN; return (options); } @@ -3122,6 +3118,15 @@ set_resigntime(dns_zone_t *zone) { isc_result_t result; isc_uint32_t nanosecs; + /* We only re-sign zones that can be dynamically updated */ + if (zone->update_disabled) + return; + + if (!inline_secure(zone) && (zone->type != dns_zone_master || + (zone->ssutable == NULL && + (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl))))) + return; + dns_rdataset_init(&rdataset); dns_fixedname_init(&fixed); result = dns_db_getsigningtime(zone->db, &rdataset, @@ -3130,6 +3135,7 @@ set_resigntime(dns_zone_t *zone) { isc_time_settoepoch(&zone->resigntime); return; } + resign = rdataset.resign; dns_rdataset_disassociate(&rdataset); isc_random_get(&nanosecs);