diff --git a/CHANGES b/CHANGES
index 328dd25501..5e06da59b4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5359. [func] "rndc nta -d" and "rndc secroots" now include
+ "validate-except" entries when listing negative
+ trust anchors. These are indicated by the keyword
+ "permanent" in place of an expiry date. [GL #1532]
+
 5358. [bug] Inline master zones whose master files were touched but otherwise unchanged and were subsequently reloaded may have stopped re-signing. [GL !3135]
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 39db3e7b9c..a8213f6cb8 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1743,7 +1743,7 @@ check_secroots_layout named.secroots.test$n || ret=1
 linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; static" named.secroots.test$n || true)
 [ "$linecount" -eq 1 ] || ret=1
 linecount=$(< named.secroots.test$n wc -l)
-[ "$linecount" -eq 9 ] || ret=1
+[ "$linecount" -eq 10 ] || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
@@ -1863,14 +1863,14 @@ rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
 rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
 lines=$(wc -l < rndc.out.ns4.test$n.1)
-[ "$lines" -eq 2 ] || ret=1
+[ "$lines" -eq 3 ] || ret=1
 rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
 rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
 # reload should maintain NTAs
 rndc_reload ns4 10.53.0.4
 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
 lines=$(wc -l < rndc.out.ns4.test$n.2)
-[ "$lines" -eq 4 ] || ret=1
+[ "$lines" -eq 5 ] || ret=1
 # shellcheck disable=SC2016
 start=$($PERL -e 'print time()."\n";')
@@ -2077,7 +2077,7 @@ sleep 4
 #
 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
 lines=$(wc -l < rndc.out.ns4.test$n.3)
-[ "$lines" -eq 1 ] || ret=1
+[ "$lines" -eq 2 ] || ret=1
 grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1
 dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
@@ -2101,7 +2101,7 @@ n=$((n+1))
 echo_i "testing loading regular attribute from NTA file ($n)"
 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
 lines=$(wc -l < rndc.out.ns4.test$n.1)
-[ "$lines" -eq 0 ] || ret=1
+[ "$lines" -eq 1 ] || ret=1
 # initially, secure.example. validates with AD=1
 dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
@@ -2159,7 +2159,7 @@ n=$((n+1))
 echo_i "testing loading forced attribute from NTA file ($n)"
 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
 lines=$(wc -l < rndc.out.ns4.test$n.1)
-[ "$lines" -eq 0 ] || ret=1
+[ "$lines" -eq 1 ] || ret=1
 # initially, secure.example. validates with AD=1
 dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
@@ -2240,10 +2240,11 @@ echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
 sleep 4
 # dump the NTA to a file (omit validate-except entries)
-echo_i "testing 'rndc nta'"
-rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+echo_i "testing 'rndc nta -d' with NTA"
+rndccmd 10.53.0.4 nta -d | grep -v ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null
 # "corp" is configured as a validate-except domain and thus should be
-# omitted. only "secure.example" should be in the dump at this point.
+# removed by the grep -v above. only "secure.example" should appear in
+# the dump.
 lines=$(wc -l < rndc.out.ns4.test$n.1)
 [ "$lines" -eq 1 ] || ret=1
 grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1
@@ -2265,11 +2266,28 @@ else
 echo_i "skipped ntadiff test; install PERL module Time::Piece"
 fi
+echo_i "testing 'rndc nta' lifetime clamping"
+rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null
+# "corp" is configured as a validate-except domain and thus should be
+# the only entry in the dump.
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 1 ] || ret=1
+grep 'corp/_default' rndc.out.ns4.test$n.1 > /dev/null || ret=1
+
 # cleanup
 rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
 n=$((n+1))
-if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+echo_i "testing 'rndc nta -d' displays validate-except entries"
+rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null
+lines=$(wc -l < rndc.out.ns4.test$n.1)
+[ "$lines" -eq 1 ] || ret=1
+grep 'corp/_default' rndc.out.ns4.test$n.1 > /dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)"
diff --git a/doc/arm/notes-9.17.0.xml b/doc/arm/notes-9.17.0.xml
index 3dbf63d931..2b0de4afd7 100644
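Review bot: The added "testing 'rndc nta' lifetime clamping" block and the added "testing 'rndc nta -d' displays validate-except entries" block run the same pipeline and assert the same thing (exactly one `: permanent` line, naming `corp/_default`), so the first adds no coverage beyond the second and its label no longer describes what it checks; either drop the first block or have it exercise the clamped lifetime that the replaced failure message referred to. In the same hunk and in the hunk at 2240, the trailing `2>/dev/null` now applies to the `grep` at the end of the pipeline rather than to `rndccmd`, so rndc diagnostics that the replaced lines silenced will reach the test log; if that is not intended, move the redirection: `rndccmd 10.53.0.4 nta -d 2>/dev/null | grep ": permanent" > rndc.out.ns4.test$n.1`. The new echo_i messages also omit the `($n)` test number that the neighbouring "checking that NTAs work ..." and "testing loading ... from NTA file" messages carry, which makes a failure harder to match to its output files.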
--- a/doc/arm/notes-9.17.0.xml
+++ b/doc/arm/notes-9.17.0.xml
@@ -11,6 +11,21 @@
Notes for BIND 9.17.0 +
Feature Changes + + + + The rndc nta -dump and + rndc secroots commands now both include + validate-except entries when listing negative + trust anchors. These are indicated by the keyword + permanent in place of the expiry + date. [GL #1532] + + + +
+
Bug Fixes
diff --git a/lib/dns/include/dns/nta.h b/lib/dns/include/dns/nta.h
index c67da1ca17..b0f6c32e93 100644
--- a/lib/dns/include/dns/nta.h
+++ b/lib/dns/include/dns/nta.h
@@ -192,12 +192,6 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
 * \li "*buf" is a valid buffer.
 */
-isc_result_t
-dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp);
-/*%<
- * Dump the NTA table to the file opened as 'fp'.
- */
-
 isc_result_t
 dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp);
 /*%<
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index 525bdabdb7..8440463372 100644
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -539,13 +539,12 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
 dns_name_t *name;
 isc_time_t t;
- /*
- * Skip "validate-except" entries.
- */
+ name = dns_fixedname_initname(&fn);
+ dns_rbt_fullnamefromnode(node, name);
+ dns_name_format(name, nbuf, sizeof(nbuf));
+
 if (n->expiry != 0xffffffffU) {
- name = dns_fixedname_initname(&fn);
- dns_rbt_fullnamefromnode(node, name);
- dns_name_format(name, nbuf, sizeof(nbuf));
+ /* Normal NTA entries */
 isc_time_set(&t, n->expiry, 0);
 isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
@@ -557,11 +556,18 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
 n->expiry <= now ? "expired" : "expiry",
 tbuf);
- first = false;
- result = putstr(buf, obuf);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ } else {
+ /* "validate-except" entries */
+ snprintf(obuf, sizeof(obuf), "%s%s%s%s: %s",
+ first ? "" : "\n", nbuf,
+ view != NULL ? "/" : "",
+ view != NULL ? view : "", "permanent");
+ }
+
+ first = false;
+ result = putstr(buf, obuf);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
 }
 }
 result = dns_rbtnodechain_next(&chain, NULL, NULL);
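Review bot: The `else` branch added in the hunk at 557 passes the fixed word "permanent" through a `%s` conversion; folding it into the format string, `snprintf(obuf, sizeof(obuf), "%s%s%s%s: permanent", first ? "" : "\n", nbuf, view != NULL ? "/" : "", view != NULL ? view : "");`, drops an argument and keeps the emitted text readable in one place. The branch choice still rests on the bare `0xffffffffU` comparison in the hunk at 539, and the new `/* "validate-except" entries */` comment is the only hint that this value is the no-expiry sentinel; a comment on the condition, `/* expiry == 0xffffffff marks a validate-except entry, which never expires */`, or a named constant for the sentinel, would make both branches self-explaining and keep the test in sync with wherever that value is assigned. Both hunks fall inside dns_ntatable_totext(), whose head and cleanup label lie outside them.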
@@ -579,31 +585,6 @@ cleanup:
 return (result);
 }
-isc_result_t
-dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
- isc_result_t result;
- isc_buffer_t *text = NULL;
- int len = 4096;
-
- isc_buffer_allocate(ntatable->view->mctx, &text, len);
-
- result = dns_ntatable_totext(ntatable, NULL, &text);
-
- if (isc_buffer_usedlength(text) != 0) {
- (void)putstr(&text, "\n");
- } else if (result == ISC_R_SUCCESS) {
- (void)putstr(&text, "none");
- } else {
- (void)putstr(&text, "could not dump NTA table: ");
- (void)putstr(&text, isc_result_totext(result));
- }
-
- fprintf(fp, "%.*s", (int)isc_buffer_usedlength(text),
- (char *)isc_buffer_base(text));
- isc_buffer_free(&text);
- return (result);
-}
-
 isc_result_t
 dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
 isc_result_t result;
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 38ee1a123a..b5f2e57c65 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -673,7 +673,6 @@ dns_ntatable_covered
 dns_ntatable_create
 dns_ntatable_delete
 dns_ntatable_detach
-dns_ntatable_dump
 dns_ntatable_save
 dns_ntatable_totext
 dns_opcode_totext