mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 23:55:27 +00:00
Code Issues Releases Wiki Activity

Merge branch '1532-nta-validate-except' into 'master'

Browse Source 
list "validate-except" entries in "rndc nta -d" and "rndc secroots"

Closes #1532

See merge request isc-projects/bind9!3152
This commit is contained in:
Evan Hunt
2020-03-04 09:09:53 +00:00
parent 13073c95d3 7a3fa9f593
commit bae860d20a
6 changed files with 65 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -1,3 +1,8 @@
5359. [func] "rndc nta -d" and "rndc secroots" now include
"validate-except" entries when listing negative
trust anchors. These are indicated by the keyword
"permanent" in place of an expiry date. [GL #1532]
5358. [bug] Inline master zones whose master files were touched 5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135] may have stopped re-signing. [GL !3135]

38
bin/tests/system/dnssec/tests.sh
View File

@@ -1743,7 +1743,7 @@ check_secroots_layout named.secroots.test$n || ret=1
linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; static" named.secroots.test$n || true) linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; static" named.secroots.test$n || true)
[ "$linecount" -eq 1 ] || ret=1 [ "$linecount" -eq 1 ] || ret=1
linecount=$(< named.secroots.test$n wc -l) linecount=$(< named.secroots.test$n wc -l)
[ "$linecount" -eq 9 ] || ret=1 [ "$linecount" -eq 10 ] || ret=1
n=$((n+1)) n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret)) status=$((status+ret))
@@ -1863,14 +1863,14 @@ rndccmd 10.53.0.4 nta badds.example 2>&1 | sed 's/^/ns4 /' | cat_i
rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 reconfig 2>&1 | sed 's/^/ns4 /' | cat_i
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1
lines=$(wc -l < rndc.out.ns4.test$n.1) lines=$(wc -l < rndc.out.ns4.test$n.1)
[ "$lines" -eq 2 ] || ret=1 [ "$lines" -eq 3 ] || ret=1
rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i rndccmd 10.53.0.4 nta fakenode.secure.example 2>&1 | sed 's/^/ns4 /' | cat_i
# reload should maintain NTAs # reload should maintain NTAs
rndc_reload ns4 10.53.0.4 rndc_reload ns4 10.53.0.4
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.2
lines=$(wc -l < rndc.out.ns4.test$n.2) lines=$(wc -l < rndc.out.ns4.test$n.2)
[ "$lines" -eq 4 ] || ret=1 [ "$lines" -eq 5 ] || ret=1
# shellcheck disable=SC2016 # shellcheck disable=SC2016
start=$($PERL -e 'print time()."\n";') start=$($PERL -e 'print time()."\n";')
@@ -2077,7 +2077,7 @@ sleep 4
# #
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3 rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.3
lines=$(wc -l < rndc.out.ns4.test$n.3) lines=$(wc -l < rndc.out.ns4.test$n.3)
[ "$lines" -eq 1 ] || ret=1 [ "$lines" -eq 2 ] || ret=1
grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1 grep "bogus.example/_default: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1
dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1 dig_with_opts b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
@@ -2101,7 +2101,7 @@ n=$((n+1))
echo_i "testing loading regular attribute from NTA file ($n)" echo_i "testing loading regular attribute from NTA file ($n)"
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
lines=$(wc -l < rndc.out.ns4.test$n.1) lines=$(wc -l < rndc.out.ns4.test$n.1)
[ "$lines" -eq 0 ] || ret=1 [ "$lines" -eq 1 ] || ret=1
# initially, secure.example. validates with AD=1 # initially, secure.example. validates with AD=1
dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
@@ -2159,7 +2159,7 @@ n=$((n+1))
echo_i "testing loading forced attribute from NTA file ($n)" echo_i "testing loading forced attribute from NTA file ($n)"
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
lines=$(wc -l < rndc.out.ns4.test$n.1) lines=$(wc -l < rndc.out.ns4.test$n.1)
[ "$lines" -eq 0 ] || ret=1 [ "$lines" -eq 1 ] || ret=1
# initially, secure.example. validates with AD=1 # initially, secure.example. validates with AD=1
dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1 dig_with_opts a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
@@ -2240,10 +2240,11 @@ echo_i "sleeping for an additional 4 seconds for ns4 to fully startup"
sleep 4 sleep 4
# dump the NTA to a file (omit validate-except entries) # dump the NTA to a file (omit validate-except entries)
echo_i "testing 'rndc nta'" echo_i "testing 'rndc nta -d' with NTA"
rndccmd 10.53.0.4 nta -d > rndc.out.ns4.test$n.1 2>/dev/null rndccmd 10.53.0.4 nta -d | grep -v ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null
# "corp" is configured as a validate-except domain and thus should be # "corp" is configured as a validate-except domain and thus should be
# omitted. only "secure.example" should be in the dump at this point. # removed by the grep -v above. only "secure.example" should appear in
# the dump.
lines=$(wc -l < rndc.out.ns4.test$n.1) lines=$(wc -l < rndc.out.ns4.test$n.1)
[ "$lines" -eq 1 ] || ret=1 [ "$lines" -eq 1 ] || ret=1
grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1 grep 'secure.example' rndc.out.ns4.test$n.1 > /dev/null || ret=1
@@ -2265,11 +2266,28 @@ else
echo_i "skipped ntadiff test; install PERL module Time::Piece" echo_i "skipped ntadiff test; install PERL module Time::Piece"
fi fi
echo_i "testing 'rndc nta' lifetime clamping"
rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null
# "corp" is configured as a validate-except domain and thus should be
# the only entry in the dump.
lines=$(wc -l < rndc.out.ns4.test$n.1)
[ "$lines" -eq 1 ] || ret=1
grep 'corp/_default' rndc.out.ns4.test$n.1 > /dev/null || ret=1
# cleanup # cleanup
rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null rndccmd 10.53.0.4 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
n=$((n+1)) n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed - NTA lifetime clamping failed"; fi if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "testing 'rndc nta -d' displays validate-except entries"
rndccmd 10.53.0.4 nta -d | grep ": permanent" > rndc.out.ns4.test$n.1 2>/dev/null
lines=$(wc -l < rndc.out.ns4.test$n.1)
[ "$lines" -eq 1 ] || ret=1
grep 'corp/_default' rndc.out.ns4.test$n.1 > /dev/null || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret)) status=$((status+ret))
echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)" echo_i "checking that NTAs work with 'forward only;' to a validating resolver ($n)"

15
doc/arm/notes-9.17.0.xml
View File

@@ -11,6 +11,21 @@
<section xml:id="relnotes-9.17.0"><info><title>Notes for BIND 9.17.0</title></info> <section xml:id="relnotes-9.17.0"><info><title>Notes for BIND 9.17.0</title></info>
<section xml:id="relnotes-9.17.0-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The <command>rndc nta -dump</command> and
<command>rndc secroots</command> commands now both include
<command>validate-except</command> entries when listing negative
trust anchors. These are indicated by the keyword
<literal>permanent</literal> in place of the expiry
date. [GL #1532]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.0-bugs"><info><title>Bug Fixes</title></info> <section xml:id="relnotes-9.17.0-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist> <itemizedlist>
<listitem> <listitem>

6
lib/dns/include/dns/nta.h
View File

@@ -192,12 +192,6 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
* \li "*buf" is a valid buffer. * \li "*buf" is a valid buffer.
*/ */
isc_result_t
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp);
/*%<
* Dump the NTA table to the file opened as 'fp'.
*/
isc_result_t isc_result_t
dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp); dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp);
/*%< /*%<

53
lib/dns/nta.c
View File

@@ -539,13 +539,12 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
dns_name_t *name; dns_name_t *name;
isc_time_t t; isc_time_t t;
/* name = dns_fixedname_initname(&fn);
* Skip "validate-except" entries. dns_rbt_fullnamefromnode(node, name);
*/ dns_name_format(name, nbuf, sizeof(nbuf));
if (n->expiry != 0xffffffffU) { if (n->expiry != 0xffffffffU) {
name = dns_fixedname_initname(&fn); /* Normal NTA entries */
dns_rbt_fullnamefromnode(node, name);
dns_name_format(name, nbuf, sizeof(nbuf));
isc_time_set(&t, n->expiry, 0); isc_time_set(&t, n->expiry, 0);
isc_time_formattimestamp(&t, tbuf, isc_time_formattimestamp(&t, tbuf,
sizeof(tbuf)); sizeof(tbuf));
@@ -557,11 +556,18 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
n->expiry <= now ? "expired" n->expiry <= now ? "expired"
: "expiry", : "expiry",
tbuf); tbuf);
first = false; } else {
result = putstr(buf, obuf); /* "validate-except" entries */
if (result != ISC_R_SUCCESS) { snprintf(obuf, sizeof(obuf), "%s%s%s%s: %s",
goto cleanup; first ? "" : "\n", nbuf,
} view != NULL ? "/" : "",
view != NULL ? view : "", "permanent");
}
first = false;
result = putstr(buf, obuf);
if (result != ISC_R_SUCCESS) {
goto cleanup;
} }
} }
result = dns_rbtnodechain_next(&chain, NULL, NULL); result = dns_rbtnodechain_next(&chain, NULL, NULL);
@@ -579,31 +585,6 @@ cleanup:
return (result); return (result);
} }
isc_result_t
dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
isc_result_t result;
isc_buffer_t *text = NULL;
int len = 4096;
isc_buffer_allocate(ntatable->view->mctx, &text, len);
result = dns_ntatable_totext(ntatable, NULL, &text);
if (isc_buffer_usedlength(text) != 0) {
(void)putstr(&text, "\n");
} else if (result == ISC_R_SUCCESS) {
(void)putstr(&text, "none");
} else {
(void)putstr(&text, "could not dump NTA table: ");
(void)putstr(&text, isc_result_totext(result));
}
fprintf(fp, "%.*s", (int)isc_buffer_usedlength(text),
(char *)isc_buffer_base(text));
isc_buffer_free(&text);
return (result);
}
isc_result_t isc_result_t
dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) { dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
isc_result_t result; isc_result_t result;

1
lib/dns/win32/libdns.def.in
View File

@@ -673,7 +673,6 @@ dns_ntatable_covered
dns_ntatable_create dns_ntatable_create
dns_ntatable_delete dns_ntatable_delete
dns_ntatable_detach dns_ntatable_detach
dns_ntatable_dump
dns_ntatable_save dns_ntatable_save
dns_ntatable_totext dns_ntatable_totext
dns_opcode_totext dns_opcode_totext