diff --git a/CHANGES b/CHANGES
index 376ca421fe..bcf492e3f8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 --- 9.9.0 released ---
+3270. [bug] "rndc reload" didn't reuse existing zones correctly
+ when inline-signing was in use. [RT #27650]
+
 3269. [port] darwin 11 and later now built threaded by default.
 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
diff --git a/bin/named/server.c b/bin/named/server.c
index 36581ced8c..64e1ad7003 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: server.c,v 1.638 2012/01/25 02:46:53 marka Exp $ */
+/* $Id: server.c,v 1.639 2012/01/31 01:13:09 each Exp $ */
 /*! \file */
@@ -3406,6 +3406,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 result = dns_view_findzone(pview, origin, &zone);
 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
 goto cleanup;
+
 if (zone != NULL && !ns_zone_reusable(zone, zconfig))
 dns_zone_detach(&zone);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 4d6a2ce2e9..c5ce96d45a 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zoneconf.c,v 1.186 2011/12/20 00:06:54 marka Exp $ */
+/* $Id: zoneconf.c,v 1.187 2012/01/31 01:13:09 each Exp $ */
 /*% */
@@ -1600,18 +1600,50 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 const char *zfilename;
 dns_zone_t *raw = NULL;
 isc_boolean_t has_raw;
+ dns_zonetype_t ztype;
 zoptions = cfg_tuple_get(zconfig, "options");
- if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone))
- return (ISC_FALSE);
-
 /*
 * We always reconfigure a static-stub zone for simplicity, assuming
 * the amount of data to be loaded is small.
 */
- if (zonetype_fromconfig(zoptions) == dns_zone_staticstub)
+ if (zonetype_fromconfig(zoptions) == dns_zone_staticstub) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: staticstub");
 return (ISC_FALSE);
+ }
+
+ /* If there's a raw zone, use that for filename and type comparison */
+ dns_zone_getraw(zone, &raw);
+ if (raw != NULL) {
+ zfilename = dns_zone_getfile(raw);
+ ztype = dns_zone_gettype(raw);
+ dns_zone_detach(&raw);
+ has_raw = ISC_TRUE;
+ } else {
+ zfilename = dns_zone_getfile(zone);
+ ztype = dns_zone_gettype(zone);
+ has_raw = ISC_FALSE;
+ }
+
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "inline-signing", &obj);
+ if ((obj == NULL || !cfg_obj_asboolean(obj)) && has_raw) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: old zone was inline-signing");
+ return (ISC_FALSE);
+ } else if ((obj != NULL && cfg_obj_asboolean(obj)) && !has_raw) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: old zone was not inline-signing");
+ return (ISC_FALSE);
+ }
+
+ if (zonetype_fromconfig(zoptions) != ztype) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: type mismatch");
+ return (ISC_FALSE);
+ }
 obj = NULL;
 (void)cfg_map_get(zoptions, "file", &obj);
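Review bot: `zfilename = dns_zone_getfile(raw)` is kept across `dns_zone_detach(&raw)`, which releases the reference `dns_zone_getraw()` took, and the pointer is dereferenced later in `strcmp(cfilename, zfilename)` in this file's second hunk; that is only safe if `zone` holds its own reference to the raw zone for the whole call, which is presumably the case but is not stated anywhere in the function. Either delay the detach until after the filename comparison or add `/* zfilename points into raw; valid only because zone keeps its own reference to it. */` above the detach. `zonetype_fromconfig(zoptions)` is also now evaluated twice in the same function; `dns_zonetype_t ctype = zonetype_fromconfig(zoptions);` once next to the new `ztype` declaration would read better. ns_zone_reusable's signature is outside the hunk.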
@@ -1619,25 +1651,14 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 cfilename = cfg_obj_asstring(obj);
 else
 cfilename = NULL;
- zfilename = dns_zone_getfile(zone);
 if (!((cfilename == NULL && zfilename == NULL) || (cfilename != NULL && zfilename != NULL && strcmp(cfilename, zfilename) == 0)))
+ {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: filename mismatch");
 return (ISC_FALSE);
-
- dns_zone_getraw(zone, &raw);
- if (raw != NULL) {
- dns_zone_detach(&raw);
- has_raw = ISC_TRUE;
- } else
- has_raw = ISC_FALSE;
-
- obj = NULL;
- (void)cfg_map_get(zoptions, "inline-signing", &obj);
- if ((obj == NULL || !cfg_obj_asboolean(obj)) && has_raw)
- return (ISC_FALSE);
- if ((obj != NULL && cfg_obj_asboolean(obj)) && !has_raw)
- return (ISC_FALSE);
+ }
 return (ISC_TRUE);
 }
diff --git a/bin/tests/system/inline/ns3/master3.db.in b/bin/tests/system/inline/ns3/master3.db.in
new file mode 100644
index 0000000000..658e7e083e
--- /dev/null
+++ b/bin/tests/system/inline/ns3/master3.db.in
@@ -0,0 +1,136 @@
+; Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: master3.db.in,v 1.2 2012/01/31 01:13:09 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns3 . (
+ 2000042409 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+d A 10.0.0.4
+e A 10.0.0.5
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
+
+update-nsec3 NS ns.update-nsec3
+ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
+
+
+below-cname CNAME some.where.else.
+
+insecure.below-cname NS ns.insecure.below-cname
+ns.insecure.below-cname A 10.53.0.3
+
+secure.below-cname NS ns.secure.below-cname
+ns.secure.below-cname A 10.53.0.3
+
+ttlpatch NS ns.ttlpatch
+ns.ttlpatch A 10.53.0.3
+
+split-dnssec NS ns.split-dnssec
+ns.split-dnssec A 10.53.0.3
+
+split-smart NS ns.split-smart
+ns.split-smart A 10.53.0.3
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index a5ef0b156d..736b938901 100644
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.16 2012/01/17 08:26:03 marka Exp $
+# $Id: tests.sh,v 1.17 2012/01/31 01:13:09 each Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -319,10 +319,8 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:check adding of record to unsigned master ($n)"
 ret=0
-sleep 1
 cp ns3/master2.db.in ns3/master.db
 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
-
 for i in 1 2 3 4 5 6 7 8 9
 do
 ans=0
@@ -333,7 +331,35 @@ do
 sleep 1
 done
 [ $ans = 0 ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:check adding record fails when SOA serial not changed ($n)"
+ret=0
+echo "c A 10.0.0.3" >> ns3/master.db
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload || ret=1
+sleep 1
+$DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
+grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:check adding record works after updating SOA serial ($n)"
+ret=0
+cp ns3/master3.db.in ns3/master.db
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload master || ret=1
+for i in 1 2 3 4 5 6 7 8 9
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 c.master A > dig.out.ns3.test$n
+ grep "10.0.0.3" dig.out.ns3.test$n > /dev/null || ans=1
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -647,6 +673,15 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:check rndc reload allows reuse of inline-signing zones ($n)"
+ret=0
+{ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload 2>&1 || ret=1 ; } |
+sed 's/^/I:ns3 /'
+grep "not reusable" ns3/named.run > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I:check rndc sync removes both signed and unsigned journals ($n)"
 ret=0
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index ab6b28322c..b4039bdb85 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.c,v 1.667 2012/01/30 00:06:13 marka Exp $ */
+/* $Id: zone.c,v 1.668 2012/01/31 01:13:10 each Exp $ */
 /*! \file */
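Review bot: `ret=1` in the new inline-signing reuse check (the `@@ -647` hunk) is lost: `{ $RNDC … reload 2>&1 || ret=1 ; }` is the left side of a pipeline into `sed`, so it runs in a subshell and the assignment never reaches the script's `ret`, leaving a failed rndc reload undetected. Capture the output instead and prefix it afterwards: `$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > rndc.out.test$n 2>&1 || ret=1` then `sed 's/^/I:ns3 /' rndc.out.test$n`. The `grep "not reusable" ns3/named.run` also scans the whole log, so a "not reusable" line written by any earlier reload in this run would fail this check as well; recording the log length before the reload and grepping only what was appended would scope it to this reload. That grep presumably also depends on ns3 running at debug level 1 or higher, since the message is logged with ISC_LOG_DEBUG(1).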
@@ -3768,9 +3768,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 }
 }
- zone->loadtime = loadtime;
-
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded; checking validity");
 /*
 * Master / Slave / Stub zones require both NS and SOA records at
@@ -4033,6 +4031,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", serial, dns_db_issecure(db) ? " (DNSSEC signed)" : "");
+ zone->loadtime = loadtime;
 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
 return (result);
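Review bot: Neither hunk says why `zone->loadtime = loadtime;` moves from before the validity checks to just ahead of `DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING)`, so nothing stops the next reader from hoisting it back; a one-line comment at the new assignment would fix that, e.g. `/* Set loadtime only once the zone passed validation; a rejected load must not count as loaded. */` (the intent is inferred from the new tests.sh checks — confirm). With the assignment now at the very end, any other successful exit from zone_postload between the two hunks, outside the visible lines, no longer updates loadtime, which is worth checking. zone_postload begins and ends outside both hunks.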