From cef109efa70b55ec1cd3ed706a9607ba1c3382d5 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Mon, 23 Nov 2009 02:55:41 +0000
Subject: [PATCH] 2780. [bug] dnssec-keygen -A none didn't properly unset the activation date in all cases. [RT #20648] 2779. [bug] Dynamic key revokation could fail. [RT #20644] 2778. [bug] dnssec-signzone could fail when a key was revoked without deleting the unrevoked version. [RT #20638]
---
 CHANGES | 12 ++++++++--
 bin/dnssec/dnssec-keyfromlabel.c | 8 ++++---
 bin/dnssec/dnssec-keygen.c | 9 ++++---
 bin/dnssec/dnssec-signzone.c | 21 ++++++-----------
 bin/named/update.c | 6 ++---
 lib/dns/dnssec.c | 27 +++++++++++----------
 lib/dns/include/dns/dnssec.h | 11 ++++-----
 lib/dns/zone.c | 40 ++++++++++++++------------------
 8 files changed, 67 insertions(+), 67 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9be2e9470c..aedfea7da5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+ --- 9.7.0b3 released ---
+
+2780. [bug] dnssec-keygen -A none didn't properly unset the
+ activation date in all cases. [RT #20648]
+
+2779. [bug] Dynamic key revokation could fail. [RT #20644]
+
+2778. [bug] dnssec-signzone could fail when a key was revoked
+ without deleting the unrevoked version. [RT #20638]
+
 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 2776. [bug] Change #2762 was not correct. [RT #20647]
@@ -11,8 +21,6 @@
 2773. [bug] In autosigned zones, the SOA could be signed with the KSK. [RT #20628]
- --- 9.7.0b3 released ---
-
 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438]
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 918cf24ac2..d615e58d06 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: dnssec-keyfromlabel.c,v 1.27 2009/11/21 17:51:49 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.28 2009/11/23 02:55:40 each Exp $ */
 /*! \file */
@@ -461,12 +461,14 @@ main(int argc, char **argv) {
 if (setpub) dst_key_settime(key, DST_TIME_PUBLISH, publish);
- else if (!genonly)
+ else if (setact)
+ dst_key_settime(key, DST_TIME_PUBLISH, activate);
+ else if (!genonly && !unsetpub)
 dst_key_settime(key, DST_TIME_PUBLISH, now); if (setact) dst_key_settime(key, DST_TIME_ACTIVATE, activate);
- else if (!genonly)
+ else if (!genonly && !unsetact)
 dst_key_settime(key, DST_TIME_ACTIVATE, now); if (setrev) {
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index b40d477a71..7095170711 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: dnssec-keygen.c,v 1.106 2009/10/28 00:27:10 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.107 2009/11/23 02:55:40 each Exp $ */
 /*! \file */
@@ -772,13 +772,16 @@ main(int argc, char **argv) {
 if (setpub) dst_key_settime(key, DST_TIME_PUBLISH, publish);
- else if (!genonly && !setact)
+ else if (setact)
+ dst_key_settime(key, DST_TIME_PUBLISH,
+ activate);
+ else if (!genonly && !unsetpub)
 dst_key_settime(key, DST_TIME_PUBLISH, now); if (setact) dst_key_settime(key, DST_TIME_ACTIVATE, activate);
- else if (!genonly && !setpub)
+ else if (!genonly && !unsetact)
 dst_key_settime(key, DST_TIME_ACTIVATE, now); if (setrev) {
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 5c2deede34..4bc1df2056 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: dnssec-signzone.c,v 1.253 2009/11/16 04:27:44 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.254 2009/11/23 02:55:40 each Exp $ */
 /*! \file */
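Review bot: The new `else if (setact)` branch in the dnssec-keyfromlabel.c hunk at -461 runs before the `!unsetpub` test is reached, so `-P none` given together with `-A <date>` still ends up with a publish time equal to the activation time; the dnssec-keygen.c hunk at -772 has the same ordering. Unless option parsing already rejects that combination (not visible here), `else if (setact && !unsetpub)` in both files would keep an explicit unset honoured, which is what change 2780 is about. The two programs now carry an identical five-branch timing block, so a shared helper would keep the next correction from having to land twice. Both hunks are inside main(), which begins and ends outside them.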
@@ -2760,7 +2760,7 @@
 static void build_final_keylist() { isc_result_t result; dns_dbversion_t *ver = NULL;
- dns_diff_t del, add;
+ dns_diff_t diff;
 dns_dnsseckeylist_t matchkeys; char name[DNS_NAME_FORMATSIZE];
@@ -2777,31 +2777,24 @@ build_final_keylist() {
 result = dns_db_newversion(gdb, &ver); check_result(result, "dns_db_newversion");
- dns_diff_init(mctx, &del);
- dns_diff_init(mctx, &add);
+ dns_diff_init(mctx, &diff);
 /* * Update keylist with information from from the key repository. */ dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
- &add, &del, ignore_kskflag, mctx, report);
+ &diff, ignore_kskflag, mctx, report);
 dns_name_format(gorigin, name, sizeof(name));
- result = dns_diff_applysilently(&del, gdb, ver);
+ result = dns_diff_applysilently(&diff, gdb, ver);
 if (result != ISC_R_SUCCESS)
- fatal("failed to delete DNSKEYs at node '%s': %s",
- name, isc_result_totext(result));
-
- result = dns_diff_applysilently(&add, gdb, ver);
- if (result != ISC_R_SUCCESS)
- fatal("failed to add DNSKEYs at node '%s': %s",
+ fatal("failed to update DNSKEY RRset at node '%s': %s",
 name, isc_result_totext(result)); dns_db_closeversion(gdb, &ver, ISC_TRUE);
- dns_diff_clear(&del);
- dns_diff_clear(&add);
+ dns_diff_clear(&diff);
 } static void
diff --git a/bin/named/update.c b/bin/named/update.c
index a31606a4a9..4fb9fb0df6 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: update.c,v 1.169 2009/11/18 21:22:31 each Exp $ */
+/* $Id: update.c,v 1.170 2009/11/23 02:55:41 each Exp $ */
 #include
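Review bot: The result of `dns_dnssec_updatekeys()` is still thrown away in the build_final_keylist() hunk at -2777, although this commit's dnssec.h hunk declares it `isc_result_t` and its body in lib/dns/dnssec.c appears to return early through RETERR() when a tuple cannot be created, so a partially built `diff` would be applied silently and the zone signed with an incomplete DNSKEY set. The function already uses check_result() on dns_db_newversion() two lines earlier, so `result = dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl, &diff, ignore_kskflag, mctx, report);` followed by `check_result(result, "dns_dnssec_updatekeys");` fits the existing style. build_final_keylist() starts before this hunk; its closing brace is inside it.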
@@ -1883,8 +1883,8 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 (isc_stdtime_t) 0, &rdataset, NULL)); dns_db_detachnode(db, &node);
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
 #define ALG(x) dst_key_alg(x) /*
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index c629dcf197..9033c8b386 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */ /*
- * $Id: dnssec.c,v 1.110 2009/11/17 05:46:53 each Exp $
+ * $Id: dnssec.c,v 1.111 2009/11/23 02:55:41 each Exp $
 */ /*! \file */
@@ -1078,7 +1078,7 @@ get_hints(dns_dnsseckey_t *key) {
 * * If it hasn't already been done, we should also revoke it now. */
- if (key->hint_publish && (revset && revoke < now)) {
+ if (key->hint_publish && (revset && revoke <= now)) {
 isc_uint32_t flags; key->hint_sign = ISC_TRUE; flags = dst_key_flags(key->key);
@@ -1384,7 +1384,7 @@ make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
 } static isc_result_t
-publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
+publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk, void (*report)(const char *, ...)) {
@@ -1418,7 +1418,7 @@ publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
 /* publish key */ RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl, &dnskey, &tuple));
- dns_diff_append(add, &tuple);
+ dns_diff_appendminimal(diff, &tuple);
 result = ISC_R_SUCCESS; failure:
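Review bot: The corrected `REVOKE(x)` and `KSK(x)` macros in add_sigs() are defined verbatim here and again in lib/dns/zone.c at -4549, and this commit had to repeat the same `== 1` fix in both places. One definition beside DNS_KEYFLAG_REVOKE/DNS_KEYFLAG_KSK in the dns headers, or a `static inline` predicate, would stop the two copies drifting apart again. As function-body `#define`s they also stay visible for the rest of each translation unit unless paired with `#undef`, which neither hunk shows. add_sigs() begins and ends outside the hunk.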
@@ -1426,7 +1426,7 @@ publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
 } static isc_result_t
-remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
+remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
 dns_ttl_t ttl, isc_mem_t *mctx, const char *reason, void (*report)(const char *, ...)) {
@@ -1443,7 +1443,7 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
 RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey)); RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey, &tuple));
- dns_diff_append(del, &tuple);
+ dns_diff_appendminimal(diff, &tuple);
 result = ISC_R_SUCCESS; failure:
@@ -1459,9 +1459,8 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
 isc_result_t dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin,
- dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
- isc_boolean_t allzsk, isc_mem_t *mctx,
- void (*report)(const char *, ...))
+ dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+ isc_mem_t *mctx, void (*report)(const char *, ...))
 { isc_result_t result; dns_dnsseckey_t *key, *key1, *key2, *next;
@@ -1476,7 +1475,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 key = ISC_LIST_NEXT(key, link)) { if (key->source == dns_keysource_user && (key->hint_publish || key->force_publish)) {
- RETERR(publish_key(add, key, origin, ttl,
+ RETERR(publish_key(diff, key, origin, ttl,
 mctx, allzsk, report)); } }
@@ -1515,7 +1514,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 if (key1->source != dns_keysource_zoneapex && (key1->hint_publish || key1->force_publish)) {
- RETERR(publish_key(add, key1, origin, ttl,
+ RETERR(publish_key(diff, key1, origin, ttl,
 mctx, allzsk, report)); if (key1->hint_sign || key1->force_sign) key1->first_sign = ISC_TRUE;
@@ -1526,7 +1525,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 /* Match found: remove or update it as needed */ if (key1->hint_remove) {
- RETERR(remove_key(del, key2, origin, ttl, mctx,
+ RETERR(remove_key(diff, key2, origin, ttl, mctx,
 "expired", report)); ISC_LIST_UNLINK(*keys, key2, link); if (removed != NULL)
@@ -1541,7 +1540,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 * We need to remove the old version and pull * in the new one. */
- RETERR(remove_key(del, key2, origin, ttl, mctx,
+ RETERR(remove_key(diff, key2, origin, ttl, mctx,
 "revoked", report)); ISC_LIST_UNLINK(*keys, key2, link); if (removed != NULL)
@@ -1549,7 +1548,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 else dns_dnsseckey_destroy(mctx, &key2);
- RETERR(publish_key(add, key1, origin, ttl,
+ RETERR(publish_key(diff, key1, origin, ttl,
 mctx, allzsk, report)); ISC_LIST_UNLINK(*newkeys, key1, link); ISC_LIST_APPEND(*keys, key1, link);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 2edc8efe71..bc2549b958 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: dnssec.h,v 1.39 2009/10/27 03:59:45 each Exp $ */
+/* $Id: dnssec.h,v 1.40 2009/11/23 02:55:41 each Exp $ */
 #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1
@@ -290,19 +290,18 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 isc_result_t dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin,
- dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
- isc_boolean_t allzsk, isc_mem_t *mctx,
- void (*report)(const char *, ...));
+ dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+ isc_mem_t *mctx, void (*report)(const char *, ...));
 /*%< * Update the list of keys in 'keys' with new key information in 'newkeys'. * * For each key in 'newkeys', see if it has a match in 'keys'. * - If not, and if the metadata says the key should be published:
- * add it to 'keys', and place a dns_difftuple into 'add' so
+ * add it to 'keys', and place a dns_difftuple into 'diff' so
 * the key can be added to the DNSKEY set. If the metadata says it * should be active, set the first_sign flag. * - If so, and if the metadata says it should be removed:
- * remove it from 'keys', and place a dns_difftuple into 'del' so
+ * remove it from 'keys', and place a dns_difftuple into 'diff' so
 * the key can be removed from the DNSKEY set. if 'removed' is non-NULL, * copy the key into that list; otherwise destroy it. * - Otherwise, make sure keys has current metadata.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1473360003..aa4fbd01fa 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: zone.c,v 1.530 2009/11/18 21:22:31 each Exp $ */
+/* $Id: zone.c,v 1.531 2009/11/23 02:55:41 each Exp $ */
 /*! \file */
@@ -4549,8 +4549,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 goto failure; }
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
 #define ALG(x) dst_key_alg(x) for (i = 0; i < nkeys; i++) {
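Review bot: The updated dns_dnssec_updatekeys() comment in dnssec.h still says each tuple is merely placed into 'diff', but with this commit publish_key() and remove_key() in lib/dns/dnssec.c append through `dns_diff_appendminimal()`, which (if it keeps its usual semantics) drops a DEL and an ADD of an identical RR as a pair instead of recording both; callers that used to receive separate 'add' and 'del' lists need to know that. I would add one line after the removal bullet: ` * Tuples are appended with dns_diff_appendminimal(), so a delete and an add of the same RR cancel out rather than both being applied.` The comment block continues past the end of the hunk.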
@@ -13441,7 +13441,7 @@ zone_rekey(dns_zone_t *zone) {
 dns_rdataset_t soaset, soasigs, keyset, keysigs; dns_dnsseckeylist_t dnskeys, keys, oldkeys; dns_dnsseckey_t *key;
- dns_diff_t add, del;
+ dns_diff_t diff;
 isc_boolean_t commit = ISC_FALSE; dns_ttl_t ttl = 3600; const char *dir;
@@ -13459,8 +13459,7 @@ zone_rekey(dns_zone_t *zone) {
 dns_rdataset_init(&keysigs); dir = dns_zone_getkeydirectory(zone); mctx = zone->mctx;
- dns_diff_init(mctx, &add);
- dns_diff_init(mctx, &del);
+ dns_diff_init(mctx, &diff);
 isc_stdtime_get(&now); CHECK(dns_zone_getdb(zone, &db));
@@ -13492,23 +13491,15 @@ zone_rekey(dns_zone_t *zone) {
 check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &oldkeys,
- &zone->origin, ttl, &add, &del,
+ &zone->origin, ttl, &diff,
 ISC_TF(!check_ksk), mctx, logmsg));
- if (!ISC_LIST_EMPTY(del.tuples)) {
+ if (!ISC_LIST_EMPTY(diff.tuples)) {
 commit = ISC_TRUE;
- add_signing_records(db, zone->privatetype, ver, &del);
- dns_diff_apply(&del, db, ver);
- result = increment_soa_serial(db, ver, &del, mctx);
+ add_signing_records(db, zone->privatetype, ver, &diff);
+ dns_diff_apply(&diff, db, ver);
+ result = increment_soa_serial(db, ver, &diff, mctx);
 if (result == ISC_R_SUCCESS)
- zone_journal(zone, &del, "zone_rekey");
- }
- if (!ISC_LIST_EMPTY(add.tuples)) {
- commit = ISC_TRUE;
- add_signing_records(db, zone->privatetype, ver, &add);
- dns_diff_apply(&add, db, ver);
- result = increment_soa_serial(db, ver, &add, mctx);
- if (result == ISC_R_SUCCESS)
- zone_journal(zone, &add, "zone_rekey");
+ zone_journal(zone, &diff, "zone_rekey");
 } }
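Review bot: `dns_diff_apply(&diff, db, ver);` in the zone_rekey() hunk at -13492 still ignores its isc_result_t, so if the apply fails the code goes on to increment the SOA serial, journal a diff that never reached the database, and leave `commit` set to ISC_TRUE (presumably consulted when the version is closed later, outside the hunk). Now that adds and deletes travel in one diff, a single failed apply also means the old DNSKEY was not removed. The function already wraps dns_zone_getdb() and dns_dnssec_updatekeys() in CHECK(), so `CHECK(dns_diff_apply(&diff, db, ver));` fits in, and `result = increment_soa_serial(db, ver, &diff, mctx);` could go through CHECK() as well rather than only gating zone_journal(). zone_rekey() starts before this hunk and ends after the -13566 hunk on the next line.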
@@ -13548,16 +13539,22 @@ zone_rekey(dns_zone_t *zone) {
 * key metadata indicates there is a key change event * scheduled in the future, set the key refresh timer. */
+//HERE
+dns_zone_log(zone, ISC_LOG_NOTICE, "1");
 if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) break;
+dns_zone_log(zone, ISC_LOG_NOTICE, "2");
 result = next_keyevent(key->key, &then); if (result != ISC_R_SUCCESS) continue;
+dns_zone_log(zone, ISC_LOG_NOTICE, "3");
 isc_time_set(&timethen, then, 0); if (isc_time_isepoch(&zone->refreshkeytime) || isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
+//HERE
+dns_zone_log(zone, ISC_LOG_NOTICE, "setting refreshkeytime to %d\n", then);
 zone->refreshkeytime = timethen; zone_settimer(zone, &timenow); }
@@ -13566,8 +13563,7 @@ zone_rekey(dns_zone_t *zone) {
 result = ISC_R_SUCCESS; failure:
- dns_diff_clear(&add);
- dns_diff_clear(&del);
+ dns_diff_clear(&diff);
 clear_keylist(&dnskeys, mctx); clear_keylist(&keys, mctx);
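Review bot: The zone_rekey() hunk at -13548 commits debugging scaffolding: two `//HERE` markers and four `dns_zone_log(zone, ISC_LOG_NOTICE, ...)` calls at column 0 that log "1", "2", "3" at NOTICE level on every rekey pass. The last one hands `then` to `%d` with a trailing `\n`; if `then` is an isc_stdtime_t (unsigned) the conversion does not match, and the embedded newline will look wrong if dns_zone_log terminates lines itself, as ISC log calls presumably do. All six added lines should be dropped before merge; if a trace is really wanted, a single `dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_rekey: next key event at %u", then);` inside the `if` would be the conventional form. The `//` comments are also out of keeping with the `/* */` style used elsewhere in the hunk, and the enclosing function begins before it.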