Do not reuse zones whose "mirror" setting was changed

Update named_zone_reusable() so that it does not consider a zone to be eligible for reuse if its old value of the "mirror" option differs from the new one. This causes "rndc reconfig" to create a new zone structure whenever the value of the "mirror" option is changed, which ensures that the previous zone database is not reused and that flags are properly set in responses sourced from zones whose "mirror" setting was changed at runtime.
2025-08-29 13:38:26 +00:00 · 2018-07-05 10:54:56 +02:00 · 2018-07-05 10:54:56 +02:00 · dbfd19c668
commit dbfd19c668
parent 802a58d5c6
6 changed files with 73 additions and 2 deletions
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -1892,7 +1892,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 	const char *cfilename;
 	const char *zfilename;
 	dns_zone_t *raw = NULL;
-	isc_boolean_t has_raw;
+	isc_boolean_t has_raw, mirror;
 	dns_zonetype_t ztype;

 	zoptions = cfg_tuple_get(zconfig, "options");
@ -1932,6 +1932,21 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 		return (ISC_FALSE);
 	}

+	/*
+	 * Do not reuse a zone whose "mirror" setting was changed.
+	 */
+	obj = NULL;
+	mirror = ISC_FALSE;
+	(void)cfg_map_get(zoptions, "mirror", &obj);
+	if (obj != NULL) {
+		mirror = cfg_obj_asboolean(obj);
+	}
+	if (dns_zone_ismirror(zone) != mirror) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "not reusable: mirror setting changed");
+		return (ISC_FALSE);
+	}
+
 	if (zonetype_fromconfig(zoptions) != ztype) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "not reusable: type mismatch");
--- a/bin/tests/system/mirror/clean.sh
+++ b/bin/tests/system/mirror/clean.sh
@ -17,6 +17,7 @@ rm -f */K*
 rm -f */db-*
 rm -f */dsset-*
 rm -f */jn-*
+rm -f */managed-keys.bind*
 rm -f */named.memstats
 rm -f */named.run
 rm -f dig.out.*
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@ -56,6 +56,11 @@ zone "verify-ixfr" {
 	ixfr-from-differences yes;
 };

+zone "verify-reconfig" {
+	type master;
+	file "verify-reconfig.db.signed";
+};
+
 zone "verify-unsigned" {
 	type master;
 	file "verify.db.in";
--- a/bin/tests/system/mirror/ns2/sign.sh
+++ b/bin/tests/system/mirror/ns2/sign.sh
@ -36,7 +36,7 @@ ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
 UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
 UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`

-for variant in axfr ixfr load untrusted; do
+for variant in axfr ixfr load reconfig untrusted; do
 	zone=verify-$variant
 	infile=verify.db.in
 	zonefile=verify-$variant.db
--- a/bin/tests/system/mirror/ns3/named.conf.in
+++ b/bin/tests/system/mirror/ns3/named.conf.in
@ -72,6 +72,14 @@ zone "verify-load" {
 	masterfile-format text;
 };

+zone "verify-reconfig" {
+	type slave;
+	masters { 10.53.0.2; };
+	mirror yes;
+	file "verify-reconfig.db.mirror";
+	masterfile-format text;
+};
+
 zone "verify-unsigned" {
 	type slave;
 	masters { 10.53.0.2; };
--- a/bin/tests/system/mirror/tests.sh
+++ b/bin/tests/system/mirror/tests.sh
@ -362,5 +362,47 @@ grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo_i "checking that \"rndc reconfig\" properly handles a yes -> no \"mirror\" setting change ($n)"
+ret=0
+# Sanity check before we start.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Reconfigure the zone so that it is no longer a mirror zone.
+nextpart ns3/named.run > /dev/null
+sed '/^zone "verify-reconfig" {$/,/^};$/{s/mirror yes;/mirror no;/}' ns3/named.conf > ns3/named.conf.modified
+mv ns3/named.conf.modified ns3/named.conf
+$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1
+# Zones whose "mirror" setting was changed should not be reusable, which means
+# the tested zone should have been reloaded from disk.
+wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run
+# Ensure responses sourced from the reconfigured zone have AA=1 and AD=0.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that \"rndc reconfig\" properly handles a no -> yes \"mirror\" setting change ($n)"
+ret=0
+# Put an incorrectly signed version of the zone in the zone file used by ns3.
+nextpart ns3/named.run > /dev/null
+cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror
+# Reconfigure the zone so that it is a mirror zone again.
+sed '/^zone "verify-reconfig" {$/,/^};$/{s/mirror no;/mirror yes;/}' ns3/named.conf > ns3/named.conf.modified
+mv ns3/named.conf.modified ns3/named.conf
+$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1
+# The reconfigured zone should fail verification.
+wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpart ns3/named.run | grep "No correct RSASHA256 signature for verify-reconfig SOA" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1