diff --git a/CHANGES b/CHANGES
index ff34e5dd65..0743ef503a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 --- 9.11.0rc1 released ---
+4453. [bug] Prefetching of DS records failed to update their
+ RRSIGs. [RT #42865]
+
 4452. [bug] The default key manager policy file is now /dnssec-policy.conf (usually /etc/dnssec-policy.conf). [RT #43064]
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 4642cac3b7..c710f72aef 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -21,9 +21,12 @@ rm -f dig.*.prime.*
 rm -f ns4/tld.db
 rm -f ns6/K*
 rm -f ns6/example.net.db.signed ns6/example.net.db
+rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+rm -f ns6/dsset-ds.example.net.
 rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl ns7/named.conf
 rm -f resolve.out
 rm -f .digrc
 rm -f ns*/named.lock
+rm -f ns5/trusted.conf
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
index 1194929a54..da9fd5c901 100644
--- a/bin/tests/system/resolver/ns4/root.db
+++ b/bin/tests/system/resolver/ns4/root.db
@@ -19,3 +19,5 @@ a.root-servers.nil. A 10.53.0.4
 all-cnames NS cname.tld
 delegation-only. NS ns.delegation-only.
 ns.delegation-only. A 10.53.0.6
+example.net. NS ns.example.net.
+ns.example.net. A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns5/named.conf b/bin/tests/system/resolver/ns5/named.conf
index af0f74e0b0..179fa1eb4d 100644
--- a/bin/tests/system/resolver/ns5/named.conf
+++ b/bin/tests/system/resolver/ns5/named.conf
@@ -46,3 +46,5 @@ zone "child.server" {
 zone "delegation-only" {
 type delegation-only;
 };
+
+include "trusted.conf";
diff --git a/bin/tests/system/resolver/ns6/ds.example.net.db.in b/bin/tests/system/resolver/ns6/ds.example.net.db.in
new file mode 100644
index 0000000000..513d070add
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/ds.example.net.db.in
@@ -0,0 +1,12 @@
+; Copyright (C) 2010, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+; $Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/example.net.db.in b/bin/tests/system/resolver/ns6/example.net.db.in
index ed16f03e03..e956573a70 100644
--- a/bin/tests/system/resolver/ns6/example.net.db.in
+++ b/bin/tests/system/resolver/ns6/example.net.db.in
@@ -14,4 +14,7 @@ ns IN A 10.53.0.6
 mail IN A 10.53.0.6
 fetch 10 IN TXT A short ttl
 non-zero 10 IN TXT A short ttl
-zero 0 IN TXT A zero ttl
+zero 0 IN TXT A zero ttl
+$TTL 10
+ds IN NS ns.ds
+ns.ds IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
index 5573d83a66..c1193d584f 100644
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -11,7 +11,7 @@ SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
-zone=example.net
+zone=ds.example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
@@ -19,3 +19,23 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
 cat $ksk.key $zsk.key >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+zone=example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+# Configure a trusted key statement (used by delve)
+cat $ksk.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print < ../ns5/trusted.conf
diff --git a/bin/tests/system/resolver/ns6/named.conf b/bin/tests/system/resolver/ns6/named.conf
index 4b07dba7ce..17b623918e 100644
--- a/bin/tests/system/resolver/ns6/named.conf
+++ b/bin/tests/system/resolver/ns6/named.conf
@@ -41,6 +41,12 @@ zone "example.net" {
 allow-update { any; };
 };
+zone "ds.example.net" {
+ type master;
+ file "ds.example.net.db.signed";
+ allow-update { any; };
+};
+
 zone "to-be-removed.tld" {
 type master;
 file "to-be-removed.tld.db";
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 18a57195e5..06bb7d7775 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
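Review bot: The Perl one-liner that writes trusted.conf declares `$dn`, `$class`, `$type`, `$flags`, `$proto`, `$alg`, `@rest` and `$key` with `local`, which dynamically scopes package globals; for values that live only for one input line they should be lexicals, `my ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;` and `my $key = join("", @rest);`. The heredoc following `print` is truncated in this rendering (only `print < ../ns5/trusted.conf` survives), so the body of the trusted-keys statement and its redirection could not be reviewed here. The `cat $ksk.key | grep -v '^; '` pipeline can read the file directly, `grep -v '^; ' $ksk.key | $PERL -n -e '...'`. It would also help to say why example.net is now signed after ds.example.net (the subject of the earlier hunk in this file): the added `cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile` needs the dsset file that signing ds.example.net produces, e.g. `# ds.example.net is signed first so its dsset-ds.example.net. can be included in example.net`.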
@@ -422,6 +422,27 @@ test ${ttl:-0} -gt ${ttl2:-1} || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:check prefetch of validated DS's RRSIG TTL is updated (${n})"
+ret=0
+$DIG +dnssec @10.53.0.5 -p 5300 ds.example.net ds > dig.out.1.${n} || ret=1
+ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 - 2 }' dig.out.1.${n}`
+# sleep so we are in prefetch range
+sleep ${ttl1:-0}
+# trigger prefetch
+$DIG @10.53.0.5 -p 5300 ds.example.net ds > dig.out.2.${n} || ret=1
+ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}`
+sleep 1
+# check that prefetch occured
+$DIG @10.53.0.5 -p 5300 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
+dsttl=`awk '$4 == "DS" i&& $7 == "1" { print $2 }' dig.out.3.${n}`
+sigttl=`awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}`
+test ${dsttl:-0} -gt ${ttl2:-1} || ret=1
+test ${sigttl:-0} -gt ${ttl2:-1} || ret=1
+test ${dsttl:-0} -eq ${sigttl:-1} || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I:check prefetch disabled (${n})"
 ret=0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index f274048c6b..5b8698060b 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5028,7 +5028,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 eresult = DNS_R_NCACHENXRRSET;
 } else if (vevent->sigrdataset != NULL) {
 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
- vevent->sigrdataset, 0,
+ vevent->sigrdataset, options,
 asigrdataset);
 if (result != ISC_R_SUCCESS &&
 result != DNS_R_UNCHANGED)
@@ -5497,8 +5497,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 * Mark the rdataset as being prefetch eligible.
 */
 if (rdataset->ttl > fctx->res->view->prefetch_eligible)
- rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
-
+ rdataset->attributes |=
+ DNS_RDATASETATTR_PREFETCH;
 /*
 * Cache this rdataset/sigrdataset pair as
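Review bot: The two `-gt` checks in the new block compare `dsttl` and `sigttl` against `${ttl2:-1}`, but nothing in this block sets `ttl2`; the TTL captured after the prefetch trigger is stored into `ttl1` (overwriting the earlier `ttl1`), so the checks run against whatever the preceding test left in `ttl2`, which is set outside the hunk as the hunk's leading context suggests. Capturing the second value as `ttl2=\`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}\`` keeps the comparisons meaningful and matches the `ttl`/`ttl2` pattern of the previous test. The `dsttl=` awk program also contains a stray `i` (`$4 == "DS" i&& $7 == "1"`); awk parses `"DS" i` as concatenation with the uninitialized variable `i`, so it happens to still compare against `"DS"`, but the line should read `dsttl=\`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.3.${n}\``. The comment `# check that prefetch occured` should be spelled `occurred`.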
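Review bot: The `options` now passed to the RRSIG `dns_db_addrdataset` call is computed outside the hunk, so nothing here records that it must stay in step with the options used for the rdataset add a few lines earlier, which is the invariant this fix restores; a comment such as `/* Use the same options as the rdataset add so a prefetch also refreshes the RRSIG's TTL. */` on the line before the call would keep the two calls from drifting apart again. Whether `options` carries the prefetch flag for prefetch-initiated fetches cannot be confirmed from the visible lines. The enclosing validated() begins and ends outside the hunk.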