4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
3
CHANGES
3
CHANGES
@@ -1,5 +1,8 @@
|
|||||||
--- 9.11.0rc1 released ---
|
--- 9.11.0rc1 released ---
|
||||||
|
|
||||||
|
4453. [bug] Prefetching of DS records failed to update their
|
||||||
|
RRSIGs. [RT #42865]
|
||||||
|
|
||||||
4452. [bug] The default key manager policy file is now
|
4452. [bug] The default key manager policy file is now
|
||||||
<sysdir>/dnssec-policy.conf (usually
|
<sysdir>/dnssec-policy.conf (usually
|
||||||
/etc/dnssec-policy.conf). [RT #43064]
|
/etc/dnssec-policy.conf). [RT #43064]
|
||||||
|
@@ -21,9 +21,12 @@ rm -f dig.*.prime.*
|
|||||||
rm -f ns4/tld.db
|
rm -f ns4/tld.db
|
||||||
rm -f ns6/K*
|
rm -f ns6/K*
|
||||||
rm -f ns6/example.net.db.signed ns6/example.net.db
|
rm -f ns6/example.net.db.signed ns6/example.net.db
|
||||||
|
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
|
||||||
|
rm -f ns6/dsset-ds.example.net.
|
||||||
rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
|
rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
|
||||||
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
|
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
|
||||||
rm -f ns7/server.db ns7/server.db.jnl ns7/named.conf
|
rm -f ns7/server.db ns7/server.db.jnl ns7/named.conf
|
||||||
rm -f resolve.out
|
rm -f resolve.out
|
||||||
rm -f .digrc
|
rm -f .digrc
|
||||||
rm -f ns*/named.lock
|
rm -f ns*/named.lock
|
||||||
|
rm -f ns5/trusted.conf
|
||||||
|
@@ -19,3 +19,5 @@ a.root-servers.nil. A 10.53.0.4
|
|||||||
all-cnames NS cname.tld
|
all-cnames NS cname.tld
|
||||||
delegation-only. NS ns.delegation-only.
|
delegation-only. NS ns.delegation-only.
|
||||||
ns.delegation-only. A 10.53.0.6
|
ns.delegation-only. A 10.53.0.6
|
||||||
|
example.net. NS ns.example.net.
|
||||||
|
ns.example.net. A 10.53.0.6
|
||||||
|
@@ -46,3 +46,5 @@ zone "child.server" {
|
|||||||
zone "delegation-only" {
|
zone "delegation-only" {
|
||||||
type delegation-only;
|
type delegation-only;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
include "trusted.conf";
|
||||||
|
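Review bot: `include "trusted.conf";` pulls in a file that, elsewhere on this page, is produced by the Perl snippet in ns6/sign.sh (`> ../ns5/trusted.conf`), so ns5's configuration now depends on ns6's signing step having run first, and on clean.sh removing the file afterwards. A comment above the include recording where the file comes from, e.g. `// trusted.conf is generated by ns6/sign.sh`, would make that cross-directory dependency visible to anyone editing either script. If the setup ordering is not already guaranteed by setup.sh (not visible here), named on ns5 would fail to load its configuration.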
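--- a/bin/tests/system/resolver/ns6/ds.example.net.db.in
+++ b/bin/tests/system/resolver/ns6/ds.example.net.db.in
@@ -0,0 +1,12 @@
+; Copyright (C) 2010, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+; $Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6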
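Review bot: The `$Id` keyword line in the new file still names `example.net.db.in`, the file this zone was evidently copied from, so the header no longer describes the file it sits in. Since keyword expansion does not happen in git, the line is best either dropped or changed to name this file, e.g. `; $Id: ds.example.net.db.in $`. The copyright years were carried over from the source file as well; confirm they are what is intended for a file first added in this commit.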
@@ -14,4 +14,7 @@ ns IN A 10.53.0.6
|
|||||||
mail IN A 10.53.0.6
|
mail IN A 10.53.0.6
|
||||||
fetch 10 IN TXT A short ttl
|
fetch 10 IN TXT A short ttl
|
||||||
non-zero 10 IN TXT A short ttl
|
non-zero 10 IN TXT A short ttl
|
||||||
zero 0 IN TXT A zero ttl
|
zero 0 IN TXT A zero ttl
|
||||||
|
$TTL 10
|
||||||
|
ds IN NS ns.ds
|
||||||
|
ns.ds IN A 10.53.0.6
|
||||||
|
@@ -11,7 +11,7 @@
|
|||||||
SYSTEMTESTTOP=../..
|
SYSTEMTESTTOP=../..
|
||||||
. $SYSTEMTESTTOP/conf.sh
|
. $SYSTEMTESTTOP/conf.sh
|
||||||
|
|
||||||
zone=example.net
|
zone=ds.example.net
|
||||||
zonefile="${zone}.db"
|
zonefile="${zone}.db"
|
||||||
infile="${zonefile}.in"
|
infile="${zonefile}.in"
|
||||||
cp $infile $zonefile
|
cp $infile $zonefile
|
||||||
@@ -19,3 +19,23 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
|||||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||||
cat $ksk.key $zsk.key >> $zonefile
|
cat $ksk.key $zsk.key >> $zonefile
|
||||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
|
zone=example.net
|
||||||
|
zonefile="${zone}.db"
|
||||||
|
infile="${zonefile}.in"
|
||||||
|
cp $infile $zonefile
|
||||||
|
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
|
||||||
|
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||||
|
cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
|
||||||
|
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
|
||||||
|
|
||||||
|
# Configure a trusted key statement (used by delve)
|
||||||
|
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
|
||||||
|
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
|
||||||
|
local $key = join("", @rest);
|
||||||
|
print <<EOF
|
||||||
|
trusted-keys {
|
||||||
|
"$dn" $flags $proto $alg "$key";
|
||||||
|
};
|
||||||
|
EOF
|
||||||
|
' > ../ns5/trusted.conf
|
||||||
|
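Review bot: The inline Perl that writes trusted.conf declares its variables with `local` (`local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;` and `local $key = join("", @rest);`); `local` dynamically scopes package globals rather than creating lexicals, so `my` is the right construct here: `my ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;` and `my $key = join('', @rest);`. The `cat $ksk.key |` in front of `grep` is redundant — `grep -v '^; ' $ksk.key | $PERL -n -e '...'` reads the same input. Separately, the second `$SIGNER` invocation, like the first, discards both stdout and stderr and leaves its exit status unchecked, so a failure to sign example.net (or a missing `dsset-ds.example.net.` from the first signing) would surface only later as unexplained test failures; appending `|| echo "I:signing ${zone} failed"` to each signer line would make that visible.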
@@ -41,6 +41,12 @@ zone "example.net" {
|
|||||||
allow-update { any; };
|
allow-update { any; };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
zone "ds.example.net" {
|
||||||
|
type master;
|
||||||
|
file "ds.example.net.db.signed";
|
||||||
|
allow-update { any; };
|
||||||
|
};
|
||||||
|
|
||||||
zone "to-be-removed.tld" {
|
zone "to-be-removed.tld" {
|
||||||
type master;
|
type master;
|
||||||
file "to-be-removed.tld.db";
|
file "to-be-removed.tld.db";
|
||||||
|
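Review bot: The new `zone "ds.example.net"` block carries `allow-update { any; };`, which opens the zone to dynamic updates from any source, but nothing in the tests.sh hunk on this page updates this zone — it is only queried with dig — so the clause looks copied from the `example.net` block above rather than required. Unless a later test sends updates to it, dropping the clause keeps the fixture to what the test exercises; if it is needed, a short comment naming the test that relies on it would help the next reader. The same `any` pattern already exists for example.net in this file, so the point is not to widen it further without a reason.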
@@ -422,6 +422,27 @@ test ${ttl:-0} -gt ${ttl2:-1} || ret=1
|
|||||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||||
status=`expr $status + $ret`
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo "I:check prefetch of validated DS's RRSIG TTL is updated (${n})"
|
||||||
|
ret=0
|
||||||
|
$DIG +dnssec @10.53.0.5 -p 5300 ds.example.net ds > dig.out.1.${n} || ret=1
|
||||||
|
ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 - 2 }' dig.out.1.${n}`
|
||||||
|
# sleep so we are in prefetch range
|
||||||
|
sleep ${ttl1:-0}
|
||||||
|
# trigger prefetch
|
||||||
|
$DIG @10.53.0.5 -p 5300 ds.example.net ds > dig.out.2.${n} || ret=1
|
||||||
|
ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}`
|
||||||
|
sleep 1
|
||||||
|
# check that prefetch occured
|
||||||
|
$DIG @10.53.0.5 -p 5300 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
|
||||||
|
dsttl=`awk '$4 == "DS" i&& $7 == "1" { print $2 }' dig.out.3.${n}`
|
||||||
|
sigttl=`awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}`
|
||||||
|
test ${dsttl:-0} -gt ${ttl2:-1} || ret=1
|
||||||
|
test ${sigttl:-0} -gt ${ttl2:-1} || ret=1
|
||||||
|
test ${dsttl:-0} -eq ${sigttl:-1} || ret=1
|
||||||
|
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||||
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
n=`expr $n + 1`
|
n=`expr $n + 1`
|
||||||
echo "I:check prefetch disabled (${n})"
|
echo "I:check prefetch disabled (${n})"
|
||||||
ret=0
|
ret=0
|
||||||
|
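Review bot: The two `-gt` checks near the end of the new block compare against `${ttl2:-1}`, but `ttl2` is never assigned in this block — it appears to be left over from the preceding test (its last line is visible in the hunk header, `test ${ttl:-0} -gt ${ttl2:-1}`), so the assertion depends on a stale value from another test case. The TTL captured just before the prefetch is `ttl1` (from dig.out.2), so the intent is presumably `test ${dsttl:-0} -gt ${ttl1:-1} || ret=1` and `test ${sigttl:-0} -gt ${ttl1:-1} || ret=1`; confirm against the prefetch test above this hunk. Separately, the awk filter for `dsttl` reads `$4 == "DS" i&& $7 == "1"`; the stray `i` is an uninitialized awk variable concatenated onto `"DS"`, which still compares equal to `"DS"` so the test happens to pass, but it is a typo and should read `awk '$4 == "DS" && $7 == "1" { print $2 }'` like the line above it. The comment `# check that prefetch occured` also misspells "occurred".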
@@ -5028,7 +5028,7 @@ validated(isc_task_t *task, isc_event_t *event) {
|
|||||||
eresult = DNS_R_NCACHENXRRSET;
|
eresult = DNS_R_NCACHENXRRSET;
|
||||||
} else if (vevent->sigrdataset != NULL) {
|
} else if (vevent->sigrdataset != NULL) {
|
||||||
result = dns_db_addrdataset(fctx->cache, node, NULL, now,
|
result = dns_db_addrdataset(fctx->cache, node, NULL, now,
|
||||||
vevent->sigrdataset, 0,
|
vevent->sigrdataset, options,
|
||||||
asigrdataset);
|
asigrdataset);
|
||||||
if (result != ISC_R_SUCCESS &&
|
if (result != ISC_R_SUCCESS &&
|
||||||
result != DNS_R_UNCHANGED)
|
result != DNS_R_UNCHANGED)
|
||||||
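Review bot: The changed call in validated() now passes `options` for the sigrdataset where `0` was passed before, so the RRSIG is cached under the same flags as the data it covers; why that matters is only recorded in the CHANGES entry (prefetch did not refresh the RRSIG TTL), and `options` is assigned outside this hunk, so a reader of this call gets no local hint. A comment on the call, e.g. `/* Use the same options as the rdataset so a prefetch refresh also updates the RRSIG TTL. */`, would record the intent next to the code. validated() begins and ends outside the hunk, so how `options` is derived could not be checked here.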
@@ -5497,8 +5497,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
|
|||||||
* Mark the rdataset as being prefetch eligible.
|
* Mark the rdataset as being prefetch eligible.
|
||||||
*/
|
*/
|
||||||
if (rdataset->ttl > fctx->res->view->prefetch_eligible)
|
if (rdataset->ttl > fctx->res->view->prefetch_eligible)
|
||||||
rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
|
rdataset->attributes |=
|
||||||
|
DNS_RDATASETATTR_PREFETCH;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Cache this rdataset/sigrdataset pair as
|
* Cache this rdataset/sigrdataset pair as
|
||||||
|