Merge branch '3438-dnssec-policy-does-not-set-inline-signing' into 'main'

Fix inheritance for dnssec-policy when checking for inline-signing

Closes #3438

See merge request isc-projects/bind9!6541

CHANGES

@@ -1,3 +1,6 @@
+5923.	[bug]		Fix inheritance for dnssec-policy when checking for
+			inline-signing. [GL #3438]
+
 5922.	[bug]		Forwarding of UPDATE message could fail with the
 			introduction of netmgr. This has been fixed. [GL #3389]
 

bin/named/zoneconf.c

@@ -2132,6 +2132,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
 	const cfg_obj_t *updatepolicy = NULL;
 	bool zone_is_dynamic = false;
 	bool inline_signing = false;
+	bool dnssec_policy = false;
 
 	(void)cfg_map_get(config, "options", &options);
 
@@ -2183,16 +2184,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
 	 * inline-signing.
 	 */
 	signing = NULL;
-	if (!inline_signing && !zone_is_dynamic &&
-	    cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS &&
-	    signing != NULL)
-	{
-		if (strcmp(cfg_obj_asstring(signing), "none") != 0) {
-			inline_signing = true;
-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "inline-signing: "
-				     "implicitly through dnssec-policy");
-		}
+	res = cfg_map_get(zoptions, "dnssec-policy", &signing);
+	if (res != ISC_R_SUCCESS && voptions != NULL) {
+		res = cfg_map_get(voptions, "dnssec-policy", &signing);
+	}
+	if (res != ISC_R_SUCCESS && options != NULL) {
+		res = cfg_map_get(options, "dnssec-policy", &signing);
+	}
+	if (res == ISC_R_SUCCESS) {
+		dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") !=
+				 0);
+	}
+
+	if (!inline_signing && !zone_is_dynamic && dnssec_policy) {
+		inline_signing = true;
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "inline-signing: "
+			     "implicitly through dnssec-policy");
 	}
 
 	return (inline_signing);

bin/tests/system/kasp.sh

@@ -823,9 +823,9 @@ check_keys() {
 	status=$((status+ret))
 }
 
-# Call rndc dnssec -status on server $1 for zone $2 and check output.
-# This is a loose verification, it just tests if the right policy
-# name is returned, and if all expected keys are listed.  The rndc
+# Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2
+# and check output. This is a loose verification, it just tests if the right
+# policy name is returned, and if all expected keys are listed.  The rndc
 # dnssec -status output also lists whether a key is published,
 # used for signing, is retired, or is removed, and if not when
 # it is scheduled to do so, and it shows the states for the various
@@ -864,6 +864,28 @@ check_dnssecstatus() {
 	status=$((status+ret))
 }
 
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# inline-signing is enabled.
+check_inlinesigning() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# the zone is dynamic.
+check_isdynamic() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 _check_signatures() {

bin/tests/system/kasp/clean.sh

@@ -29,7 +29,7 @@ rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
 rm -f *.created published.test* retired.test*
-rm -f rndc.dnssec.*.out.*
+rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
 rm -f *-supported.file
 rm -f created.key-* unused.key-*

bin/tests/system/kasp/ns4/named.conf.in

@@ -145,9 +145,12 @@ view "none" {
 view "example1" {
 	match-clients { key "keyforview1"; };
 
+	allow-update { any; };
+
 	zone "example.net" {
 		type primary;
 		file "example1.db";
+		// Dynamic zone, inline-signing disabled, policy inerhited.
 	};
 };
 
@@ -157,6 +160,7 @@ view "example2" {
 	zone "example.net" {
 		type primary;
 		file "example2.db";
+		// Static zone, inline-signing, policy inherited.
 	};
 };
 

bin/tests/system/kasp/tests.sh

@@ -1880,8 +1880,16 @@ set_keytimes_csk_policy
 check_keytimes
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example1) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
+check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
@@ -1897,8 +1905,16 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example2) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
@@ -1911,12 +1927,20 @@ status=$((status+ret))
 TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
 wait_for_nsec
 check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example3) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
-echo_i "check TXT example.net (in-view example2) rrset is signed correctly ($n)"
+n=$((n+1))
+echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
 grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
@@ -4671,6 +4695,7 @@ _check_soa_ttl() {
 	test ${ttl2:-0} -eq $2 || return 1
 }
 
+n=$((n+1))
 echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
 TSIG=
 ret=0
@@ -4684,8 +4709,8 @@ wait_for_log 3 "all zones loaded" ns6/named.run
 retry_quiet 10 _check_soa_ttl 300 300 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-n=$((n+1))
 
+n=$((n+1))
 echo_i "Check that restart with zone changes and deleted journal works ($n)"
 TSIG=
 ret=0
@@ -4702,7 +4727,6 @@ wait_for_log 3 "all zones loaded" ns6/named.run
 retry_quiet 10 _check_soa_ttl 300 400 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
-n=$((n+1))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

doc/notes/notes-current.rst

@@ -42,3 +42,7 @@ Bug Fixes
 
 - A DNS compression would be applied on the root zone name if it is repeatedly
   used in the same RRSet. :gl:`#3423`
+
+- Non-dynamic zones that inherit dnssec-policy from the view or
+  options level were not marked as inline-signed, and thus were never
+  scheduled to be re-signed. This is now fixed. :gl:`#3438`