Merge branch '3638-tls-settings-for-primaries-not-saved-for-catalog-zone-entries-v9_18' into 'v9_18'

Resolve "TLS settings for primaries not saved for catalog zone entries." [v9_18] See merge request isc-projects/bind9!7122
2026-05-28 04:34:54 -04:00 · 2022-11-25 00:04:40 +00:00 · 2022-11-25 00:04:40 +00:00 · 2c4054a2f7
commit 2c4054a2f7
parent d8027595c5 f21c770733
11 changed files with 163 additions and 12 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+6025.	[bug]		Copy TLS identifier when setting up primaries for
+			catalog member zones. [GL #3638]
+
 6024.	[func]		Deprecate 'auto-dnssec'. [GL #3667]

 6022.	[performance]	The decompression implementation in dns_name_fromwire()
--- a/bin/tests/system/catz/clean.sh
+++ b/bin/tests/system/catz/clean.sh
@ -13,21 +13,24 @@

 rm -f dig.out.*
 rm -f ns*/*.jnl
-rm -f ns*/*.nzf
 rm -f ns*/*.mkeys
+rm -f ns*/*.nzd ns*/*.nzd-lock
+rm -f ns*/*.nzf
+rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
 rm -f ns*/named.lock
 rm -f ns*/named.memstats
-rm -f ns*/named.conf
 rm -f ns*/named.run
 rm -f ns*/named.run.prev
 rm -f ns1/*dom*example.db
+rm -f ns1/tls1.example.db
 rm -f ns2/__catz__*db
 rm -f ns2/catalog-bad*.db
 rm -f ns2/named.conf.tmp
 rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db
-rm -f nsupdate.out.*
+rm -f ns4/__catz__*db
 rm -f ns[123]/catalog[1234].example.db
-rm -rf ns2/zonedir
-rm -f ns*/*.nzd ns*/*.nzd-lock
-rm -f ns*/managed-keys.bind*
+rm -f ns[14]/catalog-tls.example.db
+rm -f nsupdate.out.*
 rm -f wait_for_message.*
+rm -rf ns2/zonedir
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@ -22,10 +22,12 @@ options {
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
+	tls-port @TLSPORT@;
 	allow-new-zones yes;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+	listen-on tls ephemeral { 10.53.0.1; };
 	listen-on-v6 { none; };
 	notify no;
 	recursion no;
@ -104,6 +106,16 @@ view "default" {
 		also-notify { 10.53.0.2; };
 		notify explicit;
 	};
+
+	# A catalog zone that requires TLS to be used
+	zone "catalog-tls.example" {
+		type primary;
+		file "catalog-tls.example.db";
+		allow-transfer transport tls { key tsig_key; };
+		allow-update { any; };
+		also-notify { 10.53.0.4; };
+		notify explicit;
+	};
 };

 view "ch" ch {
@ -122,7 +134,7 @@ view "ch" ch {

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };

 key next_key. {
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@ -165,7 +165,7 @@ view "ch" ch {

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };

 key next_key. {
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@ -122,5 +122,5 @@ view "ch" ch {

 key tsig_key. {
 	secret "LSAnCU+Z";
-	algorithm hmac-md5;
+	algorithm @DEFAULT_HMAC@;
 };
--- a/bin/tests/system/catz/ns4/named.conf.in
+++ b/bin/tests/system/catz/ns4/named.conf.in
@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	tls-port @TLSPORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	notify no;
+	notify-delay 0;
+	recursion no;
+	serial-query-rate 100;
+
+	catalog-zones {
+		zone "catalog-tls.example"
+			min-update-interval 1s
+			default-primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+	};
+};
+
+zone "catalog-tls.example" {
+	type secondary;
+	file "catalog-tls.example.db";
+	primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+};
+
+key tsig_key. {
+	secret "LSAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+	secret "LaAnCU+Z";
+	algorithm @DEFAULT_HMAC@;
+};
--- a/bin/tests/system/catz/setup.sh
+++ b/bin/tests/system/catz/setup.sh
@ -18,10 +18,12 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named1.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf

 cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
 cp -f ns3/catalog.example.db.in ns3/catalog2.example.db
 cp -f ns1/catalog.example.db.in ns1/catalog3.example.db
 cp -f ns1/catalog.example.db.in ns1/catalog4.example.db
+cp -f ns1/catalog.example.db.in ns1/catalog-tls.example.db

 mkdir -p ns2/zonedir
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@ -2515,5 +2515,55 @@ rndccmd 10.53.0.2 reconfig || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))

+##########################################################################
+n=$((n+1))
+echo_i "Adding a domain tls1.example. to primary via RNDC ($n)"
+ret=0
+# enough initial content for IXFR response when TXT record is added below
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db
+echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db
+echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db
+echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db
+rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is now served by primary ($n)"
+ret=0
+wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+nextpart ns4/named.run >/dev/null
+
+n=$((n+1))
+echo_i "Adding domain tls1.example. to catalog-tls zone ($n)"
+ret=0
+$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example.
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" &&
+wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking that tls1.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -47,6 +47,9 @@ Bug Fixes
  10 to 100 to accomodate for some browsers that send more that 10
  headers by default. :gl:`#3670`

+- Copy TLS identifier when setting up primaries for catalog member
+  zones. :gl:`#3638`
+
 Known Issues
 ~~~~~~~~~~~~

--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@ -375,6 +375,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
 		}
 	}

+	for (size_t i = 0; i < eb->opts.masters.count; i++) {
+		if ((ea->opts.masters.tlss[i] == NULL) !=
+		    (eb->opts.masters.tlss[i] == NULL)) {
+			return (false);
+		}
+		if (ea->opts.masters.tlss[i] == NULL) {
+			continue;
+		}
+		if (!dns_name_equal(ea->opts.masters.tlss[i],
+				    eb->opts.masters.tlss[i])) {
+			return (false);
+		}
+	}
+
 	/* If one is NULL and the other isn't, the entries don't match */
 	if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) {
 		return (false);
@ -1972,6 +1986,15 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
 				goto cleanup;
 			}
 		}
+
+		if (entry->opts.masters.tlss[i] != NULL) {
+			isc_buffer_putstr(buffer, " tls ");
+			result = dns_name_totext(entry->opts.masters.tlss[i],
+						 true, buffer);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup;
+			}
+		}
 		isc_buffer_putstr(buffer, "; ");
 	}
 	isc_buffer_putstr(buffer, "}; ");
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -13083,7 +13083,7 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 						    tlsname, &transport);

 			dns_zone_logc(
-				zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+				zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
 				"got TLS configuration for zone transfer");
 		}

@ -18308,7 +18308,7 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 		result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname,
 					       &zone->transport);

-		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
 			      "got TLS configuration for zone transfer: %s",
 			      isc_result_totext(result));
 	}
@ -21542,7 +21542,7 @@ checkds_send(dns_zone_t *zone) {
 			(void)dns_view_gettransport(view, DNS_TRANSPORT_TLS,
 						    tlsname, &transport);
 			dns_zone_logc(
-				zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+				zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
 				"got TLS configuration for zone transfer");
 		}