diff --git a/CHANGES b/CHANGES index 810adfc6c5..d50ad9abb1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6025. [bug] Copy TLS identifier when setting up primaries for + catalog member zones. [GL #3638] + 6024. [func] Deprecate 'auto-dnssec'. [GL #3667] 6022. [performance] The decompression implementation in dns_name_fromwire() diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh index b98a5b18fc..40a348aa0b 100644 --- a/bin/tests/system/catz/clean.sh +++ b/bin/tests/system/catz/clean.sh @@ -13,21 +13,24 @@ rm -f dig.out.* rm -f ns*/*.jnl -rm -f ns*/*.nzf rm -f ns*/*.mkeys +rm -f ns*/*.nzd ns*/*.nzd-lock +rm -f ns*/*.nzf +rm -f ns*/managed-keys.bind* +rm -f ns*/named.conf rm -f ns*/named.lock rm -f ns*/named.memstats -rm -f ns*/named.conf rm -f ns*/named.run rm -f ns*/named.run.prev rm -f ns1/*dom*example.db +rm -f ns1/tls1.example.db rm -f ns2/__catz__*db rm -f ns2/catalog-bad*.db rm -f ns2/named.conf.tmp rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db -rm -f nsupdate.out.* +rm -f ns4/__catz__*db rm -f ns[123]/catalog[1234].example.db -rm -rf ns2/zonedir -rm -f ns*/*.nzd ns*/*.nzd-lock -rm -f ns*/managed-keys.bind* +rm -f ns[14]/catalog-tls.example.db +rm -f nsupdate.out.* rm -f wait_for_message.* +rm -rf ns2/zonedir diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 3a8e4012ed..caa7b2c162 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -22,10 +22,12 @@ options { notify-source 10.53.0.1; transfer-source 10.53.0.1; port @PORT@; + tls-port @TLSPORT@; allow-new-zones yes; pid-file "named.pid"; listen-on { 10.53.0.1; }; listen-on port @EXTRAPORT1@ { 10.53.0.1; }; + listen-on tls ephemeral { 10.53.0.1; }; listen-on-v6 { none; }; notify no; recursion no; 
@@ -104,6 +106,16 @@ view "default" { also-notify { 10.53.0.2; }; notify explicit; }; + + # A catalog zone that requires TLS to be used + zone "catalog-tls.example" { + type primary; + file "catalog-tls.example.db"; + allow-transfer transport tls { key tsig_key; }; + allow-update { any; }; + also-notify { 10.53.0.4; }; + notify explicit; + }; }; view "ch" ch { @@ -122,7 +134,7 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; }; key next_key. { diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index 23383ed987..5a7babdbfe 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in @@ -165,7 +165,7 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; }; key next_key. { diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index 62b76a600e..cd5f2b97c7 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in @@ -122,5 +122,5 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm @DEFAULT_HMAC@; }; diff --git a/bin/tests/system/catz/ns4/named.conf.in b/bin/tests/system/catz/ns4/named.conf.in new file mode 100644 index 0000000000..2256836584 --- /dev/null +++ b/bin/tests/system/catz/ns4/named.conf.in 
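Review bot: Both ends of the new TLS path use the built-in `ephemeral` profile (`listen-on tls ephemeral` in the options hunk above, `tls ephemeral` on the ns4 side), so this fixture shows that the identifier reaches the member-zone configuration but not that a user-defined `tls` block, with whatever certificate and verification settings it carries, survives the copy; if that case is in scope a second catalog zone referencing a named `tls` statement would cover it. A short comment on the zone, e.g. `# member zones are only transferable over TLS; ns4 fetches them with tls ephemeral`, would also say why `allow-transfer transport tls { key tsig_key; };` combines the transport restriction with the TSIG key, which the existing `# A catalog zone that requires TLS to be used` line does not explain.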
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ tls-port @TLSPORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { fd92:7065:b8e:ffff::4; };
+ notify no;
+ notify-delay 0;
+ recursion no;
+ serial-query-rate 100;
+
+ catalog-zones {
+ zone "catalog-tls.example"
+ min-update-interval 1s
+ default-primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+ };
+};
+
+zone "catalog-tls.example" {
+ type secondary;
+ file "catalog-tls.example.db";
+ primaries { 10.53.0.1 key tsig_key tls ephemeral; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/setup.sh b/bin/tests/system/catz/setup.sh
index 9f92499228..ce1f931b18 100644
--- a/bin/tests/system/catz/setup.sh
+++ b/bin/tests/system/catz/setup.sh
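Review bot: `key next_key.` is declared at the end of the new ns4 configuration but nothing in the file refers to it; both the catalog-zones `default-primaries` and the zone's `primaries` statement name `tsig_key`, so it looks carried over from the ns1/ns2 configurations. Either drop it or add a comment such as `/* unused here; kept in step with the ns1/ns2 key definitions */` so a reader does not search for its user. The listener `listen-on-v6 { fd92:7065:b8e:ffff::4; };` also differs from the `listen-on-v6 { none; };` that ns1 uses in this same commit; if the tests never reach ns4 over IPv6, `none` would keep the two in step, otherwise a comment saying why ns4 needs the address would help.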
@@ -18,10 +18,12 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named1.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf cp -f ns1/catalog.example.db.in ns1/catalog1.example.db cp -f ns3/catalog.example.db.in ns3/catalog2.example.db cp -f ns1/catalog.example.db.in ns1/catalog3.example.db cp -f ns1/catalog.example.db.in ns1/catalog4.example.db +cp -f ns1/catalog.example.db.in ns1/catalog-tls.example.db mkdir -p ns2/zonedir diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index f359e3aa53..697ae9badf 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh 
@@ -2515,5 +2515,55 @@ rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## +n=$((n+1)) +echo_i "Adding a domain tls1.example. to primary via RNDC ($n)" +ret=0 +# enough initial content for IXFR response when TXT record is added below +echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/tls1.example.db +echo "@ 3600 IN NS invalid." >> ns1/tls1.example.db +echo "foo 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "bar 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "xxx 3600 IN TXT some content here" >> ns1/tls1.example.db +echo "yyy 3600 IN TXT some content here" >> ns1/tls1.example.db +rndccmd 10.53.0.1 addzone tls1.example. in default '{ type primary; file "tls1.example.db"; allow-transfer transport tls { key tsig_key; }; allow-update { any; }; notify explicit; also-notify { 10.53.0.4; }; };' || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that tls1.example. is now served by primary ($n)" +ret=0 +wait_for_soa @10.53.0.1 tls1.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns4/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain tls1.example. to catalog-tls zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add 1ba056ba375209a66a2c9a0617b1df714b998112.zones.catalog-tls.example. 3600 IN PTR tls1.example. 
+ send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns4/named.run "catz: adding zone 'tls1.example' from catalog 'catalog-tls.example'" && +wait_for_message ns4/named.run "transfer of 'tls1.example/IN' from 10.53.0.1#${TLSPORT}: Transfer status: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that tls1.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.4 tls1.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 01073b21be..c2ff29300d 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -47,6 +47,9 @@ Bug Fixes 10 to 100 to accomodate for some browsers that send more that 10 headers by default. :gl:`#3670` +- Copy TLS identifier when setting up primaries for catalog member + zones. :gl:`#3638` + Known Issues ~~~~~~~~~~~~ diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 3aa3ec2f6c..7339ef1c7b 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -375,6 +375,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) { } } + for (size_t i = 0; i < eb->opts.masters.count; i++) { + if ((ea->opts.masters.tlss[i] == NULL) != + (eb->opts.masters.tlss[i] == NULL)) { + return (false); + } + if (ea->opts.masters.tlss[i] == NULL) { + continue; + } + if (!dns_name_equal(ea->opts.masters.tlss[i], + eb->opts.masters.tlss[i])) { + return (false); + } + } + /* If one is NULL and the other isn't, the entries don't match */ if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) { return (false); 
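Review bot: The comment `# enough initial content for IXFR response when TXT record is added below` does not describe this block: nothing after it adds a TXT record to tls1.example, so the six records are either padding copied from an earlier test or serve a purpose the comment no longer states; reword it to what the data is for, e.g. `# minimal zone content so the secondary's TLS transfer has something to fetch`, or drop it. The member label `1ba056ba375209a66a2c9a0617b1df714b998112` is presumably the SHA-1 of the wire-format name `tls1.example.`; a comment saying so lets the next person regenerate it when the name changes. As rendered here the nsupdate invocation reads `$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1`, which is not a here-document; if that is not an artefact of this rendering the `server`/`update add`/`send` lines that follow are never fed to nsupdate and the form `$NSUPDATE -d <<END >> nsupdate.out.test$n 2>&1 || ret=1` is needed.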
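Review bot: The new loop runs to `eb->opts.masters.count` but indexes `ea->opts.masters.tlss[i]` as well, so it is only safe if the two counts were already checked equal earlier in dns_catz_entry_cmp; the start of the function, and the loop that the two closing braces at the top of this hunk appear to belong to, are outside the hunk, so I cannot confirm that here. Assuming that check exists, the TLS comparison repeats the bound and the NULL-asymmetry pattern of the existing key loop over the same index range and could simply be appended to that loop's body, which keeps a future change to the bound from having to be made twice. A one-line comment above the loop, e.g. `/* Master TLS identifiers must match pairwise; a NULL on one side only is a mismatch */`, would mirror the `/* If one is NULL and the other isn't ... */` line already used for allow_query below.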
@@ -1972,6 +1986,15 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry, goto cleanup; } } + + if (entry->opts.masters.tlss[i] != NULL) { + isc_buffer_putstr(buffer, " tls "); + result = dns_name_totext(entry->opts.masters.tlss[i], + true, buffer); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } + } isc_buffer_putstr(buffer, "; "); } isc_buffer_putstr(buffer, "}; "); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 57bf2cf8c9..caaae33ee4 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -13083,7 +13083,7 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) { tlsname, &transport); dns_zone_logc( - zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR, + zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, "got TLS configuration for zone transfer"); } @@ -18308,7 +18308,7 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) { result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname, &zone->transport); - dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR, + dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, "got TLS configuration for zone transfer: %s", isc_result_totext(result)); } @@ -21542,7 +21542,7 @@ checkds_send(dns_zone_t *zone) { (void)dns_view_gettransport(view, DNS_TRANSPORT_TLS, tlsname, &transport); dns_zone_logc( - zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR, + zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO, "got TLS configuration for zone transfer"); }
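Review bot: The new TLS block follows the same shape as the key block whose tail (`goto cleanup; } }`) opens this hunk, so a small static helper taking the buffer, the literal prefix and the name and returning the dns_name_totext result would remove the third copy of the literal-then-name-then-goto sequence in dns_catz_generate_zonecfg; this is a style remark only. What deserves a comment on the new lines is why the name is rendered with the final dot omitted (`dns_name_totext(entry->opts.masters.tlss[i], true, buffer)`): presumably so the text matches the `tls` statement name as written in the configuration, but I am inferring that from the surrounding code, so confirm before writing it down. The enclosing for loop and the cleanup label are outside the hunk.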
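Review bot: In got_transfer_quota the message now emitted at ISC_LOG_INFO is the one that carries `isc_result_totext(result)`, so a failed `dns_view_gettransport` (for instance a `tls` identifier that matches no configured block) is reported only at INFO unless the caller reports it again later, which the hunk does not show. Keep INFO for the success path and choose the level from the result: replace `ISC_LOG_INFO` with `result == ISC_R_SUCCESS ? ISC_LOG_INFO : ISC_LOG_ERROR`. The zone_notify and checkds_send hunks make the same level change, but there the lookup result is discarded (`(void)dns_view_gettransport(...)`) and the message omits it, so those two cannot tell success from failure at all; logging the result with the same result-dependent level would bring them in line with got_transfer_quota. All three messages use DNS_LOGCATEGORY_XFER_IN although notify and checkds traffic is outbound; that predates this change but is worth a follow-up.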