diff --git a/CHANGES b/CHANGES index f13c3f0f36..8bc632c62c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,8 @@ 1700. [func] nslookup is no longer to be treated as deprecated. Remove "deprecated" warning message. Add man page. -1699. [placeholder] rt12281 +1699. [bug] dnssec-signzone can generate "not exact" errors + when resigning. [RT #12281] 1698. [doc] Use reserved IPv6 documentation prefix. diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index b5777598cb..26a36abf34 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.180 2004/08/11 08:55:47 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.181 2004/08/20 00:47:40 marka Exp $ */ #include @@ -341,7 +341,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key, * be generated. */ static void -signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, +signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, dns_rdataset_t *set) { dns_rdataset_t sigset; @@ -467,13 +467,31 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, if (keep) { nowsignedby[key->position] = ISC_TRUE; INCSTAT(nretained); + if (sigset.ttl != ttl) { + vbprintf(2, "\tfixing ttl %s\n", sigstr); + tuple = NULL; + result = dns_difftuple_create(mctx, + DNS_DIFFOP_DEL, + name, sigset.ttl, + &sigrdata, + &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(del, &tuple); + result = dns_difftuple_create(mctx, + DNS_DIFFOP_ADD, + name, ttl, + &sigrdata, + &tuple); + check_result(result, "dns_difftuple_create"); + dns_diff_append(add, &tuple); + } } else { tuple = NULL; result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name, sigset.ttl, &sigrdata, &tuple); check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); + dns_diff_append(del, &tuple); INCSTAT(ndropped); } @@ -483,6 +501,8 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, unsigned char array[BUFSIZE]; char keystr[KEY_FORMATSIZE]; + INSIST(!keep); + key_format(key->key, keystr, sizeof(keystr)); vbprintf(1, "\tresigning with dnskey %s\n", keystr); isc_buffer_init(&b, array, sizeof(array)); @@ -493,7 +513,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, name, ttl, &trdata, &tuple); check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); + dns_diff_append(add, &tuple); } dns_rdata_reset(&sigrdata); @@ -536,7 +556,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name, result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata, &tuple); check_result(result, "dns_difftuple_create"); - dns_diff_append(diff, &tuple); + dns_diff_append(add, &tuple); } isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t)); @@ -767,7 +787,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) { isc_boolean_t hasds = ISC_FALSE; isc_boolean_t atorigin; isc_boolean_t changed = ISC_FALSE; - dns_diff_t diff; + dns_diff_t del, add; char namestr[DNS_NAME_FORMATSIZE]; isc_uint32_t nsttl = 0; @@ -852,7 +872,8 @@ signname(dns_dbnode_t *node, dns_name_t *name) { /* * Now iterate through the rdatasets. */ - dns_diff_init(mctx, &diff); + dns_diff_init(mctx, &del); + dns_diff_init(mctx, &add); rdsiter = NULL; result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); @@ -880,7 +901,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) { namebuf); } - signset(&diff, node, name, &rdataset); + signset(&del, &add, node, name, &rdataset); skip: dns_rdataset_disassociate(&rdataset); @@ -892,12 +913,18 @@ signname(dns_dbnode_t *node, dns_name_t *name) { dns_rdatasetiter_destroy(&rdsiter); - result = dns_diff_applysilently(&diff, gdb, gversion); + result = dns_diff_applysilently(&del, gdb, gversion); + if (result != ISC_R_SUCCESS) + fatal("failed to delete SIGs at node '%s': %s", + namestr, isc_result_totext(result)); + + result = dns_diff_applysilently(&add, gdb, gversion); if (result != ISC_R_SUCCESS) fatal("failed to add SIGs at node '%s': %s", namestr, isc_result_totext(result)); - dns_diff_clear(&diff); + dns_diff_clear(&del); + dns_diff_clear(&add); } static inline isc_boolean_t