diff --git a/CHANGES b/CHANGES index b743ba6d09..71bacf6fac 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4812. [bug] Minor improvements to stability and consistency of code + handling managed keys. [RT #46468] + 4811. [bug] Revert api changes to use inline macros. Provide a alternative mechanism to turn on the use of inline macros when building BIND. diff --git a/bin/named/server.c b/bin/named/server.c index 54d86f6bbb..0972a83a64 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -14455,10 +14455,10 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) { else if (revoked) snprintf(buf, sizeof(buf), "\n\ttrust revoked"); - else if (kd.addhd < now) + else if (kd.addhd <= now) snprintf(buf, sizeof(buf), "\n\ttrusted since: %s", tbuf); - else if (kd.addhd >= now) + else if (kd.addhd > now) snprintf(buf, sizeof(buf), "\n\ttrust pending: %s", tbuf); CHECK(putstr(text, buf)); diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index 336c4fce3d..fe8d8e4510 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh @@ -131,11 +131,6 @@ echo "I: check new trust anchor can be added ($n)" ret=0 standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` mkeys_loadkeys_on 1 -# Less than a second may have passed since the last time ns2 received a -# ./DNSKEY response from ns1. Ensure keys are refreshed at a different -# timestamp to prevent the refresh from not being initiated due to all -# acceptance timers being equal to current timestamp. -sleep 1 mkeys_refresh_on 2 mkeys_status_on 2 > rndc.out.$n 2>&1 # there should be two keys listed now 
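Review bot: The last branch in mkey_dumpzone, `else if (kd.addhd > now)`, is now the exact complement of the branch above it, so it can be a plain `else`. That guarantees `buf` is rewritten on every path before `CHECK(putstr(text, buf))` and leaves one comparison to keep in step with zone_refreshkeys(). This text appears to be what an operator reads to decide whether a trust anchor is in effect, so a comment such as `/* hold-down is inclusive: trusted once addhd <= now, as in zone_refreshkeys() */` would record the boundary. The same boundary changes in lib/dns/zone.c (`if (kd.addhd <= now)`) and contrib/scripts/check5011.pl; any other comparison against addhd that this diff does not show should be checked for the same convention. The if/else chain begins above the hunk.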
@@ -337,12 +332,6 @@ n=`expr $n + 1` echo "I: check that standby key is now trusted ($n)" ret=0 wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run -# Less than a second may have passed since the last time ns2 received a -# ./DNSKEY response from ns1. Ensure status is checked at a different -# timestamp to prevent false negatives caused by the add hold-down time for the -# standby key being equal to current time ("trust pending") instead of in the -# past ("trusted since"). -sleep 1 mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` @@ -423,13 +412,9 @@ if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` n=`expr $n + 1` -echo "I: wait 21 seconds for key add/remove holddowns to expire ($n)" +echo "I: wait 20 seconds for key add/remove holddowns to expire ($n)" ret=0 -# Wait for "month" plus 1 second. If we only wait for "month" and the previous -# two tests fit into a single second, we will get a false negative caused by -# the add hold-down time for the second standby key being equal to current time -# ("trust pending") instead of in the past ("trusted since"). -sleep 21 +sleep 20 mkeys_refresh_on 2 mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed 
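Review bot: In the hunk at -423, `sleep 20` now waits exactly the hold-down interval, so the following status check passes only because named's acceptance test became inclusive (`kd.addhd <= now`), and the new text no longer says so. The removed comment explained the extra second; a replacement such as `# hold-down is 20s; named treats addhd <= now as trusted, so no extra second is needed` would keep that coupling visible. Without it, a later change to the comparison in zone.c or server.c could turn this into an intermittent failure with no hint of the cause.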
@@ -526,18 +511,11 @@ $SETTIME -R none -D none -K ns1 $standby1 > /dev/null $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>&- cp -f ns1/root.db.signed ns1/root.db.tmp BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" -# We need to prevent two different races here: -# -# 1. Less than a second may have passed since ns1 was started. If we call -# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by -# the subsequent "rndc reload ." call on platforms which do not set the -# "nanoseconds" field of isc_time_t, due to zone load time being seemingly -# equal to master file modification time. -# -# 2. Less than a second may have passed since the last time ns2 received a -# ./DNSKEY response from ns1. Ensure keys are refreshed at a different -# timestamp to prevent the refresh from not being initiated due to all -# acceptance timers being equal to current timestamp. +# Less than a second may have passed since ns1 was started. If we call +# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the +# subsequent "rndc reload ." call on platforms which do not set the +# "nanoseconds" field of isc_time_t, due to zone load time being seemingly +# equal to master file modification time. sleep 1 sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed mkeys_reload_on 1 diff --git a/contrib/scripts/check5011.pl b/contrib/scripts/check5011.pl index 0751a80d49..78b0a4c612 100644 --- a/contrib/scripts/check5011.pl +++ b/contrib/scripts/check5011.pl 
@@ -43,7 +43,7 @@ sub printstatus ($) { my $a = shift; if ($a->{removehd} ne "19700101000000") { printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd}; - } elsif ($a->{addhd} lt $now) { + } elsif ($a->{addhd} le $now) { printf " trusted\n"; } else { printf " waiting for %s\n", ext8601 $a->{addhd}; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 37be1630df..dab209cbb3 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9722,7 +9722,7 @@ zone_refreshkeys(dns_zone_t *zone) { } /* Acceptance timer expired? */ - if (kd.addhd < now) + if (kd.addhd <= now) timer = kd.addhd; /* Or do we just need to refresh the keyset? */ @@ -9824,12 +9824,10 @@ zone_refreshkeys(dns_zone_t *zone) { isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s", timebuf); - - if (!fetching) - DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); } - UNLOCK_ZONE(zone); + if (!fetching) + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); dns_diff_clear(&diff); if (ver != NULL) { @@ -9838,6 +9836,8 @@ zone_refreshkeys(dns_zone_t *zone) { } dns_db_detach(&db); + UNLOCK_ZONE(zone); + INSIST(ver == NULL); }
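Review bot: `$a->{addhd} le $now` is a string comparison, so the new inclusive boundary is only correct if `$now` has the same fixed-width 14-digit form as the `"19700101000000"` sentinel tested two lines above, and the same time zone as the key data. `$now` is assigned outside this hunk, so that cannot be confirmed here. A comment on the branch, e.g. `# lexical compare of YYYYMMDDHHMMSS strings; inclusive, matching named's addhd <= now`, would record both assumptions next to the check that reports a key as trusted.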
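Review bot: Moving `UNLOCK_ZONE(zone)` below `dns_db_detach(&db)` (the hunk at -9824 together with the one at -9836) means the version close inside `if (ver != NULL)` and the database detach now run with the zone lock held, and no comment says why. If the intent is that the REFRESHING flag update and the release of `ver`/`db` happen atomically with respect to other threads, state it above the unlock, e.g. `/* keep the zone locked until ver and db are released */`. Confirm also that nothing reached from the close/detach path tries to take the zone lock again. Every early exit in zone_refreshkeys() must now arrive at this cleanup with the lock still held, since the unlock is the last step; the function body and its failure path lie outside these hunks, so that could not be checked here.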