Merge branch '2650-handle-soa-rrsigs-not-at-zone-apex' into 'main'

Handle RRSIG(SOA) RRsets not at zone apex Closes #2650 See merge request isc-projects/bind9!4936
2026-06-08 21:22:09 -04:00 · 2021-04-26 11:06:00 +00:00 · 2021-04-26 11:06:00 +00:00 · 3793733704
commit 3793733704
parent a64dd511f4 47a7b042e5
4 changed files with 27 additions and 3 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+5627.	[bug]		RRSIG(SOA) RRsets placed anywhere else than at zone apex
+			were triggering infinite resigning loops. This has been
+			fixed. [GL #2650]
+
 5626.	[bug]		When generating new keys, check for keyid conflicts
 			between new keys too. [GL #2628]

--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@ -25,8 +25,18 @@ k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")

 cat "$infile" "$k1.key" "$k2.key" > "$zonefile"

+# The awk script below achieves two goals:
+#
+# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
+#   that these two records (forming a single RRset) are not placed immediately
+#   next to each other; the test then checks if RRSIG RRsets split this way are
+#   correctly added to resigning heaps,
+#
+# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
+#   zone apex; the test then checks whether such signatures are automatically
+#   removed from the zone after it is loaded.
 "$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
 awk 'BEGIN { r = ""; }
     $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
     { print }
-     END { print r }' "$zonefile.unsplit" > "$zonefile.signed"
+     END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -3244,6 +3244,14 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

+echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)"
+ret=0
+dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1
+grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
 ret=0
 alg=1
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -7089,8 +7089,10 @@ zone_resigninc(dns_zone_t *zone) {
 		 * recent signature.
 		 */
 		/* XXXMPA increase number of RRsets signed pre call */
-		if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
-		    resign > stop) {
+		if ((covers == dns_rdatatype_soa &&
+		     dns_name_equal(name, &zone->origin)) ||
+		    i++ > zone->signatures || resign > stop)
+		{
 			break;
 		}