mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-10 19:29:59 -04:00
Merge branch '1647-addtrustedkey-dnskey' into 'master'
Resolve "delv 9.16.0, failed to add trusted key '.': ran out of space" Closes #1647 See merge request isc-projects/bind9!3158
This commit is contained in:
Evan Hunt
commit
4c0591574f
5 changed files with 46 additions and 23 deletions
3
CHANGES
3
CHANGES
|
|
@ -1,3 +1,6 @@
|
|||
5360. [bug] delv could fail to load trust anchors in DNSKEY
|
||||
format. [GL #1647]
|
||||
|
||||
5359. [func] "rndc nta -d" and "rndc secroots" now include
|
||||
"validate-except" entries when listing negative
|
||||
trust anchors. These are indicated by the keyword
|
||||
|
|
|
|||
|
|
@ -23,3 +23,4 @@ rm -f ./dig.out.nn.*
|
|||
rm -f ./ns*/named.lock
|
||||
rm -f ./ns*/managed-keys.bind*
|
||||
rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata
|
||||
rm -f ./*/anchor.*
|
||||
|
|
|
|||
|
|
@ -14,11 +14,14 @@
|
|||
|
||||
set -e
|
||||
|
||||
keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "dnskey.example.")
|
||||
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.)
|
||||
|
||||
cp example.db.in example.db
|
||||
|
||||
cat "$keyname.key" >> example.db
|
||||
"$SIGNER" -Sz -f example.db -o example example.db.in > /dev/null 2>&1
|
||||
|
||||
keyfile_to_key_id "$keyname" > keyid
|
||||
< "$keyname.key" grep -Ev '^;' | cut -f 7- -d ' ' > keydata
|
||||
keyfile_to_key_id "$ksk" > keyid
|
||||
grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
|
||||
|
||||
keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
|
||||
keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
|
||||
|
|
|
|||
|
|
@ -117,7 +117,7 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n > /dev/null && ret=1
|
||||
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
|
|
@ -135,7 +135,7 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > dig.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1
|
||||
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
|
|
@ -144,7 +144,7 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -152,7 +152,7 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig +short +nosplit works($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > dig.out.test$n || ret=1
|
||||
grep "$NOSPLIT" < dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -160,7 +160,7 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
|
||||
grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -168,10 +168,10 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig multi flag is local($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +nomulti dnskey.example +nomulti > dig.out.nn.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +multi dnskey.example +nomulti > dig.out.mn.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +nomulti dnskey.example +multi > dig.out.nm.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY dnskey.example +multi dnskey.example +multi > dig.out.mm.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +nomulti > dig.out.nn.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +nomulti > dig.out.mn.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +nomulti example +multi > dig.out.nm.$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 -t DNSKEY example +multi example +multi > dig.out.mm.$n || ret=1
|
||||
lcnn=$(wc -l < dig.out.nn.$n)
|
||||
lcmn=$(wc -l < dig.out.mn.$n)
|
||||
lcnm=$(wc -l < dig.out.nm.$n)
|
||||
|
|
@ -199,7 +199,7 @@ if [ -x "$DIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
dig_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > dig.out.test$n || ret=1
|
||||
grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID\$" < dig.out.test$n || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -795,7 +795,7 @@ if [ -x "$MDIG" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking mdig +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
|
||||
ret=0
|
||||
mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
mdig_with_opts +tcp @10.53.0.3 +multi +norrcomments -t DNSKEY example > dig.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" dig.out.test$n && ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -917,7 +917,7 @@ if [ -x "$DELV" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking delv +multi +norrcomments works for DNSKEY (when default is rrcomments)($n)"
|
||||
ret=0
|
||||
delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
delv_with_opts +tcp @10.53.0.3 +multi +norrcomments DNSKEY example > delv.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null && ret=1
|
||||
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
|
|
@ -935,7 +935,7 @@ if [ -x "$DELV" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
delv_with_opts +tcp @10.53.0.3 +rrcomments DNSKEY example > delv.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1
|
||||
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
|
|
@ -944,7 +944,7 @@ if [ -x "$DELV" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1
|
||||
grep "; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -952,7 +952,7 @@ if [ -x "$DELV" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking delv +short +rrcomments works ($n)"
|
||||
ret=0
|
||||
delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
delv_with_opts +tcp @10.53.0.3 +short +rrcomments DNSKEY example > delv.out.test$n || ret=1
|
||||
grep -q "$KEYDATA ; ZSK; alg = $DEFAULT_ALGORITHM ; key id = $KEYID" < delv.out.test$n || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
|
@ -960,7 +960,7 @@ if [ -x "$DELV" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking delv +short +nosplit works ($n)"
|
||||
ret=0
|
||||
delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
delv_with_opts +tcp @10.53.0.3 +short +nosplit DNSKEY example > delv.out.test$n || ret=1
|
||||
grep -q "$NOSPLIT" < delv.out.test$n || ret=1
|
||||
test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
|
||||
test "$(awk '{print NF}' < delv.out.test$n)" -eq 14 || ret=1
|
||||
|
|
@ -970,7 +970,7 @@ if [ -x "$DELV" ] ; then
|
|||
n=$((n+1))
|
||||
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
||||
ret=0
|
||||
delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
delv_with_opts +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY example > delv.out.test$n || ret=1
|
||||
grep -q "$NOSPLIT\$" < delv.out.test$n || ret=1
|
||||
test "$(wc -l < delv.out.test$n)" -eq 1 || ret=1
|
||||
test "$(awk '{print NF}' < delv.out.test$n)" -eq 4 || ret=1
|
||||
|
|
@ -1042,6 +1042,22 @@ if [ -x "$DELV" ] ; then
|
|||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that delv loads key-style trust anchors ($n)"
|
||||
ret=0
|
||||
delv_with_opts -a ns3/anchor.dnskey +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1
|
||||
grep "fully validated" delv.out.test$n > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "check that delv loads DS-style trust anchors ($n)"
|
||||
ret=0
|
||||
delv_with_opts -a ns3/anchor.ds +root=example @10.53.0.3 -t DNSKEY example > delv.out.test$n 2>&1 || ret=1
|
||||
grep "fully validated" delv.out.test$n > /dev/null || ret=1
|
||||
if [ $ret -ne 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
if [ $HAS_PYYAML -ne 0 ] ; then
|
||||
n=$((n+1))
|
||||
echo_i "check delv +yaml output ($n)"
|
||||
|
|
|
|||
|
|
@ -1519,7 +1519,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
|
|||
dns_view_t *view = NULL;
|
||||
dns_keytable_t *secroots = NULL;
|
||||
dns_name_t *name = NULL;
|
||||
char dsbuf[DNS_DS_BUFFERSIZE];
|
||||
char rdatabuf[DST_KEY_MAXSIZE];
|
||||
unsigned char digest[ISC_MAX_MD_SIZE];
|
||||
dns_rdata_ds_t ds;
|
||||
dns_decompress_t dctx;
|
||||
|
|
@ -1543,7 +1543,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
isc_buffer_init(&b, dsbuf, sizeof(dsbuf));
|
||||
isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
|
||||
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
|
||||
dns_rdata_init(&rdata);
|
||||
isc_buffer_setactive(databuf, isc_buffer_usedlength(databuf));
|
||||
|
|
|
|||
Loading…
Reference in a new issue