Merge branch '4350-resign-triggered-on-raw-dnssec-zone' into 'main'

Don't schedule resign for raw version of an inline-signing zone Closes #4350 See merge request isc-projects/bind9!8385
2026-06-08 23:52:05 -04:00 · 2023-10-16 08:21:25 +00:00 · 2023-10-16 08:21:25 +00:00 · 65d97a54ef
commit 65d97a54ef
parent 7a3ba34475 a8306b541b
8 changed files with 53 additions and 8 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+6265.	[bug]		Don't schedule resign operations on the raw version
+			of an inline-signing zone. [GL #4350]
+
 6264.	[func]		Use atomics to handle some ADB entry members
 			to reduce ADB locking contention. [GL #4326]

--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@ -29,6 +29,7 @@ rm -f ns*/*.mkeys
 rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
+rm -rf ns3/keys/
 rm -f *.created published.test* retired.test*
 rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@ -134,6 +134,18 @@ zone "dynamic-inline-signing.kasp" {
 	allow-update { any; };
 };

+/*
+ * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the
+ * raw version of the zone.
+ */
+zone "dynamic-signed-inline-signing.kasp" {
+	type primary;
+	file "dynamic-signed-inline-signing.kasp.db.signed";
+	key-directory "keys";
+	dnssec-policy "default";
+	allow-update { any; };
+};
+
 /* An inline-signed zone with dnssec-policy. */
 zone "inline-signing.kasp" {
 	type primary;
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -164,6 +164,19 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
 $SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@ -19,6 +19,7 @@ set -e
 $SHELL clean.sh

 mkdir keys
+mkdir ns3/keys

 copy_setports ns2/named.conf.in ns2/named.conf
 if ! $SHELL ../testcrypto.sh -q RSASHA1
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -487,6 +487,23 @@ retry_quiet 10 update_is_signed || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

+#
+# Zone: dynamic-signed-inline-signing.kasp
+#
+set_zone "dynamic-signed-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+dnssec_verify
+# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
+n=$((n+1))
+echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)"
+ret=0
+grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1
+grep "error reading K$ZONE" $DIR/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Zone: inline-signing.kasp
 #
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -48,7 +48,9 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~

- None.
+- For inline-signing zones, if the unsigned version of the zone contains
+  DNSSEC records, it was scheduled to be resigning. This unwanted behavior
+  has been fixed. :gl:`#4350`

 Known Issues
 ~~~~~~~~~~~~
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -3825,15 +3825,11 @@ set_resigntime(dns_zone_t *zone) {
 	INSIST(LOCKED_ZONE(zone));

 	/* We only re-sign zones that can be dynamically updated */
-	if (zone->update_disabled) {
+	if (!dns_zone_isdynamic(zone, false)) {
 		return;
 	}

-	if (!inline_secure(zone) &&
-	    (zone->type != dns_zone_primary ||
-	     (zone->ssutable == NULL &&
-	      (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
-	{
+	if (inline_raw(zone)) {
 		return;
 	}

@ -5174,7 +5170,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,

 		is_dynamic = dns_zone_isdynamic(zone, false);
 		if (zone->type == dns_zone_primary && is_dynamic &&
-		    dns_db_issecure(db))
+		    dns_db_issecure(db) && !inline_raw(zone))
 		{
 			dns_name_t *name;
 			dns_fixedname_t fixed;