diff --git a/CHANGES b/CHANGES index b2edb6163c..7675e64b75 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6265. [bug] Don't schedule resign operations on the raw version + of an inline-signing zone. [GL #4350] + 6264. [func] Use atomics to handle some ADB entry members to reduce ADB locking contention. [GL #4326] diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index db264c2810..d31b53a464 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -29,6 +29,7 @@ rm -f ns*/*.mkeys rm -f ns*/zones ns*/*.db.infile rm -f ns*/*.zsk1 ns*/*.zsk2 rm -f ns3/legacy-keys.* +rm -rf ns3/keys/ rm -f *.created published.test* retired.test* rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.* rm -f python.out.* diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in index 0f1d2c1e2e..cef81f94d5 100644 --- a/bin/tests/system/kasp/ns3/named-fips.conf.in +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -134,6 +134,18 @@ zone "dynamic-inline-signing.kasp" { allow-update { any; }; }; +/* + * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the + * raw version of the zone. + */ +zone "dynamic-signed-inline-signing.kasp" { + type primary; + file "dynamic-signed-inline-signing.kasp.db.signed"; + key-directory "keys"; + dnssec-policy "default"; + allow-update { any; }; +}; + /* An inline-signed zone with dnssec-policy. */ zone "inline-signing.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index c198428c24..be8ad8c80f 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh 
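Review bot: The new `dynamic-signed-inline-signing.kasp` stanza does not set `inline-signing` explicitly, so whether a raw/unsigned side of this zone exists at all depends on the default that `dnssec-policy` implies for a zone that also carries `allow-update`; the neighbouring `dynamic-inline-signing.kasp` body is cut off in this hunk, so I cannot compare. The regression check added in tests.sh only greps for the absence of `(unsigned)` log lines, so if this zone ends up not being inline-signed the check passes vacuously. Adding `inline-signing yes;` to the stanza pins the property the test depends on regardless of future default changes. A short comment that `key-directory "keys";` is deliberately not where setup.sh appears to place the raw zone's CSK (which is what makes the `error reading K...` check meaningful) would also save the next reader a search.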
@@ -164,6 +164,19 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
 $SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
index 67cfa92e7d..f733de92d1 100644
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@@ -19,6 +19,7 @@ set -e
 $SHELL clean.sh
 mkdir keys
+mkdir ns3/keys
 copy_setports ns2/named.conf.in ns2/named.conf
 
 if ! $SHELL ../testcrypto.sh -q RSASHA1
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index dfc2df3e82..2f251edb30 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
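Review bot: `csktimes` is assigned on the line before the `$KEYGEN` call but never used; the call passes `$ksktimes`, which holds whatever an earlier block of setup.sh last assigned (or nothing), so the CSK's publish/activate times are not the `now-1d` this block intends. The fix is `CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes $zone 2> keygen.out.$zone.1)`. Because the corresponding check in tests.sh only asserts that a resign did not happen, a mis-timed key would not be noticed there. `$O`, `$zone`, `$infile` and `$zonefile` come from `setup` and definitions outside this hunk, so I am assuming `setup` populates them as it does for the other zones.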
@@ -487,6 +487,23 @@ retry_quiet 10 update_is_signed || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+#
+# Zone: dynamic-signed-inline-signing.kasp
+#
+set_zone "dynamic-signed-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+dnssec_verify
+# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
+n=$((n+1))
+echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)"
+ret=0
+grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1
+grep "error reading K$ZONE" $DIR/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Zone: inline-signing.kasp
 #
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 28c11682c6..6dc098cd47 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -48,7 +48,9 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- None.
+- For inline-signing zones, if the unsigned version of the zone contains
+  DNSSEC records, it was scheduled to be resigning. This unwanted behavior
+  has been fixed. :gl:`#4350`
 
 Known Issues
 ~~~~~~~~~~~~
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b9bea598ef..6fb44e43cd 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3825,15 +3825,11 @@ set_resigntime(dns_zone_t *zone) {
 	INSIST(LOCKED_ZONE(zone));
 
 	/* We only re-sign zones that can be dynamically updated */
-	if (zone->update_disabled) {
+	if (!dns_zone_isdynamic(zone, false)) {
 		return;
 	}
 
-	if (!inline_secure(zone) &&
-	    (zone->type != dns_zone_primary ||
-	     (zone->ssutable == NULL &&
-	      (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
-	{
+	if (inline_raw(zone)) {
 		return;
 	}
 
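Review bot: Both new checks are negative greps, so they also pass when the line simply never appears for an unrelated reason: the `zone_resigninc: ... enter` message looks like a debug-level log line, so it is silent if ns3's debug level does not cover it; it is also silent if the zone is not actually loaded as an inline-signing raw/secure pair, or if the log text is reworded later. Consider pairing them with a positive control that proves the raw zone was loaded and logging is on, e.g. `grep "zone $ZONE/IN (unsigned): loaded serial" $DIR/named.run > /dev/null || ret=1` (adjust to the exact load message named emits). That way a regression in the fix is distinguishable from a test that has gone vacuous.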
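Review bot: The new first guard `if (!dns_zone_isdynamic(zone, false))` drops the explicit `zone->type != dns_zone_primary` test that the removed condition applied to non-inline zones. `dns_zone_isdynamic()` is defined outside this hunk; if it reports secondary, mirror or stub zones as dynamic (zones kept current by transfer), those types now fall through into the rest of set_resigntime where they returned early before. If that is the case, keep the type test alongside the new check, e.g. `if (!dns_zone_isdynamic(zone, false) || (!inline_secure(zone) && zone->type != dns_zone_primary)) {`. The comment `/* We only re-sign zones that can be dynamically updated */` could also say that the raw side of an inline-signed zone is excluded even though it is dynamic, which is the point of #4350. set_resigntime continues past the end of the hunk.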
@@ -5174,7 +5170,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	is_dynamic = dns_zone_isdynamic(zone, false);
 
 	if (zone->type == dns_zone_primary && is_dynamic &&
-	    dns_db_issecure(db))
+	    dns_db_issecure(db) && !inline_raw(zone))
 	{
 		dns_name_t *name;
 		dns_fixedname_t fixed;
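Review bot: The added `!inline_raw(zone)` is a plain flag test but is evaluated last, after the `dns_db_issecure(db)` database query; ordering it first, `if (zone->type == dns_zone_primary && is_dynamic && !inline_raw(zone) && dns_db_issecure(db))`, skips the query for every raw zone and reads as the policy it is. The reason for the exclusion is not recorded at the site, and a future reader will wonder why a secure, dynamic primary is skipped; a one-line comment such as `/* The raw side of an inline-signed zone is never re-signed here, even if it already holds DNSSEC records (GL #4350). */` above the `if` would explain it. zone_postload starts, and the guarded block continues, outside this hunk, so I have not checked whether the same predicate is needed further down.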