From 3631a23c7fb547ff30708dfb77398bfba100faa4 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 23 Jun 2021 11:17:02 +0200 Subject: [PATCH 1/3] Add configuration that causes setnsec3param hang Add a zone to the configuration file that uses NSEC3 with dnssec-policy and fails to load. This will cause setnsec3param to go into a busy wait and will cause a hang on shutdown. --- bin/tests/system/nsec3/ns3/named2.conf.in | 8 ++++++++ bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in | 8 ++++++++ bin/tests/system/nsec3/ns3/setup.sh | 2 ++ 3 files changed, 18 insertions(+) create mode 100644 bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index ece1549395..5c1094e276 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -117,3 +117,11 @@ zone "nsec3-to-nsec.kasp" { //dnssec-policy "nsec3"; dnssec-policy "nsec"; }; + +/* Add a zone that fails to load, should not prevent shutdown. */ +zone "nsec3-fails-to-load.kasp" { + type primary; + file "nsec3-fails-to-load.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in new file mode 100644 index 0000000000..5703d810d3 --- /dev/null +++ b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in @@ -0,0 +1,8 @@ +@ IN SOA kasp. nsec3-fails-to-load.kasp. ( + 1 ; serial + 30 ; refresh (30 seconds) + 10 ; retry (10 seconds) + 3600000 ; expire (5 weeks 6 days 16 hours) + 300 ; minimum (5 minutes) + ) + NS nsec3-fails-to-load.kasp. diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index 4b529d33d9..ffedec558f 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh 
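Review bot: The new fixture nsec3-fails-to-load.kasp.db.in does not say why it is expected to fail to load, so a later edit could make it loadable and quietly defeat the regression test. Presumably the cause is that the apex NS target `nsec3-fails-to-load.kasp.` has no address record in the zone. If that is right, a leading comment such as `; Deliberately broken: the NS target has no A/AAAA record, so named must refuse to load this zone.` would pin it down. Confirm the actual load error before wording the comment.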
@@ -27,3 +27,5 @@ for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ do setup "${zn}.kasp" done + +cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db From 10055d44e3083ab6fb66d26f5f0bfbb67125edb5 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 23 Jun 2021 11:20:43 +0200 Subject: [PATCH 2/3] Fix setnsec3param hang on shutdown When performing the 'setnsec3param' task, zones that are not loaded will have their task rescheduled. We should do this only if the zone load is still pending, this prevents zones that failed to load get stuck in a busy wait and causing a hang on shutdown. --- bin/tests/system/nsec3/ns3/named.conf.in | 8 ++++++++ bin/tests/system/nsec3/ns3/named2.conf.in | 2 +- bin/tests/system/nsec3/tests.sh | 11 ++++++++++- lib/dns/zone.c | 7 ++++++- 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index 791881225b..2241bc87bf 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -111,3 +111,11 @@ zone "nsec3-to-nsec.kasp" { file "nsec3-to-nsec.kasp.db"; dnssec-policy "nsec3"; }; + +/* The zone fails to load, this should not prevent shutdown. */ +zone "nsec3-fails-to-load.kasp" { + type primary; + file "nsec3-fails-to-load.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index 5c1094e276..380e56654c 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -118,7 +118,7 @@ zone "nsec3-to-nsec.kasp" { dnssec-policy "nsec"; }; -/* Add a zone that fails to load, should not prevent shutdown. */ +/* The zone fails to load, but is fixed after a reload. */ zone "nsec3-fails-to-load.kasp" { type primary; file "nsec3-fails-to-load.kasp.db"; 
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 62c49e5904..ac3a3c13cd 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -218,7 +218,6 @@ echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 - # Zone: nsec-to-nsec3.kasp. (reconfigured) set_zone_policy "nsec-to-nsec3.kasp" "nsec3" set_nsec3param "0" "5" "8" @@ -324,5 +323,15 @@ echo_i "check zone ${ZONE} after restart has salt ${SALT}" check_nsec3 dnssec_verify +# Zone: nsec3-fails-to-load.kasp. (should be fixed after reload) +cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db +rndc_reload ns3 10.53.0.3 + +set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" +set_nsec3param "0" "5" "8" +echo_i "check zone ${ZONE} after reload" +check_nsec3 +dnssec_verify + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 0755baf636..3d24967577 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -21228,6 +21228,7 @@ static void setnsec3param(isc_task_t *task, isc_event_t *event) { const char *me = "setnsec3param"; dns_zone_t *zone = event->ev_arg; + bool loadpending; INSIST(DNS_ZONE_VALID(zone)); @@ -21235,6 +21236,10 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { ENTER; + LOCK_ZONE(zone); + loadpending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING); + UNLOCK_ZONE(zone); + /* * If receive_secure_serial is still processing or we have a * queued event append rss_post queue. @@ -21252,7 +21257,7 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { * be picked up later. This turns this function into a busy * wait, but it only happens at startup. */ - if (zone->db == NULL) { + if (zone->db == NULL && loadpending) { rescheduled = true; isc_task_send(task, &event); } From 2f270428fc5130030e3b20113f1e6e370ad15113 Mon Sep 17 00:00:00 2001 
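Review bot: The block added at the end of tests.sh checks only the state after `rndc_reload`; nothing asserts that nsec3-fails-to-load.kasp was actually rejected at startup, which is the condition the hang depended on. If the fixture ever loads cleanly, the test still passes and the shutdown regression is no longer exercised. A check before the `cp`, along the lines of `grep "<load-failure message for the zone>" <ns3 log file> >/dev/null || status=1`, would close that gap. The results of `cp` and `rndc_reload` are also not checked in the lines shown, unless those helpers already update `status`.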
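Review bot: With the new `zone->db == NULL && loadpending` test, a zone whose load failed no longer returns early, so setnsec3param now continues past this block with `zone->db` still NULL; the code that follows is outside the hunk, so confirm that it checks for a NULL database before using it. The comment above the test still describes only the not-yet-loaded case and should explain the new condition, for example `/* Reschedule only while the load is still pending; a zone that failed to load keeps db == NULL and would otherwise spin here until shutdown. */`. Note also that `loadpending` is sampled under LOCK_ZONE in the earlier hunk and used after the lock is dropped, so it can be stale by the time `zone->db` is read; as far as the visible lines show this costs at most one extra reschedule, but it deserves a word in the comment. This note covers all three zone.c hunks; the function body begins and ends outside them.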
From: Matthijs Mekking Date: Wed, 23 Jun 2021 11:58:54 +0200 Subject: [PATCH 3/3] Add changes for [#2791] --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 8eff7be497..72c9a9b44a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5668. [bug] When a zone fails to load on startup, the setnsec3param + task is rescheduled. This caused a hang on shutdown, and + is now fixed. [GL #2791] + 5667. [bug] The configuration-checking code failed to account for the inheritance rules of the "dnssec-policy" option. [GL #2780]