From 3e0d9bd6d2f5aadeeda6a02a46a0b6f9624e5b49 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Fri, 13 May 2022 20:55:23 -0700
Subject: [PATCH 1/2] don't create managed-keys zone unless dnssec-validation is "auto"
previously, a managed-keys zone was created for every view regardless of whether rfc5011 was in use; when it was not in use, the zone would be left empty. this made for some confusing log messages. we now only set up the managed-keys zone if dnssec-validation is set to the default value of "auto". certain system test servers have had their dnssec-validation settings changed to auto because the tests depended on the existence of the zone.
---
 bin/named/server.c | 4 +++-
 bin/tests/system/journal/ns1/named.conf.in | 2 +-
 bin/tests/system/journal/ns2/named.conf.in | 2 +-
 bin/tests/system/mkeys/ns3/named.conf.in | 2 +-
 bin/tests/system/mkeys/ns6/named.conf.in | 2 +-
 bin/tests/system/rndc/tests.sh | 2 +-
 6 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 84cc98419a..ca25b073ba 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1200,7 +1200,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 }
 }
- CHECK(add_keydata_zone(view, directory, named_g_mctx));
+ if (auto_root) {
+ CHECK(add_keydata_zone(view, directory, named_g_mctx));
+ }
 cleanup:
 return (result);
diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in
index 1f6e983340..c3e2843b97 100644
--- a/bin/tests/system/journal/ns1/named.conf.in
+++ b/bin/tests/system/journal/ns1/named.conf.in
@@ -20,7 +20,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
- dnssec-validation yes;
+ dnssec-validation auto;
 minimal-responses no;
 recursion no;
 notify yes;
diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in
index 4c07c920db..4d58c28468 100644
--- a/bin/tests/system/journal/ns2/named.conf.in
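Review bot: The new guard keys creation of the managed-keys zone solely on `auto_root`, while the commit message describes the condition as whether RFC 5011 key management is in use; if a view can carry `initial-key` trust anchors without `dnssec-validation auto`, such a view would now lose the zone that RFC 5011 refresh relies on. The code that sets `auto_root` and loads the trust anchors sits earlier in configure_view_dnsseckeys, outside this hunk, so whether that case is already folded into `auto_root` cannot be confirmed here; a system test with an `initial-key` anchor under `dnssec-validation yes` would settle it. Code after this point that assumed every view owns a keydata zone now meets views without one (the tests.sh count drops from 201 to 199 zones), so the NULL path there deserves a check as well. A short why-comment above the guard would make the intent explicit: `/* Only views using RFC 5011 (dnssec-validation auto) need a managed-keys zone. */`.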
+++ b/bin/tests/system/journal/ns2/named.conf.in
@@ -20,7 +20,7 @@ options {
 pid-file "named.pid";
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
- dnssec-validation yes;
+ dnssec-validation auto;
 minimal-responses no;
 recursion no;
 notify yes;
diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in
index 7ad8419a93..e6e19f54c3 100644
--- a/bin/tests/system/mkeys/ns3/named.conf.in
+++ b/bin/tests/system/mkeys/ns3/named.conf.in
@@ -23,7 +23,7 @@ options {
 listen-on-v6 { none; };
 recursion yes;
 notify no;
- dnssec-validation yes;
+ dnssec-validation auto;
 bindkeys-file "managed.conf";
 trust-anchor-telemetry no;
 };
diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in
index ff8137a6f2..50892fa3bb 100644
--- a/bin/tests/system/mkeys/ns6/named.conf.in
+++ b/bin/tests/system/mkeys/ns6/named.conf.in
@@ -23,7 +23,7 @@ options {
 listen-on-v6 { none; };
 recursion yes;
 notify no;
- dnssec-validation yes;
+ dnssec-validation auto;
 trust-anchor-telemetry no;
 };
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index e678153cd9..17b007e850 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -429,7 +429,7 @@ n=$((n+1))
 echo_i "testing automatic zones are reported ($n)"
 ret=0
 $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf status > rndc.out.1.test$n || ret=1
-grep "number of zones: 201 (198 automatic)" rndc.out.1.test$n > /dev/null || ret=1
+grep "number of zones: 199 (198 automatic)" rndc.out.1.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
From dc524ad39267778646d5415424bc9663d7954e92 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 31 May 2022 10:55:31 -0700
Subject: [PATCH 2/2] CHANGES for [GL #3349]
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index 8081f2dd5b..508810b2f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5897. [bug] Views that weren't configured to use RFC 5011 key
+ management would still set up an empty managed-keys
+ zone. This has been fixed. [GL #3349]
+
 5896. [func] Add some more dnssec-policy checks to detect weird policies. [GL #1611]