From 89069e6b3abc5ab00c77227f31b771cc2fa4768f Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 22 Feb 2012 00:37:54 +0000
Subject: [PATCH] 3286. [bug] Managed key maintenance timer could fail to start after 'rndc reconfig'. [RT #26786]
---
 CHANGES | 3 +++
 bin/named/server.c | 3 ++-
 bin/tests/system/dnssec/clean.sh | 3 ++-
 bin/tests/system/dnssec/tests.sh | 16 +++++++++++++++-
 bin/tests/system/resolver/clean.sh | 4 ++--
 lib/dns/include/dns/zone.h | 12 ++++++++++--
 lib/dns/zone.c | 24 ++++++++++++++++++++++--
 7 files changed, 56 insertions(+), 9 deletions(-)
diff --git a/CHANGES b/CHANGES
index 79bf6f9864..80c51eb92b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3286. [bug] Managed key maintenance timer could fail to start
+ after 'rndc reconfig'. [RT #26786]
+
 3285. [bug] val-frdataset was incorrectly disassociated in proveunsecure after calling startfinddlvsep. [RT #27928]
diff --git a/bin/named/server.c b/bin/named/server.c
index c86808c3ae..a332a3b713 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: server.c,v 1.645 2012/02/06 21:33:49 each Exp $ */
+/* $Id: server.c,v 1.646 2012/02/22 00:37:53 each Exp $ */
 /*! \file */
@@ -3536,6 +3536,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
 dns_zone_attach(pview->managed_keys, &view->managed_keys);
 dns_zone_setview(pview->managed_keys, view);
 dns_view_detach(&pview);
+ dns_zone_synckeyzone(view->managed_keys);
 return (ISC_R_SUCCESS);
 }
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 8bce9d805f..7a901e6a00 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
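Review bot: The result of the added `dns_zone_synckeyzone(view->managed_keys);` call is discarded, although the function is declared in this commit as returning isc_result_t and, per the zone.c hunk, reports DNS_R_BADZONE or a dns_zone_getdb() failure. When that happens after 'rndc reconfig' the maintenance timer stays unstarted with nothing in the log, which is the very symptom this commit fixes. Capture the result and log a non-ISC_R_SUCCESS value at warning level through isc_log_write() before the `return (ISC_R_SUCCESS);`, or, if ignoring it is intentional, say so on the line, e.g. `/* result deliberately ignored: <reason> */` with the reason filled in. The body of add_keydata_zone begins before this hunk.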
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.46 2011/12/08 16:07:20 each Exp $
+# $Id: clean.sh,v 1.47 2012/02/22 00:37:54 each Exp $
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
 rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
@@ -51,6 +51,7 @@ rm -f signer/signer.out.*
 rm -f ns2/algroll.db
 rm -f ns3/kskonly.example.db
 rm -f ns4/named.conf
+rm -f ns4/managed-keys.bind*
 rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/secure.below-cname.example.db
 rm -f signer/example.db.after signer/example.db.before
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 809a56c5a9..e4cde557c2 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.107 2011/12/22 12:01:43 marka Exp $
+# $Id: tests.sh,v 1.108 2012/02/22 00:37:54 each Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1255,6 +1255,13 @@ else
 echo "I:The DNSSEC update test requires the Net::DNS library." >&2
 fi
+echo "I:checking managed key maintenance has not started yet ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Reconfigure caching server to use "dnssec-validation auto", and repeat
 # some of the DNSSEC validation tests to ensure that it works correctly.
 echo "I:switching to automatic root key configuration"
@@ -1262,6 +1269,13 @@ cp ns4/named2.conf ns4/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
 sleep 5
+echo "I:checking managed key maintenance timer has now started ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking positive validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 6fbc8442e7..a3a28aff06 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.10 2012/02/09 23:47:17 tbox Exp $
+# $Id: clean.sh,v 1.11 2012/02/22 00:37:54 each Exp $
 #
 # Clean up after resolver tests.
@@ -28,6 +28,6 @@ rm -f ns4/tld.db
 rm -f ns6/K*
 rm -f ns6/example.net.db.signed ns6/example.net.db
 rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
-rm -r ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl
 rm -f random.data
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 2e4230ad77..99439dc6bd 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.h,v 1.203 2012/02/01 21:28:39 marka Exp $ */
+/* $Id: zone.h,v 1.204 2012/02/22 00:37:54 each Exp $ */
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
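Review bot: The new `[ -f "ns4/managed-keys.bind.jnl" ] || ret=1` check is only as reliable as the fixed `sleep 5` two lines above it: the journal presumably appears once the maintenance timer has fired and the key zone has been journalled, so a slow or loaded host reports "I:failed" without the regression being present. A bounded poll before the existence test is cheap and removes that flakiness, e.g. `for i in 1 2 3 4 5 6 7 8 9 10; do [ -f ns4/managed-keys.bind.jnl ] && break; sleep 1; done`. The "has not started yet" check added in the previous hunk (at line 1255) is the negative control and is only meaningful while a stale journal from an earlier run is removed beforehand, which is what the `rm -f ns4/managed-keys.bind*` line in dnssec/clean.sh provides.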
@@ -2037,7 +2037,13 @@ dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header);
 * Set the data to be included in the header when the zone is dumped in
 * binary format.
 */
-ISC_LANG_ENDDECLS
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone);
+/*%
+ * Force the managed key zone to synchronize, and start the key
+ * maintenance timer.
+ */
 isc_result_t
 dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime);
@@ -2073,5 +2079,7 @@ dns_zone_getincludes(dns_zone_t *zone, char ***includesp);
 * The array and its contents need to be freed using isc_mem_free.
 */
+ISC_LANG_ENDDECLS
+
 #endif /* DNS_ZONE_H */
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 3e8b1ef212..8064316fcb 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.c,v 1.672 2012/02/07 00:47:21 marka Exp $ */
+/* $Id: zone.c,v 1.673 2012/02/22 00:37:54 each Exp $ */
 /*! \file */
@@ -3608,6 +3608,26 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 return (result);
 }
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+
+ if (zone->type != dns_zone_key)
+ return (DNS_R_BADZONE);
+
+ CHECK(dns_zone_getdb(zone, &db));
+
+ LOCK_ZONE(zone);
+ result = sync_keyzone(zone, db);
+ UNLOCK_ZONE(zone);
+
+ failure:
+ if (db != NULL)
+ dns_db_detach(&db);
+ return (result);
+}
+
 static void
 maybe_send_secure(dns_zone_t *zone) {
 isc_result_t result;
@@ -8438,7 +8458,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 if (!ISC_LIST_EMPTY(diff.tuples)) {
 CHECK(update_soa_serial(db, ver, &diff, zone->mctx,
 zone->updatemethod));
- CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
+ CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
 commit = ISC_TRUE;
 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
 zone_needdump(zone, 30);
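Review bot: The doc comment added for `dns_zone_synckeyzone()` does not state what a caller may rely on: from the zone.c hunk in this commit it returns DNS_R_BADZONE when the zone is not of type dns_zone_key and otherwise passes through whatever dns_zone_getdb() or sync_keyzone() returned. The neighbouring declarations in this header document that under `Requires:` and `Returns:` sections, so add the same here, listing `'zone' to be a valid zone` under Requires and ISC_R_SUCCESS, DNS_R_BADZONE and the propagated database/sync errors under Returns. It is also worth saying in the comment that the call takes the zone lock, since server.c invokes it from the reconfig path.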
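Review bot: `dns_zone_synckeyzone()` reads `zone->type` without first validating the handle; the public dns_zone_* entry points in this file presumably begin with `REQUIRE(DNS_ZONE_VALID(zone));`, and this one should too, as its first statement, so a bad pointer fails loudly rather than being dereferenced. Second, the database is attached through dns_zone_getdb() before LOCK_ZONE(zone) is taken, so a load that replaces zone->db between the two calls would have sync_keyzone() operate on the outgoing database; I cannot tell from the hunk whether sync_keyzone tolerates that, so if it does not, take the lock first and attach zone->db under it, which is presumably how the load path reaches sync_keyzone(). The early `return (DNS_R_BADZONE);` bypasses the `failure:` cleanup correctly since `db` is still NULL there, but a one-line comment on the `failure:` label noting that it is reached only after dns_zone_getdb() succeeded or failed with `db` untouched would help the next reader.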