upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-03 13:59:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

2980. [bug] named didn't properly handle UPDATES that changed the

Browse source 
TTL of the NSEC3PARAM RRset. [RT #22363]
This commit is contained in:
Mark Andrews 2010-12-07 02:53:34 +00:00
parent 631e4420e1
commit 8aee18709f
11 changed files with 342 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -1,3 +1,6 @@
2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]
2979. [bug] named could deadlock during shutdown if two
"rndc stop" commands were issued at the same
time. [RT #22108]

212
bin/named/update.c
View file

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.182 2010/05/18 01:39:41 marka Exp $ */
/* $Id: update.c,v 1.183 2010/12/07 02:53:33 marka Exp $ */
#include <config.h>
@ -1250,11 +1250,10 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
return (ISC_FALSE);
INSIST(db_rr->length >= 4 && update_rr->length >= 4);
/*
* Replace records added in this UPDATE request.
* Replace NSEC3PARAM records that only differ by the
* flags field.
*/
if (db_rr->data[0] == update_rr->data[0] &&
(db_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&
(update_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&
memcmp(db_rr->data+2, update_rr->data+2,
update_rr->length - 2) == 0)
return (ISC_TRUE);
@ -3110,6 +3109,8 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
isc_boolean_t flag;
dns_name_t *name = dns_zone_getorigin(zone);
dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);;
isc_uint32_t ttl = 0;
isc_boolean_t ttl_good = ISC_FALSE;
update_log(client, zone, ISC_LOG_DEBUG(3),
"checking for NSEC3PARAM changes");
@ -3132,53 +3133,143 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
}
/*
* Extract TTL changes pairs, we don't need to convert these to
* delayed changes.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
if (tuple->op == DNS_DIFFOP_ADD) {
next = ISC_LIST_NEXT(tuple, link);
if (!ttl_good) {
/*
* Any adds here will contain the final
* NSEC3PARAM RRset TTL.
*/
ttl = tuple->ttl;
ttl_good = ISC_TRUE;
}
/*
* Walk the temp_diff list looking for the
* corresponding delete.
*/
next = ISC_LIST_HEAD(temp_diff.tuples);
while (next != NULL) {
unsigned char *next_data = next->rdata.data;
unsigned char *tuple_data = tuple->rdata.data;
if (next_data[0] != tuple_data[0] ||
/* Ignore flags. */
if (next->op == DNS_DIFFOP_DEL &&
next->rdata.length == tuple->rdata.length &&
!memcmp(next_data, tuple_data,
next->rdata.length)) {
ISC_LIST_UNLINK(temp_diff.tuples, next,
link);
ISC_LIST_APPEND(diff->tuples, next,
link);
break;
}
next = ISC_LIST_NEXT(next, link);
}
/*
* If we have not found a pair move onto the next
* tuple.
*/
if (next == NULL) {
next = ISC_LIST_NEXT(tuple, link);
continue;
}
/*
* Find the next tuple to be processed before
* unlinking then complete moving the pair to 'diff'.
*/
next = ISC_LIST_NEXT(tuple, link);
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
ISC_LIST_APPEND(diff->tuples, tuple, link);
} else
next = ISC_LIST_NEXT(tuple, link);
}
/*
* Preserve any ongoing changes from a BIND 9.6.x upgrade.
*
* Any NSEC3PARAM records with flags other than OPTOUT named
* in managing and should not be touched so revert such changes
* taking into account any TTL change of the NSEC3PARAM RRset.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
next = ISC_LIST_NEXT(tuple, link);
if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
/*
* If we havn't had any adds then the tuple->ttl must
* be the original ttl and should be used for any
* future changes.
*/
if (!ttl_good) {
ttl = tuple->ttl;
ttl_good = ISC_TRUE;
}
op = (tuple->op == DNS_DIFFOP_DEL) ?
DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
CHECK(dns_difftuple_create(diff->mctx, op, name,
ttl, &tuple->rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
dns_diff_appendminimal(diff, &tuple);
}
}
/*
* We now have just the actual changes to the NSEC3PARAM RRset.
* Convert the adds to delayed adds and the deletions into delayed
* deletions.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
/*
* If we havn't had any adds then the tuple->ttl must be the
* original ttl and should be used for any future changes.
*/
if (!ttl_good) {
ttl = tuple->ttl;
ttl_good = ISC_TRUE;
}
if (tuple->op == DNS_DIFFOP_ADD) {
/*
* Look for any deletes which match this ADD ignoring
* OPTOUT. We don't need to explictly remove them as
* they will be removed a side effect of processing
* the add.
*/
next = ISC_LIST_HEAD(temp_diff.tuples);
while (next != NULL) {
unsigned char *next_data = next->rdata.data;
unsigned char *tuple_data = tuple->rdata.data;
if (next->op != DNS_DIFFOP_DEL ||
next->rdata.length != tuple->rdata.length ||
next_data[0] != tuple_data[0] ||
next_data[2] != tuple_data[2] ||
next_data[3] != tuple_data[3] ||
next_data[4] != tuple_data[4] ||
!memcmp(&next_data[5], &tuple_data[5],
tuple_data[4])) {
memcmp(next_data + 4, tuple_data + 4,
tuple->rdata.length - 4)) {
next = ISC_LIST_NEXT(next, link);
continue;
}
op = (next->op == DNS_DIFFOP_DEL) ?
DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
CHECK(dns_difftuple_create(diff->mctx, op,
name, next->ttl,
&next->rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, next, link);
dns_diff_appendminimal(diff, &next);
next = ISC_LIST_NEXT(tuple, link);
ISC_LIST_APPEND(diff->tuples, next, link);
next = ISC_LIST_HEAD(temp_diff.tuples);
}
INSIST(tuple->rdata.data[1] & DNS_NSEC3FLAG_UPDATE);
/*
* See if we already have a CREATE request in progress.
*/
dns_nsec3param_toprivate(&tuple->rdata, &rdata,
privatetype, buf, sizeof(buf));
buf[2] |= DNS_NSEC3FLAG_CREATE;
buf[2] &= ~DNS_NSEC3FLAG_UPDATE;
CHECK(rr_exists(db, ver, name, &rdata, &flag));
if (!flag) {
CHECK(dns_difftuple_create(diff->mctx,
DNS_DIFFOP_ADD,
name, tuple->ttl,
&rdata,
name, 0, &rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
}
@ -3194,20 +3285,20 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if (flag) {
CHECK(dns_difftuple_create(diff->mctx,
DNS_DIFFOP_DEL,
name, tuple->ttl,
&rdata,
name, 0, &rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
}
/*
* Remove the temporary add record.
* Find the next tuple to be processed and remove the
* temporary add record.
*/
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
name, tuple->ttl,
&tuple->rdata, &newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
next = ISC_LIST_NEXT(tuple, link);
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
name, ttl, &tuple->rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
dns_diff_appendminimal(diff, &tuple);
dns_rdata_reset(&rdata);
@ -3215,48 +3306,33 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
next = ISC_LIST_NEXT(tuple, link);
}
/*
* Reverse any pending changes.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
next = ISC_LIST_NEXT(tuple, link);
if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
op = (tuple->op == DNS_DIFFOP_DEL) ?
DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
CHECK(dns_difftuple_create(diff->mctx, op, name,
tuple->ttl, &tuple->rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
dns_diff_appendminimal(diff, &tuple);
}
}
/*
* Convert deletions into delayed deletions.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
INSIST(ttl_good);
next = ISC_LIST_NEXT(tuple, link);
/*
* See if we already have a REMOVE request in progress.
*/
dns_nsec3param_toprivate(&tuple->rdata, &rdata,
privatetype, buf, sizeof(buf));
buf[2] |= DNS_NSEC3FLAG_REMOVE;
dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype,
buf, sizeof(buf));
buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
CHECK(rr_exists(db, ver, name, &rdata, &flag));
if (!flag) {
buf[2] &= ~DNS_NSEC3FLAG_NONSEC;
CHECK(rr_exists(db, ver, name, &rdata, &flag));
}
if (!flag) {
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
name, tuple->ttl, &rdata,
&newtuple));
name, 0, &rdata, &newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
}
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
tuple->ttl, &tuple->rdata,
&newtuple));
ttl, &tuple->rdata, &newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
dns_diff_appendminimal(diff, &tuple);
@ -3435,7 +3511,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
unsigned int options;
dns_difftuple_t *tuple;
dns_rdata_dnskey_t dnskey;
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
isc_boolean_t had_dnskey;
dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
@ -3820,19 +3895,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
"flag");
continue;
}
/*
* NSEC3CHAIN creation flag.
*/
INSIST(rdata.length <= sizeof(buf));
memcpy(buf, rdata.data, rdata.length);
buf[1] |= DNS_NSEC3FLAG_UPDATE;
rdata.data = buf;
/*
* Force the TTL to zero for NSEC3PARAM records.
*/
ttl = 0;
}
if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&

6
bin/tests/system/conf.sh.in
View file

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.52 2010/11/16 01:37:36 sar Exp $
# $Id: conf.sh.in,v 1.53 2010/12/07 02:53:33 marka Exp $
#
# Common configuration data for system tests, to be sourced into
@ -47,6 +47,7 @@ CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s 0 -p 1234"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s 0 -p 1234"
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s 0 -p 1234"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
@ -72,4 +73,5 @@ else
fi
export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6
PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6 \
JOURNALPRINT

7
bin/tests/system/nsupdate/clean.sh
View file

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.19 2010/12/03 00:37:33 marka Exp $
# $Id: clean.sh,v 1.20 2010/12/07 02:53:33 marka Exp $
#
# Clean up after zone transfer tests.
@ -29,3 +29,8 @@ rm -f ns2/example.bk
rm -f ns2/update.bk
rm -f */named.memstats
rm -f nsupdate.out
rm -f ns3/example.db.jnl ns3/example.db
rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
rm -f ns3/K*
rm -f dig.out.ns3.*
rm -f jp.out.ns3.*

4
bin/tests/system/nsupdate/ns3/example.db.in Normal file
View file

@ -0,0 +1,4 @@
example. 10 IN SOA example. hostmaster.example. 1 3600 900 2419200 3600
example. 10 IN NS example.
example. 10 IN A 10.53.0.3
example. 10 IN NSEC3PARAM 1 1 0 -

57
bin/tests/system/nsupdate/ns3/named.conf Normal file
View file

@ -0,0 +1,57 @@
/*
* Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.2 2010/12/07 02:53:34 marka Exp $ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
/*
zone "." {
type master;
file "root.db.signed";
};
*/
// include "trusted.conf";
zone "example" {
type master;
allow-update { any; };
file "example.db";
};
zone "nsec3param.test" {
type master;
allow-update { any; };
file "nsec3param.test.db.signed";
};

4
bin/tests/system/nsupdate/ns3/nsec3param.test.db.in Normal file
View file

@ -0,0 +1,4 @@
$TTL 10
nsec3param.test. IN SOA nsec3param.test. hostmaster.nsec3param.test. 1 3600 900 2419200 3600
nsec3param.test. IN NS nsec3param.test.
nsec3param.test. IN A 10.53.0.3

33
bin/tests/system/nsupdate/ns3/sign.sh Normal file
View file

@ -0,0 +1,33 @@
#!/bin/sh -e
#
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2010/12/07 02:53:34 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
zone=nsec3param.test.
infile=nsec3param.test.db.in
zonefile=nsec3param.test.db
keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -3 - -H 1 -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null

6
bin/tests/system/nsupdate/setup.sh
View file

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.14 2009/12/04 03:33:15 marka Exp $
# $Id: setup.sh,v 1.15 2010/12/07 02:53:33 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -25,9 +25,11 @@ SYSTEMTESTTOP=..
#
rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk
rm -f ns3/example.db.jnl
cp -f ns1/example1.db ns1/example.db
sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
cp -f ns3/example.db.in ns3/example.db
# update_test.pl has its own zone file because it
# requires a specific NS record set.
@ -48,3 +50,5 @@ EOF
../../../tools/genrandom 400 random.data
$DDNSCONFGEN -q -r random.data -z example.nil > ns1/ddns.key
(cd ns3; sh -e sign.sh)

88
bin/tests/system/nsupdate/tests.sh
View file

@ -15,12 +15,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.31 2010/12/03 00:37:33 marka Exp $
# $Id: tests.sh,v 1.32 2010/12/07 02:53:34 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
n=0
# wait for zone transfer to complete
tries=0
@ -223,6 +224,90 @@ fi
echo "I:end RT #482 regression test"
n=`expr $n + 1`
echo "I:start NSEC3PARAM changes via UPDATE on a unsigned zone test ($n)"
ret=0
$NSUPDATE << EOF
server 10.53.0.3 5300
update add example 3600 nsec3param 1 0 0 -
send
EOF
sleep 1
# the zone is not signed. The nsec3param records should be removed.
# this also proves that the server is still running.
$DIG +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
@10.53.0.3 nsec3param -p 5300 > dig.out.ns3.$n || ret=1
grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo "I: failed"; status=`expr $ret + $status`; fi
n=`expr $n + 1`
echo "I:change the NSEC3PARAM ttl via update ($n)"
ret=0
$NSUPDATE << EOF
server 10.53.0.3 5300
update add nsec3param.test 3600 NSEC3PARAM 1 0 1 -
send
EOF
sleep 1
$DIG +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param -p 5300 > dig.out.ns3.$n || ret=1
grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo "I: failed"; status=`expr $ret + $status`; fi
n=`expr $n + 1`
echo "I:add a new the NSEC3PARAM via update ($n)"
ret=0
$NSUPDATE << EOF
server 10.53.0.3 5300
update add nsec3param.test 3600 NSEC3PARAM 1 0 4 -
send
EOF
sleep 1
$DIG +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param -p 5300 > dig.out.ns3.$n || ret=1
grep "ANSWER: 2" dig.out.ns3.$n > /dev/null || ret=1
grep "NSEC3PARAM 1 0 4 -" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo "I: failed"; status=`expr $ret + $status`; fi
n=`expr $n + 1`
echo "I:add, delete and change the ttl of the NSEC3PARAM rrset via update ($n)"
ret=0
$NSUPDATE << EOF
server 10.53.0.3 5300
update delete nsec3param.test NSEC3PARAM
update add nsec3param.test 7200 NSEC3PARAM 1 0 5 -
send
EOF
sleep 1
$DIG +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param -p 5300 > dig.out.ns3.$n || ret=1
grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
grep "7200.*NSEC3PARAM 1 0 5 -" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n
# intermediate TTL changes.
grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -" jp.out.ns3.$n > /dev/null || ret=1
grep "add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -" jp.out.ns3.$n > /dev/null || ret=1
# delayed adds and deletes.
grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500" jp.out.ns3.$n > /dev/null || ret=1
grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100" jp.out.ns3.$n > /dev/null || ret=1
grep "add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400" jp.out.ns3.$n > /dev/null || ret=1
if [ $ret != 0 ] ; then echo "I: failed"; status=`expr $ret + $status`; fi
echo "I:testing that rndc stop updates the master file"
$NSUPDATE -k ns1/ddns.key <<END > /dev/null || status=1
server 10.53.0.1 5300
@ -248,5 +333,6 @@ then
echo "I:failed"; status=1
fi
echo "I:exit status: $status"
exit $status

3
lib/dns/nsec3.c
View file

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3.c,v 1.18 2010/06/02 00:38:29 marka Exp $ */
/* $Id: nsec3.c,v 1.19 2010/12/07 02:53:34 marka Exp $ */
#include <config.h>
@ -1143,6 +1143,7 @@ dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
CHECK(do_one_tuple(&tuple, db, ver, diff));
INSIST(tuple == NULL);
rdata.data = buf;
buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
CHECK(rr_exists(db, ver, origin, &rdata, &flag));