Set DNS_JOURNALOPT_RESIGN when loading the secure journal for an inline-signed zone

When an inline-signed zone is loaded, the master file for its signed version is loaded and then a rollforward of the journal for the signed version of the zone is performed. If DNS_JOURNALOPT_RESIGN is not set during the latter phase, signatures loaded from the journal for the signed version of the zone will not be scheduled for refresh. Fix the conditional expression determining which flags should be used for the dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when zone_postload() is called for the signed version of an inline-signed zone. Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead of "rndc stop" as the former allows master file flushing upon shutdown to be suppressed.
2026-04-23 15:17:01 -04:00 · 2018-08-22 10:48:07 +02:00 · 2018-08-22 10:48:07 +02:00 · 8db550c42f
commit 8db550c42f
parent 71793853df
7 changed files with 84 additions and 6 deletions
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@ -73,6 +73,10 @@ rm -f ns3/nsec3.db
 rm -f ns3/nsec3.db.jnl
 rm -f ns3/nsec3.db.signed
 rm -f ns3/nsec3.db.signed.jnl
+rm -f ns3/delayedkeys.db
+rm -f ns3/delayedkeys.db.jnl
+rm -f ns3/delayedkeys.db.signed
+rm -f ns3/delayedkeys.db.signed.jnl
 rm -f ns3/removedkeys-primary.db
 rm -f ns3/removedkeys-primary.db.jnl
 rm -f ns3/removedkeys-primary.db.signed
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@ -141,6 +141,13 @@ zone "nokeys" {
 	file "nokeys.bk";
 };

+zone "delayedkeys" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "delayedkeys.db";
+};
+
 zone "removedkeys-primary" {
 	type master;
 	inline-signing yes;
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@ -96,6 +96,14 @@ keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

+zone=delayedkeys
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+# Keys for the "delayedkeys" zone should not be initially accessible.
+mv K${zone}.+*+*.* ../
+
 zone=removedkeys-primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@ -31,6 +31,7 @@ cp ns3/master.db.in ns3/updated.db
 cp ns3/master.db.in ns3/expired.db
 cp ns3/master.db.in ns3/nsec3.db
 cp ns3/master.db.in ns3/externalkey.db
+cp ns3/master.db.in ns3/delayedkeys.db
 cp ns3/master.db.in ns3/removedkeys-primary.db

 mkdir ns3/removedkeys
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@ -1264,7 +1264,61 @@ grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+# Check that the master file $2 for zone $1 does not contain RRSIG records
+# while the journal file for that zone does contain them.
+ensure_sigs_only_in_journal() {
+	origin="$1"
+	masterfile="$2"
+	$CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1
+	$CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
+}
+
 n=`expr $n + 1`
+echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
+ret=0
+# Signing keys for the "delayedkeys" zone are not yet accessible.  Thus, the
+# zone file for the signed version of the zone will contain no DNSSEC records.
+# Move keys into place now and load them, which will cause DNSSEC records to
+# only be present in the journal for the signed version of the zone.
+mv Kdelayedkeys* ns3/
+$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+# Wait until the zone is signed.
+ans=1
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	$RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
+	num=`grep "Done signing with" signing.out.test$n | wc -l`
+	if [ $num -eq 2 ]; then
+		ans=0
+		break
+	fi
+	sleep 1
+done
+if [ $ans != 0 ]; then ret=1; fi
+# Halt rather than stopping the server to prevent the master file from being
+# flushed upon shutdown since we specifically want to avoid it.
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} . ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns3
+# At this point, the raw zone journal will not have a source serial set.  Upon
+# server startup, receive_secure_serial() will rectify that, update SOA, resign
+# it, and schedule its future resign.  This will cause "rndc zonestatus" to
+# return delayedkeys/SOA as the next node to resign, so we restart the server
+# once again; with the raw zone journal now having a source serial set,
+# receive_secure_serial() should refrain from introducing any zone changes.
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} . ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns3
+# We can now test whether the secure zone journal was correctly processed:
+# unless the records contained in it were scheduled for resigning, no resigning
+# event will be scheduled at all since the secure zone master file contains no
+# DNSSEC records.
+$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
+grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
 echo_i "check that zonestatus reports 'type: master' for a inline master zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n
--- a/bin/tests/system/stop.pl
+++ b/bin/tests/system/stop.pl
@ -31,11 +31,12 @@ use Getopt::Long;
 #
 #   server          Name of the server directory.

-my $usage = "usage: $0 [--use-rndc [--port port]] test-directory [server-directory]";
+my $usage = "usage: $0 [--use-rndc [--halt] [--port port]] test-directory [server-directory]";

 my $use_rndc = 0;
+my $halt = 0;
 my $port = 9953;
-GetOptions('use-rndc' => \$use_rndc, 'port=i' => \$port) or die "$usage\n";
+GetOptions('use-rndc' => \$use_rndc, 'halt' => \$halt, 'port=i' => \$port) or die "$usage\n";

 my $errors = 0;

@ -131,9 +132,10 @@ sub stop_rndc {

 	return unless ($server =~ /^ns(\d+)$/);
 	my $ip = "10.53.0.$1";
+	my $how = $halt ? "halt" : "stop";

 	# Ugly, but should work.
-	system("$ENV{RNDC} -c ../common/rndc.conf -s $ip -p $port stop | sed 's/^/I:$server /'");
+	system("$ENV{RNDC} -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$server /'");
 	return;
 }

--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -4488,11 +4488,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
 	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
 	{
-		if (zone->type == dns_zone_master &&
-		    (zone->update_acl != NULL || zone->ssutable != NULL))
+		if (zone->type == dns_zone_master && (inline_secure(zone) ||
+		    (zone->update_acl != NULL || zone->ssutable != NULL)))
+		{
 			options = DNS_JOURNALOPT_RESIGN;
-		else
+		} else {
 			options = 0;
+		}
 		result = dns_journal_rollforward(zone->mctx, db, options,
 						 zone->journal);
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&