From 95d2619007f789434883f372831ba02c5feffbdd Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 22 Feb 2012 00:35:53 +0000
Subject: [PATCH] 3286. [bug] Managed key maintenance timer could fail to start after 'rndc reconfig'. [RT #26786]
---
 CHANGES | 3 +++
 bin/named/server.c | 3 ++-
 bin/tests/system/dnssec/clean.sh | 3 ++-
 bin/tests/system/dnssec/tests.sh | 16 +++++++++++++++-
 bin/tests/system/resolver/clean.sh | 4 ++--
 lib/dns/include/dns/zone.h | 10 +++++++++-
 lib/dns/zone.c | 24 ++++++++++++++++++++++--
 7 files changed, 55 insertions(+), 8 deletions(-)
diff --git a/CHANGES b/CHANGES
index f4b5e77acd..3792282e61 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3286. [bug] Managed key maintenance timer could fail to start
+ after 'rndc reconfig'. [RT #26786]
+
 --- 9.9.0rc3 released ---
 3285. [bug] val-frdataset was incorrectly disassociated in
diff --git a/bin/named/server.c b/bin/named/server.c
index aa2f12a9cf..de227e7d76 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: server.c,v 1.638.4.3 2012/02/07 00:58:40 each Exp $ */
+/* $Id: server.c,v 1.638.4.4 2012/02/22 00:35:52 each Exp $ */
 /*! \file */
@@ -3536,6 +3536,7 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
 dns_zone_attach(pview->managed_keys, &view->managed_keys);
 dns_zone_setview(pview->managed_keys, view);
 dns_view_detach(&pview);
+ dns_zone_synckeyzone(view->managed_keys);
 return (ISC_R_SUCCESS);
 }
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 8bce9d805f..5226857869 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
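Review bot: The result of the added `dns_zone_synckeyzone(view->managed_keys);` call in `add_keydata_zone` (bin/named/server.c) is discarded, so the function still returns `ISC_R_SUCCESS` when the sync fails. In that case the key maintenance timer presumably never starts and nothing is logged, which is the same silent failure this commit sets out to fix; for a validating resolver it means managed trust anchors could stop being refreshed unnoticed. Capture the value with `result = dns_zone_synckeyzone(view->managed_keys);` and log a warning when `result != ISC_R_SUCCESS`. The function body starts outside the hunk, so whether a local `result` is already declared there is not visible.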
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.46 2011/12/08 16:07:20 each Exp $
+# $Id: clean.sh,v 1.46.36.1 2012/02/22 00:35:53 each Exp $
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
 rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
@@ -51,6 +51,7 @@ rm -f signer/signer.out.*
 rm -f ns2/algroll.db
 rm -f ns3/kskonly.example.db
 rm -f ns4/named.conf
+rm -f ns4/managed-keys.bind*
 rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/secure.below-cname.example.db
 rm -f signer/example.db.after signer/example.db.before
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 809a56c5a9..2d27fd8aa2 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.107 2011/12/22 12:01:43 marka Exp $
+# $Id: tests.sh,v 1.107.20.1 2012/02/22 00:35:53 each Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1255,6 +1255,13 @@ else
 echo "I:The DNSSEC update test requires the Net::DNS library." >&2
 fi
+echo "I:checking managed key maintenance has not started yet ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Reconfigure caching server to use "dnssec-validation auto", and repeat
 # some of the DNSSEC validation tests to ensure that it works correctly.
 echo "I:switching to automatic root key configuration"
@@ -1262,6 +1269,13 @@ cp ns4/named2.conf ns4/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
 sleep 5
+echo "I:checking managed key maintenance timer has now started ($n)"
+ret=0
+[ -f "ns4/managed-keys.bind.jnl" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking positive validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 862517e478..5438105031 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.8.248.2 2012/02/09 23:46:50 tbox Exp $
+# $Id: clean.sh,v 1.8.248.3 2012/02/22 00:35:53 each Exp $
 #
 # Clean up after resolver tests.
@@ -28,6 +28,6 @@ rm -f ns4/tld.db
 rm -f ns6/K*
 rm -f ns6/example.net.db.signed ns6/example.net.db
 rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
-rm -r ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl
 rm -f random.data
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 36b445c452..cd481d8c36 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.h,v 1.201 2012/01/25 23:46:49 tbox Exp $ */
+/* $Id: zone.h,v 1.201.2.1 2012/02/22 00:35:53 each Exp $ */
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
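Review bot: The new "timer has now started" check in bin/tests/system/dnssec/tests.sh looks for `ns4/managed-keys.bind.jnl` exactly once after the fixed `sleep 5`, so on a slow or loaded host it can fail even though the timer did start. Polling for the journal with a bounded retry removes that timing dependency and lets the test finish as soon as the file appears. The journal is only indirect evidence that the timer is running, so a short comment above the check should say why its presence is used as the signal.

```shell
# … unchanged: echo "I:checking managed key maintenance timer has now started ($n)" …
# The journal only appears once key maintenance has run; poll for it
# instead of relying on the fixed sleep above.
ret=1
for i in 1 2 3 4 5 6 7 8 9 10
do
	[ -f "ns4/managed-keys.bind.jnl" ] && { ret=0; break; }
	sleep 1
done
# … unchanged: n/status bookkeeping and "I:failed" report …
```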
@@ -2037,6 +2037,14 @@ dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header);
 * Set the data to be included in the header when the zone is dumped in
 * binary format.
 */
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone);
+/*%
+ * Force the managed key zone to synchronize, and start the key
+ * maintenance timer.
+ */
+
 ISC_LANG_ENDDECLS
 #endif /* DNS_ZONE_H */
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a1e2e5e6e4..327bc75889 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.c,v 1.667.2.2 2012/02/07 00:52:05 marka Exp $ */
+/* $Id: zone.c,v 1.667.2.3 2012/02/22 00:35:53 each Exp $ */
 /*! \file */
@@ -3559,6 +3559,26 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 return (result);
 }
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+
+ if (zone->type != dns_zone_key)
+ return (DNS_R_BADZONE);
+
+ CHECK(dns_zone_getdb(zone, &db));
+
+ LOCK_ZONE(zone);
+ result = sync_keyzone(zone, db);
+ UNLOCK_ZONE(zone);
+
+ failure:
+ if (db != NULL)
+ dns_db_detach(&db);
+ return (result);
+}
+
 static void
 maybe_send_secure(dns_zone_t *zone) {
 isc_result_t result;
@@ -8389,7 +8409,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 if (!ISC_LIST_EMPTY(diff.tuples)) {
 CHECK(update_soa_serial(db, ver, &diff, zone->mctx, zone->updatemethod));
- CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
+ CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
 commit = ISC_TRUE;
 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
 zone_needdump(zone, 30);
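Review bot: The comment added for `dns_zone_synckeyzone()` in lib/dns/include/dns/zone.h says what the call does but not what it requires or returns. The implementation in this same patch returns `DNS_R_BADZONE` when the zone is not of type `dns_zone_key`, and otherwise passes through the result of `dns_zone_getdb()` or `sync_keyzone()`. Callers need that contract to tell whether key maintenance actually started. Extend the comment with a requires line stating that 'zone' is a valid managed-keys zone, and a returns list naming `DNS_R_BADZONE` and the passed-through results.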
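Review bot: `dns_zone_synckeyzone()` in lib/dns/zone.c reads `zone->type` before anything validates the pointer, so a NULL or stale zone handed to this new exported entry point is dereferenced rather than caught by an assertion. Make `REQUIRE(DNS_ZONE_VALID(zone));` the first statement; I would expect the other public dns_zone_* functions in this file to do the same, though they are not visible in the hunk. Separately, `db` is obtained through `dns_zone_getdb()` before `LOCK_ZONE(zone)` is taken. If the zone database can be replaced in that window, `sync_keyzone()` would run against the old one, so it is worth confirming this is safe or adding a comment saying why.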