Merge branch '3570-nsec3param-ttl-default-soa-minimum' into 'main'
Change default NSEC3PARAM TTL Closes #3570 See merge request isc-projects/bind9!6897
commit
9e6c449f7b
6 changed files with 77 additions and 2 deletions
3
CHANGES
3
CHANGES
|
|
@ -1,3 +1,6 @@
|
|||
6016. [func] Change NSEC3PARAM TTL to match the SOA MINIMUM.
|
||||
[GL #3570]
|
||||
|
||||
6015. [bug] Some browsers (Firefox) send more than 10 HTTP
|
||||
headers. Bump the number of allowed HTTP headers
|
||||
to 100. [GL #3670]
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
set -e
|
||||
|
||||
rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
|
||||
rm -f dig.out.* rndc.reload.* rndc.signing.* update.out.* verify.out.*
|
||||
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
|
||||
rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
|
||||
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
|
||||
|
|
|
|||
27
bin/tests/system/nsec3/ns3/template2.db.in
Normal file
27
bin/tests/system/nsec3/ns3/template2.db.in
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 300
|
||||
@ IN SOA mname1. . (
|
||||
2 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
900 ; minimum (15 minutes)
|
||||
)
|
||||
|
||||
NS ns3
|
||||
ns3 A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
c A 10.0.0.3
|
||||
|
||||
|
|
@ -290,6 +290,24 @@ set_key_default_values "KEY1"
|
|||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
|
||||
# Test that NSEC3PARAM TTL is equal to SOA MINIMUM.
|
||||
n=$((n+1))
|
||||
echo_i "check TTL of NSEC3PARAM in zone $ZONE is equal to SOA MINIMUM ($n)"
|
||||
ret=0
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n" || ret=1
|
||||
grep "${ZONE}\..*3600.*IN.*NSEC3PARAM" "dig.out.test$n" > /dev/null || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
# Update SOA MINIMUM.
|
||||
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
|
||||
rndccmd $SERVER reload $ZONE > rndc.reload.test$n.$ZONE || log_error "failed to call rndc reload $ZONE"
|
||||
_wait_for_new_soa() {
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" SOA > "dig.out.soa.test$n" || return 1
|
||||
grep "${ZONE}\..*IN.*SOA.*mname1..*..*20.*20.*.1814400.*900" "dig.out.soa.test$n" > /dev/null || return 1
|
||||
}
|
||||
retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zone $ZONE"
|
||||
|
||||
# Zone: nsec3-dynamic-change.kasp.
|
||||
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
|
||||
set_nsec3param "0" "0" "0"
|
||||
|
|
@ -453,6 +471,16 @@ set_key_default_values "KEY1"
|
|||
echo_i "check zone ${ZONE} after reconfig"
|
||||
check_nsec3
|
||||
|
||||
# Test that NSEC3PARAM TTL is equal to new SOA MINIMUM.
|
||||
n=$((n+1))
|
||||
echo_i "check TTL of NSEC3PARAM in zone $ZONE is updated after SOA MINIMUM changed ($n)"
|
||||
ret=0
|
||||
# Check NSEC3PARAM TTL.
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.nsec3param.test$n" || ret=1
|
||||
grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" > /dev/null || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
# Zone: nsec3-dynamic-change.kasp. (reconfigured)
|
||||
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
|
||||
set_nsec3param "1" "11" "8"
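Review bot: The TTL assertions in both added test blocks match too loosely to pin the value. `grep "${ZONE}\..*3600.*IN.*NSEC3PARAM"` and the later `.*900.*` variant accept any line where those digits appear somewhere before `IN`, so a TTL such as 13600 or 9000 would still pass. Assuming the usual dig answer layout (owner, TTL, class, type), anchoring the TTL field is tighter, e.g. `grep -E "^${ZONE}\.[[:space:]]+900[[:space:]]+IN[[:space:]]+NSEC3PARAM" "dig.out.nsec3param.test$n"`, with the same form for the 3600 check. The pattern in `_wait_for_new_soa` has the same looseness (unescaped dots, `.*900` unanchored). The `rndccmd $SERVER reload $ZONE > rndc.reload.test$n.$ZONE` line leaves its variables unquoted, unlike the surrounding lines.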
|
||||
|
|
|
|||
|
|
@ -30,7 +30,8 @@ Removed Features
|
|||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- None.
|
||||
- The NSEC3PARAM TTL was previously set to 0 and is now changed to be the same
|
||||
value as in the SOA MINIMUM field. :gl:`#3570`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
|
|
|||
|
|
@ -8120,6 +8120,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
|
|||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
dns_rdataset_t rdataset;
|
||||
dns_rdata_nsec3param_t nsec3param;
|
||||
dns_rdata_soa_t soa;
|
||||
isc_result_t result;
|
||||
isc_buffer_t buffer;
|
||||
unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
|
||||
|
|
@ -8130,6 +8131,21 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
|
|||
|
||||
result = dns_db_getoriginnode(db, &node);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
|
||||
/* Default TTL is SOA MINIMUM */
|
||||
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
|
||||
&rdataset, NULL);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
CHECK(dns_rdataset_first(&rdataset));
|
||||
dns_rdataset_current(&rdataset, &rdata);
|
||||
CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
|
||||
ttl = soa.minimum;
|
||||
dns_rdata_reset(&rdata);
|
||||
}
|
||||
if (dns_rdataset_isassociated(&rdataset)) {
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
}
|
||||
|
||||
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
|
||||
0, &rdataset, NULL);
|
||||
if (result == ISC_R_NOTFOUND) {
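Review bot: The two `CHECK()` calls inside the new `if (result == ISC_R_SUCCESS)` block jump past the `dns_rdataset_disassociate(&rdataset)` that follows it, so on a failed `dns_rdataset_first()` or `dns_rdata_tostruct()` the SOA rdataset is still associated when control reaches the failure path. That path and the initialisation of `rdataset` are outside the hunk, so please confirm the cleanup label disassociates `rdataset` before returning. Separately, when the SOA lookup does not return `ISC_R_SUCCESS` the code silently keeps whatever `ttl` held before, which the comment does not say; something like `/* Default TTL is SOA MINIMUM; if no SOA is found at the origin, ttl keeps its prior value */` would document the fallback. fixup_nsec3param's body starts and ends outside the hunk.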
|
||||
|
|
|
|||