diff --git a/CHANGES b/CHANGES
index 3c00f7e1cf..e3b3ada5df 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6016. [func] Change NSEC3PARAM TTL to match the SOA MINIMUM.
+ [GL #3570]
+
 6015. [bug] Some browsers (Firefox) send more than 10 HTTP headers.
 Bump the number of allowed HTTP headers to 100. [GL #3670]
diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
index 7ca6829689..fab9352c1c 100644
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,7 +13,7 @@
 set -e
-rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
+rm -f dig.out.* rndc.reload.* rndc.signing.* update.out.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
diff --git a/bin/tests/system/nsec3/ns3/template2.db.in b/bin/tests/system/nsec3/ns3/template2.db.in
new file mode 100644
index 0000000000..963606b9dd
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/template2.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 900 ; minimum (15 minutes)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 0abbbce71c..bf744b696a 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -290,6 +290,24 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
+# Test that NSEC3PARAM TTL is equal to SOA MINIMUM.
+n=$((n+1))
+echo_i "check TTL of NSEC3PARAM in zone $ZONE is equal to SOA MINIMUM ($n)"
+ret=0
+dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n" || ret=1
+grep "${ZONE}\..*3600.*IN.*NSEC3PARAM" "dig.out.test$n" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update SOA MINIMUM.
+cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
+rndccmd $SERVER reload $ZONE > rndc.reload.test$n.$ZONE || log_error "failed to call rndc reload $ZONE"
+_wait_for_new_soa() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" SOA > "dig.out.soa.test$n" || return 1
+ grep "${ZONE}\..*IN.*SOA.*mname1..*..*20.*20.*.1814400.*900" "dig.out.soa.test$n" > /dev/null || return 1
+}
+retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zone $ZONE"
+
 # Zone: nsec3-dynamic-change.kasp.
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
@@ -453,6 +471,16 @@ set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
+# Test that NSEC3PARAM TTL is equal to new SOA MINIMUM.
+n=$((n+1))
+echo_i "check TTL of NSEC3PARAM in zone $ZONE is updated after SOA MINIMUM changed ($n)"
+ret=0
+# Check NSEC3PARAM TTL.
+dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.nsec3param.test$n" || ret=1
+grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
 set_nsec3param "1" "11" "8"
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index b689ac2d9c..d4c9bb2ad6 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
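Review bot: The `_wait_for_new_soa` grep in the first tests.sh hunk uses unescaped `.` in `mname1..*..*20.*20.*.1814400.*900`, so it matches arbitrary characters between the fields instead of the literal `mname1. .` owner/contact names and the exact refresh/retry/expire/minimum values; since dig prints SOA rdata space-separated, `grep "${ZONE}\..*IN.*SOA.*mname1\. \. [0-9]* 20 20 1814400 900" "dig.out.soa.test$n"` pins the reloaded values while leaving the serial free to move. Two consistency points in the same hunk: `rndccmd $SERVER reload $ZONE > rndc.reload.test$n.$ZONE` is the only new line that leaves its variables unquoted, and the first NSEC3PARAM check writes `dig.out.test$n` while the check in the second hunk writes `dig.out.nsec3param.test$n`; using the latter name in both makes the before/after outputs easy to compare. The expected `3600` TTL in the first check presumably comes from the zone's original template, which is not part of this diff.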
@@ -30,7 +30,8 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
-- None.
+- The NSEC3PARAM TTL was previously set to 0 and is now changed to be the same
+ value as in the SOA MINIMUM field. :gl:`#3570`
 Bug Fixes
 ~~~~~~~~~
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index fe7cb5bed3..f8a7ab4633 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -8120,6 +8120,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 dns_rdata_t rdata = DNS_RDATA_INIT;
 dns_rdataset_t rdataset;
 dns_rdata_nsec3param_t nsec3param;
+ dns_rdata_soa_t soa;
 isc_result_t result;
 isc_buffer_t buffer;
 unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -8130,6 +8131,21 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 result = dns_db_getoriginnode(db, &node);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /* Default TTL is SOA MINIMUM */
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
+ &rdataset, NULL);
+ if (result == ISC_R_SUCCESS) {
+ CHECK(dns_rdataset_first(&rdataset));
+ dns_rdataset_current(&rdataset, &rdata);
+ CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+ ttl = soa.minimum;
+ dns_rdata_reset(&rdata);
+ }
+ if (dns_rdataset_isassociated(&rdataset)) {
+ dns_rdataset_disassociate(&rdataset);
+ }
+
 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0, 0,
 &rdataset, NULL);
 if (result == ISC_R_NOTFOUND) {
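Review bot: In the second zone.c hunk the SOA rdataset is still associated when `CHECK(dns_rdataset_first(&rdataset))` or `CHECK(dns_rdata_tostruct(&rdata, &soa, NULL))` fails, because `CHECK()` leaves the block before the `dns_rdataset_isassociated()` cleanup that follows it runs; whether that leaks depends on the function's exit path, which is outside the hunk, so it is safer to disassociate before the result is checked, as in the rewrite below. When no apex SOA is found, `ttl` silently keeps the value it was initialised with (its declaration is in neither hunk); a comment on that fall-through such as `/* No apex SOA: keep the default TTL */` would make the choice visibly deliberate. fixup_nsec3param() starts and ends outside both hunks.

```c
	/* Default TTL is SOA MINIMUM */
	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_SUCCESS) {
		result = dns_rdataset_first(&rdataset);
		if (result == ISC_R_SUCCESS) {
			dns_rdataset_current(&rdataset, &rdata);
			result = dns_rdata_tostruct(&rdata, &soa, NULL);
			dns_rdata_reset(&rdata);
		}
		if (result == ISC_R_SUCCESS) {
			ttl = soa.minimum;
		}
		/* Release the SOA rdataset before any early exit. */
		dns_rdataset_disassociate(&rdataset);
		CHECK(result);
	}
	/* … unchanged: NSEC3PARAM lookup … */
```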