Merge branch '2783-in-view-dnssec-policy-deadlock' into 'main'

Fix in-view /w dnssec-policy deadlock at startup

Closes #2783

See merge request isc-projects/bind9!5202

CHANGES

@@ -1,3 +1,8 @@
+5661.	[bug]		A deadlock was introduced when fixing [GL #1875] because
+			when locking the key file mutex for each zone structure
+			that is in a different view, "in-view" logic was not
+			taken into account. This has been fixed. [GL #2783]
+
 5660.	[bug]		Checking of key-directory and dnssec-policy was broken.
 			The checks failed to account for key-directory
 			inheritance. [GL #2778]

bin/tests/system/kasp.sh

@@ -31,6 +31,7 @@ SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
 SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
 VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
 VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
+VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0="
 
 ###############################################################################
 # Key properties                                                              #

bin/tests/system/kasp/ns4/named.conf.in

@@ -45,6 +45,11 @@ key "keyforview2" {
 	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
 
+key "keyforview3" {
+	algorithm "hmac-sha1";
+	secret "C1Azf+gGPMmxrUg/WQINP6eV9Y0=";
+};
+
 dnssec-policy "test" {
 	keys {
 		csk key-directory lifetime 0 algorithm 14;
@@ -152,3 +157,10 @@ view "example2" {
 		file "example2.db";
 	};
 };
+
+view "example3" {
+	match-clients { key "keyforview3"; };
+	zone "example.net" {
+		in-view example2;
+	};
+};

bin/tests/system/kasp/tests.sh

@@ -1829,6 +1829,7 @@ check_apex
 check_subdomain
 dnssec_verify
 
+# Test with views.
 set_zone "example.net"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:keyforview1:$VIEW1"
@@ -1867,6 +1868,23 @@ check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+TSIG="hmac-sha1:keyforview3:$VIEW3"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
+check_apex
+dnssec_verify
+n=$((n+1))
+# check subdomain
+echo_i "check TXT example.net (in-view example2) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Clear TSIG.
 TSIG=""
 

doc/notes/notes-current.rst

@@ -55,3 +55,7 @@ Bug Fixes
 
 - Checking of ``key-directory`` and ``dnssec-policy`` was broken.
   The checks failed to account for key-directory inheritance. :gl:`#2778`
+
+- A deadlock at startup was introduced when fixing :gl:`#1875` because when
+  locking key files for reading and writing, "in-view" logic was not taken into
+  account. This has been fixed. [GL #2783]

lib/dns/zone.c

@@ -6395,6 +6395,17 @@ dns__zone_lockunlock_keyfiles(dns_zone_t *zone, bool lock) {
 		if (ret == ISC_R_SUCCESS) {
 			INSIST(DNS_ZONE_VALID(z));
 
+			/*
+			 * Skip in-view zones, in other words if the view
+			 * pointer is not the same as the zone view pointer:
+			 * 'in-view' zones can be part of another view,
+			 * while they also have their own home view.
+			 */
+			if (v != z->view) {
+				dns_zone_detach(&z);
+				continue;
+			}
+
 			/* WMM check if policy is the same? */
 			if (lock) {
 				LOCK_KEYFILES(z);