diff --git a/CHANGES b/CHANGES
index c701da6e8f..0f7ed65ff9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5661. [bug] A deadlock was introduced when fixing [GL #1875] because
+ when locking the key file mutex for each zone structure
+ that is in a different view, "in-view" logic was not
+ taken into account. This has been fixed. [GL #2783]
+
 5660. [bug] Checking of key-directory and dnssec-policy was broken. The checks failed to account for key-directory inheritance. [GL #2778]
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index d21839a08b..0129374d71 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -31,6 +31,7 @@ SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
 SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
 VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY="
 VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
+VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0="
 ###############################################################################
 # Key properties #
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
index 5743d71ac1..b1f87fdf44 100644
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -45,6 +45,11 @@ key "keyforview2" {
 secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
 };
 
+key "keyforview3" {
+ algorithm "hmac-sha1";
+ secret "C1Azf+gGPMmxrUg/WQINP6eV9Y0=";
+};
+
 dnssec-policy "test" {
 keys {
 csk key-directory lifetime 0 algorithm 14;
@@ -152,3 +157,10 @@ view "example2" {
 file "example2.db";
 };
 };
+
+view "example3" {
+ match-clients { key "keyforview3"; };
+ zone "example.net" {
+ in-view example2;
+ };
+};
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index d970491f2c..aa84ebe43f 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1829,6 +1829,7 @@ check_apex
 check_subdomain
 dnssec_verify
 
+# Test with views.
 set_zone "example.net"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:keyforview1:$VIEW1"
@@ -1867,6 +1868,23 @@ check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+TSIG="hmac-sha1:keyforview3:$VIEW3"
+wait_for_nsec
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
+check_apex
+dnssec_verify
+n=$((n+1))
+# check subdomain
+echo_i "check TXT example.net (in-view example2) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Clear TSIG.
 TSIG=""
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index e872dcb97c..6e46da2b39 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -55,3 +55,7 @@ Bug Fixes
 - Checking of ``key-directory`` and ``dnssec-policy`` was broken. The checks failed to account for key-directory inheritance. :gl:`#2778`
+
+- A deadlock at startup was introduced when fixing :gl:`#1875` because when
+ locking key files for reading and writing, "in-view" logic was not taken into
+ account. This has been fixed. [GL #2783]
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 8497e23c0b..0755baf636 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
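Review bot: The `grep ... TXT.*view2` expectation at the end of the new view3 block is surprising next to a query signed with `keyforview3`, and nothing in the test says why it is correct: the answer carries view2 data because `example.net` in view example3 is declared `in-view example2` in named.conf.in, so the shared zone is served rather than a separate copy. A one-line comment before the dig would spare the next reader that lookup, e.g. `# example.net in view example3 is "in-view example2", so the shared zone's view2 data is expected.` The same reasoning explains why `"example2"` is passed to `check_dnssecstatus` while the query uses the view3 key, and the comment could mention that too.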
@@ -6395,6 +6395,17 @@ dns__zone_lockunlock_keyfiles(dns_zone_t *zone, bool lock) {
 if (ret == ISC_R_SUCCESS) {
 INSIST(DNS_ZONE_VALID(z));
 
+ /*
+ * Skip in-view zones, in other words if the view
+ * pointer is not the same as the zone view pointer:
+ * 'in-view' zones can be part of another view,
+ * while they also have their own home view.
+ */
+ if (v != z->view) {
+ dns_zone_detach(&z);
+ continue;
+ }
+
 /* WMM check if policy is the same? */
 if (lock) {
 LOCK_KEYFILES(z);
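Review bot: The new `if (v != z->view)` guard removes the double (un)lock, but the comment above it explains only what is skipped, not why skipping is safe: as far as the loop structure outside the hunk allows me to tell, the same zone is reached again when the iteration arrives at its home view, where `v == z->view` and the single lock or unlock happens, and that is what keeps the `lock` and `!lock` paths of dns__zone_lockunlock_keyfiles symmetric. Suggest extending the comment with `The zone is still (un)locked exactly once, when the loop reaches its home view (v == z->view).` The check also reads `z->view` without any zone lock, which presumably relies on the view pointer being fixed once the zone is configured; since the bug being fixed is a startup deadlock, it is worth stating that assumption in the same comment. The `dns_zone_detach(&z); continue;` pair balances the reference obtained by the lookup above, which is the right shape; the enclosing function, its loop and the declarations of `v`, `z` and `ret` all lie outside the hunk.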