From fb7b7ac4959be1f8b038a6cb53a8ba823ee7f7da Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 9 Nov 2022 12:12:07 +0000
Subject: [PATCH 1/3] Report the key name that failed in retry_keyfetch
When there are multiple managed trust anchors we need to know the name of the trust anchor that is failing. Extend the error message to include the trust anchor name.
---
lib/dns/zone.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 76f6dc4bc3..951bbfd34c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -10642,6 +10642,11 @@ retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) { isc_time_t timenow, timethen; dns_zone_t *zone = kfetch->zone; bool free_needed;
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(kname, namebuf, sizeof(namebuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Failed to create fetch for %s DNSKEY update", namebuf); /* * Error during a key fetch; cancel and retry in an hour.
@@ -10653,8 +10658,6 @@ retry_keyfetch(dns_keyfetch_t *kfetch, dns_name_t *kname) { dns_rdataset_disassociate(&kfetch->keydataset); dns_name_free(kname, zone->mctx); isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch));
- dnssec_log(zone, ISC_LOG_WARNING,
- "Failed to create fetch for DNSKEY update"); if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { /* Don't really retry if we are exiting */
From 41bdb5b9fe10cae075cb27b417fdb4aa1c1538c4 Mon Sep 17 00:00:00 2001
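Review bot: The new `dns_name_format`/`dnssec_log` pair now sits above the `dns_name_free(kname, zone->mctx)` shown in the second hunk, and that ordering is the whole reason the message moved from after the free to the top of the function; nothing in the code says so, so a later cleanup could push the log back down and read `kname` after it has been released. A one-line comment above the new `dns_name_format` call would pin it: `/* Format and log the anchor name before kname is freed below. */`. `namebuf` is only used by this log call, so it could be declared next to it rather than with the function's other locals, but that is a matter of taste. retry_keyfetch's body runs past both hunks.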
From: Mark Andrews Date: Wed, 9 Nov 2022 16:01:42 +0000 Subject: [PATCH 2/3] Add islands of trust to mkeys test This adds an island of trust that is reachable from the root where the trust anchors are added to island.conf. This adds an island of trust that is not reachable from the root where the trust anchors are added to private.conf. --- bin/tests/system/mkeys/clean.sh | 9 ++++- bin/tests/system/mkeys/ns1/named1.conf.in | 10 +++++ bin/tests/system/mkeys/ns1/named2.conf.in | 10 +++++ bin/tests/system/mkeys/ns1/named3.conf.in | 10 +++++ bin/tests/system/mkeys/ns1/root.db | 3 ++ bin/tests/system/mkeys/ns1/sign.sh | 18 +++++++++ bin/tests/system/mkeys/ns1/sub.tld.db | 21 +++++++++++ bin/tests/system/mkeys/ns1/tld.db | 23 ++++++++++++ bin/tests/system/mkeys/ns4/named.conf.in | 5 +++ bin/tests/system/mkeys/ns4/sign.sh | 24 ++++++++++++ bin/tests/system/mkeys/ns4/sub.foo.db | 21 +++++++++++ bin/tests/system/mkeys/ns5/foo.db | 23 ++++++++++++ bin/tests/system/mkeys/ns5/named.conf.in | 8 ++++ bin/tests/system/mkeys/setup.sh | 1 + bin/tests/system/mkeys/tests.sh | 46 +++++++++++++++++++++-- 15 files changed, 227 insertions(+), 5 deletions(-) create mode 100644 bin/tests/system/mkeys/ns1/sub.tld.db create mode 100644 bin/tests/system/mkeys/ns1/tld.db create mode 100644 bin/tests/system/mkeys/ns4/sign.sh create mode 100644 bin/tests/system/mkeys/ns4/sub.foo.db create mode 100644 bin/tests/system/mkeys/ns5/foo.db diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh index 102cb3710f..3f297a22a2 100644 --- a/bin/tests/system/mkeys/clean.sh +++ b/bin/tests/system/mkeys/clean.sh 
@@ -12,17 +12,22 @@ # information regarding copyright ownership. rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+rm -f */island.conf
+rm -f */private.conf rm -f */managed*.conf ns1/managed.key ns1/managed.key.id rm -f */managed-keys.bind* */named.secroots rm -f */named.conf
-rm -f ns3/broken.conf rm -f */named.memstats */named.run */named.run.prev rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dsset-. ns1/dsset-.
-rm -f ns1/zone.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock
+rm -f ns1/dsset-sub.tld.
+rm -f ns1/dsset-tld. rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/zone.key
+rm -f ns3/broken.conf
+rm -f ns4/dsset-sub.foo. rm -f ns5/named.args rm -f ns7/view1.mkeys ns7/view2.mkeys rm -rf ns4/nope
diff --git a/bin/tests/system/mkeys/ns1/named1.conf.in b/bin/tests/system/mkeys/ns1/named1.conf.in
index a63b54b4d2..0b3f068a27 100644
--- a/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -47,3 +47,13 @@ zone "." { allow-update { any; }; auto-dnssec maintain; };
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named2.conf.in b/bin/tests/system/mkeys/ns1/named2.conf.in
index 729251bb32..4271668ea9 100644
--- a/bin/tests/system/mkeys/ns1/named2.conf.in
+++ b/bin/tests/system/mkeys/ns1/named2.conf.in
@@ -45,3 +45,13 @@ zone "." { type primary; file "root.db.signed"; };
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/named3.conf.in b/bin/tests/system/mkeys/ns1/named3.conf.in
index 0f5d11f110..686177edb0 100644
--- a/bin/tests/system/mkeys/ns1/named3.conf.in
+++ b/bin/tests/system/mkeys/ns1/named3.conf.in
@@ -39,3 +39,13 @@ zone "." { type primary; file "root.db.signed"; };
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
index ae5c1251c4..bc83788672 100644
--- a/bin/tests/system/mkeys/ns1/root.db
+++ b/bin/tests/system/mkeys/ns1/root.db
@@ -23,3 +23,6 @@ a.root-servers.nil. A 10.53.0.1 ; no delegation example. TXT "This is a test."
+
+tld. NS ns.tld.
+ns.tld. A 10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 3fb598ce72..626e18f776 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -13,6 +13,24 @@ . ../../conf.sh
+zone=sub.tld
+zonefile=sub.tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > island.conf
+cp island.conf ../ns5/island.conf
+
+zone=tld
+zonefile=tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
 zone=. zonefile=root.db
diff --git a/bin/tests/system/mkeys/ns1/sub.tld.db b/bin/tests/system/mkeys/ns1/sub.tld.db
new file mode 100644
index 0000000000..35d436112d
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/sub.tld.db
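Review bot: The order of the two new signing blocks in ns1/sign.sh matters and is undocumented: `sub.tld` is signed before `tld` so that the `dsset-sub.tld.` file it leaves behind is present when `tld` is signed with `-g` (and `dsset-tld.` for the root signing that follows below the hunk), which is what links root→tld→sub.tld; clean.sh removing both dsset files in this series is consistent with that reading. A comment above `zone=sub.tld` such as `# sign child zones first: -g builds each parent's DS records from the dsset- files the children produce` would keep a reorder from silently breaking the chain. `zskkeyname` is assigned in both blocks but never read; it exists only for the side effect of creating the ZSK file, which the same comment could mention. The root-zone signing this hunk leads into lies outside the hunk.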
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.tld. IN SOA marka.isc.org. ns.sub.tld. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.tld. NS ns.sub.tld.
+ns.sub.tld. A 10.53.0.1
diff --git a/bin/tests/system/mkeys/ns1/tld.db b/bin/tests/system/mkeys/ns1/tld.db
new file mode 100644
index 0000000000..5c54e0e9db
--- /dev/null
+++ b/bin/tests/system/mkeys/ns1/tld.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+tld. IN SOA marka.isc.org. ns.tld. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+tld. NS ns.tld.
+ns.tld. A 10.53.0.1
+sub.tld. NS ns.sub.tld.
+ns.sub.tld. A 10.53.0.1
diff --git a/bin/tests/system/mkeys/ns4/named.conf.in b/bin/tests/system/mkeys/ns4/named.conf.in
index fc200ce282..5c2370887b 100644
--- a/bin/tests/system/mkeys/ns4/named.conf.in
+++ b/bin/tests/system/mkeys/ns4/named.conf.in
@@ -41,3 +41,8 @@ zone "." { type hint; file "../../common/root.hint"; };
+
+zone "sub.foo" {
+ type primary;
+ file "sub.foo.db.signed";
+};
diff --git a/bin/tests/system/mkeys/ns4/sign.sh b/bin/tests/system/mkeys/ns4/sign.sh
new file mode 100644
index 0000000000..d364e8e363
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sign.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf
diff --git a/bin/tests/system/mkeys/ns4/sub.foo.db b/bin/tests/system/mkeys/ns4/sub.foo.db
new file mode 100644
index 0000000000..7bc31047b6
--- /dev/null
+++ b/bin/tests/system/mkeys/ns4/sub.foo.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/foo.db b/bin/tests/system/mkeys/ns5/foo.db
new file mode 100644
index 0000000000..092a1c3b0e
--- /dev/null
+++ b/bin/tests/system/mkeys/ns5/foo.db
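Review bot: `$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null` in the new ns4/sign.sh opens /dev/null twice where `> /dev/null 2>&1` is the usual form, and because the file runs under `#!/bin/sh -e` a signing failure aborts setup with no message at all; either leave stderr visible or note in a comment that only the exit status is relied on. The script also writes `private.conf` into `../ns5`, so ns5's configuration depends on setup.sh having run this script first; a header comment such as `# signs sub.foo and publishes its trust anchor to ns5/private.conf` would record that cross-directory side effect. As in ns1/sign.sh, `zskkeyname` is assigned but never read.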
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+foo. NS ns.foo.
+ns.foo. A 10.53.0.5
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff --git a/bin/tests/system/mkeys/ns5/named.conf.in b/bin/tests/system/mkeys/ns5/named.conf.in
index 167938c04e..757d61495a 100644
--- a/bin/tests/system/mkeys/ns5/named.conf.in
+++ b/bin/tests/system/mkeys/ns5/named.conf.in
@@ -41,3 +41,11 @@ zone "." { type hint; file "../../common/root.hint"; };
+
+zone "foo" {
+ type primary;
+ file "foo.db";
+};
+
+include "island.conf";
+include "private.conf";
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index 3d4337071b..d1a30a21c9 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -31,6 +31,7 @@ copy_setports ns7/named.conf.in ns7/named.conf cp ns5/named1.args ns5/named.args ( cd ns1 && $SHELL sign.sh )
+( cd ns4 && $SHELL sign.sh ) ( cd ns6 && $SHELL setup.sh ) cp ns2/managed.conf ns2/managed1.conf
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index 295034d2ab..062149602c 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
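Review bot: In the ns5/named.conf.in hunk, `zone "foo"` is served straight from `foo.db` with no signing step for it anywhere in this series, so `sub.foo` can validate only through the anchor in `private.conf`; that is the point of the private island, but the config does not say it, and a future "fix" that signs foo would quietly change what the test proves. Suggest `// foo is deliberately unsigned: sub.foo is only validatable via the private.conf trust anchor` above the zone stanza, and `// island.conf and private.conf are generated by ns1/sign.sh and ns4/sign.sh (see setup.sh)` above the two includes. As far as this diff shows, ns1's root zone gets no delegation for foo, so the foo/sub.foo tree is resolvable here only because ns5 is itself authoritative for foo — worth stating in the same comment.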
@@ -722,7 +722,9 @@ ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns5 nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1 # ns5/named.run will contain logs from both the old instance and the new # instance. In order for the test to pass, both must attempt a fetch. count=$(grep -c "Creating key fetch" ns5/named.run) || true
@@ -730,6 +732,23 @@ count=$(grep -c "Creating key fetch" ns5/named.run) || true if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret))
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# one indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n+1)) echo_i "check key refreshes are resumed after root servers become available ($n)" ret=0
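Review bot: The new root-unreachable check counts one `trusted since` line but never ties it to a name, so it would also pass if `.` or `sub.tld` were marked trusted while `sub.foo` stayed pending — the opposite of what the test is about. Extract the block for `sub.foo` from `rndc.out.$n` and assert that `trusted since` appears there and in no other block; the exact layout of the `rndc managed-keys status` output is not visible here, so anchor on whatever line carries the zone name. The `grep -c "trust"` count of 3 also includes the `trusted since` line, which the comment `# three lines indicating trust status` leaves implicit; `# three trust-status lines (pending or trusted since), one per key` would make the arithmetic obvious.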
@@ -741,7 +760,9 @@ rm -f ns5/managed-keys.bind* cp ns5/named2.args ns5/named.args nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 # ns1 should still REFUSE queries from ns5, so resolving should be impossible
@@ -754,7 +775,9 @@ copy_setports ns1/named3.conf.in ns1/named.conf rm -f ns1/root.db.signed.jnl nextpart ns5/named.run > /dev/null mkeys_reconfig_on 1 || ret=1
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 grep '; managed' ns5/named.secroots > /dev/null || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be
@@ -835,5 +858,22 @@ grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret))
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# theee lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
From 2928f217339c144969eb117ff87a02c69a3e54c6 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 17 Nov 2022 12:18:49 +1100
Subject: [PATCH 3/3] Add CHANGES note for [GL #3662]
---
CHANGES | 3 +++
1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 1cc24da1a8..a7059ae332 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6095. [test] Test various 'islands of trust' configurations when
+ using managed keys. [GL #3662]
+
 6094. [bug] Building against (or running with) libuv versions 1.35.0 and 1.36.0 is now a fatal error. The rules for mixing and matching compile-time and run-time libuv
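Review bot: Typo in the new comment `# theee lines indicating trust status` in the tests.sh hunk, which should read `# three lines indicating trust status`; `# three indicates current trust` also reads better as `# all three indicate current trust`. This check mirrors the root-unreachable one earlier in the file and has the same looseness: it counts `trusted since` lines without tying them to `.`, `sub.tld` and `sub.foo`, so asserting each name's block individually would make it stronger. The CHANGES hunk that follows is a changelog entry and needs nothing.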