mirror of
https://github.com/isc-projects/bind9.git
synced 2026-07-16 18:42:59 -04:00
Merge branch '2498-nsec3-dynamic-update-dnssec-policy-v9_16' into 'v9_16'
Resolve "Regression in BIND 9.16.10, DNSSEC fails due to improper NSEC3 creation witihin named" See merge request isc-projects/bind9!4746
This commit is contained in:
commit
c4c8f78b0a
7 changed files with 88 additions and 6 deletions
4
CHANGES
4
CHANGES
|
|
@ -1,3 +1,7 @@
|
|||
5590. [bug] Process NSEC3PARAM queue when loading a dynamic zone.
|
||||
This will immediately create NSEC3 records for zones
|
||||
that use "dnssec-policy" and "nsec3param". [GL #2498]
|
||||
|
||||
5588. [func] Add "purge-keys" option to "dnssec-policy". This sets
|
||||
the time how long key files should be retained after
|
||||
they have become obsolete. [GL #2408]
|
||||
|
|
|
|||
|
|
@ -56,13 +56,20 @@ zone "nsec-to-nsec3.kasp" {
|
|||
dnssec-policy "nsec";
|
||||
};
|
||||
|
||||
/* This zone uses the default NSEC3 settings. */
|
||||
/* These zones use the default NSEC3 settings. */
|
||||
zone "nsec3.kasp" {
|
||||
type primary;
|
||||
file "nsec3.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
};
|
||||
|
||||
zone "nsec3-dynamic.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* This zone uses non-default NSEC3 settings. */
|
||||
zone "nsec3-other.kasp" {
|
||||
type primary;
|
||||
|
|
@ -70,13 +77,20 @@ zone "nsec3-other.kasp" {
|
|||
dnssec-policy "nsec3-other";
|
||||
};
|
||||
|
||||
/* The zone will be reconfigured to use other NSEC3 settings. */
|
||||
/* These zones will be reconfigured to use other NSEC3 settings. */
|
||||
zone "nsec3-change.kasp" {
|
||||
type primary;
|
||||
file "nsec3-change.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
};
|
||||
|
||||
zone "nsec3-dynamic-change.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic-change.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* The zone will be reconfigured to use opt-out. */
|
||||
zone "nsec3-to-optout.kasp" {
|
||||
type primary;
|
||||
|
|
|
|||
|
|
@ -57,13 +57,20 @@ zone "nsec-to-nsec3.kasp" {
|
|||
dnssec-policy "nsec3";
|
||||
};
|
||||
|
||||
/* This zone uses the default NSEC3 settings. */
|
||||
/* These zones use the default NSEC3 settings. */
|
||||
zone "nsec3.kasp" {
|
||||
type primary;
|
||||
file "nsec3.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
};
|
||||
|
||||
zone "nsec3-dynamic.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic.kasp.db";
|
||||
dnssec-policy "nsec3";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* This zone uses non-default NSEC3 settings. */
|
||||
zone "nsec3-other.kasp" {
|
||||
type primary;
|
||||
|
|
@ -71,7 +78,7 @@ zone "nsec3-other.kasp" {
|
|||
dnssec-policy "nsec3-other";
|
||||
};
|
||||
|
||||
/* The zone will be reconfigured to use other NSEC3 settings. */
|
||||
/* These zone will be reconfigured to use other NSEC3 settings. */
|
||||
zone "nsec3-change.kasp" {
|
||||
type primary;
|
||||
file "nsec3-change.kasp.db";
|
||||
|
|
@ -79,6 +86,14 @@ zone "nsec3-change.kasp" {
|
|||
dnssec-policy "nsec3-other";
|
||||
};
|
||||
|
||||
zone "nsec3-dynamic-change.kasp" {
|
||||
type primary;
|
||||
file "nsec3-dynamic-change.kasp.db";
|
||||
//dnssec-policy "nsec3";
|
||||
dnssec-policy "nsec3-other";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
/* The zone will be reconfigured to use opt-out. */
|
||||
zone "nsec3-to-optout.kasp" {
|
||||
type primary;
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ setup() {
|
|||
}
|
||||
|
||||
for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
|
||||
nsec3-to-optout nsec3-from-optout
|
||||
nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change
|
||||
do
|
||||
setup "${zn}.kasp"
|
||||
done
|
||||
|
|
|
|||
|
|
@ -175,12 +175,25 @@ echo_i "initial check zone ${ZONE}"
|
|||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-dynamic.kasp.
|
||||
set_zone_policy "nsec3-dynamic.kasp" "nsec3"
|
||||
set_nsec3param "0" "5" "8"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-change.kasp.
|
||||
set_zone_policy "nsec3-change.kasp" "nsec3"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-dynamic-change.kasp.
|
||||
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-to-nsec.kasp.
|
||||
set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
|
||||
echo_i "initial check zone ${ZONE}"
|
||||
|
|
@ -227,6 +240,12 @@ echo_i "check zone ${ZONE} after reconfig"
|
|||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-dyamic.kasp. (same)
|
||||
set_zone_policy "nsec3-dynamic.kasp" "nsec3"
|
||||
echo_i "check zone ${ZONE} after reconfig"
|
||||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-change.kasp. (reconfigured)
|
||||
set_zone_policy "nsec3-change.kasp" "nsec3-other"
|
||||
set_nsec3param "1" "11" "0"
|
||||
|
|
@ -234,6 +253,13 @@ echo_i "check zone ${ZONE} after reconfig"
|
|||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-dynamic-change.kasp. (reconfigured)
|
||||
set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
|
||||
set_nsec3param "1" "11" "0"
|
||||
echo_i "check zone ${ZONE} after reconfig"
|
||||
check_nsec3
|
||||
dnssec_verify
|
||||
|
||||
# Zone: nsec3-to-nsec.kasp. (reconfigured)
|
||||
set_zone_policy "nsec3-to-nsec.kasp" "nsec"
|
||||
echo_i "check zone ${ZONE} after reconfig"
|
||||
|
|
|
|||
|
|
@ -54,5 +54,8 @@ Bug Fixes
|
|||
UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
|
||||
[GL #2487]
|
||||
|
||||
- NSEC3 records were not immediately created when signing a dynamic zone with
|
||||
``dnssec-policy`` and ``nsec3param``. This has been fixed [GL #2498].
|
||||
|
||||
- An invalid direction field (not one of 'N'/'S' or 'E'/'W') in a LOC record
|
||||
triggered an INSIST failure. [GL #2499]
|
||||
|
|
|
|||
|
|
@ -4834,12 +4834,32 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
|
|||
"could not find NS and/or SOA records");
|
||||
}
|
||||
|
||||
/*
|
||||
* Process any queued NSEC3PARAM change requests. Only for dynamic
|
||||
* zones, an inline-signing zone will perform this action when
|
||||
* receiving the secure db (receive_secure_db).
|
||||
*/
|
||||
is_dynamic = dns_zone_isdynamic(zone, true);
|
||||
if (is_dynamic) {
|
||||
isc_event_t *setnsec3param_event;
|
||||
dns_zone_t *dummy;
|
||||
|
||||
while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
|
||||
setnsec3param_event =
|
||||
ISC_LIST_HEAD(zone->setnsec3param_queue);
|
||||
ISC_LIST_UNLINK(zone->setnsec3param_queue,
|
||||
setnsec3param_event, ev_link);
|
||||
dummy = NULL;
|
||||
zone_iattach(zone, &dummy);
|
||||
isc_task_send(zone->task, &setnsec3param_event);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Check to make sure the journal is up to date, and remove the
|
||||
* journal file if it isn't, as we wouldn't be able to apply
|
||||
* updates otherwise.
|
||||
*/
|
||||
is_dynamic = dns_zone_isdynamic(zone, true);
|
||||
if (zone->journal != NULL && is_dynamic &&
|
||||
!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue