From e5c276b36b0ecc9f6da2dc85ecb5cf1bab550279 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 4 Sep 2013 13:45:00 +1000 Subject: [PATCH] 3641. [bug] Handle changes to sig-validity-interval settings better. [RT #34625] (cherry picked from commit b5f4cc132e91afb1217f4aa79424793c0e11c09a) --- CHANGES | 3 +++ bin/named/update.c | 1 - bin/tests/system/dnssec/clean.sh | 4 +++ bin/tests/system/dnssec/ns3/named.conf | 2 ++ .../dnssec/ns3/siginterval.example.db.in | 26 ++++++++++++++++++ bin/tests/system/dnssec/ns3/siginterval1.conf | 7 +++++ bin/tests/system/dnssec/ns3/siginterval2.conf | 7 +++++ bin/tests/system/dnssec/ns3/sign.sh | 10 +++++++ bin/tests/system/dnssec/setup.sh | 1 + bin/tests/system/dnssec/tests.sh | 14 ++++++++++ lib/dns/diff.c | 9 ------- lib/dns/journal.c | 1 - lib/dns/nsec3.c | 1 - lib/dns/update.c | 2 -- lib/dns/zone.c | 27 +++++++++---------- 15 files changed, 86 insertions(+), 29 deletions(-) create mode 100644 bin/tests/system/dnssec/ns3/siginterval.example.db.in create mode 100644 bin/tests/system/dnssec/ns3/siginterval1.conf create mode 100644 bin/tests/system/dnssec/ns3/siginterval2.conf diff --git a/CHANGES b/CHANGES index 469f8e4ef4..45e618cd25 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,9 @@ 3646. [bug] Journal filename string could be set incorrectly, causing garbage in log messages. [RT #34738] +3641. [bug] Handle changes to sig-validity-interval settings + better. [RT #34625] + 3640. [bug] ndots was not being checked when searching. Only continue searching on NXDOMAIN responses. Add the ability to specify ndots to nslookup. [RT #34711] diff --git a/bin/named/update.c b/bin/named/update.c index 2263382ea5..f3ad838785 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -404,7 +404,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, * Create a singleton diff. */ dns_diff_init(diff->mctx, &temp_diff); - temp_diff.resign = diff->resign; ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); /* 
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 0f333409b3..d4b5c5f54c 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -63,9 +63,13 @@ rm -f signer/nsec3param.out rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed rm -f ns3/ttlpatch.example.db.patched rm -f ns3/split-smart.example.db +rm -f ns3/siginterval.example.db rm -f ns3/inline.example.db.signed rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower rm -f ns6/optout-tld.db rm -f nosign.before rm -f signing.out* rm -f canonical?.* +rm -f ns1/resolve.key +rm -f ns3/siginterval.conf +rm -f ns4/named_dump.db diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index c67a83e26b..9e22504bbc 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -270,4 +270,6 @@ zone "publish-inactive.example" { update-policy local; }; +include "siginterval.conf"; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/siginterval.example.db.in b/bin/tests/system/dnssec/ns3/siginterval.example.db.in new file mode 100644 index 0000000000..52202fb31b --- /dev/null +++ b/bin/tests/system/dnssec/ns3/siginterval.example.db.in 
@@ -0,0 +1,26 @@
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2012042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns
+ns A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf
new file mode 100644
index 0000000000..45d449db76
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval1.conf
@@ -0,0 +1,7 @@
+zone "siginterval.example" {
+ type master;
+ allow-update { any; };
+ sig-validity-interval 1 23;
+ auto-dnssec maintain;
+ file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf
new file mode 100644
index 0000000000..996aa62403
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/siginterval2.conf
@@ -0,0 +1,7 @@
+zone "siginterval.example" {
+ type master;
+ allow-update { any; };
+ sig-validity-interval 35 28;
+ auto-dnssec maintain;
+ file "siginterval.example.db";
+};
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 24b0fed7dd..d5ec859519 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -451,3 +451,13 @@ kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone` zskname=`$KEYGEN -q -r $RANDFILE $zone` cp $infile $zonefile $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 + +# +# A zone which will change its sig-validity-interval +# +zone=siginterval.example +infile=siginterval.example.db.in +zonefile=siginterval.example.db +kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone` +zskname=`$KEYGEN -q -3 -r $RANDFILE $zone` +cp $infile $zonefile diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh index 424792966a..5d4ed600fe 100644 --- a/bin/tests/system/dnssec/setup.sh +++ b/bin/tests/system/dnssec/setup.sh @@ -25,6 +25,7 @@ cd ns1 && sh sign.sh echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed +cd ../ns3 && cp -f siginterval1.conf siginterval.conf cd ../ns4 && cp -f named1.conf named.conf cd ../ns5 && cp -f trusted.conf.bad trusted.conf diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index a88c8d3f42..b9408b0fc9 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -2291,5 +2291,19 @@ test $sigs -eq 2 || ret=1 if test $ret != 0 ; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that increasing the sig-validity-interval resigning triggers re-signing" +before=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA` +cp ns3/siginterval2.conf ns3/siginterval.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /' +for i in 1 2 3 4 5 6 7 8 9 0 +do +after=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA` +test "$before" != "$after" && break +sleep 1 +done +n=`expr $n + 1` +if test "$before" = "$after" ; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/diff.c b/lib/dns/diff.c index ff60d462f3..20f8e3c068 100644 --- a/lib/dns/diff.c +++ b/lib/dns/diff.c @@ -379,15 +379,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, diff->resign); dns_db_setsigningtime(db, modified, resign); - if (diff->resign == 0 && - (op == DNS_DIFFOP_ADDRESIGN || - op == DNS_DIFFOP_DELRESIGN)) - isc_log_write( - DIFF_COMMON_LOGARGS, - ISC_LOG_WARNING, - "resign requested " - "with 0 resign " - "interval"); } } else if (result == DNS_R_UNCHANGED) { /* diff --git a/lib/dns/journal.c b/lib/dns/journal.c index 55b3918ddc..00ea3fa440 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -1282,7 +1282,6 @@ roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options, REQUIRE(DNS_DB_VALID(db)); dns_diff_init(j->mctx, &diff); - diff.resign = resign; /* * Set up empty initial buffers for unchecked and checked diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 935f515d23..c5db9957d1 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -300,7 +300,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, * Create a singleton diff. */ dns_diff_init(diff->mctx, &temp_diff); - temp_diff.resign = diff->resign; ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); /* 
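Review bot: The new check at the bottom of tests.sh cannot fail the run: `ret` is neither reset before `before=` nor set when the SOA RRSIG is unchanged, so the final `status=`expr $status + $ret`` just re-adds whatever the preceding test left in `ret`. Add `ret=0` before `before=`, make the failure branch `if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi`, and since `n` is incremented here include `($n)` in the I: line, which is presumably what that counter is for. The echo text also reads oddly; `I:check that changing sig-validity-interval triggers re-signing ($n)` says what the loop actually verifies, namely that the SOA RRSIG differs after the reconfig.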
diff --git a/lib/dns/update.c b/lib/dns/update.c index 713fa87f97..e727c347ce 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -232,7 +232,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, * Create a singleton diff. */ dns_diff_init(diff->mctx, &temp_diff); - temp_diff.resign = diff->resign; ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); /* @@ -1356,7 +1355,6 @@ dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_diff_init(diff->mctx, &affected); dns_diff_init(diff->mctx, &sig_diff); - sig_diff.resign = dns_zone_getsigresigninginterval(zone); dns_diff_init(diff->mctx, &nsec_diff); dns_diff_init(diff->mctx, &nsec_mindiff); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index d17ae680c7..c548363dd3 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -1889,8 +1889,7 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) { result = dns_master_loadfileinc3(load->zone->masterfile, dns_db_origin(load->db), dns_db_origin(load->db), - load->zone->rdclass, options, - load->zone->sigresigninginterval, + load->zone->rdclass, options, 0, &load->callbacks, task, zone_loaddone, load, &load->zone->lctx, load->zone->mctx, @@ -2056,8 +2055,7 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) { } result = dns_master_loadfile3(zone->masterfile, &zone->origin, &zone->origin, - zone->rdclass, options, - zone->sigresigninginterval, + zone->rdclass, options, 0, &callbacks, zone->mctx, zone->masterformat); tresult = dns_db_endload(db, &callbacks.add_private); @@ -3045,7 +3043,8 @@ set_resigntime(dns_zone_t *zone) { isc_time_settoepoch(&zone->resigntime); goto cleanup; } - resign = rdataset.resign; + + resign = rdataset.resign - zone->sigresigninginterval; dns_rdataset_disassociate(&rdataset); isc_random_get(&nanosecs); nanosecs %= 1000000000; 
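Review bot: `resign = rdataset.resign - zone->sigresigninginterval;` in set_resigntime is the pivot of this change and carries no comment: every assignment of `diff.resign`/`_sig_diff.resign` is removed and the loaders and journal roll-forward now receive 0, so as far as the patch shows the database keeps the undiminished signature time and the zone's current interval is subtracted only when it is read, which is what lets a reconfigured sig-validity-interval take effect. Say so above the line: `/* The DB keeps the RRSIG's own time; subtract the zone's current resigning interval on read so a reconfigured sig-validity-interval takes effect without re-signing. */`. Both operands are unsigned, so the comment should also state that the stored value is an absolute timestamp never smaller than the interval; a wrap here would yield a far-future resign time and the zone would silently stop re-signing. set_resigntime starts before this hunk.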
@@ -3450,7 +3449,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, * Create a singleton diff. */ dns_diff_init(diff->mctx, &temp_diff); - temp_diff.resign = diff->resign; ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); /* @@ -3918,8 +3916,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, else options = 0; result = dns_journal_rollforward2(zone->mctx, db, options, - zone->sigresigninginterval, - zone->journal); + 0, zone->journal); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND && result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL && result != ISC_R_RANGE) { @@ -4246,7 +4243,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, dns_zone_log(zone, ISC_LOG_DEBUG(3), "next resign: %s/%s in %d seconds", namebuf, typebuf, - next.resign - timenow); + next.resign - timenow - + zone->sigresigninginterval); dns_rdataset_disassociate(&next); } else dns_zone_log(zone, ISC_LOG_WARNING, @@ -5468,6 +5466,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, result = offline(db, ver, zonediff, name, rdataset.ttl, &rdata); + changed = ISC_TRUE; break; } result = update_one_rr(db, ver, zonediff->diff, @@ -5636,7 +5635,6 @@ zone_resigninc(dns_zone_t *zone) { dns_rdataset_init(&rdataset); dns_fixedname_init(&fixed); dns_diff_init(zone->mctx, &_sig_diff); - _sig_diff.resign = zone->sigresigninginterval; zonediff_init(&zonediff, &_sig_diff); /* @@ -5696,7 +5694,7 @@ zone_resigninc(dns_zone_t *zone) { i = 0; while (result == ISC_R_SUCCESS) { - resign = rdataset.resign; + resign = rdataset.resign - zone->sigresigninginterval; covers = rdataset.covers; dns_rdataset_disassociate(&rdataset); @@ -6565,7 +6563,6 @@ zone_nsec3chain(dns_zone_t *zone) { dns_diff_init(zone->mctx, &nsec3_diff); dns_diff_init(zone->mctx, &nsec_diff); dns_diff_init(zone->mctx, &_sig_diff); - _sig_diff.resign = zone->sigresigninginterval; zonediff_init(&zonediff, &_sig_diff); ISC_LIST_INIT(cleanup); 
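Review bot: `rdataset.resign - zone->sigresigninginterval` is now hand-copied into zone_resigninc and set_resigntime, with a third variant (`next.resign - timenow - zone->sigresigninginterval`) in the zone_postload debug log, so the unsigned subtraction that decides when a zone is re-signed lives in three places. A small helper near set_resigntime, `static isc_stdtime_t resign_time(dns_zone_t *zone, isc_stdtime_t stored) { return (stored - zone->sigresigninginterval); }`, keeps them in step and gives one place to document that `stored` is an absolute signature time. In the zone_postload hunk the bare `0` handed to dns_journal_rollforward2 also wants a word, e.g. `0 /* resign: unused, see roll_forward() */`, since the journal.c part of this patch removes the only use of that argument visible here. zone_resigninc's while loop continues past the end of the hunk.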
@@ -7411,7 +7408,6 @@ zone_sign(dns_zone_t *zone) { dns_fixedname_init(&nextfixed); nextname = dns_fixedname_name(&nextfixed); dns_diff_init(zone->mctx, &_sig_diff); - _sig_diff.resign = zone->sigresigninginterval; dns_diff_init(zone->mctx, &post_diff); zonediff_init(&zonediff, &_sig_diff); ISC_LIST_INIT(cleanup); @@ -8178,7 +8174,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { INSIST(result == ISC_R_SUCCESS); dns_diff_init(mctx, &diff); - diff.resign = zone->sigresigninginterval; CHECK(dns_db_newversion(kfetch->db, &ver)); @@ -13693,7 +13688,10 @@ void dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) { REQUIRE(DNS_ZONE_VALID(zone)); + LOCK_ZONE(zone); zone->sigresigninginterval = interval; + set_resigntime(zone); + UNLOCK_ZONE(zone); } isc_uint32_t @@ -15966,7 +15964,6 @@ zone_rekey(dns_zone_t *zone) { mctx = zone->mctx; dns_diff_init(mctx, &diff); dns_diff_init(mctx, &_sig_diff); - _sig_diff.resign = zone->sigresigninginterval; zonediff_init(&zonediff, &_sig_diff); CHECK(dns_zone_getdb(zone, &db));
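Review bot: dns_zone_setsigresigninginterval now recomputes zone->resigntime under the zone lock, but nothing re-arms the zone timer, so when the interval changes on a running zone (the rndc reconfig path the new system test exercises, if that is how it reaches this setter) the fresh resign time is only honoured the next time something else reschedules the timer, and the test's 10-second poll may be passing on an unrelated timer event rather than on this change. Re-arm the timer right after set_resigntime, guarded on `zone->task != NULL` because this setter also runs during initial zone configuration before the zone has a task to schedule on. If I have the helpers right, TIME_NOW and zone_settimer are the pair zone.c uses elsewhere to move a zone timer.
```c
void
dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
	isc_time_t now;

	/* … unchanged: REQUIRE, LOCK_ZONE, store interval, set_resigntime … */
	/* Wake the zone timer so the new resign time is honoured now. */
	if (zone->task != NULL) {
		TIME_NOW(&now);
		zone_settimer(zone, &now);
	}
	UNLOCK_ZONE(zone);
}
```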