diff --git a/CHANGES b/CHANGES
index ccb3131258..6afcc66316 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5983. [bug] Changing just the TSIG key names for primaries in
+ catalog zones' member zones was not effective.
+ [GL #3557]
+
 5982. [func] Extend dig to allow requests to be signed using SIG(0) as well as providing a mechanism to specify the signing time. [GL !5923]
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index e1ec120d60..57f445d9d3 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -125,3 +125,8 @@ key tsig_key. {
 secret "LSAnCU+Z";
 algorithm @DEFAULT_HMAC@;
 };
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index 002b22cefe..b60d9b515f 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -177,3 +177,8 @@ key tsig_key. {
 secret "LSAnCU+Z";
 algorithm @DEFAULT_HMAC@;
 };
+
+key next_key. {
+ secret "LaAnCU+Z";
+ algorithm @DEFAULT_HMAC@;
+};
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index c6b1eb7746..f359e3aa53 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -1229,6 +1229,56 @@
 wait_for_soa @10.53.0.2 dom9.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+n=$((n+1))
+echo_i "change TSIG key name on primary ($n)"
+ret=0
+rndccmd 10.53.0.1 modzone dom9.example. in default '{type primary; notify yes; file "dom9.example.db"; allow-transfer { key next_key; }; };' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update TSIG key name in catalog zone ($n)"
+ret=0
+$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
+ server 10.53.0.1 ${PORT}
+ update del label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+ update add label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key"
+ send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "update zone contents and reload ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 2 3600 3600 3600 3600" > ns1/dom9.example.db
+echo "@ IN NS ns2" >> ns1/dom9.example.db
+echo "ns2 IN A 10.53.0.2" >> ns1/dom9.example.db
+rndccmd 10.53.0.1 reload dom9.example. || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for primary to update zone ($n)"
+ret=0
+wait_for_a @10.53.0.1 ns2.dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "wait for secondary to update zone ($n)"
+ret=0
+wait_for_a @10.53.0.2 ns2.dom9.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n+1))
 echo_i "deleting domain dom9.example. from catalog1 zone ($n)"
 ret=0
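Review bot: The `wait_for_message ns2/named.run "catz: modifying zone 'dom9.example' from catalog 'catalog1.example'"` step can be satisfied by a line logged by an earlier test in the same run if dom9.example was already modified once before, since it appears to search the whole log rather than only lines written after the nsupdate; the step would then pass without proving the key-name change was propagated. If wait_for_message has no offset tracking, recording the line count of ns2/named.run before the nsupdate and waiting for a new occurrence after that point would tie the check to this step. The end-to-end check is still sound: the primary now only allows `allow-transfer { key next_key; }`, so the later `wait_for_a @10.53.0.2 ns2.dom9.example.` can only succeed if the secondary transferred with next_key, which is what catches the regression. The wait step is just less precise than its label suggests.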
@@ -1236,7 +1286,7 @@ $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 update delete f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN PTR dom9.example.
 update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN A 10.53.0.1
- update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "tsig_key"
+ update delete label1.primaries.ext.f0f989bc71c5c8ca3a1eb9c9ab5246521907e3af.zones.catalog1.example. 3600 IN TXT "next_key"
 send
 END
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 3385bdd975..367d5b3e8c 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -73,3 +73,7 @@ Bug Fixes
 - :iscman:`named` could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. :gl:`#1967`
+
+- Changing just the TSIG key names for primaries in catalog zones' member
+ zones was not effective. :gl:`#3557`
+
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 203327624b..5c12874983 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -365,6 +365,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
 return (false);
 }
 
+ for (size_t i = 0; i < eb->opts.masters.count; i++) {
+ if ((ea->opts.masters.keys[i] == NULL) !=
+ (eb->opts.masters.keys[i] == NULL)) {
+ return (false);
+ }
+ if (ea->opts.masters.keys[i] == NULL) {
+ continue;
+ }
+ if (!dns_name_equal(ea->opts.masters.keys[i],
+ eb->opts.masters.keys[i])) {
+ return (false);
+ }
+ }
+
 /* If one is NULL and the other isn't, the entries don't match */
 if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) {
 return (false);
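Review bot: The new key loop in dns_catz_entry_cmp is bounded by `eb->opts.masters.count` but also indexes `ea->opts.masters.keys[i]`, so it is in bounds only if the two counts were already compared equal above this hunk; the loop whose closing brace is the first context line presumably does that, but it is outside the hunk and the dependency is invisible at the new code. A one-line comment above the `for` would pin it: `/* masters.count was compared above, so i is valid for both key arrays */`. The loop likewise assumes both `keys` arrays are non-NULL whenever count > 0, which is worth stating the same way if that is an ipkeylist invariant rather than something this function checks. The comparison now covers addresses and key names only, so a change to any other per-primary attribute in opts.masters (the TODO kept in the next hunk still names dscps) would reproduce the reported symptom of an edit that is silently not applied. dns_catz_entry_cmp begins and ends outside this hunk.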
@@ -393,7 +407,7 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
 }
 }
 
- /* xxxwpk TODO compare dscps/keys! */
+ /* xxxwpk TODO compare dscps! */
 
 return (true);
 }