From 45d4d62a0c968db1e7aee68087e1033b1d59d126 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sun, 29 Oct 2017 16:42:14 -0700 Subject: [PATCH 1/5] [master] copyrights --- bin/tests/system/checkconf/tests.sh | 2 +- util/copyrights | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index ebb64fa568..b6bb12a9c6 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -1,4 +1,4 @@ -# Copyright (C) 2005, 2007, 2010-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2005, 2007, 2010-2017 Internet Systems Consortium, Inc. ("ISC") # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this diff --git a/util/copyrights b/util/copyrights index f8d09b5e76..c804afa800 100644 --- a/util/copyrights +++ b/util/copyrights @@ -832,8 +832,6 @@ ./bin/tests/system/checkconf/bad-acl.conf CONF-C 2016 ./bin/tests/system/checkconf/bad-also-notify.conf CONF-C 2012,2013,2016 ./bin/tests/system/checkconf/bad-catz-zone.conf CONF-C 2016 -./bin/tests/system/checkconf/bad-dlv-auto.conf CONF-C 2017 -./bin/tests/system/checkconf/bad-dlv-dlv.isc.org.conf CONF-C 2017 ./bin/tests/system/checkconf/bad-dnssec.conf CONF-C 2012,2013,2016 ./bin/tests/system/checkconf/bad-glue-cache-bogus.conf CONF-C 2017 ./bin/tests/system/checkconf/bad-hint.conf CONF-C 2014,2016 @@ -917,6 +915,8 @@ ./bin/tests/system/checkconf/view-class-any2.conf CONF-C 2016 ./bin/tests/system/checkconf/view-class-in1.conf CONF-C 2016 ./bin/tests/system/checkconf/view-class-in2.conf CONF-C 2016 +./bin/tests/system/checkconf/warn-dlv-auto.conf CONF-C 2017 +./bin/tests/system/checkconf/warn-dlv-dlv.isc.org.conf CONF-C 2017 ./bin/tests/system/checkconf/warn-keydir.conf CONF-C 2013,2016 ./bin/tests/system/checkds/clean.sh SH 2012,2013,2014,2016,2017 ./bin/tests/system/checkds/dig.bat BAT 2016 
@@ -1423,7 +1423,6 @@ ./bin/tests/system/filter-aaaa/ns4/signed.db.in ZONE 2010,2012,2016,2017 ./bin/tests/system/filter-aaaa/ns4/signed.db.presigned X 2014 ./bin/tests/system/filter-aaaa/ns4/unsigned.db ZONE 2010,2012,2016,2017 -./bin/tests/system/filter-aaaa/prereq.sh SH 2010,2012,2014,2016 ./bin/tests/system/filter-aaaa/setup.sh SH 2010,2012,2014,2016,2017 ./bin/tests/system/filter-aaaa/tests.sh SH 2010,2012,2015,2016 ./bin/tests/system/formerr/clean.sh SH 2013,2014,2015,2016 From 4ae8f2871153884b0d92b7374ab1e06c55212c48 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Mon, 30 Oct 2017 01:08:21 +0000 Subject: [PATCH 2/5] regen master --- doc/arm/Bv9ARM.ch09.html | 16 ++++++++-------- doc/arm/notes.html | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a4e7f7c52d..66bb8a59ed 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -515,15 +515,15 @@
  • - The ISC DNSSEC Lookaside Validation (DLV) service has been shut - down; all DLV records in the dlv.isc.org zone have been removed. - References to the service have been removed from BIND documentation. - Lookaside validation is no longer used by default by - delv. The DLV key has been removed from - bind.keys. Setting - dnssec-lookaside to + The ISC DNSSEC Lookaside Validation (DLV) service has + been shut down; all DLV records in the dlv.isc.org zone + have been removed. References to the service have been + removed from BIND documentation. Lookaside validation + is no longer used by default by delv. + The DLV key has been removed from bind.keys. + Setting dnssec-lookaside to auto or to use dlv.isc.org as a trust - anchor is now a fatal configuration error. [RT #46155] + anchor results in a warning being issued.

  • diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 4e0e53c3ca..85c87c98b1 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -475,15 +475,15 @@
    • - The ISC DNSSEC Lookaside Validation (DLV) service has been shut - down; all DLV records in the dlv.isc.org zone have been removed. - References to the service have been removed from BIND documentation. - Lookaside validation is no longer used by default by - delv. The DLV key has been removed from - bind.keys. Setting - dnssec-lookaside to + The ISC DNSSEC Lookaside Validation (DLV) service has + been shut down; all DLV records in the dlv.isc.org zone + have been removed. References to the service have been + removed from BIND documentation. Lookaside validation + is no longer used by default by delv. + The DLV key has been removed from bind.keys. + Setting dnssec-lookaside to auto or to use dlv.isc.org as a trust - anchor is now a fatal configuration error. [RT #46155] + anchor results in a warning being issued.

    • From facf8118474f19a383e76154ef318beb6814e6e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 30 Oct 2017 08:30:54 +0100 Subject: [PATCH 3/5] [master] Refactor mkeys system test 4802. [test] Refactor mkeys system test to make it quicker and more reliable. [RT #45293] --- CHANGES | 3 + bin/tests/system/conf.sh.in | 13 + bin/tests/system/mkeys/clean.sh | 2 +- bin/tests/system/mkeys/ns1/root.db | 2 +- bin/tests/system/mkeys/ns2/named.args | 2 +- bin/tests/system/mkeys/ns3/named.args | 2 +- bin/tests/system/mkeys/ns3/named.conf | 1 + bin/tests/system/mkeys/tests.sh | 338 +++++++++++++++++--------- bin/tests/system/sfcache/tests.sh | 9 - 9 files changed, 250 insertions(+), 122 deletions(-) diff --git a/CHANGES b/CHANGES index 0ffb200288..89ca7e3847 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4802. [test] Refactor mkeys system test to make it quicker and more + reliable. [RT #45293] + 4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside . trust-anchor dlv.isc.org;' now elicit warnings rather than being fatal configuration errors. [RT #46410] diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 752497a738..ecccbe43c1 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -186,6 +186,19 @@ else } fi +# +# Useful functions in test scripts +# + +# nextpart: read everything that's been appended to a file since the +# last time 'nextpart' was called. +nextpart () { + [ -f $1.prev ] || echo "0" > $1.prev + prev=`cat $1.prev` + awk "FNR > $prev "'{ print } + END { print NR > "/dev/stderr" }' $1 2> $1.prev +} + # # Export command paths # diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh index 609da5e49b..e4fc738039 100644 --- a/bin/tests/system/mkeys/clean.sh +++ b/bin/tests/system/mkeys/clean.sh 
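Review bot: In the `nextpart` helper added to conf.sh.in, `$1` is expanded unquoted in the `[ -f ... ]` test, the redirections and the awk file argument, and `$prev` (read back from the `.prev` state file) is spliced directly into the awk program text. A path containing whitespace, or a state file that is empty or holds anything other than a number, would change what awk parses rather than just the offset. Passing the offset as data keeps the program fixed: `awk -v prev="$prev" 'FNR > prev { print } END { print NR > "/dev/stderr" }' "$1" 2> "$1.prev"`. Because stderr doubles as the channel for the new line count, any awk diagnostic (for example when the log file does not exist yet) presumably ends up in `$1.prev` as well and becomes the next offset; a comment above the function saying so would help.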
@@ -11,7 +11,7 @@ rm -f dsset-. ns1/dsset-. rm -f ns*/named.lock rm -f */managed-keys.bind* */named.secroots rm -f */managed*.conf ns1/managed.key ns1/managed.key.id -rm -f */named.memstats */named.run +rm -f */named.memstats */named.run */named.run.prev rm -f dig.out* delv.out* rndc.out* signer.out* rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp rm -f ns1/named.conf diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db index 3a52276610..1d12a834f1 100644 --- a/bin/tests/system/mkeys/ns1/root.db +++ b/bin/tests/system/mkeys/ns1/root.db @@ -4,7 +4,7 @@ ; License, v. 2.0. If a copy of the MPL was not distributed with this ; file, You can obtain one at http://mozilla.org/MPL/2.0/. -$TTL 2 +$TTL 20 . IN SOA gson.nominum.com. a.root.servers.nil. ( 2000042100 ; serial 600 ; refresh diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args index 71e466df40..5c5a6b2521 100644 --- a/bin/tests/system/mkeys/ns2/named.args +++ b/bin/tests/system/mkeys/ns2/named.args @@ -1 +1 @@ --m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1 +-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 -T tat=1 diff --git a/bin/tests/system/mkeys/ns3/named.args b/bin/tests/system/mkeys/ns3/named.args index 71e466df40..02f8f670f6 100644 --- a/bin/tests/system/mkeys/ns3/named.args +++ b/bin/tests/system/mkeys/ns3/named.args @@ -1 +1 @@ --m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1 +-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20 diff --git a/bin/tests/system/mkeys/ns3/named.conf b/bin/tests/system/mkeys/ns3/named.conf index 9133fce6ee..d6d033900e 100644 --- a/bin/tests/system/mkeys/ns3/named.conf +++ b/bin/tests/system/mkeys/ns3/named.conf 
@@ -23,6 +23,7 @@ options { dnssec-enable yes; dnssec-validation yes; bindkeys-file "managed.conf"; + trust-anchor-telemetry no; }; key rndc_key { diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index 5a3d7a2e96..336c4fce3d 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh 
@@ -9,6 +9,78 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh +wait_for_log() { + msg=$1 + file=$2 + for i in 1 2 3 4 5 6 7 8 9 10; do + nextpart "$file" | grep "$msg" > /dev/null && return + sleep 1 + done + echo "I: exceeded time limit waiting for '$msg' in $file" + ret=1 +} + +mkeys_reconfig_on() { + nsidx=$1 + nextpart ns${nsidx}/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 reconfig . | sed "s/^/I: ns${nsidx} /" + wait_for_log "running" ns${nsidx}/named.run +} + +mkeys_reload_on() { + nsidx=$1 + nextpart ns${nsidx}/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 reload . | sed "s/^/I: ns${nsidx} /" + wait_for_log "loaded serial" ns${nsidx}/named.run +} + +mkeys_loadkeys_on() { + nsidx=$1 + nextpart ns${nsidx}/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 loadkeys . | sed "s/^/I: ns${nsidx} /" + wait_for_log "next key event" ns${nsidx}/named.run +} + +mkeys_refresh_on() { + nsidx=$1 + nextpart ns${nsidx}/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 managed-keys refresh | sed "s/^/I: ns${nsidx} /" + wait_for_log "Returned from key fetch in keyfetch_done()" ns${nsidx}/named.run +} + +mkeys_sync_on() { + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # dns_zone_flush(), which also attempts to take that zone's lock + nsidx=$1 + nextpart ns${nsidx}/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 managed-keys sync | sed "s/^/I: ns${nsidx} /" + wait_for_log "dump_done" ns${nsidx}/named.run +} + +mkeys_status_on() { + # No race with mkeys_refresh_on() is possible as even if the latter + # returns immediately after the expected log message is written, the + # managed-keys zone is already locked and the command below calls + # mkey_status(), 
which in turn calls dns_zone_getrefreshkeytime(), + # which also attempts to take that zone's lock + nsidx=$1 + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 managed-keys status +} + +mkeys_flush_on() { + nsidx=$1 + nextpart ns${nsidx}/named.run > /dev/null + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 flush | sed "s/^/I: ns${nsidx} /" + wait_for_log "flushing caches in all views succeeded" ns${nsidx}/named.run +} + +mkeys_secroots_on() { + nsidx=$1 + $RNDC -c ../common/rndc.conf -s 10.53.0.${nsidx} -p 9953 secroots | sed "s/^/I: ns${nsidx} /" +} + status=0 n=1 @@ -58,11 +130,14 @@ n=`expr $n + 1` echo "I: check new trust anchor can be added ($n)" ret=0 standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 5 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_loadkeys_on 1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent the refresh from not being initiated due to all +# acceptance timers being equal to current timestamp. +sleep 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # there should be two keys listed now count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 
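Review bot: `wait_for_log` signals a timeout only by printing an `I:` line and setting the global `ret=1`; the function still returns 0 because that assignment is its last command. Any helper call placed before a check's `ret=0` reset therefore loses the failure: the `mkeys_reconfig_on 1` call ahead of "reinitialize trust anchors" in the `@@ -407,16 +492,18 @@` hunk is one such site, so a reconfig that never logged "running" would not fail the test. Ending the function with `ret=1; return 1` and writing such calls as `mkeys_reconfig_on 1 || status=1` would preserve the result. Separately, every `$RNDC ... | sed "s/^/I: ns${nsidx} /"` pipeline discards rndc's exit status, and `grep "$msg"` treats the message as a regular expression where `grep -F -- "$msg"` would match it literally.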
@@ -81,10 +156,8 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check new trust anchor can't be added with bad initial key ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 managed-keys refresh | sed 's/^/I: ns3 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 managed-keys sync | sed 's/^/I: ns3 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_refresh_on 3 +mkeys_status_on 3 > rndc.out.$n 2>&1 # there should be one key listed now count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 1 ] || ret=1 @@ -100,14 +173,17 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: remove untrusted standby key, check timer restarts ($n)" ret=0 -$SETTIME -D now -K ns1 $standby1 > /dev/null +mkeys_sync_on 2 t1=`grep "trust pending" ns2/managed-keys.bind` -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' +$SETTIME -D now -K ns1 $standby1 > /dev/null +mkeys_loadkeys_on 1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. sleep 1 +mkeys_refresh_on 2 +mkeys_sync_on 2 t2=`grep "trust pending" ns2/managed-keys.bind` # trust pending date must be different [ -n "$t2" ] || ret=1 
@@ -121,12 +197,15 @@ echo "I: restore untrusted standby key, revoke original key ($n)" t1=$t2 $SETTIME -D none -K ns1 $standby1 > /dev/null $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' +mkeys_loadkeys_on 1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_refresh_on 2 +mkeys_sync_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 @@ -153,10 +232,14 @@ n=`expr $n + 1` ret=0 echo "I: refresh managed-keys, ensure same result ($n)" t1=$t2 -sleep 2 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. +sleep 1 +mkeys_refresh_on 2 +mkeys_sync_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 
@@ -184,15 +267,17 @@ ret=0 echo "I: restore revoked key, ensure same result ($n)" t1=$t2 $SETTIME -R none -D now -K ns1 `cat ns1/managed.key` > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 +mkeys_loadkeys_on 1 $SETTIME -D none -K ns1 `cat ns1/managed.key` > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' +mkeys_loadkeys_on 1 +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent false negatives caused by the acceptance timer getting +# reset to the same timestamp. sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_refresh_on 2 +mkeys_sync_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 @@ -229,14 +314,14 @@ managed-keys { }; EOF ' > ns2/managed.conf +nextpart ns2/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2 n=`expr $n + 1` echo "I: check that no key from bind.keys is marked as an initializing key ($n)" ret=0 -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots | sed 's/^/I: ns2 /' -sleep 1 +wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run +mkeys_secroots_on 2 grep '; initializing' ns2/named.secroots > /dev/null 2>&1 && ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
@@ -245,14 +330,20 @@ echo "I: reinitialize trust anchors, revert to one key in bind.keys" $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns2 rm -f ns2/managed-keys.bind* mv ns2/managed1.conf ns2/managed.conf +nextpart ns2/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2 n=`expr $n + 1` echo "I: check that standby key is now trusted ($n)" ret=0 -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure status is checked at a different +# timestamp to prevent false negatives caused by the add hold-down time for the +# standby key being equal to current time ("trust pending") instead of in the +# past ("trusted since"). +sleep 1 +mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 @@ -270,12 +361,9 @@ echo "I: revoke original key, add new standby ($n)" ret=0 standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_loadkeys_on 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # three keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 3 ] || ret=1 
@@ -304,11 +392,9 @@ n=`expr $n + 1` echo "I: revoke standby before it is trusted ($n)" ret=0 standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .` -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.a.$n 2>&1 +mkeys_loadkeys_on 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.a.$n 2>&1 # four keys listed count=`grep -c "keyid: " rndc.out.a.$n` [ "$count" -eq 4 ] || { echo "keyid: count ($count) != 4"; ret=1; } @@ -319,11 +405,9 @@ count=`grep -c "trust revoked" rndc.out.a.$n` count=`grep -c "trust pending" rndc.out.a.$n` [ "$count" -eq 2 ] || { echo "trust pending count ($count) != 2"; ret=1; } $SETTIME -R now -K ns1 $standby3 > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.b.$n 2>&1 +mkeys_loadkeys_on 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.b.$n 2>&1 # now three keys listed count=`grep -c "keyid: " rndc.out.b.$n` [ "$count" -eq 3 ] || { echo "keyid: count ($count) != 3"; ret=1; } 
@@ -334,18 +418,20 @@ count=`grep -c "trust revoked" rndc.out.b.$n` count=`grep -c "trust pending" rndc.out.b.$n` [ "$count" -eq 1 ] || { echo "trust pending count ($count) != 1"; ret=1; } $SETTIME -D now -K ns1 $standby3 > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' +mkeys_loadkeys_on 1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` n=`expr $n + 1` -echo "I: wait 30 seconds for key add/remove holddowns to expire ($n)" +echo "I: wait 21 seconds for key add/remove holddowns to expire ($n)" ret=0 -sleep 30 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +# Wait for "month" plus 1 second. If we only wait for "month" and the previous +# two tests fit into a single second, we will get a false negative caused by +# the add hold-down time for the second standby key being equal to current time +# ("trust pending") instead of in the past ("trusted since"). +sleep 21 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 
@@ -367,12 +453,9 @@ ret=0 $SETTIME -D now -K ns1 `cat ns1/managed.key` > /dev/null $SETTIME -R now -K ns1 $standby1 > /dev/null $SETTIME -R now -K ns1 $standby2 > /dev/null -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_loadkeys_on 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # two keys listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 2 ] || ret=1 @@ -394,8 +477,10 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check for insecure response ($n)" ret=0 +mkeys_refresh_on 2 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` 
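Review bot: The negative assertion added to "check for insecure response", `grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null && ret=1`, uses a loose pattern that accepts any `ad` substring between `flags:` and `QUERY` as the AD bit. With dig's current flag names this happens to be unambiguous, but this line is what proves the answer was not marked as validated after all trust anchors were revoked, so it is worth anchoring to the flag token, e.g. `grep "flags:[^;]* ad[ ;]" dig.out.ns2.test$n > /dev/null && ret=1`. The same pattern is used for the positive checks in later hunks, which would benefit from the same tightening.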
@@ -407,16 +492,18 @@ $SETTIME -D now -K ns1 $standby2 > /dev/null $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&- cp ns1/named2.conf ns1/named.conf rm -f ns1/root.db.signed.jnl -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reconfig +mkeys_reconfig_on 1 echo "I: reinitialize trust anchors" $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns2 rm -f ns2/managed-keys.bind* +nextpart ns2/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2 n=`expr $n + 1` echo "I: check positive validation ($n)" ret=0 +wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 
@@ -430,17 +517,32 @@ orig=`cat ns1/managed.key` keyid=`cat ns1/managed.key.id` revoked=`$REVOKE -K ns1 $orig` rkeyid=`expr $revoked : 'ns1/K\.+00.+0*\([1-9]*[0-9]*[0-9]\)'` +rm -f ns1/root.db.signed.jnl +# We need to activate at least one valid DNSKEY to prevent dnssec-signzone from +# failing. Alternatively, we could use -P to disable post-sign verification, +# but we actually do want post-sign verification to happen to ensure the zone +# is correct before we break it on purpose. $SETTIME -R none -D none -K ns1 $standby1 > /dev/null $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>&- cp -f ns1/root.db.signed ns1/root.db.tmp BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg==" -sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' +# We need to prevent two different races here: +# +# 1. Less than a second may have passed since ns1 was started. If we call +# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by +# the subsequent "rndc reload ." call on platforms which do not set the +# "nanoseconds" field of isc_time_t, due to zone load time being seemingly +# equal to master file modification time. +# +# 2. Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent the refresh from not being initiated due to all +# acceptance timers being equal to current timestamp. 
sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys sync | sed 's/^/I: ns2 /' -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed +mkeys_reload_on 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # one key listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 1 ] || { echo "'keyid:' count ($count) != 1"; ret=1; } @@ -461,6 +563,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check validation fails with bad DNSKEY rrset ($n)" ret=0 +mkeys_flush_on 2 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "status: SERVFAIL" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi 
@@ -470,17 +573,18 @@ n=`expr $n + 1` echo "I: restore DNSKEY rrset, check validation succeeds again ($n)" ret=0 rm -f ${revoked}.key ${revoked}.private +rm -f ns1/root.db.signed.jnl $SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null $SETTIME -D now -K ns1 $standby1 > /dev/null -$SETTIME -D now -K ns1 $standby2 > /dev/null +# Less than a second may have passed since ns1 was started. If we call +# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the +# subsequent "rndc reload ." call on platforms which do not set the +# "nanoseconds" field of isc_time_t, due to zone load time being seemingly +# equal to master file modification time. sleep 1 $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&- -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /' +mkeys_reload_on 1 +mkeys_flush_on 2 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 
@@ -489,15 +593,24 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: reset the root server with no keys, check for minimal update ($n)" -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +ret=0 +# Refresh keys first to prevent previous checks from influencing this one. +# Note that we might still get occasional false negatives on some really slow +# machines, when $t1 equals $t2 due to the time elapsed between "rndc +# managed-keys status" calls being equal to the normal active refresh period +# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as +# set using -T mkeytimers). +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 t1=`grep 'next refresh:' rndc.out.$n` $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns1 +rm -f ns1/root.db.signed.jnl cp ns1/root.db ns1/root.db.signed +nextpart ns1/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns1 -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +wait_for_log "loaded serial" ns1/named.run +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # one key listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 1 ] || ret=1 
@@ -519,14 +632,23 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: reset the root server with no signatures, check for minimal update ($n)" -t2=$t1 +ret=0 +# Refresh keys first to prevent previous checks from influencing this one +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 +t1=`grep 'next refresh:' rndc.out.$n` $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns1 +rm -f ns1/root.db.signed.jnl cat ns1/K*.key >> ns1/root.db.signed +nextpart ns1/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns1 -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' +wait_for_log "loaded serial" ns1/named.run +# Less than a second may have passed since the last time ns2 received a +# ./DNSKEY response from ns1. Ensure keys are refreshed at a different +# timestamp to prevent minimal update from resetting it to the same timestamp. sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 # one key listed count=`grep -c "keyid: " rndc.out.$n` [ "$count" -eq 1 ] || ret=1 @@ -548,13 +670,12 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: restore root server, check validation succeeds again ($n)" +ret=0 rm -f ns1/root.db.signed.jnl $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&- -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /' -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_reload_on 1 +mkeys_refresh_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 
@@ -579,12 +700,10 @@ n=`expr $n + 1` echo "I: check 'rndc-managed-keys destroy' ($n)" ret=0 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys destroy | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_status_on 2 > rndc.out.$n 2>&1 grep "no views with managed keys" rndc.out.$n > /dev/null || ret=1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig | sed 's/^/I: ns2 /' -sleep 1 -$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1 +mkeys_reconfig_on 2 +mkeys_status_on 2 > rndc.out.$n 2>&1 grep "name: \." rndc.out.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` @@ -604,7 +723,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I: check initialization fails if managed-keys can't be created ($n)" ret=0 -$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots | sed 's/^/I: ns4 /' +mkeys_secroots_on 4 grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1 grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1 grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1 @@ -621,8 +740,9 @@ ret=0 # key refresh failure instead of just a few seconds, in order to prevent races # between the next scheduled key refresh time and startup time of restarted ns5. $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5 +nextpart ns5/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5 -sleep 2 +wait_for_log "Returned from key fetch in keyfetch_done()" ns5/named.run # ns5/named.run will contain logs from both the old instance and the new # instance. In order for the test to pass, both must attempt a fetch. count=`grep -c "Creating key fetch" ns5/named.run` 
@@ -635,14 +755,14 @@ echo "I: check key refreshes are resumed after root servers become available ($n ret=0 $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5 # Prevent previous check from affecting this one -rm -f ns2/managed-keys.bind* +rm -f ns5/managed-keys.bind* # named2.args adds "-T mkeytimers=2/20/40" to named1.args as we need to wait for # an "hour" until keys are refreshed again after initial failure cp ns5/named2.args ns5/named.args +nextpart ns5/named.run > /dev/null $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5 -sleep 2 -$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 secroots | sed 's/^/I: ns4 /' -sleep 1 +wait_for_log "Returned from key fetch in keyfetch_done()" ns5/named.run +mkeys_secroots_on 5 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 # ns1 should still REFUSE queries from ns5, so resolving should be impossible $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.a.test$n || ret=1 @@ -652,10 +772,10 @@ grep "status: SERVFAIL" dig.out.ns5.a.test$n > /dev/null || ret=1 # Allow queries from ns5 to ns1 cp ns1/named3.conf ns1/named.conf rm -f ns1/root.db.signed.jnl -$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reconfig -sleep 3 -$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 secroots | sed 's/^/I: ns4 /' -sleep 1 +mkeys_reconfig_on 1 +nextpart ns5/named.run > /dev/null +wait_for_log "Returned from key fetch in keyfetch_done()" ns5/named.run +mkeys_secroots_on 5 grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be # correctly refreshed and resolving should succeed diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh index 764a83cc1e..b3dc27f5ea 100644 --- a/bin/tests/system/sfcache/tests.sh +++ b/bin/tests/system/sfcache/tests.sh 
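Review bot: In the hunk at -652 the wait string `Returned from key fetch in keyfetch_done()` does not distinguish a successful fetch from a refused one. The hunk at -635 waits for the same line while ns1 still REFUSEs ns5, so the message is logged for failures as well. If a fetch that ns1 answered before its new configuration took effect is logged after `nextpart ns5/named.run`, the wait returns early and the `; managed` grep fails intermittently. Whether `mkeys_reconfig_on 1` blocks until the reconfig is complete is not visible in this hunk. At minimum that assumption should be recorded, for example `# mkeys_reconfig_on must not return before ns1 accepts ns5; the log line below is also emitted for failed fetches`.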
@@ -16,15 +16,6 @@ rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300" -# read everything that's been appended to a file since the last time -# 'nextpart' was called. -nextpart () { - [ -f $1.prev ] || echo "0" > $1.prev - prev=`cat $1.prev` - awk "FNR > $prev "'{ print } - END { print NR > "/dev/stderr" }' $1 2> $1.prev -} - echo "I:checking DNSSEC SERVFAIL is cached ($n)" ret=0 $DIG $DIGOPTS +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1 From 0ed0c4b1a562937ea01c752e20bd4726ee5f7702 Mon Sep 17 00:00:00 2001 From: Tinderbox User Date: Mon, 30 Oct 2017 23:30:10 +0000 Subject: [PATCH 4/5] newcopyrights --- util/copyrights | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/copyrights b/util/copyrights index c804afa800..df6ffa30bc 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1711,12 +1711,12 @@ ./bin/tests/system/mkeys/ns1/named1.conf CONF-C 2015,2016,2017 ./bin/tests/system/mkeys/ns1/named2.conf CONF-C 2015,2016,2017 ./bin/tests/system/mkeys/ns1/named3.conf CONF-C 2017 -./bin/tests/system/mkeys/ns1/root.db ZONE 2015,2016 +./bin/tests/system/mkeys/ns1/root.db ZONE 2015,2016,2017 ./bin/tests/system/mkeys/ns1/sign.sh SH 2015,2016,2017 ./bin/tests/system/mkeys/ns2/named.args X 2015,2016,2017 ./bin/tests/system/mkeys/ns2/named.conf CONF-C 2015,2016 -./bin/tests/system/mkeys/ns3/named.args X 2015,2016 -./bin/tests/system/mkeys/ns3/named.conf CONF-C 2015,2016 +./bin/tests/system/mkeys/ns3/named.args X 2015,2016,2017 +./bin/tests/system/mkeys/ns3/named.conf CONF-C 2015,2016,2017 ./bin/tests/system/mkeys/ns4/named.conf CONF-C 2017 ./bin/tests/system/mkeys/ns5/named.conf CONF-C 2017 ./bin/tests/system/mkeys/ns5/named1.args X 2017 From 6e023590349813470399d590958065f4d206a5fb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 31 Oct 2017 10:35:07 +1100 Subject: [PATCH 5/5] tmp should be a (struct in_addr) not (struct in_addr *) --- lib/dns/rdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index 27b959ea01..cecfd7dd38 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -386,7 +386,7 @@ getquad(const void *src, struct in_addr *dst, isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) { int result; - struct in_addr *tmp; + struct in_addr tmp; result = inet_aton(src, dst); if (result == 1 && callbacks != NULL &&