diff --git a/CHANGES b/CHANGES index 28df46719b..ae83d90b91 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ recursion was requested by the client, not on whether recursion was available. [GL #963] +5209. [bug] When update-check-ksk is true, add_sigs was not + considering offline keys, leaving record sets signed + with the incorrect type key. [GL #763] + 5208. [test] Run valid rdata wire encodings through totext+fromtext and tofmttext+fromtext methods to check these methods. [GL #899] diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index f4bf6d9f48..fd237cd4c9 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -998,7 +998,7 @@ $RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i echo_i "waiting for changes to take effect" sleep 5 -echo_i "checking former standby key is now active ($n)" +echo_i "checking former standby key $newid is now active ($n)" ret=0 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index f67c61d52f..9ca3f2c003 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -15,7 +15,7 @@ rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/dlvset-* ./*/signedkey-* ./*/*.signed rm -f ./*/example.bk rm -f ./*/named.conf rm -f ./*/named.memstats -rm -f ./*/named.run +rm -f ./*/named.run ./*/named.run.prev rm -f ./*/named.secroots rm -f ./*/tmp* ./*/*.jnl ./*/*.bk ./*/*.jbk rm -f ./*/trusted.conf ./*/managed.conf ./*/revoked.conf 
@@ -48,6 +48,9 @@ rm -f ./ns2/in-addr.arpa.db rm -f ./ns2/nsec3chain-test.db rm -f ./ns2/private.secure.example.db rm -f ./ns2/single-nsec3.db +rm -f ./ns2/updatecheck-kskonly.secure.* +rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db +rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db rm -f ./ns3/badds.example.db rm -f ./ns3/dname-at-apex-nsec3.example.db diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 67cff87b76..6124f4540f 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -26,6 +26,15 @@ options { notify-delay 1; }; +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -133,4 +142,20 @@ zone "cdnskey-auto.secure" { allow-update { any; }; }; +zone "updatecheck-kskonly.secure" { + type master; + auto-dnssec maintain; + key-directory "."; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; + sig-validity-interval 10; + file "updatecheck-kskonly.secure.db.signed"; + allow-update { any; }; +}; + +zone "corp" { + type master; + file "corp.db"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index ca186084ca..6ee989b14f 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh 
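Review bot: The `zone "corp" { type master; file "corp.db"; }` block added at the end of ns2/named.conf.in references a master file that this diff neither creates in ns2/ nor removes in the clean.sh hunk above, and none of the new tests query it; unless corp.db already exists in ns2 (not visible here), named will log a load failure for that zone on every run. If the zone is not needed by this change, drop the block; otherwise add the zone file and a matching `rm -f ./ns2/corp.db*` line. The new `controls` block uses a hard-coded `rndc_key` secret, which is normal for this test harness, but its value has to match the key in common/rndc.conf that `$RNDCCMD` in tests.sh points at, so a one-line comment `# must match common/rndc.conf` above `key rndc_key` would save the next person a round trip.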
@@ -239,3 +239,20 @@ key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds cat $infile $key1.cds > $zonefile.signed + +zone=updatecheck-kskonly.secure +infile=template.secure.db.in +zonefile=${zone}.db +key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone` +key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +# Save key id's for checking active key usage +echo $key1 | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.ksk.id +echo $key2 | sed -e 's/.*[+]//' -e 's/^0*//' > $zone.zsk.id +echo ${key1} > $zone.ksk.key +echo ${key2} > $zone.zsk.key +# Add CDS and CDNSKEY records +sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cdnskey +$DSFROMKEY -C $key1.key > $key1.cds +cat $infile $key1.key $key2.key $key1.cdnskey $key1.cds > $zonefile +# Don't sign, let auto-dnssec maintain do it. +mv $zonefile $zonefile.signed diff --git a/bin/tests/system/dnssec/ns2/template.secure.db.in b/bin/tests/system/dnssec/ns2/template.secure.db.in new file mode 100644 index 0000000000..e42cb4a29e --- /dev/null +++ b/bin/tests/system/dnssec/ns2/template.secure.db.in @@ -0,0 +1,12 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 8fedb8a878..67d66fa5ec 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -23,6 +23,26 @@ ANSWEROPTS="+noall +answer +dnssec -p ${PORT}" DELVOPTS="-a ns1/trusted.conf -p ${PORT}" RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" +# TODO: Move wait_for_log and loadkeys_on to conf.sh.common +wait_for_log() { + msg=$1 + file=$2 + for i in 1 2 3 4 5 6 7 8 9 10; do + nextpart "$file" | grep "$msg" > /dev/null && return + sleep 1 + done + echo_i "exceeded time limit waiting for '$msg' in $file" + ret=1 +} + +dnssec_loadkeys_on() { + nsidx=$1 + zone=$2 + nextpart ns${nsidx}/named.run > /dev/null + $RNDCCMD 10.53.0.${nsidx} loadkeys ${zone} | sed "s/^/ns${nsidx} /" | cat_i + wait_for_log "next key event" ns${nsidx}/named.run +} + # convert private-type records to readable form showprivate () { echo "-- $@ --" @@ -2586,7 +2606,7 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking dnskey query with no data still gets put in cache ($n)" +echo_i "checking DNSKEY query with no data still gets put in cache ($n)" ret=0 myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT} @10.53.0.4" firstVal=`$DIG $myDIGOPTS insecure.example. dnskey| awk '$1 != ";;" { print $2 }'` @@ -2643,7 +2663,7 @@ do fi echo_i "sleeping ...." sleep 3 -done; +done grep "ANSWER: 3," dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "nsec3 chain generation not complete"; fi $DIG $DIGOPTS +noauth +nodnssec soa nsec3chain-test @10.53.0.2 > dig.out.ns2.test$n || ret=1 
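Review bot: The `ret=1` set in `wait_for_log`'s timeout path never reaches the exit status, because every test that follows a `dnssec_loadkeys_on` call starts with `ret=0`, so a loadkeys that never logs "next key event" prints the warning and the run still passes. Either bump the aggregate directly, `status=$((status+1))`, next to the `echo_i "exceeded time limit ..."` line, or have `wait_for_log` return 1 and let `dnssec_loadkeys_on` propagate it so callers can fail the current test. The `$RNDCCMD ... | sed | cat_i` pipeline also discards rndc's own exit code, which is presumably why the log wait exists; a comment saying so on `dnssec_loadkeys_on` would make the dependency explicit. Note that `nextpart` consumes the log, so a caller that later greps named.run for the same event will not see it.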
@@ -3573,5 +3593,187 @@ n=`expr $n + 1` test "$ret" -eq 0 || echo_i "failed" status=`expr $status + $ret` +### +### Additional checks for when the KSK is offline. +### + +# Save some useful information +zone="updatecheck-kskonly.secure" +KSK=`cat ns2/${zone}.ksk.key` +ZSK=`cat ns2/${zone}.zsk.key` +KSK_ID=`cat ns2/${zone}.ksk.id` +ZSK_ID=`cat ns2/${zone}.zsk.id` +SECTIONS="+answer +noauthority +noadditional" +echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID" + +# Basic checks to make sure everything is fine before the KSK is made offline. +echo_i "checking DNSKEY RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" +ret=0 +$DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +grep $KSK_ID dig.out.test$n > /dev/null || ret=1 +grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk, dnssec-ksk-only) ($n)" +ret=0 +$DIG $DIGOPTS $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "SOA" {print}' dig.out.test$n | wc -l) +grep $KSK_ID dig.out.test$n > /dev/null && ret=1 +grep $ZSK_ID dig.out.test$n > /dev/null || ret=1 +test "$lines" -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Roll the ZSK. +echo_i "roll ZSK for zone $zone" +sleep 1 +zsk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -K ns2 -n zone $zone` +echo_i "new ZSK $zsk2 created for zone $zone" +echo "$zsk2" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id2 +ZSK_ID2=`cat ns2/$zone.zsk.id2` +dnssec_loadkeys_on 2 $zone + +# Wait until new ZSK becomes active. 
+sleep 1 +echo_i "make ZSK $ZSK inactive and make new ZSK $zsk2 active for zone $zone" +$SETTIME -I now -K ns2 $ZSK > /dev/null +$SETTIME -A now -K ns2 $zsk2 > /dev/null +dnssec_loadkeys_on 2 $zone + +# Remove the KSK from disk. +sleep 1 +echo_i "remove the KSK $KSK for zone $zone from disk" +mv ns2/$KSK.key ns2/$KSK.key.bak +mv ns2/$KSK.private ns2/$KSK.private.bak + +# Update the zone that requires a resign of the SOA RRset. +sleep 1 +echo_i "update the zone with $zone IN TXT nsupdate added me" +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update add $zone. 300 in txt "nsupdate added me" +echo send +) | $NSUPDATE + +# Redo the tests now that the zone is updated and the KSK is offline. +echo_i "checking DNSKEY RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" +ret=0 +$DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +grep $KSK_ID dig.out.test$n > /dev/null || ret=1 +grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 +grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +for qtype in "SOA" "TXT" +do + echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" + ret=0 + $DIG $DIGOPTS $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l) + grep $KSK_ID dig.out.test$n > /dev/null && ret=1 + grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 + grep $ZSK_ID2 dig.out.test$n > /dev/null || ret=1 + test "$lines" -eq 1 || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +done + +# Put back the KSK. +sleep 1 +echo_i "put back the KSK $KSK for zone $zone from disk" +mv ns2/$KSK.key.bak ns2/$KSK.key +mv ns2/$KSK.private.bak ns2/$KSK.private + +# Roll the ZSK again. 
+sleep 1 +zsk3=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -K ns2 -n zone $zone` +echo_i "new ZSK $zsk3 created for zone $zone" +echo "$zsk3" | sed -e 's/.*[+]//' -e 's/^0*//' > ns2/$zone.zsk.id3 +ZSK_ID3=`cat ns2/$zone.zsk.id3` +dnssec_loadkeys_on 2 $zone + +# Wait until new ZSK becomes active. +sleep 1 +echo_i "delete old ZSK $ZSK make ZSK $ZSK2 inactive and make new ZSK $zsk3 active for zone $zone" +$SETTIME -D now -K ns2 $ZSK > /dev/null +$SETTIME -I +5 -K ns2 $zsk2 > /dev/null +$SETTIME -A +5 -K ns2 $zsk3 > /dev/null +dnssec_loadkeys_on 2 $zone + +# Remove the KSK from disk. +sleep 1 +echo_i "remove the KSK $KSK for zone $zone from disk" +mv ns2/$KSK.key ns2/$KSK.key.bak +mv ns2/$KSK.private ns2/$KSK.private.bak + +# Update the zone that requires a resign of the SOA RRset. +sleep 1 +echo_i "update the zone with $zone IN TXT nsupdate added me again" +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update add $zone. 300 in txt "nsupdate added me again" +echo send +) | $NSUPDATE + +# Redo the tests now that the ZSK roll has deleted the old key. 
+echo_i "checking DNSKEY RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" +ret=0 +$DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +grep $KSK_ID dig.out.test$n > /dev/null || ret=1 +grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 +grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1 +grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +for qtype in "SOA" "TXT" +do + echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" + ret=0 + $DIG $DIGOPTS $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n + lines=$(awk -v qt="$qtype" '$4 == "RRSIG" && $5 == qt {print}' dig.out.test$n | wc -l) + grep $KSK_ID dig.out.test$n > /dev/null && ret=1 + grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 + grep $ZSK_ID2 dig.out.test$n > /dev/null || ret=1 + grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1 + test "$lines" -eq 1 || ret=1 + n=$((n+1)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +done + +# Wait for newest ZSK to become active. +echo_i "sleep 6 to make new ZSK $zsk3 active and ZSK $zsk2 inactive" +sleep 6 + +# Redo the tests one more time. +echo_i "checking DNSKEY RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" +ret=0 +$DIG $DIGOPTS $SECTIONS @10.53.0.2 DNSKEY $zone > dig.out.test$n +lines=$(awk '$4 == "RRSIG" && $5 == "DNSKEY" {print}' dig.out.test$n | wc -l) +test "$lines" -eq 1 || ret=1 +grep $KSK_ID dig.out.test$n > /dev/null || ret=1 +grep $ZSK_ID dig.out.test$n > /dev/null && ret=1 +grep $ZSK_ID2 dig.out.test$n > /dev/null && ret=1 +grep $ZSK_ID3 dig.out.test$n > /dev/null && ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
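Review bot: The `grep $KSK_ID`, `grep $ZSK_ID`, `grep $ZSK_ID2` and `grep $ZSK_ID3` checks throughout this block match a bare digit string anywhere in the dig output, and the DNSKEY answer contains base64 key material, TTLs and an SOA serial that can contain the same digits, so a tag like `300` or a digit run inside a key blob yields a false `ret=1` on the `&& ret=1` lines or a false pass on the `|| ret=1` lines. Anchor the match to the RRSIG record the way the autosign test does, e.g. `grep "RRSIG.* $KSK_ID $zone\." dig.out.test$n`, so only the key tag field is compared. The message on the second roll expands `$ZSK2`, which is never assigned (the variable set above is `$zsk2`), so that echo_i line prints an empty key name; use `$zsk2` there. The `-I +5` / `-A +5` settime values followed by `sleep 6` make the final "new ZSK active" check timing-dependent, which is likely to be flaky on loaded CI hosts.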
diff --git a/lib/dns/update.c b/lib/dns/update.c index 47cc4cf4ef..7c9afc24e8 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1105,10 +1105,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, for (i = 0; i < nkeys; i++) { bool both = false; - if (!dst_key_isprivate(keys[i])) + /* Don't add signatures for offline or inactive keys */ + if (!dst_key_isprivate(keys[i])) { continue; - if (dst_key_inactive(keys[i])) /* Should be redundant. */ + } + if (dst_key_inactive(keys[i])) { continue; + } if (check_ksk && !REVOKE(keys[i])) { bool have_ksk, have_nonksk; @@ -1120,21 +1123,31 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, have_nonksk = true; } for (j = 0; j < nkeys; j++) { - if (j == i || ALG(keys[i]) != ALG(keys[j])) + if (j == i || ALG(keys[i]) != ALG(keys[j])) { continue; - if (!dst_key_isprivate(keys[j])) + } + + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. + */ + if (dst_key_inactive(keys[j])) { continue; - if (dst_key_inactive(keys[j])) /* SBR */ + } + + if (REVOKE(keys[j])) { continue; - if (REVOKE(keys[j])) - continue; - if (KSK(keys[j])) + } + if (KSK(keys[j])) { have_ksk = true; - else + } else { have_nonksk = true; + } both = have_ksk && have_nonksk; - if (both) + if (both) { break; + } } } diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3f1bc448c6..000b42b841 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6365,10 +6365,11 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, * If there is not a matching DNSKEY then * delete the RRSIG. */ - if (!found) + if (!found) { result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN, name, rdataset.ttl, &rdata); + } if (result != ISC_R_SUCCESS) break; } 
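Review bot: Dropping the `dst_key_isprivate(keys[j])` test in the inner loop of `add_sigs` makes an offline key of either type count toward `both`, so the mirror case the new tests do not cover, a ZSK whose private file is missing while the KSK is online, presumably now leaves updated non-DNSKEY RRsets with no new RRSIG at all if the post-loop logic matches zone.c's `else if (KSK(keys[i])) continue;` (the rest of `add_sigs` is outside this hunk), where before the KSK would at least have signed them; that is a larger availability regression than a wrong-type signature and nothing logs it. It is worth stating this trade-off in the comment and adding an offline-ZSK case to the dnssec system test, or emitting a warning when a resign adds no signature for an RRset. The wording of the new comment should also be tightened to `temporarily offline` and `keys whose private key files are unavailable`, and this file's block comments open with a bare `/*` line as `del_sigs` below does, rather than `/* Don't consider ...`.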
@@ -6433,10 +6434,13 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, for (i = 0; i < nkeys; i++) { bool both = false; - if (!dst_key_isprivate(keys[i])) + /* Don't add signatures for offline or inactive keys */ + if (!dst_key_isprivate(keys[i])) { continue; - if (dst_key_inactive(keys[i])) /* Should be redundant. */ + } + if (dst_key_inactive(keys[i])) { continue; + } if (check_ksk && !REVOKE(keys[i])) { bool have_ksk, have_nonksk; @@ -6447,24 +6451,36 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, have_ksk = false; have_nonksk = true; } + for (j = 0; j < nkeys; j++) { - if (j == i || ALG(keys[i]) != ALG(keys[j])) + if (j == i || ALG(keys[i]) != ALG(keys[j])) { continue; - if (!dst_key_isprivate(keys[j])) + } + + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. + */ + if (dst_key_inactive(keys[j])) { continue; - if (dst_key_inactive(keys[j])) /* SBR */ + } + + if (REVOKE(keys[j])) { continue; - if (REVOKE(keys[j])) - continue; - if (KSK(keys[j])) + } + if (KSK(keys[j])) { have_ksk = true; - else + } else { have_nonksk = true; + } both = have_ksk && have_nonksk; - if (both) + if (both) { break; + } } } + if (both) { if (type == dns_rdatatype_dnskey) { if (!KSK(keys[i]) && keyset_kskonly) @@ -8653,9 +8669,6 @@ zone_sign(dns_zone_t *zone) { */ if (!dst_key_isprivate(zone_keys[i])) continue; - /* - * Should be redundant. - */ if (dst_key_inactive(zone_keys[i])) continue; @@ -8694,11 +8707,11 @@ zone_sign(dns_zone_t *zone) { continue; if (!dst_key_isprivate(zone_keys[j])) continue; - /* - * Should be redundant. + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. */ - if (dst_key_inactive(zone_keys[j])) - continue; if (REVOKE(zone_keys[j])) continue; if (KSK(zone_keys[j])) 
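Review bot: In the `zone_sign` hunk (`@@ -8694`) the new comment says not to consider inactive keys but to consider keys whose private key files are unavailable, yet the code it sits on keeps `if (!dst_key_isprivate(zone_keys[j])) continue;` and deletes the `dst_key_inactive(zone_keys[j])` check, the exact inverse of the comment and of the `add_sigs` edits in this same diff. It looks like the wrong `continue` was removed: the `isprivate` skip should go and `if (dst_key_inactive(zone_keys[j])) { continue; }` should stay. As written, a full re-sign via `zone_sign` will still treat an offline KSK as absent and let the ZSK sign the DNSKEY RRset, while incremental resigning through `add_sigs` no longer does, so the two signing paths diverge and inactive-but-present keys now count toward `have_ksk`/`have_nonksk`. The body of `zone_sign` extends beyond this hunk.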
@@ -10220,14 +10233,17 @@ zone_maintenance(dns_zone_t *zone) { if (zone->rss_event != NULL) break; if (!isc_time_isepoch(&zone->signingtime) && - isc_time_compare(&now, &zone->signingtime) >= 0) + isc_time_compare(&now, &zone->signingtime) >= 0) { zone_sign(zone); + } else if (!isc_time_isepoch(&zone->resigntime) && - isc_time_compare(&now, &zone->resigntime) >= 0) + isc_time_compare(&now, &zone->resigntime) >= 0) { zone_resigninc(zone); + } else if (!isc_time_isepoch(&zone->nsec3chaintime) && - isc_time_compare(&now, &zone->nsec3chaintime) >= 0) + isc_time_compare(&now, &zone->nsec3chaintime) >= 0) { zone_nsec3chain(zone); + } /* * Do we need to issue a key expiry warning? */ @@ -17770,15 +17786,18 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link)) { - if (tuple->rdata.type != dns_rdatatype_dnskey) + if (tuple->rdata.type != dns_rdatatype_dnskey) { continue; + } result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE) + { continue; + } dns_rdata_toregion(&tuple->rdata, &r); @@ -17796,8 +17815,10 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, if (sign_all || tuple->op == DNS_DIFFOP_DEL) { CHECK(rr_exists(db, ver, name, &rdata, &flag)); - if (flag) + if (flag) { continue; + } + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0, &rdata, &newtuple)); CHECK(do_one_tuple(&newtuple, db, ver, diff)); @@ -18097,7 +18118,6 @@ zone_rekey(dns_zone_t *zone) { } else if (result != ISC_R_NOTFOUND) goto failure; - /* Get the CDS rdataset */ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds, dns_rdatatype_none, 0, &cdsset, NULL); 
@@ -18121,7 +18141,6 @@ zone_rekey(dns_zone_t *zone) { if (result == ISC_R_SUCCESS) { bool check_ksk; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); - result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys, &zone->origin, ttl, &diff, !check_ksk, diff --git a/util/copyrights b/util/copyrights index 4f7b0050cf..22b7896f69 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1095,6 +1095,7 @@ ./bin/tests/system/dnssec/ns2/rfc2335.example.db X 2004,2018,2019 ./bin/tests/system/dnssec/ns2/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2018,2019 ./bin/tests/system/dnssec/ns2/single-nsec3.db.in ZONE 2010,2016,2018,2019 +./bin/tests/system/dnssec/ns2/template.secure.db.in ZONE 2019 ./bin/tests/system/dnssec/ns3/auto-nsec.example.db.in ZONE 2011,2016,2018,2019 ./bin/tests/system/dnssec/ns3/auto-nsec3.example.db.in ZONE 2011,2016,2018,2019 ./bin/tests/system/dnssec/ns3/bogus.example.db.in ZONE 2000,2001,2004,2007,2014,2016,2018,2019