diff --git a/CHANGES b/CHANGES index 7b2e0b1943..9e843dc630 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3282. [bug] Restrict the TTL of NS RRset to no more than that + of the old NS RRset when replacing it. [RT #27792] + 3281. [bug] SOA refresh queries could be treated as cancelled despite succeeding over the loopback interface. [RT #27782] diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh index 8cf4dab6a1..6a42968610 100644 --- a/bin/tests/system/resolver/clean.sh +++ b/bin/tests/system/resolver/clean.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.8 2011/03/13 23:47:35 tbox Exp $ +# $Id: clean.sh,v 1.9 2012/02/09 20:54:45 marka Exp $ # # Clean up after resolver tests. @@ -23,8 +23,11 @@ rm -f */named.memstats rm -f dig.out dig.*.out.* rm -f dig.*.foo.* rm -f dig.*.bar.* +rm -f dig.*.prime.* +rm -f ns4/tld.db rm -f ns6/K* rm -f ns6/example.net.db.signed ns6/example.net.db rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl +rm -r ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl rm -f ns7/server.db ns7/server.db.jnl rm -f random.data diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf index 814c59791d..69433daa0c 100644 --- a/bin/tests/system/resolver/ns4/named.conf +++ b/bin/tests/system/resolver/ns4/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.4 2011/03/13 23:47:36 tbox Exp $ */ +/* $Id: named.conf,v 1.5 2012/02/09 20:54:45 marka Exp $ */ // NS4 @@ -46,3 +46,17 @@ zone "child.server" { type master; file "child.server.db"; }; + +zone "tld" { + type master; + file "tld.db"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; + +controls { + inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; }; +}; 
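Review bot: The added cleanup line `rm -r ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl` in clean.sh uses `-r` where every neighbouring line uses `-f`. Both targets are regular files, so `-r` does nothing useful. Without `-f`, rm prints an error and returns non-zero when either file is absent, for example if clean.sh runs before setup.sh or no journal was written. I would change it to `rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl`.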
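Review bot: The new `controls` block in ns4/named.conf accepts rndc from any source address (`allow { any; }`) and authenticates it with an hmac-md5 key whose secret is written in the file, and nothing in the hunk marks this as a test fixture. It listens on 10.53.0.4 and tests.sh drives it through `../common/rndc.conf`, so the exposure is presumably limited to the system-test addresses, but the block is easy to copy into a real configuration. I would add a comment above `key rndc_key`, such as `// Test-only control channel: the key is public and is expected to match ../common/rndc.conf.` The `allow-update { any; };` added for zone "to-be-removed.tld" in ns6/named.conf deserves the same kind of marker, since the test appears to rely on it for its unsigned nsupdate calls.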
diff --git a/bin/tests/system/resolver/ns4/tld1.db b/bin/tests/system/resolver/ns4/tld1.db new file mode 100644 index 0000000000..1dadbd2af1 --- /dev/null +++ b/bin/tests/system/resolver/ns4/tld1.db @@ -0,0 +1,29 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: tld1.db,v 1.2 2012/02/09 20:54:46 marka Exp $ + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.tld. +ns A 10.53.0.4 +$TTL 5 +to-be-removed NS ns.to-be-removed +ns.to-be-removed A 10.53.0.6 diff --git a/bin/tests/system/resolver/ns4/tld2.db b/bin/tests/system/resolver/ns4/tld2.db new file mode 100644 index 0000000000..783b283c2c --- /dev/null +++ b/bin/tests/system/resolver/ns4/tld2.db 
@@ -0,0 +1,26 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: tld2.db,v 1.2 2012/02/09 20:54:46 marka Exp $ + +$TTL 300 +@ IN SOA marka.isc.org. ns.server. ( + 2010 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +@ NS ns.tld. +ns A 10.53.0.4 diff --git a/bin/tests/system/resolver/ns6/named.conf b/bin/tests/system/resolver/ns6/named.conf index 78c39ca84c..759cb62565 100644 --- a/bin/tests/system/resolver/ns6/named.conf +++ b/bin/tests/system/resolver/ns6/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2010/11/16 06:46:44 marka Exp $ */ +/* $Id: named.conf,v 1.3 2012/02/09 20:54:46 marka Exp $ */ // NS4 @@ -42,3 +42,9 @@ zone "example.net" { file "example.net.db.signed"; allow-update { any; }; }; + +zone "to-be-removed.tld" { + type master; + file "to-be-removed.tld.db"; + allow-update { any; }; +}; diff --git a/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in new file mode 100644 index 0000000000..fcb868873a --- /dev/null +++ b/bin/tests/system/resolver/ns6/to-be-removed.tld.db.in 
@@ -0,0 +1,33 @@ +; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: to-be-removed.tld.db.in,v 1.2 2012/02/09 20:54:46 marka Exp $ + +$TTL 600 +@ IN SOA ns hostmaster 1 1800 900 604800 600 +@ IN NS ns +ns IN A 10.53.0.6 +ns0 IN A 10.53.0.6 +ns1 IN A 10.53.0.6 +ns2 IN A 10.53.0.6 +ns3 IN A 10.53.0.6 +ns4 IN A 10.53.0.6 +ns5 IN A 10.53.0.6 +ns6 IN A 10.53.0.6 +ns7 IN A 10.53.0.6 +ns8 IN A 10.53.0.6 +ns9 IN A 10.53.0.6 +$TTL 1 +@ IN A 10.53.0.6 +www IN A 10.53.0.6 diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh index d2b5e9f643..a81e40757e 100644 --- a/bin/tests/system/resolver/setup.sh +++ b/bin/tests/system/resolver/setup.sh @@ -14,9 +14,11 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.5 2011/03/13 23:47:35 tbox Exp $ +# $Id: setup.sh,v 1.6 2012/02/09 20:54:45 marka Exp $ ../../../tools/genrandom 400 random.data +cp ns4/tld1.db ns4/tld.db +cp ns6/to-be-removed.tld.db.in ns6/to-be-removed.tld.db cp ns7/server.db.in ns7/server.db (cd ns6 && sh keygen.sh) diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index 2cfe4a5345..765a265f6f 100644 --- a/bin/tests/system/resolver/tests.sh 
+++ b/bin/tests/system/resolver/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.20 2011/07/28 03:18:17 each Exp $ +# $Id: tests.sh,v 1.21 2012/02/09 20:54:45 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -264,6 +264,35 @@ $DIG @10.53.0.7 -p 5300 -x 172.20.1.1 > dig.ns4.out.19.${n} || ret=1 grep 'flags: qr rd ra;' dig.ns4.out.19.${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; status=1; fi +n=`expr $n + 1` +echo "I:checking that removal of a delegation is honoured ($n)" +ret=0 +$DIG -p 5300 @10.53.0.5 www.to-be-removed.tld A > dig.ns5.prime.${n} +grep "status: NOERROR" dig.ns5.prime.${n} > /dev/null || { ret=1; echo "I: priming failed"; } +cp ns4/tld2.db ns4/tld.db +($RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reload tld 2>&1 ) | +sed -e '/reload queued/d' -e 's/^/I:ns4 /' +old= +for i in 0 1 2 3 4 5 6 7 8 9 +do + foo=0 + $DIG -p 5300 @10.53.0.5 ns$i.to-be-removed.tld A > /dev/null + $DIG -p 5300 @10.53.0.5 www.to-be-removed.tld A > dig.ns5.out.${n} + grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || foo=1 + [ $foo = 0 ] && break + $NSUPDATE << EOF +server 10.53.0.6 5300 +zone to-be-removed.tld +update add to-be-removed.tld 100 NS ns${i}.to-be-removed.tld +update delete to-be-removed.tld NS ns${old}.to-be-removed.tld +send +EOF + old=$i + sleep 1 +done +[ $ret = 0 ] && ret=$foo; +if [ $ret != 0 ]; then echo "I:failed"; status=1; fi + echo "I:exit status: $status" exit $status diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index a8f676ebbe..f7bd233bc9 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.326 2012/01/04 23:46:49 tbox Exp $ */ +/* $Id: rbtdb.c,v 1.327 2012/02/09 20:54:46 marka Exp $ */ /*! \file */ 
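Review bot: The exit status of each `$NSUPDATE` call in the new loop is discarded, so if ns6 rejects an update the child's NS RRset is never rotated. As far as the hunk shows, the loop would then only be waiting for cached records to expire, and the test would no longer exercise replacement of a cached NS RRset. Recording the failure keeps the result meaningful: `$NSUPDATE << EOF || ret=1`. A comment before the loop would also help, for example `# keep replacing the child's NS RRset; the removed delegation must still time out in the resolver`. On the first pass `old` is empty, so the delete targets `ns.to-be-removed.tld`; this looks intentional but is worth a word in that comment.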
@@ -6126,6 +6126,19 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, addedrdataset); return (ISC_R_SUCCESS); } + /* + * If we have will be replacing a NS RRset force its TTL + * to be no more than the current NS RRset's TTL. This + * ensures the delegations that are withdrawn are honoured. + */ + if (IS_CACHE(rbtdb) && header->rdh_ttl > now && + header->type == dns_rdatatype_ns && + !header_nx && !newheader_nx && + header->trust <= newheader->trust) { + if (newheader->rdh_ttl > header->rdh_ttl) { + newheader->rdh_ttl = header->rdh_ttl; + } + } if (IS_CACHE(rbtdb) && header->rdh_ttl > now && (header->type == dns_rdatatype_a || header->type == dns_rdatatype_aaaa) &&
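Review bot: The new comment opens with "If we have will be replacing" and omits two things a reader needs to check the clamp. It does not say that `rdh_ttl` appears to be an absolute expiry time (the guard compares it with `now`), nor why the clamp is limited to `header->trust <= newheader->trust`. I would reword it along the lines of `/* When an unexpired cached NS RRset is about to be replaced, cap the new RRset's expiry at the old one's, so that a withdrawn delegation still times out. */` and add a sentence on lower-trust replacements, which are handled outside this hunk. The condition matches only `dns_rdatatype_ns` headers; whether signature records covering the NS RRset need the same cap is not visible here and is worth confirming. The enclosing function add() starts and ends outside the hunk.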