Skip to content

GitLab

B
BIND

dnssec: do not publish CDS records when -Psync is in the future 

This is a bug I encountered when trying to schedule an algorithm
rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
with the new algorithm and schedule a change of CDS records for more
than 48 hours in the future, roughly like this:

    $ dnssec-keygen -a 13 -fk -Psync now+50h $zone
    $ dnssec-keygen -a 13 $zone
    $ dnssec-settime -Dsync now+50h $zone_ksk_old

However the algorithm 13 CDS was published immediately, which could
have made the zone bogus.

To reveal the bug using the `smartsign` test, this change just adds a
KSK with all its times in the future, so it should not affect the
existing checks at all. But the final check (that there are no CDS or
CDSNSKEY records after -Dsync) fails with the old `syncpublish()`
logic, because the future key's sync records appear early. With the
new `syncpublish()` logic the future key does not affect the test, as
expected, and it now passes.
73 jobs for !2893 with u/fanf2/Psync-future in 15 minutes and 42 seconds (queued for 4 seconds)
latest detached
29d2ea6c
1 related merge request: !2893 dnssec: do not publish CDS records when -Psync is in the future
Status Job ID Name Coverage
  Precheck
passed #562980
amd64 linux
🐞:sid:amd64

00:03:55

passed #562978
amd64 linux
autoreconf:sid:amd64

00:00:33

passed #562979
amd64 linux
misc:sid:amd64

00:00:18

 
  Build
passed #562995
amd64 linux
asan:sid:amd64

00:04:56

passed #563002
amd64 freebsd
clang:freebsd11.3:amd64

00:01:06

passed #563003
amd64 freebsd
clang:freebsd12.0:amd64

00:00:58

passed #563004
amd64 openbsd
clang:openbsd6.5:amd64

00:05:15

passed #562999
amd64 linux
clang:stretch:amd64

00:03:39

passed #563000
i386 linux
clang:stretch:i386

00:03:30

passed #562981
amd64 linux
gcc:alpine3.11:amd64

00:02:05

passed #562994
amd64 linux
gcc:bionic:amd64

00:02:25

passed #562987
amd64 linux
gcc:buster:amd64

00:03:05

passed #562982
amd64 linux
gcc:centos6:amd64

00:02:35

passed #562983
amd64 linux
gcc:centos7:amd64

00:01:51

passed #562984
amd64 linux
gcc:centos8:amd64

00:03:00

passed #562992
amd64 linux
gcc:fedora31:amd64

00:02:28

passed #562985
amd64 linux
gcc:jessie:amd64

00:03:05

passed #562988
amd64 linux
gcc:sid:amd64

00:04:42

passed #562990
i386 linux
gcc:sid:i386

00:03:18

passed #562986
amd64 linux
gcc:stretch:amd64

00:03:20

passed #562991
amd64 linux
gcc:tumbleweed:amd64

00:02:13

passed #562993
amd64 linux
gcc:xenial:amd64

00:02:25

passed #563006
amd64 windows
msvc:windows:amd64

00:02:40

passed #562998
amd64 linux
mutexatomics:sid:amd64

00:02:27

passed #563005
amd64 linux
nolibtool:sid:amd64

00:03:40

passed #562989
amd64 linux
oot:sid:amd64

00:02:59

passed #563001
amd64 linux
pkcs11:sid:amd64

00:03:10

passed #562997
amd64 linux
rwlock:sid:amd64

00:03:24

passed #562996
amd64 linux
tsan:buster:amd64

00:03:04

 
  Unit
passed #563020
amd64 linux
unit:asan:sid:amd64

00:04:32

passed #563025
amd64 freebsd
unit:clang:freebsd11.3:amd64

00:00:29

passed #563026
amd64 freebsd
unit:clang:freebsd12.0:amd64

00:01:07

passed #563023
amd64 linux
unit:clang:stretch:amd64

00:00:58

passed #563007
amd64 linux
unit:gcc:alpine3.11:amd64

00:02:49

passed #563019
amd64 linux
unit:gcc:bionic:amd64

00:00:50

passed #563013
amd64 linux
unit:gcc:buster:amd64

00:01:24

passed #563008
amd64 linux
unit:gcc:centos6:amd64

00:00:58

passed #563009
amd64 linux
unit:gcc:centos7:amd64

00:00:57

passed #563010
amd64 linux
unit:gcc:centos8:amd64

00:00:54

passed #563017
amd64 linux
unit:gcc:fedora31:amd64

00:01:31

passed #563011
amd64 linux
unit:gcc:jessie:amd64

00:00:32

passed #563014
amd64 linux
unit:gcc:sid:amd64

00:01:21

passed #563015
i386 linux
unit:gcc:sid:i386

00:01:56

passed #563012
amd64 linux
unit:gcc:stretch:amd64

00:00:54

passed #563016
amd64 linux
unit:gcc:tumbleweed:amd64

00:01:25

passed #563018
amd64 linux
unit:gcc:xenial:amd64

00:00:42

passed #563027
amd64 linux
unit:nolibtool:sid:amd64

00:02:00

passed #563024
amd64 linux
unit:pkcs11:sid:amd64

00:01:30

passed #563022
amd64 linux
unit:rwlock:sid:amd64

00:01:31

failed #563021
amd64 linux allowed to fail
unit:tsan:buster:amd64

00:04:26

 
  System
passed #563041
amd64 linux
system:asan:sid:amd64

00:09:34

passed #563045
amd64 freebsd
system:clang:freebsd11.3:amd64

00:08:32

passed #563046
amd64 freebsd
system:clang:freebsd12.0:amd64

00:08:32

passed #563028
amd64 linux
system:gcc:alpine3.11:amd64

00:09:47

passed #563040
amd64 linux
system:gcc:bionic:amd64

00:09:08

passed #563034
amd64 linux
system:gcc:buster:amd64

00:08:15

passed #563029
amd64 linux
system:gcc:centos6:amd64

00:08:02

passed #563030
amd64 linux
system:gcc:centos7:amd64

00:07:56

passed #563031
amd64 linux
system:gcc:centos8:amd64

00:07:55

passed #563038
amd64 linux
system:gcc:fedora31:amd64

00:08:45

passed #563032
amd64 linux
system:gcc:jessie:amd64

00:07:24

passed #563035
amd64 linux
system:gcc:sid:amd64

00:08:17

passed #563036
i386 linux
system:gcc:sid:i386

00:08:43

passed #563033
amd64 linux
system:gcc:stretch:amd64

00:07:57

passed #563037
amd64 linux
system:gcc:tumbleweed:amd64

00:08:22

passed #563039
amd64 linux
system:gcc:xenial:amd64

00:07:39

passed #563047
amd64 linux
system:nolibtool:sid:amd64

00:08:27

passed #563044
amd64 linux
system:pkcs11:sid:amd64

00:08:24

passed #563043
amd64 linux
system:rwlock:sid:amd64

00:08:47

failed #563042
amd64 linux allowed to fail
system:tsan:buster:amd64

00:11:50

 
  Docs
passed #563048
amd64 linux
docs:sid:amd64

00:01:06

 
  Postcheck
passed #563050
amd64 linux
cppcheck:gcc:sid:amd64

00:03:07

passed #563049
amd64 linux
scan-build:buster:amd64

00:12:02

 
Name Stage Failure
failed
system:tsan:buster:amd64 System 
No job log
failed
unit:tsan:buster:amd64 Unit 
No job log