Commit 02286522 authored by Mark Andrews's avatar Mark Andrews

3166. [bug] Upgrading a zone to support inline-signing failed. ...

3166.   [bug]           Upgrading a zone to support inline-signing failed.                         [RT #26014]
parent 0e11ca0f
3166. [bug] Upgrading a zone to support inline-signing failed.
[RT #26014]
3165. [bug] dnssec-signzone could generate new signatures when
resigning, even when valid signatures were already
present. [RT #26025]
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.183 2011/10/11 00:09:01 each Exp $ */
/* $Id: zoneconf.c,v 1.184 2011/10/12 00:10:19 marka Exp $ */
/*% */
......@@ -1589,6 +1589,8 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
const cfg_obj_t *obj = NULL;
const char *cfilename;
const char *zfilename;
dns_zone_t *raw = NULL;
isc_boolean_t has_raw;
zoptions = cfg_tuple_get(zconfig, "options");
......@@ -1614,16 +1616,19 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
strcmp(cfilename, zfilename) == 0)))
return (ISC_FALSE);
dns_zone_getraw(zone, &raw);
if (raw != NULL) {
dns_zone_detach(&raw);
has_raw = ISC_TRUE;
} else
has_raw = ISC_FALSE;
obj = NULL;
(void)cfg_map_get(zoptions, "signing", &obj);
if (obj == NULL || !cfg_obj_asboolean(obj)) {
dns_zone_t *raw = NULL;
dns_zone_getraw(zone, &raw);
if (raw != NULL) {
dns_zone_detach(&raw);
return (ISC_FALSE);
}
}
(void)cfg_map_get(zoptions, "inline-signing", &obj);
if ((obj == NULL || !cfg_obj_asboolean(obj)) && has_raw)
return (ISC_FALSE);
if ((obj != NULL && cfg_obj_asboolean(obj)) && !has_raw)
return (ISC_FALSE);
return (ISC_TRUE);
}
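Review bot: The `(void)cfg_map_get(zoptions, "inline-signing", &obj)` call reuses `obj` with no `obj = NULL;` immediately before it, and from this rendered hunk it is not certain whether the `obj = NULL;` that precedes the `"signing"` lookup survives on the new side; as I read its contract `cfg_map_get` assigns `*obj` only when the key is found, so a zone with no `inline-signing` clause would be judged by whatever the previous lookup left in `obj`, and an explicit `obj = NULL;` right before the call removes that dependency. The two guards that follow are exact complements of each other, so a single comparison reads more clearly and evaluates `cfg_obj_asboolean()` once: `isc_boolean_t inline_signing = ISC_TF(obj != NULL && cfg_obj_asboolean(obj)); if (inline_signing != has_raw) return (ISC_FALSE);`. The `dns_zone_getraw()` probe attaches a reference only to detach it at once, which is fine but deserves a comment such as `/* Probe only: does the running zone already have a raw (inline-signing) counterpart? */` so the immediate detach is not mistaken for a leak fix. `ns_zone_reusable()` begins before this hunk.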
......@@ -12,16 +12,30 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
# $Id: clean.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
rm -f */named.memstats
rm -f */named.run
rm -f */trusted.conf
rm -f ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns3/K*
rm -f ns3/bits.bk
rm -f ns3/bits.bk.jnl
rm -f ns3/bits.bk.signed
rm -f ns3/bits.bk.signed.jnl
rm -f ns3/noixfr.bk
rm -f ns3/noixfr.bk.jnl
rm -f ns3/noixfr.bk.signed
rm -f ns3/noixfr.bk.signed.jnl
rm -f ns4/K*
rm -f ns4/noixfr.db
rm -f ns4/noixfr.db.jnl
rm -f ns5/K*
rm -f ns5/named.conf
rm -f ns5/bits.bk
rm -f ns5/bits.bk.jnl
rm -f ns5/bits.bk.signed
rm -f ns5/bits.bk.signed.jnl
rm -f random.data
rm -f dig.out.ns*.test*
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf.post,v 1.2 2011/10/12 00:10:19 marka Exp $ */
// NS5
include "../../common/rndc.key";
controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
notify yes;
notify-delay 0;
};
zone "bits" {
type slave;
masters { 10.53.0.2; };
file "bits.bk";
auto-dnssec maintain;
inline-signing yes;
};
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf.pre,v 1.2 2011/10/12 00:10:20 marka Exp $ */
// NS5
include "../../common/rndc.key";
controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
notify yes;
notify-delay 0;
};
zone "bits" {
type slave;
masters { 10.53.0.2; };
file "bits.bk";
};
......@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
# $Id: setup.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
sh clean.sh
......@@ -34,6 +34,8 @@ rm -f ns3/noixfr.bk.jnl
rm -f ns3/noixfr.bk.signed
rm -f ns3/noixfr.bk.signed.jnl
cp ns5/named.conf.pre ns5/named.conf
../../../tools/genrandom 400 random.data
(cd ns3; sh -e sign.sh)
......@@ -14,12 +14,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
# $Id: tests.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
DIGOPTS="+tcp +dnssec"
RANDFILE=random.data
status=0
n=0
......@@ -326,4 +327,27 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking turning on of inline signing in a slave zone via reload ($n)"
$DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:setup broken"; fi
status=`expr $status + $ret`
cp ns5/named.conf.post ns5/named.conf
(cd ns5; $KEYGEN -q -r ../$RANDFILE bits) > /dev/null 2>&1
(cd ns5; $KEYGEN -q -r ../$RANDFILE -f KSK bits) > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
for i in 1 2 3 4 5 6 7 8 9 10
do
ret=0
$DIG $DIGOPTS @10.53.0.5 -p 5300 bits SOA > dig.out.ns5.test$n
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
exit $status
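Review bot: `ret` is not reset to 0 before the setup check (the first `$DIG ... bits SOA > dig.out.ns5.test$n` and its two greps), so a failure left behind by the previous test is reported here as "I:setup broken" and added to `status` a second time; the retry loop below resets `ret=0` on each pass, and the setup check needs the same `ret=0` right after the `echo "I:checking turning on of inline signing ..."` line. The two `$KEYGEN` invocations discard both their output and their exit status, so a key-generation failure only shows up as the ten-second poll timing out with "I:failed"; appending `|| ret=1` to each and checking `ret` before the `$RNDC ... reload` would name the actual cause. `+dnssec` is already part of `$DIGOPTS`, so the extra `+dnssec` on the setup-check dig is redundant.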
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.633 2011/10/07 02:55:04 marka Exp $ */
/* $Id: zone.c,v 1.634 2011/10/12 00:10:20 marka Exp $ */
/*! \file */
......@@ -412,6 +412,7 @@ struct dns_zone {
#define DNS_ZONEFLG_THAW 0x08000000U
#define DNS_ZONEFLG_LOADPENDING 0x10000000U /*%< Loading scheduled */
#define DNS_ZONEFLG_NODELAY 0x20000000U
#define DNS_ZONEFLG_SENDSECURE 0x40000000U
#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
#define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
......@@ -709,6 +710,7 @@ static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
static void zone_rekey(dns_zone_t *zone);
static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr,
dst_key_t **keys, unsigned int nkeys);
static isc_result_t zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
#define ENTER zone_debuglog(zone, me, 1, "enter")
......@@ -3458,6 +3460,16 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
return (result);
}
static void
maybe_send_securedb(dns_zone_t *zone) {
LOCK_ZONE(zone->raw);
if (zone->raw->db != NULL)
zone_send_securedb(zone->raw, zone->raw->db);
else
DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
UNLOCK_ZONE(zone->raw);
}
static isc_result_t
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
isc_result_t result)
......@@ -3493,6 +3505,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
"failed: %s",
zone->masterfile,
dns_result_totext(result));
} else if (zone->type == dns_zone_master &&
zone->raw != NULL && result == ISC_R_FILENOTFOUND) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"no master file, requesting db");
maybe_send_securedb(zone);
} else {
dns_zone_log(zone, ISC_LOG_ERROR,
"loading from master file %s failed: %s",
......@@ -3797,6 +3814,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
DNS_ZONE_SETFLAG(zone,
DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
zone->secure != NULL)
zone_send_securedb(zone, db);
}
result = ISC_R_SUCCESS;
......@@ -12239,6 +12259,7 @@ zone_send_securedb(dns_zone_t *zone, dns_db_t *db) {
((struct secure_db *)e)->db = dummy;
isc_task_send(zone->secure->task, &e);
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
return (ISC_R_SUCCESS);
}
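Review bot: The `isc_result_t` returned by `zone_send_securedb()` is discarded at both new call sites, inside `maybe_send_securedb()` and in the `DNS_ZONEFLG_SENDSECURE` branch of `zone_postload()`, and since the function clears that flag only on its success path, a failed send leaves the secure zone waiting for a db that is not re-sent until the raw zone is next loaded; log it instead, e.g. `result = zone_send_securedb(zone, db); if (result != ISC_R_SUCCESS) dns_zone_log(zone, ISC_LOG_WARNING, "zone_send_securedb: %s", dns_result_totext(result));`. `maybe_send_securedb()` dereferences `zone->raw` unconditionally and is only safe because `zone_postload()` checks `zone->raw != NULL` first; a `REQUIRE(zone->raw != NULL);` at its top would make that contract explicit, together with a header comment along the lines of "Hand the raw zone's db to this (secure) zone now if the raw zone is already loaded; otherwise flag the raw zone so zone_postload() sends it once its load completes." `zone->raw->db` is read there under `LOCK_ZONE(zone->raw)` alone, while the later `zone_postload()` hunk takes `ZONEDB_LOCK(&zone->dblock, ...)` around db updates; if `db` is guarded by `dblock` rather than the zone lock, this read needs the read lock too, which is worth confirming against the rest of zone.c. `zone_postload()` and `zone_send_securedb()` both extend beyond the hunks shown.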