Commit 132a5711 authored by Evan Hunt's avatar Evan Hunt

[master] fix mkeys TTL 0 issue

4337.	[bug]		The previous change exposed a latent flaw in
			key refresh queries for managed-keys when
			a cached DNSKEY had TTL 0. [RT #41986]
parent 27def929
4337. [bug] The previous change exposed a latent flaw in
key refresh queries for managed-keys when
a cached DNSKEY had TTL 0. [RT #41986]
4336. [bug] Don't emit records with zero ttl unless the records
were learnt with a zero ttl. [RT #41687]
......
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=3/10/15
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/10/15
......@@ -1199,6 +1199,12 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
* Remove keys that match 'keyname' and 'dnskey' from the views trust
* anchors.
*
* (NOTE: If the configuration specifies that there should be a
* trust anchor at 'keyname', but no keys are left after this
* operation, that is an error. We fail closed, inserting a NULL
* key so as to prevent validation until a legimitate key has been
* provided.)
*
* Requires:
* \li 'view' is valid.
* \li 'keyname' is valid.
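Review bot: The NOTE paragraph added to the dns_view_untrust() header comment misspells "legitimate" as "legimitate"; the line should read `* key so as to prevent validation until a legitimate key has been`. Since this paragraph now documents a fail-closed guarantee, it would also help to say explicitly that dns_view_untrust() itself inserts the null key (rather than the caller), which is what the matching view.c hunk appears to do. The comment block continues outside the hunk.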
......
......@@ -1937,6 +1937,7 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
result = dns_view_getsecroots(view, &sr);
if (result == ISC_R_SUCCESS) {
dns_keytable_deletekeynode(sr, key);
dns_keytable_marksecure(sr, keyname);
dns_keytable_detach(&sr);
}
dst_key_free(&key);
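Review bot: The return value of the newly added `dns_keytable_marksecure(sr, keyname);` is discarded, so if that call fails (it returns an isc_result_t as far as I know) the fail-closed behaviour promised in the header comment silently does not happen and the name is left with no trust anchor at all, which is exactly the fail-open state the null key is meant to prevent. dns_view_untrust() returns void, so the minimal fix is to capture the result, `result = dns_keytable_marksecure(sr, keyname);`, and log a warning when `result != ISC_R_SUCCESS` so an operator can see that validation for that name is no longer forced to fail. The same applies to the `dns_keytable_deletekeynode(sr, key);` call on the previous line, whose result was already ignored before this change. The enclosing function body begins and ends outside the hunk.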
......
......@@ -9011,13 +9011,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
*/
deletekey = ISC_TRUE;
} else if (keydata.removehd == 0) {
/* Remove from secroots */
/*
* Remove key from secroots.
*/
dns_view_untrust(zone->view, keyname,
&dnskey, mctx);
/* But ensure there's a null key */
fail_secure(zone, keyname);
/* If initializing, delete now */
if (keydata.addhd == 0)
deletekey = ISC_TRUE;
......@@ -9326,7 +9325,8 @@ zone_refreshkeys(dns_zone_t *zone) {
result = dns_resolver_createfetch(zone->view->resolver,
kname, dns_rdatatype_dnskey,
NULL, NULL, NULL,
DNS_FETCHOPT_NOVALIDATE,
DNS_FETCHOPT_NOVALIDATE|
DNS_FETCHOPT_UNSHARED,
zone->task,
keyfetch_done, kfetch,
&kfetch->dnskeyset,
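Review bot: `DNS_FETCHOPT_UNSHARED` is added to the dns_resolver_createfetch() flags without a comment, and the reason is not recoverable from the code itself; the commit message suggests a shared fetch could be answered from a cached DNSKEY with TTL 0. A why-comment above the call, e.g. `/* UNSHARED: a shared fetch could hand back a cached DNSKEY with TTL 0 (RT #41986) */`, would keep the next maintainer from dropping the flag as a harmless simplification — presumably that is the mechanism, so confirm before committing the wording. In the keyfetch_done() hunk above, if the `fail_secure(zone, keyname);` call under "But ensure there's a null key" survives on the new side, it now duplicates the marksecure that dns_view_untrust() performs itself; if it was removed, nothing to do. zone_refreshkeys() begins and ends outside the hunk.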
......