Commit 16cc4a1f authored by Mark Andrews's avatar Mark Andrews

3012. [bug] Remove DNSKEY TTL change pairs before generating

                        signing records for any remaining DNSKEY changes.
                        [RT #22590]
parent 07cc7520
3012. [bug] Remove DNSKEY TTL change pairs before generating
signing records for any remaing DNSKEY changes.
[RT #22590]
3011. [func] Change the default query timeout from 30 seconds
to 10. Allow setting this in named.conf using the new
'resolver-query-timeout' option, which specifies a max
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.186 2010/12/18 01:56:19 each Exp $ */
/* $Id: update.c,v 1.187 2011/02/03 06:03:15 marka Exp $ */
#include <config.h>
......@@ -3371,8 +3371,7 @@ rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
* Extract the changes to be rolled back.
*/
for (tuple = ISC_LIST_HEAD(diff->tuples);
tuple != NULL;
tuple = next) {
tuple != NULL; tuple = next) {
next = ISC_LIST_NEXT(tuple, link);
......@@ -3419,7 +3418,7 @@ static isc_result_t
add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
dns_dbversion_t *ver, dns_diff_t *diff)
{
dns_difftuple_t *tuple, *newtuple = NULL;
dns_difftuple_t *tuple, *newtuple = NULL, *next;
dns_rdata_dnskey_t dnskey;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t flag;
......@@ -3428,13 +3427,81 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
isc_uint16_t keyid;
unsigned char buf[5];
dns_name_t *name = dns_db_origin(db);
dns_diff_t temp_diff;
dns_diff_init(diff->mctx, &temp_diff);
/*
* Extract the DNSKEY tuples from the list.
*/
for (tuple = ISC_LIST_HEAD(diff->tuples);
tuple != NULL;
tuple = ISC_LIST_NEXT(tuple, link)) {
tuple != NULL; tuple = next) {
next = ISC_LIST_NEXT(tuple, link);
if (tuple->rdata.type != dns_rdatatype_dnskey)
continue;
ISC_LIST_UNLINK(diff->tuples, tuple, link);
ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
}
/*
* Extract TTL changes pairs, we don't need signing records for these.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
if (tuple->op == DNS_DIFFOP_ADD) {
/*
* Walk the temp_diff list looking for the
* corresponding delete.
*/
next = ISC_LIST_HEAD(temp_diff.tuples);
while (next != NULL) {
unsigned char *next_data = next->rdata.data;
unsigned char *tuple_data = tuple->rdata.data;
if (next->op == DNS_DIFFOP_DEL &&
dns_name_equal(&tuple->name, &next->name) &&
next->rdata.length == tuple->rdata.length &&
!memcmp(next_data, tuple_data,
next->rdata.length)) {
ISC_LIST_UNLINK(temp_diff.tuples, next,
link);
ISC_LIST_APPEND(diff->tuples, next,
link);
break;
}
next = ISC_LIST_NEXT(next, link);
}
/*
* If we have not found a pair move onto the next
* tuple.
*/
if (next == NULL) {
next = ISC_LIST_NEXT(tuple, link);
continue;
}
/*
* Find the next tuple to be processed before
* unlinking then complete moving the pair to 'diff'.
*/
next = ISC_LIST_NEXT(tuple, link);
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
ISC_LIST_APPEND(diff->tuples, tuple, link);
} else
next = ISC_LIST_NEXT(tuple, link);
}
/*
* Process the remaining DNSKEY entries.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL;
tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
ISC_LIST_APPEND(diff->tuples, tuple, link);
dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
if ((dnskey.flags &
(DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
......@@ -3475,7 +3542,9 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
INSIST(newtuple == NULL);
}
}
failure:
dns_diff_clear(&temp_diff);
return (result);
}
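Review bot: In the pairing loop under `Extract TTL changes pairs`, `next` doubles as the inner scan cursor and the outer loop's successor, so the reader has to work out that the `next = ISC_LIST_NEXT(tuple, link)` after the `if (next == NULL)` block is the one that matters (the matched DEL may itself be `tuple`'s successor, so it must be computed only after that DEL has left the list). A dedicated inner variable and a guard-clause shape state that constraint in one comment instead of three, and the header comment should say why the pair is skipped, e.g. `/* A DEL/ADD pair with identical rdata is a TTL-only change: the key is neither introduced nor retired, so no signing record is needed. */`. The rewrite below is behaviour-preserving; the match deliberately ignores TTL and compares rdata bytes only, which is the intended definition of a TTL-only change. The third loop's body and the `failure:` cleanup run past this hunk, and the unchecked `dns_rdata_tostruct()` result in that loop is pre-existing rather than introduced here.
```c
	/*
	 * A DEL/ADD pair with identical rdata is a TTL-only change:
	 * the key is neither introduced nor retired, so no signing
	 * record is needed.  Move such pairs straight back to 'diff'.
	 */
	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
	     tuple != NULL; tuple = next) {
		dns_difftuple_t *pair;

		next = ISC_LIST_NEXT(tuple, link);
		if (tuple->op != DNS_DIFFOP_ADD)
			continue;
		for (pair = ISC_LIST_HEAD(temp_diff.tuples);
		     pair != NULL; pair = ISC_LIST_NEXT(pair, link)) {
			if (pair->op == DNS_DIFFOP_DEL &&
			    dns_name_equal(&tuple->name, &pair->name) &&
			    pair->rdata.length == tuple->rdata.length &&
			    memcmp(pair->rdata.data, tuple->rdata.data,
				   pair->rdata.length) == 0)
				break;
		}
		if (pair == NULL)
			continue;
		/*
		 * 'pair' may be 'tuple''s successor, so recompute 'next'
		 * only after 'pair' has been unlinked.
		 */
		ISC_LIST_UNLINK(temp_diff.tuples, pair, link);
		ISC_LIST_APPEND(diff->tuples, pair, link);
		next = ISC_LIST_NEXT(tuple, link);
		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
		ISC_LIST_APPEND(diff->tuples, tuple, link);
	}
	/* … unchanged: process the remaining DNSKEY entries … */
```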
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.20 2010/12/07 02:53:33 marka Exp $
# $Id: clean.sh,v 1.21 2011/02/03 06:03:15 marka Exp $
#
# Clean up after zone transfer tests.
......@@ -31,6 +31,7 @@ rm -f */named.memstats
rm -f nsupdate.out
rm -f ns3/example.db.jnl ns3/example.db
rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test.
rm -f ns3/K*
rm -f dig.out.ns3.*
rm -f jp.out.ns3.*
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: dnskey.test.db.in,v 1.2 2011/02/03 06:03:15 marka Exp $
$TTL 10
dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600
dnskey.test. IN NS dnskey.test.
dnskey.test. IN A 10.53.0.3
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.3 2010/12/07 23:47:02 tbox Exp $ */
/* $Id: named.conf,v 1.4 2011/02/03 06:03:15 marka Exp $ */
// NS1
......@@ -54,3 +54,9 @@ zone "nsec3param.test" {
allow-update { any; };
file "nsec3param.test.db.signed";
};
zone "dnskey.test" {
type master;
allow-update { any; };
file "dnskey.test.db.signed";
};
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2010/12/07 02:53:34 marka Exp $
# $Id: sign.sh,v 1.3 2011/02/03 06:03:15 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -31,3 +31,14 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -3 - -H 1 -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
zone=dnskey.test.
infile=dnskey.test.db.in
zonefile=dnskey.test.db
keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.32 2010/12/07 02:53:34 marka Exp $
# $Id: tests.sh,v 1.33 2011/02/03 06:03:15 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -333,6 +333,24 @@ then
echo "I:failed"; status=1
fi
n=`expr $n + 1`
ret=0
echo "I:check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
@10.53.0.3 -p 5300 dnskey | \
sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
(echo server 10.53.0.3 5300; cat - ; echo send ) |
$NSUPDATE
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
@10.53.0.3 -p 5300 any > dig.out.ns3.$n
grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1
grep TYPE65534 dig.out.ns3.$n > dev/null && ret=1
if test $ret -ne 0
then
echo "I:failed"; status=1
fi
echo "I:exit status: $status"
exit $status
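Review bot: The `TYPE65534` check redirects to `dev/null` without the leading slash, so the shell tries to create a file in a `dev` subdirectory of the test directory; when that redirection fails the command is not run and returns non-zero, `&& ret=1` never fires, and the assertion that no signing records remain cannot fail. It should read `grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1`. If such a directory did exist, a stray `dev/null` file would be left behind that the clean.sh change in this commit does not remove.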