Commit 16cc4a1f authored by Mark Andrews

3012. [bug] Remove DNSKEY TTL change pairs before generating

                        signing records for any remaining DNSKEY changes.
                        [RT #22590]
parent 07cc7520
3012. [bug] Remove DNSKEY TTL change pairs before generating
signing records for any remaing DNSKEY changes.
[RT #22590]
3011. [func] Change the default query timeout from 30 seconds 3011. [func] Change the default query timeout from 30 seconds
to 10. Allow setting this in named.conf using the new to 10. Allow setting this in named.conf using the new
'resolver-query-timeout' option, which specifies a max 'resolver-query-timeout' option, which specifies a max
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: update.c,v 1.186 2010/12/18 01:56:19 each Exp $ */ /* $Id: update.c,v 1.187 2011/02/03 06:03:15 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -3371,8 +3371,7 @@ rollback_private(dns_db_t *db, dns_rdatatype_t privatetype, ...@@ -3371,8 +3371,7 @@ rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
* Extract the changes to be rolled back. * Extract the changes to be rolled back.
*/ */
for (tuple = ISC_LIST_HEAD(diff->tuples); for (tuple = ISC_LIST_HEAD(diff->tuples);
tuple != NULL; tuple != NULL; tuple = next) {
tuple = next) {
next = ISC_LIST_NEXT(tuple, link); next = ISC_LIST_NEXT(tuple, link);
...@@ -3419,7 +3418,7 @@ static isc_result_t ...@@ -3419,7 +3418,7 @@ static isc_result_t
add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
dns_dbversion_t *ver, dns_diff_t *diff) dns_dbversion_t *ver, dns_diff_t *diff)
{ {
dns_difftuple_t *tuple, *newtuple = NULL; dns_difftuple_t *tuple, *newtuple = NULL, *next;
dns_rdata_dnskey_t dnskey; dns_rdata_dnskey_t dnskey;
dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t flag; isc_boolean_t flag;
...@@ -3428,13 +3427,81 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, ...@@ -3428,13 +3427,81 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
isc_uint16_t keyid; isc_uint16_t keyid;
unsigned char buf[5]; unsigned char buf[5];
dns_name_t *name = dns_db_origin(db); dns_name_t *name = dns_db_origin(db);
dns_diff_t temp_diff;
dns_diff_init(diff->mctx, &temp_diff);
/*
* Extract the DNSKEY tuples from the list.
*/
for (tuple = ISC_LIST_HEAD(diff->tuples); for (tuple = ISC_LIST_HEAD(diff->tuples);
tuple != NULL; tuple != NULL; tuple = next) {
tuple = ISC_LIST_NEXT(tuple, link)) {
next = ISC_LIST_NEXT(tuple, link);
if (tuple->rdata.type != dns_rdatatype_dnskey) if (tuple->rdata.type != dns_rdatatype_dnskey)
continue; continue;
ISC_LIST_UNLINK(diff->tuples, tuple, link);
ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
}
/*
* Extract TTL changes pairs, we don't need signing records for these.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
if (tuple->op == DNS_DIFFOP_ADD) {
/*
* Walk the temp_diff list looking for the
* corresponding delete.
*/
next = ISC_LIST_HEAD(temp_diff.tuples);
while (next != NULL) {
unsigned char *next_data = next->rdata.data;
unsigned char *tuple_data = tuple->rdata.data;
if (next->op == DNS_DIFFOP_DEL &&
dns_name_equal(&tuple->name, &next->name) &&
next->rdata.length == tuple->rdata.length &&
!memcmp(next_data, tuple_data,
next->rdata.length)) {
ISC_LIST_UNLINK(temp_diff.tuples, next,
link);
ISC_LIST_APPEND(diff->tuples, next,
link);
break;
}
next = ISC_LIST_NEXT(next, link);
}
/*
* If we have not found a pair move onto the next
* tuple.
*/
if (next == NULL) {
next = ISC_LIST_NEXT(tuple, link);
continue;
}
/*
* Find the next tuple to be processed before
* unlinking then complete moving the pair to 'diff'.
*/
next = ISC_LIST_NEXT(tuple, link);
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
ISC_LIST_APPEND(diff->tuples, tuple, link);
} else
next = ISC_LIST_NEXT(tuple, link);
}
/*
* Process the remaining DNSKEY entries.
*/
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL;
tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
ISC_LIST_APPEND(diff->tuples, tuple, link);
dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
if ((dnskey.flags & if ((dnskey.flags &
(DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
...@@ -3475,7 +3542,9 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, ...@@ -3475,7 +3542,9 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
INSIST(newtuple == NULL); INSIST(newtuple == NULL);
} }
} }
failure: failure:
dns_diff_clear(&temp_diff);
return (result); return (result);
} }
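Review bot: In the TTL-pair extraction loop `next` does double duty as the outer-loop cursor and as the inner search cursor, which is why the loop needs the `if (next == NULL) { next = ISC_LIST_NEXT(tuple, link); continue; }` repair and a second `next = ISC_LIST_NEXT(tuple, link);` before the unlink; moving the search into a small static helper that returns the matching DEL tuple (or NULL) lets this loop compute `next` once at the top like the other two loops, with `next` recomputed only after the DEL is unlinked, since the DEL may itself be `next`. The match deliberately compares only owner name, rdata length and rdata bytes (type is already DNSKEY after the first loop, and ignoring the TTL is the whole point of the fix), but nothing says so; a one-line comment such as `/* TTL intentionally not compared: identical rdata means the key is unchanged. */` would stop a later reader from "completing" the comparison. On the `failure:` path `dns_diff_clear(&temp_diff)` frees any DNSKEY tuples still in temp_diff instead of returning them to `diff`, which is only safe if every caller discards `diff` on error — presumably true here, but worth stating at the label. add_signing_records() continues past the hunk (the body between the third loop and `failure:` is not shown).
```c
/*
 * Return the DNS_DIFFOP_DEL tuple in 'd' whose owner name and rdata match
 * 'add', or NULL if there is none.  The TTL is deliberately not compared:
 * identical rdata means the key itself is unchanged.
 */
static dns_difftuple_t *
find_matching_del(dns_diff_t *d, dns_difftuple_t *add) {
	dns_difftuple_t *t;

	for (t = ISC_LIST_HEAD(d->tuples); t != NULL;
	     t = ISC_LIST_NEXT(t, link))
	{
		if (t->op == DNS_DIFFOP_DEL &&
		    dns_name_equal(&add->name, &t->name) &&
		    t->rdata.length == add->rdata.length &&
		    memcmp(t->rdata.data, add->rdata.data,
			   t->rdata.length) == 0)
			return (t);
	}
	return (NULL);
}

/* … unchanged: add_signing_records() declarations and DNSKEY extraction loop … */

	/*
	 * Extract TTL change pairs, we don't need signing records for these.
	 */
	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
	     tuple != NULL; tuple = next) {
		dns_difftuple_t *del;

		next = ISC_LIST_NEXT(tuple, link);
		if (tuple->op != DNS_DIFFOP_ADD)
			continue;
		del = find_matching_del(&temp_diff, tuple);
		if (del == NULL)
			continue;
		ISC_LIST_UNLINK(temp_diff.tuples, del, link);
		ISC_LIST_APPEND(diff->tuples, del, link);
		/* 'del' may have been 'next'; recompute after unlinking. */
		next = ISC_LIST_NEXT(tuple, link);
		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
		ISC_LIST_APPEND(diff->tuples, tuple, link);
	}
```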
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.20 2010/12/07 02:53:33 marka Exp $ # $Id: clean.sh,v 1.21 2011/02/03 06:03:15 marka Exp $
# #
# Clean up after zone transfer tests. # Clean up after zone transfer tests.
...@@ -31,6 +31,7 @@ rm -f */named.memstats ...@@ -31,6 +31,7 @@ rm -f */named.memstats
rm -f nsupdate.out rm -f nsupdate.out
rm -f ns3/example.db.jnl ns3/example.db rm -f ns3/example.db.jnl ns3/example.db
rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test. rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test.
rm -f ns3/K* rm -f ns3/K*
rm -f dig.out.ns3.* rm -f dig.out.ns3.*
rm -f jp.out.ns3.* rm -f jp.out.ns3.*
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: dnskey.test.db.in,v 1.2 2011/02/03 06:03:15 marka Exp $
$TTL 10
dnskey.test. IN SOA dnskey.test. hostmaster.dnskey.test. 1 3600 900 2419200 3600
dnskey.test. IN NS dnskey.test.
dnskey.test. IN A 10.53.0.3
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.3 2010/12/07 23:47:02 tbox Exp $ */ /* $Id: named.conf,v 1.4 2011/02/03 06:03:15 marka Exp $ */
// NS1 // NS1
...@@ -54,3 +54,9 @@ zone "nsec3param.test" { ...@@ -54,3 +54,9 @@ zone "nsec3param.test" {
allow-update { any; }; allow-update { any; };
file "nsec3param.test.db.signed"; file "nsec3param.test.db.signed";
}; };
zone "dnskey.test" {
type master;
allow-update { any; };
file "dnskey.test.db.signed";
};
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2010/12/07 02:53:34 marka Exp $ # $Id: sign.sh,v 1.3 2011/02/03 06:03:15 marka Exp $
SYSTEMTESTTOP=../.. SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
...@@ -31,3 +31,14 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone` ...@@ -31,3 +31,14 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -3 - -H 1 -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null $SIGNER -P -3 - -H 1 -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
zone=dnskey.test.
infile=dnskey.test.db.in
zonefile=dnskey.test.db
keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.32 2010/12/07 02:53:34 marka Exp $ # $Id: tests.sh,v 1.33 2011/02/03 06:03:15 marka Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
...@@ -333,6 +333,24 @@ then ...@@ -333,6 +333,24 @@ then
echo "I:failed"; status=1 echo "I:failed"; status=1
fi fi
n=`expr $n + 1`
ret=0
echo "I:check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
@10.53.0.3 -p 5300 dnskey | \
sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
(echo server 10.53.0.3 5300; cat - ; echo send ) |
$NSUPDATE
$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
@10.53.0.3 -p 5300 any > dig.out.ns3.$n
grep "600.*DNSKEY" dig.out.ns3.$n > /dev/null || ret=1
grep TYPE65534 dig.out.ns3.$n > dev/null && ret=1
if test $ret -ne 0
then
echo "I:failed"; status=1
fi
echo "I:exit status: $status" echo "I:exit status: $status"
exit $status exit $status
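Review bot: The negative check `grep TYPE65534 dig.out.ns3.$n > dev/null && ret=1` redirects to the relative path `dev/null`, not `/dev/null`; when no `dev` directory exists the shell fails the redirection, never runs grep, and the command's status is non-zero, so `ret=1` is never set and the assertion that no signing (TYPE65534) record was generated can never fail, which defeats the purpose of this test. It should read `grep TYPE65534 dig.out.ns3.$n > /dev/null && ret=1`. The positive check two lines above uses `/dev/null` correctly, so this looks like a typo rather than intent.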