Commit 2f09e7c3 authored by Mark Andrews's avatar Mark Andrews

3041. [bug] dnssec-signzone failed to generate new signatures on

                        ttl changes. [RT #23330]
parent 8a8d38eb
3041. [bug] dnssec-signzone failed to generate new signatures on
ttl changes. [RT #23330]
3040. [bug] Named failed to validate insecure zones where a node
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.262 2010/06/03 23:51:04 tbox Exp $ */
/* $Id: dnssec-signzone.c,v 1.263 2011/02/24 03:04:43 marka Exp $ */
/*! \file */
......@@ -486,32 +486,32 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
if (!expired)
keep = ISC_TRUE;
} else if (issigningkey(key)) {
if (!expired && setverifies(name, set, key->key,
&sigrdata)) {
if (!expired && rrsig.originalttl == set->ttl &&
setverifies(name, set, key->key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->index] = ISC_TRUE;
nowsignedby[key->index] = ISC_TRUE;
} else {
vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
sigstr, expired ? "expired" :
rrsig.originalttl != set->ttl ?
"ttl change" : "failed to verify");
wassignedby[key->index] = ISC_TRUE;
resign = ISC_TRUE;
}
} else if (iszonekey(key)) {
if (!expired && setverifies(name, set, key->key,
&sigrdata)) {
if (!expired && rrsig.originalttl == set->ttl &&
setverifies(name, set, key->key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->index] = ISC_TRUE;
nowsignedby[key->index] = ISC_TRUE;
} else {
vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
sigstr, expired ? "expired" :
rrsig.originalttl != set->ttl ?
"ttl change" : "failed to verify");
wassignedby[key->index] = ISC_TRUE;
}
} else if (!expired) {
......@@ -1387,6 +1387,13 @@ verifyset(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *node,
dns_rdataset_current(&sigrdataset, &rdata);
dns_rdata_tostruct(&rdata, &sig, NULL);
if (rdataset->ttl != sig.originalttl) {
dns_name_format(name, namebuf, sizeof(namebuf));
type_format(rdataset->type, typebuf, sizeof(typebuf));
fprintf(stderr, "TTL mismatch for %s %s keytag %u\n",
namebuf, typebuf, sig.keyid);
continue;
}
if ((set_algorithms[sig.algorithm] != 0) ||
(ksk_algorithms[sig.algorithm] == 0))
continue;
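Review bot: The new `rrsig.originalttl == set->ttl` test and the three-way ternary that picks the drop reason are written out twice in the signset() hunk, once under issigningkey() and once under iszonekey(), so the two branches will drift apart on the next change. Computing `isc_boolean_t ttlchanged = ISC_TF(rrsig.originalttl != set->ttl);` once, before the key-type branches, lets both conditions read `!expired && !ttlchanged && setverifies(...)` and both messages use `ttlchanged ? "ttl change" : "failed to verify"`. The ordering also deserves a why-comment, because a signature whose originalttl no longer matches the RRset is now discarded before setverifies() is ever called: `/* a signature made over a different TTL is dropped without verifying it; it may still verify, but the zone needs an RRSIG carrying the current originalttl */`. signset() begins and ends outside the hunk, so I cannot see whether rrsig is already populated for every path that reaches these branches.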
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.35 2011/02/23 11:30:34 marka Exp $
# $Id: clean.sh,v 1.36 2011/02/24 03:04:43 marka Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
......@@ -49,4 +49,5 @@ rm -f ns3/kskonly.example.db
rm -f ns4/named.conf
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm -f ns3/secure.below-cname.example.db
rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.77 2011/02/23 11:30:35 marka Exp $
# $Id: tests.sh,v 1.78 2011/02/24 03:04:43 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -959,6 +959,24 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
ret=0
(
cd signer
RANDFILE=../random.data
zone=example
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
key2=`$KEYGEN -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
cat example.db.in $key1.key $key2.key > example.db
$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
)
grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Test that "rndc secroots" is able to dump trusted keys
echo "I:checking rndc secroots ($n)"
ret=0
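Review bot: Both `$SIGNER` invocations in the new originalttl test send stdout and stderr to /dev/null, so when dnssec-signzone fails (missing keys, unreadable zone file) the only symptom is the final grep failing with no diagnostic; writing the output to a file in signer/ instead, e.g. `$SIGNER -o example -f example.db.after example.db.changed > signer.out.after 2>&1`, keeps the run quiet but leaves evidence, and that file would then need an entry in clean.sh. The pattern `grep "SOA 5 1 50"` also silently couples the assertion to the `-a RSASHA1` choice (algorithm number 5) and to the single-label apex name; a comment such as `# expect RRSIG SOA: algorithm 5 (RSASHA1), 1 label, originalttl 50` above the grep would make that explicit. The subshell's exit status is discarded as well, which matches the surrounding tests but means a failed `cd signer` is only noticed indirectly.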
......