Commit 39f2d1a9 authored by Evan Hunt

3102. [func] New 'dnssec-loadkeys-interval' option configures

			how often, in minutes, to check the key repository
			for updates when using automatic key maintenance.
			Default is every 60 minutes (formerly hard-coded
			to 12 hours). [RT #23744]

3101.	[bug]		Zones using automatic key maintenance could fail
			to check the key repository for updates. [RT #23744]
parent a1813ce2
3102. [func] New 'dnssec-loadkeys-interval' option configures
how often, in minutes, to check the key repository
for updates when using automatic key maintenance.
Default is every 60 minutes (formerly hard-coded
to 12 hours). [RT #23744]
3101. [bug] Zones using automatic key maintenance could fail
to check the key repository for updates. [RT #23744]
3100. [security] Certain response policy zone configurations could
trigger an INSIST when receiving a query of type
RRSIG. [RT #24280]
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.116 2011/02/23 03:08:08 marka Exp $ */
/* $Id: config.c,v 1.117 2011/04/29 21:37:14 each Exp $ */
/*! \file */
......@@ -210,6 +210,7 @@ options {\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
dnssec-dnskey-kskonly no;\n\
dnssec-loadkeys-interval 60;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.174 2011/03/11 06:11:21 marka Exp $ */
/* $Id: zoneconf.c,v 1.175 2011/04/29 21:37:14 each Exp $ */
/*% */
......@@ -1229,6 +1229,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
obj = NULL;
result = ns_config_get(maps, "dnssec-loadkeys-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
RETERR(dns_zone_setrefreshkeyinterval(zone,
cfg_obj_asuint32(obj)));
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_update_forwarding, ac, zone,
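Review bot: The new `dnssec-loadkeys-interval` lookup after `obj = NULL;` hands the value straight to dns_zone_setrefreshkeyinterval, which (per the zone.c hunk in this commit) returns ISC_R_RANGE for 0, so `dnssec-loadkeys-interval 0;` makes RETERR abort configuration of the whole zone with an unexplained range error. The clause is registered in the check.c hunk as a plain table entry and in namedconf.c as `cfg_type_uint32` with no range check, so named-checkconf accepts the value that named then rejects. Either validate the range in check_zoneconf next to the new table entry, or at least log a clear message here before RETERR, e.g. `if (cfg_obj_asuint32(obj) == 0) cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "dnssec-loadkeys-interval must be at least 1");`. ns_zone_configure starts and ends outside this hunk.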
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.5 2010/01/18 23:48:40 tbox Exp $ */
/* $Id: named.conf,v 1.6 2011/04/29 21:37:14 each Exp $ */
// NS2
......@@ -32,6 +32,7 @@ options {
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-loadkeys-interval 30;
};
key rndc_key {
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.10 2011/03/25 23:53:02 each Exp $ */
/* $Id: named.conf,v 1.11 2011/04/29 21:37:14 each Exp $ */
// NS3
......@@ -32,6 +32,7 @@ options {
notify yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-loadkeys-interval 10;
};
key rndc_key {
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.20 2011/03/25 23:53:02 each Exp $
# $Id: tests.sh,v 1.21 2011/04/29 21:37:14 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -879,6 +879,43 @@ grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
n=`expr $n + 1`
if [ $lret != 0 ]; then echo "I:not yet implemented"; fi
echo "I:checking key event timers are always set ($n)"
# this is a regression test for a bug in which the next key event could
# be scheduled for the present moment, and then never fire. check for
# visible evidence of this error in the logs:
awk '/next key event/ {if ($1 == $8 && $2 == $9) exit 1}' */named.run || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# this confirms that key events are never scheduled more than
# 'dnssec-loadkeys-interval' minutes in the future, and that the
# last event scheduled is precisely that far in the future.
check_interval () {
awk '/next key event/ {print $2 ":" $9}' $1/named.run |
awk -F: -vinterval=$2 '
{
if ($6 == 0)
$6 = 25;
x = ($6+ $5*60 + $4*3600) - ($3 + $2*60 + $1*3600);
if (x != int(x))
x = int(x + 1);
if (x > interval)
exit (1);
}
END { if (x != interval) exit(1) }'
return $?
}
echo "I:checking automatic key reloading interval ($n)"
ret=0
check_interval ns1 3600 || ret=1
check_interval ns2 1800 || ret=1
check_interval ns3 600 || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
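Review bot: The new "checking key event timers are always set" block does not reset `ret=0` before `awk ... || ret=1`, unlike the "automatic key reloading interval" block that follows, so a `ret=1` left over from an earlier test (the preceding lines are outside the hunk) would be counted into `status` a second time; add `ret=0` after the echo line. In check_interval the delta `x` is built only from the HH:MM:SS fields of the log timestamp and the scheduled event, so an event scheduled across midnight yields a negative `x` that passes the `x > interval` test and, if it is the last line, fails the END comparison for a reason unrelated to the feature; `if (x < 0) x += 86400;` before the `int()` rounding would cover that case. The `if ($6 == 0) $6 = 25;` substitution is unexplained and its purpose is not recoverable from the code; a one-line comment stating why a zero seconds field is replaced by 25 would save the next reader guessing.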
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.484 2011/04/06 04:20:58 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.485 2011/04/29 21:37:14 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -5060,6 +5060,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
......@@ -6884,6 +6885,26 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnssec-loadkeys-interval</command></term>
<listitem>
<para>
When a zone is configured with <command>auto-dnssec
maintain;</command> its key repository must be checked
periodically to see if any new keys have been added
or any existing keys' timing metadata has been updated
(see <xref linkend="man.dnssec-keygen"/> and
<xref linkend="man.dnssec-settime"/>). The
<command>dnssec-loadkeys-interval</command> option
sets the frequency of autoatic repository checks, in
minutes. The default is <literal>60</literal> (1 hour),
the minimum is <literal>1</literal> (1 minute), and the
maximum is <literal>1440</literal> (24 hours); any higher
value is silently reduced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>try-tcp-refresh</command></term>
<listitem>
......@@ -10024,6 +10045,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
......@@ -11119,7 +11141,12 @@ example.com. NS ns2.example.net.
<command>named</command> to load keys from the key
repository and schedule key maintenance events to occur
in the future, but it does not sign the full zone
immediately.
immediately. Note: once keys have been loaded for a
zone the first time, the repository will be searched
for changes periodically, regardless of whether
<command>rndc loadkeys</command> is used. The recheck
interval is defined by
<command>dnssec-loadkeys-interval</command>.)
</para>
<para>
<command>auto-dnssec create;</command> includes the
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.128 2011/03/11 17:19:05 each Exp $ */
/* $Id: check.c,v 1.129 2011/04/29 21:37:15 each Exp $ */
/*! \file */
......@@ -1307,6 +1307,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
REDIRECTZONE },
{ "update-check-ksk", MASTERZONE },
{ "dnssec-dnskey-kskonly", MASTERZONE },
{ "dnssec-loadkeys-interval", MASTERZONE },
{ "auto-dnssec", MASTERZONE },
{ "try-tcp-refresh", SLAVEZONE | STREDIRECTZONE },
{ "server-addresses", STATICSTUBZONE },
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.186 2011/03/21 18:38:40 each Exp $ */
/* $Id: zone.h,v 1.187 2011/04/29 21:37:15 each Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
......@@ -1871,6 +1871,18 @@ dns_zone_isdynamic(dns_zone_t *zone, isc_boolean_t ignore_freeze);
* \li 'zone' to be valid.
*/
isc_result_t
dns_zone_setrefreshkeyinterval(dns_zone_t *zone, isc_uint32_t interval);
/*%
* Sets the frequency, in minutes, with which the key repository will be
* checked to see if the keys for this zone have been updated. Any value
* higher than 1440 minutes (24 hours) will be silently reduced. A
* value of zero will return an out-of-range error.
*
* Requires:
* \li 'zone' to be valid.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_ZONE_H */
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.601 2011/03/25 23:53:02 each Exp $ */
/* $Id: zone.c,v 1.602 2011/04/29 21:37:15 each Exp $ */
/*! \file */
......@@ -207,6 +207,7 @@ struct dns_zone {
isc_time_t signingtime;
isc_time_t nsec3chaintime;
isc_time_t refreshkeytime;
isc_uint32_t refreshkeyinterval;
isc_uint32_t refreshkeycount;
isc_uint32_t refresh;
isc_uint32_t retry;
......@@ -770,6 +771,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
isc_time_settoepoch(&zone->signingtime);
isc_time_settoepoch(&zone->nsec3chaintime);
isc_time_settoepoch(&zone->refreshkeytime);
zone->refreshkeyinterval = 0;
zone->refreshkeycount = 0;
zone->refresh = DNS_ZONE_DEFAULTREFRESH;
zone->retry = DNS_ZONE_DEFAULTRETRY;
......@@ -14172,48 +14174,52 @@ zone_rekey(dns_zone_t *zone) {
UNLOCK_ZONE(zone);
}
/*
* If we are doing automatic key maintenance and the key metadata
* indicates there is a key change event scheduled in the future,
* set the key refresh timer.
*/
isc_stdtime_get(&now);
TIME_NOW(&timenow);
isc_time_settoepoch(&zone->refreshkeytime);
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
isc_stdtime_t then;
/*
* If we're doing key maintenance, set the key refresh timer to
* the next scheduled key event or to 'dnssec-loadkeys-interval'
* seconds in the future, whichever is sooner.
*/
if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) {
isc_time_t timethen;
isc_stdtime_t then;
/*
* If we are doing automatic key maintenance and the
* key metadata indicates there is a key change event
* scheduled in the future, set the key refresh timer.
*/
if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
break;
LOCK_ZONE(zone);
DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
&timethen);
zone->refreshkeytime = timethen;
UNLOCK_ZONE(zone);
then = now;
result = next_keyevent(key->key, &then);
if (result != ISC_R_SUCCESS)
continue;
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
then = now;
result = next_keyevent(key->key, &then);
if (result != ISC_R_SUCCESS)
continue;
DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
LOCK_ZONE(zone);
if (isc_time_isepoch(&zone->refreshkeytime) ||
isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
zone->refreshkeytime = timethen;
zone_settimer(zone, &timenow);
DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
LOCK_ZONE(zone);
if (isc_time_compare(&timethen,
&zone->refreshkeytime) < 0) {
zone->refreshkeytime = timethen;
}
UNLOCK_ZONE(zone);
}
UNLOCK_ZONE(zone);
}
/*
* If no key event is scheduled, we should still check the key
* repository for updates every so often. (Currently this is
* hard-coded to 12 hours, but it could be configurable.)
*/
if (isc_time_isepoch(&zone->refreshkeytime))
DNS_ZONE_TIME_ADD(&timenow, (3600 * 12), &zone->refreshkeytime);
zone_settimer(zone, &timenow);
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
}
failure:
dns_diff_clear(&diff);
......@@ -14306,3 +14312,16 @@ dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db)
UNLOCK_ZONE(zone);
return result;
}
isc_result_t
dns_zone_setrefreshkeyinterval(dns_zone_t *zone, isc_uint32_t interval) {
REQUIRE(DNS_ZONE_VALID(zone));
if (interval == 0)
return (ISC_R_RANGE);
/* Maximum value: 24 hours (3600 minutes) */
if (interval > (24 * 60))
interval = (24 * 60);
/* Multiply by 60 for seconds */
zone->refreshkeyinterval = interval * 60;
return (ISC_R_SUCCESS);
}
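Review bot: The comment `/* Maximum value: 24 hours (3600 minutes) */` in dns_zone_setrefreshkeyinterval is wrong: 24 hours is 1440 minutes, which is what `(24 * 60)` computes and what the zone.h and ARM hunks document; change it to `/* Maximum value: 24 hours (1440 minutes) */`. In the zone_rekey hunk the new block comment says the timer is set to 'dnssec-loadkeys-interval' seconds in the future, but the option is in minutes and `refreshkeyinterval` already holds the value multiplied by 60, so `* the next scheduled key event or to 'dnssec-loadkeys-interval' (stored in seconds in zone->refreshkeyinterval) in the future, whichever is sooner.` is the accurate wording. Separately, dns_zone_create initialises `refreshkeyinterval` to 0 and zone_rekey now adds it to `timenow` unconditionally whenever DNS_ZONEKEY_MAINTAIN is set, so a maintained zone whose interval was never set through ns_zone_configure (if such a path exists) would schedule its refresh for the present moment, the exact condition the new tests.sh regression check looks for; a non-zero default in dns_zone_create matching the 60-minute config default would close that gap. zone_rekey starts outside the hunk.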
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.134 2011/03/11 06:11:27 marka Exp $ */
/* $Id: namedconf.c,v 1.135 2011/04/29 21:37:15 each Exp $ */
/*! \file */
......@@ -1341,6 +1341,7 @@ zone_clauses[] = {
{ "check-wildcard", &cfg_type_boolean, 0 },
{ "dialup", &cfg_type_dialuptype, 0 },
{ "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
{ "dnssec-loadkeys-interval", &cfg_type_uint32, 0 },
{ "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
{ "forward", &cfg_type_forwardtype, 0 },
{ "forwarders", &cfg_type_portiplist, 0 },