Use RRSIG original TTL in validated RRset TTL [RT #23332]

664917be · Francis Dupont · 5ba60596 · 664917be · 664917be · 664917be
Commit 664917be authored Feb 28, 2011 by Francis Dupont
--- a/CHANGES
+++ b/CHANGES
+3046.	[bug]		Use RRSIG original TTL to compute validated RRset
+			and RRSIG TTL. [RT #23332]
+
 3045.	[test]		Move the testsock.pl sleep to autosign test suite.
 			[RT #23400]


--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: clean.sh,v 1.36 2011/02/24 03:04:43 marka Exp $
+# $Id: clean.sh,v 1.37 2011/02/28 14:21:34 fdupont Exp $

 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
 rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
@@ -51,3 +51,5 @@ rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/secure.below-cname.example.db
 rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
+rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
+rm -f ns3/ttlpatch.example.db.patched
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: example.db.in,v 1.28 2011/02/23 11:30:35 marka Exp $
+; $Id: example.db.in,v 1.29 2011/02/28 14:21:35 fdupont Exp $

 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -125,3 +125,6 @@ ns.insecure.below-cname	A	10.53.0.3

 secure.below-cname	NS	ns.secure.below-cname
 ns.secure.below-cname	A	10.53.0.3
+
+ttlpatch		NS	ns.ttlpatch
+ns.ttlpatch		A	10.53.0.3
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.45 2011/02/23 11:30:35 marka Exp $
+# $Id: sign.sh,v 1.46 2011/02/28 14:21:35 fdupont Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -32,7 +32,7 @@ zonefile=example.db

 for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
-    auto-nsec auto-nsec3 secure.below-cname
+    auto-nsec auto-nsec3 secure.below-cname ttlpatch
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done

--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.43 2011/02/23 11:30:35 marka Exp $ */
+/* $Id: named.conf,v 1.44 2011/02/28 14:21:35 fdupont Exp $ */

 // NS3

@@ -202,4 +202,9 @@ zone "secure.below-cname.example" {
 	file "secure.below-cname.example.db.signed";
 };

+zone "ttlpatch.example" {
+	type master;
+	file "ttlpatch.example.db.patched";
+};
+
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.37 2011/02/23 11:30:35 marka Exp $
+# $Id: sign.sh,v 1.38 2011/02/28 14:21:35 fdupont Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -325,3 +325,18 @@ zonefile=secure.below-cname.example.db
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# Patched TTL test zone.
+#
+zone=ttlpatch.example.
+infile=ttlpatch.example.db.in
+zonefile=ttlpatch.example.db
+signedfile=ttlpatch.example.db.signed
+patchedfile=ttlpatch.example.db.patched
+
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
+sed 's/300/3600/' $signedfile > $patchedfile
--- a/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
+++ b/bin/tests/system/dnssec/ns3/ttlpatch.example.db.in
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2000, 2001  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttlpatch.example.db.in,v 1.2 2011/02/28 14:21:35 fdupont Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.78 2011/02/24 03:04:43 marka Exp $
+# $Id: tests.sh,v 1.79 2011/02/28 14:21:35 fdupont Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -977,6 +977,18 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+echo "I:checking validated data are not cached longer than originalttl ($n)"
+ret=0
+$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +ttl +noauth a.ttlpatch.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "3600.IN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "300.IN" dig.out.ns3.test$n > /dev/null && ret=1
+grep "300.IN" dig.out.ns4.test$n > /dev/null || ret=1
+grep "3600.IN" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Test that "rndc secroots" is able to dump trusted keys
 echo "I:checking rndc secroots ($n)"
 ret=0

--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: validator.c,v 1.198 2011/02/21 23:37:31 marka Exp $ */
+/* $Id: validator.c,v 1.199 2011/02/28 14:21:35 fdupont Exp $ */

 #include <config.h>

@@ -2058,7 +2058,8 @@ validate(dns_validator_t *val, isc_boolean_t resume) {

 			isc_stdtime_get(&now);
 			ttl = ISC_MIN(event->rdataset->ttl,
-				      val->siginfo->timeexpire - now);
+				      ISC_MIN(val->siginfo->originalttl,
+					      val->siginfo->timeexpire - now));
 			event->rdataset->ttl = ttl;
 			event->sigrdataset->ttl = ttl;
 		}

--- a/util/copyrights
+++ b/util/copyrights
@@ -784,6 +784,7 @@
 ./bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in	ZONE	2008
 ./bin/tests/system/dnssec/ns3/secure.optout.example.db.in	ZONE	2008
 ./bin/tests/system/dnssec/ns3/sign.sh		SH	2000,2001,2002,2004,2006,2007,2008,2009,2010,2011
+./bin/tests/system/dnssec/ns3/ttlpatch.example.db.in	ZONE	2011
 ./bin/tests/system/dnssec/ns3/update-nsec3.example.db.in	ZONE	2011
 ./bin/tests/system/dnssec/ns4/.cvsignore	X	2000,2001
 ./bin/tests/system/dnssec/ns4/named.conf	CONF-C	2000,2001,2004,2006,2007,2010