ISC Open Source Projects
BIND
7ace3277
Commit
7ace3277
authored
Aug 15, 2013
by
Mark Andrews
3632. [bug] Signatures from newly inactive keys were not being
removed. [RT #32178]
parent
5f630b94
CHANGES
3632. [bug] Signature from newly inactive keys were not being
removed. [RT #32178]
3631. [bug] Remove spurious warning about missing signatures when
qtype is SIG. [RT #34600]
...
...
bin/dnssec/dnssectool.c
...
...
@@ -319,11 +319,35 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
isc_result_t
result
;
const
char
*
orig
=
str
;
char
*
endp
;
int
n
;
if
((
str
[
0
]
==
'0'
||
str
[
0
]
==
'-'
)
&&
str
[
1
]
==
'\0'
)
return
((
isc_stdtime_t
)
0
);
if
(
strncmp
(
str
,
"now"
,
3
)
==
0
)
{
/*
* We accept times in the following formats:
* now([+-]offset)
* YYYYMMDD([+-]offset)
* YYYYMMDDhhmmss([+-]offset)
* [+-]offset
*/
n
=
strspn
(
str
,
"0123456789"
);
if
((
n
==
8
||
n
==
14
)
&&
(
str
[
n
]
==
'\0'
||
str
[
n
]
==
'-'
||
str
[
n
]
==
'+'
))
{
char
timestr
[
15
];
strlcpy
(
timestr
,
str
,
sizeof
(
timestr
));
timestr
[
n
]
=
0
;
if
(
n
==
8
)
strlcat
(
timestr
,
"000000"
,
sizeof
(
timestr
));
result
=
dns_time64_fromtext
(
timestr
,
&
val
);
if
(
result
!=
ISC_R_SUCCESS
)
fatal
(
"time value %s is invalid: %s"
,
orig
,
isc_result_totext
(
result
));
base
=
val
;
str
+=
n
;
}
else
if
(
strncmp
(
str
,
"now"
,
3
)
==
0
)
{
base
=
now
;
str
+=
3
;
}
...
...
@@ -338,18 +362,7 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
offset
=
strtol
(
str
+
1
,
&
endp
,
0
);
offset
=
time_units
((
isc_stdtime_t
)
offset
,
endp
,
orig
);
val
=
base
-
offset
;
}
else
if
(
strlen
(
str
)
==
8U
)
{
char
timestr
[
15
];
sprintf
(
timestr
,
"%s000000"
,
str
);
result
=
dns_time64_fromtext
(
timestr
,
&
val
);
if
(
result
!=
ISC_R_SUCCESS
)
fatal
(
"time value %s is invalid: %s"
,
orig
,
isc_result_totext
(
result
));
}
else
if
(
strlen
(
str
)
>
14U
)
{
fatal
(
"time value %s is invalid"
,
orig
);
}
else
{
result
=
dns_time64_fromtext
(
str
,
&
val
);
if
(
result
!=
ISC_R_SUCCESS
)
fatal
(
"time value %s is invalid: %s"
,
orig
,
isc_result_totext
(
result
));
}
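Review bot: In the new YYYYMMDD/YYYYMMDDhhmmss branch, `n` is declared `int` but receives the `size_t` result of `strspn()`, and the terminator is written as `timestr[n] = 0` while the check a few lines above spells it `str[1] == '\0'`; declare `size_t n` and write `timestr[n] = '\0'` so the function is consistent with itself and clean under -Wconversion. The buffer handling itself looks sound: `timestr[15]` holds 14 digits plus NUL, `strlcpy` is bounded by `sizeof(timestr)`, and the `strlcat` of `"000000"` only runs when `n == 8`. The second hunk appears to drop the old 8-digit `sprintf` path together with the `strlen(str) > 14U` rejection, and the replacement `else` branch is not in view, so confirm that a run of 15 or more digits, or an 8/14-digit string followed by anything other than `+`, `-` or NUL, still reaches `fatal()` instead of falling through to the offset parser. `strtotime()` begins before the first hunk and its tail lies beyond the second.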
...
...
bin/tests/system/dnssec/clean.sh
...
...
@@ -56,6 +56,7 @@ rm -f ns4/named.conf
rm
-f
ns4/managed-keys.bind
*
rm
-f
ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm
-f
ns3/secure.below-cname.example.db
rm
-f
ns3/publish-inactive.example.db
rm
-f
signer/example.db.after signer/example.db.before
rm
-f
signer/example.db.changed
rm
-f
signer/nsec3param.out
...
...
bin/tests/system/dnssec/ns3/named.conf
...
...
@@ -33,6 +33,7 @@ options {
notify
yes
;
dnssec
-
enable
yes
;
dnssec
-
validation
yes
;
session
-
keyfile
"session.key"
;
};
key
rndc_key
{
...
...
@@ -262,4 +263,11 @@ zone "inline.example" {
auto
-
dnssec
maintain
;
};
zone
"publish-inactive.example"
{
type
master
;
file
"publish-inactive.example.db"
;
auto
-
dnssec
maintain
;
update
-
policy
local
;
};
include
"trusted.conf"
;
bin/tests/system/dnssec/ns3/publish-inactive.example.db.in
0 → 100644
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: insecure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
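Review bot: The header of this new zone file carries `$Id: insecure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $` and a 2012 copyright year, both inherited from whichever file it was copied from; either drop the `$Id` keyword line or make it name `publish-inactive.example.db.in`, and set the copyright year to that of this commit. The records themselves fit the test: the single `NS ns` glue points at `10.53.0.3`, the address the new tests.sh check queries for this zone.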
bin/tests/system/dnssec/ns3/sign.sh
...
...
@@ -437,3 +437,17 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>&- | \
zone
=
inline.example.
kskname
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
-fk
$zone
`
zskname
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
$zone
`
#
# publish a new key while deactivating another key at the same time.
#
zone
=
publish-inactive.example
infile
=
publish-inactive.example.db.in
zonefile
=
publish-inactive.example.db
now
=
`
date
-u
+%Y%m%d%H%M%S
`
kskname
=
`
$KEYGEN
-q
-r
$RANDFILE
-f
KSK
$zone
`
kskname
=
`
$KEYGEN
-P
$now
+90s
-A
$now
+3600s
-q
-r
$RANDFILE
-f
KSK
$zone
`
kskname
=
`
$KEYGEN
-I
$now
+90s
-q
-r
$RANDFILE
-f
KSK
$zone
`
zskname
=
`
$KEYGEN
-q
-r
$RANDFILE
$zone
`
cp
$infile
$zonefile
$SIGNER
-S
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
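Review bot: `kskname` is assigned three times in a row by the `$KEYGEN` calls for publish-inactive.example, so the first two values are overwritten before anything reads them, and neither `kskname` nor `zskname` is used afterwards since `$SIGNER -S` finds the keys on disk; either give them distinct names with a comment saying which is the active, the pending (`-P $now+90s -A $now+3600s`) and the retiring (`-I $now+90s`) key, or drop the assignments and run the commands bare. It is worth a comment that these timestamps use the `YYYYMMDDhhmmss+offset` form that the dnssectool.c hunk in this commit introduces, and that publish and inactivate are deliberately scheduled for the same instant. The `$SIGNER` line discards both stdout and stderr and its exit status is not checked, so a signing failure would surface only later as an opaque test failure; consider testing its status and printing an `I:` diagnostic.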
bin/tests/system/dnssec/tests.sh
...
...
@@ -2295,5 +2295,25 @@ n=`expr $n + 1`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:check simultaneous inactivation and publishing of dnskeys removes inactive signature (
$n
)"
ret
=
0
cnt
=
0
while
:
do
$DIG
$DIGOPTS
publish-inactive.example @10.53.0.3 dnskey
>
dig.out.ns3.test
$n
keys
=
`
awk
'$5 == 257 { print; }'
dig.out.ns3.test
$n
|
wc
-l
`
test
$keys
-gt
2
&&
break
cnt
=
`
expr
$cnt
+ 1
`
test
$cnt
-gt
120
&&
break
sleep
1
done
test
$keys
-gt
2
||
ret
=
1
sigs
=
`
grep
RRSIG dig.out.ns3.test
$n
|
wc
-l
`
sigs
=
`
expr
$sigs
+ 0
`
n
=
`
expr
$n
+ 1
`
test
$sigs
-eq
2
||
ret
=
1
if
test
$ret
!=
0
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:exit status:
$status
"
exit
$status
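Review bot: `keys` is fed to `test $keys -gt 2` inside and after the loop but, unlike `sigs`, is never normalised with `expr`; if `$DIG` fails or the awk pipeline emits nothing, `keys` is empty and `test` reports a syntax error instead of setting `ret=1`, so add `keys=\`expr $keys + 0\`` right after the pipeline. The loop waits up to 120 seconds for a third KSK (flags 257) to appear and then counts RRSIGs in that same response, expecting exactly 2; if the re-sign that removes the inactive key's signature can land in a later pass than the DNSKEY publication (not visible here), this check is racy and should poll for the signature count as well. A short comment stating which two signatures are expected to remain would make the literal `2` meaningful to the next reader.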
lib/dns/dnssec.c
...
...
@@ -764,6 +764,7 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
* If a key is marked inactive, skip it
*/
if
(
!
key_active
(
keys
[
count
],
now
))
{
dst_key_setinactive
(
pubkey
,
ISC_TRUE
);
dst_key_free
(
&
keys
[
count
]);
keys
[
count
]
=
pubkey
;
pubkey
=
NULL
;
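Review bot: The comment `If a key is marked inactive, skip it` above the new call is now misleading: the block no longer skips the key, it calls `dst_key_setinactive(pubkey, ISC_TRUE)`, frees the private key and keeps the public half in `keys[count]`. Reword it to something like `If a key is marked inactive, keep only its public half, flagged inactive, so the signing code can tell a deliberately retired key from one whose private file is merely missing` — the distinction is what the new dst_key_inactive() checks in update.c and zone.c rely on. The enclosing loop in dns_dnssec_findzonekeys2() continues outside the hunk.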
...
...
lib/dns/dst_api.c
...
...
@@ -1354,10 +1354,27 @@ get_key_struct(dns_name_t *name, unsigned int alg,
key
->
times
[
i
]
=
0
;
key
->
timeset
[
i
]
=
ISC_FALSE
;
}
key
->
inactive
=
ISC_FALSE
;
key
->
magic
=
KEY_MAGIC
;
return
(
key
);
}
isc_boolean_t
dst_key_inactive
(
const
dst_key_t
*
key
)
{
REQUIRE
(
VALID_KEY
(
key
));
return
(
key
->
inactive
);
}
void
dst_key_setinactive
(
dst_key_t
*
key
,
isc_boolean_t
inactive
)
{
REQUIRE
(
VALID_KEY
(
key
));
key
->
inactive
=
inactive
;
}
/*%
* Reads a public key from disk
*/
...
...
lib/dns/dst_internal.h
...
...
@@ -126,6 +126,8 @@ struct dst_key {
isc_boolean_t
timeset
[
DST_MAX_TIMES
+
1
];
/*%< data set? */
isc_stdtime_t
nums
[
DST_MAX_NUMERIC
+
1
];
/*%< numeric metadata */
isc_boolean_t
numset
[
DST_MAX_NUMERIC
+
1
];
/*%< data set? */
isc_boolean_t
inactive
;
/*%< private key not present as it is
inactive */
int
fmt_major
;
/*%< private key format, major version */
int
fmt_minor
;
/*%< private key format, minor version */
...
...
lib/dns/include/dst/dst.h
...
...
@@ -935,6 +935,23 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned
int
protocol
,
dns_rdataclass_t
rdclass
,
isc_mem_t
*
mctx
,
const
char
*
keystr
,
dst_key_t
**
keyp
);
isc_boolean_t
dst_key_inactive
(
const
dst_key_t
*
key
);
/*%<
* Determines if the private key is missing due the key being deemed inactive.
*
* Requires:
* 'key' to be valid.
*/
void
dst_key_setinactive
(
dst_key_t
*
key
,
isc_boolean_t
inactive
);
/*%<
* Set key inactive state.
*
* Requires:
* 'key' to be valid.
*/
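Review bot: The doc comment on `dst_key_inactive` reads `due the key being deemed inactive`; it should be `due to the key being deemed inactive`. Both comments would also benefit from saying where the flag comes from: it is initialised to ISC_FALSE in get_key_struct() and, in the hunks shown, set only by dns_dnssec_findzonekeys2() when it substitutes a public key for an inactive private one, so a line such as `Set by dns_dnssec_findzonekeys2() when only the public half of an inactive key is loaded; false for keys obtained any other way.` tells callers when the answer is meaningful.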
ISC_LANG_ENDDECLS
...
...
lib/dns/update.c
...
...
@@ -1211,7 +1211,9 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
for
(
i
=
0
;
i
<
nkeys
;
i
++
)
{
if
(
rrsig
.
keyid
==
dst_key_id
(
keys
[
i
]))
{
found
=
ISC_TRUE
;
if
(
!
dst_key_isprivate
(
keys
[
i
]))
{
if
(
!
dst_key_isprivate
(
keys
[
i
])
&&
!
dst_key_inactive
(
keys
[
i
]))
{
/*
* The re-signing code in zone.c
* will mark this as offline.
...
...
lib/dns/win32/libdns.def
...
...
@@ -1062,6 +1062,7 @@ dst_key_getprivateformat
dst_key_gettime
dst_key_getttl
dst_key_id
dst_key_inactive
dst_key_isnullkey
dst_key_isprivate
dst_key_iszonekey
...
...
@@ -1074,6 +1075,7 @@ dst_key_rid
dst_key_secretsize
dst_key_setbits
dst_key_setflags
dst_key_setinactive
dst_key_setprivateformat
dst_key_settime
dst_key_setttl
...
...
lib/dns/zone.c
...
...
@@ -5755,7 +5755,9 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
* We want the earliest offline expire time
* iff there is a new offline signature.
*/
if
(
!
dst_key_isprivate
(
keys
[
i
]))
{
if
(
!
dst_key_inactive
(
keys
[
i
])
&&
!
dst_key_isprivate
(
keys
[
i
]))
{
isc_int64_t
timeexpire
=
dns_time64_from32
(
rrsig
.
timeexpire
);
if
(
warn
!=
0
&&
warn
>
timeexpire
)
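Review bot: The new condition tests `!dst_key_inactive(keys[i]) && !dst_key_isprivate(keys[i])`, the reverse of the order used for the same rule in update.c's del_keysigs(); writing both as `!dst_key_isprivate(keys[i]) && !dst_key_inactive(keys[i])` keeps the two sites visibly identical, and since isprivate is the cheaper, more common failure it also short-circuits sooner. The comment above the block, `We want the earliest offline expire time iff there is a new offline signature`, should now say that inactive keys are excluded from that computation, e.g. `Keys retired as inactive are not offline: their signatures are dropped rather than tracked.` del_sigs() continues outside the hunk.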
...
...