Commit
832ab79d
authored
Jan 28, 2016
by
Mark Andrews
4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
from the zone's apex. [RT #41483]
parent
9d85a773
Changes
6
Showing
6 changed files
with
99 additions
and
2 deletions
+99
-2
CHANGES
CHANGES
+3
-0
bin/dnssec/dnssec-signzone.c
bin/dnssec/dnssec-signzone.c
+12
-2
bin/tests/system/dnssec/clean.sh
bin/tests/system/dnssec/clean.sh
+2
-0
bin/tests/system/dnssec/signer/remove.db.in
bin/tests/system/dnssec/signer/remove.db.in
+22
-0
bin/tests/system/dnssec/signer/remove2.db.in
bin/tests/system/dnssec/signer/remove2.db.in
+20
-0
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests.sh
+40
-0
CHANGES
4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
from the zone's apex. [RT #41483]
4304. [port] xfer system test failed as 'tail -n +value' is not
portable. [RT #41315]
...
...
bin/dnssec/dnssec-signzone.c
...
...
@@ -1106,6 +1106,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_diff_clear
(
&
add
);
}
/*
* See if the node contains any non RRSIG/NSEC records and report to
* caller. Clean out extranous RRSIG records for node.
*/
static
inline
isc_boolean_t
active_node
(
dns_dbnode_t
*
node
)
{
dns_rdatasetiter_t
*
rdsiter
=
NULL
;
...
...
@@ -1785,9 +1789,12 @@ nsecify(void) {
continue
;
}
if
(
dns_name_equal
(
name
,
gorigin
))
if
(
dns_name_equal
(
name
,
gorigin
))
{
remove_records
(
node
,
dns_rdatatype_nsec3param
,
ISC_TRUE
);
/* Clean old rrsigs at apex. */
(
void
)
active_node
(
node
);
}
if
(
is_delegation
(
gdb
,
gversion
,
gorigin
,
name
,
node
,
&
nsttl
))
{
zonecut
=
dns_fixedname_name
(
&
fzonecut
);
...
...
@@ -2232,8 +2239,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
continue
;
}
if
(
dns_name_equal
(
name
,
gorigin
))
if
(
dns_name_equal
(
name
,
gorigin
))
{
remove_records
(
node
,
dns_rdatatype_nsec
,
ISC_TRUE
);
/* Clean old rrsigs at apex. */
(
void
)
active_node
(
node
);
}
result
=
dns_dbiterator_next
(
dbiter
);
nextnode
=
NULL
;
...
...
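Review bot: In nsecify() the added `(void)active_node(node);` invokes a predicate purely for its side effect, and nsec3ify() repeats the same pattern; the short comment says what is cleaned but not why the apex needs its own call. Presumably the apex is never handed to active_node() by the node-walking loop, which lies outside these hunks, so once that is confirmed I would spell it out: `/* active_node() is called only for its side effect of deleting RRSIGs that no longer cover an RRset; the apex is not otherwise checked. */`. The new header comment on active_node() also misspells "extraneous" as "extranous". All three function bodies continue outside the hunks shown.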
bin/tests/system/dnssec/clean.sh
...
...
@@ -92,3 +92,5 @@ rm -f signer/example.db.changed
rm
-f
signer/nsec3param.out
rm
-f
signer/signer.out.
*
rm
-f
signing.out
*
rm
-f
signer/
*
.signed.pre
*
rm
-f
signer/
*
.signed.post
*
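--- /dev/null
+++ b/bin/tests/system/dnssec/signer/remove.db.in
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+; $Id: example.db.in,v 1.2 2010/06/03 06:29:03 marka Exp $
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+remove. 60 IN AAAA ::ffff:1.2.3.4
+remove. 60 IN MX 0 remove.
+$INCLUDE remove.db.signed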
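--- /dev/null
+++ b/bin/tests/system/dnssec/signer/remove2.db.in
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+; $Id: example.db.in,v 1.2 2010/06/03 06:29:03 marka Exp $
+$TTL 60
+remove. 60 IN SOA remove. . 0 0 0 0 0
+remove. 60 IN NS remove.
+remove. 60 IN A 1.2.3.4
+$INCLUDE remove.db.signed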
bin/tests/system/dnssec/tests.sh
...
...
@@ -3217,5 +3217,45 @@ n=`expr $n + 1`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC (
$n
)"
ret
=
0
# generate signed zone with MX and AAAA records at apex.
(
cd
signer
$KEYGEN
-q
-3
-fK
remove
>
/dev/null
$KEYGEN
-q
-3
remove
>
/dev/null
echo
>
remove.db.signed
$SIGNER
-S
-o
remove
-D
-f
remove.db.signed remove.db.in
>
signer.out.1.
$n
2>&1
)
grep
-w
MX signer/remove.db.signed
>
/dev/null
||
{
ret
=
1
;
cp
signer/remove.db.signed.pre
$n
;
}
# re-generate signed zone without MX and AAAA records at apex.
(
cd
signer
$SIGNER
-S
-o
remove
-D
-f
remove.db.signed remove2.db.in
>
signer.out.2.
$n
2>&1
)
grep
-w
MX signer/remove.db.signed
>
/dev/null
&&
{
ret
=
1
;
cp
signer/remove.db.signed.post
$n
;
}
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC3k (
$n
)"
ret
=
0
# generate signed zone with MX and AAAA records at apex.
(
cd
signer
echo
>
remove.db.signed
$SIGNER
-3
-
-S
-o
remove
-D
-f
remove.db.signed remove.db.in
>
signer.out.1.
$n
2>&1
)
grep
-w
MX signer/remove.db.signed
>
/dev/null
||
{
ret
=
1
;
cp
signer/remove.db.signed.pre
$n
;
}
# re-generate signed zone without MX and AAAA records at apex.
(
cd
signer
$SIGNER
-3
-
-S
-o
remove
-D
-f
remove.db.signed remove2.db.in
>
signer.out.2.
$n
2>&1
)
grep
-w
MX signer/remove.db.signed
>
/dev/null
&&
{
ret
=
1
;
cp
signer/remove.db.signed.post
$n
;
}
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:exit status:
$status
"
exit
$status
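Review bot: The failure branches of both new checks run `cp signer/remove.db.signed.pre$n` (and `.post$n`) with what is, as rendered here, a single operand, so the copy meant to keep the signed zone for debugging would itself fail. It should name the source as well, e.g. `cp signer/remove.db.signed signer/remove.db.signed.pre$n`, in all four places. The second check's banner reads "NSEC3k", which looks like a typo for "NSEC3". The exit status of `$SIGNER` is also never tested; appending `|| ret=1` to each subshell would surface a failed signing run directly instead of relying on the grep alone.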