Commit 832ab79d authored by Mark Andrews's avatar Mark Andrews

4305. [bug] dnssec-signzone was not removing unnecessary rrsigs

                        from the zone's apex. [RT #41483]
parent 9d85a773
4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
from the zone's apex. [RT #41483]
4304. [port] xfer system test failed as 'tail -n +value' is not
portable. [RT #41315]
......
......@@ -1106,6 +1106,10 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_diff_clear(&add);
}
/*
* See if the node contains any non RRSIG/NSEC records and report to
* caller. Clean out extranous RRSIG records for node.
*/
static inline isc_boolean_t
active_node(dns_dbnode_t *node) {
dns_rdatasetiter_t *rdsiter = NULL;
......@@ -1785,9 +1789,12 @@ nsecify(void) {
continue;
}
if (dns_name_equal(name, gorigin))
if (dns_name_equal(name, gorigin)) {
remove_records(node, dns_rdatatype_nsec3param,
ISC_TRUE);
/* Clean old rrsigs at apex. */
(void)active_node(node);
}
if (is_delegation(gdb, gversion, gorigin, name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
......@@ -2232,8 +2239,11 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
continue;
}
if (dns_name_equal(name, gorigin))
if (dns_name_equal(name, gorigin)) {
remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
/* Clean old rrsigs at apex. */
(void)active_node(node);
}
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
......
......@@ -92,3 +92,5 @@ rm -f signer/example.db.changed
rm -f signer/nsec3param.out
rm -f signer/signer.out.*
rm -f signing.out*
rm -f signer/*.signed.pre*
rm -f signer/*.signed.post*
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.2 2010/06/03 06:29:03 marka Exp $
$TTL 60
remove. 60 IN SOA remove. . 0 0 0 0 0
remove. 60 IN NS remove.
remove. 60 IN A 1.2.3.4
remove. 60 IN AAAA ::ffff:1.2.3.4
remove. 60 IN MX 0 remove.
$INCLUDE remove.db.signed
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.2 2010/06/03 06:29:03 marka Exp $
$TTL 60
remove. 60 IN SOA remove. . 0 0 0 0 0
remove. 60 IN NS remove.
remove. 60 IN A 1.2.3.4
$INCLUDE remove.db.signed
......@@ -3217,5 +3217,45 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC ($n)"
ret=0
# generate signed zone with MX and AAAA records at apex.
(
cd signer
$KEYGEN -q -3 -fK remove > /dev/null
$KEYGEN -q -3 remove > /dev/null
echo > remove.db.signed
$SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
)
grep -w MX signer/remove.db.signed > /dev/null || { ret=1 ; cp signer/remove.db.signed.pre$n; }
# re-generate signed zone without MX and AAAA records at apex.
(
cd signer
$SIGNER -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
)
grep -w MX signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed.post$n; }
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC3k ($n)"
ret=0
# generate signed zone with MX and AAAA records at apex.
(
cd signer
echo > remove.db.signed
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
)
grep -w MX signer/remove.db.signed > /dev/null || { ret=1 ; cp signer/remove.db.signed.pre$n; }
# re-generate signed zone without MX and AAAA records at apex.
(
cd signer
$SIGNER -3 - -S -o remove -D -f remove.db.signed remove2.db.in > signer.out.2.$n 2>&1
)
grep -w MX signer/remove.db.signed > /dev/null && { ret=1 ; cp signer/remove.db.signed.post$n; }
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment