ISC Open Source Projects
BIND
Commits
8aee1870
Commit
8aee1870
authored
Dec 07, 2010
by
Mark Andrews
2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]
parent
631e4420
Showing
11 changed files
with
340 additions
and
79 deletions
+340
-79
CHANGES
CHANGES
+3
-0
bin/named/update.c
bin/named/update.c
+135
-73
bin/tests/system/conf.sh.in
bin/tests/system/conf.sh.in
+4
-2
bin/tests/system/nsupdate/clean.sh
bin/tests/system/nsupdate/clean.sh
+6
-1
bin/tests/system/nsupdate/ns3/example.db.in
bin/tests/system/nsupdate/ns3/example.db.in
+4
-0
bin/tests/system/nsupdate/ns3/named.conf
bin/tests/system/nsupdate/ns3/named.conf
+57
-0
bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
+4
-0
bin/tests/system/nsupdate/ns3/sign.sh
bin/tests/system/nsupdate/ns3/sign.sh
+33
-0
bin/tests/system/nsupdate/setup.sh
bin/tests/system/nsupdate/setup.sh
+5
-1
bin/tests/system/nsupdate/tests.sh
bin/tests/system/nsupdate/tests.sh
+87
-1
lib/dns/nsec3.c
lib/dns/nsec3.c
+2
-1
CHANGES
2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]
2979. [bug] named could deadlock during shutdown if two
"rndc stop" commands were issued at the same
time. [RT #22108]
...
...
bin/named/update.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.18
2
2010/
05/18 01:39:41
marka Exp $ */
/* $Id: update.c,v 1.18
3
2010/
12/07 02:53:33
marka Exp $ */
#include <config.h>
...
...
@@ -1250,11 +1250,10 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
return
(
ISC_FALSE
);
INSIST
(
db_rr
->
length
>=
4
&&
update_rr
->
length
>=
4
);
/*
* Replace records added in this UPDATE request.
* Replace NSEC3PARAM records that only differ by the
* flags field.
*/
if
(
db_rr
->
data
[
0
]
==
update_rr
->
data
[
0
]
&&
(
db_rr
->
data
[
1
]
&
DNS_NSEC3FLAG_UPDATE
)
!=
0
&&
(
update_rr
->
data
[
1
]
&
DNS_NSEC3FLAG_UPDATE
)
!=
0
&&
memcmp
(
db_rr
->
data
+
2
,
update_rr
->
data
+
2
,
update_rr
->
length
-
2
)
==
0
)
return
(
ISC_TRUE
);
...
...
@@ -3110,6 +3109,8 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
isc_boolean_t
flag
;
dns_name_t
*
name
=
dns_zone_getorigin
(
zone
);
dns_rdatatype_t
privatetype
=
dns_zone_getprivatetype
(
zone
);;
isc_uint32_t
ttl
=
0
;
isc_boolean_t
ttl_good
=
ISC_FALSE
;
update_log
(
client
,
zone
,
ISC_LOG_DEBUG
(
3
),
"checking for NSEC3PARAM changes"
);
...
...
@@ -3132,53 +3133,143 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
ISC_LIST_APPEND
(
temp_diff
.
tuples
,
tuple
,
link
);
}
/*
* Extract TTL changes pairs, we don't need to convert these to
* delayed changes.
*/
for
(
tuple
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
tuple
!=
NULL
;
tuple
=
next
)
{
if
(
tuple
->
op
==
DNS_DIFFOP_ADD
)
{
if
(
!
ttl_good
)
{
/*
* Any adds here will contain the final
* NSEC3PARAM RRset TTL.
*/
ttl
=
tuple
->
ttl
;
ttl_good
=
ISC_TRUE
;
}
/*
* Walk the temp_diff list looking for the
* corresponding delete.
*/
next
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
while
(
next
!=
NULL
)
{
unsigned
char
*
next_data
=
next
->
rdata
.
data
;
unsigned
char
*
tuple_data
=
tuple
->
rdata
.
data
;
if
(
next
->
op
==
DNS_DIFFOP_DEL
&&
next
->
rdata
.
length
==
tuple
->
rdata
.
length
&&
!
memcmp
(
next_data
,
tuple_data
,
next
->
rdata
.
length
))
{
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
next
,
link
);
ISC_LIST_APPEND
(
diff
->
tuples
,
next
,
link
);
break
;
}
next
=
ISC_LIST_NEXT
(
next
,
link
);
}
/*
* If we have not found a pair move onto the next
* tuple.
*/
if
(
next
==
NULL
)
{
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
continue
;
}
/*
* Find the next tuple to be processed before
* unlinking then complete moving the pair to 'diff'.
*/
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
tuple
,
link
);
ISC_LIST_APPEND
(
diff
->
tuples
,
tuple
,
link
);
}
else
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
}
/*
* Preserve any ongoing changes from a BIND 9.6.x upgrade.
*
* Any NSEC3PARAM records with flags other than OPTOUT named
* in managing and should not be touched so revert such changes
* taking into account any TTL change of the NSEC3PARAM RRset.
*/
for
(
tuple
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
tuple
!=
NULL
;
tuple
=
next
)
{
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
if
((
tuple
->
rdata
.
data
[
1
]
&
~
DNS_NSEC3FLAG_OPTOUT
)
!=
0
)
{
/*
* If we havn't had any adds then the tuple->ttl must
* be the original ttl and should be used for any
* future changes.
*/
if
(
!
ttl_good
)
{
ttl
=
tuple
->
ttl
;
ttl_good
=
ISC_TRUE
;
}
op
=
(
tuple
->
op
==
DNS_DIFFOP_DEL
)
?
DNS_DIFFOP_ADD
:
DNS_DIFFOP_DEL
;
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
op
,
name
,
ttl
,
&
tuple
->
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
tuple
,
link
);
dns_diff_appendminimal
(
diff
,
&
tuple
);
}
}
/*
* We now have just the actual changes to the NSEC3PARAM RRset.
* Convert the adds to delayed adds and the deletions into delayed
* deletions.
*/
for
(
tuple
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
tuple
!=
NULL
;
tuple
=
next
)
{
/*
* If we havn't had any adds then the tuple->ttl must be the
* original ttl and should be used for any future changes.
*/
if
(
!
ttl_good
)
{
ttl
=
tuple
->
ttl
;
ttl_good
=
ISC_TRUE
;
}
if
(
tuple
->
op
==
DNS_DIFFOP_ADD
)
{
/*
* Look for any deletes which match this ADD ignoring
* OPTOUT. We don't need to explictly remove them as
* they will be removed a side effect of processing
* the add.
*/
next
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
while
(
next
!=
NULL
)
{
unsigned
char
*
next_data
=
next
->
rdata
.
data
;
unsigned
char
*
tuple_data
=
tuple
->
rdata
.
data
;
if
(
next_data
[
0
]
!=
tuple_data
[
0
]
||
/* Ignore flags. */
if
(
next
->
op
!=
DNS_DIFFOP_DEL
||
next
->
rdata
.
length
!=
tuple
->
rdata
.
length
||
next_data
[
0
]
!=
tuple_data
[
0
]
||
next_data
[
2
]
!=
tuple_data
[
2
]
||
next_data
[
3
]
!=
tuple_data
[
3
]
||
next_data
[
4
]
!=
tuple_data
[
4
]
||
!
memcmp
(
&
next_data
[
5
],
&
tuple_data
[
5
],
tuple_data
[
4
]))
{
memcmp
(
next_data
+
4
,
tuple_data
+
4
,
tuple
->
rdata
.
length
-
4
))
{
next
=
ISC_LIST_NEXT
(
next
,
link
);
continue
;
}
op
=
(
next
->
op
==
DNS_DIFFOP_DEL
)
?
DNS_DIFFOP_ADD
:
DNS_DIFFOP_DEL
;
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
op
,
name
,
next
->
ttl
,
&
next
->
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
next
,
link
);
dns_diff_appendminimal
(
diff
,
&
next
);
next
=
ISC_LIST_
NEXT
(
tuple
,
link
);
ISC_LIST_APPEND
(
diff
->
tuples
,
next
,
link
);
next
=
ISC_LIST_
HEAD
(
temp_diff
.
tuples
);
}
INSIST
(
tuple
->
rdata
.
data
[
1
]
&
DNS_NSEC3FLAG_UPDATE
);
/*
* See if we already have a CREATE request in progress.
*/
dns_nsec3param_toprivate
(
&
tuple
->
rdata
,
&
rdata
,
privatetype
,
buf
,
sizeof
(
buf
));
buf
[
2
]
|=
DNS_NSEC3FLAG_CREATE
;
buf
[
2
]
&=
~
DNS_NSEC3FLAG_UPDATE
;
CHECK
(
rr_exists
(
db
,
ver
,
name
,
&
rdata
,
&
flag
));
if
(
!
flag
)
{
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
DNS_DIFFOP_ADD
,
name
,
tuple
->
ttl
,
&
rdata
,
name
,
0
,
&
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
}
...
...
@@ -3194,20 +3285,20 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if
(
flag
)
{
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
DNS_DIFFOP_DEL
,
name
,
tuple
->
ttl
,
&
rdata
,
name
,
0
,
&
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
}
/*
* Remove the temporary add record.
* Find the next tuple to be processed and remove the
* temporary add record.
*/
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
DNS_DIFFOP_DEL
,
name
,
tuple
->
ttl
,
&
tuple
->
rdata
,
&
newtuple
));
name
,
ttl
,
&
tuple
->
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
tuple
,
link
);
dns_diff_appendminimal
(
diff
,
&
tuple
);
dns_rdata_reset
(
&
rdata
);
...
...
@@ -3215,48 +3306,33 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
}
/*
* Reverse any pending changes.
*/
for
(
tuple
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
tuple
!=
NULL
;
tuple
=
next
)
{
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
if
((
tuple
->
rdata
.
data
[
1
]
&
~
DNS_NSEC3FLAG_OPTOUT
)
!=
0
)
{
op
=
(
tuple
->
op
==
DNS_DIFFOP_DEL
)
?
DNS_DIFFOP_ADD
:
DNS_DIFFOP_DEL
;
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
op
,
name
,
tuple
->
ttl
,
&
tuple
->
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
tuple
,
link
);
dns_diff_appendminimal
(
diff
,
&
tuple
);
}
}
/*
* Convert deletions into delayed deletions.
*/
for
(
tuple
=
ISC_LIST_HEAD
(
temp_diff
.
tuples
);
tuple
!=
NULL
;
tuple
=
next
)
{
INSIST
(
ttl_good
);
next
=
ISC_LIST_NEXT
(
tuple
,
link
);
/*
* See if we already have a REMOVE request in progress.
*/
dns_nsec3param_toprivate
(
&
tuple
->
rdata
,
&
rdata
,
privatetype
,
buf
,
sizeof
(
buf
));
buf
[
2
]
|=
DNS_NSEC3FLAG_REMOVE
;
dns_nsec3param_toprivate
(
&
tuple
->
rdata
,
&
rdata
,
privatetype
,
buf
,
sizeof
(
buf
));
buf
[
2
]
|=
DNS_NSEC3FLAG_REMOVE
|
DNS_NSEC3FLAG_NONSEC
;
CHECK
(
rr_exists
(
db
,
ver
,
name
,
&
rdata
,
&
flag
));
if
(
!
flag
)
{
buf
[
2
]
&=
~
DNS_NSEC3FLAG_NONSEC
;
CHECK
(
rr_exists
(
db
,
ver
,
name
,
&
rdata
,
&
flag
));
}
if
(
!
flag
)
{
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
DNS_DIFFOP_ADD
,
name
,
tuple
->
ttl
,
&
rdata
,
&
newtuple
));
name
,
0
,
&
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
}
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
DNS_DIFFOP_ADD
,
name
,
tuple
->
ttl
,
&
tuple
->
rdata
,
&
newtuple
));
ttl
,
&
tuple
->
rdata
,
&
newtuple
));
CHECK
(
do_one_tuple
(
&
newtuple
,
db
,
ver
,
diff
));
ISC_LIST_UNLINK
(
temp_diff
.
tuples
,
tuple
,
link
);
dns_diff_appendminimal
(
diff
,
&
tuple
);
...
...
@@ -3435,7 +3511,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
unsigned
int
options
;
dns_difftuple_t
*
tuple
;
dns_rdata_dnskey_t
dnskey
;
unsigned
char
buf
[
DNS_NSEC3PARAM_BUFFERSIZE
];
isc_boolean_t
had_dnskey
;
dns_rdatatype_t
privatetype
=
dns_zone_getprivatetype
(
zone
);
...
...
@@ -3820,19 +3895,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
"flag"
);
continue
;
}
/*
* NSEC3CHAIN creation flag.
*/
INSIST
(
rdata
.
length
<=
sizeof
(
buf
));
memcpy
(
buf
,
rdata
.
data
,
rdata
.
length
);
buf
[
1
]
|=
DNS_NSEC3FLAG_UPDATE
;
rdata
.
data
=
buf
;
/*
* Force the TTL to zero for NSEC3PARAM records.
*/
ttl
=
0
;
}
if
((
options
&
DNS_ZONEOPT_CHECKWILDCARD
)
!=
0
&&
...
...
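Review bot: The new matching loops in add_nsec3param_records index `rdata.data[0]` through `[3]` and pass `tuple->rdata.length - 4` to memcmp with no visible lower bound on the rdata length, whereas replaces_p in the same file states the same precondition with `INSIST(db_rr->length >= 4 && update_rr->length >= 4)`. If the length field is unsigned, as it appears to be, a tuple shorter than four bytes would turn that subtraction into a very large compare length; the rdata has presumably been validated as NSEC3PARAM before it reaches temp_diff, but that code is outside the hunks shown. Because this path runs on client-supplied UPDATE data, I would state the invariant where it is relied on, for example `INSIST(tuple->rdata.length >= 4);` ahead of the inner `while (next != NULL)` loop. Better still would be to fail the update on a short record, since an assertion here aborts the server. The function body starts and ends outside the visible hunks.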
bin/tests/system/conf.sh.in
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.5
2
2010/1
1/16 01:37:36 sar
Exp $
# $Id: conf.sh.in,v 1.5
3
2010/1
2/07 02:53:33 marka
Exp $
#
# Common configuration data for system tests, to be sourced into
...
...
@@ -47,6 +47,7 @@ CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN
=
"
$TOP
/bin/pkcs11/pkcs11-keygen -s 0 -p 1234"
PK11LIST
=
"
$TOP
/bin/pkcs11/pkcs11-list -s 0 -p 1234"
PK11DEL
=
"
$TOP
/bin/pkcs11/pkcs11-destroy -s 0 -p 1234"
JOURNALPRINT
=
$TOP
/bin/tools/named-journalprint
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
...
...
@@ -72,4 +73,5 @@ else
fi
export
NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL
\
PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6
PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6
\
JOURNALPRINT
bin/tests/system/nsupdate/clean.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.
19
2010/12/0
3
0
0:37
:33 marka Exp $
# $Id: clean.sh,v 1.
20
2010/12/0
7
0
2:53
:33 marka Exp $
#
# Clean up after zone transfer tests.
...
...
@@ -29,3 +29,8 @@ rm -f ns2/example.bk
rm
-f
ns2/update.bk
rm
-f
*
/named.memstats
rm
-f
nsupdate.out
rm
-f
ns3/example.db.jnl ns3/example.db
rm
-f
ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
rm
-f
ns3/K
*
rm
-f
dig.out.ns3.
*
rm
-f
jp.out.ns3.
*
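--- a/bin/tests/system/nsupdate/ns3/example.db.in
+++ b/bin/tests/system/nsupdate/ns3/example.db.in
@@ -0,0 +1,4 @@
+example. 10 IN SOA example. hostmaster.example. 1 3600 900 2419200 3600
+example. 10 IN NS example.
+example. 10 IN A 10.53.0.3
+example. 10 IN NSEC3PARAM 1 1 0 -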
bin/tests/system/nsupdate/ns3/named.conf
0 → 100644
/*
*
Copyright
(
C
)
2004
,
2006
,
2007
Internet
Systems
Consortium
,
Inc
. (
"ISC"
)
*
Copyright
(
C
)
2000
,
2001
Internet
Software
Consortium
.
*
*
Permission
to
use
,
copy
,
modify
,
and
/
or
distribute
this
software
for
any
*
purpose
with
or
without
fee
is
hereby
granted
,
provided
that
the
above
*
copyright
notice
and
this
permission
notice
appear
in
all
copies
.
*
*
THE
SOFTWARE
IS
PROVIDED
"AS IS"
AND
ISC
DISCLAIMS
ALL
WARRANTIES
WITH
*
REGARD
TO
THIS
SOFTWARE
INCLUDING
ALL
IMPLIED
WARRANTIES
OF
MERCHANTABILITY
*
AND
FITNESS
.
IN
NO
EVENT
SHALL
ISC
BE
LIABLE
FOR
ANY
SPECIAL
,
DIRECT
,
*
INDIRECT
,
OR
CONSEQUENTIAL
DAMAGES
OR
ANY
DAMAGES
WHATSOEVER
RESULTING
FROM
*
LOSS
OF
USE
,
DATA
OR
PROFITS
,
WHETHER
IN
AN
ACTION
OF
CONTRACT
,
NEGLIGENCE
*
OR
OTHER
TORTIOUS
ACTION
,
ARISING
OUT
OF
OR
IN
CONNECTION
WITH
THE
USE
OR
*
PERFORMANCE
OF
THIS
SOFTWARE
.
*/
/* $
Id
:
named
.
conf
,
v
1
.
2
2010
/
12
/
07
02
:
53
:
34
marka
Exp
$ */
//
NS1
controls
{ /*
empty
*/ };
options
{
query
-
source
address
10
.
53
.
0
.
3
;
notify
-
source
10
.
53
.
0
.
3
;
transfer
-
source
10
.
53
.
0
.
3
;
port
5300
;
pid
-
file
"named.pid"
;
listen
-
on
{
10
.
53
.
0
.
3
; };
listen
-
on
-
v6
{
none
; };
recursion
no
;
notify
yes
;
dnssec
-
enable
yes
;
dnssec
-
validation
yes
;
};
/*
zone
"."
{
type
master
;
file
"root.db.signed"
;
};
*/
//
include
"trusted.conf"
;
zone
"example"
{
type
master
;
allow
-
update
{
any
; };
file
"example.db"
;
};
zone
"nsec3param.test"
{
type
master
;
allow
-
update
{
any
; };
file
"nsec3param.test.db.signed"
;
};
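Review bot: The header comment in this new file reads `// NS1`, but the file is ns3/named.conf and every address in it is 10.53.0.3, so the label should be `// NS3`. Both zones are configured with `allow-update { any; };`, which is tolerable only because this is a test fixture listening on the 10.53.0.3 test address, port 5300. A one-line comment above each zone, such as `// test fixture only: unauthenticated dynamic updates`, would keep the setting from being copied into a configuration that is reachable by untrusted clients.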
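--- a/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
+++ b/bin/tests/system/nsupdate/ns3/nsec3param.test.db.in
@@ -0,0 +1,4 @@
+$TTL 10
+nsec3param.test. IN SOA nsec3param.test. hostmaster.nsec3param.test. 1 3600 900 2419200 3600
+nsec3param.test. IN NS nsec3param.test.
+nsec3param.test. IN A 10.53.0.3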
bin/tests/system/nsupdate/ns3/sign.sh
0 → 100644
#!/bin/sh -e
#
# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.2 2010/12/07 02:53:34 marka Exp $
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
RANDFILE
=
../random.data
zone
=
nsec3param.test.
infile
=
nsec3param.test.db.in
zonefile
=
nsec3param.test.db
keyname1
=
`
$KEYGEN
-q
-r
$RANDFILE
-a
NSEC3RSASHA1
-b
1024
-n
zone
-f
KSK
$zone
`
keyname2
=
`
$KEYGEN
-q
-r
$RANDFILE
-a
NSEC3RSASHA1
-b
1024
-n
zone
$zone
`
cat
$infile
$keyname1
.key
$keyname2
.key
>
$zonefile
$SIGNER
-P
-3
-
-H
1
-r
$RANDFILE
-o
$zone
-k
$keyname1
$zonefile
$keyname2
>
/dev/null
bin/tests/system/nsupdate/setup.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.1
4
200
9
/12/0
4
03:33
:15
marka Exp $
# $Id: setup.sh,v 1.1
5
20
1
0/12/0
7
0
2:5
3:33 marka Exp $
SYSTEMTESTTOP
=
..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -25,9 +25,11 @@ SYSTEMTESTTOP=..
#
rm
-f
ns1/
*
.jnl ns1/example.db ns2/
*
.jnl ns2/example.bk
rm
-f
ns3/example.db.jnl
cp
-f
ns1/example1.db ns1/example.db
sed
's/example.nil/other.nil/g'
ns1/example1.db
>
ns1/other.db
cp
-f
ns3/example.db.in ns3/example.db
# update_test.pl has its own zone file because it
# requires a specific NS record set.
...
...
@@ -48,3 +50,5 @@ EOF
../../../tools/genrandom 400 random.data
$DDNSCONFGEN
-q
-r
random.data
-z
example.nil
>
ns1/ddns.key
(
cd
ns3
;
sh
-e
sign.sh
)
bin/tests/system/nsupdate/tests.sh
...
...
@@ -15,12 +15,13 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.3
1
2010/12/0
3
0
0:37
:3
3
marka Exp $
# $Id: tests.sh,v 1.3
2
2010/12/0
7
0
2:53
:3
4
marka Exp $
SYSTEMTESTTOP
=
..
.
$SYSTEMTESTTOP
/conf.sh
status
=
0
n
=
0
# wait for zone transfer to complete
tries
=
0
...
...
@@ -223,6 +224,90 @@ fi
echo
"I:end RT #482 regression test"
n
=
`
expr
$n
+ 1
`
echo
"I:start NSEC3PARAM changes via UPDATE on a unsigned zone test (
$n
)"
ret
=
0
$NSUPDATE
<<
EOF
server 10.53.0.3 5300
update add example 3600 nsec3param 1 0 0 -
send
EOF
sleep
1
# the zone is not signed. The nsec3param records should be removed.
# this also proves that the server is still running.
$DIG
+tcp +noadd +nosea +nostat +noquest +nocmd +norec example.
\
@10.53.0.3 nsec3param
-p
5300
>
dig.out.ns3.
$n
||
ret
=
1
grep
"ANSWER: 0"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"flags:[^;]* aa[ ;]"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
if
[
$ret
!=
0
]
;
then
echo
"I: failed"
;
status
=
`
expr
$ret
+
$status
`
;
fi
n
=
`
expr
$n
+ 1
`
echo
"I:change the NSEC3PARAM ttl via update (
$n
)"
ret
=
0
$NSUPDATE
<<
EOF
server 10.53.0.3 5300
update add nsec3param.test 3600 NSEC3PARAM 1 0 1 -
send
EOF
sleep
1
$DIG
+tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.
\
@10.53.0.3 nsec3param
-p
5300
>
dig.out.ns3.
$n
||
ret
=
1
grep
"ANSWER: 1"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"3600.*NSEC3PARAM"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"flags:[^;]* aa[ ;]"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
if
[
$ret
!=
0
]
;
then
echo
"I: failed"
;
status
=
`
expr
$ret
+
$status
`
;
fi
n
=
`
expr
$n
+ 1
`
echo
"I:add a new the NSEC3PARAM via update (
$n
)"
ret
=
0
$NSUPDATE
<<
EOF
server 10.53.0.3 5300
update add nsec3param.test 3600 NSEC3PARAM 1 0 4 -
send
EOF
sleep
1
$DIG
+tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.
\
@10.53.0.3 nsec3param
-p
5300
>
dig.out.ns3.
$n
||
ret
=
1
grep
"ANSWER: 2"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"NSEC3PARAM 1 0 4 -"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"flags:[^;]* aa[ ;]"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
if
[
$ret
!=
0
]
;
then
echo
"I: failed"
;
status
=
`
expr
$ret
+
$status
`
;
fi
n
=
`
expr
$n
+ 1
`
echo
"I:add, delete and change the ttl of the NSEC3PARAM rrset via update (
$n
)"
ret
=
0
$NSUPDATE
<<
EOF
server 10.53.0.3 5300
update delete nsec3param.test NSEC3PARAM
update add nsec3param.test 7200 NSEC3PARAM 1 0 5 -
send
EOF
sleep
1
$DIG
+tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.
\
@10.53.0.3 nsec3param
-p
5300
>
dig.out.ns3.
$n
||
ret
=
1
grep
"ANSWER: 1"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"7200.*NSEC3PARAM 1 0 5 -"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"flags:[^;]* aa[ ;]"
dig.out.ns3.
$n
>
/dev/null
||
ret
=
1
$JOURNALPRINT
ns3/nsec3param.test.db.signed.jnl
>
jp.out.ns3.
$n
# intermediate TTL changes.
grep
"add nsec3param.test. 7200 IN NSEC3PARAM 1 0 4 -"
jp.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"add nsec3param.test. 7200 IN NSEC3PARAM 1 0 1 -"
jp.out.ns3.
$n
>
/dev/null
||
ret
=
1
# delayed adds and deletes.
grep
"add nsec3param.test. 0 IN TYPE65534 .# 6 000180000500"
jp.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"add nsec3param.test. 0 IN TYPE65534 .# 6 000140000100"
jp.out.ns3.
$n
>
/dev/null
||
ret
=
1
grep
"add nsec3param.test. 0 IN TYPE65534 .# 6 000140000400"
jp.out.ns3.
$n
>
/dev/null
||
ret
=
1
if
[
$ret
!=
0
]
;
then
echo
"I: failed"
;
status
=
`
expr
$ret
+
$status
`
;
fi
echo
"I:testing that rndc stop updates the master file"
$NSUPDATE
-k
ns1/ddns.key
<<
END
> /dev/null || status=1
server 10.53.0.1 5300
...
...
@@ -248,5 +333,6 @@ then
echo
"I:failed"
;
status
=
1
fi
echo
"I:exit status:
$status
"
exit
$status
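Review bot: None of the four new tests checks the exit status of `$NSUPDATE`, and the last one also ignores the status of `$JOURNALPRINT`, so a refused or failed update is noticed only indirectly through the later greps. The existing "rndc stop updates the master file" test just below already folds the status in (`<<END > /dev/null || status=1`). The new blocks could do the same with `$NSUPDATE << EOF || ret=1` and `$JOURNALPRINT ns3/nsec3param.test.db.signed.jnl > jp.out.ns3.$n || ret=1`. The fixed `sleep 1` between each update and the `$DIG` query also makes these regression checks timing-dependent on a loaded machine; a short retry loop around the query would be more robust.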
lib/dns/nsec3.c
...
...
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3.c,v 1.1
8
2010/
06
/0
2
0
0:38:29
marka Exp $ */
/* $Id: nsec3.c,v 1.1
9
2010/
12
/0
7
0
2:53:34
marka Exp $ */
#include <config.h>
...
...
@@ -1143,6 +1143,7 @@ dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
CHECK
(
do_one_tuple
(
&
tuple
,
db
,
ver
,
diff
));
INSIST
(
tuple
==
NULL
);
rdata
.
data
=
buf
;
buf
[
2
]
=
DNS_NSEC3FLAG_REMOVE
|
DNS_NSEC3FLAG_NONSEC
;