Commit 9a020198 authored by Evan Hunt's avatar Evan Hunt

3264. [bug] Automatic regeneration of signatures in an

			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]
parent d2b0ea35
3264. [bug] Automatic regeneration of signatures in an
inline-signing zone could stall when the server
was restarted. [RT #27344]
3263. [bug] "rndc sync" did not affect the unsigned side of an
inline-signing zone. [RT #27337]
3262. [bug] Signed responses were handled incorrectly by RPZ.
[RT #27316]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.634 2011/12/22 12:58:13 marka Exp $ */
/* $Id: server.c,v 1.635 2012/01/10 18:13:36 each Exp $ */
/*! \file */
......@@ -7256,8 +7256,15 @@ static isc_result_t
synczone(dns_zone_t *zone, void *uap) {
isc_boolean_t cleanup = *(isc_boolean_t *)uap;
isc_result_t result;
dns_zone_t *raw = NULL;
char *journal;
dns_zone_getraw(zone, &raw);
if (raw != NULL) {
synczone(raw, uap);
dns_zone_detach(&raw);
}
result = dns_zone_flush(zone);
if (result != ISC_R_SUCCESS)
cleanup = ISC_FALSE;
......@@ -7266,6 +7273,7 @@ synczone(dns_zone_t *zone, void *uap) {
if (journal != NULL)
(void)isc_file_remove(journal);
}
return (result);
}
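Review bot: The result of the recursive `synczone(raw, uap)` call on the raw side is discarded, so a failed flush or journal removal on the unsigned zone is never reported back to the control-channel caller, who only sees the outcome for the signed zone; that is exactly the half of the pair RT #27337 says was being missed. Suggest declaring `isc_result_t rawresult = ISC_R_SUCCESS;` next to `result`, writing `rawresult = synczone(raw, uap);` in the `if (raw != NULL)` branch, and at the function's return (which sits in the following hunk) using `return (result != ISC_R_SUCCESS ? result : rawresult);` so the first failure of either side is what the caller gets. Whether dns_zone_getraw yields NULL for a zone that is itself a raw zone, and hence that the recursion stops after one level, is not visible here; a one-line comment stating that invariant above the call would help the next reader. synczone's body continues past this hunk.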
......
......@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.8 2011/12/22 07:32:40 each Exp $
# $Id: clean.sh,v 1.9 2012/01/10 18:13:36 each Exp $
rm -f */named.memstats
rm -f */named.run
......@@ -45,6 +45,10 @@ rm -f ns3/updated.db
rm -f ns3/updated.db.jnl
rm -f ns3/updated.db.signed
rm -f ns3/updated.db.signed.jnl
rm -f ns3/expired.db
rm -f ns3/expired.db.jnl
rm -f ns3/expired.db.signed
rm -f ns3/expired.db.signed.jnl
rm -f ns4/K*
rm -f ns4/noixfr.db
rm -f ns4/noixfr.db.jnl
......
......@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db.in,v 1.5 2011/12/22 07:32:40 each Exp $
; $Id: root.db.in,v 1.6 2012/01/10 18:13:37 each Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
......@@ -41,3 +41,6 @@ ns3.dynamic. A 10.53.0.3
updated. NS ns3.updated.
ns3.updated. A 10.53.0.3
expired. NS ns3.expired.
ns3.expired. A 10.53.0.3
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.5 2011/12/22 07:32:40 each Exp $ */
/* $Id: named.conf,v 1.6 2012/01/10 18:13:37 each Exp $ */
// NS3
......@@ -78,3 +78,11 @@ zone "updated" {
allow-update { none; };
file "updated.db";
};
zone "expired" {
type master;
inline-signing yes;
auto-dnssec maintain;
allow-update { any; };
file "expired.db";
};
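Review bot: The new `expired` zone is configured with `allow-update { any; };`, so if the update ACL is also attached to the secure side of the inline-signing pair (which this page does not show), the pre-existing `update_acl` branch of the DNS_MASTER_RESIGN condition in zone.c would already apply and the new expired-signature test might pass without the `inline_secure(zone)` change it is meant to cover. If the intent is to exercise that new branch specifically, `allow-update { none; };` as on the `updated` zone above would isolate it. Either way a short comment such as `// signatures pre-expired by sign.sh; checks resigning on load (RT #27344)` would record why this zone exists.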
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.5 2011/12/22 07:32:40 each Exp $
# $Id: sign.sh,v 1.6 2012/01/10 18:13:37 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -57,3 +57,12 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
cp master2.db.in updated.db
# signatures are expired and should be regenerated on startup
zone=expired
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
$SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
......@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.8 2011/12/22 07:32:40 each Exp $
# $Id: setup.sh,v 1.9 2012/01/10 18:13:36 each Exp $
sh clean.sh
......@@ -23,29 +23,10 @@ touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns3/bits.bk
rm -f ns3/bits.bk.jnl
rm -f ns3/bits.bk.signed
rm -f ns3/bits.bk.signed.jnl
rm -f ns3/noixfr.bk
rm -f ns3/noixfr.bk.jnl
rm -f ns3/noixfr.bk.signed
rm -f ns3/noixfr.bk.signed.jnl
rm -f ns3/master.db
rm -f ns3/master.db.jnl
rm -f ns3/master.db.signed
rm -f ns3/master.db.signed.jnl
rm -f ns3/dynamic.db
rm -f ns3/dynamic.db.jnl
rm -f ns3/dynamic.db.signed
rm -f ns3/dynamic.db.signed.jnl
cp ns3/master.db.in ns3/master.db
cp ns3/master.db.in ns3/dynamic.db
cp ns3/master.db.in ns3/updated.db
cp ns3/master.db.in ns3/expired.db
touch ns4/trusted.conf
cp ns4/noixfr.db.in ns4/noixfr.db
......
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.11 2011/12/22 07:32:40 each Exp $
# $Id: tests.sh,v 1.12 2012/01/10 18:13:36 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -40,6 +40,15 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking expired signatures are updated on load ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 -p 5300 +noall +answer +dnssec expired SOA > dig.out.ns3.test$n
expiry=`awk '$4 == "RRSIG" { print $9 }' dig.out.ns3.test$n`
[ "$expiry" = "20110101000000" ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc signing -clear' ($n)"
ret=0
......@@ -638,4 +647,15 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check rndc sync removes both signed and unsigned journals ($n)"
ret=0
[ -e ns3/dynamic.db.jnl ] || ret=1
[ -e ns3/dynamic.db.signed.jnl ] || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sync -clean dynamic 2>&1 || ret=1
[ -e ns3/dynamic.db.jnl ] && ret=1
[ -e ns3/dynamic.db.signed.jnl ] && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
exit $status
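Review bot: The expired-signature check in the first new hunk passes vacuously when dig returns no RRSIG at all: `expiry` is then empty, `[ "$expiry" = "20110101000000" ] && ret=1` never fires, and a zone that failed to load or sign is reported as passing. The same happens if more than one RRSIG line is returned, since `expiry` then holds several fields joined by spaces and the string equality is false. Suggest adding `[ -z "$expiry" ] && ret=1` after the awk line and replacing the equality test with `echo "$expiry" | grep -q '^20110101000000$' && ret=1` so both the empty and the multi-value cases are handled.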
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.659 2011/12/22 23:46:20 tbox Exp $ */
/* $Id: zone.c,v 1.660 2012/01/10 18:13:37 each Exp $ */
/*! \file */
......@@ -1795,9 +1795,9 @@ get_master_options(dns_zone_t *zone) {
options |= DNS_MASTER_CHECKMXFAIL;
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
options |= DNS_MASTER_CHECKWILDCARD;
if (zone->type == dns_zone_master &&
if (inline_secure(zone) || (zone->type == dns_zone_master &&
((zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)) ||
zone->ssutable != NULL))
zone->ssutable != NULL)))
options |= DNS_MASTER_RESIGN;
return (options);
}
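Review bot: The widened DNS_MASTER_RESIGN condition is now a three-level boolean with no explanation of why an inline-signing secure zone needs the flag unconditionally; per the commit message this is the fix for signature regeneration stalling after a restart (RT #27344), and that reasoning belongs next to the code. Suggest a comment above the `if`: `/* Inline-signing secure zones are always resigned on load (RT #27344); other master zones only when they accept dynamic updates. */`. For readability, the dynamic-update test could also be hoisted into a local, e.g. `isc_boolean_t dynamic = ISC_TF(zone->type == dns_zone_master && ((zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)) || zone->ssutable != NULL));` followed by `if (inline_secure(zone) || dynamic)`, keeping the precedence visible. get_master_options begins before this hunk.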
......