Commit a6f0e9c9 authored by Mukund Sivaraman's avatar Mukund Sivaraman

Add NTA persistence (#37087)

4034.   [func]          When added, negative trust anchors (NTA) are now
                        saved to files (viewname.nta), in order to
                        persist across restarts of the named server.
                        [RT #37087]
parent fae13836
4034. [func] When added, negative trust anchors (NTA) are now
saved to files (viewname.nta), in order to
persist across restarts of the named server.
[RT #37087]
4033. [bug] Missing out of memory check in request.c:req_send.
[RT #38311]
......@@ -272,6 +272,18 @@ ns_server_togglequerylog(ns_server_t *server, char *args);
* but can also be used as a toggle for backward comptibility.)
*/
/*%
* Save the current NTAs for all views to files.
*/
isc_result_t
ns_server_saventa(ns_server_t *server);
/*%
* Load NTAs for all views from files.
*/
isc_result_t
ns_server_loadnta(ns_server_t *server);
/*%
* Dump the current statistics to the statistics file.
*/
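Review bot: The new comments on ns_server_saventa and ns_server_loadnta say nothing about what the isc_result_t return means or how failures surface, and from the server.c section on this page the answer is unusual: per-view errors are logged and ISC_R_SUCCESS is returned regardless, and a missing file is not an error for loadnta. Spelling that out in the header stops callers from checking a result that cannot fail, e.g. `* Per-view failures are logged, not returned; a missing NTA file is not an error.` The surrounding declaration list continues outside the hunk.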
......@@ -6620,6 +6620,8 @@ run_server(isc_task_t *task, isc_event_t *event) {
isc_hash_init();
CHECKFATAL(load_zones(server, ISC_TRUE), "loading zones");
(void) ns_server_loadnta(server);
}
void
......@@ -6660,6 +6662,8 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
cfg_parser_destroy(&ns_g_parser);
cfg_parser_destroy(&ns_g_addparser);
(void) ns_server_saventa(server);
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = view_next) {
......@@ -10190,7 +10194,7 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
strcmp(view->name, viewname) != 0)
continue;
if (view->nta_lifetime == 0 || view->nta_recheck == 0)
if (view->nta_lifetime == 0)
continue;
if (!ttlset)
......@@ -10207,7 +10211,7 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
result = dns_view_flushnode(view, ntaname, ISC_TRUE);
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"flush tree '%s' in cache view '%s': %s",
nametext, view->name,
isc_result_totext(result));
......@@ -10228,7 +10232,7 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
CHECK(putstr(text, tbuf));
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"added NTA '%s' (%d sec) in view '%s'",
nametext, ntattl, view->name);
} else {
......@@ -10240,12 +10244,22 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
CHECK(putstr(text, view->name));
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"removed NTA '%s' in view %s",
nametext, view->name);
}
result = dns_view_saventa(view);
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"error writing NTA file "
"for view '%s': %s",
view->name, isc_result_totext(result));
}
CHECK(putnull(text));
}
cleanup:
......@@ -10259,3 +10273,50 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
dns_ntatable_detach(&ntatable);
return (result);
}
isc_result_t
ns_server_saventa(ns_server_t *server) {
dns_view_t *view;
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
isc_result_t result = dns_view_saventa(view);
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"error writing NTA file "
"for view '%s': %s",
view->name, isc_result_totext(result));
}
}
return (ISC_R_SUCCESS);
}
isc_result_t
ns_server_loadnta(ns_server_t *server) {
dns_view_t *view;
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
isc_result_t result = dns_view_loadnta(view);
if ((result != ISC_R_SUCCESS) &&
(result != ISC_R_FILENOTFOUND) &&
(result != ISC_R_NOTFOUND))
{
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"error loading NTA file "
"for view '%s': %s",
view->name, isc_result_totext(result));
}
}
return (ISC_R_SUCCESS);
}
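Review bot: ns_server_saventa and ns_server_loadnta (end of the section) return ISC_R_SUCCESS unconditionally even after logging a per-view failure, so the isc_result_t return type carries no information and both new call sites in run_server and shutdown_server already discard it with `(void)`. Either declare them void or remember the first failure, e.g. `if (result != ISC_R_SUCCESS && first == ISC_R_SUCCESS) first = result;` and `return (first);`, so a caller can ever act on a failed save. Relatedly, in ns_server_nta a failed dns_view_saventa is only logged while the rndc caller still receives a success response; appending a line to `text` such as `warning: NTA could not be saved and will not persist across restart` would tell the operator what actually happened. Finally, the file read by dns_view_loadnta at startup switches off DNSSEC validation for the names it lists, and the system test writes it by hand, so it is trust-relevant input: a comment on ns_server_loadnta noting that `viewname.nta` must be writable only by the user named runs as, like named.conf, seems warranted — how dns_view_loadnta validates its contents is not visible on this page.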
......@@ -606,7 +606,7 @@
<para>
Sets a DNSSEC negative trust anchor (NTA)
for <option>domain</option>, with a lifetime of
<option>lifetime</option>. The default lifetime is
<option>duration</option>. The default lifetime is
configured in <filename>named.conf</filename> via the
<option>nta-lifetime</option> option, and defaults to
one hour. The lifetime cannot exceed one week.
......@@ -620,8 +620,17 @@
configured trust anchors), <command>named</command> will
abort the DNSSEC validation process and treat the data as
insecure rather than bogus. This continues until the
NTA's lifetime is elapsed, or until the server is
restarted (NTAs do not persist across restarts).
NTA's lifetime is elapsed.
</para>
<para>
NTAs persist across restarts of the named server.
The NTAs for a view are saved in a file called
<filename><replaceable>name</replaceable>.nta</filename>,
where <replaceable>name</replaceable> is the
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
of the view.
</para>
<para>
An existing NTA can be removed by using the
......@@ -82,3 +82,4 @@ rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ns3/dnskey-unknown.example.db
rm -f ns3/dnskey-unknown.example.db.tmp
rm -f ns*/named.lock
rm -f ns*/*.nta
#!/usr/bin/perl -w
use strict;
use Time::Piece;
use Time::Seconds;
exit 1 if (scalar(@ARGV) != 2);
my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z');
my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK;
my $diff = abs($actual - $expected);
print($diff . "\n");
......@@ -1663,6 +1663,7 @@ grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1
$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed - checking initial state"; fi
......@@ -1693,9 +1694,12 @@ ret=0
#
$DIG $DIGOPTS a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1
$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1
$DIG $DIGOPTS a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1
......@@ -1721,12 +1725,14 @@ echo "I: waiting for NTA rechecks/expirations"
#
$PERL -e 'my $delay = '$start' + 8 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
$DIG $DIGOPTS b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1
$DIG $DIGOPTS b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1
$DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed - checking that default nta's were lifted due to recheck"; fi
status=`expr $status + $ret`
......@@ -1738,11 +1744,17 @@ ret=0
# lifetime of 10s, so it should revert to SERVFAIL now.
#
$PERL -e 'my $delay = '$start' + 11 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
# check nta table
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n._11
lines=`wc -l < rndc.out.ns4.test$n._11`
[ "$lines" -eq 2 ] || ret=1
$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1
$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1
$DIG $DIGOPTS c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed - checking that default nta's were lifted due to lifetime"; fi
......@@ -1755,6 +1767,7 @@ ret=0
$PERL -e 'my $delay = '$start' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
# check correct behavior after bogus.example expiry
$DIG $DIGOPTS d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1
$DIG $DIGOPTS c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1
......@@ -1763,8 +1776,9 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.3
lines=`wc -l < rndc.out.ns4.test$n.3`
[ "$lines" -eq 0 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed - that all nta's have been lifted"; fi
if [ $ret != 0 ]; then echo "I:failed - checking that all nta's have been lifted"; fi
status=`expr $status + $ret`
ret=0
n=`expr $n + 1`
echo "I: testing NTA removals ($n)"
......@@ -1772,6 +1786,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta badds.example 2>&1 | sed '
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1
grep "badds.example: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1
$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1
grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove badds.example > rndc.out.ns4.test$n.2
grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1
......@@ -1786,6 +1801,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -r foo > rndc.out.ns4.test
grep "'nta' failed: not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
ret=0
n=`expr $n + 1`
echo "I: testing NTA with bogus lifetimes ($n)"
......@@ -1800,7 +1816,248 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l 7d1h foo > rndc.out.ns4
grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
ret=0
#
# check NTA persistence across restarts
#
n=`expr $n + 1`
echo "I: testing NTA persistence across restarts ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1
lines=`wc -l < rndc.out.ns4.test$n.1`
[ "$lines" -eq 0 ] || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 30s bogus.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 10s badds.example 2>&1 | sed 's/^/I:ns4 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.2
lines=`wc -l < rndc.out.ns4.test$n.2`
[ "$lines" -eq 2 ] || ret=1
start=`$PERL -e 'print time()."\n";'`
if [ $ret != 0 ]; then echo "I:failed - NTA persistence: adding NTA's failed"; fi
status=`expr $status + $ret`
ret=0
echo "I:killing ns4 with SIGTERM"
cd ns4
kill -TERM `cat named.pid`
rm named.pid
cd ..
#
# ns4 has now shutdown. wait until t=14 when badds.example's NTA
# (lifetime=10s) would have expired, and then restart ns4.
#
echo "I:waiting till 14s have passed since NTAs were added before restarting ns4"
$PERL -e 'my $delay = '$start' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
if
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
echo "I:sleeping for an additional 4 seconds for ns4 to fully startup"
sleep 4
#
# ns4 should be back up now. The NTA for bogus.example should still be
# valid, whereas badds.example should not have been added during named
# startup (as it had already expired).
#
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.3
lines=`wc -l < rndc.out.ns4.test$n.3`
[ "$lines" -eq 1 ] || ret=1
grep "bogus.example: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1
$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove bogus.example > rndc.out.ns4.test$n.6
if [ $ret != 0 ]; then echo "I:failed - NTA persistence: restoring NTA failed"; fi
status=`expr $status + $ret`
ret=0
#
# check "regular" attribute in NTA file works as expected at named
# startup.
#
n=`expr $n + 1`
echo "I: testing loading regular attribute from NTA file ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
lines=`wc -l < rndc.out.ns4.test$n.1`
[ "$lines" -eq 0 ] || ret=1
# initially, secure.example. validates with AD=1
$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
echo "I:killing ns4 with SIGTERM"
cd ns4
kill -TERM `cat named.pid`
rm named.pid
cd ..
echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
sleep 4
#
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with the regular attribute and some future timestamp.
#
year=`date +%Y`
future="`expr 20 + ${year}`0101010000"
echo "secure.example. regular $future" > ns4/_default.nta
start=`$PERL -e 'print time()."\n";'`
if
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
# nta-recheck is configured as 7s, so at t=10 the NTAs for
# secure.example. should be lifted as it is not a forced NTA.
echo "I:waiting till 10s have passed after ns4 was restarted"
$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
# secure.example. should now return an AD=1 answer (still validates) as
# the NTA has been lifted.
$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
if [ $ret != 0 ]; then echo "I:failed - NTA persistence: loading regular NTAs failed"; fi
status=`expr $status + $ret`
ret=0
#
# check "forced" attribute in NTA file works as expected at named
# startup.
#
n=`expr $n + 1`
echo "I: testing loading forced attribute from NTA file ($n)"
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
lines=`wc -l < rndc.out.ns4.test$n.1`
[ "$lines" -eq 0 ] || ret=1
# initially, secure.example. validates with AD=1
$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
echo "I:killing ns4 with SIGTERM"
cd ns4
kill -TERM `cat named.pid`
rm named.pid
cd ..
echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
sleep 4
#
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with the forced attribute and some future timestamp.
#
echo "secure.example. forced $future" > ns4/_default.nta
start=`$PERL -e 'print time()."\n";'`
if
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
# nta-recheck is configured as 7s, but even at t=10 the NTAs for
# secure.example. should not be lifted as it is a forced NTA.
echo "I:waiting till 10s have passed after ns4 was restarted"
$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
# secure.example. should now return an AD=0 answer (non-authenticated)
# as the NTA is still there.
$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
if [ $ret != 0 ]; then echo "I:failed - NTA persistence: loading forced NTAs failed"; fi
status=`expr $status + $ret`
ret=0
#
# check that NTA lifetime read from file is clamped to 1 week.
#
n=`expr $n + 1`
echo "I: testing loading out of bounds lifetime from NTA file ($n)"
echo "I:killing ns4 with SIGTERM"
cd ns4
kill -TERM `cat named.pid`
rm named.pid
cd ..
echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
sleep 4
#
# ns4 has now shutdown. add NTA for secure.example. directly into the
# _default.nta file with a lifetime well into the future.
#
echo "secure.example. forced $future" > ns4/_default.nta
added=`$PERL -e 'print time()."\n";'`
if
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
then
echo "I:restarted server ns4"
else
echo "I:could not restart server ns4"
exit 1
fi
echo "I:sleeping for an additional 4 seconds for ns4 to fully startup"
sleep 4
# dump the NTA to a file
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
lines=`wc -l < rndc.out.ns4.test$n.1`
[ "$lines" -eq 1 ] || ret=1
ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1`
# rndc nta outputs localtime, so append the timezone
ts_with_zone="$ts `date +%z`"
# ntadiff.pl computes $ts_with_zone - ($added + 1week)
d=`./ntadiff.pl "$ts_with_zone" "$added"`
echo "ts=$ts" > rndc.out.ns4.test$n.2
echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2
echo "d=$d" >> rndc.out.ns4.test$n.2
# diff from $added(now) + 1week to the clamped NTA lifetime should be
# less than a few seconds.
[ $d -lt 10 ] || ret=1
# cleanup
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
if [ $ret != 0 ]; then echo "I:failed - NTA lifetime clamping failed"; fi
status=`expr $status + $ret`
ret=0
echo "I:completed NTA tests"
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
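Review bot: The persistence tests write `_default.nta` by hand before each restart (the `echo "secure.example. ... $future" > ns4/_default.nta` lines) but never feed named a malformed or truncated file, which is the case that matters if named is killed mid-write or the directory is writable by someone else, and nothing here shows what the loader does with a bad line. A case that writes a garbage line followed by a valid one, restarts ns4, and checks that `rndc nta -d` lists only the valid entry and that queries still answer would pin that down. Separately, the fixed `sleep 4` after each `kill -TERM` is a flakiness source on slow hosts; capturing the pid first and polling with `while kill -0 "$pid" 2>/dev/null; do sleep 1; done` before `rm named.pid` would wait exactly as long as the shutdown (and the NTA save inside it) takes.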
......@@ -5788,8 +5788,8 @@ options {
configured trust anchors), <command>named</command> will
abort the DNSSEC validation process and treat the data as
insecure rather than bogus. This continues until the
NTA's lifetime is elapsed, or until the server is
restarted (NTAs do not persist across restarts).
NTA's lifetime is elapsed. NTAs persist
across <command>named</command> restarts.
</para>
<para>
For convenience, TTL-style time unit suffixes can be
......@@ -83,48 +83,50 @@
<itemizedlist>
<listitem>
<para>
The serial number of a dynamically updatable zone can
now be set using
<command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
This is particularly useful with <option>inline-signing</option>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
The serial number of a dynamically updatable zone can
now be set using
<command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
This is particularly useful with <option>inline-signing</option>
zones that have been reset. Setting the serial number to a value
larger than that on the slaves will trigger an AXFR-style
transfer.
</para>
</listitem>
<listitem>
<para>
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive serviers. The SERVFAIL cache timeout is controlled
by <option>servfail-ttl</option>, which defaults to 10 seconds
and has an upper limit of 30.
When answering recursive queries, SERVFAIL responses can now be
cached by the server for a limited time; subsequent queries for
the same query name and type will return another SERVFAIL until
the cache times out. This reduces the frequency of retries
when a query is persistently failing, which can be a burden
on recursive serviers. The SERVFAIL cache timeout is controlled
by <option>servfail-ttl</option>, which defaults to 10 seconds
and has an upper limit of 30.
</para>
</listitem>
<listitem>
<para>
The new <command>rndc nta</command> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <option>nta-lifetime</option> in
<filename>named.conf</filename>.
The new <command>rndc nta</command> command can now be used to
set a "negative trust anchor" (NTA), disabling DNSSEC validation for
a specific domain; this can be used when responses from a domain
are known to be failing validation due to administrative error
rather than because of a spoofing attack. NTAs are strictly
temporary; by default they expire after one hour, but can be
configured to last up to one week. The default NTA lifetime
can be changed by setting the <option>nta-lifetime</option> in
<filename>named.conf</filename>. When added, NTAs are stored in a
file (<filename><replaceable>viewname</replaceable>.nta</filename>)
in order to persist across restarts of the named server.
</para>
</listitem>
<listitem>
<para>
The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option then
ACLs containing <option>geoip</option> or <option>ecs</option>
elements can match against the the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
authoritative servers; if a query contains an ECS option then
ACLs containing <option>geoip</option> or <option>ecs</option>
elements can match against the the address encoded in the option.
This can be used to select a view for a query, so that different
answers can be provided depending on the client network.
</para>
</listitem>