Add NTA persistence (#37087)

4034.   [func]          When added, negative trust anchors (NTA) are now
                        saved to files (viewname.nta), in order to
                        persist across restarts of the named server.
                        [RT #37087]

CHANGES

+4034.	[func]		When added, negative trust anchors (NTA) are now
+			saved to files (viewname.nta), in order to
+			persist across restarts of the named server.
+			[RT #37087]
+
 4033.	[bug]		Missing out of memory check in request.c:req_send.
 			[RT #38311]
 

bin/named/include/named/server.h

@@ -272,6 +272,18 @@ ns_server_togglequerylog(ns_server_t *server, char *args);
  * but can also be used as a toggle for backward comptibility.)
  */
 
+/*%
+ * Save the current NTAs for all views to files.
+ */
+isc_result_t
+ns_server_saventa(ns_server_t *server);
+
+/*%
+ * Load NTAs for all views from files.
+ */
+isc_result_t
+ns_server_loadnta(ns_server_t *server);
+
 /*%
  * Dump the current statistics to the statistics file.
  */

bin/named/server.c

@@ -6620,6 +6620,8 @@ run_server(isc_task_t *task, isc_event_t *event) {
 	isc_hash_init();
 
 	CHECKFATAL(load_zones(server, ISC_TRUE), "loading zones");
+
+	(void) ns_server_loadnta(server);
 }
 
 void
@@ -6660,6 +6662,8 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 	cfg_parser_destroy(&ns_g_parser);
 	cfg_parser_destroy(&ns_g_addparser);
 
+	(void) ns_server_saventa(server);
+
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = view_next) {
@@ -10190,7 +10194,7 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
 		    strcmp(view->name, viewname) != 0)
 			continue;
 
-		if (view->nta_lifetime == 0 || view->nta_recheck == 0)
+		if (view->nta_lifetime == 0)
 			continue;
 
 		if (!ttlset)
@@ -10207,7 +10211,7 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
 
 		result = dns_view_flushnode(view, ntaname, ISC_TRUE);
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 			      "flush tree '%s' in cache view '%s': %s",
 			      nametext, view->name,
 			      isc_result_totext(result));
@@ -10228,7 +10232,7 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
 			CHECK(putstr(text, tbuf));
 
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 				      "added NTA '%s' (%d sec) in view '%s'",
 				      nametext, ntattl, view->name);
 		} else {
@@ -10240,12 +10244,22 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
 			CHECK(putstr(text, view->name));
 
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 				      "removed NTA '%s' in view %s",
 				      nametext, view->name);
 		}
 
+		result = dns_view_saventa(view);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "error writing NTA file "
+				      "for view '%s': %s",
+				      view->name, isc_result_totext(result));
+		}
+
 		CHECK(putnull(text));
+
 	}
 
  cleanup:
@@ -10259,3 +10273,50 @@ ns_server_nta(ns_server_t *server, char *args, isc_buffer_t **text) {
 		dns_ntatable_detach(&ntatable);
 	return (result);
 }
+
+isc_result_t
+ns_server_saventa(ns_server_t *server) {
+	dns_view_t *view;
+
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		isc_result_t result = dns_view_saventa(view);
+
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "error writing NTA file "
+				      "for view '%s': %s",
+				      view->name, isc_result_totext(result));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_loadnta(ns_server_t *server) {
+	dns_view_t *view;
+
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		isc_result_t result = dns_view_loadnta(view);
+
+		if ((result != ISC_R_SUCCESS) &&
+		    (result != ISC_R_FILENOTFOUND) &&
+		    (result != ISC_R_NOTFOUND))
+		{
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "error loading NTA file "
+				      "for view '%s': %s",
+				      view->name, isc_result_totext(result));
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}

bin/rndc/rndc.docbook

@@ -606,7 +606,7 @@
           <para>
             Sets a DNSSEC negative trust anchor (NTA)
             for <option>domain</option>, with a lifetime of
-            <option>lifetime</option>.  The default lifetime is
+            <option>duration</option>.  The default lifetime is
             configured in <filename>named.conf</filename> via the
             <option>nta-lifetime</option> option, and defaults to
             one hour.  The lifetime cannot exceed one week.
@@ -620,8 +620,17 @@
             configured trust anchors), <command>named</command> will
             abort the DNSSEC validation process and treat the data as
             insecure rather than bogus.  This continues until the
-            NTA's lifetime is elapsed, or until the server is
-            restarted (NTAs do not persist across restarts).
+            NTA's lifetime is elapsed.
+          </para>
+          <para>
+            NTAs persist across restarts of the named server.
+            The NTAs for a view are saved in a file called
+            <filename><replaceable>name</replaceable>.nta</filename>,
+            where <replaceable>name</replaceable> is the
+            name of the view, or if it contains characters
+            that are incompatible with use as a file name, a
+            cryptographic hash generated from the name
+            of the view.
           </para>
           <para>
             An existing NTA can be removed by using the

bin/tests/system/dnssec/clean.sh

@@ -82,3 +82,4 @@ rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
 rm -f ns3/dnskey-unknown.example.db
 rm -f ns3/dnskey-unknown.example.db.tmp
 rm -f ns*/named.lock
+rm -f ns*/*.nta

bin/tests/system/dnssec/ntadiff.pl

+#!/usr/bin/perl -w
+
+use strict;
+use Time::Piece;
+use Time::Seconds;
+
+exit 1 if (scalar(@ARGV) != 2);
+
+my $actual = Time::Piece->strptime($ARGV[0], '%d-%b-%Y %H:%M:%S.000 %z');
+my $expected = Time::Piece->strptime($ARGV[1], '%s') + ONE_WEEK;
+my $diff = abs($actual - $expected);
+
+print($diff . "\n");

bin/tests/system/dnssec/tests.sh

@@ -1663,6 +1663,7 @@ grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null || ret=1
 $DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null || ret=1
 $DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo "I:failed - checking initial state"; fi
@@ -1693,9 +1694,12 @@ ret=0
 #
 $DIG $DIGOPTS a.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
 $DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.5 > /dev/null && ret=1
 $DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.6 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.6 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.6 > /dev/null && ret=1
 $DIG $DIGOPTS a.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.7 || ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.7 > /dev/null && ret=1
@@ -1721,12 +1725,14 @@ echo "I: waiting for NTA rechecks/expirations"
 #
 $PERL -e 'my $delay =  '$start' + 8 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
 $DIG $DIGOPTS b.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.8 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.8 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.8 > /dev/null || ret=1
 $DIG $DIGOPTS b.fakenode.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.9 || ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.9 > /dev/null || ret=1
 grep "status: NXDOMAIN" dig.out.ns4.test$n.9 > /dev/null || ret=1
 $DIG $DIGOPTS badds.example. soa @10.53.0.4 > dig.out.ns4.test$n.10 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.10 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.10 > /dev/null && ret=1
 
 if [ $ret != 0 ]; then echo "I:failed - checking that default nta's were lifted due to recheck"; fi
 status=`expr $status + $ret`
@@ -1738,11 +1744,17 @@ ret=0
 # lifetime of 10s, so it should revert to SERVFAIL now.
 #
 $PERL -e 'my $delay = '$start' + 11 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+# check nta table
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n._11
+lines=`wc -l < rndc.out.ns4.test$n._11`
+[ "$lines" -eq 2 ] || ret=1
 $DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.11 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.11 > /dev/null && ret=1
 $DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.12 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.12 > /dev/null || ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.12 > /dev/null && ret=1
 $DIG $DIGOPTS c.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.13 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.13 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.13 > /dev/null || ret=1
 
 if [ $ret != 0 ]; then echo "I:failed - checking that default nta's were lifted due to lifetime"; fi
@@ -1755,6 +1767,7 @@ ret=0
 $PERL -e 'my $delay = '$start' + 21 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
 # check correct behavior after bogus.example expiry
 $DIG $DIGOPTS d.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.14 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.14 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.14 > /dev/null || ret=1
 $DIG $DIGOPTS c.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.15 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.15 > /dev/null || ret=1
@@ -1763,8 +1776,9 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.3
 lines=`wc -l < rndc.out.ns4.test$n.3`
 [ "$lines" -eq 0 ] || ret=1
 n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed - that all nta's have been lifted"; fi
+if [ $ret != 0 ]; then echo "I:failed - checking that all nta's have been lifted"; fi
 status=`expr $status + $ret`
+ret=0
 
 n=`expr $n + 1`
 echo "I: testing NTA removals ($n)"
@@ -1772,6 +1786,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta badds.example 2>&1 | sed '
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1
 grep "badds.example: expiry" rndc.out.ns4.test$n.1 > /dev/null || ret=1
 $DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.1 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.1 > /dev/null && ret=1
 grep "^a.badds.example." dig.out.ns4.test$n.1 > /dev/null || ret=1
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove badds.example > rndc.out.ns4.test$n.2
 grep "Negative trust anchor removed: badds.example/_default" rndc.out.ns4.test$n.2 > /dev/null || ret=1
@@ -1786,6 +1801,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -r foo > rndc.out.ns4.test
 grep "'nta' failed: not found" rndc.out.ns4.test$n.6 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+ret=0
 
 n=`expr $n + 1`
 echo "I: testing NTA with bogus lifetimes ($n)"
@@ -1800,7 +1816,248 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -l 7d1h foo > rndc.out.ns4
 grep "'nta' failed: out of range" rndc.out.ns4.test$n.3 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+ret=0
+
+#
+# check NTA persistence across restarts
+#
+n=`expr $n + 1`
+echo "I: testing NTA persistence across restarts ($n)"
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1
+lines=`wc -l < rndc.out.ns4.test$n.1`
+[ "$lines" -eq 0 ] || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 30s bogus.example 2>&1 | sed 's/^/I:ns4 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -f -l 10s badds.example 2>&1 | sed 's/^/I:ns4 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.2
+lines=`wc -l < rndc.out.ns4.test$n.2`
+[ "$lines" -eq 2 ] || ret=1
+start=`$PERL -e 'print time()."\n";'`
+
+if [ $ret != 0 ]; then echo "I:failed - NTA persistence: adding NTA's failed"; fi
+status=`expr $status + $ret`
+ret=0
+
+echo "I:killing ns4 with SIGTERM"
+cd ns4
+kill -TERM `cat named.pid`
+rm named.pid
+cd ..
+
+#
+# ns4 has now shutdown. wait until t=14 when badds.example's NTA
+# (lifetime=10s) would have expired, and then restart ns4.
+#
+echo "I:waiting till 14s have passed since NTAs were added before restarting ns4"
+$PERL -e 'my $delay = '$start' + 14 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+if
+        $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
+then
+        echo "I:restarted server ns4"
+else
+        echo "I:could not restart server ns4"
+        exit 1
+fi
+
+echo "I:sleeping for an additional 4 seconds for ns4 to fully startup"
+sleep 4
+
+#
+# ns4 should be back up now. The NTA for bogus.example should still be
+# valid, whereas badds.example should not have been added during named
+# startup (as it had already expired).
+#
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.3
+lines=`wc -l < rndc.out.ns4.test$n.3`
+[ "$lines" -eq 1 ] || ret=1
+grep "bogus.example: expiry" rndc.out.ns4.test$n.3 > /dev/null || ret=1
+$DIG $DIGOPTS b.bogus.example. a @10.53.0.4 > dig.out.ns4.test$n.4 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
+$DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1
+
+# cleanup
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove bogus.example > rndc.out.ns4.test$n.6
+
+if [ $ret != 0 ]; then echo "I:failed - NTA persistence: restoring NTA failed"; fi
+status=`expr $status + $ret`
+ret=0
+
+#
+# check "regular" attribute in NTA file works as expected at named
+# startup.
+#
+n=`expr $n + 1`
+echo "I: testing loading regular attribute from NTA file ($n)"
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=`wc -l < rndc.out.ns4.test$n.1`
+[ "$lines" -eq 0 ] || ret=1
+# initially, secure.example. validates with AD=1
+$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
+
+echo "I:killing ns4 with SIGTERM"
+cd ns4
+kill -TERM `cat named.pid`
+rm named.pid
+cd ..
+
+echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with the regular attribute and some future timestamp.
+#
+year=`date +%Y`
+future="`expr 20 + ${year}`0101010000"
+echo "secure.example. regular $future" > ns4/_default.nta
+start=`$PERL -e 'print time()."\n";'`
+
+if
+        $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
+then
+        echo "I:restarted server ns4"
+else
+        echo "I:could not restart server ns4"
+        exit 1
+fi
+
+# nta-recheck is configured as 7s, so at t=10 the NTAs for
+# secure.example. should be lifted as it is not a forced NTA.
+echo "I:waiting till 10s have passed after ns4 was restarted"
+$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+# secure.example. should now return an AD=1 answer (still validates) as
+# the NTA has been lifted.
+$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null || ret=1
+
+# cleanup
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
+
+if [ $ret != 0 ]; then echo "I:failed - NTA persistence: loading regular NTAs failed"; fi
+status=`expr $status + $ret`
+ret=0
+
+#
+# check "forced" attribute in NTA file works as expected at named
+# startup.
+#
+n=`expr $n + 1`
+echo "I: testing loading forced attribute from NTA file ($n)"
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=`wc -l < rndc.out.ns4.test$n.1`
+[ "$lines" -eq 0 ] || ret=1
+# initially, secure.example. validates with AD=1
+$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.2 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.2 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.2 > /dev/null || ret=1
+
+echo "I:killing ns4 with SIGTERM"
+cd ns4
+kill -TERM `cat named.pid`
+rm named.pid
+cd ..
+
+echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with the forced attribute and some future timestamp.
+#
+echo "secure.example. forced $future" > ns4/_default.nta
+start=`$PERL -e 'print time()."\n";'`
+
+if
+        $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
+then
+        echo "I:restarted server ns4"
+else
+        echo "I:could not restart server ns4"
+        exit 1
+fi
+
+# nta-recheck is configured as 7s, but even at t=10 the NTAs for
+# secure.example. should not be lifted as it is a forced NTA.
+echo "I:waiting till 10s have passed after ns4 was restarted"
+$PERL -e 'my $delay = '$start' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+
+# secure.example. should now return an AD=0 answer (non-authenticated)
+# as the NTA is still there.
+$DIG $DIGOPTS a.secure.example. a @10.53.0.4 > dig.out.ns4.test$n.3 || ret=1
+grep "status: SERVFAIL" dig.out.ns4.test$n.3 > /dev/null && ret=1
+grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.3 > /dev/null && ret=1
+
+# cleanup
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.4 2>/dev/null
+
+if [ $ret != 0 ]; then echo "I:failed - NTA persistence: loading forced NTAs failed"; fi
+status=`expr $status + $ret`
+ret=0
+
+#
+# check that NTA lifetime read from file is clamped to 1 week.
+#
+n=`expr $n + 1`
+echo "I: testing loading out of bounds lifetime from NTA file ($n)"
+
+echo "I:killing ns4 with SIGTERM"
+cd ns4
+kill -TERM `cat named.pid`
+rm named.pid
+cd ..
+
+echo "I:sleeping for an additional 4 seconds for ns4 to fully shutdown"
+sleep 4
+
+#
+# ns4 has now shutdown. add NTA for secure.example. directly into the
+# _default.nta file with a lifetime well into the future.
+#
+echo "secure.example. forced $future" > ns4/_default.nta
+added=`$PERL -e 'print time()."\n";'`
+
+if
+        $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
+then
+        echo "I:restarted server ns4"
+else
+        echo "I:could not restart server ns4"
+        exit 1
+fi
+
+echo "I:sleeping for an additional 4 seconds for ns4 to fully startup"
+sleep 4
+
+# dump the NTA to a file
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.1 2>/dev/null
+lines=`wc -l < rndc.out.ns4.test$n.1`
+[ "$lines" -eq 1 ] || ret=1
+ts=`awk '{print $3" "$4}' < rndc.out.ns4.test$n.1`
+# rndc nta outputs localtime, so append the timezone
+ts_with_zone="$ts `date +%z`"
+# ntadiff.pl computes $ts_with_zone - ($added + 1week)
+d=`./ntadiff.pl "$ts_with_zone" "$added"`
+echo "ts=$ts" > rndc.out.ns4.test$n.2
+echo "ts_with_zone=$ts_with_zone" >> rndc.out.ns4.test$n.2
+echo "d=$d" >> rndc.out.ns4.test$n.2
+# diff from $added(now) + 1week to the clamped NTA lifetime should be
+# less than a few seconds.
+[ $d -lt 10 ] || ret=1
+
+# cleanup
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove secure.example > rndc.out.ns4.test$n.3 2>/dev/null
+
+if [ $ret != 0 ]; then echo "I:failed - NTA lifetime clamping failed"; fi
+status=`expr $status + $ret`
+ret=0
 
+echo "I:completed NTA tests"
 
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.

doc/arm/Bv9ARM-book.xml

@@ -5788,8 +5788,8 @@ options {
 		  configured trust anchors), <command>named</command> will
 		  abort the DNSSEC validation process and treat the data as
 		  insecure rather than bogus.  This continues until the
-		  NTA's lifetime is elapsed, or until the server is
-		  restarted (NTAs do not persist across restarts).
+		  NTA's lifetime is elapsed. NTAs persist
+		  across <command>named</command> restarts.
 		</para>
 		<para>
 		  For convenience, TTL-style time unit suffixes can be

doc/arm/notes.xml

@@ -83,48 +83,50 @@
     <itemizedlist>
       <listitem>
 	<para>
-          The serial number of a dynamically updatable zone can
-          now be set using
-          <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
-          This is particularly useful with <option>inline-signing</option>
-          zones that have been reset.  Setting the serial number to a value
-          larger than that on the slaves will trigger an AXFR-style
+	  The serial number of a dynamically updatable zone can
+	  now be set using
+	  <command>rndc signing -serial <replaceable>number</replaceable> <replaceable>zonename</replaceable></command>.
+	  This is particularly useful with <option>inline-signing</option>
+	  zones that have been reset.  Setting the serial number to a value
+	  larger than that on the slaves will trigger an AXFR-style
 	  transfer.
 	</para>
       </listitem>
       <listitem>
 	<para>
-          When answering recursive queries, SERVFAIL responses can now be
-          cached by the server for a limited time; subsequent queries for
-          the same query name and type will return another SERVFAIL until
-          the cache times out.  This reduces the frequency of retries
-          when a query is persistently failing, which can be a burden
-          on recursive serviers.  The SERVFAIL cache timeout is controlled
-          by <option>servfail-ttl</option>, which defaults to 10 seconds
-          and has an upper limit of 30.
+	  When answering recursive queries, SERVFAIL responses can now be
+	  cached by the server for a limited time; subsequent queries for
+	  the same query name and type will return another SERVFAIL until
+	  the cache times out.  This reduces the frequency of retries
+	  when a query is persistently failing, which can be a burden
+	  on recursive serviers.  The SERVFAIL cache timeout is controlled
+	  by <option>servfail-ttl</option>, which defaults to 10 seconds
+	  and has an upper limit of 30.
 	</para>
       </listitem>
       <listitem>
 	<para>
-          The new <command>rndc nta</command> command can now be used to
-          set a "negative trust anchor" (NTA), disabling DNSSEC validation for
-          a specific domain; this can be used when responses from a domain
-          are known to be failing validation due to administrative error
-          rather than because of a spoofing attack. NTAs are strictly
-          temporary; by default they expire after one hour, but can be
-          configured to last up to one week.  The default NTA lifetime
-          can be changed by setting the <option>nta-lifetime</option> in
-          <filename>named.conf</filename>.
+	  The new <command>rndc nta</command> command can now be used to
+	  set a "negative trust anchor" (NTA), disabling DNSSEC validation for
+	  a specific domain; this can be used when responses from a domain
+	  are known to be failing validation due to administrative error
+	  rather than because of a spoofing attack. NTAs are strictly
+	  temporary; by default they expire after one hour, but can be
+	  configured to last up to one week.  The default NTA lifetime
+	  can be changed by setting the <option>nta-lifetime</option> in
+	  <filename>named.conf</filename>. When added, NTAs are stored in a
+	  file (<filename><replaceable>viewname</replaceable>.nta</filename>)
+	  in order to persist across restarts of the named server.
 	</para>
       </listitem>
       <listitem>
 	<para>
 	  The EDNS Client Subnet (ECS) option is now supported for
-          authoritative servers; if a query contains an ECS option then
-          ACLs containing <option>geoip</option> or <option>ecs</option>
-          elements can match against the the address encoded in the option.
-          This can be used to select a view for a query, so that different
-          answers can be provided depending on the client network.
+	  authoritative servers; if a query contains an ECS option then