Commit
b5f4cc13
authored
Sep 04, 2013
by
Mark Andrews
3641. [bug] Handle changes to sig-validity-interval settings
better. [RT #34625]
parent
8afea636
CHANGES
3641. [bug] Handle changes to sig-validity-interval settings
better. [RT #34625]
3640. [bug] ndots was not being checked when searching. Only
continue searching on NXDOMAIN responses. Add the
ability to specify ndots to nslookup. [RT #34711]
...
...
bin/dnssec/dnssec-signzone.c
...
...
@@ -950,7 +950,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
result
=
dns_db_newversion
(
db
,
&
ver
);
check_result
(
result
,
"dns_db_newversion"
);
dns_diff_init
(
mctx
,
&
diff
);
diff
.
resign
=
cycle
;
for
(
result
=
dns_rdataset_first
(
&
keyset
);
result
==
ISC_R_SUCCESS
;
...
...
@@ -1038,7 +1037,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
*/
dns_diff_init
(
mctx
,
&
del
);
dns_diff_init
(
mctx
,
&
add
);
del
.
resign
=
add
.
resign
=
cycle
;
rdsiter
=
NULL
;
result
=
dns_db_allrdatasets
(
gdb
,
node
,
gversion
,
0
,
&
rdsiter
);
check_result
(
result
,
"dns_db_allrdatasets()"
);
...
...
@@ -2084,7 +2082,6 @@ remove_duplicates(void) {
dns_name_t
*
name
;
dns_diff_init
(
mctx
,
&
diff
);
diff
.
resign
=
cycle
;
dns_fixedname_init
(
&
fname
);
name
=
dns_fixedname_name
(
&
fname
);
dns_rdataset_init
(
&
rdataset
);
...
...
@@ -2555,7 +2552,6 @@ build_final_keylist() {
check_result
(
result
,
"dns_db_newversion"
);
dns_diff_init
(
mctx
,
&
diff
);
diff
.
resign
=
cycle
;
/*
* Update keylist with information from from the key repository.
...
...
@@ -2763,7 +2759,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
strcat
(
filename
,
namestr
);
dns_diff_init
(
mctx
,
&
diff
);
diff
.
resign
=
cycle
;
if
(
type
==
dns_rdatatype_dlv
)
{
dns_name_t
tname
;
...
...
bin/named/update.c
...
...
@@ -404,7 +404,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init
(
diff
->
mctx
,
&
temp_diff
);
temp_diff
.
resign
=
diff
->
resign
;
ISC_LIST_APPEND
(
temp_diff
.
tuples
,
*
tuple
,
link
);
/*
...
...
bin/tests/system/dnssec/clean.sh
...
...
@@ -63,6 +63,7 @@ rm -f signer/nsec3param.out
rm
-f
ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm
-f
ns3/ttlpatch.example.db.patched
rm
-f
ns3/split-smart.example.db
rm
-f
ns3/siginterval.example.db
rm
-f
ns3/inline.example.db.signed
rm
-f
ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm
-f
ns6/optout-tld.db
...
...
@@ -70,3 +71,5 @@ rm -f nosign.before
rm
-f
signing.out
*
rm
-f
canonical?.
*
rm
-f
ns1/resolve.key
rm
-f
ns3/siginterval.conf
rm
-f
ns4/named_dump.db
bin/tests/system/dnssec/ns3/named.conf
...
...
@@ -270,4 +270,6 @@ zone "publish-inactive.example" {
update
-
policy
local
;
};
include
"siginterval.conf"
;
include
"trusted.conf"
;
bin/tests/system/dnssec/ns3/siginterval.example.db.in
0 → 100644
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2012042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns
ns A 10.53.0.3
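Review bot: The header of this new zone file still carries `; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $` and a 2012 copyright line, evidently copied from upper.example.db.in. Update the copyright year to match the commit and drop or reset the `$Id` line so the file does not claim another file's revision history.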
bin/tests/system/dnssec/ns3/siginterval1.conf
0 → 100644
zone
"siginterval.example"
{
type
master
;
allow
-
update
{
any
; };
sig
-
validity
-
interval
1
23
;
auto
-
dnssec
maintain
;
file
"siginterval.example.db"
;
};
bin/tests/system/dnssec/ns3/siginterval2.conf
0 → 100644
zone
"siginterval.example"
{
type
master
;
allow
-
update
{
any
; };
sig
-
validity
-
interval
35
28
;
auto
-
dnssec
maintain
;
file
"siginterval.example.db"
;
};
bin/tests/system/dnssec/ns3/sign.sh
...
...
@@ -451,3 +451,13 @@ kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
zskname
=
`
$KEYGEN
-q
-r
$RANDFILE
$zone
`
cp
$infile
$zonefile
$SIGNER
-S
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
#
# A zone which will change its sig-validity-interval
#
zone
=
siginterval.example
infile
=
siginterval.example.db.in
zonefile
=
siginterval.example.db
kskname
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
-fk
$zone
`
zskname
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
$zone
`
cp
$infile
$zonefile
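Review bot: Unlike the zone block just above it, this new block never runs $SIGNER: it generates the KSK/ZSK pair and copies the unsigned zone, so the initial signing is presumably left to named (siginterval1.conf configures `auto-dnssec maintain` with `allow-update { any; }`). Say that in the comment, e.g. `# A zone which will change its sig-validity-interval; left unsigned here so that named signs it on load (auto-dnssec maintain)`, otherwise the missing $SIGNER line reads as an oversight to the next person editing sign.sh.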
bin/tests/system/dnssec/setup.sh
...
...
@@ -25,6 +25,7 @@ cd ns1 && sh sign.sh
echo
"a.bogus.example. A 10.0.0.22"
>>
../ns3/bogus.example.db.signed
cd
../ns3
&&
cp
-f
siginterval1.conf siginterval.conf
cd
../ns4
&&
cp
-f
named1.conf named.conf
cd
../ns5
&&
cp
-f
trusted.conf.bad trusted.conf
bin/tests/system/dnssec/tests.sh
...
...
@@ -2326,5 +2326,19 @@ test $sigs -eq 2 || ret=1
if
test
$ret
!=
0
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:check that increasing the sig-validity-interval resigning triggers re-signing"
before
=
`
$DIG
axfr siginterval.example
-p
5300 @10.53.0.3 |
grep
RRSIG.SOA
`
cp
ns3/siginterval2.conf ns3/siginterval.conf
$RNDC
-c
../common/rndc.conf
-s
10.53.0.3
-p
9953 reconfig 2>&1 |
sed
's/^/I:ns3 /'
for
i
in
1 2 3 4 5 6 7 8 9 0
do
after
=
`
$DIG
axfr siginterval.example
-p
5300 @10.53.0.3 |
grep
RRSIG.SOA
`
test
"
$before
"
!=
"
$after
"
&&
break
sleep
1
done
n
=
`
expr
$n
+ 1
`
if
test
"
$before
"
=
"
$after
"
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:exit status:
$status
"
exit
$status
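Review bot: The new check can print `I:failed` but can never fail the run: `ret` is not reset to 0 after the `echo "I:check that increasing ..."` line and is never set to 1 in the `if test "$before" = "$after"` branch, so the final `status=` line simply re-adds the previous test's `ret`. Add `ret=0` right after the echo and change the failure branch to `echo "I:failed"; ret=1`. The comparison is also satisfied when `before` is empty, which happens if ns3 has not finished its first signing of siginterval.example when the axfr is taken (sign.sh only generates keys for this zone and does not run $SIGNER on it), so a first signing would be mistaken for a re-signing; guard with `test -n "$before" || ret=1` before the reconfig. The `n=` increment sits after the retry loop rather than at the top of the test where the test counter is conventionally bumped; move it up for consistency.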
lib/dns/diff.c
...
...
@@ -379,15 +379,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
diff
->
resign
);
dns_db_setsigningtime
(
db
,
modified
,
resign
);
if
(
diff
->
resign
==
0
&&
(
op
==
DNS_DIFFOP_ADDRESIGN
||
op
==
DNS_DIFFOP_DELRESIGN
))
isc_log_write
(
DIFF_COMMON_LOGARGS
,
ISC_LOG_WARNING
,
"resign requested "
"with 0 resign "
"interval"
);
}
}
else
if
(
result
==
DNS_R_UNCHANGED
)
{
/*
...
...
lib/dns/journal.c
...
...
@@ -1277,7 +1277,6 @@ roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options,
REQUIRE
(
DNS_DB_VALID
(
db
));
dns_diff_init
(
j
->
mctx
,
&
diff
);
diff
.
resign
=
resign
;
/*
* Set up empty initial buffers for unchecked and checked
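Review bot: After `diff.resign = resign;` is dropped, the `resign` parameter of roll_forward has no remaining use in this hunk; if nothing else in the function reads it (the parameter list and body continue outside the hunk), add `UNUSED(resign);` so -Wunused-parameter stays quiet, and state in the dns_journal_rollforward2 header comment that the interval argument is now ignored and retained only for API compatibility. The zone.c caller in this same commit now passes a literal `0` for it, which reads like a meaningful value to anyone unaware of this; a one-line comment at that call site, `/* resign interval: unused by the journal since the zone computes resign times itself */`, would prevent that.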
...
...
lib/dns/nsec3.c
...
...
@@ -300,7 +300,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init
(
diff
->
mctx
,
&
temp_diff
);
temp_diff
.
resign
=
diff
->
resign
;
ISC_LIST_APPEND
(
temp_diff
.
tuples
,
*
tuple
,
link
);
/*
...
...
lib/dns/update.c
...
...
@@ -232,7 +232,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init
(
diff
->
mctx
,
&
temp_diff
);
temp_diff
.
resign
=
diff
->
resign
;
ISC_LIST_APPEND
(
temp_diff
.
tuples
,
*
tuple
,
link
);
/*
...
...
@@ -1356,7 +1355,6 @@ dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_diff_init
(
diff
->
mctx
,
&
affected
);
dns_diff_init
(
diff
->
mctx
,
&
sig_diff
);
sig_diff
.
resign
=
dns_zone_getsigresigninginterval
(
zone
);
dns_diff_init
(
diff
->
mctx
,
&
nsec_diff
);
dns_diff_init
(
diff
->
mctx
,
&
nsec_mindiff
);
...
...
lib/dns/zone.c
...
...
@@ -2061,8 +2061,7 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
result
=
dns_master_loadfileinc4
(
load
->
zone
->
masterfile
,
dns_db_origin
(
load
->
db
),
dns_db_origin
(
load
->
db
),
load
->
zone
->
rdclass
,
options
,
load
->
zone
->
sigresigninginterval
,
load
->
zone
->
rdclass
,
options
,
0
,
&
load
->
callbacks
,
task
,
zone_loaddone
,
load
,
&
load
->
zone
->
lctx
,
...
...
@@ -2226,8 +2225,7 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
}
result
=
dns_master_loadfile4
(
zone
->
masterfile
,
&
zone
->
origin
,
&
zone
->
origin
,
zone
->
rdclass
,
options
,
zone
->
sigresigninginterval
,
zone
->
rdclass
,
options
,
0
,
&
callbacks
,
zone_registerinclude
,
zone
,
zone
->
mctx
,
...
...
@@ -3227,7 +3225,7 @@ set_resigntime(dns_zone_t *zone) {
goto
cleanup
;
}
resign
=
rdataset
.
resign
;
resign
=
rdataset
.
resign
-
zone
->
sigresigninginterval
;
dns_rdataset_disassociate
(
&
rdataset
);
isc_random_get
(
&
nanosecs
);
nanosecs
%=
1000000000
;
...
...
@@ -3632,7 +3630,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init
(
diff
->
mctx
,
&
temp_diff
);
temp_diff
.
resign
=
diff
->
resign
;
ISC_LIST_APPEND
(
temp_diff
.
tuples
,
*
tuple
,
link
);
/*
...
...
@@ -4100,8 +4097,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
else
options
=
0
;
result
=
dns_journal_rollforward2
(
zone
->
mctx
,
db
,
options
,
zone
->
sigresigninginterval
,
zone
->
journal
);
0
,
zone
->
journal
);
if
(
result
!=
ISC_R_SUCCESS
&&
result
!=
ISC_R_NOTFOUND
&&
result
!=
DNS_R_UPTODATE
&&
result
!=
DNS_R_NOJOURNAL
&&
result
!=
ISC_R_RANGE
)
{
...
...
@@ -4431,7 +4427,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
dns_zone_log
(
zone
,
ISC_LOG_DEBUG
(
3
),
"next resign: %s/%s in %d seconds"
,
namebuf
,
typebuf
,
next
.
resign
-
timenow
);
next
.
resign
-
timenow
-
zone
->
sigresigninginterval
);
dns_rdataset_disassociate
(
&
next
);
}
else
dns_zone_log
(
zone
,
ISC_LOG_WARNING
,
...
...
@@ -5803,6 +5800,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result
=
offline
(
db
,
ver
,
zonediff
,
name
,
rdataset
.
ttl
,
&
rdata
);
changed
=
ISC_TRUE
;
break
;
}
result
=
update_one_rr
(
db
,
ver
,
zonediff
->
diff
,
...
...
@@ -5971,7 +5969,6 @@ zone_resigninc(dns_zone_t *zone) {
dns_rdataset_init
(
&
rdataset
);
dns_fixedname_init
(
&
fixed
);
dns_diff_init
(
zone
->
mctx
,
&
_sig_diff
);
_sig_diff
.
resign
=
zone
->
sigresigninginterval
;
zonediff_init
(
&
zonediff
,
&
_sig_diff
);
/*
...
...
@@ -6031,7 +6028,7 @@ zone_resigninc(dns_zone_t *zone) {
i
=
0
;
while
(
result
==
ISC_R_SUCCESS
)
{
resign
=
rdataset
.
resign
;
resign
=
rdataset
.
resign
-
zone
->
sigresigninginterval
;
covers
=
rdataset
.
covers
;
dns_rdataset_disassociate
(
&
rdataset
);
...
...
@@ -6900,7 +6897,6 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_diff_init
(
zone
->
mctx
,
&
nsec3_diff
);
dns_diff_init
(
zone
->
mctx
,
&
nsec_diff
);
dns_diff_init
(
zone
->
mctx
,
&
_sig_diff
);
_sig_diff
.
resign
=
zone
->
sigresigninginterval
;
zonediff_init
(
&
zonediff
,
&
_sig_diff
);
ISC_LIST_INIT
(
cleanup
);
...
...
@@ -7746,7 +7742,6 @@ zone_sign(dns_zone_t *zone) {
dns_fixedname_init
(
&
nextfixed
);
nextname
=
dns_fixedname_name
(
&
nextfixed
);
dns_diff_init
(
zone
->
mctx
,
&
_sig_diff
);
_sig_diff
.
resign
=
zone
->
sigresigninginterval
;
dns_diff_init
(
zone
->
mctx
,
&
post_diff
);
zonediff_init
(
&
zonediff
,
&
_sig_diff
);
ISC_LIST_INIT
(
cleanup
);
...
...
@@ -8513,7 +8508,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_diff_init
(
mctx
,
&
diff
);
diff
.
resign
=
zone
->
sigresigninginterval
;
CHECK
(
dns_db_newversion
(
kfetch
->
db
,
&
ver
));
...
...
@@ -14083,7 +14077,10 @@ void
dns_zone_setsigresigninginterval
(
dns_zone_t
*
zone
,
isc_uint32_t
interval
)
{
REQUIRE
(
DNS_ZONE_VALID
(
zone
));
LOCK_ZONE
(
zone
);
zone
->
sigresigninginterval
=
interval
;
set_resigntime
(
zone
);
UNLOCK_ZONE
(
zone
);
}
isc_uint32_t
...
...
@@ -16370,7 +16367,6 @@ zone_rekey(dns_zone_t *zone) {
mctx
=
zone
->
mctx
;
dns_diff_init
(
mctx
,
&
diff
);
dns_diff_init
(
mctx
,
&
_sig_diff
);
_sig_diff
.
resign
=
zone
->
sigresigninginterval
;
zonediff_init
(
&
zonediff
,
&
_sig_diff
);
CHECK
(
dns_zone_getdb
(
zone
,
&
db
));
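Review bot: dns_zone_setsigresigninginterval now recomputes the resign time under LOCK_ZONE, but nothing in that hunk re-arms the zone timer, so a resign time that set_resigntime has just moved into the past (exactly what the new system test does by growing the interval from hours to weeks) is only acted on when the previously armed timer happens to fire. If set_resigntime does not itself reschedule the timer (its body is largely outside the 3227 hunk), add after it `if (zone->task != NULL) { TIME_NOW(&now); zone_settimer(zone, &now); }` with a local `isc_time_t now;`, assuming zone_settimer is the helper this file uses for that. Because this setter is also reached during zone configuration before any database is attached, set_resigntime must tolerate `zone->db == NULL` on the new call path; worth confirming. Separately, the zone_postload debug log at 4431 now formats `next.resign - timenow - zone->sigresigninginterval` with `%d`, an unsigned isc_stdtime_t expression that wraps when the resign time is already overdue; cast it to a signed type so an overdue resign prints as a negative number by design rather than by accident of argument reinterpretation.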
...
...