Commit b5f4cc13 authored by Mark Andrews's avatar Mark Andrews

3641. [bug] Handle changes to sig-validity-interval settings

                        better. [RT #34625]
parent 8afea636
3641. [bug] Handle changes to sig-validity-interval settings
better. [RT #34625]
3640. [bug] ndots was not being checked when searching. Only
continue searching on NXDOMAIN responses. Add the
ability to specify ndots to nslookup. [RT #34711]
......
......@@ -950,7 +950,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion");
dns_diff_init(mctx, &diff);
diff.resign = cycle;
for (result = dns_rdataset_first(&keyset);
result == ISC_R_SUCCESS;
......@@ -1038,7 +1037,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
*/
dns_diff_init(mctx, &del);
dns_diff_init(mctx, &add);
del.resign = add.resign = cycle;
rdsiter = NULL;
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
......@@ -2084,7 +2082,6 @@ remove_duplicates(void) {
dns_name_t *name;
dns_diff_init(mctx, &diff);
diff.resign = cycle;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_rdataset_init(&rdataset);
......@@ -2555,7 +2552,6 @@ build_final_keylist() {
check_result(result, "dns_db_newversion");
dns_diff_init(mctx, &diff);
diff.resign = cycle;
/*
* Update keylist with information from from the key repository.
......@@ -2763,7 +2759,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
strcat(filename, namestr);
dns_diff_init(mctx, &diff);
diff.resign = cycle;
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
......
......@@ -404,7 +404,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
......
......@@ -63,6 +63,7 @@ rm -f signer/nsec3param.out
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db
rm -f ns3/siginterval.example.db
rm -f ns3/inline.example.db.signed
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm -f ns6/optout-tld.db
......@@ -70,3 +71,5 @@ rm -f nosign.before
rm -f signing.out*
rm -f canonical?.*
rm -f ns1/resolve.key
rm -f ns3/siginterval.conf
rm -f ns4/named_dump.db
......@@ -270,4 +270,6 @@ zone "publish-inactive.example" {
update-policy local;
};
include "siginterval.conf";
include "trusted.conf";
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: upper.example.db.in,v 1.1.2.1 2012/01/17 08:31:00 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2012042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
@ NS ns
ns A 10.53.0.3
zone "siginterval.example" {
type master;
allow-update { any; };
sig-validity-interval 1 23;
auto-dnssec maintain;
file "siginterval.example.db";
};
zone "siginterval.example" {
type master;
allow-update { any; };
sig-validity-interval 35 28;
auto-dnssec maintain;
file "siginterval.example.db";
};
......@@ -451,3 +451,13 @@ kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone`
cp $infile $zonefile
$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# A zone which will change its sig-validity-interval
#
zone=siginterval.example
infile=siginterval.example.db.in
zonefile=siginterval.example.db
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
cp $infile $zonefile
......@@ -25,6 +25,7 @@ cd ns1 && sh sign.sh
echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed
cd ../ns3 && cp -f siginterval1.conf siginterval.conf
cd ../ns4 && cp -f named1.conf named.conf
cd ../ns5 && cp -f trusted.conf.bad trusted.conf
......@@ -2326,5 +2326,19 @@ test $sigs -eq 2 || ret=1
if test $ret != 0 ; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that increasing the sig-validity-interval resigning triggers re-signing"
before=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
cp ns3/siginterval2.conf ns3/siginterval.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
for i in 1 2 3 4 5 6 7 8 9 0
do
after=`$DIG axfr siginterval.example -p 5300 @10.53.0.3 | grep RRSIG.SOA`
test "$before" != "$after" && break
sleep 1
done
n=`expr $n + 1`
if test "$before" = "$after" ; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
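Review bot: The new check never records its own failure: `ret` is not reset before the `before=` capture, and the `I:failed` branch at `if test "$before" = "$after"` does not set `ret=1`, so the final `status=\`expr $status + $ret\`` adds whatever the previous test left in `ret` rather than the outcome of this one. Add `ret=0` before the `before=` line and change the check to `if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi`. The echo text also reads oddly; `echo "I:check that increasing the sig-validity-interval triggers re-signing"` says the same thing more clearly.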
......@@ -379,15 +379,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
diff->resign);
dns_db_setsigningtime(db, modified,
resign);
if (diff->resign == 0 &&
(op == DNS_DIFFOP_ADDRESIGN ||
op == DNS_DIFFOP_DELRESIGN))
isc_log_write(
DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"resign requested "
"with 0 resign "
"interval");
}
} else if (result == DNS_R_UNCHANGED) {
/*
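Review bot: The `diff->resign` argument that survives at the top of this hunk (the setresign call starts above the hunk) now carries only the zero that dns_diff_init leaves in the field, because as far as this commit shows every `diff.resign = ...` assignment in the callers has been removed, yet the field itself stays in dns_diff_t and the warning that used to flag a zero interval is dropped here. Any caller that still sets the field would shift the stored signing time here and again when the interval is subtracted in set_resigntime, with nothing left to warn about it. Either remove the field from dns_diff_t in the same commit, or pass a literal `0` and add `/* Signing times are stored unshifted; the resigning interval is applied when the resign time is read. */` above the call so the assignment is not reintroduced. diff_apply continues outside the hunk.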
......
......@@ -1277,7 +1277,6 @@ roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options,
REQUIRE(DNS_DB_VALID(db));
dns_diff_init(j->mctx, &diff);
diff.resign = resign;
/*
* Set up empty initial buffers for unchecked and checked
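Review bot: With `diff.resign = resign;` gone, the `resign` parameter of roll_forward appears to have no remaining reader (its body continues outside the hunk), and zone_postload now passes a literal `0` for it to dns_journal_rollforward2, as zone_gotreadhandle and zone_startload do for dns_master_loadfileinc4 and dns_master_loadfile4. If nothing else in roll_forward uses it, add `UNUSED(resign);` to silence the warning and note in the header comment of dns_journal_rollforward2 that the argument is ignored, so the public entry points do not keep a documented parameter that is silently discarded until they can be removed.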
......
......@@ -300,7 +300,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
......
......@@ -232,7 +232,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
......@@ -1356,7 +1355,6 @@ dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_diff_init(diff->mctx, &affected);
dns_diff_init(diff->mctx, &sig_diff);
sig_diff.resign = dns_zone_getsigresigninginterval(zone);
dns_diff_init(diff->mctx, &nsec_diff);
dns_diff_init(diff->mctx, &nsec_mindiff);
......
......@@ -2061,8 +2061,7 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
result = dns_master_loadfileinc4(load->zone->masterfile,
dns_db_origin(load->db),
dns_db_origin(load->db),
load->zone->rdclass, options,
load->zone->sigresigninginterval,
load->zone->rdclass, options, 0,
&load->callbacks, task,
zone_loaddone, load,
&load->zone->lctx,
......@@ -2226,8 +2225,7 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
}
result = dns_master_loadfile4(zone->masterfile,
&zone->origin, &zone->origin,
zone->rdclass, options,
zone->sigresigninginterval,
zone->rdclass, options, 0,
&callbacks,
zone_registerinclude,
zone, zone->mctx,
......@@ -3227,7 +3225,7 @@ set_resigntime(dns_zone_t *zone) {
goto cleanup;
}
resign = rdataset.resign;
resign = rdataset.resign - zone->sigresigninginterval;
dns_rdataset_disassociate(&rdataset);
isc_random_get(&nanosecs);
nanosecs %= 1000000000;
......@@ -3632,7 +3630,6 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
......@@ -4100,8 +4097,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
else
options = 0;
result = dns_journal_rollforward2(zone->mctx, db, options,
zone->sigresigninginterval,
zone->journal);
0, zone->journal);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
result != ISC_R_RANGE) {
......@@ -4431,7 +4427,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
dns_zone_log(zone, ISC_LOG_DEBUG(3),
"next resign: %s/%s in %d seconds",
namebuf, typebuf,
next.resign - timenow);
next.resign - timenow -
zone->sigresigninginterval);
dns_rdataset_disassociate(&next);
} else
dns_zone_log(zone, ISC_LOG_WARNING,
......@@ -5803,6 +5800,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = offline(db, ver, zonediff,
name, rdataset.ttl,
&rdata);
changed = ISC_TRUE;
break;
}
result = update_one_rr(db, ver, zonediff->diff,
......@@ -5971,7 +5969,6 @@ zone_resigninc(dns_zone_t *zone) {
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
dns_diff_init(zone->mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
zonediff_init(&zonediff, &_sig_diff);
/*
......@@ -6031,7 +6028,7 @@ zone_resigninc(dns_zone_t *zone) {
i = 0;
while (result == ISC_R_SUCCESS) {
resign = rdataset.resign;
resign = rdataset.resign - zone->sigresigninginterval;
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
......@@ -6900,7 +6897,6 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_diff_init(zone->mctx, &nsec3_diff);
dns_diff_init(zone->mctx, &nsec_diff);
dns_diff_init(zone->mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
zonediff_init(&zonediff, &_sig_diff);
ISC_LIST_INIT(cleanup);
......@@ -7746,7 +7742,6 @@ zone_sign(dns_zone_t *zone) {
dns_fixedname_init(&nextfixed);
nextname = dns_fixedname_name(&nextfixed);
dns_diff_init(zone->mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
dns_diff_init(zone->mctx, &post_diff);
zonediff_init(&zonediff, &_sig_diff);
ISC_LIST_INIT(cleanup);
......@@ -8513,7 +8508,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
INSIST(result == ISC_R_SUCCESS);
dns_diff_init(mctx, &diff);
diff.resign = zone->sigresigninginterval;
CHECK(dns_db_newversion(kfetch->db, &ver));
......@@ -14083,7 +14077,10 @@ void
dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
zone->sigresigninginterval = interval;
set_resigntime(zone);
UNLOCK_ZONE(zone);
}
isc_uint32_t
......@@ -16370,7 +16367,6 @@ zone_rekey(dns_zone_t *zone) {
mctx = zone->mctx;
dns_diff_init(mctx, &diff);
dns_diff_init(mctx, &_sig_diff);
_sig_diff.resign = zone->sigresigninginterval;
zonediff_init(&zonediff, &_sig_diff);
CHECK(dns_zone_getdb(zone, &db));
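Review bot: The new `resign = rdataset.resign - zone->sigresigninginterval;` in set_resigntime, and the identical expression in zone_resigninc, can wrap when the stored resign time is smaller than the interval, since rdataset.resign is an unsigned seconds value (presumably isc_stdtime_t); a wrapped result schedules the re-sign decades into the future instead of immediately, and the same subtraction feeds the `%d` in zone_postload's "next resign" debug message. A clamp such as `resign = (rdataset.resign > zone->sigresigninginterval) ? rdataset.resign - zone->sigresigninginterval : 0;` avoids the wrap; confirm the local's type, which is declared outside the hunk. In dns_zone_setsigresigninginterval, set_resigntime's body is also outside the hunk: if it only records zone->resigntime without rearming the zone timer, a reconfig that shortens the interval takes effect only at the next scheduled event, so consider calling zone_settimer with the current time when `zone->task != NULL`. Since this path is now reachable at configuration time, also confirm set_resigntime tolerates a zone whose database is not yet attached.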
......