Commit b7e40659 authored by Evan Hunt's avatar Evan Hunt

[master] rebuild resigning heaps when loading map files

3597.	[bug]		Ensure automatic-resigning heaps are reconstructed
			when loading zones in map format. [RT #33381]
parent 8f1e2789
3597. [bug] Ensure automatic-resigning heaps are reconstructed
when loading zones in map format. [RT #33381]
3596. [port] Updated win32 build documentation, added
dnssec-verify. [RT #22067]
......
......@@ -306,8 +306,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
}
tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata,
&tuple);
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN,
name, ttl, &trdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(add, &tuple);
}
......@@ -602,24 +602,23 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
vbprintf(2, "\tfixing ttl %s\n", sigstr);
tuple = NULL;
result = dns_difftuple_create(mctx,
DNS_DIFFOP_DEL,
name, sigset.ttl,
&sigrdata,
&tuple);
DNS_DIFFOP_DELRESIGN,
name, sigset.ttl,
&sigrdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(del, &tuple);
result = dns_difftuple_create(mctx,
DNS_DIFFOP_ADD,
name, ttl,
&sigrdata,
&tuple);
DNS_DIFFOP_ADDRESIGN,
name, ttl,
&sigrdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(add, &tuple);
}
} else {
tuple = NULL;
vbprintf(2, "removing signature by %s\n", sigstr);
result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
result = dns_difftuple_create(mctx,
DNS_DIFFOP_DELRESIGN,
name, sigset.ttl,
&sigrdata, &tuple);
check_result(result, "dns_difftuple_create");
......@@ -951,6 +950,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion");
dns_diff_init(mctx, &diff);
diff.resign = cycle;
for (result = dns_rdataset_first(&keyset);
result == ISC_R_SUCCESS;
......@@ -963,7 +963,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
dsbuf, &ds);
check_result(result, "dns_ds_buildrdata");
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
ttl, &ds, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
......@@ -973,7 +973,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
dsbuf, &ds);
check_result(result, "dns_ds_buildrdata");
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
ttl, &ds, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
......@@ -1038,6 +1038,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
*/
dns_diff_init(mctx, &del);
dns_diff_init(mctx, &add);
del.resign = add.resign = cycle;
rdsiter = NULL;
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
......@@ -2060,10 +2061,9 @@ rrset_remove_duplicates(dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_current(&tmprdataset, &rdata2);
if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
result = dns_difftuple_create(mctx,
DNS_DIFFOP_DEL,
name,
rdataset->ttl,
&rdata2, &tuple);
DNS_DIFFOP_DELRESIGN,
name, rdataset->ttl,
&rdata2, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(diff, &tuple);
}
......@@ -2084,6 +2084,7 @@ remove_duplicates(void) {
dns_name_t *name;
dns_diff_init(mctx, &diff);
diff.resign = cycle;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_rdataset_init(&rdataset);
......@@ -2554,6 +2555,7 @@ build_final_keylist() {
check_result(result, "dns_db_newversion");
dns_diff_init(mctx, &diff);
diff.resign = cycle;
/*
* Update keylist with information from from the key repository.
......@@ -2761,6 +2763,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
strcat(filename, namestr);
dns_diff_init(mctx, &diff);
diff.resign = cycle;
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
......@@ -2817,7 +2820,8 @@ writeset(const char *prefix, dns_rdatatype_t type) {
check_result(result, "dns_ds_buildrdata");
if (type == dns_rdatatype_dlv)
ds.type = dns_rdatatype_dlv;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
result = dns_difftuple_create(mctx,
DNS_DIFFOP_ADDRESIGN,
name, 0, &ds, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
......@@ -2829,11 +2833,13 @@ writeset(const char *prefix, dns_rdatatype_t type) {
check_result(result, "dns_ds_buildrdata");
if (type == dns_rdatatype_dlv)
ds.type = dns_rdatatype_dlv;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
result = dns_difftuple_create(mctx,
DNS_DIFFOP_ADDRESIGN,
name, 0, &ds, &tuple);
} else
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
result = dns_difftuple_create(mctx,
DNS_DIFFOP_ADDRESIGN,
gorigin, zone_soa_min_ttl,
&rdata, &tuple);
check_result(result, "dns_difftuple_create");
......
......@@ -21,7 +21,7 @@ rm -f ns1/example.db.raw*
rm -f ns1/example.db.compat
rm -f ns1/example.db.serial.raw
rm -f ns1/large.db ns1/large.db.raw
rm -f ns1/example.db.map
rm -f ns1/example.db.map ns1/signed.db.map
rm -f dig.out.*
rm -f dig.out
rm -f */named.memstats
......@@ -32,3 +32,6 @@ rm -f ns2/db-*
rm -f ns2/large.bk
rm -f ns3/example.db.map ns3/dynamic.db.map
rm -f baseline.txt text.1 text.2 raw.1 raw.2 map.1 map.2 map.5 text.5 badmap
rm -f ns1/Ksigned.* ns1/dsset-signed. ns1/signed.db.signed
rm -f random.data
rm -f rndc.out
......@@ -14,6 +14,10 @@
# $Id$
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=../random.data
../named-compilezone -D -F raw -o example.db.raw example \
example.db > /dev/null 2>&1
../named-compilezone -D -F map -o ../ns3/example.db.map example \
......@@ -30,3 +34,7 @@
../named-compilezone -D -F map -o example.db.map example-map \
example.db > /dev/null 2>&1
$KEYGEN -q -r $RANDFILE signed > /dev/null 2>&1
$KEYGEN -q -r $RANDFILE -fk signed > /dev/null 2>&1
$SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
......@@ -30,6 +30,15 @@ options {
dnssec-enable yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
zone "example" {
type master;
masterfile-format raw;
......@@ -66,3 +75,12 @@ zone "large" {
masterfile-format raw;
allow-transfer { any; };
};
zone "signed" {
type master;
file "signed.db.map";
masterfile-format map;
allow-transfer { any; };
update-policy local;
auto-dnssec maintain;
};
; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 1D
@ IN SOA ns hostmaster (
1
3600
1800
1814400
3
)
NS ns
ns A 10.53.0.1
mx MX 10 mail
a A 10.53.0.1
A 10.53.0.2
aaaa AAAA 2001:db8::53
cname CNAME cname-target
dname DNAME dname-target
txt TXT "this is text"
......@@ -16,6 +16,9 @@
rm -f named-compilezone
ln -s $CHECKZONE named-compilezone
../../../tools/genrandom 400 random.data
rm -f ns1/example.db.raw
cp ns1/example.db ns2/
cp ns2/formerly-text.db.in ns2/formerly-text.db
......
......@@ -255,5 +255,24 @@ stomp badmap 2897 5 127
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:checking map format zone is scheduled for resigning (compilezone)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 zonestatus signed > rndc.out 2>&1 || ret=1
grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:checking map format zone is scheduled for resigning (signzone)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze signed > rndc.out 2>&1 || ret=1
cd ns1
$SIGNER -S -O map -f signed.db.map -o signed signed.db > /dev/null 2>&1
cd ..
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload signed > rndc.out 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 zonestatus signed > rndc.out 2>&1 || ret=1
grep 'next resign' rndc.out > /dev/null 2>&1 || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
......@@ -158,7 +158,9 @@ typedef isc_result_t (*dns_rbtdatawriter_t)(FILE *file,
typedef isc_result_t (*dns_rbtdatafixer_t)(dns_rbtnode_t *rbtnode,
void *base, size_t offset,
isc_uint64_t *crc);
void *arg, isc_uint64_t *crc);
typedef void (*dns_rbtdeleter_t)(void *, void *);
/*****
***** Chain Info
......@@ -256,7 +258,7 @@ typedef struct dns_rbtnodechain {
***** Public interfaces.
*****/
isc_result_t
dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter,
void *deleter_arg, dns_rbt_t **rbtp);
/*%<
* Initialize a red-black tree of trees.
......@@ -710,8 +712,8 @@ dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt,
isc_result_t
dns_rbt_deserialize_tree(void *base_address, size_t filesize,
off_t header_offset, isc_mem_t *mctx,
void (*deleter)(void *, void *), void *deleter_arg,
dns_rbtdatafixer_t datafixer,
dns_rbtdeleter_t deleter, void *deleter_arg,
dns_rbtdatafixer_t datafixer, void *fixer_arg,
dns_rbtnode_t **originp, dns_rbt_t **rbtp);
/*%<
* Read a RBT structure and its data from a file.
......
......@@ -2999,7 +2999,6 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
if (dataset.type == dns_rdatatype_rrsig &&
(lctx->options & DNS_MASTER_RESIGN) != 0) {
dataset.attributes |= DNS_RDATASETATTR_RESIGN;
dns_name_format(owner, namebuf, sizeof(namebuf));
dataset.resign = resign_fromlist(this, lctx->resign);
}
result = ((*callbacks->add)(callbacks->add_private, owner,
......
......@@ -370,7 +370,8 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp);
static isc_result_t
treefix(dns_rbt_t *rbt, void *base, size_t size,
dns_rbtnode_t *n, dns_name_t *name,
dns_rbtdatafixer_t datafixer, isc_uint64_t *crc);
dns_rbtdatafixer_t datafixer, void *fixer_arg,
isc_uint64_t *crc);
static isc_result_t
deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
......@@ -694,7 +695,8 @@ dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt,
static isc_result_t
treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
dns_name_t *name, dns_rbtdatafixer_t datafixer, isc_uint64_t *crc)
dns_name_t *name, dns_rbtdatafixer_t datafixer,
void *fixer_arg, isc_uint64_t *crc)
{
isc_result_t result = ISC_R_SUCCESS;
dns_fixedname_t fixed;
......@@ -772,16 +774,16 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
/* a change in the order (from left, right, down) will break hashing*/
if (n->left != NULL)
CHECK(treefix(rbt, base, filesize, n->left, name,
datafixer, crc));
datafixer, fixer_arg, crc));
if (n->right != NULL)
CHECK(treefix(rbt, base, filesize, n->right, name,
datafixer, crc));
datafixer, fixer_arg, crc));
if (n->down != NULL)
CHECK(treefix(rbt, base, filesize, n->down, fullname,
datafixer, crc));
datafixer, fixer_arg, crc));
if (datafixer != NULL && n->data != NULL)
CHECK(datafixer(n, base, filesize, crc));
CHECK(datafixer(n, base, filesize, fixer_arg, crc));
rbt->nodecount++;
node_data = (unsigned char *) n + sizeof(dns_rbtnode_t);
......@@ -807,9 +809,8 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
isc_result_t
dns_rbt_deserialize_tree(void *base_address, size_t filesize,
off_t header_offset, isc_mem_t *mctx,
void (*deleter)(void *, void *),
void *deleter_arg,
dns_rbtdatafixer_t datafixer,
dns_rbtdeleter_t deleter, void *deleter_arg,
dns_rbtdatafixer_t datafixer, void *fixer_arg,
dns_rbtnode_t **originp, dns_rbt_t **rbtp)
{
isc_result_t result = ISC_R_SUCCESS;
......@@ -861,7 +862,7 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rehash(rbt, header->nodecount);
CHECK(treefix(rbt, base_address, filesize, rbt->root,
dns_rootname, datafixer, &crc));
dns_rootname, datafixer, fixer_arg, &crc));
isc_crc64_final(&crc);
#ifdef DEBUG
......@@ -895,7 +896,7 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
* Initialize a red/black tree of trees.
*/
isc_result_t
dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter,
void *deleter_arg, dns_rbt_t **rbtp)
{
#ifdef DNS_RBT_USEHASH
......
......@@ -7005,8 +7005,10 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
static isc_result_t
rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
isc_uint64_t *crc)
void *arg, isc_uint64_t *crc)
{
isc_result_t result;
dns_rbtdb_t *rbtdb = (dns_rbtdb_t *) arg;
rdatasetheader_t *header;
unsigned char *limit = ((unsigned char *) base) + filesize;
unsigned char *p;
......@@ -7028,6 +7030,14 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
header->is_mmapped = 1;
header->node = rbtnode;
header->node_is_relative = 0;
if (rbtdb != NULL && RESIGN(header) && header->resign != 0) {
int idx = header->node->locknum;
result = isc_heap_insert(rbtdb->heaps[idx], header);
if (result != ISC_R_SUCCESS)
return (result);
}
if (header->next != NULL) {
size_t cooked = dns_rbt_serialize_align(size);
if ((uintptr_t)header->next !=
......@@ -7090,8 +7100,8 @@ deserialize(void *arg, FILE *f, off_t offset) {
result = dns_rbt_deserialize_tree(base, filesize,
(size_t) header->tree,
rbtdb->common.mctx,
delete_callback,
rbtdb, rbt_datafixer,
delete_callback, rbtdb,
rbt_datafixer, rbtdb,
&rbtdb->origin_node,
&temporary_rbt);
if (temporary_rbt != NULL) {
......@@ -7110,8 +7120,8 @@ deserialize(void *arg, FILE *f, off_t offset) {
result = dns_rbt_deserialize_tree(base, filesize,
(size_t) header->nsec,
rbtdb->common.mctx,
delete_callback,
rbtdb, rbt_datafixer,
delete_callback, rbtdb,
rbt_datafixer, rbtdb,
NULL, &temporary_rbt);
if (temporary_rbt != NULL) {
dns_rbt_destroy(&rbtdb->nsec);
......@@ -7126,8 +7136,8 @@ deserialize(void *arg, FILE *f, off_t offset) {
result = dns_rbt_deserialize_tree(base, filesize,
(size_t) header->nsec3,
rbtdb->common.mctx,
delete_callback,
rbtdb, rbt_datafixer,
delete_callback, rbtdb,
rbt_datafixer, rbtdb,
NULL, &temporary_rbt);
if (temporary_rbt != NULL) {
dns_rbt_destroy(&rbtdb->nsec3);
......
......@@ -140,12 +140,15 @@ write_data(FILE *file, unsigned char *datap, isc_uint32_t serial,
}
static isc_result_t
fix_data(dns_rbtnode_t *p, void *base, size_t max, isc_uint64_t *crc) {
fix_data(dns_rbtnode_t *p, void *base, size_t max, void *arg,
isc_uint64_t *crc)
{
data_holder_t *data = p->data;
size_t size;
UNUSED(base);
UNUSED(max);
UNUSED(arg);
REQUIRE(crc != NULL);
REQUIRE(p != NULL);
......@@ -350,8 +353,8 @@ ATF_TC_BODY(serialize, tc) {
close(fd);
result = dns_rbt_deserialize_tree(base, filesize, 0, mctx,
delete_data, NULL,
fix_data, NULL, &rbt_deserialized);
delete_data, NULL, fix_data, NULL,
NULL, &rbt_deserialized);
/* Test to make sure we have a valid tree */
ATF_REQUIRE(result == ISC_R_SUCCESS);
......@@ -427,7 +430,7 @@ ATF_TC_BODY(deserialize_corrupt, tc) {
result = dns_rbt_deserialize_tree(base, filesize, 0, mctx,
delete_data, NULL,
fix_data, NULL,
&rbt_deserialized);
NULL, &rbt_deserialized);
printf("%d: %s\n", i, isc_result_totext(result));
/* Test to make sure we have a valid tree */
......
......@@ -1954,7 +1954,7 @@ static unsigned int
get_master_options(dns_zone_t *zone) {
unsigned int options;
options = DNS_MASTER_ZONE;
options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN;
if (zone->type == dns_zone_slave ||
(zone->type == dns_zone_redirect && zone->masters == NULL))
options |= DNS_MASTER_SLAVE;
......@@ -1974,10 +1974,6 @@ get_master_options(dns_zone_t *zone) {
options |= DNS_MASTER_CHECKMXFAIL;
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
options |= DNS_MASTER_CHECKWILDCARD;
if (inline_secure(zone) || (zone->type == dns_zone_master &&
((zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl)) ||
zone->ssutable != NULL)))
options |= DNS_MASTER_RESIGN;
return (options);
}
......@@ -3122,6 +3118,15 @@ set_resigntime(dns_zone_t *zone) {
isc_result_t result;
isc_uint32_t nanosecs;
/* We only re-sign zones that can be dynamically updated */
if (zone->update_disabled)
return;
if (!inline_secure(zone) && (zone->type != dns_zone_master ||
(zone->ssutable == NULL &&
(zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
return;
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
result = dns_db_getsigningtime(zone->db, &rdataset,
......@@ -3130,6 +3135,7 @@ set_resigntime(dns_zone_t *zone) {
isc_time_settoepoch(&zone->resigntime);
return;
}
resign = rdataset.resign;
dns_rdataset_disassociate(&rdataset);
isc_random_get(&nanosecs);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment