Commit f431bf02 authored by Mark Andrews's avatar Mark Andrews

4453. [bug] Prefetching of DS records failed to update their RRSIGs. [RT #42865]
parent a91ea57c
--- 9.11.0rc1 released ---
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
4452. [bug] The default key manager policy file is now
<sysdir>/dnssec-policy.conf (usually
/etc/dnssec-policy.conf). [RT #43064]
......@@ -21,9 +21,12 @@ rm -f dig.*.prime.*
rm -f ns4/tld.db
rm -f ns6/K*
rm -f ns6/example.net.db.signed ns6/example.net.db
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
rm -f ns6/dsset-ds.example.net.
rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
rm -f ns7/server.db ns7/server.db.jnl ns7/named.conf
rm -f resolve.out
rm -f .digrc
rm -f ns*/named.lock
rm -f ns5/trusted.conf
......@@ -19,3 +19,5 @@ a.root-servers.nil. A 10.53.0.4
all-cnames NS cname.tld
delegation-only. NS ns.delegation-only.
ns.delegation-only. A 10.53.0.6
example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
......@@ -46,3 +46,5 @@ zone "child.server" {
zone "delegation-only" {
type delegation-only;
};
include "trusted.conf";
; Copyright (C) 2010, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $
$TTL 600
@ IN SOA ns hostmaster 1 1800 900 604800 600
@ IN NS ns
ns IN A 10.53.0.6
......@@ -14,4 +14,7 @@ ns IN A 10.53.0.6
mail IN A 10.53.0.6
fetch 10 IN TXT A short ttl
non-zero 10 IN TXT A short ttl
zero 0 IN TXT A zero ttl
zero 0 IN TXT A zero ttl
$TTL 10
ds IN NS ns.ds
ns.ds IN A 10.53.0.6
......@@ -11,7 +11,7 @@
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=example.net
zone=ds.example.net
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
......@@ -19,3 +19,23 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
cat $ksk.key $zsk.key >> $zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=example.net
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# Configure a trusted key statement (used by delve)
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > ../ns5/trusted.conf
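Review bot: The line `cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile` relies on the earlier `$SIGNER` run for ds.example.net having written `dsset-ds.example.net.` into the working directory, but that run's output and exit status are discarded with `> /dev/null 2>&1`, so a signing failure would only show up later as a missing DS in example.net rather than at the point of failure. Consider appending `|| exit 1` to both `$SIGNER` invocations, or at least `test -f dsset-ds.example.net. || exit 1` before the `cat`. As a style point, `cat $ksk.key | grep -v '^; '` can be written `grep -v '^; ' $ksk.key`. Any remainder of this script lies outside the hunk.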
......@@ -41,6 +41,12 @@ zone "example.net" {
allow-update { any; };
};
zone "ds.example.net" {
type master;
file "ds.example.net.db.signed";
allow-update { any; };
};
zone "to-be-removed.tld" {
type master;
file "to-be-removed.tld.db";
......@@ -422,6 +422,27 @@ test ${ttl:-0} -gt ${ttl2:-1} || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check prefetch of validated DS's RRSIG TTL is updated (${n})"
ret=0
$DIG +dnssec @10.53.0.5 -p 5300 ds.example.net ds > dig.out.1.${n} || ret=1
ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 - 2 }' dig.out.1.${n}`
# sleep so we are in prefetch range
sleep ${ttl1:-0}
# trigger prefetch
$DIG @10.53.0.5 -p 5300 ds.example.net ds > dig.out.2.${n} || ret=1
ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}`
sleep 1
# check that prefetch occured
$DIG @10.53.0.5 -p 5300 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
dsttl=`awk '$4 == "DS" i&& $7 == "1" { print $2 }' dig.out.3.${n}`
sigttl=`awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}`
test ${dsttl:-0} -gt ${ttl2:-1} || ret=1
test ${sigttl:-0} -gt ${ttl2:-1} || ret=1
test ${dsttl:-0} -eq ${sigttl:-1} || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:check prefetch disabled (${n})"
ret=0
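Review bot: The TTL captured by `ttl1=\`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}\`` is never read; the two `-gt` checks compare `dsttl` and `sigttl` against `ttl2`, which this hunk never assigns, so they run against whatever the preceding check (outside the hunk) left in that variable. The intended comparison is presumably against the pre-prefetch TTL just recorded: `test ${dsttl:-0} -gt ${ttl1:-1} || ret=1` and `test ${sigttl:-0} -gt ${ttl1:-1} || ret=1`. The awk pattern `$4 == "DS" i&& $7 == "1"` on the `dsttl=` line carries a stray `i`; it appears to work only because awk concatenates the unset variable as an empty string, so drop it to match the `sigttl` line. The comment `# check that prefetch occured` should read `occurred`. The surrounding test script continues outside this hunk.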
......@@ -5028,7 +5028,7 @@ validated(isc_task_t *task, isc_event_t *event) {
eresult = DNS_R_NCACHENXRRSET;
} else if (vevent->sigrdataset != NULL) {
result = dns_db_addrdataset(fctx->cache, node, NULL, now,
vevent->sigrdataset, 0,
vevent->sigrdataset, options,
asigrdataset);
if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED)
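Review bot: The change from `0` to `options` in the `dns_db_addrdataset` call for `vevent->sigrdataset` has no comment saying why the signature must be stored with the same options as the data rdataset, and `options` is computed outside this hunk, so a reader cannot see what it carries. Going by the commit title it presumably includes the prefetch flag when this fetch is a prefetch, which is what lets the RRSIG's TTL be refreshed alongside the DS. Suggest a comment above the call: `/* Store the RRSIG with the same options as the rdataset so a prefetch refreshes both TTLs. */`. validated() starts and ends outside this hunk.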
......@@ -5497,8 +5497,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
* Mark the rdataset as being prefetch eligible.
*/
if (rdataset->ttl > fctx->res->view->prefetch_eligible)
rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
rdataset->attributes |=
DNS_RDATASETATTR_PREFETCH;
/*
* Cache this rdataset/sigrdataset pair as