f431bf02
Commit
f431bf02
authored
Aug 25, 2016
by
Mark Andrews
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
parent
a91ea57c
Changes
10
CHANGES
--- 9.11.0rc1 released ---
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
4452. [bug] The default key manager policy file is now
<sysdir>/dnssec-policy.conf (usually
/etc/dnssec-policy.conf). [RT #43064]
...
...
bin/tests/system/resolver/clean.sh
...
...
@@ -21,9 +21,12 @@ rm -f dig.*.prime.*
rm
-f
ns4/tld.db
rm
-f
ns6/K
*
rm
-f
ns6/example.net.db.signed ns6/example.net.db
rm
-f
ns6/ds.example.net.db.signed ns6/ds.example.net.db
rm
-f
ns6/dsset-ds.example.net.
rm
-f
ns6/dsset-example.net. ns6/example.net.db.signed.jnl
rm
-f
ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
rm
-f
ns7/server.db ns7/server.db.jnl ns7/named.conf
rm
-f
resolve.out
rm
-f
.digrc
rm
-f
ns
*
/named.lock
rm
-f
ns5/trusted.conf
bin/tests/system/resolver/ns4/root.db
...
...
@@ -19,3 +19,5 @@ a.root-servers.nil. A 10.53.0.4
all-cnames NS cname.tld
delegation-only. NS ns.delegation-only.
ns.delegation-only. A 10.53.0.6
example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
bin/tests/system/resolver/ns5/named.conf
...
...
@@ -46,3 +46,5 @@ zone "child.server" {
zone
"delegation-only"
{
type
delegation
-
only
;
};
include
"trusted.conf"
;
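Review bot: `include "trusted.conf";` makes ns5's startup depend on a file that, per the ns6/keygen.sh change in this same commit, is written from another server's directory (`> ../ns5/trusted.conf`); if that key generation runs after ns5 is started, or fails, named on ns5 refuses to load its configuration at all rather than merely failing to validate. A comment next to the include recording the provenance would help the next person who finds the file missing, e.g. `// generated by ns6/keygen.sh: trust anchor (KSK) for example.net`, together with an existence check in the setup script before ns5 is started. setup.sh is not part of this diff, so the ordering may already be handled there.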
bin/tests/system/resolver/ns6/ds.example.net.db.in
0 → 100644
; Copyright (C) 2010, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $
$TTL 600
@ IN SOA ns hostmaster 1 1800 900 604800 600
@ IN NS ns
ns IN A 10.53.0.6
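Review bot: The header of this new zone file carries `$Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $` and the years 2010, 2014, 2016, both evidently copied from `example.net.db.in`; the `$Id` tag names a different file, so it misstates the file's provenance. Drop the `$Id` line and make the notice reflect this file's creation, `; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")`.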
bin/tests/system/resolver/ns6/example.net.db.in
...
...
@@ -14,4 +14,7 @@ ns IN A 10.53.0.6
mail IN A 10.53.0.6
fetch 10 IN TXT A short ttl
non-zero 10 IN TXT A short ttl
zero 0 IN TXT A zero ttl
zero 0 IN TXT A zero ttl
$TTL 10
ds IN NS ns.ds
ns.ds IN A 10.53.0.6
bin/tests/system/resolver/ns6/keygen.sh
...
...
@@ -11,7 +11,7 @@
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
zone
=
example.net
zone
=
ds.
example.net
zonefile
=
"
${
zone
}
.db"
infile
=
"
${
zonefile
}
.in"
cp
$infile
$zonefile
...
...
@@ -19,3 +19,23 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
zsk
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
$zone
`
cat
$ksk
.key
$zsk
.key
>>
$zonefile
$SIGNER
-P
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
zone
=
example.net
zonefile
=
"
${
zone
}
.db"
infile
=
"
${
zonefile
}
.in"
cp
$infile
$zonefile
ksk
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
-fk
$zone
`
zsk
=
`
$KEYGEN
-q
-3
-r
$RANDFILE
$zone
`
cat
$ksk
.key
$zsk
.key dsset-ds.example.net.
>>
$zonefile
$SIGNER
-P
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null 2>&1
# Configure a trusted key statement (used by delve)
cat
$ksk
.key |
grep
-v
'^; '
|
$PERL
-n
-e
'
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
'
>
../ns5/trusted.conf
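Review bot: The new `ds.example.net` signing step discards `$SIGNER` output with `> /dev/null 2>&1` and never checks its exit status, so if that signing fails the later `cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile` for `example.net` trips over a missing dsset file and the parent is signed without the DS the new test depends on, with the only symptom a confusing test failure much later. Because `dsset-ds.example.net.` is the link between the two signing steps, guard it explicitly before the `cat`: `test -f dsset-ds.example.net. || { echo "I:dsset-ds.example.net. missing (signing failed?)" >&2; exit 1; }`, or at minimum append `|| exit 1` to each `$SIGNER` invocation. The pre-existing `example.net` step had the same unchecked pattern, so this is inherited style rather than a regression introduced here.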
bin/tests/system/resolver/ns6/named.conf
...
...
@@ -41,6 +41,12 @@ zone "example.net" {
allow
-
update
{
any
; };
};
zone
"ds.example.net"
{
type
master
;
file
"ds.example.net.db.signed"
;
allow
-
update
{
any
; };
};
zone
"to-be-removed.tld"
{
type
master
;
file
"to-be-removed.tld.db"
;
...
...
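Review bot: The new `ds.example.net` master zone is declared with `allow-update { any; };`, apparently copied from the `example.net` zone above it, yet the test this commit adds in tests.sh only queries the zone and never sends a dynamic UPDATE. A signed master that accepts updates from anyone is tolerable on the 10.53.0.x test rig but widens what a stray test can do to the fixture; unless another test relies on it, drop the `allow-update` line or restrict it, e.g. `allow-update { 10.53.0.0/24; };`. The rest of the resolver suite is not visible here, so treat this as something to verify rather than a certain defect.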
bin/tests/system/resolver/tests.sh
...
...
@@ -422,6 +422,27 @@ test ${ttl:-0} -gt ${ttl2:-1} || ret=1
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
n
=
`
expr
$n
+ 1
`
echo
"I:check prefetch of validated DS's RRSIG TTL is updated (
${
n
}
)"
ret
=
0
$DIG
+dnssec @10.53.0.5
-p
5300 ds.example.net ds
>
dig.out.1.
${
n
}
||
ret
=
1
ttl1
=
`
awk
'$4 == "DS" && $7 == "1" { print $2 - 2 }'
dig.out.1.
${
n
}
`
# sleep so we are in prefetch range
sleep
${
ttl1
:-
0
}
# trigger prefetch
$DIG
@10.53.0.5
-p
5300 ds.example.net ds
>
dig.out.2.
${
n
}
||
ret
=
1
ttl1
=
`
awk
'$4 == "DS" && $7 == "1" { print $2 }'
dig.out.2.
${
n
}
`
sleep
1
# check that prefetch occured
$DIG
@10.53.0.5
-p
5300 ds.example.net ds +dnssec
>
dig.out.3.
${
n
}
||
ret
=
1
dsttl
=
`
awk
'$4 == "DS" i&& $7 == "1" { print $2 }'
dig.out.3.
${
n
}
`
sigttl
=
`
awk
'$4 == "RRSIG" && $5 == "DS" { print $2 }'
dig.out.3.
${
n
}
`
test
${
dsttl
:-
0
}
-gt
${
ttl2
:-
1
}
||
ret
=
1
test
${
sigttl
:-
0
}
-gt
${
ttl2
:-
1
}
||
ret
=
1
test
${
dsttl
:-
0
}
-eq
${
sigttl
:-
1
}
||
ret
=
1
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
n
=
`
expr
$n
+ 1
`
echo
"I:check prefetch disabled (
${
n
}
)"
ret
=
0
...
...
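Review bot: The awk filter that computes `dsttl` reads `$4 == "DS" i&& $7 == "1"`; the stray `i` is a typo that only works because awk parses `"DS" i` as concatenation with an unset variable, so it should be `dsttl=\`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.3.${n}\``. The three `test` comparisons then measure `dsttl` and `sigttl` against `ttl2`, which nothing in this hunk assigns — it appears to be carried over from the previous test case — while the second `ttl1` assignment taken from `dig.out.2.${n}` is never read; unless the carry-over is intentional, the comparisons should be `test ${dsttl:-0} -gt ${ttl1:-1} || ret=1` and `test ${sigttl:-0} -gt ${ttl1:-1} || ret=1`, i.e. against the TTL observed when the prefetch was triggered. The test case itself is self-contained, but the script's surrounding `status`/`n` bookkeeping starts before this hunk.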
lib/dns/resolver.c
...
...
@@ -5028,7 +5028,7 @@ validated(isc_task_t *task, isc_event_t *event) {
eresult
=
DNS_R_NCACHENXRRSET
;
}
else
if
(
vevent
->
sigrdataset
!=
NULL
)
{
result
=
dns_db_addrdataset
(
fctx
->
cache
,
node
,
NULL
,
now
,
vevent
->
sigrdataset
,
0
,
vevent
->
sigrdataset
,
options
,
asigrdataset
);
if
(
result
!=
ISC_R_SUCCESS
&&
result
!=
DNS_R_UNCHANGED
)
...
...
@@ -5497,8 +5497,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
* Mark the rdataset as being prefetch eligible.
*/
if
(
rdataset
->
ttl
>
fctx
->
res
->
view
->
prefetch_eligible
)
rdataset
->
attributes
|=
DNS_RDATASETATTR_PREFETCH
;
rdataset
->
attributes
|=
DNS_RDATASETATTR_PREFETCH
;
/*
* Cache this rdataset/sigrdataset pair as
...
...
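Review bot: The changed `dns_db_addrdataset` call in `validated()` now passes `options` for the signature add where `0` was passed before, which is the substance of the fix, but nothing at the call site says why the two adds must share options, so a later cleanup could reintroduce the bug; a short comment would pin it: `/* Use the same options as the data add (e.g. the prefetch flag) so the RRSIG's TTL is refreshed together with the rdataset it covers; see RT #42865. */`. The hunk does not show where `options` is composed, so whether it carries anything beyond the prefetch flag at this point cannot be confirmed from this view. Both `validated()` and `cache_name()` begin and end outside the shown hunks, and the second hunk's rendered text shows the old and new `rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;` lines as identical, so what actually changed there is not recoverable here.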