4453. [bug] Prefetching of DS records failed to update their

                        RRSIGs. [RT #42865]

CHANGES

 	--- 9.11.0rc1 released ---
 
+4453.	[bug]		Prefetching of DS records failed to update their 
+			RRSIGs. [RT #42865]
+
 4452.	[bug]		The default key manager policy file is now
 			<sysdir>/dnssec-policy.conf (usually
 			/etc/dnssec-policy.conf). [RT #43064]

bin/tests/system/resolver/clean.sh

@@ -21,9 +21,12 @@ rm -f dig.*.prime.*
 rm -f ns4/tld.db
 rm -f ns6/K*
 rm -f ns6/example.net.db.signed ns6/example.net.db
+rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+rm -f ns6/dsset-ds.example.net.
 rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl ns7/named.conf
 rm -f resolve.out
 rm -f .digrc
 rm -f ns*/named.lock
+rm -f ns5/trusted.conf

bin/tests/system/resolver/ns4/root.db

@@ -19,3 +19,5 @@ a.root-servers.nil.	A	10.53.0.4
 all-cnames		NS	cname.tld
 delegation-only.	NS	ns.delegation-only.
 ns.delegation-only.	A	10.53.0.6
+example.net.		NS	ns.example.net.
+ns.example.net.		A	10.53.0.6

bin/tests/system/resolver/ns5/named.conf

@@ -46,3 +46,5 @@ zone "child.server" {
 zone "delegation-only" {
        type delegation-only;
 };
+
+include "trusted.conf";

bin/tests/system/resolver/ns6/ds.example.net.db.in

+; Copyright (C) 2010, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+; $Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $
+
+$TTL 600
+@	IN SOA	ns hostmaster 1 1800 900 604800 600
+@	IN NS	ns
+ns	IN A	10.53.0.6

bin/tests/system/resolver/ns6/example.net.db.in

@@ -14,4 +14,7 @@ ns	IN A	10.53.0.6
 mail	IN A	10.53.0.6
 fetch 10 IN TXT A short ttl
 non-zero 10 IN TXT A short ttl
-zero 0 IN TXT A zero ttl
+zero 0  IN TXT	A zero ttl
+$TTL 10
+ds 	IN NS	ns.ds
+ns.ds	IN A	10.53.0.6

bin/tests/system/resolver/ns6/keygen.sh

@@ -11,7 +11,7 @@
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
-zone=example.net
+zone=ds.example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
@@ -19,3 +19,23 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
 cat $ksk.key $zsk.key >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+zone=example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+# Configure a trusted key statement (used by delve)
+cat $ksk.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > ../ns5/trusted.conf

bin/tests/system/resolver/ns6/named.conf

@@ -41,6 +41,12 @@ zone "example.net" {
 	allow-update { any; };
 };
 
+zone "ds.example.net" {
+	type master;
+	file "ds.example.net.db.signed";
+	allow-update { any; };
+};
+
 zone "to-be-removed.tld" {
 	type master;
 	file "to-be-removed.tld.db";

bin/tests/system/resolver/tests.sh

@@ -422,6 +422,27 @@ test ${ttl:-0} -gt ${ttl2:-1} || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:check prefetch of validated DS's RRSIG TTL is updated (${n})"
+ret=0
+$DIG +dnssec @10.53.0.5 -p 5300 ds.example.net ds > dig.out.1.${n} || ret=1
+ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 - 2 }' dig.out.1.${n}`
+# sleep so we are in prefetch range
+sleep ${ttl1:-0}
+# trigger prefetch
+$DIG @10.53.0.5 -p 5300 ds.example.net ds > dig.out.2.${n} || ret=1
+ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}`
+sleep 1
+# check that prefetch occured
+$DIG @10.53.0.5 -p 5300 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
+dsttl=`awk '$4 == "DS" i&& $7 == "1" { print $2 }' dig.out.3.${n}`
+sigttl=`awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}`
+test ${dsttl:-0} -gt ${ttl2:-1} || ret=1
+test ${sigttl:-0} -gt ${ttl2:-1} || ret=1
+test ${dsttl:-0} -eq ${sigttl:-1} || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I:check prefetch disabled (${n})"
 ret=0

lib/dns/resolver.c

@@ -5028,7 +5028,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 			eresult = DNS_R_NCACHENXRRSET;
 	} else if (vevent->sigrdataset != NULL) {
 		result = dns_db_addrdataset(fctx->cache, node, NULL, now,
-					    vevent->sigrdataset, 0,
+					    vevent->sigrdataset, options,
 					    asigrdataset);
 		if (result != ISC_R_SUCCESS &&
 		    result != DNS_R_UNCHANGED)
@@ -5497,8 +5497,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			 * Mark the rdataset as being prefetch eligible.
 			 */
 			if (rdataset->ttl > fctx->res->view->prefetch_eligible)
-				rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
-
+				rdataset->attributes |=
+					DNS_RDATASETATTR_PREFETCH;
 
 			/*
 			 * Cache this rdataset/sigrdataset pair as