3166. [bug] Upgrading a zone to support inline-signing failed. [RT #26014]

CHANGES

@@ -1,3 +1,6 @@
+3166.	[bug]		Upgrading a zone to support inline-signing failed.
+			[RT #26014]
+
 3165.	[bug]		dnssec-signzone could generate new signatures when
 			resigning, even when valid signatures were already
 			present. [RT #26025]

bin/named/zoneconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.183 2011/10/11 00:09:01 each Exp $ */
+/* $Id: zoneconf.c,v 1.184 2011/10/12 00:10:19 marka Exp $ */
 
 /*% */
 
@@ -1589,6 +1589,8 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 	const cfg_obj_t *obj = NULL;
 	const char *cfilename;
 	const char *zfilename;
+	dns_zone_t *raw = NULL;
+	isc_boolean_t has_raw;
 
 	zoptions = cfg_tuple_get(zconfig, "options");
 
@@ -1614,16 +1616,19 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 	       strcmp(cfilename, zfilename) == 0)))
 		return (ISC_FALSE);
 
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL) {
+		dns_zone_detach(&raw);
+		has_raw = ISC_TRUE;
+	} else
+		has_raw = ISC_FALSE;
+
 	obj = NULL;
-	(void)cfg_map_get(zoptions, "signing", &obj);
-	if (obj == NULL || !cfg_obj_asboolean(obj)) {
-		dns_zone_t *raw = NULL;
-		dns_zone_getraw(zone, &raw);
-		if (raw != NULL) {
-			dns_zone_detach(&raw);
-			return (ISC_FALSE);
-		}
-	}
+	(void)cfg_map_get(zoptions, "inline-signing", &obj);
+	if ((obj == NULL || !cfg_obj_asboolean(obj)) && has_raw)
+		return (ISC_FALSE);
+	if ((obj != NULL && cfg_obj_asboolean(obj)) && !has_raw)
+		return (ISC_FALSE);
 
 	return (ISC_TRUE);
 }

bin/tests/system/inline/clean.sh

@@ -12,16 +12,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
+# $Id: clean.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
 
 rm -f */named.memstats
 rm -f */named.run
 rm -f */trusted.conf
 rm -f ns2/bits.db
+rm -f ns2/bits.db.jnl
 rm -f ns3/K*
 rm -f ns3/bits.bk
 rm -f ns3/bits.bk.jnl
 rm -f ns3/bits.bk.signed
 rm -f ns3/bits.bk.signed.jnl
+rm -f ns3/noixfr.bk
+rm -f ns3/noixfr.bk.jnl
+rm -f ns3/noixfr.bk.signed
+rm -f ns3/noixfr.bk.signed.jnl
+rm -f ns4/K*
 rm -f ns4/noixfr.db
+rm -f ns4/noixfr.db.jnl
+rm -f ns5/K*
+rm -f ns5/named.conf
+rm -f ns5/bits.bk
+rm -f ns5/bits.bk.jnl
+rm -f ns5/bits.bk.signed
+rm -f ns5/bits.bk.signed.jnl
 rm -f random.data
+rm -f dig.out.ns*.test*

bin/tests/system/inline/ns5/named.conf.post

@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf.post,v 1.2 2011/10/12 00:10:19 marka Exp $ */
+
+// NS5
+
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	notify-delay 0;
+};
+
+zone "bits" {
+	type slave;
+	masters { 10.53.0.2; };
+	file "bits.bk";
+	auto-dnssec maintain;
+	inline-signing yes;
+};

bin/tests/system/inline/ns5/named.conf.pre

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf.pre,v 1.2 2011/10/12 00:10:20 marka Exp $ */
+
+// NS5
+
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; };
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	notify-delay 0;
+};
+
+zone "bits" {
+	type slave;
+	masters { 10.53.0.2; };
+	file "bits.bk";
+};

bin/tests/system/inline/setup.sh

@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
+# $Id: setup.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
 
 sh clean.sh
 
@@ -34,6 +34,8 @@ rm -f ns3/noixfr.bk.jnl
 rm -f ns3/noixfr.bk.signed
 rm -f ns3/noixfr.bk.signed.jnl
 
+cp ns5/named.conf.pre ns5/named.conf
+
 ../../../tools/genrandom 400 random.data
 
 (cd ns3; sh -e sign.sh)

bin/tests/system/inline/tests.sh

@@ -14,12 +14,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
+# $Id: tests.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 DIGOPTS="+tcp +dnssec"
+RANDFILE=random.data
 
 status=0
 n=0
@@ -326,4 +327,27 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:checking turning on of inline signing in a slave zone via reload ($n)"
+$DIG $DIGOPTS @10.53.0.5 -p 5300 +dnssec bits SOA > dig.out.ns5.test$n
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:setup broken"; fi
+status=`expr $status + $ret`
+cp ns5/named.conf.post ns5/named.conf
+(cd ns5; $KEYGEN -q -r ../$RANDFILE bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -r ../$RANDFILE -f KSK bits) > /dev/null 2>&1
+$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reload 2>&1 | sed 's/^/I:ns5 /'
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ret=0
+	$DIG $DIGOPTS @10.53.0.5 -p 5300 bits SOA > dig.out.ns5.test$n
+	grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+	grep "ANSWER: 2," dig.out.ns5.test$n > /dev/null || ret=1
+	if [ $ret = 0 ]; then break; fi
+	sleep 1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 exit $status

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.633 2011/10/07 02:55:04 marka Exp $ */
+/* $Id: zone.c,v 1.634 2011/10/12 00:10:20 marka Exp $ */
 
 /*! \file */
 
@@ -412,6 +412,7 @@ struct dns_zone {
 #define DNS_ZONEFLG_THAW	0x08000000U
 #define DNS_ZONEFLG_LOADPENDING	0x10000000U	/*%< Loading scheduled */
 #define DNS_ZONEFLG_NODELAY	0x20000000U
+#define DNS_ZONEFLG_SENDSECURE  0x40000000U
 
 #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
 #define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
@@ -709,6 +710,7 @@ static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
 static void zone_rekey(dns_zone_t *zone);
 static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr,
 			       dst_key_t **keys, unsigned int nkeys);
+static isc_result_t zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
 
 #define ENTER zone_debuglog(zone, me, 1, "enter")
 
@@ -3458,6 +3460,16 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	return (result);
 }
 
+static void
+maybe_send_securedb(dns_zone_t *zone) {
+	LOCK_ZONE(zone->raw);
+	if (zone->raw->db != NULL)
+		zone_send_securedb(zone->raw, zone->raw->db);
+	else 
+		DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
+	UNLOCK_ZONE(zone->raw);
+}
+
 static isc_result_t
 zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	      isc_result_t result)
@@ -3493,6 +3505,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     "failed: %s",
 					     zone->masterfile,
 					     dns_result_totext(result));
+		} else if (zone->type == dns_zone_master &&
+			   zone->raw != NULL && result == ISC_R_FILENOTFOUND) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "no master file, requesting db");
+			maybe_send_securedb(zone);
 		} else {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "loading from master file %s failed: %s",
@@ -3797,6 +3814,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 		DNS_ZONE_SETFLAG(zone,
 				 DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
+		    zone->secure != NULL)
+			zone_send_securedb(zone, db);
 	}
 
 	result = ISC_R_SUCCESS;
@@ -12239,6 +12259,7 @@ zone_send_securedb(dns_zone_t *zone, dns_db_t *db) {
 	((struct secure_db *)e)->db = dummy;
 
 	isc_task_send(zone->secure->task, &e);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
 	return (ISC_R_SUCCESS);
 }