From a8228d5f190d556ba6a3e25cc523ba936fbfe957 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Thu, 17 Mar 2022 14:43:18 +0000 Subject: [PATCH 1/6] Introduce the concept of broken catalog zones The DNS catalog zones draft version 5 document describes various situations when a catalog zones must be considered as "broken" and not be processed. Implement those checks in catz.c and add corresponding system tests. --- bin/tests/system/catz/clean.sh | 1 + .../system/catz/ns1/catalog-bad1.example.db | 13 +++ .../system/catz/ns1/catalog-bad2.example.db | 14 +++ .../system/catz/ns1/catalog-bad3.example.db | 15 +++ bin/tests/system/catz/ns1/named.conf.in | 30 +++++ bin/tests/system/catz/ns2/named1.conf.in | 27 +++++ bin/tests/system/catz/ns2/named2.conf.in | 18 +++ bin/tests/system/catz/tests.sh | 87 ++++++++++++++- lib/dns/catz.c | 105 +++++++++++++++--- 9 files changed, 291 insertions(+), 19 deletions(-) create mode 100644 bin/tests/system/catz/ns1/catalog-bad1.example.db create mode 100644 bin/tests/system/catz/ns1/catalog-bad2.example.db create mode 100644 bin/tests/system/catz/ns1/catalog-bad3.example.db diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh index 783ed4e763..e293e7dc0c 100644 --- a/bin/tests/system/catz/clean.sh +++ b/bin/tests/system/catz/clean.sh @@ -19,6 +19,7 @@ rm -f ns*/named.run rm -f ns*/named.run.prev rm -f ns1/*dom*example.db rm -f ns2/__catz__*db +rm -f ns2/catalog-bad*.db rm -f ns2/named.conf.tmp rm -f ns3/dom2.example.db ns3/dom13.example.db ns3/dom14.example.db ns3/dom17.example.db ns3/dom18.example.db rm -f nsupdate.out.* diff --git a/bin/tests/system/catz/ns1/catalog-bad1.example.db b/bin/tests/system/catz/ns1/catalog-bad1.example.db new file mode 100644 index 0000000000..b8402de301 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad1.example.db 
@@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. diff --git a/bin/tests/system/catz/ns1/catalog-bad2.example.db b/bin/tests/system/catz/ns1/catalog-bad2.example.db new file mode 100644 index 0000000000..06b9121f13 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad2.example.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "99" diff --git a/bin/tests/system/catz/ns1/catalog-bad3.example.db b/bin/tests/system/catz/ns1/catalog-bad3.example.db new file mode 100644 index 0000000000..0116697de3 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad3.example.db 
@@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "1" +version IN TXT "2" diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 5a46d3984f..5cf799f1c6 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -61,6 +61,36 @@ zone "catalog4.example" { /* catalog5 is missing on purpose */ +# No "version" property +zone "catalog-bad1.example" { + type primary; + file "catalog-bad1.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; +}; + +# Unsupported "version" property +zone "catalog-bad2.example" { + type primary; + file "catalog-bad2.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; +}; + +# Two RRs in TXT RRset for the "version" property +zone "catalog-bad3.example" { + type primary; + file "catalog-bad3.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; +}; + key tsig_key. { secret "LSAnCU+Z"; algorithm hmac-md5; diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index ed7f87943b..8ff6f687a0 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in 
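Review bot: The three new zone blocks in ns1/named.conf.in are introduced with `#` line comments (`# No "version" property`, …) while the surrounding file uses C-style comments (`/* catalog5 is missing on purpose */`, a few lines above in the same hunk); named accepts both, but mixing the two styles in one file reads as an oversight. Using `/* No "version" property */` etc. keeps the file uniform, and the same applies to the copies of these blocks carried into the view restructuring in the later patch.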
@@ -43,6 +43,15 @@ options { #T1 default-masters { 10.53.0.1; }; #T2 zone "catalog5.example" #T2 default-primaries { 10.53.0.1; }; + zone "catalog-bad1.example" + default-masters { 10.53.0.1; } + in-memory yes; + zone "catalog-bad2.example" + default-masters { 10.53.0.1; } + in-memory yes; + zone "catalog-bad3.example" + default-masters { 10.53.0.1; } + in-memory yes; }; }; @@ -83,6 +92,24 @@ zone "catalog4.example" { primaries { 10.53.0.1; }; }; +zone "catalog-bad1.example" { + type secondary; + file "catalog-bad1.example.db"; + primaries { 10.53.0.1; }; +}; + +zone "catalog-bad2.example" { + type secondary; + file "catalog-bad2.example.db"; + primaries { 10.53.0.1; }; +}; + +zone "catalog-bad3.example" { + type secondary; + file "catalog-bad3.example.db"; + primaries { 10.53.0.1; }; +}; + key tsig_key. { secret "LSAnCU+Z"; algorithm hmac-md5; diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index 12884c6797..787d62b510 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in @@ -61,6 +61,24 @@ zone "catalog4.example" { primaries { 10.53.0.1; }; }; +zone "catalog-bad1.example" { + type secondary; + file "catalog-bad1.example.db"; + primaries { 10.53.0.1; }; +}; + +zone "catalog-bad2.example" { + type secondary; + file "catalog-bad2.example.db"; + primaries { 10.53.0.1; }; +}; + +zone "catalog-bad3.example" { + type secondary; + file "catalog-bad3.example.db"; + primaries { 10.53.0.1; }; +}; + key tsig_key. { secret "LSAnCU+Z"; algorithm hmac-md5; diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index 6785dd84e9..807fb14bc0 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh 
@@ -80,6 +80,36 @@ wait_for_no_zonefile() ( status=0 n=0 + +########################################################################## +n=$((n+1)) +echo_i "checking that catalog-bad1.example (with no version) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: zone 'catalog-bad1.example' has no 'version' record" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad1.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that catalog-bad2.example (with unsupported version) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: zone 'catalog-bad2.example' unsupported version '99'" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad2.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking that catalog-bad3.example (with two supported version records) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "catz: 'version' property TXT RRset contains more than one record, which is invalid" && +wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad3.example IN TXT (failure) - ignoring" && +wait_for_message ns2/named.run "catz: zone 'catalog-bad3.example' version is not set" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + ########################################################################## echo_i "Testing adding/removing of domain in catalog zone" n=$((n+1)) 
@@ -145,6 +175,8 @@ wait_for_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) echo_i "update dom1.example. ($n)" ret=0 @@ -176,6 +208,8 @@ test -f ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl || ret if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) echo_i "update catalog zone serial ($n)" ret=0 @@ -202,6 +236,8 @@ retry_quiet 10 wait_for_soa_equal_20 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + n=$((n+1)) echo_i "update dom1.example. again ($n)" ret=0 @@ -259,6 +295,8 @@ wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + ########################################################################## echo_i "Testing various simple operations on domains, including using multiple catalog zones and garbage in zone" n=$((n+1)) @@ -296,6 +334,7 @@ ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update add 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update add coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." update add b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. update add e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. update add trash.catalog1.example. 3600 IN A 1.2.3.4 
@@ -322,10 +361,11 @@ END if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) - n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 +wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && +wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi @@ -338,7 +378,6 @@ wait_for_soa @10.53.0.2 dom4.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) - n=$((n+1)) echo_i "checking that dom3.example. is not served by primary ($n)" ret=0 @@ -365,8 +404,6 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && wait_for_message ns2/named.run "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi 
@@ -381,6 +418,43 @@ status=$((status+ret)) nextpart ns2/named.run >/dev/null +# The member zone's PTR RRset must have only one record in it. +# Check that adding a second record to the RRset is caught and such a +# catalog zone is not processed. +n=$((n+1)) +echo_i "adding domain dom4-reused-label.example. to catalog2 zone, reusing a label ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update add de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "waiting for secondary to sync up, and checking that the reused label has been caught ($n)" +ret=0 +wait_for_message ns2/named.run "de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example IN PTR (failure)" && +wait_for_message ns2/named.run "catz: new catalog zone 'catalog2.example' is broken and will not be processed" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + +n=$((n+1)) +echo_i "deleting domain dom4-reused-label.example. from catalog2 zone ($n)" +ret=0 +$NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.3 ${PORT} + update delete de26b88d855397a03f77ff1162fd055d8b419584.zones.catalog2.example. 3600 IN PTR dom4-reused-label.example. + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + n=$((n+1)) echo_i "adding domain dom2.example. to catalog2 zone to test change of ownership ($n)" ret=0 
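Review bot: The clean-up step at the end of this hunk (`update delete` of the reused-label PTR) only asserts that nsupdate succeeded; nothing checks that ns2 processes catalog2.example again once the duplicate record is gone, so a regression where a once-broken catalog stays broken would only surface, indirectly, in the next test that adds dom2.example to catalog2. An explicit wait after the delete — for a catalog2-specific message that shows the update was merged rather than rejected, or at least a check that the "is broken and will not be processed" line is not logged again before the `nextpart` — would make a failure point at the right step. The comment above the first nsupdate says the label is reused but not which existing entry it collides with; naming it (the test title suggests dom4.example) would help whoever next edits these hashes.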
@@ -615,6 +689,7 @@ ret=0 $NSUPDATE -d <> nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.1 ${PORT} update delete 636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN PTR dom2.example. + update delete coo.636722929740e507aaf27c502812fc395d30fb17.zones.catalog1.example. 3600 IN TXT "catalog2.example." update delete b901f492f3ebf6c1e5b597e51766f02f0479eb03.zones.catalog1.example. 3600 IN PTR dom3.example. update delete e721433b6160b450260d4f54b3ec8bab30cb3b83.zones.catalog1.example. 3600 IN NS foo.bar. update delete trash.catalog1.example. 3600 IN A 1.2.3.4 @@ -2083,7 +2158,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "catz: unknown record in catalog zone - primaries.dom17.zones.catalog1.example IN A(failure) - ignoring" && +wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "transfer of 'dom17.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && 
@@ -2174,7 +2249,7 @@ status=$((status+ret))
 n=$((n+1))
 echo_i "waiting for secondary to sync up ($n)"
 ret=0
-wait_for_message ns2/named.run "catz: unknown record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A(failure) - ignoring" &&
+wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" &&
 wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" &&
 wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" &&
 wait_for_message ns2/named.run "transfer of 'dom17.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" &&
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index f3dbbc3989..3c9e60d060 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -94,6 +94,7 @@ struct dns_catz_zone {
 bool active;
 bool db_registered;
+ bool broken;
 isc_refcount_t refs;
 };
@@ -1065,6 +1066,15 @@ catz_process_coo(dns_catz_zone_t *zone, dns_label_t *mhash,
 return (ISC_R_FAILURE);
 }
+ if (dns_rdataset_count(value) != 1) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+ "catz: 'coo' property PTR RRset contains "
+ "more than one record, which is invalid");
+ zone->broken = true;
+ return (ISC_R_FAILURE);
+ }
+
 result = dns_rdataset_first(value);
 if (result != ISC_R_SUCCESS) {
 return (result);
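Review bot: The new `broken` member of `struct dns_catz_zone` is undocumented, and its contract — set by the per-record checks and by dns_catz_update_from_db when the catalog violates the draft, and causing the whole pending update to be discarded at `final:` rather than merged — has to be reconstructed from several places in catz.c. A one-line comment would fix that: `bool broken; /* catalog violates the draft: the update is discarded, not merged */`. If, as it appears, a fresh zone object is built for every update, it is worth stating in the same comment that the flag is therefore never reset.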
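Review bot: When the count check in catz_process_coo fires it sets `zone->broken` and returns ISC_R_FAILURE, and dns_catz_update_from_db then reports that failure as "catz: invalid record in catalog zone - … (failure) - ignoring" (the message renamed in a later hunk of this file); "ignoring" is misleading here, because the record is not skipped — the entire catalog update is about to be thrown away. The same applies to the count checks in catz_process_zones_entry and catz_process_version. Either word the caller's message neutrally (drop "- ignoring"), or select between an "ignoring" and a "catalog marked broken" message based on `newzone->broken` after dns_catz_update_process returns. catz_process_coo's body continues outside the hunk.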
@@ -1123,24 +1133,32 @@ catz_process_zones_entry(dns_catz_zone_t *zone, dns_rdataset_t *value,
 dns_rdata_ptr_t ptr;
 dns_catz_entry_t *entry = NULL;
- /*
- * We only take -first- value, as mhash must be
- * different.
- */
- if (value->type != dns_rdatatype_ptr) {
+ if (value->rdclass != dns_rdataclass_in ||
+ value->type != dns_rdatatype_ptr) {
+ return (ISC_R_FAILURE);
+ }
+
+ if (dns_rdataset_count(value) != 1) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+ "catz: member zone PTR RRset contains "
+ "more than one record, which is invalid");
+ zone->broken = true;
 return (ISC_R_FAILURE);
 }
 result = dns_rdataset_first(value);
 if (result != ISC_R_SUCCESS) {
- return (ISC_R_FAILURE);
+ return (result);
 }
 dns_rdata_init(&rdata);
 dns_rdataset_current(value, &rdata);
 result = dns_rdata_tostruct(&rdata, &ptr, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
 result = isc_ht_find(zone->entries, mhash->base, mhash->length, (void **)&entry);
@@ -1186,6 +1204,15 @@ catz_process_version(dns_catz_zone_t *zone, dns_rdataset_t *value) {
 return (ISC_R_FAILURE);
 }
+ if (dns_rdataset_count(value) != 1) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+ "catz: 'version' property TXT RRset contains "
+ "more than one record, which is invalid");
+ zone->broken = true;
+ return (ISC_R_FAILURE);
+ }
+
 result = dns_rdataset_first(value);
 if (result != ISC_R_SUCCESS) {
 return (result);
@@ -1195,7 +1222,9 @@ catz_process_version(dns_catz_zone_t *zone, dns_rdataset_t *value) {
 dns_rdataset_current(value, &rdata);
 result = dns_rdata_tostruct(&rdata, &rdatatxt, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
 result = dns_rdata_txt_first(&rdatatxt);
 if (result != ISC_R_SUCCESS) {
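Review bot: The new class test at the top of catz_process_zones_entry fails silently (no log, `broken` not set), whereas the class test added to dns_catz_update_process in the next hunk logs and marks the zone broken; if catz_process_zones_entry is only reached through dns_catz_update_process, which now rejects non-IN rdatasets before dispatching, this branch is unreachable and a comment saying which caller guarantees the class (or an INSIST) would be clearer than a silent ISC_R_FAILURE. The deleted comment was the only explanation of why a single PTR is taken; now that the count check enforces it, keep a one-liner above it, e.g. `/* A member zone entry carries exactly one PTR; anything else breaks the catalog. */`. The function body continues past the isc_ht_find call outside the hunk.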
@@ -1227,6 +1256,13 @@ catz_process_version(dns_catz_zone_t *zone, dns_rdataset_t *value) {
 cleanup:
 dns_rdata_freestruct(&rdatatxt);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+ "catz: invalid record for the catalog "
+ "zone version property");
+ zone->broken = true;
+ }
 return (result);
 }
@@ -1670,6 +1706,14 @@ dns_catz_update_process(dns_catz_zones_t *catzs, dns_catz_zone_t *zone,
 REQUIRE(DNS_CATZ_ZONE_VALID(zone));
 REQUIRE(ISC_MAGIC_VALID(src_name, DNS_NAME_MAGIC));
+ if (rdataset->rdclass != dns_rdataclass_in) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+ "catz: RR found which has a non-IN class");
+ zone->broken = true;
+ return (ISC_R_FAILURE);
+ }
+
 nrres = dns_name_fullcompare(src_name, &zone->name, &order, &nlabels);
 if (nrres == dns_namereln_equal) {
 if (rdataset->type == dns_rdatatype_soa) {
@@ -2047,8 +2091,10 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 dns_rdatasetiter_t *rdsiter = NULL;
 dns_rdataset_t rdataset;
 char bname[DNS_NAME_FORMATSIZE];
+ char cname[DNS_NAME_FORMATSIZE];
 bool is_vers_processed = false;
 uint32_t vers;
+ uint32_t catz_vers;
 REQUIRE(DNS_DB_VALID(db));
 REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
@@ -2125,13 +2171,13 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 result = dns_dbiterator_seek(it, name);
 if (result != ISC_R_SUCCESS) {
 dns_dbiterator_destroy(&it);
- dns_catz_zone_detach(&newzone);
 dns_db_closeversion(db, &oldzone->dbversion, false);
 isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER, ISC_LOG_ERROR, "catz: zone '%s' has no 'version' record (%s)", bname, isc_result_totext(result));
- return;
+ newzone->broken = true;
+ goto final;
 }
 name = dns_fixedname_initname(&fixname);
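Review bot: The non-IN class check in dns_catz_update_process logs at ISC_LOG_ERROR, while every other new "broken" condition in this series (the count checks in catz_process_coo, catz_process_zones_entry and catz_process_version, the `cleanup:` failure in catz_process_version, and the version checks in dns_catz_update_from_db) logs at ISC_LOG_WARNING and leaves the ERROR-level line to the final "is broken and will not be processed" message; unless a non-IN RR is deliberately more severe, `DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,` here would keep the levels consistent. On the `goto final` path added to dns_catz_update_from_db the iterator is destroyed and the db version closed before the jump, whereas the normal path reaches `final:` only after the iteration loop, which is outside this hunk — confirm that both paths arrive with the same resources released, because `final:` returns without further cleanup.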
@@ -2177,7 +2223,6 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 result = dns_catz_update_process(catzs, newzone, name, &rdataset);
 if (result != ISC_R_SUCCESS) {
- char cname[DNS_NAME_FORMATSIZE];
 char typebuf[DNS_RDATATYPE_FORMATSIZE];
 char classbuf[DNS_RDATACLASS_FORMATSIZE];
@@ -2191,8 +2236,8 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
- "catz: unknown record in catalog "
- "zone - %s %s %s(%s) - ignoring",
+ "catz: invalid record in catalog "
+ "zone - %s %s %s (%s) - ignoring",
 cname, classbuf, typebuf, isc_result_totext(result));
 }
@@ -2218,6 +2263,40 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 ISC_LOG_DEBUG(3),
 "catz: update_from_db: iteration finished");
+ /*
+ * Check catalog zone version compatibilites.
+ */
+ catz_vers = (newzone->version == DNS_CATZ_VERSION_UNDEFINED)
+ ? oldzone->version
+ : newzone->version;
+ if (catz_vers == DNS_CATZ_VERSION_UNDEFINED) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+ "catz: zone '%s' version is not set", bname);
+ newzone->broken = true;
+ } else if (catz_vers != 1 && catz_vers != 2) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+ "catz: zone '%s' unsupported version "
+ "'%" PRIu32 "'",
+ bname, catz_vers);
+ newzone->broken = true;
+ } else {
+ oldzone->version = catz_vers;
+ }
+
+final:
+ if (newzone->broken) {
+ dns_name_format(name, cname, DNS_NAME_FORMATSIZE);
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+ "catz: new catalog zone '%s' is broken and "
+ "will not be processed",
+ bname);
+ dns_catz_zone_detach(&newzone);
+ return;
+ }
+
 /*
 * Finally merge new zone into old zone.
 */
From 92d1e1e3471e633f2c25542d92df8dd4c14e62f5 Mon Sep 17 00:00:00 2001
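Review bot: `dns_name_format(name, cname, DNS_NAME_FORMATSIZE);` under `final:` is dead: the log call right after it prints `bname`, not `cname`, so hoisting `cname` to function scope (the first hunk here removes the block-local declaration) buys nothing. Either drop that line and restore the block-local `char cname[DNS_NAME_FORMATSIZE];` inside the failure branch, or, if the intent was to name the offending record, note that on the `goto final` path `name` still holds whatever dns_dbiterator_seek was given, and on the normal path the last iterated name, neither of which necessarily identifies what broke the zone. The added comment also misspells "compatibilities" (`compatibilites`). The remainder of dns_catz_update_from_db after the "Finally merge" comment lies outside the hunk.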
From: Aram Sargsyan Date: Wed, 23 Mar 2022 11:01:34 +0000 Subject: [PATCH 2/6] Add CHANGES note for [GL #3224] --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 4441960393..defd7b957f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5877. [func] Introduce the concept of broken catalog zones described + in the DNS catalog zones draft version 5 document. + [GL #3224] + 5876. [func] Add DNS Extended Errors when stale answers are returned from cache. [GL #2267] From dfd5a01eba909d57eef5e3478812c6f9255280e1 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 13 Apr 2022 13:56:37 +0000 Subject: [PATCH 3/6] Add a new warning message when processing view configuration When parsing the configuration file, log a warning message in configure_view() function when encountering a `catalog-zones` option in a view with non-IN rdata class. --- bin/named/server.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/bin/named/server.c b/bin/named/server.c index 2cb60e46c0..db8f1d29fb 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -4132,6 +4132,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, rpz_configured = true; } + obj = NULL; + if (view->rdclass != dns_rdataclass_in && need_hints && + named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS) + { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "'catalog-zones' option is only supported " + "for views with class IN"); + } + obj = NULL; if (view->rdclass == dns_rdataclass_in && need_hints && named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS) From 247ae534a0868fcadb1b241407ba91b54191891f Mon Sep 17 00:00:00 2001 
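Review bot: The new warning in configure_view is gated on `need_hints`, a condition that looks carried over from the IN-class block below it (the one that actually configures catalog zones); if `need_hints` is false for some views, a non-IN view with `catalog-zones` configured gets no warning at all, which defeats the purpose of the message — confirm whether the intended condition is simply `if (view->rdclass != dns_rdataclass_in && named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS)`. The two adjacent blocks also look up the same option twice; a single `named_config_get` followed by an `if (view->rdclass != dns_rdataclass_in) { warn } else { configure }` would make the relationship between them explicit. The IN-class block continues outside the hunk.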
From: Aram Sargsyan Date: Wed, 13 Apr 2022 14:06:00 +0000 Subject: [PATCH 4/6] Add a system test to check catalog zones with non-IN rdata class fail According to DNS catalog zones draft version 5 document, the CLASS field of every RR in a catalog zone MUST be IN. Add a new check in the catz system test to verify that a non-IN class catalog zone (in this case CH) fails to load. BIND does not support having a non-IN class RR in an IN class zone, or non-IN class zone in an IN class view, so to verify that BIND respects the mentioned restriction we must try to add a non-IN class catalog zone and check that it didn't succeed. The `named` configuration files had to be restructured to put all the zones inside views, which also resulted in some corresponding changes in the tests.sh script. --- bin/tests/system/catz/clean.sh | 1 + .../system/catz/ns1/catalog-bad5.example.db | 14 ++ bin/tests/system/catz/ns1/named.conf.in | 126 +++++++++-------- bin/tests/system/catz/ns2/named1.conf.in | 127 +++++++++++------- bin/tests/system/catz/ns2/named2.conf.in | 108 ++++++++------- bin/tests/system/catz/tests.sh | 127 ++++++++++-------- 6 files changed, 296 insertions(+), 207 deletions(-) create mode 100644 bin/tests/system/catz/ns1/catalog-bad5.example.db diff --git a/bin/tests/system/catz/clean.sh b/bin/tests/system/catz/clean.sh index e293e7dc0c..fc4765c8b1 100644 --- a/bin/tests/system/catz/clean.sh +++ b/bin/tests/system/catz/clean.sh @@ -12,6 +12,7 @@ rm -f dig.out.* rm -f ns*/*.jnl rm -f ns*/*.nzf +rm -f ns*/*.mkeys rm -f ns*/named.lock rm -f ns*/named.memstats rm -f ns*/named.conf diff --git a/bin/tests/system/catz/ns1/catalog-bad5.example.db b/bin/tests/system/catz/ns1/catalog-bad5.example.db new file mode 100644 index 0000000000..b014d0a2d2 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad5.example.db 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 CH NS invalid. +version CH TXT "2" diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 5cf799f1c6..5bfac4694f 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in 
@@ -32,63 +32,83 @@ options { allow-transfer { any; }; }; -zone "catalog1.example" { - type primary; - file "catalog1.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; +view "default" { + + zone "catalog1.example" { + type primary; + file "catalog1.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + /* catalog2 is provided by the ns3 primary */ + + zone "catalog3.example" { + type primary; + file "catalog3.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + zone "catalog4.example" { + type primary; + file "catalog4.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + /* catalog5 is missing on purpose */ + + # No "version" property + zone "catalog-bad1.example" { + type primary; + file "catalog-bad1.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + # Unsupported "version" property + zone "catalog-bad2.example" { + type primary; + file "catalog-bad2.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + + # Two RRs in TXT RRset for the "version" property + zone "catalog-bad3.example" { + type primary; + file "catalog-bad3.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + }; -zone "catalog3.example" { - type primary; - file "catalog3.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; -}; +view "ch" ch { -zone "catalog4.example" { - type primary; - file "catalog4.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; -}; + # Non-IN class catalog zone + zone 
"catalog-bad5.example" ch { + type primary; + file "catalog-bad5.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; -/* catalog5 is missing on purpose */ - -# No "version" property -zone "catalog-bad1.example" { - type primary; - file "catalog-bad1.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; -}; - -# Unsupported "version" property -zone "catalog-bad2.example" { - type primary; - file "catalog-bad2.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; -}; - -# Two RRs in TXT RRset for the "version" property -zone "catalog-bad3.example" { - type primary; - file "catalog-bad3.example.db"; - allow-transfer { any; }; - allow-update { any; }; - also-notify { 10.53.0.2; }; - notify explicit; }; key tsig_key. { diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index 8ff6f687a0..961b4c5712 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in @@ -28,6 +28,16 @@ options { notify no; recursion no; serial-query-rate 100; +}; + +/* + * The comment lines starting with "#Tn" markers below are designed to be + * uncommented by "tests.sh" when running the tests to perform some of required + * tests which need ns2 reconfgiuration. + */ + +view "default" { + catalog-zones { zone "catalog1.example" default-masters { 10.53.0.1; } 
@@ -53,61 +63,78 @@ options { default-masters { 10.53.0.1; } in-memory yes; }; + + # A faulty dlz configuration to check if named and catz survive a certain class + # of failed configuration attempts (see GL#3060). + # We use "dlz" because the dlz processing code is located in an ideal place in + # the view configuration function for the test to cover the view reverting code. +#T3 dlz "bad-dlz" { +#T3 database "dlopen bad-dlz.so example.org"; +#T3 }; + + zone "dom-existing.example" { + type primary; + file "dom-existing.example.db"; + }; + + zone "catalog1.example" { + type secondary; + file "catalog1.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog2.example" { + type secondary; + file "catalog2.example.db"; + primaries { 10.53.0.3; }; + }; + + zone "catalog3.example" { + type secondary; + file "catalog3.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog4.example" { + type secondary; + file "catalog4.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog-bad1.example" { + type secondary; + file "catalog-bad1.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog-bad2.example" { + type secondary; + file "catalog-bad2.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog-bad3.example" { + type secondary; + file "catalog-bad3.example.db"; + primaries { 10.53.0.1; }; + }; + }; -# A faulty dlz configuration to check if named and catz survive a certain class -# of failed configuration attempts (see GL#3060). -# We use "dlz" because the dlz processing code is located in an ideal place in -# the view configuration function for the test to cover the view reverting code. 
-#T3dlz "bad-dlz" { -#T3 database "dlopen bad-dlz.so example.org"; -#T3}; +view "ch" ch { -zone "dom-existing.example" { - type primary; - file "dom-existing.example.db"; -}; + catalog-zones { + zone "catalog-bad5.example" + default-masters { 10.53.0.1; } + in-memory yes; + }; -zone "catalog1.example" { - type secondary; - file "catalog1.example.db"; - primaries { 10.53.0.1; }; -}; + zone "catalog-bad5.example" ch { + type secondary; + file "catalog-bad5.example.db"; + primaries { 10.53.0.1; }; + }; -zone "catalog2.example" { - type secondary; - file "catalog2.example.db"; - primaries { 10.53.0.3; }; -}; - -zone "catalog3.example" { - type secondary; - file "catalog3.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog4.example" { - type secondary; - file "catalog4.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog-bad1.example" { - type secondary; - file "catalog-bad1.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog-bad2.example" { - type secondary; - file "catalog-bad2.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog-bad3.example" { - type secondary; - file "catalog-bad3.example.db"; - primaries { 10.53.0.1; }; }; key tsig_key. { diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index 787d62b510..927aa04810 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in 
@@ -28,55 +28,73 @@ options { notify no; recursion no; serial-query-rate 100; +}; + +view "default" { + + # Removed catalog-zone option, otherwise this is + # identical to named1.conf.in + + zone "dom-existing.example" { + type primary; + file "dom-existing.example.db"; + }; + + zone "catalog1.example" { + type secondary; + file "catalog1.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog2.example" { + type secondary; + file "catalog2.example.db"; + primaries { 10.53.0.3; }; + }; + + zone "catalog3.example" { + type secondary; + file "catalog3.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog4.example" { + type secondary; + file "catalog4.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog-bad1.example" { + type secondary; + file "catalog-bad1.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog-bad2.example" { + type secondary; + file "catalog-bad2.example.db"; + primaries { 10.53.0.1; }; + }; + + zone "catalog-bad3.example" { + type secondary; + file "catalog-bad3.example.db"; + primaries { 10.53.0.1; }; + }; + +}; + +view "ch" ch { + # removed catalog-zone option, otherwise this is # identical to named1.conf.in -}; -zone "dom-existing.example" { - type primary; - file "dom-existing.example.db"; -}; + zone "catalog-bad5.example" ch { + type secondary; + file "catalog-bad5.example.db"; + primaries { 10.53.0.1; }; + }; -zone "catalog1.example" { - type secondary; - file "catalog1.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog2.example" { - type secondary; - file "catalog2.example.db"; - primaries { 10.53.0.3; }; -}; - -zone "catalog3.example" { - type secondary; - file "catalog3.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog4.example" { - type secondary; - file "catalog4.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog-bad1.example" { - type secondary; - file "catalog-bad1.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog-bad2.example" { - type secondary; - file 
"catalog-bad2.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog-bad3.example" { - type secondary; - file "catalog-bad3.example.db"; - primaries { 10.53.0.1; }; }; key tsig_key. { diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index 807fb14bc0..18e718c5e5 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh @@ -108,6 +108,15 @@ wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "checking that catalog-bad5.example (non-IN class) has failed to load ($n)" +ret=0 +wait_for_message ns2/named.run "'catalog-zones' option is only supported for views with class IN" && +wait_for_message ns2/named.run "all zones loaded" || ret=1 +grep -F "catz: dns_catz_add_zone catalog-bad5.example" ns2/named.run && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + nextpart ns2/named.run >/dev/null ########################################################################## @@ -129,7 +138,7 @@ echo "foo 3600 IN TXT some content here" >> ns1/dom1.example.db echo "bar 3600 IN TXT some content here" >> ns1/dom1.example.db echo "xxx 3600 IN TXT some content here" >> ns1/dom1.example.db echo "yyy 3600 IN TXT some content here" >> ns1/dom1.example.db -rndccmd 10.53.0.1 addzone dom1.example. '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 +rndccmd 10.53.0.1 addzone dom1.example. in default '{ type primary; file "dom1.example.db"; allow-update { any; }; notify explicit; also-notify { 10.53.0.2; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
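Review bot: The negative assertion `grep -F "catz: dns_catz_add_zone catalog-bad5.example" ns2/named.run && ret=1` in the catalog-bad5 check passes vacuously if that log line is ever reworded or its level changes, so the test would keep reporting success even if a non-IN catalog zone started being processed. A positive control on the same pattern would keep it honest, e.g. `grep -F "catz: dns_catz_add_zone catalog1.example" ns2/named.run > /dev/null || ret=1` placed next to it — assuming named emits that line for the IN-class catalog zones loaded in the same run, which cannot be confirmed from this hunk. A short comment above the grep, `# negative check: the ch-class catalog zone must never reach dns_catz_add_zone`, would also make the intent clear to whoever next edits the log format.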
@@ -157,7 +166,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom1.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom1.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom1.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -171,7 +180,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "checking that zone-directory is populated ($n)" ret=0 -wait_for_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 +wait_for_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -204,7 +213,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "check that journal was created for cleanup test ($n)" ret=0 -test -f ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl || ret=1 +test -f ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -276,7 +285,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom1.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -290,8 +299,8 @@ status=$((status+ret)) n=$((n+1)) echo_i "checking that zone-directory is emptied ($n)" ret=0 -wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db" || ret=1 -wait_for_no_zonefile "ns2/zonedir/__catz___default_catalog1.example_dom1.example.db.jnl" || ret=1 +wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db" || ret=1 +wait_for_no_zonefile "ns2/zonedir/__catz__default_catalog1.example_dom1.example.db.jnl" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -305,7 +314,7 @@ ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom2.example.db echo "@ IN NS invalid." >> ns1/dom2.example.db echo "@ IN A 192.0.2.1" >> ns1/dom2.example.db -rndccmd 10.53.0.1 addzone dom2.example. '{type primary; file "dom2.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom2.example. in default '{type primary; file "dom2.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -324,7 +333,7 @@ echo_i "adding domain dom4.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom4.example.db echo "@ IN NS invalid." >> ns1/dom4.example.db -rndccmd 10.53.0.1 addzone dom4.example. '{type primary; file "dom4.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom4.example. in default '{type primary; file "dom4.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -367,7 +376,7 @@ ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom3.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom4.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom4.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom4.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -390,7 +399,7 @@ echo_i "adding a domain dom3.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom3.example.db echo "@ IN NS invalid." >> ns1/dom3.example.db -rndccmd 10.53.0.1 addzone dom3.example. '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 +rndccmd 10.53.0.1 addzone dom3.example. in default '{type primary; file "dom3.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -404,8 +413,8 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom3.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom3.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -530,7 +539,7 @@ ret=0 wait_for_message ns2/named.run "catz: zone 'dom2.example' change of ownership from 'catalog1.example' to 'catalog2.example'" && wait_for_message ns2/named.run "catz: deleting zone 'dom2.example' from catalog 'catalog1.example' - success" && wait_for_message ns2/named.run "catz: adding zone 'dom2.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom2.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom2.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -645,7 +654,7 @@ ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom-existing.example.db echo "@ IN NS invalid." >> ns1/dom-existing.example.db echo "@ IN A 192.0.2.1" >> ns1/dom-existing.example.db -rndccmd 10.53.0.1 addzone dom-existing.example. '{type primary; file "dom-existing.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 +rndccmd 10.53.0.1 addzone dom-existing.example. in default '{type primary; file "dom-existing.example.db"; also-notify { 10.53.0.2; }; notify explicit; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -738,7 +747,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom5.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom5.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom5.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -764,7 +773,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom5.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -795,7 +804,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom6.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom6.example/IN' from " > /dev/null || ret=1 +wait_for_message ns2/named.run "transfer of 'dom6.example/IN/default' from " > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -822,7 +831,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom6.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -889,12 +898,12 @@ echo_i "adding domains dom7.example. and dom8.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom7.example.db echo "@ IN NS invalid." >> ns1/dom7.example.db -rndccmd 10.53.0.1 addzone dom7.example. '{type primary; file "dom7.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom7.example. in default '{type primary; file "dom7.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom8.example.db echo "@ IN NS invalid." >> ns1/dom8.example.db -rndccmd 10.53.0.1 addzone dom8.example. '{type primary; file "dom8.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom8.example. in default '{type primary; file "dom8.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -923,7 +932,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom7.example' from catalog 'catalog1.example'" > /dev/null && -wait_for_message ns2/named.run "transfer of 'dom7.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom7.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -966,7 +975,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: update_from_db: new zone merged" && -wait_for_message ns2/named.run "transfer of 'dom8.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom8.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1055,7 +1064,7 @@ echo_i "adding a domain dom9.example. to primary via RNDC, with transfers allowe ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom9.example.db echo "@ IN NS invalid." >> ns1/dom9.example.db -rndccmd 10.53.0.1 addzone dom9.example. '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 +rndccmd 10.53.0.1 addzone dom9.example. in default '{type primary; file "dom9.example.db"; allow-transfer { key tsig_key; }; };' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1085,7 +1094,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom9.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom9.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom9.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1180,19 +1189,19 @@ do case "$special" in this.is.a.very.very.long.long.long.domain.that.will.cause.catalog.zones.to.generate.hash.instead.of.using.regular.filename.dom10.example) hash=825f48b1ce1b4cf5a041d20255a0c8e98d114858 - db=__catz__4d70696f2335687069467f11f5d5378c480383f97782e553fb2d04a7bb2a23ed.db + db=__catz__a35e0a044ff9f37436068e1e83e9b99fb9da51b0fe7b699bdb404f7755d68276.db ;; this.zone/domain.has.a.slash.dom10.example) hash=e64cc64c99bf52d0a77fb16dd7ed57cf925a36aa - db=__catz__46ba3e1b28d5955e5313d5fee61bedc78c71d08035aa7ea2f7bf0b8228ab3acc.db + db=__catz__765197c8050c794f4ec5bbf5dbdf64d0551459c08a91a4217768fcd16cd3b7ce.db ;; this.zone\\\\domain.has.backslash.dom10.example) hash=91e27e02153d38cf656a9b376d7747fbcd19f985 - db=__catz__b667f7ff802c0895e0506699951cff9a1cab68c5ef8546aa0d07425f244ed870.db + db=__catz__0f2f3beaf2ef70e0086063ae28a69444cdf3847cb85e668bfe52c89f7f756b29.db ;; this.zone:domain.has.a.colon.dom.10.example) hash=8b7238bf4c34045834c573ba4116557ebb24d33c - db=__catz__5c721f7872913a4e7fa8ad42589cce5dd6e551a4c9e6ab3f86e77c0bbc7c2ca6.db + db=__catz__ba75ab860533508a62b0937c5c6b8537e4186e4d5e7685161287260d07418251.db ;; esac @@ -1208,7 +1217,7 @@ do ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom10.example.db echo "@ IN NS invalid." >> ns1/dom10.example.db - rndccmd 10.53.0.1 addzone '"'"${special}"'"' '{type primary; file "dom10.example.db";};' || ret=1 + rndccmd 10.53.0.1 addzone '"'"${special}"'"' in default '{type primary; file "dom10.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1236,7 +1245,7 @@ END echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone '$special' from catalog 'catalog1.example'" && - wait_for_message ns2/named.run "transfer of '$special/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 + wait_for_message ns2/named.run "transfer of '$special/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1268,7 +1277,7 @@ END n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 - wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN: shutting down" || ret=1 + wait_for_message ns2/named.run "zone_shutdown: zone ${special}/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1302,7 +1311,7 @@ echo_i "Adding a domain dom11.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom11.example.db echo "@ IN NS invalid." >> ns1/dom11.example.db -rndccmd 10.53.0.1 addzone dom11.example. '{type primary; file "dom11.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom11.example. in default '{type primary; file "dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1330,7 +1339,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1353,7 +1362,7 @@ echo_i "Adding a domain subdomain.of.dom11.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/subdomain.of.dom11.example.db echo "@ IN NS invalid." >> ns1/subdomain.of.dom11.example.db -rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone subdomain.of.dom11.example. in default '{type primary; file "subdomain.of.dom11.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1381,7 +1390,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'subdomain.of.dom11.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'subdomain.of.dom11.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1406,7 +1415,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom11.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1438,7 +1447,7 @@ status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone subdomain.of.dom11.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1463,7 +1472,7 @@ echo_i "Adding a domain dom12.example. to primary via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom12.example.db echo "@ IN NS invalid." >> ns1/dom12.example.db -rndccmd 10.53.0.1 addzone dom12.example. '{type primary; file "dom12.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom12.example. in default '{type primary; file "dom12.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1508,7 +1517,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom12.example' from catalog 'catalog4.example'" && -wait_for_message ns2/named.run "transfer of 'dom12.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom12.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1576,7 +1585,7 @@ ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom13.example.db echo "@ IN NS invalid." >> ns1/dom13.example.db echo "@ IN A 192.0.2.1" >> ns1/dom13.example.db -rndccmd 10.53.0.1 addzone dom13.example. '{type primary; file "dom13.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom13.example. in default '{type primary; file "dom13.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1623,7 +1632,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom13.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom13.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom13.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1734,7 +1743,7 @@ ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom14.example.db echo "@ IN NS invalid." >> ns1/dom14.example.db echo "@ IN A 192.0.2.1" >> ns1/dom14.example.db -rndccmd 10.53.0.1 addzone dom14.example. '{type primary; file "dom14.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom14.example. in default '{type primary; file "dom14.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1767,14 +1776,14 @@ nextpart ns2/named.run >/dev/null n=$((n+1)) echo_i "Adding domain dom14.example. with rndc with ns1 as primary ($n)" ret=0 -rndccmd 10.53.0.2 addzone dom14.example. '{type secondary; primaries {10.53.0.1;};};' || ret=1 +rndccmd 10.53.0.2 addzone dom14.example. in default '{type secondary; primaries {10.53.0.1;};};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 -wait_for_message ns2/named.run "transfer of 'dom14.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom14.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1858,7 +1867,7 @@ echo_i "Adding a domain dom15.example. to primary ns1 via RNDC ($n)" ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom15.example.db echo "@ IN NS invalid." >> ns1/dom15.example.db -rndccmd 10.53.0.1 addzone dom15.example. '{type primary; file "dom15.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom15.example. in default '{type primary; file "dom15.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1940,7 +1949,7 @@ ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom16.example.db echo "@ IN NS invalid." >> ns1/dom16.example.db echo "@ IN A 192.0.2.1" >> ns1/dom16.example.db -rndccmd 10.53.0.1 addzone dom16.example. '{type primary; file "dom16.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom16.example. in default '{type primary; file "dom16.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1969,7 +1978,7 @@ n=$((n+1)) echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: adding zone 'dom16.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom16.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom16.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -1987,7 +1996,7 @@ nextpart ns2/named.run >/dev/null echo_i "Deleting dom16.example. from secondary ns2 via RNDC ($n)" ret=0 -rndccmd 10.53.0.2 delzone dom16.example. >/dev/null 2>&1 || ret=1 +rndccmd 10.53.0.2 delzone dom16.example. in default >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -2071,13 +2080,13 @@ ret=0 echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom17.example.db echo "@ IN NS invalid." >> ns1/dom17.example.db echo "@ IN A 192.0.2.1" >> ns1/dom17.example.db -rndccmd 10.53.0.1 addzone dom17.example. '{type primary; file "dom17.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom17.example. in default '{type primary; file "dom17.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" > ns1/dom18.example.db echo "@ IN NS invalid." >> ns1/dom18.example.db echo "@ IN A 192.0.2.1" >> ns1/dom18.example.db -rndccmd 10.53.0.1 addzone dom18.example. '{type primary; file "dom18.example.db";};' || ret=1 +rndccmd 10.53.0.1 addzone dom18.example. in default '{type primary; file "dom18.example.db";};' || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -2161,8 +2170,8 @@ ret=0 wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.dom17.zones.catalog1.example IN A (failure) - ignoring" && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog1.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog1.example'" && -wait_for_message ns2/named.run "transfer of 'dom17.example/IN' from 10.53.0.1#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom18.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -2211,8 +2220,8 @@ echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog1.example' - success" && wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog1.example' - success" && -wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN: shutting down" && -wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" && +wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -2252,8 +2261,8 @@ ret=0 wait_for_message ns2/named.run "catz: invalid record in catalog zone - primaries.ext.dom18.zones.catalog2.example IN A (failure) - ignoring" && wait_for_message ns2/named.run "catz: adding zone 'dom17.example' from catalog 'catalog2.example'" && wait_for_message ns2/named.run "catz: adding zone 'dom18.example' from catalog 'catalog2.example'" && -wait_for_message ns2/named.run "transfer of 'dom17.example/IN' from 10.53.0.3#${PORT}: Transfer status: success" && -wait_for_message ns2/named.run "transfer of 'dom18.example/IN' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 +wait_for_message ns2/named.run "transfer of 'dom17.example/IN/default' from 10.53.0.3#${PORT}: Transfer status: success" && +wait_for_message ns2/named.run "transfer of 'dom18.example/IN/default' from 10.53.0.1#${EXTRAPORT1}: Transfer status: success" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -2302,8 +2311,8 @@ echo_i "waiting for secondary to sync up ($n)" ret=0 wait_for_message ns2/named.run "catz: deleting zone 'dom17.example' from catalog 'catalog2.example' - success" && wait_for_message ns2/named.run "catz: deleting zone 'dom18.example' from catalog 'catalog2.example' - success" && -wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN: shutting down" && -wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN: shutting down" || ret=1 +wait_for_message ns2/named.run "zone_shutdown: zone dom17.example/IN/default: shutting down" && +wait_for_message ns2/named.run "zone_shutdown: zone dom18.example/IN/default: shutting down" || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) From 5bfe655835490de9e198605618ae938c0a684a75 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 15 Apr 2022 15:34:19 +0000 Subject: [PATCH 5/6] Add new catz system test to check a version property with invalid type There is already a check for the missing version property case (catalog-bad1.example), and this new test should result in the same outcome, but differs in a way that there exists a version record in the zone, but it is of a wrong type (A instead of the expected TXT). --- bin/tests/system/catz/ns1/catalog-bad4.example.db | 14 ++++++++++++++ bin/tests/system/catz/ns1/named.conf.in | 9 +++++++++ bin/tests/system/catz/ns2/named1.conf.in | 14 ++++++++++++++ bin/tests/system/catz/ns2/named2.conf.in | 13 ++++++++++++- bin/tests/system/catz/tests.sh | 9 +++++++++ 5 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/catz/ns1/catalog-bad4.example.db diff --git a/bin/tests/system/catz/ns1/catalog-bad4.example.db b/bin/tests/system/catz/ns1/catalog-bad4.example.db new file mode 100644 index 0000000000..d04bab321c --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad4.example.db 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN A 10.53.0.1 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 5bfac4694f..142128131c 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in @@ -95,6 +95,15 @@ view "default" { notify explicit; }; + # Type A "version" property + zone "catalog-bad4.example" { + type primary; + file "catalog-bad4.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; }; view "ch" ch { diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index 961b4c5712..c52205aab3 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in @@ -62,6 +62,9 @@ view "default" { zone "catalog-bad3.example" default-masters { 10.53.0.1; } in-memory yes; + zone "catalog-bad4.example" + default-masters { 10.53.0.1; } + in-memory yes; }; # A faulty dlz configuration to check if named and catz survive a certain class 
@@ -101,24 +104,34 @@ view "default" { primaries { 10.53.0.1; }; }; + # No "version" property zone "catalog-bad1.example" { type secondary; file "catalog-bad1.example.db"; primaries { 10.53.0.1; }; }; + # Unsupported "version" property zone "catalog-bad2.example" { type secondary; file "catalog-bad2.example.db"; primaries { 10.53.0.1; }; }; + # Two RRs in TXT RRset for the "version" property zone "catalog-bad3.example" { type secondary; file "catalog-bad3.example.db"; primaries { 10.53.0.1; }; }; + # Type A "version" property + zone "catalog-bad4.example" { + type secondary; + file "catalog-bad4.example.db"; + primaries { 10.53.0.1; }; + }; + }; view "ch" ch { @@ -129,6 +142,7 @@ view "ch" ch { in-memory yes; }; + # Non-IN class catalog zone zone "catalog-bad5.example" ch { type secondary; file "catalog-bad5.example.db"; diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in index 927aa04810..89c15c71af 100644 --- a/bin/tests/system/catz/ns2/named2.conf.in +++ b/bin/tests/system/catz/ns2/named2.conf.in @@ -64,31 +64,42 @@ view "default" { primaries { 10.53.0.1; }; }; + # No "version" property zone "catalog-bad1.example" { type secondary; file "catalog-bad1.example.db"; primaries { 10.53.0.1; }; }; + # Unsupported "version" property zone "catalog-bad2.example" { type secondary; file "catalog-bad2.example.db"; primaries { 10.53.0.1; }; }; + # Two RRs in TXT RRset for the "version" property zone "catalog-bad3.example" { type secondary; file "catalog-bad3.example.db"; primaries { 10.53.0.1; }; }; + # Type A "version" property + zone "catalog-bad4.example" { + type secondary; + file "catalog-bad4.example.db"; + primaries { 10.53.0.1; }; + }; + }; view "ch" ch { - # removed catalog-zone option, otherwise this is + # Removed catalog-zone option, otherwise this is # identical to named1.conf.in + # Non-IN class catalog zone zone "catalog-bad5.example" ch { type secondary; file "catalog-bad5.example.db"; 
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index 18e718c5e5..c973dc020c 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -108,6 +108,15 @@ wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad3.example' is
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+n=$((n+1))
+echo_i "checking that catalog-bad4.example (with only spurious type A version record) has failed to load ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: invalid record in catalog zone - version.catalog-bad4.example IN A (failure) - ignoring" &&
+wait_for_message ns2/named.run "catz: zone 'catalog-bad4.example' version is not set" &&
+wait_for_message ns2/named.run "catz: new catalog zone 'catalog-bad4.example' is broken and will not be processed" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n+1))
 echo_i "checking that catalog-bad5.example (non-IN class) has failed to load ($n)"
 ret=0
From 84d3aba4f3e87cd293e765b9ba5b070d4156cdce Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Fri, 15 Apr 2022 15:50:43 +0000
Subject: [PATCH 6/6] Remove reduntant checks of 'rdclass' in catz.c
We check the `rdclass` to be of type IN in `dns_catz_update_process()` function, and all the other static functions where similar checks exist are called after (and in the result of) that function being called, so they are effectively redundant.
---
 lib/dns/catz.c | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 3c9e60d060..9d231906d8 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -1022,10 +1018,6 @@ catz_process_zones(dns_catz_zone_t *zone, dns_rdataset_t *value,
 REQUIRE(DNS_RDATASET_VALID(value));
 REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
- if (value->rdclass != dns_rdataclass_in) {
- return (ISC_R_FAILURE);
- }
-
 if (name->labels == 0) {
 return (ISC_R_FAILURE);
 }
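Review bot: Dropping the rdclass guard leaves catz_process_zones (and, in the same way, catz_process_coo, catz_process_zones_entry, catz_process_version, catz_process_primaries and catz_process_apl in the following hunks) with an unstated precondition: they now parse whatever class the rdataset carries and rely on dns_catz_update_process() having rejected non-IN zones first, which the commit message asserts but nothing in these functions records. Since the helpers are static and the class check lives upstream, a short comment at each removal site would keep the invariant visible to the next maintainer, e.g. `/* value->rdclass == dns_rdataclass_in is enforced once, in dns_catz_update_process(). */`. The comment block in catz_process_primaries still describes the expected records as "IN A/IN AAAA" and "IN TXT", so that is the natural place to say the class is guaranteed by the caller rather than checked locally. A REQUIRE() on the class would document it too, but would turn a data-dependent condition into an assertion failure, so a comment seems the safer choice unless the caller's check is unconditional on every path. The bodies of all six functions extend outside their hunks.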
@@ -1061,8 +1057,7 @@ catz_process_coo(dns_catz_zone_t *zone, dns_label_t *mhash,
 return (ISC_R_FAILURE);
 }
- if (value->rdclass != dns_rdataclass_in ||
- value->type != dns_rdatatype_ptr) {
+ if (value->type != dns_rdatatype_ptr) {
 return (ISC_R_FAILURE);
 }
@@ -1133,8 +1128,7 @@ catz_process_zones_entry(dns_catz_zone_t *zone, dns_rdataset_t *value,
 dns_rdata_ptr_t ptr;
 dns_catz_entry_t *entry = NULL;
- if (value->rdclass != dns_rdataclass_in ||
- value->type != dns_rdatatype_ptr) {
+ if (value->type != dns_rdatatype_ptr) {
 return (ISC_R_FAILURE);
 }
@@ -1199,8 +1193,7 @@ catz_process_version(dns_catz_zone_t *zone, dns_rdataset_t *value) {
 REQUIRE(DNS_CATZ_ZONE_VALID(zone));
 REQUIRE(DNS_RDATASET_VALID(value));
- if (value->rdclass != dns_rdataclass_in ||
- value->type != dns_rdatatype_txt) {
+ if (value->type != dns_rdatatype_txt) {
 return (ISC_R_FAILURE);
 }
@@ -1299,10 +1292,6 @@ catz_process_primaries(dns_catz_zone_t *zone, dns_ipkeylist_t *ipkl,
 * - label and IN A/IN AAAA
 * - label and IN TXT - TSIG key name
 */
- if (value->rdclass != dns_rdataclass_in) {
- return (ISC_R_FAILURE);
- }
-
 if (name->labels > 0) {
 isc_sockaddr_t sockaddr;
 size_t i;
@@ -1466,8 +1455,7 @@ catz_process_apl(dns_catz_zone_t *zone, isc_buffer_t **aclbp,
 REQUIRE(DNS_RDATASET_VALID(value));
 REQUIRE(dns_rdataset_isassociated(value));
- if (value->rdclass != dns_rdataclass_in ||
- value->type != dns_rdatatype_apl) {
+ if (value->type != dns_rdatatype_apl) {
 return (ISC_R_FAILURE);
 }