mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-16 15:44:00 -04:00
Evan Hunt
parent
3da25108d0
commit
2d79f736cc
10 changed files with 239 additions and 75 deletions
2
CHANGES
2
CHANGES
|
|
@ -1,3 +1,5 @@
|
|||
3133. [bug] Change #3114 was incomplete. [RT #24577]
|
||||
|
||||
3132. [tuning] Expanded zone task table from 8 to 17 buckets,
|
||||
added ZONE_TASKS define in zone.c to make it easier
|
||||
to hand-tune this value. [RT #24406]
|
||||
|
|
|
|||
|
|
@ -14,12 +14,12 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: clean.sh,v 1.7.16.2 2011/03/26 23:47:13 tbox Exp $
|
||||
# $Id: clean.sh,v 1.7.16.3 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
|
||||
rm -f active.key inact.key del.key unpub.key standby.key rev.key
|
||||
rm -f nopriv.key vanishing.key del1.key del2.key
|
||||
rm -f delayksk.key delayzsk.key
|
||||
rm -f delayksk.key delayzsk.key missingzsk.key inactivezsk.key
|
||||
rm -f nsupdate.out
|
||||
rm -f */core
|
||||
rm -f */example.bk
|
||||
|
|
@ -43,6 +43,7 @@ rm -f ns3/secure.example.db
|
|||
rm -f ns3/secure.nsec3.example.db
|
||||
rm -f ns3/secure.optout.example.db
|
||||
rm -f ns3/secure-to-insecure.example.db
|
||||
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
|
||||
rm -f ns3/prepub.example.db
|
||||
rm -f ns3/prepub.example.db.in
|
||||
rm -f ns3/secure-to-insecure2.example.db
|
||||
|
|
|
|||
31
bin/tests/system/autosign/ns3/inaczsk.example.db.in
Normal file
31
bin/tests/system/autosign/ns3/inaczsk.example.db.in
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; Permission to use, copy, modify, and/or distribute this software for any
|
||||
; purpose with or without fee is hereby granted, provided that the above
|
||||
; copyright notice and this permission notice appear in all copies.
|
||||
;
|
||||
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: inaczsk.example.db.in,v 1.2.2.2 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
1 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
x CNAME a
|
||||
|
|
@ -14,7 +14,7 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: keygen.sh,v 1.8.18.2 2011/03/26 23:47:13 tbox Exp $
|
||||
# $Id: keygen.sh,v 1.8.18.3 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
SYSTEMTESTTOP=../..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
|
@ -215,3 +215,27 @@ ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone`
|
|||
echo $ksk > ../delayksk.key
|
||||
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
|
||||
echo $zsk > ../delayzsk.key
|
||||
|
||||
#
|
||||
# A zone with signatures that are already expired, and the private ZSK
|
||||
# is missing.
|
||||
#
|
||||
zone=nozsk.example
|
||||
zonefile="${zone}.db"
|
||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
|
||||
echo $zsk > ../missingzsk.key
|
||||
rm -f ${zsk}.private
|
||||
|
||||
#
|
||||
# A zone with signatures that are already expired, and the private ZSK
|
||||
# is inactive.
|
||||
#
|
||||
zone=inaczsk.example
|
||||
zonefile="${zone}.db"
|
||||
$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
|
||||
zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
|
||||
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
|
||||
echo $zsk > ../inactivezsk.key
|
||||
$SETTIME -I now $zsk > /dev/null
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: named.conf,v 1.7.18.2 2011/03/26 23:47:13 tbox Exp $ */
|
||||
/* $Id: named.conf,v 1.7.18.3 2011/07/08 01:45:58 each Exp $ */
|
||||
|
||||
// NS3
|
||||
|
||||
|
|
@ -191,4 +191,18 @@ zone "delay.example" {
|
|||
allow-update { any; };
|
||||
auto-dnssec maintain;
|
||||
};
|
||||
|
||||
zone "nozsk.example" {
|
||||
type master;
|
||||
file "nozsk.example.db";
|
||||
allow-update { any; };
|
||||
auto-dnssec maintain;
|
||||
};
|
||||
|
||||
zone "inaczsk.example" {
|
||||
type master;
|
||||
file "inaczsk.example.db";
|
||||
allow-update { any; };
|
||||
auto-dnssec maintain;
|
||||
};
|
||||
include "trusted.conf";
|
||||
|
|
|
|||
31
bin/tests/system/autosign/ns3/nozsk.example.db.in
Normal file
31
bin/tests/system/autosign/ns3/nozsk.example.db.in
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; Permission to use, copy, modify, and/or distribute this software for any
|
||||
; purpose with or without fee is hereby granted, provided that the above
|
||||
; copyright notice and this permission notice appear in all copies.
|
||||
;
|
||||
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
; PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
; $Id: nozsk.example.db.in,v 1.2.2.2 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
$TTL 300 ; 5 minutes
|
||||
@ IN SOA mname1. . (
|
||||
1 ; serial
|
||||
20 ; refresh (20 seconds)
|
||||
20 ; retry (20 seconds)
|
||||
1814400 ; expire (3 weeks)
|
||||
3600 ; minimum (1 hour)
|
||||
)
|
||||
NS ns
|
||||
ns A 10.53.0.3
|
||||
|
||||
a A 10.0.0.1
|
||||
b A 10.0.0.2
|
||||
d A 10.0.0.4
|
||||
x CNAME a
|
||||
|
|
@ -14,7 +14,7 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.12.18.13 2011/05/30 22:31:28 marka Exp $
|
||||
# $Id: tests.sh,v 1.12.18.14 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
|
@ -156,6 +156,42 @@ END
|
|||
echo "I:waiting for change to take effect"
|
||||
sleep 3
|
||||
|
||||
echo "I:checking that expired RRSIGs from missing key are not deleted ($n)"
|
||||
ret=0
|
||||
missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
|
||||
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
|
||||
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that expired RRSIGs from inactive key are not deleted ($n)"
|
||||
ret=0
|
||||
inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
|
||||
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
|
||||
awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:checking that non-replaceable RRSIGs are logged only once ($n)"
|
||||
ret=0
|
||||
loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
|
||||
[ "$loglines" -eq 1 ] || ret=1
|
||||
loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
|
||||
[ "$loglines" -eq 1 ] || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# This test is above the rndc freeze/thaw calls because the apex node
|
||||
# will be resigned on thaw, increasing the serial number again.
|
||||
echo "I:checking serial is not incremented when signatures are unchanged ($n)"
|
||||
ret=0
|
||||
newserial=`$DIG $DIGOPTS +short soa nozsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
||||
[ "$newserial" -eq 2 ] || ret=1
|
||||
newserial=`$DIG $DIGOPTS +short soa inaczsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
|
||||
[ "$newserial" -eq 2 ] || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
# Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically
|
||||
# signed zones to be dumped to their zone files
|
||||
echo "I:dumping zone files"
|
||||
|
|
@ -598,7 +634,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking that revoked key is present ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < rev.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
|
||||
id=`expr $id + 128 % 65536`
|
||||
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
|
||||
|
|
@ -608,7 +644,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking that revoked key self-signs ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < rev.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
|
||||
id=`expr $id + 128 % 65536`
|
||||
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
||||
|
|
@ -618,7 +654,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking for unpublished key ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < unpub.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
|
||||
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
|
|
@ -627,7 +663,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking that standby key does not sign records ($n)"
|
||||
ret=0
|
||||
ed=`sed 's/^K.+007+0*//' < standby.key`
|
||||
ed=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
|
||||
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
|
|
@ -636,7 +672,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking that deactivated key does not sign records ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < inact.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
|
||||
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
|
|
@ -645,7 +681,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking insertion of public-only key ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < nopriv.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
|
||||
file="ns1/`cat nopriv.key`.key"
|
||||
keydata=`grep DNSKEY $file`
|
||||
$NSUPDATE > /dev/null 2>&1 <<END || status=1
|
||||
|
|
@ -664,7 +700,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking key deletion ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < del.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
|
||||
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
|
|
@ -680,7 +716,7 @@ send
|
|||
END
|
||||
sleep 2
|
||||
$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
||||
egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
|
||||
egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1
|
||||
egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
|
|
@ -694,7 +730,7 @@ $SETTIME -I now -D now $file > /dev/null
|
|||
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
|
||||
sleep 2
|
||||
$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
|
||||
egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
|
||||
egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1
|
||||
egrep '(DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
|
|
@ -734,9 +770,9 @@ rm -f $file
|
|||
echo "I:preparing ZSK roll"
|
||||
starttime=`$PERL -e 'print time(), "\n";'`
|
||||
oldfile=`cat active.key`
|
||||
oldid=`sed 's/^K.+007+0*//' < active.key`
|
||||
oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
|
||||
newfile=`cat standby.key`
|
||||
newid=`sed 's/^K.+007+0*//' < standby.key`
|
||||
newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
|
||||
$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
|
||||
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
|
||||
|
||||
|
|
@ -899,7 +935,7 @@ status=`expr $status + $ret`
|
|||
|
||||
echo "I:checking private key file removal caused no immediate harm ($n)"
|
||||
ret=0
|
||||
id=`sed 's/^K.+007+0*//' < vanishing.key`
|
||||
id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
|
||||
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.5.250.2 2011/03/21 23:46:58 tbox Exp $
|
||||
# $Id: tests.sh,v 1.5.250.3 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
|
@ -28,14 +28,14 @@ n=0
|
|||
echo "I:setting key timers"
|
||||
$SETTIME -A now+15s `cat rolling.key` > /dev/null
|
||||
|
||||
inact=`sed 's/^K'${czone}'.+005+0*//' < inact.key`
|
||||
ksk=`sed 's/^K'${czone}'.+005+0*//' < ksk.key`
|
||||
pending=`sed 's/^K'${czone}'.+005+0*//' < pending.key`
|
||||
postrev=`sed 's/^K'${czone}'.+005+0*//' < postrev.key`
|
||||
prerev=`sed 's/^K'${czone}'.+005+0*//' < prerev.key`
|
||||
rolling=`sed 's/^K'${czone}'.+005+0*//' < rolling.key`
|
||||
standby=`sed 's/^K'${czone}'.+005+0*//' < standby.key`
|
||||
zsk=`sed 's/^K'${czone}'.+005+0*//' < zsk.key`
|
||||
inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
|
||||
ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
|
||||
pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
|
||||
postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
|
||||
prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
|
||||
rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
|
||||
standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
|
||||
zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
|
||||
|
||||
../../../tools/genrandom 400 $RANDFILE
|
||||
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: tests.sh,v 1.6.70.2 2011/05/06 23:47:04 tbox Exp $
|
||||
# $Id: tests.sh,v 1.6.70.3 2011/07/08 01:45:58 each Exp $
|
||||
|
||||
SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
|
@ -72,19 +72,19 @@ pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
|
|||
echo I:signing parent zone
|
||||
pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
|
||||
|
||||
czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
|
||||
czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
|
||||
czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
|
||||
czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
|
||||
czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*//'`
|
||||
czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*//'`
|
||||
ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
|
||||
ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
|
||||
ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
|
||||
czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
czpublished=`echo $czsk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
czinactive=`echo $czsk4 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
ckactive=`echo $cksk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)$/\1/'`
|
||||
|
||||
pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
|
||||
pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
|
||||
pzid=`echo $pzsk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
pkid=`echo $pksk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
|
||||
|
||||
echo "I:checking dnssec-signzone output matches expectations"
|
||||
ret=0
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: zone.c,v 1.582.8.21 2011/07/06 19:02:40 each Exp $ */
|
||||
/* $Id: zone.c,v 1.582.8.22 2011/07/08 01:45:58 each Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
|
|
@ -4572,21 +4572,30 @@ static isc_boolean_t
|
|||
delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
|
||||
unsigned int i = 0;
|
||||
|
||||
/*
|
||||
* It's okay to delete a signature if there is an active ZSK
|
||||
* with the same algorithm
|
||||
*/
|
||||
for (i = 0; i < nkeys; i++) {
|
||||
if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
|
||||
(rrsig_ptr->keyid != dst_key_id(keys[i]))) {
|
||||
if ((dst_key_isprivate(keys[i])) && !KSK(keys[i])) {
|
||||
/*
|
||||
* Success - found a private key, which
|
||||
* means it is an active key and thus, it
|
||||
* is OK to delete the RRSIG
|
||||
*/
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
}
|
||||
if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) &&
|
||||
(dst_key_isprivate(keys[i])) && !KSK(keys[i]))
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
|
||||
return (ISC_FALSE);
|
||||
/*
|
||||
* Failing that, it is *not* okay to delete a signature
|
||||
* if the associated public key is still in the DNSKEY RRset
|
||||
*/
|
||||
for (i = 0; i < nkeys; i++) {
|
||||
if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
|
||||
(rrsig_ptr->keyid == dst_key_id(keys[i])))
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
/*
|
||||
* But if the key is gone, then go ahead.
|
||||
*/
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -4604,7 +4613,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
|||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
unsigned int i;
|
||||
dns_rdata_rrsig_t rrsig;
|
||||
isc_boolean_t found;
|
||||
isc_boolean_t found, changed;
|
||||
isc_stdtime_t warn = 0, maybe = 0;
|
||||
|
||||
dns_rdataset_init(&rdataset);
|
||||
|
|
@ -4630,6 +4639,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
|||
goto failure;
|
||||
}
|
||||
|
||||
changed = ISC_FALSE;
|
||||
for (result = dns_rdataset_first(&rdataset);
|
||||
result == ISC_R_SUCCESS;
|
||||
result = dns_rdataset_next(&rdataset)) {
|
||||
|
|
@ -4638,54 +4648,57 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
|||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
|
||||
if (type != dns_rdatatype_dnskey) {
|
||||
if(delsig_ok(&rrsig, keys, nkeys)) {
|
||||
if (delsig_ok(&rrsig, keys, nkeys)) {
|
||||
result = update_one_rr(db, ver, diff,
|
||||
DNS_DIFFOP_DELRESIGN, name,
|
||||
rdataset.ttl, &rdata);
|
||||
if (incremental)
|
||||
dns_db_resigned(db, &rdataset, ver);
|
||||
changed = ISC_TRUE;
|
||||
dns_rdata_reset(&rdata);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
break;
|
||||
continue;
|
||||
} else {
|
||||
/*
|
||||
* At this point, we've got an RRSIG,
|
||||
* which is signed by an inactive key.
|
||||
* An administrator needs to provide a new
|
||||
* key/alg, but until that time, we want to
|
||||
* keep the old RRSIG. Resetting the timer
|
||||
* here will ensure that we don't
|
||||
* constantly recheck this expired record.
|
||||
*
|
||||
* Note: dns_db_setsigningtime() will
|
||||
* assert if called after dns_db_resigned().
|
||||
* keep the old RRSIG. Marking the key as
|
||||
* offline will prevent us spinning waiting
|
||||
* for the private part.
|
||||
*/
|
||||
if (incremental) {
|
||||
isc_stdtime_t recheck = now +
|
||||
RESIGN_DELAY;
|
||||
dns_db_setsigningtime(db, &rdataset,
|
||||
recheck);
|
||||
result = offline(db, ver, diff, name,
|
||||
rdataset.ttl, &rdata);
|
||||
changed = ISC_TRUE;
|
||||
if (result != ISC_R_SUCCESS)
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* log the key id and algorithm of
|
||||
* Log the key id and algorithm of
|
||||
* the inactive key with no replacement
|
||||
*/
|
||||
if((isc_log_getdebuglevel(dns_lctx) > 3) ||
|
||||
(zone->log_key_expired_timer <= now)) {
|
||||
if (zone->log_key_expired_timer <= now) {
|
||||
char origin[DNS_NAME_FORMATSIZE];
|
||||
char algbuf[DNS_NAME_FORMATSIZE];
|
||||
dns_name_format(&zone->origin, origin,
|
||||
sizeof(origin));
|
||||
dns_secalg_format(rrsig.algorithm,
|
||||
algbuf,
|
||||
sizeof(algbuf));
|
||||
dns_zone_log(zone, ISC_LOG_WARNING,
|
||||
"del_sigs(): "
|
||||
"keyid: %u/algorithm: %u "
|
||||
"is not active and there "
|
||||
"is no replacement. "
|
||||
"Not deleting.",
|
||||
rrsig.keyid,
|
||||
rrsig.algorithm);
|
||||
"Key %s/%s/%d "
|
||||
"missing or inactive "
|
||||
"and has no replacement: "
|
||||
"retaining signatures.",
|
||||
origin, algbuf,
|
||||
rrsig.keyid);
|
||||
zone->log_key_expired_timer = now +
|
||||
3600;
|
||||
}
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -4728,6 +4741,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* If there is not a matching DNSKEY then
|
||||
* delete the RRSIG.
|
||||
|
|
@ -4740,6 +4754,10 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
|||
if (result != ISC_R_SUCCESS)
|
||||
break;
|
||||
}
|
||||
|
||||
if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0)
|
||||
dns_db_resigned(db, &rdataset, ver);
|
||||
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
if (result == ISC_R_NOMORE)
|
||||
result = ISC_R_SUCCESS;
|
||||
|
|
@ -4981,6 +4999,13 @@ zone_resigninc(dns_zone_t *zone) {
|
|||
goto failure;
|
||||
}
|
||||
|
||||
/*
|
||||
* Did we change anything in the zone?
|
||||
*/
|
||||
if (ISC_LIST_EMPTY(sig_diff.tuples))
|
||||
goto failure;
|
||||
|
||||
/* Increment SOA serial if we have made changes */
|
||||
result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
|
|
|
|||
Loading…
Reference in a new issue