From 2d79f736cc16eeb5918c4b6bd7ee8b3bc99967ed Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 8 Jul 2011 01:45:58 +0000 Subject: [PATCH] 3133. [bug] Change #3114 was incomplete. [RT #24577] --- CHANGES | 2 + bin/tests/system/autosign/clean.sh | 5 +- .../system/autosign/ns3/inaczsk.example.db.in | 31 ++++++ bin/tests/system/autosign/ns3/keygen.sh | 26 ++++- bin/tests/system/autosign/ns3/named.conf | 16 ++- .../system/autosign/ns3/nozsk.example.db.in | 31 ++++++ bin/tests/system/autosign/tests.sh | 62 +++++++++--- bin/tests/system/metadata/tests.sh | 18 ++-- bin/tests/system/smartsign/tests.sh | 24 ++--- lib/dns/zone.c | 99 ++++++++++++------- 10 files changed, 239 insertions(+), 75 deletions(-) create mode 100644 bin/tests/system/autosign/ns3/inaczsk.example.db.in create mode 100644 bin/tests/system/autosign/ns3/nozsk.example.db.in diff --git a/CHANGES b/CHANGES index ef524a5441..0fd787eca5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3133. [bug] Change #3114 was incomplete. [RT #24577] + 3132. [tuning] Expanded zone task table from 8 to 17 buckets, added ZONE_TASKS define in zone.c to make it easier to hand-tune this value. [RT #24406] diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index fa3c2508bf..5c7fbd5cd6 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -14,12 +14,12 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.7.16.2 2011/03/26 23:47:13 tbox Exp $ +# $Id: clean.sh,v 1.7.16.3 2011/07/08 01:45:58 each Exp $ rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk rm -f active.key inact.key del.key unpub.key standby.key rev.key rm -f nopriv.key vanishing.key del1.key del2.key -rm -f delayksk.key delayzsk.key +rm -f delayksk.key delayzsk.key missingzsk.key inactivezsk.key rm -f nsupdate.out rm -f */core rm -f */example.bk 
@@ -43,6 +43,7 @@ rm -f ns3/secure.example.db rm -f ns3/secure.nsec3.example.db rm -f ns3/secure.optout.example.db rm -f ns3/secure-to-insecure.example.db +rm -f ns3/nozsk.example.db ns3/inaczsk.example.db rm -f ns3/prepub.example.db rm -f ns3/prepub.example.db.in rm -f ns3/secure-to-insecure2.example.db diff --git a/bin/tests/system/autosign/ns3/inaczsk.example.db.in b/bin/tests/system/autosign/ns3/inaczsk.example.db.in new file mode 100644 index 0000000000..e305aaed03 --- /dev/null +++ b/bin/tests/system/autosign/ns3/inaczsk.example.db.in @@ -0,0 +1,31 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: inaczsk.example.db.in,v 1.2.2.2 2011/07/08 01:45:58 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index d1e950f810..f24f18a234 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh 
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: keygen.sh,v 1.8.18.2 2011/03/26 23:47:13 tbox Exp $
+# $Id: keygen.sh,v 1.8.18.3 2011/07/08 01:45:58 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -215,3 +215,27 @@ ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone`
 echo $ksk > ../delayksk.key
 zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
 echo $zsk > ../delayzsk.key
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is missing.
+#
+zone=nozsk.example
+zonefile="${zone}.db"
+$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
+echo $zsk > ../missingzsk.key
+rm -f ${zsk}.private
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is inactive.
+#
+zone=inaczsk.example
+zonefile="${zone}.db"
+$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
+echo $zsk > ../inactivezsk.key
+$SETTIME -I now $zsk > /dev/null
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
index 25b06cb540..3a4949d997 100644
--- a/bin/tests/system/autosign/ns3/named.conf
+++ b/bin/tests/system/autosign/ns3/named.conf
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: named.conf,v 1.7.18.2 2011/03/26 23:47:13 tbox Exp $ */
+/* $Id: named.conf,v 1.7.18.3 2011/07/08 01:45:58 each Exp $ */
 
 // NS3
 
@@ -191,4 +191,18 @@ zone "delay.example" {
 allow-update { any; };
 auto-dnssec maintain;
 };
+
+zone "nozsk.example" {
+ type master;
+ file "nozsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "inaczsk.example" {
+ type master;
+ file "inaczsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
 include "trusted.conf";
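Review bot: Both new `$SIGNER` invocations discard stdout and stderr and ignore the exit status, so if signing fails there is no `${zonefile}`, named cannot load the zone, and the failure only shows up later as a cascade of unrelated failures in tests.sh with nothing pointing at the cause. Appending `|| echo "I:signing $zone failed"` to each signer line (or at least keeping stderr) would localise it. The rest of the fixture ordering is sound: the key tag is written to `../missingzsk.key` before `${zsk}.private` is removed, and `$SETTIME -I now` is applied after signing, so the already-expired signatures exist for the inactive-key case.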
diff --git a/bin/tests/system/autosign/ns3/nozsk.example.db.in b/bin/tests/system/autosign/ns3/nozsk.example.db.in new file mode 100644 index 0000000000..2693128534 --- /dev/null +++ b/bin/tests/system/autosign/ns3/nozsk.example.db.in @@ -0,0 +1,31 @@ +; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: nozsk.example.db.in,v 1.2.2.2 2011/07/08 01:45:58 each Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x CNAME a diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 08c2f60fe1..afac3218a6 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.12.18.13 2011/05/30 22:31:28 marka Exp $ +# $Id: tests.sh,v 1.12.18.14 2011/07/08 01:45:58 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
@@ -156,6 +156,42 @@ END echo "I:waiting for change to take effect" sleep 3 +echo "I:checking that expired RRSIGs from missing key are not deleted ($n)" +ret=0 +missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key` +$JOURNALPRINT ns3/nozsk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that expired RRSIGs from inactive key are not deleted ($n)" +ret=0 +inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key` +$JOURNALPRINT ns3/inaczsk.example.db.jnl | \ + awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that non-replaceable RRSIGs are logged only once ($n)" +ret=0 +loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` +[ "$loglines" -eq 1 ] || ret=1 +loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l` +[ "$loglines" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +# This test is above the rndc freeze/thaw calls because the apex node +# will be resigned on thaw, increasing the serial number again. +echo "I:checking serial is not incremented when signatures are unchanged ($n)" +ret=0 +newserial=`$DIG $DIGOPTS +short soa nozsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` +[ "$newserial" -eq 2 ] || ret=1 +newserial=`$DIG $DIGOPTS +short soa inaczsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'` +[ "$newserial" -eq 2 ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + # Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically # signed zones to be dumped to their zone files echo "I:dumping zone files" 
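Review bot: Both `$JOURNALPRINT | awk` checks can never fail: `exit 1` in the main rule still runs the END rule, and `END {exit 0}` replaces the exit status with 0, so the `|| ret=1` is dead and a deleted RRSIG would go unnoticed. Dropping the END rule, `awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}}' id=$missing || ret=1` (and likewise for `$inactive`), lets the status come from the match. The second log-line check greps for `$missing` under `inaczsk.example`; it should read `grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`. None of the four new checks does `n=`expr $n + 1``, so they all report the same test number and the `($n)` labels are ambiguous.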
@@ -598,7 +634,7 @@ status=`expr $status + $ret` echo "I:checking that revoked key is present ($n)" ret=0 -id=`sed 's/^K.+007+0*//' < rev.key` +id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key` id=`expr $id + 128 % 65536` $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1 @@ -608,7 +644,7 @@ status=`expr $status + $ret` echo "I:checking that revoked key self-signs ($n)" ret=0 -id=`sed 's/^K.+007+0*//' < rev.key` +id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key` id=`expr $id + 128 % 65536` $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 @@ -618,7 +654,7 @@ status=`expr $status + $ret` echo "I:checking for unpublished key ($n)" ret=0 -id=`sed 's/^K.+007+0*//' < unpub.key` +id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key` $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 n=`expr $n + 1` @@ -627,7 +663,7 @@ status=`expr $status + $ret` echo "I:checking that standby key does not sign records ($n)" ret=0 -ed=`sed 's/^K.+007+0*//' < standby.key` +ed=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key` $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 n=`expr $n + 1` @@ -636,7 +672,7 @@ status=`expr $status + $ret` echo "I:checking that deactivated key does not sign records ($n)" ret=0 -id=`sed 's/^K.+007+0*//' < inact.key` +id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key` $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1 n=`expr $n + 1` 
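Review bot: The retained line `id=`expr $id + 128 % 65536`` (here and in the self-sign check below) does not wrap as the test intends: in expr `%` binds tighter than `+`, so it computes `$id + (128 % 65536)`, i.e. plain `$id + 128`, and a tag above 65407 produces a value that can never appear in the `; key id =` output. `id=`expr \( $id + 128 \) % 65536`` gives the intended modulus. Whether tag-plus-128 is exactly the revoked tag in every carry case is not shown here; this only fixes the arithmetic as written.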
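Review bot: The touched line in the standby check assigns the tag to `ed`, but the grep two lines later tests `$id`, which still holds the unpublished key's tag from the previous test, so this check never looks at the standby key and passes vacuously. The new line should be `id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key``, matching every other check in this file. The regex fix itself is right: `0*` followed by a captured digit keeps a lone `0` where the old form produced an empty id.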
@@ -645,7 +681,7 @@ status=`expr $status + $ret` echo "I:checking insertion of public-only key ($n)" ret=0 -id=`sed 's/^K.+007+0*//' < nopriv.key` +id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key` file="ns1/`cat nopriv.key`.key" keydata=`grep DNSKEY $file` $NSUPDATE > /dev/null 2>&1 < dig.out.ns1.test$n || ret=1 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1 n=`expr $n + 1` @@ -680,7 +716,7 @@ send END sleep 2 $DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1 +egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1 egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi @@ -694,7 +730,7 @@ $SETTIME -I now -D now $file > /dev/null $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /' sleep 2 $DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 -egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1 +egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1 egrep '(DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi @@ -734,9 +770,9 @@ rm -f $file echo "I:preparing ZSK roll" starttime=`$PERL -e 'print time(), "\n";'` oldfile=`cat active.key` -oldid=`sed 's/^K.+007+0*//' < active.key` +oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key` newfile=`cat standby.key` -newid=`sed 's/^K.+007+0*//' < standby.key` +newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key` $SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null $SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null 
@@ -899,7 +935,7 @@ status=`expr $status + $ret` echo "I:checking private key file removal caused no immediate harm ($n)" ret=0 -id=`sed 's/^K.+007+0*//' < vanishing.key` +id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key` $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 n=`expr $n + 1` diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh index 4b697a486a..7e101dca73 100644 --- a/bin/tests/system/metadata/tests.sh +++ b/bin/tests/system/metadata/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.5.250.2 2011/03/21 23:46:58 tbox Exp $ +# $Id: tests.sh,v 1.5.250.3 2011/07/08 01:45:58 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -28,14 +28,14 @@ n=0 echo "I:setting key timers" $SETTIME -A now+15s `cat rolling.key` > /dev/null -inact=`sed 's/^K'${czone}'.+005+0*//' < inact.key` -ksk=`sed 's/^K'${czone}'.+005+0*//' < ksk.key` -pending=`sed 's/^K'${czone}'.+005+0*//' < pending.key` -postrev=`sed 's/^K'${czone}'.+005+0*//' < postrev.key` -prerev=`sed 's/^K'${czone}'.+005+0*//' < prerev.key` -rolling=`sed 's/^K'${czone}'.+005+0*//' < rolling.key` -standby=`sed 's/^K'${czone}'.+005+0*//' < standby.key` -zsk=`sed 's/^K'${czone}'.+005+0*//' < zsk.key` +inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key` +ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key` +pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key` +postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key` +prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key` +rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key` +standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key` +zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key` ../../../tools/genrandom 400 $RANDFILE 
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index fd97a5f0dd..0c0c4e0fec 100644 --- a/bin/tests/system/smartsign/tests.sh +++ b/bin/tests/system/smartsign/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.6.70.2 2011/05/06 23:47:04 tbox Exp $ +# $Id: tests.sh,v 1.6.70.3 2011/07/08 01:45:58 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -72,19 +72,19 @@ pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone` echo I:signing parent zone pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1` -czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'` -czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'` -czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'` -czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'` -czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*//'` -czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*//'` -ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'` -ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'` -ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'` +czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +czpublished=`echo $czsk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +czinactive=`echo $czsk4 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +ckactive=`echo $cksk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'` ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)$/\1/'` -pzid=`echo $pzsk | sed 's/^K.*+005+0*//'` -pkid=`echo $pksk | sed 's/^K.*+005+0*//'` +pzid=`echo $pzsk | sed 's/^K.*+005+0*\([0-9]\)/\1/'` +pkid=`echo $pksk | sed 's/^K.*+005+0*\([0-9]\)/\1/'` echo "I:checking dnssec-signzone output matches expectations" ret=0 
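Review bot: The same key-tag sed expression is now spelled out eleven times in this hunk, with `ckrevoked` keeping a third variant, so the next correction to it has to be repeated on every line again. A small helper, `keytag() { echo "$1" | sed 's/^K.*+005+0*\([0-9]\)/\1/'; }` used as `czactive=`keytag $czsk1``, would put the regex in one place and make the two forms visibly intentional. Functionally the change is fine; this is a point of style only.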
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c889b4ba81..b04a515f7e 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: zone.c,v 1.582.8.21 2011/07/06 19:02:40 each Exp $ */
+/* $Id: zone.c,v 1.582.8.22 2011/07/08 01:45:58 each Exp $ */
 
 /*! \file */
 
@@ -4572,21 +4572,30 @@ static isc_boolean_t
 delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
 unsigned int i = 0;
 
+ /*
+ * It's okay to delete a signature if there is an active ZSK
+ * with the same algorithm
+ */
 for (i = 0; i < nkeys; i++) {
- if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
- (rrsig_ptr->keyid != dst_key_id(keys[i]))) {
- if ((dst_key_isprivate(keys[i])) && !KSK(keys[i])) {
- /*
- * Success - found a private key, which
- * means it is an active key and thus, it
- * is OK to delete the RRSIG
- */
- return (ISC_TRUE);
- }
- }
+ if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) &&
+ (dst_key_isprivate(keys[i])) && !KSK(keys[i]))
+ return (ISC_TRUE);
 }
 
- return (ISC_FALSE);
+ /*
+ * Failing that, it is *not* okay to delete a signature
+ * if the associated public key is still in the DNSKEY RRset
+ */
+ for (i = 0; i < nkeys; i++) {
+ if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
+ (rrsig_ptr->keyid == dst_key_id(keys[i])))
+ return (ISC_FALSE);
+ }
+
+ /*
+ * But if the key is gone, then go ahead.
+ */
+ return (ISC_TRUE);
 }
 
 /*
@@ -4604,7 +4613,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 dns_rdata_t rdata = DNS_RDATA_INIT;
 unsigned int i;
 dns_rdata_rrsig_t rrsig;
- isc_boolean_t found;
+ isc_boolean_t found, changed;
 isc_stdtime_t warn = 0, maybe = 0;
 
 dns_rdataset_init(&rdataset);
@@ -4630,6 +4639,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 goto failure;
 }
 
+ changed = ISC_FALSE;
 for (result = dns_rdataset_first(&rdataset);
 result == ISC_R_SUCCESS;
 result = dns_rdataset_next(&rdataset)) {
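Review bot: The second comment in `delsig_ok()` promises that a signature is kept while "the associated public key is still in the DNSKEY RRset", but the loop only consults `keys[]`, the list the caller passed in; if that list is built from key files rather than from the RRset (the caller is not visible here), a DNSKEY whose files were removed is absent from `keys[]`, falls through to the final `return (ISC_TRUE)`, and has its signatures deleted while the key is still published. Either reword the comment to what is actually checked, e.g. `* if the signing key is still present in the supplied key list`, or have the caller guarantee that `keys[]` mirrors the apex DNSKEY RRset. The first loop also equates "active ZSK" with `dst_key_isprivate(keys[i]) && !KSK(keys[i])`, which only holds if inactive keys are loaded without their private half; a one-line comment stating that dependency would keep the next change from breaking it silently.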
@@ -4638,54 +4648,57 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, RUNTIME_CHECK(result == ISC_R_SUCCESS); if (type != dns_rdatatype_dnskey) { - if(delsig_ok(&rrsig, keys, nkeys)) { + if (delsig_ok(&rrsig, keys, nkeys)) { result = update_one_rr(db, ver, diff, DNS_DIFFOP_DELRESIGN, name, rdataset.ttl, &rdata); if (incremental) - dns_db_resigned(db, &rdataset, ver); + changed = ISC_TRUE; dns_rdata_reset(&rdata); if (result != ISC_R_SUCCESS) break; - continue; } else { /* * At this point, we've got an RRSIG, * which is signed by an inactive key. * An administrator needs to provide a new * key/alg, but until that time, we want to - * keep the old RRSIG. Resetting the timer - * here will ensure that we don't - * constantly recheck this expired record. - * - * Note: dns_db_setsigningtime() will - * assert if called after dns_db_resigned(). + * keep the old RRSIG. Marking the key as + * offline will prevent us spinning waiting + * for the private part. */ if (incremental) { - isc_stdtime_t recheck = now + - RESIGN_DELAY; - dns_db_setsigningtime(db, &rdataset, - recheck); + result = offline(db, ver, diff, name, + rdataset.ttl, &rdata); + changed = ISC_TRUE; + if (result != ISC_R_SUCCESS) + break; } /* - * log the key id and algorithm of + * Log the key id and algorithm of * the inactive key with no replacement */ - if((isc_log_getdebuglevel(dns_lctx) > 3) || - (zone->log_key_expired_timer <= now)) { + if (zone->log_key_expired_timer <= now) { + char origin[DNS_NAME_FORMATSIZE]; + char algbuf[DNS_NAME_FORMATSIZE]; + dns_name_format(&zone->origin, origin, + sizeof(origin)); + dns_secalg_format(rrsig.algorithm, + algbuf, + sizeof(algbuf)); dns_zone_log(zone, ISC_LOG_WARNING, - "del_sigs(): " - "keyid: %u/algorithm: %u " - "is not active and there " - "is no replacement. 
" - "Not deleting.", - rrsig.keyid, - rrsig.algorithm); + "Key %s/%s/%d " + "missing or inactive " + "and has no replacement: " + "retaining signatures.", + origin, algbuf, + rrsig.keyid); zone->log_key_expired_timer = now + 3600; } } + continue; } /* @@ -4728,6 +4741,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, break; } } + /* * If there is not a matching DNSKEY then * delete the RRSIG. @@ -4740,6 +4754,10 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, if (result != ISC_R_SUCCESS) break; } + + if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0) + dns_db_resigned(db, &rdataset, ver); + dns_rdataset_disassociate(&rdataset); if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; @@ -4981,6 +4999,13 @@ zone_resigninc(dns_zone_t *zone) { goto failure; } + /* + * Did we change anything in the zone? + */ + if (ISC_LIST_EMPTY(sig_diff.tuples)) + goto failure; + + /* Increment SOA serial if we have made changes */ result = increment_soa_serial(db, version, &sig_diff, zone->mctx); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR,
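Review bot: In both branches of the `type != dns_rdatatype_dnskey` block, `changed = ISC_TRUE` is set before the `result != ISC_R_SUCCESS` check, so when `update_one_rr()` or `offline()` fails the loop breaks with `changed` set and the later `if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0) dns_db_resigned(...)` still runs for an rdataset whose diff was never applied. Reordering to `dns_rdata_reset(&rdata);` / `if (result != ISC_R_SUCCESS) break;` / `if (incremental) changed = ISC_TRUE;` (and the equivalent in the offline branch) ties the resign bookkeeping to a successful change; whether the `failure:` path would otherwise undo it is outside the hunk. The retained comment `which is signed by an inactive key` is now stale, since the branch and the new log text also cover a missing private key and a key absent from the key list; `which is signed by a key that is missing, inactive, or otherwise unusable` would match. del_sigs() begins and ends outside this hunk.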
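Review bot: The new early exit in `zone_resigninc()` reaches `failure:` with `result` presumably still `ISC_R_SUCCESS` (the preceding visible lines are the close of an error check), and the label's code is outside the hunk, so this is only correct if that path treats a success result as a clean close rather than logging an error or scheduling a retry. A comment at the jump would make the intent auditable: `/* Nothing to apply: result is still ISC_R_SUCCESS, so failure: is the normal exit here. */`; if the label logs unconditionally, a dedicated `done:` label is the cleaner fix. zone_resigninc()'s body continues outside the hunk.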