upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-26 00:30:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

[master] Minor improvements to code handling managed keys

Browse source 
4812.	[bug]		Minor improvements to stability and consistency of code
			handling managed keys. [RT #46468]
This commit is contained in:
Michał Kępień 2017-11-09 15:18:39 +01:00
parent b231ddc65d
commit 312c84c73a
5 changed files with 18 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -1,3 +1,6 @@
4812. [bug] Minor improvements to stability and consistency of code
handling managed keys. [RT #46468]
4811. [bug] Revert api changes to use <isc/buffer.h> inline
macros. Provide a alternative mechanism to turn
on the use of inline macros when building BIND.

4
bin/named/server.c
View file

@ -14455,10 +14455,10 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
else if (revoked)
snprintf(buf, sizeof(buf),
"\n\ttrust revoked");
else if (kd.addhd < now)
else if (kd.addhd <= now)
snprintf(buf, sizeof(buf),
"\n\ttrusted since: %s", tbuf);
else if (kd.addhd >= now)
else if (kd.addhd > now)
snprintf(buf, sizeof(buf),
"\n\ttrust pending: %s", tbuf);
CHECK(putstr(text, buf));

36
bin/tests/system/mkeys/tests.sh
View file

@ -131,11 +131,6 @@ echo "I: check new trust anchor can be added ($n)"
ret=0
standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
mkeys_loadkeys_on 1
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent the refresh from not being initiated due to all
# acceptance timers being equal to current timestamp.
sleep 1
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# there should be two keys listed now
@ -337,12 +332,6 @@ n=`expr $n + 1`
echo "I: check that standby key is now trusted ($n)"
ret=0
wait_for_log "Returned from key fetch in keyfetch_done()" ns2/named.run
# Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure status is checked at a different
# timestamp to prevent false negatives caused by the add hold-down time for the
# standby key being equal to current time ("trust pending") instead of in the
# past ("trusted since").
sleep 1
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
count=`grep -c "keyid: " rndc.out.$n`
@ -423,13 +412,9 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I: wait 21 seconds for key add/remove holddowns to expire ($n)"
echo "I: wait 20 seconds for key add/remove holddowns to expire ($n)"
ret=0
# Wait for "month" plus 1 second. If we only wait for "month" and the previous
# two tests fit into a single second, we will get a false negative caused by
# the add hold-down time for the second standby key being equal to current time
# ("trust pending") instead of in the past ("trusted since").
sleep 21
sleep 20
mkeys_refresh_on 2
mkeys_status_on 2 > rndc.out.$n 2>&1
# two keys listed
@ -526,18 +511,11 @@ $SETTIME -R none -D none -K ns1 $standby1 > /dev/null
$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>&-
cp -f ns1/root.db.signed ns1/root.db.tmp
BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
# We need to prevent two different races here:
#
# 1. Less than a second may have passed since ns1 was started. If we call
# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by
# the subsequent "rndc reload ." call on platforms which do not set the
# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
# equal to master file modification time.
#
# 2. Less than a second may have passed since the last time ns2 received a
# ./DNSKEY response from ns1. Ensure keys are refreshed at a different
# timestamp to prevent the refresh from not being initiated due to all
# acceptance timers being equal to current timestamp.
# Less than a second may have passed since ns1 was started. If we call
# dnssec-signzone immediately, ns1/root.db.signed will not be reloaded by the
# subsequent "rndc reload ." call on platforms which do not set the
# "nanoseconds" field of isc_time_t, due to zone load time being seemingly
# equal to master file modification time.
sleep 1
sed -e "/ $rkeyid \./s, \. .*$, . $BADSIG," signer.out.$n > ns1/root.db.signed
mkeys_reload_on 1

2
contrib/scripts/check5011.pl
View file

@ -43,7 +43,7 @@ sub printstatus ($) {
my $a = shift;
if ($a->{removehd} ne "19700101000000") {
printf " untrusted and to be removed at %s\n", ext8601 $a->{removehd};
} elsif ($a->{addhd} lt $now) {
} elsif ($a->{addhd} le $now) {
printf " trusted\n";
} else {
printf " waiting for %s\n", ext8601 $a->{addhd};

10
lib/dns/zone.c
View file

@ -9722,7 +9722,7 @@ zone_refreshkeys(dns_zone_t *zone) {
}
/* Acceptance timer expired? */
if (kd.addhd < now)
if (kd.addhd <= now)
timer = kd.addhd;
/* Or do we just need to refresh the keyset? */
@ -9824,12 +9824,10 @@ zone_refreshkeys(dns_zone_t *zone) {
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
timebuf);
if (!fetching)
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
}
UNLOCK_ZONE(zone);
if (!fetching)
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
dns_diff_clear(&diff);
if (ver != NULL) {
@ -9838,6 +9836,8 @@ zone_refreshkeys(dns_zone_t *zone) {
}
dns_db_detach(&db);
UNLOCK_ZONE(zone);
INSIST(ver == NULL);
}