commit 0f835f7eff5bbd45461b9b43276267ff3c953ece
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Fri Nov 13 10:23:42 2020 +0100
Fix inline resigning
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 564c084..5cd0b05 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -69,6 +69,8 @@ LWTEST=$TOP/bin/tests/system/lwresd/lwtest
MAKEJOURNAL=$TOP/bin/tests/makejournal
PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries
SAMPLEUPDATE=$TOP/lib/samples/sample-update
+DEFAULT_ALGORITHM=ECDSAP256SHA256
+DEFAULT_BITS=256
# we don't want a KRB5_CONFIG setting breaking the tests
KRB5_CONFIG=/dev/null
@@ -364,3 +366,5 @@ export SAMPLEUPDATE
export SIGNER
export SUBDIRS
export TESTSOCK6
+export DEFAULT_ALGORITHM
+export DEFAULT_BITS
diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in
new file mode 100644
index 0000000..eb39aa7
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example.com.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns8 . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns8
+ns8 A 10.53.0.8
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
new file mode 100644
index 0000000..ea4876b
--- /dev/null
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ try-tcp-refresh no;
+ notify-delay 0;
+ allow-new-zones yes;
+};
+
+zone "example01.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example01.com.db";
+};
+
+zone "example02.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example02.com.db";
+};
+
+zone "example03.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example03.com.db";
+};
+
+zone "example04.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example04.com.db";
+};
+
+zone "example05.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example05.com.db";
+};
+
+zone "example06.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example06.com.db";
+};
+
+zone "example07.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example07.com.db";
+};
+
+zone "example08.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example08.com.db";
+};
+
+zone "example09.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example09.com.db";
+};
+
+zone "example10.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example10.com.db";
+};
+
+zone "example11.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example11.com.db";
+};
+
+zone "example12.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example12.com.db";
+};
+
+zone "example13.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example13.com.db";
+};
+
+zone "example14.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example14.com.db";
+};
+
+zone "example15.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example15.com.db";
+};
+
+zone "example16.com" {
+ type master;
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "example16.com.db";
+};
diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
new file mode 100644
index 0000000..5d36cb9
--- /dev/null
+++ b/bin/tests/system/inline/ns8/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for zone in example01.com example02.com example03.com example04.com \
+ example05.com example06.com example07.com example08.com \
+ example09.com example10.com example11.com example12.com \
+ example13.com example14.com example15.com example16.com
+do
+ rm -f K${zone}.+*+*.key
+ rm -f K${zone}.+*+*.private
+ keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+ keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
+ cp example.com.db.in ${zone}.db
+ $SIGNER -S -T 3600 -O raw -o ${zone} ${zone}.db > /dev/null 2>&1
+done
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 4dd4dd0..13dd6c7 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -49,7 +49,9 @@ copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.pre ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
(cd ns3; $SHELL -e sign.sh)
(cd ns1; $SHELL -e sign.sh)
(cd ns7; $SHELL -e sign.sh)
+(cd ns8; $SHELL -e sign.sh)
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index b517138..22fc1af 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -1342,5 +1342,24 @@ grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "checking reload of touched inline zones ($n)"
+echo_ic "pre-reload 'next key event'"
+nextpart ns8/named.run > nextpart.pre$n.out
+count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l`
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+echo_ic "touch and reload"
+touch ns8/example??.com.db
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+echo_ic "post-reload 'next key event'"
+nextpart ns8/named.run > nextpart.post$n.out
+count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l`
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 96c98d5..42a1811 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3611,6 +3611,8 @@ set_resigntime(dns_zone_t *zone) {
isc_uint32_t nanosecs;
dns_db_t *db = NULL;
+ INSIST(LOCKED_ZONE(zone));
+
/* We only re-sign zones that can be dynamically updated */
if (zone->update_disabled)
return;
@@ -4958,6 +4960,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
{
DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+ /*
+ * Re-start zone maintenance if it had been stalled
+ * due to DNS_ZONEFLG_LOADPENDING being set when
+ * zone_maintenance was called.
+ */
+ if (zone->secure->task != NULL) {
+ zone_settimer(zone->secure, &now);
+ }
}
return (result);
@@ -6672,14 +6682,15 @@ zone_resigninc(dns_zone_t *zone) {
if (version != NULL) {
dns_db_closeversion(db, &version, ISC_FALSE);
dns_db_detach(&db);
- } else if (db != NULL)
+ } else if (db != NULL) {
dns_db_detach(&db);
+ }
+
+ LOCK_ZONE(zone);
if (result == ISC_R_SUCCESS) {
set_resigntime(zone);
- LOCK_ZONE(zone);
zone_needdump(zone, DNS_DUMP_DELAY);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- UNLOCK_ZONE(zone);
} else {
/*
* Something failed. Retry in 5 minutes.
@@ -6688,6 +6699,7 @@ zone_resigninc(dns_zone_t *zone) {
isc_interval_set(&ival, 300, 0);
isc_time_nowplusinterval(&zone->resigntime, &ival);
}
+ UNLOCK_ZONE(zone);
INSIST(version == NULL);
}
@@ -8177,7 +8189,9 @@ zone_nsec3chain(dns_zone_t *zone) {
nsec3chain = ISC_LIST_HEAD(cleanup);
}
+ LOCK_ZONE(zone);
set_resigntime(zone);
+ UNLOCK_ZONE(zone);
failure:
if (result != ISC_R_SUCCESS)
@@ -8841,14 +8855,14 @@ zone_sign(dns_zone_t *zone) {
signing = ISC_LIST_HEAD(cleanup);
}
+ LOCK_ZONE(zone);
set_resigntime(zone);
if (commit) {
- LOCK_ZONE(zone);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
zone_needdump(zone, DNS_DUMP_DELAY);
- UNLOCK_ZONE(zone);
}
+ UNLOCK_ZONE(zone);
failure:
/*
@@ -8885,6 +8899,7 @@ zone_sign(dns_zone_t *zone) {
} else if (db != NULL)
dns_db_detach(&db);
+ LOCK_ZONE(zone);
if (ISC_LIST_HEAD(zone->signing) != NULL) {
isc_interval_t interval;
if (zone->update_disabled || result != ISC_R_SUCCESS)
@@ -8892,8 +8907,10 @@ zone_sign(dns_zone_t *zone) {
else
isc_interval_set(&interval, 0, 10000000); /* 10 ms */
isc_time_nowplusinterval(&zone->signingtime, &interval);
- } else
+ } else {
isc_time_settoepoch(&zone->signingtime);
+ }
+ UNLOCK_ZONE(zone);
INSIST(version == NULL);
}
@@ -9983,7 +10000,7 @@ zone_maintenance(dns_zone_t *zone) {
const char me[] = "zone_maintenance";
isc_time_t now;
isc_result_t result;
- isc_boolean_t dumping;
+ isc_boolean_t dumping, viewok;
REQUIRE(DNS_ZONE_VALID(zone));
ENTER;
@@ -10001,8 +10018,12 @@ zone_maintenance(dns_zone_t *zone) {
* adb or resolver will be NULL, and we had better not try
* to do further maintenance on it.
*/
- if (zone->view == NULL || zone->view->adb == NULL)
+ LOCK_ZONE(zone);
+ viewok = (zone->view != NULL && zone->view->adb != NULL);
+ UNLOCK_ZONE(zone);
+ if (!viewok) {
return;
+ }
TIME_NOW(&now);
@@ -10195,8 +10216,14 @@ dns_zone_markdirty(dns_zone_t *zone) {
}
/* XXXMPA make separate call back */
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
set_resigntime(zone);
+ if (zone->task != NULL) {
+ isc_time_t now;
+ TIME_NOW(&now);
+ zone_settimer(zone, &now);
+ }
+ }
}
if (secure != NULL)
UNLOCK_ZONE(secure);
@@ -14418,6 +14445,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
zone->sourceserialset = ISC_TRUE;
zone_needdump(zone, DNS_DUMP_DELAY);
+ /*
+ * Set resign time to make sure it is set to the earliest
+ * signature expiration.
+ */
+ set_resigntime(zone);
TIME_NOW(&timenow);
zone_settimer(zone, &timenow);
UNLOCK_ZONE(zone);
@@ -14436,9 +14468,15 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
if (zone->rss_raw != NULL)
dns_zone_detach(&zone->rss_raw);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ LOCK_ZONE(zone);
+ set_resigntime(zone);
+ TIME_NOW(&timenow);
+ zone_settimer(zone, &timenow);
+ UNLOCK_ZONE(zone);
dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_serial: %s",
dns_result_totext(result));
+ }
if (tuple != NULL)
dns_difftuple_free(&tuple);
if (soatuple != NULL)
@@ -18096,10 +18134,11 @@ zone_rekey(dns_zone_t *zone) {
dns_db_closeversion(db, &ver, ISC_TRUE);
+ LOCK_ZONE(zone);
+
if (commit) {
dns_difftuple_t *tuple;
- LOCK_ZONE(zone);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
zone_needdump(zone, DNS_DUMP_DELAY);
@@ -18217,7 +18256,6 @@ zone_rekey(dns_zone_t *zone) {
* Schedule the next resigning event
*/
set_resigntime(zone);
- UNLOCK_ZONE(zone);
}
isc_time_settoepoch(&zone->refreshkeytime);
@@ -18231,11 +18269,9 @@ zone_rekey(dns_zone_t *zone) {
isc_time_t timethen;
isc_stdtime_t then;
- LOCK_ZONE(zone);
DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
&timethen);
zone->refreshkeytime = timethen;
- UNLOCK_ZONE(zone);
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
@@ -18246,12 +18282,10 @@ zone_rekey(dns_zone_t *zone) {
continue;
DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
- LOCK_ZONE(zone);
if (isc_time_compare(&timethen,
&zone->refreshkeytime) < 0) {
zone->refreshkeytime = timethen;
}
- UNLOCK_ZONE(zone);
}
zone_settimer(zone, &timenow);
@@ -18259,6 +18293,7 @@ zone_rekey(dns_zone_t *zone) {
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
}
+ UNLOCK_ZONE(zone);
done:
dns_diff_clear(&diff);
@@ -18293,8 +18328,10 @@ zone_rekey(dns_zone_t *zone) {
* Something went wrong; try again in ten minutes or
* after a key refresh interval, whichever is shorter.
*/
+ LOCK_ZONE(zone);
isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0);
isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+ UNLOCK_ZONE(zone);
goto done;
}