+4337. [bug] The previous change exposed a latent flaw in
+ key refresh queries for managed-keys when
+ a cached DNSKEY had TTL 0. [RT #41986]
+
4336. [bug] Don't emit records with zero ttl unless the records
were learnt with a zero ttl. [RT #41687]
--m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=3/10/15
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/10/15
* Remove keys that match 'keyname' and 'dnskey' from the views trust
* anchors.
*
+ * (NOTE: If the configuration specifies that there should be a
+ * trust anchor at 'keyname', but no keys are left after this
+ * operation, that is an error. We fail closed, inserting a NULL
+ * key so as to prevent validation until a legimitate key has been
+ * provided.)
+ *
* Requires:
* \li 'view' is valid.
* \li 'keyname' is valid.
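Review bot: The added NOTE misspells "legitimate" as "legimitate"; the line should read `* key so as to prevent validation until a legitimate key has been`. The NOTE also states that the null key is inserted only when the configuration specifies a trust anchor at 'keyname', while the implementation change elsewhere in this commit calls dns_keytable_marksecure() unconditionally after the delete, so it would help to add that the configured-anchor check is performed inside the keytable (assuming that is where it lives) rather than by this function. The declaration this comment documents is outside the hunk.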
result = dns_view_getsecroots(view, &sr);
if (result == ISC_R_SUCCESS) {
dns_keytable_deletekeynode(sr, key);
+ dns_keytable_marksecure(sr, keyname);
dns_keytable_detach(&sr);
}
dst_key_free(&key);
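Review bot: The result of the new `dns_keytable_marksecure(sr, keyname);` call is discarded, as is that of dns_keytable_deletekeynode() on the line above it. If marksecure can fail (its declaration is not in the hunk, but inserting a null key presumably allocates), the key has already been removed and no null key remains, so the name quietly becomes unvalidated instead of failing closed — the opposite of what this commit sets out to guarantee. Suggest `result = dns_keytable_marksecure(sr, keyname);` followed by a log message when result is not ISC_R_SUCCESS, so an operator can see that the fail-closed step did not take effect. The enclosing function, which appears to be dns_view_untrust(), starts and ends outside the hunk.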
*/
deletekey = ISC_TRUE;
} else if (keydata.removehd == 0) {
- /* Remove from secroots */
+ /*
+ * Remove key from secroots.
+ */
dns_view_untrust(zone->view, keyname,
&dnskey, mctx);
- /* But ensure there's a null key */
- fail_secure(zone, keyname);
-
/* If initializing, delete now */
if (keydata.addhd == 0)
deletekey = ISC_TRUE;
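Review bot: The rewritten comment `Remove key from secroots.` loses the information the removed `fail_secure(zone, keyname);` call carried: that a null key must be left behind so validation fails closed. That step now lives inside dns_view_untrust() (this commit adds a dns_keytable_marksecure() call there), but a reader of this branch can no longer see it; suggest `/* Remove key from secroots; dns_view_untrust() also leaves a null key so validation fails closed. */`. If fail_secure() has no remaining callers after this change it should be removed or marked unused to avoid a compiler warning, which cannot be confirmed from the hunk. The enclosing function starts and ends outside the hunk.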
result = dns_resolver_createfetch(zone->view->resolver,
kname, dns_rdatatype_dnskey,
NULL, NULL, NULL,
- DNS_FETCHOPT_NOVALIDATE,
+ DNS_FETCHOPT_NOVALIDATE|
+ DNS_FETCHOPT_UNSHARED,
zone->task,
keyfetch_done, kfetch,
&kfetch->dnskeyset,
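Review bot: The added DNS_FETCHOPT_UNSHARED flag is not explained at the call site, and nothing nearby says why a key-refresh fetch must not be shared. The CHANGES entry in this commit ties the fix to key refresh queries when a cached DNSKEY had TTL 0, so a one-line why-comment above the flags argument, e.g. `/* UNSHARED: managed-keys refresh with a TTL 0 cached DNSKEY, RT #41986 */`, would spare the next reader a trip to the ticket. The dns_resolver_createfetch() call and its enclosing function continue outside the hunk.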