From: Evan Hunt Date: Tue, 22 Mar 2016 19:12:32 +0000 (-0700) Subject: [master] fix mkeys TTL 0 issue X-Git-Tag: v9.11.0a1~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=132a57117978816eebf6f8c33b39bdcfcd62fd7a;p=thirdparty%2Fbind9.git [master] fix mkeys TTL 0 issue 4337. [bug] The previous change exposed a latent flaw in key refresh queries for managed-keys when a cached DNSKEY had TTL 0. [RT #41986] --- diff --git a/CHANGES b/CHANGES index c93e9631de3..9ae68b39ca1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4337. [bug] The previous change exposed a latent flaw in + key refresh queries for managed-keys when + a cached DNSKEY had TTL 0. [RT #41986] + 4336. [bug] Don't emit records with zero ttl unless the records were learnt with a zero ttl. [RT #41687] diff --git a/bin/tests/system/mkeys/ns2/named.args b/bin/tests/system/mkeys/ns2/named.args index ded06e551a7..a29041f6e37 100644 --- a/bin/tests/system/mkeys/ns2/named.args +++ b/bin/tests/system/mkeys/ns2/named.args @@ -1 +1 @@ --m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=3/10/15 +-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/10/15 diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 106ef700c65..c251c1168f0 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -1199,6 +1199,12 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname, * Remove keys that match 'keyname' and 'dnskey' from the views trust * anchors. * + * (NOTE: If the configuration specifies that there should be a + * trust anchor at 'keyname', but no keys are left after this + * operation, that is an error. We fail closed, inserting a NULL + * key so as to prevent validation until a legimitate key has been + * provided.) + * * Requires: * \li 'view' is valid. * \li 'keyname' is valid. diff --git a/lib/dns/view.c b/lib/dns/view.c index c28b2f9bf30..b4fcb043ee9 100644 --- a/lib/dns/view.c 
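Review bot: The NOTE paragraph added to the dns_view_untrust() header comment misspells "legitimate" as "legimitate"; the line should read ` * key so as to prevent validation until a legitimate key has been`. Since this paragraph is now the public statement of the fail-closed contract, it would also help to name where that contract is implemented, for example appending ` * (the NULL key is inserted via dns_keytable_marksecure() in view.c.)`, which is the call the view.c hunk of this commit adds. The rest of the comment and the function prototype are outside the hunk.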
+++ b/lib/dns/view.c @@ -1937,6 +1937,7 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname, result = dns_view_getsecroots(view, &sr); if (result == ISC_R_SUCCESS) { dns_keytable_deletekeynode(sr, key); + dns_keytable_marksecure(sr, keyname); dns_keytable_detach(&sr); } dst_key_free(&key); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index c5a2cc31617..cd5599802db 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9011,13 +9011,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { */ deletekey = ISC_TRUE; } else if (keydata.removehd == 0) { - /* Remove from secroots */ + /* + * Remove key from secroots. + */ dns_view_untrust(zone->view, keyname, &dnskey, mctx); - /* But ensure there's a null key */ - fail_secure(zone, keyname); - /* If initializing, delete now */ if (keydata.addhd == 0) deletekey = ISC_TRUE; @@ -9326,7 +9325,8 @@ zone_refreshkeys(dns_zone_t *zone) { result = dns_resolver_createfetch(zone->view->resolver, kname, dns_rdatatype_dnskey, NULL, NULL, NULL, - DNS_FETCHOPT_NOVALIDATE, + DNS_FETCHOPT_NOVALIDATE| + DNS_FETCHOPT_UNSHARED, zone->task, keyfetch_done, kfetch, &kfetch->dnskeyset,
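Review bot: The result of the added `dns_keytable_marksecure(sr, keyname);` is discarded, so if marking the name secure fails, `dns_keytable_deletekeynode()` has already removed the key and the view is left without the fail-closed NULL key that the new view.h comment promises — the exact fail-open case the note says must not happen. dns_view_untrust() appears to return void, so the error cannot be propagated, but it should at least be captured and logged rather than dropped, e.g. `result = dns_keytable_marksecure(sr, keyname);` followed by a check for `result != ISC_R_SUCCESS`, in the same way `dns_view_getsecroots()` is checked two lines above. The view.h note also conditions the NULL key on the configuration specifying a trust anchor at 'keyname', whereas this call is unconditional; if dns_view_untrust() has callers other than keyfetch_done(), that difference is worth confirming. dns_view_untrust() begins and ends outside this hunk.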
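Review bot: With `fail_secure(zone, keyname);` removed, the replacement comment `Remove key from secroots.` no longer tells a reader of keyfetch_done() that a NULL key is still inserted; the fail-closed step has moved into dns_view_untrust() (via the dns_keytable_marksecure() call in the view.c hunk), and saying so here prevents someone from re-adding fail_secure() or assuming the protection was dropped. Suggested comment in place of the new one: `/* Remove key from secroots. dns_view_untrust() now fails closed (NULL key) when no keys remain, so fail_secure() is not needed here. */`. keyfetch_done() begins and ends outside this hunk.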
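Review bot: The added `DNS_FETCHOPT_UNSHARED` flag carries no comment explaining why the managed-keys refresh fetch must not be shared, even though it is the part of this commit that addresses the TTL 0 problem described in the CHANGES entry. A short why-comment above the `dns_resolver_createfetch()` call would save the next reader a trip to the changelog, e.g. `/* Unshared fetch: key refresh misbehaved when a cached DNSKEY had TTL 0 (CHANGES 4337, RT #41986). */`. The createfetch argument list and zone_refreshkeys() itself continue past the end of the hunk.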