From: Wouter Wijngaards
Date: Mon, 1 Mar 2010 10:26:42 +0000 (+0000)
Subject: Skip RRSIGs on 5011 init. Make install makes all.
X-Git-Tag: release-1.4.2~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67624a8ee0c6fc6b2102960086db8962ed8536d2;p=thirdparty%2Funbound.git
Skip RRSIGs on 5011 init. Make install makes all.
git-svn-id: file:///svn/unbound/trunk@1997 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/Makefile.in b/Makefile.in
index f586a3713..d49b51a14 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -364,7 +364,7 @@ strip:
 $(STRIP) unbound-control$(EXEEXT)
 $(STRIP) unbound-host$(EXEEXT)
-install:
+install: all
 $(INSTALL) -m 755 -d $(DESTDIR)$(sbindir)
 $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)
 $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man8
diff --git a/doc/Changelog b/doc/Changelog
index 685bcfd7a..02dfde6f3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+1 March 2010: Wouter
+ - make install depends on make all.
+ - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
+
 26 February 2010: Wouter
 - Fixup prototype for lexer cleanup in daemon code.
 - unbound-control list_stubs, list_forwards, list_local_zones and
diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl
new file mode 100644
index 000000000..a8e09c790
--- /dev/null
+++ b/testdata/autotrust_init_sigs.rpl
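Review bot: With `install: all`, an install that is run as root without a preceding build (the common `sudo make install`) would now also run the compiler and linker as root and presumably leave root-owned objects in the build tree; that is a usual trade-off for this convenience, but it deserves a sentence in the install notes or Changelog recommending `make` as an unprivileged user before `make install`. The recipe of the install rule continues past the hunk.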
@@ -0,0 +1,183 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + log-time-ascii: yes +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +; initial content (say from dig example.com DNSKEY > example.com.key) +AUTOTRUST_FILE example.com +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20070926134150 20070829134150 55582 example.com. sT5Se0rwBm0oAOcrX37oidl3zxK9QwvgAyOH+08Jq3V8KS4iPehBjNqXi9OITLgos4dHU/up4Z1BwgwTNYJIgg== ;{id = 55582} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20070926134150 20070829134150 30899 example.com. DnrdGYsSAjAX1z93FQvPL8eX66uS9ip7A21gPTkvGBDwDoNB8JTNdRlEyWeXlipatbcQoZeG8mo87Wgp9eT/PA== ;{id = 30899} +AUTOTRUST_END +CONFIG_END + +SCENARIO_BEGIN Test autotrust with initial trust anchor with RRSIGs + +; K-ROOT +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id copy_query +REPLY QR AA +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS k.root-servers.net. +SECTION ADDITIONAL +k.root-servers.net IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. 
+RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3600 IN A 10.20.30.40 +www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899} +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899} +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899} +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +; KSK 1 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} +; ZSK 1 +example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (ksk), size = 512b} +; signatures +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899} +example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582} + +ENTRY_END +RANGE_END + +; set date/time to Aug 24 09:46:40 (2009). +STEP 5 TIME_PASSES ELAPSE 1251100000 +STEP 6 ASSIGN t0 = ${time} +; get probe time and check it. 4800 is about 10% less than 5400. 
And more than +; the 3600 that a failure timeout would have. +STEP 7 ASSIGN probe = ${range 4800 ${timeout} 5400} + + +; the auto probing should have been done now. +STEP 8 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: 1251100000 ;;Mon Aug 24 09:46:40 2009 +;;last_success: 1251100000 ;;Mon Aug 24 09:46:40 2009 +;;next_probe_time: ${$t0 + $probe} ;;${ctime $t0 + $probe} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009 +FILE_END + + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 3600 IN A 10.20.30.40 +www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899} +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899} +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899} +ENTRY_END + +; The autotrust anchor was probed due to the query. + +STEP 30 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 
1 +;;last_queried: 1251100000 ;;Mon Aug 24 09:46:40 2009 +;;last_success: 1251100000 ;;Mon Aug 24 09:46:40 2009 +;;next_probe_time: ${$t0 + $probe} ;;${ctime $t0 + $probe} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009 +FILE_END + +; wait and see if autotrust probes (the unchanged) domain again. +STEP 40 TIME_PASSES EVAL ${$probe} + +STEP 50 TRAFFIC + +STEP 65 ASSIGN probe2 = ${range 4800 ${timeout} 5400} + +STEP 70 CHECK_AUTOTRUST example.com +FILE_BEGIN +; autotrust trust anchor file +;;id: example.com. 1 +;;last_queried: ${time} ;;${ctime ${time}} +;;last_success: ${time} ;;${ctime ${time}} +;;next_probe_time: ${$t0 + $probe + $probe2} ;;${ctime $t0 + $probe + $probe2} +;;query_failed: 0 +;;query_interval: 5400 +;;retry_time: 3600 +example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1251100000 ;;Mon Aug 24 09:46:40 2009 +FILE_END + +SCENARIO_END diff --git a/validator/autotrust.c b/validator/autotrust.c index fb21d0dac..56c83b264 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c 
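Review bot: The comment on the second DNSKEY in the ns.example.com DNSKEY answer, `;{id = 30899 (ksk), size = 512b}`, labels a flags-256 key as a KSK, while the `; ZSK 1` marker just above it and the AUTOTRUST_FILE copy of the same key call it a ZSK. The parser ignores the comment, but the label misleads anyone reading the scenario; change it to `;{id = 30899 (zsk), size = 512b}` to match.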
@@ -431,16 +431,19 @@ add_trustanchor_frm_rr(struct val_anchors* anchors, ldns_rr* rr,
 * @param tp: trust point returned.
 * @param origin: what to use for @
 * @param prev: previous rr name
+ * @param skip: if true, the result is NULL, but not an error, skip it.
 * @return new key in trust point.
 */
 static struct autr_ta*
 add_trustanchor_frm_str(struct val_anchors* anchors, char* str,
- struct trust_anchor** tp, ldns_rdf* origin, ldns_rdf** prev)
+ struct trust_anchor** tp, ldns_rdf* origin, ldns_rdf** prev, int* skip)
 {
 ldns_rr* rr;
 ldns_status lstatus;
- if (!str_contains_data(str, ';'))
+ if (!str_contains_data(str, ';')) {
+ *skip = 1;
 return NULL; /* empty line */
+ }
 if (LDNS_STATUS_OK != (lstatus = ldns_rr_new_frm_str(&rr, str, 0,
 origin, prev))) {
@@ -448,6 +451,12 @@ add_trustanchor_frm_str(struct val_anchors* anchors, char* str,
 ldns_get_errorstr_by_id(lstatus));
 return NULL;
 }
+ if(ldns_rr_get_type(rr) != LDNS_RR_TYPE_DNSKEY &&
+ ldns_rr_get_type(rr) != LDNS_RR_TYPE_DS) {
+ ldns_rr_free(rr);
+ *skip = 1;
+ return NULL; /* only DS and DNSKEY allowed */
+ }
 return add_trustanchor_frm_rr(anchors, rr, tp);
 }
@@ -458,16 +467,17 @@ add_trustanchor_frm_str(struct val_anchors* anchors, char* str,
 * @param fname: filename
 * @param origin: $ORIGIN.
 * @param prev: passed to ldns.
+ * @param skip: if true, the result is NULL, but not an error, skip it.
 * @return false on failure, otherwise the tp read.
 */
 static struct trust_anchor*
 load_trustanchor(struct val_anchors* anchors, char* str, const char* fname,
- ldns_rdf* origin, ldns_rdf** prev)
+ ldns_rdf* origin, ldns_rdf** prev, int* skip)
 {
 struct autr_ta* ta = NULL;
 struct trust_anchor* tp = NULL;
- ta = add_trustanchor_frm_str(anchors, str, &tp, origin, prev);
+ ta = add_trustanchor_frm_str(anchors, str, &tp, origin, prev, skip);
 if(!ta)
 return NULL;
 lock_basic_lock(&tp->lock);
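Review bot: `*skip` is only ever written on the two skip paths of add_trustanchor_frm_str and never cleared, so the function's "NULL but not an error" contract depends on every caller resetting the flag before each call; a caller that forgets would carry a stale 1 across a genuine parse failure and treat it as benign. Clearing it at entry, `*skip = 0;` after the declarations, makes the contract local to the function instead of relying on the `r = 0;` in autr_read_file. The `@param skip` comment here, and the identical one on load_trustanchor in the third hunk, should also state that the flag is an output, e.g. `@param skip: set to 1 when the line is skipped (empty, or not DS/DNSKEY); the result is then NULL but it is not an error.` The body of add_trustanchor_frm_str continues into the next hunk.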
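Review bot: The new DS/DNSKEY type check drops every other record type silently, so an operator who puts a mistyped record into an auto-trust-anchor-file gets no indication that it was ignored, whereas the old autr_read_file path logged an error for every NULL return. Logging the skip at a verbosity level that is quiet in normal operation keeps the RRSIG case from being noisy while still leaving a trace, e.g. `verbose(VERB_ALGO, "skipping non-DS/DNSKEY rr type %d in trust anchor file", (int)ldns_rr_get_type(rr));` placed before the `ldns_rr_free(rr);`.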
@@ -802,8 +812,10 @@ int autr_read_file(struct val_anchors* anchors, const char* nm)
 continue; /* empty lines allowed */
 if(handle_origin(line, &origin))
 continue;
- if(!(tp2=load_trustanchor(anchors, line, nm, origin, &prev))) {
- log_err("failed to load trust anchor from %s "
+ r = 0;
+ if(!(tp2=load_trustanchor(anchors, line, nm, origin, &prev,
+ &r))) {
+ if(!r) log_err("failed to load trust anchor from %s "
 "at line %i, skipping", nm, line_nr);
 /* try to do the rest */
 continue;
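Review bot: `if(!r) log_err(...)` puts a statement that spans two lines under a brace-less `if`, with the string continuation indented as though it were a second body statement; bracing it, `if(!r) {` … `}`, avoids the dangling-body mistake when a second statement is added later. `r` is also a nondescript name for what the callee documents as a skip flag; `skipped` would read better at both the `r = 0;` and `&r` sites. The declaration of `r` and the rest of autr_read_file's loop are outside the hunk.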