From: Mark Andrews Date: Tue, 25 Oct 2011 01:54:22 +0000 (+0000) Subject: 3177. [func] 'rndc keydone', remove the indicator record that X-Git-Tag: v9.9.0b1~2^3~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1c6de5456a5287b442de5620282902da39a4968;p=thirdparty%2Fbind9.git 3177. [func] 'rndc keydone', remove the indicator record that named has finished signing the zone with the corresponding key. [RT #26206] --- diff --git a/CHANGES b/CHANGES index aeefe843f0f..f844d749d2c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3177. [func] 'rndc keydone', remove the indicator record that + named has finished signing the zone with the + corresponding key. [RT #26206] + 3176. [doc] Corrected example code and added a README to the sample external DLZ module in contrib/dlz/example. [RT #26215] diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 118f8693383..3d6be2905f0 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-dsfromkey.c,v 1.23 2011/09/03 05:51:29 each Exp $ */ +/* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */ /*! \file */ @@ -62,6 +62,7 @@ static dns_rdataclass_t rdclass; static dns_fixedname_t fixed; static dns_name_t *name = NULL; static isc_mem_t *mctx = NULL; +static isc_uint32_t ttl; static isc_result_t initname(char *setname) { @@ -294,6 +295,9 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside, isc_buffer_usedregion(&nameb, &r); printf("%.*s ", (int)r.length, r.base); + if (ttl != 0U) + printf("%u ", ttl); + isc_buffer_usedregion(&classb, &r); printf("%.*s", (int)r.length, r.base); 
@@ -329,6 +333,7 @@ usage(void) { fprintf(stderr, " -l: add lookaside zone and print DLV records\n"); fprintf(stderr, " -s: read keyset from keyset- file\n"); fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n"); + fprintf(stderr, " -T TTL\n"); fprintf(stderr, " -f file: read keyset from zone file\n"); fprintf(stderr, " -A: when used with -f, " "include all keys in DS set, not just KSKs\n"); @@ -368,7 +373,7 @@ main(int argc, char **argv) { isc_commandline_errprint = ISC_FALSE; while ((ch = isc_commandline_parse(argc, argv, - "12Aa:c:d:Ff:K:l:sv:h")) != -1) { + "12Aa:c:d:Ff:K:l:sT:v:h")) != -1) { switch (ch) { case '1': dtype = DNS_DSDIGEST_SHA1; @@ -408,6 +413,9 @@ main(int argc, char **argv) { case 's': usekeyset = ISC_TRUE; break; + case 'T': + ttl = atol(isc_commandline_argument); + break; case 'v': verbose = strtol(isc_commandline_argument, &endp, 0); if (*endp != '\0') diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook index 4e3b9b65680..a43eadc9f47 100644 --- a/bin/dnssec/dnssec-dsfromkey.docbook +++ b/bin/dnssec/dnssec-dsfromkey.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + August 26, 2009 @@ -52,6 +52,7 @@ + keyfile @@ -64,6 +65,7 @@ + @@ -113,6 +115,15 @@ + + -T TTL + + + Specifies the TTL of the DS records. + + + + -K directory diff --git a/bin/named/control.c b/bin/named/control.c index 3e5de3e7b46..006aba21156 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.c,v 1.44 2011/08/02 20:36:11 each Exp $ */ +/* $Id: control.c,v 1.45 2011/10/25 01:54:18 marka Exp $ */ /*! \file */ 
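Review bot: The new `case 'T':` parses the TTL with `atol()` and stores it into an `isc_uint32_t` with no range or syntax check, so `-T abc` silently yields 0 (and the TTL is then omitted from the output) and a negative or oversized value wraps. The `-v` case two lines below already shows the house style: `ttl = strtoul(isc_commandline_argument, &endp, 0);` followed by `if (*endp != '\0')` and the same error path `-v` takes (that path is outside this hunk, so I am assuming it rejects the argument). It would also be worth stating in the usage line what `-T TTL` means, e.g. `" -T TTL: TTL of the generated DS records (default: none)\n"`, since the docbook addition says only "Specifies the TTL of the DS records."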
@@ -205,6 +205,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { result = ns_server_add_zone(ns_g_server, command); } else if (command_compare(command, NS_COMMAND_DELZONE)) { result = ns_server_del_zone(ns_g_server, command); + } else if (command_compare(command, NS_COMMAND_KEYDONE)) { + result = ns_server_keydone(ns_g_server, command); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_CONTROL, ISC_LOG_WARNING, diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h index 3d451e95f77..31ca427de5c 100644 --- a/bin/named/include/named/control.h +++ b/bin/named/include/named/control.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.h,v 1.34 2011/08/02 20:36:12 each Exp $ */ +/* $Id: control.h,v 1.35 2011/10/25 01:54:19 marka Exp $ */ #ifndef NAMED_CONTROL_H #define NAMED_CONTROL_H 1 @@ -64,6 +64,7 @@ #define NS_COMMAND_ADDZONE "addzone" #define NS_COMMAND_DELZONE "delzone" #define NS_COMMAND_SYNC "sync" +#define NS_COMMAND_KEYDONE "keydone" isc_result_t ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp); diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h index 92e6d22422d..332bef738ca 100644 --- a/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.h,v 1.113 2011/08/02 20:36:12 each Exp $ */ +/* $Id: server.h,v 1.114 2011/10/25 01:54:19 marka Exp $ */ #ifndef NAMED_SERVER_H #define NAMED_SERVER_H 1 @@ -342,4 +342,10 @@ ns_server_add_zone(ns_server_t *server, char *args); isc_result_t ns_server_del_zone(ns_server_t *server, char *args); +/*% + * Deletes the matching key done private record from the zone. + */ +isc_result_t +ns_server_keydone(ns_server_t *server, char *args); + #endif /* NAMED_SERVER_H */ diff --git a/bin/named/server.c b/bin/named/server.c index c46d4ee3151..18fa5317b36 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.622 2011/10/14 05:38:49 marka Exp $ */ +/* $Id: server.c,v 1.623 2011/10/25 01:54:19 marka Exp $ */ /*! \file */ @@ -5912,7 +5912,7 @@ next_token(char **stringp, const char *delim) { */ static isc_result_t zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep, - const char **zonename) + const char **zonename, isc_boolean_t skip) { char *input, *ptr; const char *zonetxt; @@ -5928,10 +5928,12 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep, input = args; - /* Skip the command name. */ - ptr = next_token(&input, " \t"); - if (ptr == NULL) - return (ISC_R_UNEXPECTEDEND); + if (skip) { + /* Skip the command name. */ + ptr = next_token(&input, " \t"); + if (ptr == NULL) + return (ISC_R_UNEXPECTEDEND); + } /* Look for the zone name. */ zonetxt = next_token(&input, " \t"); @@ -5999,7 +6001,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) { dns_zone_t *zone = NULL; dns_zonetype_t type; - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) @@ -6023,7 +6025,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) { dns_zonetype_t type; const char *msg = NULL; - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) { @@ -6083,7 +6085,7 @@ ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) { dns_zone_t *zone = NULL; const unsigned char msg[] = "zone notify queued"; - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) 
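Review bot: zone_from_args() gains a `skip` parameter but its header comment, which ends at the ` */` context line at the top of the second hunk, is not updated to say what the flag means; the function's first lines and the rest of its body sit outside this hunk. A one-line addition to that comment would do: `/* If 'skip' is true the first token of 'args' is the command name and is discarded before the zone name is parsed; callers that have already consumed the command (e.g. keydone, which has an rdata argument first) pass ISC_FALSE. */`. Every existing caller is mechanically updated to `ISC_TRUE`, so behaviour is unchanged for them, which is also worth a sentence in the commit description given how many call sites this touches.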
@@ -6108,7 +6110,7 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) { const unsigned char msg2[] = "not a slave or stub zone"; dns_zonetype_t type; - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) @@ -7216,7 +7218,7 @@ ns_server_rekey(ns_server_t *server, char *args) { if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0) fullsign = ISC_TRUE; - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) @@ -7283,7 +7285,7 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) { (void) next_token(&args, " \t"); } - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); @@ -7359,7 +7361,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args, isc_boolean_t frozen; const char *msg = NULL; - result = zone_from_args(server, args, &zone, NULL); + result = zone_from_args(server, args, &zone, NULL, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) { @@ -7687,7 +7689,7 @@ ns_server_del_zone(ns_server_t *server, char *args) { FILE *ifp = NULL, *ofp = NULL; /* Parse parameters */ - CHECK(zone_from_args(server, args, &zone, &zonename)); + CHECK(zone_from_args(server, args, &zone, &zonename, ISC_TRUE)); if (result != ISC_R_SUCCESS) return (result); if (zone == NULL) { 
@@ -7855,3 +7857,47 @@ newzone_cfgctx_destroy(void **cfgp) {
 isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
 *cfgp = NULL;
 }
+
+/*
+ * Act on a "keydone" command from the command channel.
+ */
+isc_result_t
+ns_server_keydone(ns_server_t *server, char *args) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ const char *ptr = NULL;
+
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ /*
+ * Is the rdata sane?
+ */
+ if (strspn(ptr, "0123456789ABCDEFabcdef") != 10U ||
+ strncmp(ptr, "00", 2) == 0 || strcmp(ptr + 6, "0001") != 0)
+ return (DNS_R_SYNTAX);
+
+ /*
+ * Find the zone.
+ */
+ result = zone_from_args(server, args, &zone, NULL, ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL)
+ return(ISC_R_NOTFOUND);
+
+ if (dns_zone_gettype(zone) != dns_zone_master) {
+ result = DNS_R_NOTMASTER;
+ goto cleanup;
+ }
+
+ result = dns_zone_keydone(zone, ptr);
+
+ cleanup:
+ dns_zone_detach(&zone);
+ return (result);
+}
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 668d2ca801b..b39c5fbb3b6 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: rndc.c,v 1.134 2011/03/21 15:39:05 each Exp $ */
+/* $Id: rndc.c,v 1.135 2011/10/25 01:54:19 marka Exp $ */
 /*! \file */
@@ -154,6 +154,9 @@ command is one of the following:\n\
 Add zone to given view. Requires new-zone-file option.\n\
 delzone [\"file\"] zone [class [view]]\n\
 Removes zone from given view. Requires new-zone-file option.\n\
+ keydone rdata zone [class [view]]\n\
+ Remove the private record with the corresponding rdata from\n\
+ the given zone.\n\
 \n\
 * == not yet implemented\n\
 Version: %s\n",
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
index f0374c98313..bca624b4a01 100644
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
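Review bot: The `/* Is the rdata sane? */` comment in ns_server_keydone() does not say what shape is being enforced, so the three-part test that follows (exactly 10 hex digits, not starting with `00`, ending in `0001`) reads as magic; the ARM text added in this same commit spells the rule out and the code should too. I would replace it with `/* Accept only a signing-complete private-type record: 10 hex digits (5 bytes), a non-zero algorithm byte, and the trailing "complete" flags 0001. Any other rdata is refused so that in-progress records cannot be removed by accident. */`. Two smaller style points: `return(ISC_R_NOTFOUND);` lacks the space the rest of the function uses in `return (result);`, and the `cleanup:` label is indented one level unlike the column-0 `failure:` labels used in zone.c in this commit.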
@@ -12,11 +12,15 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.3 2011/10/12 00:10:19 marka Exp $ +# $Id: clean.sh,v 1.4 2011/10/25 01:54:19 marka Exp $ rm -f */named.memstats rm -f */named.run rm -f */trusted.conf +rm -f ns1/K* +rm -f ns1/dsset-* +rm -f ns1/root.db +rm -f ns1/root.db.signed rm -f ns2/bits.db rm -f ns2/bits.db.jnl rm -f ns3/K* diff --git a/bin/tests/system/inline/ns1/named.conf b/bin/tests/system/inline/ns1/named.conf index 6f379b36d67..b86396239d1 100644 --- a/bin/tests/system/inline/ns1/named.conf +++ b/bin/tests/system/inline/ns1/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */ +/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */ // NS1 @@ -39,4 +39,4 @@ zone "." { file "root.db.signed"; }; -// include "trusted.conf"; +include "trusted.conf"; diff --git a/bin/tests/system/inline/ns1/root.db.in b/bin/tests/system/inline/ns1/root.db.in new file mode 100644 index 00000000000..cb62f429344 --- /dev/null +++ b/bin/tests/system/inline/ns1/root.db.in 
@@ -0,0 +1,35 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2000, 2001 Internet Software Consortium. +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: root.db.in,v 1.2 2011/10/25 01:54:20 marka Exp $ + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +bits. NS ns3.bits. +ns3.bits. A 10.53.0.3 +bits. NS ns4.bits. +ns4.bits. A 10.53.0.4 + +noixfr. NS ns3.noixfr. +ns3.noixfr. A 10.53.0.3 diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh new file mode 100644 index 00000000000..3f25d618aff --- /dev/null +++ b/bin/tests/system/inline/ns1/sign.sh 
@@ -0,0 +1,41 @@ +#!/bin/sh -e +# +# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.2 2011/10/25 01:54:20 marka Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=. +rm -f K.+*+*.key +rm -f K.+*+*.private +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` +$SIGNER -S -x -T 1200 -o ${zone} root.db + +cat ${keyname}.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < trusted.conf + +cp trusted.conf ../ns6/trusted.conf diff --git a/bin/tests/system/inline/ns3/named.conf b/bin/tests/system/inline/ns3/named.conf index a17c07e17d8..dbf747f4fff 100644 --- a/bin/tests/system/inline/ns3/named.conf +++ b/bin/tests/system/inline/ns3/named.conf @@ -14,11 +14,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */ +/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */ -// NS2 +// NS3 -controls { /* empty */ }; +include "../../common/rndc.key"; + +controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; }; options { query-source address 10.53.0.3; 
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh index cf0095c6265..7625cd094f8 100644 --- a/bin/tests/system/inline/ns3/sign.sh +++ b/bin/tests/system/inline/ns3/sign.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $ +# $Id: sign.sh,v 1.3 2011/10/25 01:54:20 marka Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -26,9 +26,11 @@ rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db zone=noixfr rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` +$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db diff --git a/bin/tests/system/inline/ns6/named.conf b/bin/tests/system/inline/ns6/named.conf new file mode 100644 index 00000000000..b7108ad7062 --- /dev/null +++ b/bin/tests/system/inline/ns6/named.conf 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2011/10/25 01:54:21 marka Exp $ */ + +// NS6 + +include "../../common/rndc.key"; + +controls { inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; }; }; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion yes; + notify yes; + notify-delay 0; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh index 83ade8cea5c..5dd3285ee37 100644 --- a/bin/tests/system/inline/setup.sh +++ b/bin/tests/system/inline/setup.sh @@ -12,10 +12,13 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.3 2011/10/12 00:10:19 marka Exp $ +# $Id: setup.sh,v 1.4 2011/10/25 01:54:19 marka Exp $ sh clean.sh +cp ns1/root.db.in ns1/root.db +rm -f ns1/root.db.signed + touch ns2/trusted.conf cp ns2/bits.db.in ns2/bits.db rm -f ns2/bits.db.jnl 
@@ -39,3 +42,4 @@ cp ns5/named.conf.pre ns5/named.conf ../../../tools/genrandom 400 random.data (cd ns3; sh -e sign.sh) +(cd ns1; sh -e sign.sh) diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh index 72ba25e53f4..24d21449a55 100644 --- a/bin/tests/system/inline/tests.sh +++ b/bin/tests/system/inline/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.3 2011/10/12 00:10:19 marka Exp $ +# $Id: tests.sh,v 1.4 2011/10/25 01:54:20 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -34,7 +34,7 @@ do $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1 - records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l` + records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l` [ $records = 2 ] || ret=1 if [ $ret = 0 ]; then break; fi sleep 1 
@@ -42,6 +42,75 @@ done if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:checking removal of private type record via 'rndc keydone' ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n +records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n` +for record in $records +do + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1 + break; # We only want to remove 1 record for now. +done 2>&1 |sed 's/^/I:ns3 /' + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n + grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking private type was properly signed ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n +grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking removal of remaining private type record via 'rndc keydone' ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n +records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n` +for record in $records +do + $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1 +done 2>&1 |sed 's/^/I:ns3 /' + +for i in 1 2 3 4 5 6 7 8 9 10 +do + ans=0 + $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n + grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ans=1 + grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1 + [ $ans = 1 ] || break + sleep 1 +done +[ $ans = 0 ] || ret=1 + +if [ $ret != 0 ]; then echo 
"I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking negative private type response was properly signed ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n +grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1 +grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1 + +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + $NSUPDATE << EOF zone bits server 10.53.0.2 5300 @@ -195,7 +264,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo "I:restart bump in the wire signer server ($n)" ret=0 -$PERL ../start.pl --noclean . ns3 || ret=1 +$PERL ../start.pl --noclean --restart . ns3 || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 218abcfc364..a77f99d10ca 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -1555,6 +1555,28 @@ zone "eng.example.com" { + + keydone + rdata + zone + class + view + + + + Remove the sig-signing-type record + which matches the rdata + (in hexadecimal) from the specified zone. Only + rdata that + indicate that named has finished signing the zone + with the corresponding key will be removed. (i.e. + the first two characters are not "00", the + last four characters are "0001" and the total + length is 10 hexadecimal characters. + + + + @@ -8704,6 +8726,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; It is expected that this parameter may be removed in a future version once there is a standard type. + + These records can be removed from the zone once named + has completed signing the zone with the matching key + using nsupdate or + rndc keydone. + rndc keydone is the only supported + way to remove these records from + inline-signing zones. + 
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h index 723f9ca2752..3ff3576f1a5 100644 --- a/lib/dns/include/dns/events.h +++ b/lib/dns/include/dns/events.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: events.h,v 1.59 2011/09/02 21:15:36 each Exp $ */ +/* $Id: events.h,v 1.60 2011/10/25 01:54:22 marka Exp $ */ #ifndef DNS_EVENTS_H #define DNS_EVENTS_H 1 @@ -77,6 +77,7 @@ #define DNS_EVENT_ZONESECURESERIAL (ISC_EVENTCLASS_DNS + 47) #define DNS_EVENT_ZONESECUREDB (ISC_EVENTCLASS_DNS + 48) #define DNS_EVENT_ZONELOAD (ISC_EVENTCLASS_DNS + 49) +#define DNS_EVENT_KEYDONE (ISC_EVENTCLASS_DNS + 50) #define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0) #define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535) diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 714b88bedb7..c4efe075fd0 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.194 2011/09/06 22:29:33 smann Exp $ */ +/* $Id: zone.h,v 1.195 2011/10/25 01:54:22 marka Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -1978,6 +1978,9 @@ dns_zone_link(dns_zone_t *zone, dns_zone_t *raw); void dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw); +isc_result_t +dns_zone_keydone(dns_zone_t *zone, const char *data); + ISC_LANG_ENDDECLS #endif /* DNS_ZONE_H */ diff --git a/lib/dns/zone.c b/lib/dns/zone.c index c53bb6d65df..4a326d16178 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.636 2011/10/20 21:20:02 marka Exp $ */ +/* $Id: zone.c,v 1.637 2011/10/25 01:54:22 marka Exp $ */ /*! \file */ @@ -23,6 +23,7 @@ #include #include +#include #include #include #include @@ -30,9 +31,9 @@ #include #include #include -#include #include #include +#include #include #include #include 
@@ -15319,3 +15320,144 @@ dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
 dns_zone_attach(zone->raw, raw);
 UNLOCK(&zone->lock);
 }
+
+struct keydone {
+ isc_event_t event;
+ unsigned int data[5];
+};
+
+static void
+keydone(isc_task_t *task, isc_event_t *event) {
+ const char *me = "keydone";
+ isc_boolean_t commit = ISC_FALSE;
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_dbversion_t *oldver = NULL, *newver = NULL;
+ dns_zone_t *zone;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_diff_t diff;
+ isc_boolean_t have_rr = ISC_FALSE;
+ struct keydone *keydone = (struct keydone *)event;
+ dns_update_log_t log = { update_log_cb, NULL };
+
+ UNUSED(task);
+
+ zone = event->ev_arg;
+ INSIST(DNS_ZONE_VALID(zone));
+
+ ENTER;
+
+ dns_rdataset_init(&rdataset);
+ dns_diff_init(zone->mctx, &diff);
+
+ ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+ if (zone->db != NULL) {
+ dns_db_attach(zone->db, &db);
+ dns_db_currentversion(db, &oldver);
+ result = dns_db_newversion(db, &newver);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "keydone:dns_db_newversion -> %s\n",
+ dns_result_totext(result));
+ goto failure;
+ }
+ }
+ ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+ if (db == NULL)
+ goto failure;
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ result = dns_db_findrdataset(db, node, newver, zone->privatetype,
+ dns_rdatatype_none, 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
+ goto failure;
+ }
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
+ goto failure;
+ }
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdataset_current(&rdataset, &rdata);
+ if (rdata.length != 5 ||
+ memcmp(rdata.data, keydone->data, 5) != 0) {
+ dns_rdata_reset(&rdata);
+ continue;
+ }
+ CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
+ &zone->origin, rdataset.ttl, &rdata));
+ dns_rdata_reset(&rdata);
+ }
+
+ if (!ISC_LIST_EMPTY(diff.tuples)) {
+ /* Write changes to journal file. */
+ CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
+ zone->updatemethod));
+ CHECK(dns_update_signatures(&log, zone, db, oldver, newver,
+ &diff, zone->sigvalidityinterval));
+ CHECK(zone_journal(zone, &diff, NULL, "keydone"));
+ commit = ISC_TRUE;
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+ zone_needdump(zone, 30);
+ UNLOCK_ZONE(zone);
+ }
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (db != NULL) {
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (oldver != NULL)
+ dns_db_closeversion(db, &oldver, ISC_FALSE);
+ if (newver != NULL)
+ dns_db_closeversion(db, &newver, commit);
+ dns_db_detach(&db);
+ }
+ dns_diff_clear(&diff);
+ isc_event_free(&event);
+ dns_zone_idetach(&zone);
+}
+
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *data) {
+ isc_result_t result;
+ isc_event_t *e;
+ isc_buffer_t b;
+ dns_zone_t *dummy = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+
+ e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_KEYDONE, keydone,
+ zone, sizeof(struct keydone));
+ if (e == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+
+ isc_buffer_init(&b, ((struct keydone*)e)->data,
+ sizeof(((struct keydone*)e)->data));
+ result = isc_hex_decodestring(data, &b);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ zone_iattach(zone, &dummy);
+ isc_task_send(zone->task, &e);
+
+ failure:
+ if (e != NULL)
+ isc_event_free(&e);
+ UNLOCK_ZONE(zone);
+ return (result);
+}
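Review bot: In keydone(), the `goto failure` taken when `dns_db_newversion()` fails jumps out while `zone->dblock` is still held for reading (the `ZONEDB_UNLOCK` sits after the `if (zone->db != NULL)` block), and the `failure:` label never releases it, so the zone database lock leaks on that path and later writers to the zone will block; add `ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);` immediately before that `goto failure;`. A second issue in the same hunk: `struct keydone` declares the payload as `unsigned int data[5]` (20 bytes) while `memcmp` compares only 5, and `dns_zone_keydone()` accepts any hex string that decodes into that space without checking the decoded length, so a caller of this public API that passes fewer than 10 hex digits would compare bytes `isc_event_allocate()` never initialised (ns_server_keydone() pre-validates the length today, so the control channel is not affected). Declaring `unsigned char data[5];` and adding `if (result == ISC_R_SUCCESS && isc_buffer_usedlength(&b) != sizeof(((struct keydone *)e)->data)) result = DNS_R_SYNTAX;` after the decode closes that gap. Minor: `have_rr` is declared and never used, and the `"keydone:dns_db_newversion -> %s\n"` message carries a trailing newline that the other `dns_zone_log` calls do not.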