[v9_9] fix mkeys TTL 0 issue
authorEvan Hunt <each@isc.org>
Tue, 22 Mar 2016 19:13:39 +0000 (12:13 -0700)
committerEvan Hunt <each@isc.org>
Tue, 22 Mar 2016 19:13:39 +0000 (12:13 -0700)
4337. [bug] The previous change exposed a latent flaw in
key refresh queries for managed-keys when
a cached DNSKEY had TTL 0. [RT #41986]

CHANGES
lib/dns/include/dns/view.h
lib/dns/view.c
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index 613ba4a3712bd9950acf5db1e32f3827cdb6b8ad..ba6127a39ed7f4cbc2319c7d4058924d47664fa6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4337.  [bug]           The previous change exposed a latent flaw in
+                       key refresh queries for managed-keys when
+                       a cached DNSKEY had TTL 0. [RT #41986]
+
 4336.  [bug]           Don't emit records with zero ttl unless the records
                        were learnt with a zero ttl. [RT #41687]
 
index b9d6084f351ce5a87a671228b8c744f073776630..699596efbe2c51172caca83d7a303effd6f9b241 100644 (file)
@@ -1082,6 +1082,12 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
  * Remove keys that match 'keyname' and 'dnskey' from the views trust
  * anchors.
  *
+ * (NOTE: If the configuration specifies that there should be a
+ * trust anchor at 'keyname', but no keys are left after this
+ * operation, that is an error.  We fail closed, inserting a NULL
+ * key so as to prevent validation until a legimitate key has been
+ * provided.)
+ *
  * Requires:
  * \li 'view' is valid.
  * \li 'keyname' is valid.
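Review bot: The new NOTE paragraph misspells "legitimate" as "legimitate" on the line `key so as to prevent validation until a legimitate key has been`. It also describes the mechanism as "inserting a NULL key", while the accompanying view.c change achieves this by calling dns_keytable_marksecure(); if that is indeed what creates the null key, naming the call here would save the next reader a trip, e.g. `* operation, that is an error.  We fail closed (dns_keytable_marksecure()), leaving a null key so as to block validation until a legitimate key has been provided.)`. The Requires list of dns_view_untrust() continues past the hunk.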
index da1136c075acaeb5b2d9cf452142f3bfb6e545a1..87ea8f66fc843ff7087dd964243f8b7aa654bfca 100644 (file)
@@ -1852,6 +1852,7 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
        result = dns_view_getsecroots(view, &sr);
        if (result == ISC_R_SUCCESS) {
                dns_keytable_deletekeynode(sr, key);
+               dns_keytable_marksecure(sr, keyname);
                dns_keytable_detach(&sr);
        }
        dst_key_free(&key);
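Review bot: The result of the added dns_keytable_marksecure() call is discarded (as is that of dns_keytable_deletekeynode() above it). If marksecure can fail — it appears to return an isc_result_t, and creating a null-key node presumably allocates, please confirm — then the key has already been deleted but no null key is left behind, so the view fails open, the opposite of the fail-closed behaviour the new header comment promises. dns_view_untrust() returns void here, so the caller cannot be told, but the failure should at least be logged through the module's usual logging call: `result = dns_keytable_marksecure(sr, keyname);` followed by `if (result != ISC_R_SUCCESS) { /* log: trust anchor for keyname removed but null key could not be installed */ }`. dns_view_untrust() begins before this hunk.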
index 5797ce57b790db12cef8b318c3d791c44dc0cf8f..490248a689101be87245d6488717ec1addcbe572 100644 (file)
@@ -8543,13 +8543,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
                                         */
                                        deletekey = ISC_TRUE;
                                } else if (keydata.removehd == 0) {
-                                       /* Remove from secroots */
+                                       /*
+                                        * Remove key from secroots.
+                                        */
                                        dns_view_untrust(zone->view, keyname,
                                                         &dnskey, mctx);
 
-                                       /* But ensure there's a null key */
-                                       fail_secure(zone, keyname);
-
                                        /* If initializing, delete now */
                                        if (keydata.addhd == 0)
                                                deletekey = ISC_TRUE;
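Review bot: The rewritten comment `Remove key from secroots.` no longer tells a reader that the fail-closed step still happens; the null key the removed fail_secure() call used to install is now expected to come from dns_view_untrust() itself (per the view.h comment in this commit), but nothing at this call site says so, and someone scanning the branch could conclude the guarantee was dropped. Suggest `/* Remove key from secroots; dns_view_untrust() leaves a null key behind for the name, so validation stays blocked (fail closed). */`. keyfetch_done() both begins and ends outside this hunk.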
@@ -8858,7 +8857,8 @@ zone_refreshkeys(dns_zone_t *zone) {
                result = dns_resolver_createfetch(zone->view->resolver,
                                                  kname, dns_rdatatype_dnskey,
                                                  NULL, NULL, NULL,
-                                                 DNS_FETCHOPT_NOVALIDATE,
+                                                 DNS_FETCHOPT_NOVALIDATE|
+                                                 DNS_FETCHOPT_UNSHARED,
                                                  zone->task,
                                                  keyfetch_done, kfetch,
                                                  &kfetch->dnskeyset,
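Review bot: The newly ORed-in DNS_FETCHOPT_UNSHARED carries no why-comment, and its link to the TTL-0 cached DNSKEY problem described in the commit message is not visible at the call site. A short comment above the dns_resolver_createfetch() call would prevent the flag from being "simplified" away later, e.g. `/* UNSHARED: give the key refresh its own fetch rather than joining another in-flight one for this name; see change 4337 (RT #41986). */` — my wording of what UNSHARED does is inferred from the flag name and the commit message, so adjust it to the flag's actual semantics. The createfetch() argument list continues past the hunk, and zone_refreshkeys() begins before it.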