-4605. [performance] (partial backport) Improve general query
- performance. Improves performance of owner case
- restoration, hash function, etc. Uses inline
- buffer implementation by default. [RT #45637]
+4840. [test] Add tests to cover fallback to using ZSK on inactive
+ KSK. [RT #46787]
+
4839. [bug] zone.c:zone_sign was not properly determining
if there were active KSK and ZSK keys for
4651. [test] Silence coverity warnings in tsig_test.c. [RT #45528]
+4605. [performance] (partial backport) Improve general query
+ performance. Improves performance of owner case
+ restoration, hash function, etc. Uses inline
+ buffer implementation by default. [RT #45637]
+
--- 9.11.2 released ---
--- 9.11.2rc2 released ---
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
+rm -f ns3/inacksk2.example.db
+rm -f ns3/inacksk3.example.db
rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
--- /dev/null
+; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
$DSFROMKEY $ksk.key > dsset-${zone}$TP
echo ns3/$ksk > ../sync.key
+#
+# A zone that has a published inactive key that is autosigned.
+#
+setup inacksk2.example
+cp $infile $zonefile
+ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
#
# A zone that has a published inactive key that is autosigned.
#
$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
+#
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+#
+setup inacksk3.example
+cp $infile $zonefile
+$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
#
# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inaczsk3.example
cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1204 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -b 1204 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -b 1204 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
auto-dnssec maintain;
};
+zone "inacksk2.example" {
+ type master;
+ file "inacksk2.example.db";
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ auto-dnssec maintain;
+};
+
+zone "inacksk3.example" {
+ type master;
+ file "inacksk3.example.db";
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ auto-dnssec maintain;
+};
+
zone "inaczsk2.example" {
type master;
file "inaczsk2.example.db";
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
done
- for z in bar. example. inaczsk2.example. inaczsk3.example
+ for z in bar. example. inacksk2.example. inacksk3.example \
+ inaczsk2.example. inaczsk3.example
do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi
status=`expr $status + $ret`
+#
+# Check that DNSKEY is initially signed with a KSK and not a ZSK.
+#
+echo "I:check that zone with active and inactive KSK and active ZSK is properly"
+echo "I: resigned after the active KSK is deleted - stage 1: Verify that DNSKEY"
+echo "I: is initially signed with a KSK and not a ZSK. ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+
+zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
+grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
+
+pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+
+count=`awk 'BEGIN { count = 0 }
+ $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n`
+test $count -eq 1 || ret=1
+
+count=`awk 'BEGIN { count = 0 }
+ $4 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n`
+test $count -eq 3 || ret=1
+
+awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
+id=`awk "${awk}" dig.out.ns3.test$n`
+
+$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id}
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys inacksk3.example
+
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
#
# Check that zone is initially signed with a ZSK and not a KSK.
#
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check that zone with inactive KSK and active ZSK is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
+
+zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
+pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+
+kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
+pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
+
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
ret=0
-$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.out
-grep "SOA 7 2" dig.out.ns3.out > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
+grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+#
+# Check that DNSKEY is now signed with the ZSK.
+#
+echo "I:check that zone with active and inactive KSK and active ZSK is properly"
+echo "I: resigned after the active KSK is deleted - stage 2: Verify that DNSKEY"
+echo "I: is now signed with the ZSK. ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
+
+zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
+pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
+
+count=`awk 'BEGIN { count = 0 }
+ $4 == "RRSIG" && $5 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n`
+test $count -eq 1 || ret=1
+
+count=`awk 'BEGIN { count = 0 }
+ $4 == "DNSKEY" { count++ }
+ END {print count}' dig.out.ns3.test$n`
+test $count -eq 2 || ret=1
+
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
rm -f ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns1/signer.out
+rm -f ns2/inactiveksk.db
+rm -f ns2/inactiveksk.db.jnl
rm -f ns2/inactivezsk.db
rm -f ns2/inactivezsk.db.jnl
rm -f ns2/retransfer.db
rm -f ns3/expired.db.jnl
rm -f ns3/expired.db.signed
rm -f ns3/expired.db.signed.jnl
+rm -f ns3/inactiveksk.bk
+rm -f ns3/inactiveksk.bk.jnl
+rm -f ns3/inactiveksk.bk.signed
+rm -f ns3/inactiveksk.bk.signed.jnl
rm -f ns3/inactivezsk.bk
rm -f ns3/inactivezsk.bk.jnl
rm -f ns3/inactivezsk.bk.signed
retransfer3. NS ns3.retransfer.
ns3.retransfer3. A 10.53.0.3
+inactiveksk. NS ns3.inactiveksk.
+ns3.inactiveksk. A 10.53.0.3
+
inactivezsk. NS ns3.inactivezsk.
ns3.inactivezsk. A 10.53.0.3
notify no;
};
+zone "inactiveksk" {
+ type master;
+ file "inactiveksk.db";
+ allow-update { any; };
+};
+
zone "inactivezsk" {
type master;
file "inactivezsk.db";
file "retransfer3.bk";
};
+zone "inactiveksk" {
+ type slave;
+ masters { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ dnssec-dnskey-kskonly yes;
+ file "inactiveksk.bk";
+};
+
zone "inactivezsk" {
type slave;
masters { 10.53.0.2; };
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+zone=inactiveksk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
zone=inactivezsk
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db
+cp ns2/bits.db.in ns2/inactiveksk.db
cp ns2/bits.db.in ns2/inactivezsk.db
cp ns2/bits.db.in ns2/retransfer.db
cp ns2/bits.db.in ns2/retransfer3.db
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:testing that inline signing works with inactive KSK and active ZSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 -p 5300 axfr inactiveksk > dig.out.ns3.test$n
+
+#
+# check that DNSKEY is signed with ZSK for algorithm 7
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == 7 { print }'
+zskid=`awk "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
+grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == 7 { print }'
+kskid=`awk "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
+grep "DNSKEY 7 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+
+#
+# check that DNSKEY is signed with KSK for algorithm 8
+#
+awk='$4 == "DNSKEY" && $5 == 256 && $7 == 8 { print }'
+zskid=`awk "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' `
+grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
+awk='$4 == "DNSKEY" && $5 == 257 && $7 == 8 { print }'
+kskid=`awk "${awk}" dig.out.ns3.test$n |
+ $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' `
+grep "DNSKEY 8 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
projects / thirdparty / bind9.git / commitdiff
