+3203. [bug] Increase log level to 'info' for validation failures
+ from expired or not-yet-valid RRSIGs. [RT #21796]
+
3202. [bug] NOEDNS caching on timeout was too agressive.
[RT #26416]
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.30 2011/03/05 06:35:41 marka Exp $
+; $Id: example.db.in,v 1.31 2011/11/04 05:36:28 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
mustbesecure NS ns.mustbesecure
ns.mustbesecure A 10.53.0.3
+; A subdomain with expired signatures
+expired NS ns.expired
+ns.expired A 10.53.0.3
+
; A rfc2535 signed zone w/ CNAME
rfc2535 NS ns.rfc2535
ns.rfc2535 A 10.53.0.3
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.49 2011/03/21 20:31:22 marka Exp $
+# $Id: sign.sh,v 1.50 2011/11/04 05:36:28 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
- split-smart
+ split-smart expired
do
cp ../ns3/dsset-$subdomain.example. .
done
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.42 2011/05/23 20:10:02 each Exp $
+# $Id: sign.sh,v 1.43 2011/11/04 05:36:28 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
kskname=`$KEYGEN -q -r $RANDFILE -fk $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone`
cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone -s -3h -e +1h $zonefile > /dev/null 2>&1
+$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
rm -f $kskname.* $zskname.*
#
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.101 2011/10/28 06:20:05 each Exp $
+# $Id: tests.sh,v 1.102 2011/11/04 05:36:28 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
-$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns2.test$n || ret=1
-grep "RRSIG.SOA" dig.out.ns2.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+grep "RRSIG.SOA" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+
+status=`expr $status + $ret`
+echo "I:checking expired signatures do not validate ($n)"
+ret=0
+$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "expired.example .*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.207 2011/10/20 23:46:51 tbox Exp $ */
+/* $Id: validator.c,v 1.208 2011/11/04 05:36:28 each Exp $ */
#include <config.h>
again:
result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
key, ignore, val->view->mctx, rdata, wild);
- if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
+ if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
+ val->view->acceptexpired)
+ {
ignore = ISC_TRUE;
goto again;
}
"accepted expired %sRRSIG (keyid=%u)",
(result == DNS_R_FROMWILDCARD) ?
"wildcard " : "", keyid);
+ else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
+ validator_log(val, ISC_LOG_INFO,
+ "verify failed due to bad signature (keyid=%u): "
+ "%s", keyid, isc_result_totext(result));
else
validator_log(val, ISC_LOG_DEBUG(3),
"verify rdataset (keyid=%u): %s",
projects / thirdparty / bind9.git / commitdiff
