4553. [bug] Named could deadlock there were multiple changes to

                        NSEC/NSEC3 parameters for a zone being processed at
                        the same time. [RT #42770]

(cherry picked from commit d2e1b47d4fc7f2e12ea91cc59dc5f951a9df5fbc)

diff --git a/CHANGES b/CHANGES
index 484a116d3902e7e0088019b3c86f9bf151aa1dc5..7186d4ea707f3a1f7cfeca1e4a939e96f71bd0a4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4553.  [bug]           Named could deadlock there were multiple changes to
+                       NSEC/NSEC3 parameters for a zone being processed at
+                       the same time. [RT #42770]
+
 4552.  [bug]           Named could trigger a assertion when sending notify
                        messages. [RT #44019]
 

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index a781e1de2df0cd6fc9424ea42a6e5fcbb264132d..51dd3966b186af88fb4fd8a4a1ded395d1ea77bf 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -140,6 +140,13 @@
 
   <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
     <itemizedlist>
+      <listitem>
+       <para>
+         Named could deadlock there were multiple changes to
+         NSEC/NSEC3 parameters for a zone being processed at the
+         same time. [RT #42770]
+       </para>
+      </listitem>
       <listitem>
        <para>
          Named could trigger a assertion when sending notify

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 5323b23be4f7e6a9215527e4629d64ee8e271a30..edb605f6819d52ad8006ec481a601edc8d980a08 100644 (file)
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -9266,6 +9266,9 @@ dbiterator_first(dns_dbiterator_t *iterator) {
 
        rbtdbiter->result = result;
 
+       if (result != ISC_R_SUCCESS)
+               ENSURE(!rbtdbiter->paused);
+
        return (result);
 }
 

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b6b727cc5b264576a4e6d3e3861eef595908e85c..a1f637f6e19852407ee7a59c1ac484956794aba1 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -7475,6 +7475,9 @@ zone_nsec3chain(dns_zone_t *zone) {
                        nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
        }
 
+       if (nsec3chain != NULL)
+               goto skip_removals;
+
        /*
         * Process removals.
         */
@@ -7682,6 +7685,7 @@ zone_nsec3chain(dns_zone_t *zone) {
                first = ISC_TRUE;
        }
 
+ skip_removals:
        /*
         * We may need to update the NSEC/NSEC3 records for the zone apex.
         */
@@ -7744,9 +7748,6 @@ zone_nsec3chain(dns_zone_t *zone) {
                }
        }
 
-       if (nsec3chain != NULL)
-               dns_dbiterator_pause(nsec3chain->dbiterator);
-
        /*
         * Add / update signatures for the NSEC3 records.
         */
@@ -8460,6 +8461,14 @@ zone_sign(dns_zone_t *zone) {
        }
 
  failure:
+       /*
+        * Pause all dbiterators.
+        */
+       for (signing = ISC_LIST_HEAD(zone->signing);
+            signing != NULL;
+            signing = ISC_LIST_NEXT(signing, link))
+               dns_dbiterator_pause(signing->dbiterator);
+
        /*
         * Rollback the cleanup list.
         */
@@ -8472,11 +8481,6 @@ zone_sign(dns_zone_t *zone) {
                signing = ISC_LIST_HEAD(cleanup);
        }
 
-       for (signing = ISC_LIST_HEAD(zone->signing);
-            signing != NULL;
-            signing = ISC_LIST_NEXT(signing, link))
-               dns_dbiterator_pause(signing->dbiterator);
-
        dns_diff_clear(&_sig_diff);
 
        for (i = 0; i < nkeys; i++)