+3133. [bug] Change #3114 was incomplete. [RT #24577]
+
3132. [tuning] Expanded zone task table from 8 to 17 buckets,
added ZONE_TASKS define in zone.c to make it easier
to hand-tune this value. [RT #24406]
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.7.16.2 2011/03/26 23:47:13 tbox Exp $
+# $Id: clean.sh,v 1.7.16.3 2011/07/08 01:45:58 each Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f nopriv.key vanishing.key del1.key del2.key
-rm -f delayksk.key delayzsk.key
+rm -f delayksk.key delayzsk.key missingzsk.key inactivezsk.key
rm -f nsupdate.out
rm -f */core
rm -f */example.bk
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
rm -f ns3/secure-to-insecure.example.db
+rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/prepub.example.db
rm -f ns3/prepub.example.db.in
rm -f ns3/secure-to-insecure2.example.db
--- /dev/null
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: inaczsk.example.db.in,v 1.2.2.2 2011/07/08 01:45:58 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.8.18.2 2011/03/26 23:47:13 tbox Exp $
+# $Id: keygen.sh,v 1.8.18.3 2011/07/08 01:45:58 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
echo $ksk > ../delayksk.key
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
echo $zsk > ../delayzsk.key
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is missing.
+#
+zone=nozsk.example
+zonefile="${zone}.db"
+$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
+echo $zsk > ../missingzsk.key
+rm -f ${zsk}.private
+
+#
+# A zone with signatures that are already expired, and the private ZSK
+# is inactive.
+#
+zone=inaczsk.example
+zonefile="${zone}.db"
+$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
+echo $zsk > ../inactivezsk.key
+$SETTIME -I now $zsk > /dev/null
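Review bot: Both new `$SIGNER` invocations (the nozsk.example and inaczsk.example blocks) send stdout and stderr to `/dev/null` and ignore the exit status, so a signing failure leaves no `${zonefile}` behind and the symptom only surfaces later in tests.sh as a journal or dig mismatch with no hint of the cause. Dropping the `2>&1` on those two lines, or appending `|| echo "signing $zone failed"`, would make a setup failure visible at its origin. Discarding the `$KEYGEN -fk` output is fine here since the KSK name is not used afterwards.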
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.7.18.2 2011/03/26 23:47:13 tbox Exp $ */
+/* $Id: named.conf,v 1.7.18.3 2011/07/08 01:45:58 each Exp $ */
// NS3
allow-update { any; };
auto-dnssec maintain;
};
+
+zone "nozsk.example" {
+ type master;
+ file "nozsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "inaczsk.example" {
+ type master;
+ file "inaczsk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
include "trusted.conf";
--- /dev/null
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nozsk.example.db.in,v 1.2.2.2 2011/07/08 01:45:58 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.12.18.13 2011/05/30 22:31:28 marka Exp $
+# $Id: tests.sh,v 1.12.18.14 2011/07/08 01:45:58 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:waiting for change to take effect"
sleep 3
+echo "I:checking that expired RRSIGs from missing key are not deleted ($n)"
+ret=0
+missing=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < missingzsk.key`
+$JOURNALPRINT ns3/nozsk.example.db.jnl | \
+ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that expired RRSIGs from inactive key are not deleted ($n)"
+ret=0
+inactive=`sed 's/^K.*+007+0*\([0-9]\)/\1/' < inactivezsk.key`
+$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
+ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that non-replaceable RRSIGs are logged only once ($n)"
+ret=0
+loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
+[ "$loglines" -eq 1 ] || ret=1
+loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
+[ "$loglines" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# This test is above the rndc freeze/thaw calls because the apex node
+# will be resigned on thaw, increasing the serial number again.
+echo "I:checking serial is not incremented when signatures are unchanged ($n)"
+ret=0
+newserial=`$DIG $DIGOPTS +short soa nozsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
+[ "$newserial" -eq 2 ] || ret=1
+newserial=`$DIG $DIGOPTS +short soa inaczsk.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
+[ "$newserial" -eq 2 ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
# Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically
# signed zones to be dumped to their zone files
echo "I:dumping zone files"
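Review bot: The inaczsk.example log check on L173 greps for `$missing`, but the key tag extracted for that zone is `$inactive` (L163), so the second `-eq 1` comparison looks for the wrong tag and only passes if the two tags happen to coincide; it should read `grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures"`. The four new checks also never advance `n`, so they all print the same number in `($n)` while every neighbouring test ends with an `expr $n + 1` increment of `n`; add that increment after each `status=` update to keep the numbering consistent.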
echo "I:checking that revoked key is present ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < rev.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
id=`expr $id + 128 % 65536`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
echo "I:checking that revoked key self-signs ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < rev.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
id=`expr $id + 128 % 65536`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
echo "I:checking for unpublished key ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < unpub.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < unpub.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
echo "I:checking that standby key does not sign records ($n)"
ret=0
-ed=`sed 's/^K.+007+0*//' < standby.key`
+ed=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
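Review bot: L216 assigns the extracted key tag to `ed` rather than `id`, so the grep on L218 tests the `$id` left over from the unpublished-key check on L209 instead of the standby key; the commit rewrote the sed expression on that line but carried the typo along. The variable name on L216 should be `id`, matching every other block in this file.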
echo "I:checking that deactivated key does not sign records ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < inact.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < inact.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
echo "I:checking insertion of public-only key ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < nopriv.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < nopriv.key`
file="ns1/`cat nopriv.key`.key"
keydata=`grep DNSKEY $file`
$NSUPDATE > /dev/null 2>&1 <<END || status=1
echo "I:checking key deletion ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < del.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < del.key`
$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
END
sleep 2
$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
+egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
sleep 2
$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
+egrep 'RRSIG' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
echo "I:preparing ZSK roll"
starttime=`$PERL -e 'print time(), "\n";'`
oldfile=`cat active.key`
-oldid=`sed 's/^K.+007+0*//' < active.key`
+oldid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < active.key`
newfile=`cat standby.key`
-newid=`sed 's/^K.+007+0*//' < standby.key`
+newid=`sed 's/^K.+007+0*\([0-9]\)/\1/' < standby.key`
$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > /dev/null
$SETTIME -K ns1 -i 0 -S $oldfile $newfile > /dev/null
echo "I:checking private key file removal caused no immediate harm ($n)"
ret=0
-id=`sed 's/^K.+007+0*//' < vanishing.key`
+id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < vanishing.key`
$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.5.250.2 2011/03/21 23:46:58 tbox Exp $
+# $Id: tests.sh,v 1.5.250.3 2011/07/08 01:45:58 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo "I:setting key timers"
$SETTIME -A now+15s `cat rolling.key` > /dev/null
-inact=`sed 's/^K'${czone}'.+005+0*//' < inact.key`
-ksk=`sed 's/^K'${czone}'.+005+0*//' < ksk.key`
-pending=`sed 's/^K'${czone}'.+005+0*//' < pending.key`
-postrev=`sed 's/^K'${czone}'.+005+0*//' < postrev.key`
-prerev=`sed 's/^K'${czone}'.+005+0*//' < prerev.key`
-rolling=`sed 's/^K'${czone}'.+005+0*//' < rolling.key`
-standby=`sed 's/^K'${czone}'.+005+0*//' < standby.key`
-zsk=`sed 's/^K'${czone}'.+005+0*//' < zsk.key`
+inact=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < inact.key`
+ksk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < ksk.key`
+pending=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < pending.key`
+postrev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < postrev.key`
+prerev=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < prerev.key`
+rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
+standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
+zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
../../../tools/genrandom 400 $RANDFILE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.6.70.2 2011/05/06 23:47:04 tbox Exp $
+# $Id: tests.sh,v 1.6.70.3 2011/07/08 01:45:58 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
echo I:signing parent zone
pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
-czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
-czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
-czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
-czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
-czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*//'`
-czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*//'`
-ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
-ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
-ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
+czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czpublished=`echo $czsk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czinactive=`echo $czsk4 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czpredecessor=`echo $czsk5 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+czsuccessor=`echo $czsk6 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+ckactive=`echo $cksk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)$/\1/'`
-pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
-pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
+pzid=`echo $pzsk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
+pkid=`echo $pksk | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
echo "I:checking dnssec-signzone output matches expectations"
ret=0
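Review bot: `ckrevoked` on L325 keeps the old capture form `0*\([0-9]*\)$`, in which the greedy `0*` swallows every digit of an all-zero tag and the capture comes back empty — the same defect the commit corrects for the surrounding variables — so it should get the same treatment, `sed 's/.*+005+0*\([0-9]\)/\1/'`, like its neighbours on L316-329. That line is context in this hunk, so the commit currently leaves the inconsistency in place.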
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.582.8.21 2011/07/06 19:02:40 each Exp $ */
+/* $Id: zone.c,v 1.582.8.22 2011/07/08 01:45:58 each Exp $ */
/*! \file */
delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
unsigned int i = 0;
+ /*
+ * It's okay to delete a signature if there is an active ZSK
+ * with the same algorithm
+ */
+ for (i = 0; i < nkeys; i++) {
+ if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) &&
+ (dst_key_isprivate(keys[i])) && !KSK(keys[i]))
+ return (ISC_TRUE);
+ }
+
+ /*
+ * Failing that, it is *not* okay to delete a signature
+ * if the associated public key is still in the DNSKEY RRset
+ */
for (i = 0; i < nkeys; i++) {
if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
- (rrsig_ptr->keyid != dst_key_id(keys[i]))) {
- if ((dst_key_isprivate(keys[i])) && !KSK(keys[i])) {
- /*
- * Success - found a private key, which
- * means it is an active key and thus, it
- * is OK to delete the RRSIG
- */
- return (ISC_TRUE);
- }
- }
+ (rrsig_ptr->keyid == dst_key_id(keys[i])))
+ return (ISC_FALSE);
}
- return (ISC_FALSE);
+ /*
+ * But if the key is gone, then go ahead.
+ */
+ return (ISC_TRUE);
}
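Review bot: delsig_ok has no header comment, and its decision is now a three-step policy whose first step differs from the removed code: the loop on L343-347 no longer excludes the signature's own key (the removed `keyid != dst_key_id` test on L355), so an expired RRSIG produced by a still-active private ZSK is deletable on the strength of that same key. Add a comment above the function stating the rule, e.g. `/* An RRSIG may be deleted if an active (private, non-KSK) key of the same algorithm exists, or if its own public key is no longer in the key set; it is retained only when the signing key is still published but no active key of that algorithm is available. */`. The `= 0` initializer on L338 is redundant since both loops reset `i`.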
/*
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i;
dns_rdata_rrsig_t rrsig;
- isc_boolean_t found;
+ isc_boolean_t found, changed;
isc_stdtime_t warn = 0, maybe = 0;
dns_rdataset_init(&rdataset);
goto failure;
}
+ changed = ISC_FALSE;
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (type != dns_rdatatype_dnskey) {
- if(delsig_ok(&rrsig, keys, nkeys)) {
+ if (delsig_ok(&rrsig, keys, nkeys)) {
result = update_one_rr(db, ver, diff,
DNS_DIFFOP_DELRESIGN, name,
rdataset.ttl, &rdata);
if (incremental)
- dns_db_resigned(db, &rdataset, ver);
+ changed = ISC_TRUE;
dns_rdata_reset(&rdata);
if (result != ISC_R_SUCCESS)
break;
- continue;
} else {
/*
* At this point, we've got an RRSIG,
* which is signed by an inactive key.
* An administrator needs to provide a new
* key/alg, but until that time, we want to
- * keep the old RRSIG. Resetting the timer
- * here will ensure that we don't
- * constantly recheck this expired record.
- *
- * Note: dns_db_setsigningtime() will
- * assert if called after dns_db_resigned().
+ * keep the old RRSIG. Marking the key as
+ * offline will prevent us spinning waiting
+ * for the private part.
*/
if (incremental) {
- isc_stdtime_t recheck = now +
- RESIGN_DELAY;
- dns_db_setsigningtime(db, &rdataset,
- recheck);
+ result = offline(db, ver, diff, name,
+ rdataset.ttl, &rdata);
+ changed = ISC_TRUE;
+ if (result != ISC_R_SUCCESS)
+ break;
}
/*
- * log the key id and algorithm of
+ * Log the key id and algorithm of
* the inactive key with no replacement
*/
- if((isc_log_getdebuglevel(dns_lctx) > 3) ||
- (zone->log_key_expired_timer <= now)) {
+ if (zone->log_key_expired_timer <= now) {
+ char origin[DNS_NAME_FORMATSIZE];
+ char algbuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(&zone->origin, origin,
+ sizeof(origin));
+ dns_secalg_format(rrsig.algorithm,
+ algbuf,
+ sizeof(algbuf));
dns_zone_log(zone, ISC_LOG_WARNING,
- "del_sigs(): "
- "keyid: %u/algorithm: %u "
- "is not active and there "
- "is no replacement. "
- "Not deleting.",
- rrsig.keyid,
- rrsig.algorithm);
+ "Key %s/%s/%d "
+ "missing or inactive "
+ "and has no replacement: "
+ "retaining signatures.",
+ origin, algbuf,
+ rrsig.keyid);
zone->log_key_expired_timer = now +
3600;
}
}
+ continue;
}
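Review bot: In the new inactive-key branch `changed = ISC_TRUE` (L425) is set before the `result` returned by `offline()` is examined, and the same ordering is used after `update_one_rr` on L397, so a failed update still leads to `dns_db_resigned()` being called where `changed` is consumed after the loop; if that is deliberate a one-line comment saying so would help, otherwise move the assignment below the `if (result != ISC_R_SUCCESS) break;` check in both places. Separately, `algbuf` on L438 is sized with `DNS_NAME_FORMATSIZE` although `dns_secalg_format()` has its own `DNS_SECALG_FORMATSIZE` constant, which is the intended size here. The enclosing loop and del_sigs itself extend beyond this hunk.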
/*
break;
}
}
+
/*
* If there is not a matching DNSKEY then
* delete the RRSIG.
if (result != ISC_R_SUCCESS)
break;
}
+
+ if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0)
+ dns_db_resigned(db, &rdataset, ver);
+
dns_rdataset_disassociate(&rdataset);
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
goto failure;
}
+ /*
+ * Did we change anything in the zone?
+ */
+ if (ISC_LIST_EMPTY(sig_diff.tuples))
+ goto failure;
+
+ /* Increment SOA serial if we have made changes */
result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
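Review bot: The early exit on L487-488 uses `goto failure` for the nothing-changed case, which reads as an error path even though `result` presumably still holds ISC_R_SUCCESS from the check just above it; a comment such as `/* Nothing to do: result is ISC_R_SUCCESS here, failure is only the shared cleanup path */` — or a separately named cleanup label — would make the intent clear to the next reader. The enclosing function starts and ends outside the hunk.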