+4838. [bug] zone.c:add_sigs was not properly determining
+ if there were active KSK and ZSK keys for
+ a algorithm when update-check-ksk is true
+ (default) leaving records unsigned with one or
+ more DNSKEY algorithms. [RT #46754]
+
4837. [bug] dns_update_signatures{inc} (add_sigs) was not
properly determining if there were active KSK and
ZSK keys for a algorithm when update-check-ksk is
- true (default) leaving records unsigned. [RT #46743]
+ true (default) leaving records unsigned when there
+ were multiple DNSKEY algorithms for the zone.
+ [RT #46743]
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
rm -f */named.run
rm -f activate-now-publish-1day.key
rm -f active.key inact.key del.key unpub.key standby.key rev.key
-rm -f sync.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.*
rm -f digcomp.out.test*
+rm -f digcomp.out.test*
rm -f missingzsk.key inactivezsk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/named.lock
+rm -f ns*/named.lock
rm -f ns1/root.db
rm -f ns2/example.db
rm -f ns2/private.secure.example.db ns2/bar.db
+rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
-rm -f ns3/sync.example.db
+rm -f ns3/inaczsk2.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/nsec.example.db
rm -f ns3/secure.example.db
rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db
+rm -f ns3/sync.example.db
rm -f ns3/ttl*.db
rm -f nsupdate.out
-rm -f signing.out.*
rm -f settime.out.*
-rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
-rm -f digcomp.out.test*
-rm -f ns*/named.lock
+rm -f signing.out.*
+rm -f sync.key
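Review bot: The re-added lines at L23 (`rm -f digcomp.out.test*`) and L27 (`rm -f ns*/named.lock`) each duplicate the unchanged line immediately above them (L22 and L26), so the re-sort keeps two copies of each removal instead of collapsing them. Likewise the added L31 `rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf` already covers the unchanged L32 `rm -f ns3/*.nzf`. Since the lines removed at L47–L49 were the other copies, this looks like the intent was deduplication; dropping L23, L27 and L32 would finish it without changing what gets cleaned. The script's header is outside this hunk.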
--- /dev/null
+; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
$KEYGEN -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
echo ns3/$ksk > ../sync.key
+
+#
+# A zone that has a published inactive key that is autosigned.
+#
+setup inaczsk2.example
+cp $infile $zonefile
+ksk=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -b 1024 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
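Review bot: The comment at L79, "A zone that has a published inactive key that is autosigned", understates what L84 sets up: the ZSK is generated with `-P now -A now+3600`, so it is published immediately but its activation is deferred by an hour, and only the KSK from L83 is currently usable for signing. Suggest `# A zone with a ZSK that is published but not yet active (-P now -A now+3600); presumably the KSK alone must keep the zone signed under auto-dnssec maintain.` so the next reader knows why two keys with the same algorithm are created here. The `setup` and `dumpit` helpers this hunk relies on are defined outside it.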
auto-dnssec maintain;
};
+zone "inaczsk2.example" {
+ type master;
+ file "inaczsk2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
include "trusted.conf";
$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
done
- for z in bar. example.
+ for z in bar. example. inaczsk2.example.
do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check that zone with inactive zsk is properly autosigned ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.out
+grep "SOA 7 2" dig.out.ns3.out > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
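Review bot: The `$DIG ... axfr` at L108 drops the `|| ret=1` that the neighbouring checks at L96 and L102 attach to their dig calls, and writes to `dig.out.ns3.out` rather than the `dig.out.ns3.test$n` name the rest of this file uses. A failed transfer is still caught indirectly because the grep at L109 fails on empty output, but it is reported the same way as a missing RRSIG, and the odd file name makes the failure harder to attribute afterwards. Suggest `$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n || ret=1` and `grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1`, keeping the `n` increment at L110 before these lines if `$n` is used in the file name. The pattern `"SOA 7 2"` is presumably meant to match the RRSIG over the SOA (algorithm 7, two labels); a short comment saying so would help, e.g. `# expect an RRSIG SOA with algorithm 7 even though the ZSK is not yet active`.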
if (!dst_key_isprivate(keys[i]))
continue;
+ if (dst_key_inactive(keys[i])) /* Should be redundant. */
+ continue;
if (check_ksk && !REVOKE(keys[i])) {
isc_boolean_t have_ksk, have_nonksk;
for (j = 0; j < nkeys; j++) {
if (j == i || ALG(keys[i]) != ALG(keys[j]))
continue;
+ if (!dst_key_isprivate(keys[j]))
+ continue;
+ if (dst_key_inactive(keys[j])) /* SBR */
+ continue;
if (REVOKE(keys[j]))
continue;
if (KSK(keys[j]))
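Review bot: The comment `/* SBR */` on the added L127 is an abbreviation that a later reader will not decode, while the same check on L118 spells out "Should be redundant."; the two should match, e.g. `if (dst_key_inactive(keys[j])) /* Should be redundant. */`. Beyond wording, the L125–L128 filter on keys[j] is the substantive part of the fix: have_ksk/have_nonksk are now counted only over private, active, non-revoked keys of the same algorithm, which is what keeps a published-but-inactive ZSK from suppressing the KSK's signatures (the RT #46754 case described in CHANGES), and a one-line comment above L122 saying that the inner loop must apply the same eligibility tests as the outer one would make that invariant explicit. If the "should be redundant" claim rests on the caller filtering inactive keys, stating where that happens would let the next maintainer verify it. The enclosing for loop over keys[i] starts and ends outside this hunk.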