Log a message when a mirror zone becomes unusable

Log a message if a mirror zone becomes unusable for the resolver (most
usually due to the zone's expiration timer firing).  Ensure that
verification failures do not cause a mirror zone to be unloaded
(instead, its last successfully verified version should be served if it
is available).

diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh
index 970cb6a7d96c7dfa8adce2ac089efe891a1d5db1..ce35f67dc0ff5e13c15f0620578a264832c5f51a 100644 (file)
--- a/bin/tests/system/mirror/tests.sh
+++ b/bin/tests/system/mirror/tests.sh
@@ -142,7 +142,10 @@ fi
 # Ensure the new, bad version of the zone was not accepted.
 $DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret=1
 grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
-nextpart ns3/named.run | grep "No correct RSASHA256 signature for verify-ixfr SOA" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "No correct RSASHA256 signature for verify-ixfr SOA" > /dev/null || ret=1
+# Despite the verification failure for this IXFR, this mirror zone should still
+# be in use as its previous version should have been verified successfully.
+nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is no longer in use" > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
@@ -165,7 +168,7 @@ $DIG $DIGOPTS @10.53.0.3 +norec verify-ixfr SOA > dig.out.ns3.test$n 2>&1 || ret
 grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
 # The log message announcing the mirror zone coming into effect should not have
 # been logged this time since the mirror zone in question is expected to
-# already be in effect before this test case is checked.
+# already be in use before this test case is checked.
 nextpartpeek ns3/named.run | grep "verify-ixfr.*mirror zone is now in use" > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -380,7 +383,9 @@ nextpart ns3/named.run > /dev/null
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mirror ns3
 # Ensure named attempts to retransfer the zone due to its expiry.
 wait_for_transfer initially-unavailable
-nextpart ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1
+# Ensure the expected messages were logged.
+nextpartpeek ns3/named.run | grep "initially-unavailable.*expired" > /dev/null || ret=1
+nextpartpeek ns3/named.run | grep "initially-unavailable.*mirror zone is no longer in use" > /dev/null || ret=1
 # Query for a record in the expired zone.  Resolution should still succeed.
 $DIG $DIGOPTS @10.53.0.3 foo.initially-unavailable. A > dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 77497fd91954c5b6118352b3209c58c531424a72..954245c999633397f224ebab1cf3c17d925710ea 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -10845,6 +10845,12 @@ zone_unload(dns_zone_t *zone) {
        ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
        DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
        DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+
+       if (zone->type == dns_zone_mirror) {
+               dns_zone_log(zone, ISC_LOG_INFO,
+                            "mirror zone is no longer in use; "
+                            "reverting to normal recursion");
+       }
 }
 
 void