+5607. [bug] Rekey after 'rndc dnssec -checkds' or 'rndc dnssec
+ -rollover' command is received, because such a command
+ may influence the next key event. [GL #2488]
+
5606. [bug] CDS/CDNSKEY DELETE records were not removed when a zone
transitioned from secure to insecure. "named-checkzone"
should not complain if such records exist in an
switch (result) {
case ISC_R_SUCCESS:
+ /*
+ * Rekey after checkds command because the next key
+ * event may have changed.
+ */
+ dns_zone_rekey(zone, false);
+
if (use_keyid) {
char tagbuf[6];
snprintf(tagbuf, sizeof(tagbuf), "%u", keyid);
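Review bot: the new comment above `dns_zone_rekey(zone, false)` says why the rekey is requested but not what the second argument selects, so a reader has to look up the dns_zone_rekey signature to know what `false` means here; consider extending the comment to name what the boolean controls (for example, that a full re-sign is not requested) so the intent of the literal is clear at the call site.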
switch (result) {
case ISC_R_SUCCESS:
+ /*
+ * Rekey after rollover command because the next key
+ * event may have changed.
+ */
+ dns_zone_rekey(zone, false);
+
if (use_keyid) {
char tagbuf[6];
snprintf(tagbuf, sizeof(tagbuf), "%u", keyid);
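Review bot: this block is a verbatim copy of the rekey call and comment added in the checkds handler above, differing only in the word "rollover"; if the two rndc handlers already share a common post-success path, consider moving the single `dns_zone_rekey(zone, false);` there so the rekey behaviour (and the boolean argument) is maintained in one place.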
status=$((status+ret))
}
-#
-# Utility to call after 'rndc dnssec -checkds|-rollover'.
-#
-_loadkeys_on() {
- _server=$1
- _dir=$2
- _zone=$3
-
- nextpart $_dir/named.run > /dev/null
- _rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
-
- if [ "${DYNAMIC}" = "yes" ]; then
- wait_for_log 20 "zone ${_zone}/IN: next key event" $_dir/named.run || return 1
- else
- # inline-signing zone adds "(signed)"
- wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
- fi
-}
-
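Review bot: deleting `_loadkeys_on` also deletes the only `wait_for_log 20 "zone ${_zone}/IN: next key event"` (and its "(signed)" inline-signing variant) visible in this diff; the rekey is now triggered by named itself rather than by an explicit `rndc loadkeys`, but nothing in the remaining test code waits for that "next key event" line before the test proceeds, so checks that previously relied on this synchronisation may race against named. Confirm the callers still wait on an equivalent log line, or keep a wait-only helper in place of the removed one.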
# Tell named that the DS for the key in given zone has been seen in the
# parent (this does not actually has to be true, we just issue the command
# to make named believe it can continue with the rollover).
_rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed"
- if [ "$ret" -eq 0 ]; then
- _loadkeys_on $_server $_dir $_zone || _log_error "loadkeys zone ${_zone} failed ($n)"
- fi
-
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
}
_rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
- _loadkeys_on $_server $_dir $_zone || _log_error "loadkeys zone ${_zone} failed ($n)"
-
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
}
Bug Fixes
~~~~~~~~~
+- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``,
+ ``named`` now updates the keys immediately, avoiding unnecessary rollover
+ delays. [#2488]
+
- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
This has been fixed. [GL #2523]
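Review bot: the first added line has a typo: ``rndc checkds -checkds`` should read ``rndc dnssec -checkds``, matching the CHANGES entry at the top of this patch and the command actually issued in the tests (`_rndccmd $_server dnssec -checkds ...`). The issue reference ``[#2488]`` also differs from the ``[GL #2523]`` form used by the neighbouring entry; use ``[GL #2488]`` for consistency.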