+3041. [bug] dnssec-signzone failed to generate new signatures on
+ ttl changes. [RT #23330]
+
3040. [bug] Named failed to validate insecure zones where a node
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.177.18.29 2009/07/21 06:44:32 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.177.18.30 2011/02/24 04:06:38 marka Exp $ */
/*! \file */
if (!expired)
keep = ISC_TRUE;
} else if (issigningkey(key)) {
- if (!expired && setverifies(name, set, key, &sigrdata))
- {
+ if (!expired && rrsig.originalttl == set->ttl &&
+ setverifies(name, set, key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
vbprintf(2, "\trrsig by %s dropped - %s\n",
- sigstr,
- expired ? "expired" :
- "failed to verify");
+ sigstr, expired ? "expired" :
+ rrsig.originalttl != set->ttl ?
+ "ttl change" : "failed to verify");
wassignedby[key->position] = ISC_TRUE;
resign = ISC_TRUE;
}
} else if (iszonekey(key)) {
- if (!expired && setverifies(name, set, key, &sigrdata))
- {
+ if (!expired && rrsig.originalttl == set->ttl &&
+ setverifies(name, set, key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
vbprintf(2, "\trrsig by %s dropped - %s\n",
- sigstr,
- expired ? "expired" :
- "failed to verify");
+ sigstr, expired ? "expired" :
+ rrsig.originalttl != set->ttl ?
+ "ttl change" : "failed to verify");
wassignedby[key->position] = ISC_TRUE;
}
} else if (!expired) {
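Review bot: The new TTL comparison and the three-way drop reason are duplicated verbatim in the issigningkey arm (L17-L30) and the iszonekey arm (L37-L50); computing them once above the branch — `isc_boolean_t ttl_changed = ISC_TF(rrsig.originalttl != set->ttl);` and `const char *why = expired ? "expired" : ttl_changed ? "ttl change" : "failed to verify";` — would keep the two arms from drifting the next time the retention rule changes and would replace the nested ternary inside the vbprintf argument list. Testing the TTL before setverifies() is the right order since it skips a signature verification that cannot keep the RRSIG anyway. A short why-comment on the new condition would help the next reader, because the signature itself still verifies after a TTL change (validators reconstruct the RRset with the RRSIG's Original TTL, RFC 4035 §5.3.2); the check exists so the published Original TTL stays consistent with the zone's TTL, e.g. `/* re-sign when the RRset TTL no longer matches the RRSIG's original TTL */`. The enclosing function starts and ends outside the hunk.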
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.15.18.2 2005/06/24 00:08:12 marka Exp $
+# $Id: clean.sh,v 1.15.18.3 2011/02/24 04:06:39 marka Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp*
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f dig.out.*
rm -f random.data
rm -f ns2/dlv.db
+rm -f signer/example.db.after signer/example.db.before
+rm -f signer/example.db.changed
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.154.2 2011/02/24 04:06:39 marka Exp $
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+; out-of-zone. 60 IN A 1.2.3.4
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.44.18.10 2011/02/23 13:15:38 marka Exp $
+# $Id: tests.sh,v 1.44.18.11 2011/02/24 04:06:39 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
+ret=0
+(
+cd signer
+RANDFILE=../random.data
+zone=example
+key1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
+cat example.db.in $key1.key $key2.key > example.db
+$SIGNER -o example -f example.db.before example.db > /dev/null 2>&1
+sed 's/60.IN.SOA./50 IN SOA /' example.db.before > example.db.changed
+$SIGNER -o example -f example.db.after example.db.changed > /dev/null 2>&1
+)
+grep "SOA 5 1 50" signer/example.db.after > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
#
# private.secure.example is served by the same server as its
# grand parent and there is not a secure delegation from secure.example
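Review bot: The test label at the top of the hunk misspells the tool (`dnsssec-signzone`, three s); the line should read `echo "I:checking that dnssec-signzone updates originalttl on ttl changes ($n)"` so the I: marker matches the other checks. Both `$SIGNER` invocations discard stdout and stderr and run inside a subshell whose exit status is never examined, so a signer failure or a missing key file only surfaces as the later grep not matching, with no diagnostic; appending `|| exit 1` to each `$SIGNER` line and changing the closing `)` to `) || ret=1` keeps the failure in the status. The `grep "SOA 5 1 50"` pattern encodes the RSASHA1 algorithm number and the label count alongside the expected Original TTL, which holds while the keys are generated with `-a RSASHA1` but will silently stop matching if the algorithm is changed; a comment such as `# RRSIG SOA <alg> <labels> <original ttl>: expect the rewritten TTL 50` above the grep would make that dependency explicit.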