+3277. [bug] Make sure automatic key maintenance is started
+ when "auto-dnssec maintain" is turned on during
+ "rndc reconfig". [RT #26805]
+
3276. [bug] win32: isc_socket_dup is not implemented. [RT #27696]
3276. [bug] win32: ns_os_openfile failed to return NULL on
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.638.4.1 2012/01/31 01:11:54 each Exp $ */
+/* $Id: server.c,v 1.638.4.2 2012/02/06 21:33:07 each Exp $ */
/*! \file */
*/
CHECK(dns_view_addzone(view, zone));
+ /*
+ * Ensure that zone keys are reloaded on reconfig
+ */
+ if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
+ dns_zone_rekey(zone, ISC_FALSE);
+
cleanup:
if (zone != NULL)
dns_zone_detach(&zone);
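Review bot: The comment on the added block says keys are reloaded "on reconfig", but the condition tests only `DNS_ZONEKEY_MAINTAIN`. As written, `dns_zone_rekey()` is requested for every maintained zone each time this path runs, not only for zones whose auto-dnssec setting just changed. If that is intended, the comment should say so, for example `/* Request a rekey for every "auto-dnssec maintain" zone whenever it is (re)configured, so maintenance starts even if the option was only just enabled. */`. The enclosing function starts and ends outside this hunk, so whether this path also runs at initial load cannot be confirmed from here.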
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.13 2011/10/30 23:05:13 each Exp $
+# $Id: clean.sh,v 1.13.94.1 2012/02/06 21:33:08 each Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/ttl*.db
rm -f signing.out.*
+rm -f ns3/*.nzf
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: keygen.sh,v 1.13 2011/07/08 01:43:26 each Exp $
+# $Id: keygen.sh,v 1.13.160.1 2012/02/06 21:33:08 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1
echo $zsk > ../inactivezsk.key
$SETTIME -I now $zsk > /dev/null
+
+#
+# A zone that is set to 'auto-dnssec maintain' during a recofnig
+#
+zone=reconf.example
+zonefile="${zone}.db"
+cp secure.example.db.in $zonefile
+$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
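Review bot: The comment heading the new reconf.example block misspells "reconfig" as "recofnig"; it should read `# A zone that is set to 'auto-dnssec maintain' during a reconfig`. The `cp` and both `$KEYGEN` calls also discard their output without checking the exit status. A failed key generation would therefore surface only later, as the polling loop in tests.sh timing out. This matches the style of the surrounding script, but appending something like `|| echo "I:keygen failed for $zone"` to each `$KEYGEN` line would make the cause visible.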
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.13 2011/07/08 01:43:26 each Exp $ */
+/* $Id: named.conf,v 1.13.160.1 2012/02/06 21:33:08 each Exp $ */
// NS3
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
+ session-keyfile "session.key";
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-loadkeys-interval 10;
+ allow-new-zones yes;
};
key rndc_key {
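Review bot: `allow-new-zones yes;` is added without a comment, yet it widens what the control channel can do: any client that authenticates with the rndc key can now add zones at runtime. A one-line comment above it, such as `// needed by the "rndc addzone" step of the auto-dnssec reconfig test`, would record why this test server enables it. The purpose of the new `session-keyfile "session.key";` line is likewise not evident from the hunk and would benefit from the same treatment.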
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.42.20.2 2012/02/02 23:47:06 tbox Exp $
+# $Id: tests.sh,v 1.42.20.3 2012/02/06 21:33:08 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:test turning on auto-dnssec during reconfig ($n)"
+ret=0
+# first create a zone that doesn't have auto-dnssec
+rm -f ns3/*.nzf
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/I:ns3 /'
+rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
+[ "$rekey_calls" = 0 ] || ret=1
+# ...then we add auto-dnssec and reconfigure
+nzf=`ls ns3/*.nzf`
+echo 'zone reconf.example { type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' > $nzf
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /'
+for i in 0 1 2 3 4 5 6 7 8 9; do
+ lret=0
+ rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l`
+ [ "$rekey_calls" -gt 0 ] || lret=1
+ if [ "$lret" = 0 ]; then break; fi
+ sleep 1
+done
+n=`expr $n + 1`
+if [ "$lret" != 0 ]; then ret=$lret; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
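Review bot: The new test takes the zone file name from ``nzf=`ls ns3/*.nzf` `` and then redirects into an unquoted `$nzf`. If `addzone` failed, `nzf` is empty and the redirect errors out; if more than one .nzf file exists, the redirect is ambiguous. Neither case sets `ret` directly, and the exit status of both `$RNDC` calls is lost behind `| sed`. A guard such as `[ -f "$nzf" ] || ret=1` before the `echo ... > "$nzf"` would report the real cause instead of a later timeout. Separately, `[ "$rekey_calls" = 0 ]` is a string comparison on `wc -l` output, which some platforms pad with leading spaces. Using ``rekey_calls=`grep -c "zone reconf.example.*next key event" ns3/named.run` `` avoids the padding and the extra pipeline stage, and applies equally to the copy inside the loop.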