+4331. [func] When loading managed signed zones detect if the
+ RRSIG's inception time is in the future and regenerate
+ the RRSIG immediately. [RT #41808]
+
4330. [protocol] Identify the PAD option as "PAD" when printing out
a message.
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
+rm -f ns3/managed-future.example.db
rm -f ns4/managed-keys.bind*
rm -f ns4/named.conf
rm -f ns4/named.conf ns5/named.conf
future NS ns.future
ns.future A 10.53.0.3
+
+managed-future NS ns.managed-future
+ns.managed-future A 10.53.0.3
dynamic keyless nsec3 optout nsec3-unknown optout-unknown \
multiple rsasha256 rsasha512 kskonly update-nsec3 auto-nsec \
auto-nsec3 secure.below-cname ttlpatch split-dnssec split-smart \
- expired expiring upper lower
-
+ expired expiring upper lower managed-future
do
cp ../ns3/dsset-$subdomain.example. .
done
--- /dev/null
+; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+*.wild A 10.0.0.6
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+child NS ns2.example.
+insecure.empty NS ns.insecure.empty
+ns.insecure.empty A 10.53.0.3
+foo.*.empty-wild NS ns
file "future.example.db.signed";
};
+zone "managed-future.example" {
+ type master;
+ file "managed-future.example.db.signed";
+ allow-update { any; };
+};
+
include "siginterval.conf";
include "trusted.conf";
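Review bot: The new zone stanza turns on `allow-update { any; };`, i.e. unauthenticated dynamic updates from any source, with nothing saying why it is there; presumably it is what makes the zone dynamic so that named schedules re-signing on load (the master.c part of this change only takes effect when the loader is asked to track resign times), but someone copying the stanza will not know that. I would add `// test only: any-source updates make the zone dynamic so named re-signs it; never use in production` above the `allow-update` line. The rest of this file is outside the hunk.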
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
cp -f $kskname.key trusted-future.key
+
+#
+# A zone with future signatures.
+#
+zone=managed-future.example
+infile=managed-future.example.db.in
+zonefile=managed-future.example.db
+kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
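Review bot: `$SIGNER -P -s +3600 ... > /dev/null 2>&1` at L95 discards both the signer's diagnostics and its exit status, so if key generation or signing fails the `.signed` file is simply missing and the failure only surfaces later as an unrelated named load error. Appending `|| { echo "I:signing $zone failed"; exit 1; }` (or at least leaving stderr alone) keeps the script honest about where it broke. The block mirrors the future.example signing above it (L83), and a one-line comment that the +3600 inception is deliberate, to exercise the loader's future-inception path, would help the next reader tell this zone apart from that one.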
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+
echo "I:checking for AD in authoritative answer ($n)"
ret=0
$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check that a named managed zone that was signed 'in-the-future' is re-signed when loaded"
+ret=0
+$DIG $DIGOPTS managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
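Review bot: The new check at L105-L112 is timing-sensitive: it expects the zone to already carry regenerated RRSIGs when the query runs, but the loader only schedules the re-sign (due time set to "now") and the signing itself presumably happens later in the zone maintenance cycle, so a fast run can query before the new signatures exist and miss the AD bit. A bounded retry loop makes the check deterministic without slowing the passing case. The echo line also omits the `($n)` test-number suffix used by the neighbouring check (L100), which makes a failure harder to match to its dig output file.

```shell
echo "I:check that a named managed zone that was signed 'in-the-future' is re-signed when loaded ($n)"
ret=0
# The re-sign is scheduled at load time and performed asynchronously;
# allow a few seconds for the new RRSIGs to appear before declaring failure.
for try in 1 2 3 4 5 6 7 8 9 10
do
	ret=0
	$DIG $DIGOPTS managed-future.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
	grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
	grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
	[ $ret = 0 ] && break
	sleep 1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
```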
isc_uint32_t references;
dns_incctx_t *inc;
isc_uint32_t resign;
+ isc_stdtime_t now;
};
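Review bot: The new `now` member is added without a comment, and what it holds (a single wall-clock snapshot taken when the context is initialised, reused for every RRSIG expiry and inception comparison made during the load) is not obvious from the name. I would document it as `isc_stdtime_t now; /* time captured at context setup; RRSIG expiry/inception checks compare against this, so a long or incremental load compares against an aging snapshot */`, since the previous code fetched the time at the start of each load pass instead. The struct's opening is outside the hunk.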
struct dns_incctx {
lctx->zclass = zclass;
lctx->resign = resign;
lctx->result = ISC_R_SUCCESS;
+ isc_stdtime_get(&lctx->now);
dns_fixedname_init(&lctx->fixed_top);
lctx->top = dns_fixedname_name(&lctx->fixed_top);
const char *source = "";
unsigned long line = 0;
isc_boolean_t explicit_ttl;
- isc_stdtime_t now;
char classname1[DNS_RDATACLASS_FORMATSIZE];
char classname2[DNS_RDATACLASS_FORMATSIZE];
unsigned int options = 0;
ISC_LIST_INIT(glue_list);
ISC_LIST_INIT(current_list);
- isc_stdtime_get(&now);
/*
* Allocate target_size of buffer space. This is greater than twice
result = dns_rdata_tostruct(&rdata[rdcount], &sig,
NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (isc_serial_lt(sig.timeexpire, now)) {
+ if (isc_serial_lt(sig.timeexpire, lctx->now)) {
(*callbacks->warn)(callbacks,
"%s:%lu: "
"signature has expired",
}
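Review bot: The loader now knows how to recognise a not-yet-valid RRSIG (`isc_serial_gt(sig.timesigned, lctx->now)` in resign_fromlist), but this check still warns only on expiry, so a zone whose RRSIG inception times are in the future loads with no diagnostic at all; because the re-sign scheduling only runs when DNS_MASTER_RESIGN is set (L175-L176), a statically signed zone served from file will quietly answer with signatures that validators treat as invalid. I would mirror the expiry warning here with `if (isc_serial_gt(sig.timesigned, lctx->now))` and the message `"signature inception is in the future"`, passing the same source and line arguments as the expired case. The warn call's trailing arguments and the rest of load_text are outside the hunk.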
static isc_uint32_t
-resign_fromlist(dns_rdatalist_t *this, isc_uint32_t resign) {
+resign_fromlist(dns_rdatalist_t *this, dns_loadctx_t *lctx) {
dns_rdata_t *rdata;
dns_rdata_rrsig_t sig;
isc_uint32_t when;
rdata = ISC_LIST_HEAD(this->rdata);
INSIST(rdata != NULL);
(void)dns_rdata_tostruct(rdata, &sig, NULL);
- when = sig.timeexpire - resign;
+ if (isc_serial_gt(sig.timesigned, lctx->now))
+ when = lctx->now;
+ else
+ when = sig.timeexpire - lctx->resign;
rdata = ISC_LIST_NEXT(rdata, link);
while (rdata != NULL) {
(void)dns_rdata_tostruct(rdata, &sig, NULL);
- if (sig.timeexpire - resign < when)
- when = sig.timeexpire - resign;
+ if (isc_serial_gt(sig.timesigned, lctx->now))
+ when = lctx->now;
+ else if (sig.timeexpire - lctx->resign < when)
+ when = sig.timeexpire - lctx->resign;
rdata = ISC_LIST_NEXT(rdata, link);
}
return (when);
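Review bot: The future-inception test is written twice, once for the head RRSIG (L159-L162) and again inside the loop (L168-L171), and the loop's `when = lctx->now` branch overwrites rather than minimises, so a signature that was already due before `now` (expired, or past `timeexpire - resign`) has its earlier due time pushed forward to `now` whenever a later RRSIG in the set has a future inception. Both values mean "re-sign on the next pass", so this is not a functional defect, but the asymmetry reads as accidental and nothing says why a future inception maps to `now`. Folding the body into one loop that computes a per-signature due time and keeps the minimum removes the duplication and states the intent; the plain `<` on due times next to the serial-arithmetic inception check is pre-existing but also deserves a comment. Proposed shape follows.

```c
static isc_uint32_t
resign_fromlist(dns_rdatalist_t *this, dns_loadctx_t *lctx) {
	dns_rdata_t *rdata;
	dns_rdata_rrsig_t sig;
	isc_uint32_t when = 0, due;
	isc_boolean_t first = ISC_TRUE;

	for (rdata = ISC_LIST_HEAD(this->rdata); rdata != NULL;
	     rdata = ISC_LIST_NEXT(rdata, link)) {
		(void)dns_rdata_tostruct(rdata, &sig, NULL);
		/*
		 * An inception in the future means the RRSIG is not yet
		 * valid (e.g. it was produced on a host with a wrong
		 * clock); schedule it for immediate regeneration instead
		 * of waiting until timeexpire - resign.
		 */
		if (isc_serial_gt(sig.timesigned, lctx->now))
			due = lctx->now;
		else
			due = sig.timeexpire - lctx->resign;
		if (first || due < when)
			when = due;
		first = ISC_FALSE;
	}
	INSIST(!first);	/* the RRSIG list must not be empty */
	return (when);
}
```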
if (dataset.type == dns_rdatatype_rrsig &&
(lctx->options & DNS_MASTER_RESIGN) != 0) {
dataset.attributes |= DNS_RDATASETATTR_RESIGN;
- dns_name_format(owner, namebuf, sizeof(namebuf));
- dataset.resign = resign_fromlist(this, lctx->resign);
+ dataset.resign = resign_fromlist(this, lctx);
}
result = ((*callbacks->add)(callbacks->add_private, owner,
&dataset));