+4837. [bug] dns_update_signatures{inc} (add_sigs) was not
+ properly determining if there were active KSK and
+ ZSK keys for a algorithm when update-check-ksk is
+ true (default) leaving records unsigned. [RT #46743]
+
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
ACL that had been configured in the options
rm -f ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns1/signer.out
+rm -f ns2/inactivezsk.db
+rm -f ns2/inactivezsk.db.jnl
rm -f ns2/retransfer.db
rm -f ns2/retransfer.db.jnl
rm -f ns2/retransfer3.db
rm -f ns3/expired.db.jnl
rm -f ns3/expired.db.signed
rm -f ns3/expired.db.signed.jnl
+rm -f ns3/inactivezsk.bk
+rm -f ns3/inactivezsk.bk.jnl
+rm -f ns3/inactivezsk.bk.signed
+rm -f ns3/inactivezsk.bk.signed.jnl
rm -f ns3/nsec3.db
rm -f ns3/nsec3.db.jnl
rm -f ns3/nsec3.db.signed
retransfer3. NS ns3.retransfer.
ns3.retransfer3. A 10.53.0.3
+
+inactivezsk. NS ns3.inactivezsk.
+ns3.inactivezsk. A 10.53.0.3
file "nsec3-loop.db";
notify no;
};
+
+zone "inactivezsk" {
+ type master;
+ file "inactivezsk.db";
+ allow-update { any; };
+};
auto-dnssec maintain;
file "retransfer3.bk";
};
+
+zone "inactivezsk" {
+ type slave;
+ masters { 10.53.0.2; };
+ inline-signing yes;
+ auto-dnssec maintain;
+ file "inactivezsk.bk";
+};
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+zone=inactivezsk
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
for s in a c d h k l m q z
do
zone=test-$s
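Review bot: `keyname` is overwritten by each of the four added `$KEYGEN` lines, so the single `$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db` that follows publishes a DS only for the RSASHA256 KSK; the NSEC3RSASHA1 KSK generated two lines earlier gets no DS in the root. If that is deliberate (the zone above also publishes one DS), a comment would spare the next reader the question, e.g. `# only the RSASHA256 KSK gets a DS in the root; the NSEC3RSASHA1 pair signs the zone but is not delegated to`. The first added `$KEYGEN` line, with `-P now -A now+3600` and no `-f KSK`, is the fixture the whole zone exists for and deserves a comment saying so, e.g. `# ZSK published now but not active for an hour: the "inactive ZSK" this zone exercises`. The backticks and unquoted `$zone`/`$keyname` match the surrounding file's style, so they are not raised here.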
touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db
+cp ns2/bits.db.in ns2/inactivezsk.db
cp ns2/bits.db.in ns2/retransfer.db
cp ns2/bits.db.in ns2/retransfer3.db
rm -f ns2/bits.db.jnl
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:testing checking that inline signing works with inactive KSK ($n)"
+ret=0
+
+$DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk > dig.out.ns3.pre.test$n || ret=1
+soa1=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n`
+
+$NSUPDATE << EOF
+server 10.53.0.2 5300
+update add added.inactivezsk 0 IN TXT added record
+send
+EOF
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 soa inactivezsk > dig.out.ns3.post.test$n || ret=1
+ soa2=`awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n`
+ test ${soa1:-0} -ne ${soa2:-0} && break
+ sleep 1
+done
+test ${soa1:-0} -ne ${soa2:-0} || ret=1
+
+$DIG $DIGOPTS @10.53.0.3 -p 5300 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT 7 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "TXT 8 2" dig.out.ns3.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
[ $status -eq 0 ] || exit 1
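Review bot: The banner on the added `echo "I:testing ..."` line says "inactive KSK", but the zone under test is `inactivezsk` and, per the setup hunk above, the only key with a deferred activation is a ZSK (`-P now -A now+3600` without `-f KSK`), so the line should read `echo "I:testing checking that inline signing works with inactive ZSK ($n)"`. The serial-polling loop breaks as soon as `soa2` differs, which also happens when the post-update dig produced no SOA line and `soa2` fell back to 0; that case is still reported because the failed `$DIG` already set `ret=1`, but a comment on the `test ${soa1:-0} -ne ${soa2:-0} && break` line noting that reliance would make it explicit. The four `grep` checks are the real assertion that both algorithms keep signing after the update, so a comment above them such as `# one TXT plus one RRSIG per algorithm (7 and 8): both algorithms must still sign` would tie the test to the CHANGES entry it verifies.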
if (!dst_key_isprivate(keys[i]))
continue;
+ if (dst_key_inactive(keys[i])) /* Should be redundant. */
+ continue;
if (check_ksk && !REVOKE(keys[i])) {
isc_boolean_t have_ksk, have_nonksk;
for (j = 0; j < nkeys; j++) {
if (j == i || ALG(keys[i]) != ALG(keys[j]))
continue;
+ if (!dst_key_isprivate(keys[j]))
+ continue;
+ if (dst_key_inactive(keys[j])) /* SBR */
+ continue;
if (REVOKE(keys[j]))
continue;
if (KSK(keys[j]))