+3203. [bug] Increase log level to 'info' for validation failures
+ from expired or not-yet-valid RRSIGs. [RT #21796]
+
3200. [doc] Some rndc functions were undocumented or were
missing from 'rndc -h' output. [RT #25555]
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.19.48.7 2011/02/23 12:48:21 marka Exp $
+; $Id: example.db.in,v 1.19.48.8 2011/11/04 05:33:27 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
mustbesecure NS ns.mustbesecure
ns.mustbesecure A 10.53.0.3
+; A subdomain with expired signatures
+expired NS ns.expired
+ns.expired A 10.53.0.3
+
; A rfc2535 signed zone w/ CNAME
rfc2535 NS ns.rfc2535
ns.rfc2535 A 10.53.0.3
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.30.48.16 2011/02/23 12:48:21 marka Exp $
+# $Id: sign.sh,v 1.30.48.17 2011/11/04 05:33:27 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
optout-unknown multiple rsasha256 rsasha512 update-nsec3 \
- secure.below-cname
+ secure.below-cname expired
do
cp ../ns3/keyset-$subdomain.example. .
done
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.53.48.23 2011/10/26 05:35:19 marka Exp $
+# $Id: tests.sh,v 1.53.48.24 2011/11/04 05:33:27 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking expired signatures do not validate ($n)"
+ret=0
+$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.4 soa > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+grep "expired.example .*: RRSIG has expired" ns4/named.run > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)"
ret=0
(
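Review bot: The new check at L42-L50 exercises only the expired-signature case, while the validator change in this commit treats not-yet-valid signatures (DNS_R_SIGFUTURE) identically and also widens the `dnssec-accept-expired` path to accept both; neither of those branches is covered here. A second subdomain signed with an inception date in the future, queried both against a normal view and one with `dnssec-accept-expired yes`, would pin the new behaviour rather than just the expired half of it. The grep on `ns4/named.run` at L47 depends on ns4's logging configuration capturing INFO-level validator messages, which is not visible in this hunk; if that channel is only at debug level elsewhere, the test fails for a reason unrelated to validation. L54 belongs to the following test, whose body continues outside the hunk.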
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.164.12.32 2011/10/20 23:45:14 tbox Exp $ */
+/* $Id: validator.c,v 1.164.12.33 2011/11/04 05:33:27 each Exp $ */
#include <config.h>
again:
result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
key, ignore, val->view->mctx, rdata, wild);
- if (result == DNS_R_SIGEXPIRED && val->view->acceptexpired) {
+ if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
+ val->view->acceptexpired)
+ {
ignore = ISC_TRUE;
goto again;
}
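Review bot: Adding DNS_R_SIGFUTURE to the retry condition at L64-L65 makes `acceptexpired` (the `dnssec-accept-expired` option) also accept RRSIGs whose validity period has not yet begun, which is wider than the option name suggests and should be stated in the option's documentation, since both cases discard the replay protection that the signature validity window provides. The acceptance log a few lines below, `"accepted expired %sRRSIG (keyid=%u)"`, will presumably now also be emitted for a not-yet-valid RRSIG and then misdescribes what was accepted; `"accepted expired or not-yet-valid %sRRSIG (keyid=%u)"` would be accurate for both. The enclosing function starts and ends outside the hunk, and the condition guarding that log line is not visible here.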
"accepted expired %sRRSIG (keyid=%u)",
(result == DNS_R_FROMWILDCARD) ?
"wildcard " : "", keyid);
+ else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
+ validator_log(val, ISC_LOG_INFO,
+ "verify failed due to bad signature (keyid=%u): "
+ "%s", keyid, isc_result_totext(result));
else
validator_log(val, ISC_LOG_DEBUG(3),
"verify rdataset (keyid=%u): %s",