+3632. [bug] Signature from newly inactive keys were not being
+ removed. [RT #32178]
+
3631. [bug] Remove spurious warning about missing signatures when
qtype is SIG. [RT #34600]
isc_result_t result;
const char *orig = str;
char *endp;
+ int n;
if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
return ((isc_stdtime_t) 0);
- if (strncmp(str, "now", 3) == 0) {
+ /*
+ * We accept times in the following formats:
+ * now([+-]offset)
+ * YYYYMMDD([+-]offset)
+ * YYYYMMDDhhmmss([+-]offset)
+ * [+-]offset
+ */
+ n = strspn(str, "0123456789");
+ if ((n == 8 || n == 14) &&
+ (str[n] == '\0' || str[n] == '-' || str[n] == '+'))
+ {
+ char timestr[15];
+
+ strlcpy(timestr, str, sizeof(timestr));
+ timestr[n] = 0;
+ if (n == 8)
+ strlcat(timestr, "000000", sizeof(timestr));
+ result = dns_time64_fromtext(timestr, &val);
+ if (result != ISC_R_SUCCESS)
+ fatal("time value %s is invalid: %s", orig,
+ isc_result_totext(result));
+ base = val;
+ str += n;
+ } else if (strncmp(str, "now", 3) == 0) {
base = now;
str += 3;
}
offset = strtol(str + 1, &endp, 0);
offset = time_units((isc_stdtime_t) offset, endp, orig);
val = base - offset;
- } else if (strlen(str) == 8U) {
- char timestr[15];
- sprintf(timestr, "%s000000", str);
- result = dns_time64_fromtext(timestr, &val);
- if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid: %s", orig,
- isc_result_totext(result));
- } else if (strlen(str) > 14U) {
- fatal("time value %s is invalid", orig);
} else {
- result = dns_time64_fromtext(str, &val);
- if (result != ISC_R_SUCCESS)
fatal("time value %s is invalid: %s", orig,
isc_result_totext(result));
}
rm -f ns4/managed-keys.bind*
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm -f ns3/secure.below-cname.example.db
+rm -f ns3/publish-inactive.example.db
rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
rm -f signer/nsec3param.out
notify yes;
dnssec-enable yes;
dnssec-validation yes;
+ session-keyfile "session.key";
};
key rndc_key {
auto-dnssec maintain;
};
+zone "publish-inactive.example" {
+ type master;
+ file "publish-inactive.example.db";
+ auto-dnssec maintain;
+ update-policy local;
+};
+
include "trusted.conf";
--- /dev/null
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: insecure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
zone=inline.example.
kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
+
+#
+# publish a new key while deactivating another key at the same time.
+#
+zone=publish-inactive.example
+infile=publish-inactive.example.db.in
+zonefile=publish-inactive.example.db
+now=`date -u +%Y%m%d%H%M%S`
+kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -f KSK $zone`
+kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -f KSK $zone`
+zskname=`$KEYGEN -q -r $RANDFILE $zone`
+cp $infile $zonefile
+$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)"
+ret=0
+cnt=0
+while :
+do
+$DIG $DIGOPTS publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n
+keys=`awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l`
+test $keys -gt 2 && break
+cnt=`expr $cnt + 1`
+test $cnt -gt 120 && break
+sleep 1
+done
+test $keys -gt 2 || ret=1
+sigs=`grep RRSIG dig.out.ns3.test$n | wc -l`
+sigs=`expr $sigs + 0`
+n=`expr $n + 1`
+test $sigs -eq 2 || ret=1
+if test $ret != 0 ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
* If a key is marked inactive, skip it
*/
if (!key_active(keys[count], now)) {
+ dst_key_setinactive(pubkey, ISC_TRUE);
dst_key_free(&keys[count]);
keys[count] = pubkey;
pubkey = NULL;
key->times[i] = 0;
key->timeset[i] = ISC_FALSE;
}
+ key->inactive = ISC_FALSE;
key->magic = KEY_MAGIC;
return (key);
}
+isc_boolean_t
+dst_key_inactive(const dst_key_t *key) {
+
+ REQUIRE(VALID_KEY(key));
+
+ return (key->inactive);
+}
+
+void
+dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive) {
+
+ REQUIRE(VALID_KEY(key));
+
+ key->inactive = inactive;
+}
+
/*%
* Reads a public key from disk
*/
isc_boolean_t timeset[DST_MAX_TIMES + 1]; /*%< data set? */
isc_stdtime_t nums[DST_MAX_NUMERIC + 1]; /*%< numeric metadata */
isc_boolean_t numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
+ isc_boolean_t inactive; /*%< private key not present as it is
+ inactive */
int fmt_major; /*%< private key format, major version */
int fmt_minor; /*%< private key format, minor version */
unsigned int protocol, dns_rdataclass_t rdclass,
isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
+isc_boolean_t
+dst_key_inactive(const dst_key_t *key);
+/*%<
+ * Determines if the private key is missing due the key being deemed inactive.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
+void
+dst_key_setinactive(dst_key_t *key, isc_boolean_t inactive);
+/*%<
+ * Set key inactive state.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
ISC_LANG_ENDDECLS
for (i = 0; i < nkeys; i++) {
if (rrsig.keyid == dst_key_id(keys[i])) {
found = ISC_TRUE;
- if (!dst_key_isprivate(keys[i])) {
+ if (!dst_key_isprivate(keys[i]) &&
+ !dst_key_inactive(keys[i]))
+ {
/*
* The re-signing code in zone.c
* will mark this as offline.
dst_key_gettime
dst_key_getttl
dst_key_id
+dst_key_inactive
dst_key_isnullkey
dst_key_isprivate
dst_key_iszonekey
dst_key_secretsize
dst_key_setbits
dst_key_setflags
+dst_key_setinactive
dst_key_setprivateformat
dst_key_settime
dst_key_setttl
* We want the earliest offline expire time
* iff there is a new offline signature.
*/
- if (!dst_key_isprivate(keys[i])) {
+ if (!dst_key_inactive(keys[i]) &&
+ !dst_key_isprivate(keys[i]))
+ {
isc_int64_t timeexpire =
dns_time64_from32(rrsig.timeexpire);
if (warn != 0 && warn > timeexpire)
projects / thirdparty / bind9.git / commitdiff
