2780. [bug] dnssec-keygen -A none didn't properly unset the
authorEvan Hunt <each@isc.org>
Mon, 23 Nov 2009 02:55:41 +0000 (02:55 +0000)
committerEvan Hunt <each@isc.org>
Mon, 23 Nov 2009 02:55:41 +0000 (02:55 +0000)
activation date in all cases. [RT #20648]

2779. [bug] Dynamic key revocation could fail. [RT #20644]

2778. [bug] dnssec-signzone could fail when a key was revoked
without deleting the unrevoked version. [RT #20638]

CHANGES
bin/dnssec/dnssec-keyfromlabel.c
bin/dnssec/dnssec-keygen.c
bin/dnssec/dnssec-signzone.c
bin/named/update.c
lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index 9be2e9470cda652c5299257fec365fc2be35602f..aedfea7da51d52ed471de6037ca3b34ccfa3d43b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+       --- 9.7.0b3 released ---
+
+2780.  [bug]           dnssec-keygen -A none didn't properly unset the
+                       activation date in all cases. [RT #20648]
+
+2779.  [bug]           Dynamic key revokation could fail. [RT #20644]
+
+2778.  [bug]           dnssec-signzone could fail when a key was revoked
+                       without deleting the unrevoked version. [RT #20638]
+
 2777.  [contrib]       DLZ MYSQL auto reconnect support discovery was wrong.
 
 2776.  [bug]           Change #2762 was not correct. [RT #20647]
@@ -11,8 +21,6 @@
 2773.  [bug]           In autosigned zones, the SOA could be signed
                        with the KSK. [RT #20628]
 
-       --- 9.7.0b3 released ---
-
 2772.  [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        validates as secure. [RT #20438]
index 918cf24ac2dae16f076db1b662eee775973befa6..d615e58d0688c210c866bdde46e9f0830ab277ad 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.27 2009/11/21 17:51:49 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.28 2009/11/23 02:55:40 each Exp $ */
 
 /*! \file */
 
@@ -461,12 +461,14 @@ main(int argc, char **argv) {
 
                if (setpub)
                        dst_key_settime(key, DST_TIME_PUBLISH, publish);
-               else if (!genonly)
+               else if (setact)
+                       dst_key_settime(key, DST_TIME_PUBLISH, activate);
+               else if (!genonly && !unsetpub)
                        dst_key_settime(key, DST_TIME_PUBLISH, now);
 
                if (setact)
                        dst_key_settime(key, DST_TIME_ACTIVATE, activate);
-               else if (!genonly)
+               else if (!genonly && !unsetact)
                        dst_key_settime(key, DST_TIME_ACTIVATE, now);
 
                if (setrev) {
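Review bot: The new `else if (setact)` branch in the PUBLISH step sets the publication date to `activate` without consulting `unsetpub`, so a caller that explicitly unsets publication while setting an activation date (presumably `-P none -A <date>`; the option parsing is outside this hunk) still ends up with a publish time, whereas the fallback branch below it does honour `unsetpub`. The guard should be `else if (setact && !unsetpub)` so that an explicit unset wins over the implied publish. The same shape appears in dnssec-keygen.c in the hunk at `@@ -772,13 +772,16 @@`, where the added branch at `else if (setact)` needs the identical change. main() starts and ends outside this hunk.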
index b40d477a715c38b4778974b237e21dad5389aa04..70951707114fab78cb8fa956f0ae8a21e40309f0 100644 (file)
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.106 2009/10/28 00:27:10 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.107 2009/11/23 02:55:40 each Exp $ */
 
 /*! \file */
 
@@ -772,13 +772,16 @@ main(int argc, char **argv) {
 
                        if (setpub)
                                dst_key_settime(key, DST_TIME_PUBLISH, publish);
-                       else if (!genonly && !setact)
+                       else if (setact)
+                               dst_key_settime(key, DST_TIME_PUBLISH,
+                                               activate);
+                       else if (!genonly && !unsetpub)
                                dst_key_settime(key, DST_TIME_PUBLISH, now);
 
                        if (setact)
                                dst_key_settime(key, DST_TIME_ACTIVATE,
                                                activate);
-                       else if (!genonly && !setpub)
+                       else if (!genonly && !unsetact)
                                dst_key_settime(key, DST_TIME_ACTIVATE, now);
 
                        if (setrev) {
index 5c2deede3443c9b0437a61657aa405897ee74ed0..4bc1df205691a75c40e907ff955b1a191472f93d 100644 (file)
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.253 2009/11/16 04:27:44 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.254 2009/11/23 02:55:40 each Exp $ */
 
 /*! \file */
 
@@ -2760,7 +2760,7 @@ static void
 build_final_keylist() {
        isc_result_t result;
        dns_dbversion_t *ver = NULL;
-       dns_diff_t del, add;
+       dns_diff_t diff;
        dns_dnsseckeylist_t matchkeys;
        char name[DNS_NAME_FORMATSIZE];
 
@@ -2777,31 +2777,24 @@ build_final_keylist() {
        result = dns_db_newversion(gdb, &ver);
        check_result(result, "dns_db_newversion");
 
-       dns_diff_init(mctx, &del);
-       dns_diff_init(mctx, &add);
+       dns_diff_init(mctx, &diff);
 
        /*
         * Update keylist with information from from the key repository.
         */
        dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
-                             &add, &del, ignore_kskflag, mctx, report);
+                             &diff, ignore_kskflag, mctx, report);
 
        dns_name_format(gorigin, name, sizeof(name));
 
-       result = dns_diff_applysilently(&del, gdb, ver);
+       result = dns_diff_applysilently(&diff, gdb, ver);
        if (result != ISC_R_SUCCESS)
-               fatal("failed to delete DNSKEYs at node '%s': %s",
-                     name, isc_result_totext(result));
-
-       result = dns_diff_applysilently(&add, gdb, ver);
-       if (result != ISC_R_SUCCESS)
-               fatal("failed to add DNSKEYs at node '%s': %s",
+               fatal("failed to update DNSKEY RRset at node '%s': %s",
                      name, isc_result_totext(result));
 
        dns_db_closeversion(gdb, &ver, ISC_TRUE);
 
-       dns_diff_clear(&del);
-       dns_diff_clear(&add);
+       dns_diff_clear(&diff);
 }
 
 static void
index a31606a4a9373098e1ebbde5afcb23cfc2fb6c44..4fb9fb0df6ec8458bb4c1c9821ebbfd9019f2b48 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.169 2009/11/18 21:22:31 each Exp $ */
+/* $Id: update.c,v 1.170 2009/11/23 02:55:41 each Exp $ */
 
 #include <config.h>
 
@@ -1883,8 +1883,8 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
                                  (isc_stdtime_t) 0, &rdataset, NULL));
        dns_db_detachnode(db, &node);
 
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
 #define ALG(x) dst_key_alg(x)
 
        /*
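Review bot: The corrected `REVOKE`/`KSK` macros are still defined inside the body of `add_sigs` and are duplicated verbatim in zone.c's `add_sigs` (hunk `@@ -4549,8 +4549,8 @@`), which is exactly why the `== 1` test had to be fixed twice in this commit. A single definition next to `DNS_KEYFLAG_REVOKE`/`DNS_KEYFLAG_KSK`, or `static inline` helpers in one shared place, would remove the chance of the two copies drifting again. If they must stay function-local, an `#undef REVOKE` / `#undef KSK` / `#undef ALG` after the loop that uses them keeps the names from leaking into the rest of the translation unit; whether such an `#undef` already follows is not visible here. add_sigs starts and ends outside this hunk.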
index c629dcf19755276a44bf5af0acef7ef9610cb75b..9033c8b3861a04381b9634c2a7b4ad5c9e97af53 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.110 2009/11/17 05:46:53 each Exp $
+ * $Id: dnssec.c,v 1.111 2009/11/23 02:55:41 each Exp $
  */
 
 /*! \file */
@@ -1078,7 +1078,7 @@ get_hints(dns_dnsseckey_t *key) {
         *
         * If it hasn't already been done, we should also revoke it now.
         */
-       if (key->hint_publish && (revset && revoke < now)) {
+       if (key->hint_publish && (revset && revoke <= now)) {
                isc_uint32_t flags;
                key->hint_sign = ISC_TRUE;
                flags = dst_key_flags(key->key);
@@ -1384,7 +1384,7 @@ make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
 }
 
 static isc_result_t
-publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
+publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
            dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
            void (*report)(const char *, ...))
 {
@@ -1418,7 +1418,7 @@ publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
        /* publish key */
        RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
                                    &dnskey, &tuple));
-       dns_diff_append(add, &tuple);
+       dns_diff_appendminimal(diff, &tuple);
        result = ISC_R_SUCCESS;
 
  failure:
@@ -1426,7 +1426,7 @@ publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
 }
 
 static isc_result_t
-remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
+remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
          dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
          void (*report)(const char *, ...))
 {
@@ -1443,7 +1443,7 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
        RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
        RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
                                    &tuple));
-       dns_diff_append(del, &tuple);
+       dns_diff_appendminimal(diff, &tuple);
        result = ISC_R_SUCCESS;
 
  failure:
@@ -1459,9 +1459,8 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-                     dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
-                     isc_boolean_t allzsk, isc_mem_t *mctx,
-                     void (*report)(const char *, ...))
+                     dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+                     isc_mem_t *mctx, void (*report)(const char *, ...))
 {
        isc_result_t result;
        dns_dnsseckey_t *key, *key1, *key2, *next;
@@ -1476,7 +1475,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
             key = ISC_LIST_NEXT(key, link)) {
                if (key->source == dns_keysource_user &&
                    (key->hint_publish || key->force_publish)) {
-                       RETERR(publish_key(add, key, origin, ttl,
+                       RETERR(publish_key(diff, key, origin, ttl,
                                           mctx, allzsk, report));
                }
        }
@@ -1515,7 +1514,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 
                        if (key1->source != dns_keysource_zoneapex &&
                            (key1->hint_publish || key1->force_publish)) {
-                               RETERR(publish_key(add, key1, origin, ttl,
+                               RETERR(publish_key(diff, key1, origin, ttl,
                                                   mctx, allzsk, report));
                                if (key1->hint_sign || key1->force_sign)
                                        key1->first_sign = ISC_TRUE;
@@ -1526,7 +1525,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 
                /* Match found: remove or update it as needed */
                if (key1->hint_remove) {
-                       RETERR(remove_key(del, key2, origin, ttl, mctx,
+                       RETERR(remove_key(diff, key2, origin, ttl, mctx,
                                          "expired", report));
                        ISC_LIST_UNLINK(*keys, key2, link);
                        if (removed != NULL)
@@ -1541,7 +1540,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                         * We need to remove the old version and pull
                         * in the new one.
                         */
-                       RETERR(remove_key(del, key2, origin, ttl, mctx,
+                       RETERR(remove_key(diff, key2, origin, ttl, mctx,
                                          "revoked", report));
                        ISC_LIST_UNLINK(*keys, key2, link);
                        if (removed != NULL)
@@ -1549,7 +1548,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                        else
                                dns_dnsseckey_destroy(mctx, &key2);
 
-                       RETERR(publish_key(add, key1, origin, ttl,
+                       RETERR(publish_key(diff, key1, origin, ttl,
                                           mctx, allzsk, report));
                        ISC_LIST_UNLINK(*newkeys, key1, link);
                        ISC_LIST_APPEND(*keys, key1, link);
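Review bot: The `get_hints` hunk makes the revocation comparison inclusive (`revoke <= now`) while the publish/activate/remove comparisons in the same function are outside this hunk; if they still use strict `<`, an event scheduled for exactly `now` is handled differently per event type, so they should be checked against the same boundary. A comment on the changed line would keep the intent from being "fixed" back, e.g. `/* A revocation time equal to 'now' is due; keep this inclusive. */`. With the `del`/`add` diffs merged, the revoked-key path in `dns_dnssec_updatekeys` now appends the DEL for key2 and the ADD for key1 to one diff through `dns_diff_appendminimal`; since the two DNSKEY rdatas differ in the REVOKE flag they should not cancel, but that dependency is worth a one-line comment above the `remove_key(diff, key2, ...)` call. get_hints and dns_dnssec_updatekeys both start outside their hunks.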
index 2edc8efe71e43bbe88970b97fe5eb095bca51e91..bc2549b9582e3ed72c4d8199dc180c11a627072f 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.39 2009/10/27 03:59:45 each Exp $ */
+/* $Id: dnssec.h,v 1.40 2009/11/23 02:55:41 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -290,19 +290,18 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 isc_result_t
 dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
                      dns_dnsseckeylist_t *removed, dns_name_t *origin,
-                     dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
-                     isc_boolean_t allzsk, isc_mem_t *mctx,
-                     void (*report)(const char *, ...));
+                     dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+                     isc_mem_t *mctx, void (*report)(const char *, ...));
 /*%<
  * Update the list of keys in 'keys' with new key information in 'newkeys'.
  *
  * For each key in 'newkeys', see if it has a match in 'keys'.
  * - If not, and if the metadata says the key should be published:
- *   add it to 'keys', and place a dns_difftuple into 'add' so
+ *   add it to 'keys', and place a dns_difftuple into 'diff' so
  *   the key can be added to the DNSKEY set.  If the metadata says it
  *   should be active, set the first_sign flag.
  * - If so, and if the metadata says it should be removed:
- *   remove it from 'keys', and place a dns_difftuple into 'del' so
+ *   remove it from 'keys', and place a dns_difftuple into 'diff' so
  *   the key can be removed from the DNSKEY set.  if 'removed' is non-NULL,
  *   copy the key into that list; otherwise destroy it.
  * - Otherwise, make sure keys has current metadata.
index 1473360003857f9338a9ebae2595e5e8ab41b9fe..aa4fbd01fabff97b646bcf7c1b396cd14e2e5ee3 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.530 2009/11/18 21:22:31 each Exp $ */
+/* $Id: zone.c,v 1.531 2009/11/23 02:55:41 each Exp $ */
 
 /*! \file */
 
@@ -4549,8 +4549,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                goto failure;
        }
 
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
 #define ALG(x) dst_key_alg(x)
 
        for (i = 0; i < nkeys; i++) {
@@ -13441,7 +13441,7 @@ zone_rekey(dns_zone_t *zone) {
        dns_rdataset_t soaset, soasigs, keyset, keysigs;
        dns_dnsseckeylist_t dnskeys, keys, oldkeys;
        dns_dnsseckey_t *key;
-       dns_diff_t add, del;
+       dns_diff_t diff;
        isc_boolean_t commit = ISC_FALSE;
        dns_ttl_t ttl = 3600;
        const char *dir;
@@ -13459,8 +13459,7 @@ zone_rekey(dns_zone_t *zone) {
        dns_rdataset_init(&keysigs);
        dir = dns_zone_getkeydirectory(zone);
        mctx = zone->mctx;
-       dns_diff_init(mctx, &add);
-       dns_diff_init(mctx, &del);
+       dns_diff_init(mctx, &diff);
        isc_stdtime_get(&now);
 
        CHECK(dns_zone_getdb(zone, &db));
@@ -13492,23 +13491,15 @@ zone_rekey(dns_zone_t *zone) {
                check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 
                CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &oldkeys,
-                                           &zone->origin, ttl, &add, &del,
+                                           &zone->origin, ttl, &diff,
                                            ISC_TF(!check_ksk), mctx, logmsg));
-               if (!ISC_LIST_EMPTY(del.tuples)) {
+               if (!ISC_LIST_EMPTY(diff.tuples)) {
                        commit = ISC_TRUE;
-                       add_signing_records(db, zone->privatetype, ver, &del);
-                       dns_diff_apply(&del, db, ver);
-                       result = increment_soa_serial(db, ver, &del, mctx);
+                       add_signing_records(db, zone->privatetype, ver, &diff);
+                       dns_diff_apply(&diff, db, ver);
+                       result = increment_soa_serial(db, ver, &diff, mctx);
                        if (result == ISC_R_SUCCESS)
-                               zone_journal(zone, &del, "zone_rekey");
-               }
-               if (!ISC_LIST_EMPTY(add.tuples)) {
-                       commit = ISC_TRUE;
-                       add_signing_records(db, zone->privatetype, ver, &add);
-                       dns_diff_apply(&add, db, ver);
-                       result = increment_soa_serial(db, ver, &add, mctx);
-                       if (result == ISC_R_SUCCESS)
-                               zone_journal(zone, &add, "zone_rekey");
+                               zone_journal(zone, &diff, "zone_rekey");
 
                }
        }
@@ -13548,16 +13539,22 @@ zone_rekey(dns_zone_t *zone) {
                 * key metadata indicates there is a key change event
                 * scheduled in the future, set the key refresh timer.
                 */
+//HERE
+dns_zone_log(zone, ISC_LOG_NOTICE, "1");
                if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
                        break;
+dns_zone_log(zone, ISC_LOG_NOTICE, "2");
 
                result = next_keyevent(key->key, &then);
                if (result != ISC_R_SUCCESS)
                        continue;
+dns_zone_log(zone, ISC_LOG_NOTICE, "3");
 
                isc_time_set(&timethen, then, 0);
                if (isc_time_isepoch(&zone->refreshkeytime) ||
                    isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
+//HERE
+dns_zone_log(zone, ISC_LOG_NOTICE, "setting refreshkeytime to %d\n", then);
                        zone->refreshkeytime = timethen;
                        zone_settimer(zone, &timenow);
                }
@@ -13566,8 +13563,7 @@ zone_rekey(dns_zone_t *zone) {
        result = ISC_R_SUCCESS;
 
  failure:
-       dns_diff_clear(&add);
-       dns_diff_clear(&del);
+       dns_diff_clear(&diff);
 
        clear_keylist(&dnskeys, mctx);
        clear_keylist(&keys, mctx);
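Review bot: The `zone_rekey` hunk at `@@ -13548,16 +13539,22 @@` commits leftover debugging: the `//HERE` comments and the unindented `dns_zone_log(zone, ISC_LOG_NOTICE, "1")`/`"2"`/`"3"` calls, plus `"setting refreshkeytime to %d\n"`, which passes `then` to `%d` (its type is not visible here; if it is `isc_stdtime_t` the specifier does not match) and embeds a newline in a log message. All six added lines should be dropped, leaving the `isc_time_compare` branch as just `zone->refreshkeytime = timethen;` and `zone_settimer(zone, &timenow);`. In the hunk at `@@ -13492,23 +13491,15 @@` the return value of `dns_diff_apply(&diff, db, ver)` is still ignored while `increment_soa_serial` is checked, so a failed apply would go on to bump the serial and journal the change; `CHECK(dns_diff_apply(&diff, db, ver));` would route it to `failure:` like the other calls in this function, provided that path handles the already-set `commit` flag (not visible here). zone_rekey starts and ends outside these hunks.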