4453. [bug] Prefetching of DS records failed to update their
authorMark Andrews <marka@isc.org>
Wed, 24 Aug 2016 23:51:31 +0000 (09:51 +1000)
committerMark Andrews <marka@isc.org>
Wed, 24 Aug 2016 23:53:50 +0000 (09:53 +1000)
                        RRSIGs. [RT #42865]

(cherry picked from commit f431bf02a6d1df7eebc60dac5662b9c36098683c)

CHANGES
bin/tests/system/resolver/clean.sh
bin/tests/system/resolver/ns4/root.db
bin/tests/system/resolver/ns5/named.conf
bin/tests/system/resolver/ns6/ds.example.net.db.in [new file with mode: 0644]
bin/tests/system/resolver/ns6/example.net.db.in
bin/tests/system/resolver/ns6/keygen.sh
bin/tests/system/resolver/ns6/named.conf
bin/tests/system/resolver/tests.sh
lib/dns/resolver.c

diff --git a/CHANGES b/CHANGES
index ff34e5dd65ae3cfd35dd62f3f657a53e2b9d582a..0743ef503af3ff82bd1159772d80a4ef95bdcf97 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
        --- 9.11.0rc1 released ---
 
+4453.  [bug]           Prefetching of DS records failed to update their 
+                       RRSIGs. [RT #42865]
+
 4452.  [bug]           The default key manager policy file is now
                        <sysdir>/dnssec-policy.conf (usually
                        /etc/dnssec-policy.conf). [RT #43064]
index 4642cac3b79301521580d7e8809a83ba9516fc9b..c710f72aef585dfb020ce99b30d712d4761be900 100644 (file)
@@ -21,9 +21,12 @@ rm -f dig.*.prime.*
 rm -f ns4/tld.db
 rm -f ns6/K*
 rm -f ns6/example.net.db.signed ns6/example.net.db
+rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+rm -f ns6/dsset-ds.example.net.
 rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl ns7/named.conf
 rm -f resolve.out
 rm -f .digrc
 rm -f ns*/named.lock
+rm -f ns5/trusted.conf
index 1194929a54de9a0fc25471e17e4fa096bb47a844..da9fd5c901a3c31ca38c334117a6a70b8fe7fbce 100644 (file)
@@ -19,3 +19,5 @@ a.root-servers.nil.   A       10.53.0.4
 all-cnames             NS      cname.tld
 delegation-only.       NS      ns.delegation-only.
 ns.delegation-only.    A       10.53.0.6
+example.net.           NS      ns.example.net.
+ns.example.net.                A       10.53.0.6
index af0f74e0b0b0f53994fea4c1c1986e5d42a950f4..179fa1eb4d462283748cbb3b0b54d955ab98e6df 100644 (file)
@@ -46,3 +46,5 @@ zone "child.server" {
 zone "delegation-only" {
        type delegation-only;
 };
+
+include "trusted.conf";
diff --git a/bin/tests/system/resolver/ns6/ds.example.net.db.in b/bin/tests/system/resolver/ns6/ds.example.net.db.in
new file mode 100644 (file)
index 0000000..513d070
--- /dev/null
@@ -0,0 +1,12 @@
+; Copyright (C) 2010, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+; $Id: example.net.db.in,v 1.3 2010/11/17 23:47:08 tbox Exp $
+
+$TTL 600
+@      IN SOA  ns hostmaster 1 1800 900 604800 600
+@      IN NS   ns
+ns     IN A    10.53.0.6
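Review bot: The `$Id: example.net.db.in,v 1.3 ...` keyword line names the file this one was copied from, not the new file, so it is stale from the first commit. Either drop the `$Id` line or change it to the new file's name, `; $Id: ds.example.net.db.in,v ... $`, so the header does not mislead anyone tracing the file's origin.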
index ed16f03e030fc1c3d35073d7f5dd49eecf85045b..e956573a7046b09d11b13d4616abc7a113073864 100644 (file)
@@ -14,4 +14,7 @@ ns    IN A    10.53.0.6
 mail   IN A    10.53.0.6
 fetch 10 IN TXT A short ttl
 non-zero 10 IN TXT A short ttl
-zero 0 IN TXT A zero ttl
+zero 0  IN TXT A zero ttl
+$TTL 10
+ds     IN NS   ns.ds
+ns.ds  IN A    10.53.0.6
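Review bot: The `$TTL 10` directive is introduced without a comment, and because it is the last `$TTL` in the file it presumably also governs the DNSKEY and dsset records that keygen.sh appends after this file's content, which is what gives the DS a short enough TTL for the prefetch test. That coupling is easy to break by adding records or another `$TTL` after it, so I would document it: `; $TTL 10 must stay last: keygen.sh appends keys and dsset-ds.example.net. after this file, and the DS needs a short TTL for the prefetch test in tests.sh`.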
index 5573d83a665fd1c17659a2f351a59adf4494d07e..c1193d584f23dcf6136a95b336ed5434c268b7b0 100644 (file)
@@ -11,7 +11,7 @@
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
-zone=example.net
+zone=ds.example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
@@ -19,3 +19,23 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
 cat $ksk.key $zsk.key >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+zone=example.net
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+cat $ksk.key $zsk.key dsset-ds.example.net. >> $zonefile
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+# Configure a trusted key statement (used by delve)
+cat $ksk.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > ../ns5/trusted.conf
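Review bot: The Perl snippet that builds trusted.conf uses `local` for `$dn`, `$class`, ... and `$key`, which dynamically scopes package globals; under `perl -n` each line runs inside an implicit loop, and the idiomatic declaration here is `my (...)` / `my $key`, which is also what a reader expects for throwaway temporaries. The pipe in front of it is a needless `cat`; `grep -v '^; ' $ksk.key | $PERL -n -e '...'` reads the key file directly. Neither changes the output, so this is purely a point of style.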
index 4b07dba7ce52a1daa5d5b4a4c37ff353d40c397c..17b623918ef1191f8df33fdfb66d167cf3be2a23 100644 (file)
@@ -41,6 +41,12 @@ zone "example.net" {
        allow-update { any; };
 };
 
+zone "ds.example.net" {
+       type master;
+       file "ds.example.net.db.signed";
+       allow-update { any; };
+};
+
 zone "to-be-removed.tld" {
        type master;
        file "to-be-removed.tld.db";
index 18a57195e598988f343cf31bbf629d26ca18922a..06bb7d7775217be8d687449ac86da06c43609b28 100755 (executable)
@@ -422,6 +422,27 @@ test ${ttl:-0} -gt ${ttl2:-1} || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:check prefetch of validated DS's RRSIG TTL is updated (${n})"
+ret=0
+$DIG +dnssec @10.53.0.5 -p 5300 ds.example.net ds > dig.out.1.${n} || ret=1
+ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 - 2 }' dig.out.1.${n}`
+# sleep so we are in prefetch range
+sleep ${ttl1:-0}
+# trigger prefetch
+$DIG @10.53.0.5 -p 5300 ds.example.net ds > dig.out.2.${n} || ret=1
+ttl1=`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.2.${n}`
+sleep 1
+# check that prefetch occured
+$DIG @10.53.0.5 -p 5300 ds.example.net ds +dnssec > dig.out.3.${n} || ret=1
+dsttl=`awk '$4 == "DS" i&& $7 == "1" { print $2 }' dig.out.3.${n}`
+sigttl=`awk '$4 == "RRSIG" && $5 == "DS" { print $2 }' dig.out.3.${n}`
+test ${dsttl:-0} -gt ${ttl2:-1} || ret=1
+test ${sigttl:-0} -gt ${ttl2:-1} || ret=1
+test ${dsttl:-0} -eq ${sigttl:-1} || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I:check prefetch disabled (${n})"
 ret=0
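Review bot: The awk pattern on the `dsttl=` line has a stray `i` before `&&` (`$4 == "DS" i&& $7 == "1"`); in awk that concatenates the comparison result with the empty variable `i`, yielding a non-empty string that is always true, so the filter silently degrades to `$7 == "1"` and would match any record whose seventh field is 1. The three `test` lines then compare against `ttl2`, which is never assigned in this block; it appears to be the leftover value from the preceding test, whereas the second `ttl1` assignment (the TTL seen when prefetch is triggered) looks like the intended baseline, as in the previous test's `test ${ttl:-0} -gt ${ttl2:-1}`. I would change them to `dsttl=\`awk '$4 == "DS" && $7 == "1" { print $2 }' dig.out.3.${n}\``, `test ${dsttl:-0} -gt ${ttl1:-1} || ret=1` and `test ${sigttl:-0} -gt ${ttl1:-1} || ret=1`, and fix the comment typo to `# check that prefetch occurred`.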
index f274048c6b17bfebd45ac115cbda5c85decf22ac..5b8698060b7bc4b2bd95846a605dc640c7cf230a 100644 (file)
@@ -5028,7 +5028,7 @@ validated(isc_task_t *task, isc_event_t *event) {
                        eresult = DNS_R_NCACHENXRRSET;
        } else if (vevent->sigrdataset != NULL) {
                result = dns_db_addrdataset(fctx->cache, node, NULL, now,
-                                           vevent->sigrdataset, 0,
+                                           vevent->sigrdataset, options,
                                            asigrdataset);
                if (result != ISC_R_SUCCESS &&
                    result != DNS_R_UNCHANGED)
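Review bot: The change to pass `options` instead of `0` when adding `vevent->sigrdataset` is the whole fix, but nothing in the hunk says why the RRSIG must be added with the same options as the rdataset, and `options` itself is computed outside the hunk in validated(), whose body starts and ends outside it. A one-line comment above the call would save the next reader a trip to the bug tracker: `/* Use the same options as the rdataset so that a prefetch refreshes the RRSIG too (RT #42865). */`. I am inferring from the commit message that `options` carries the prefetch flag here; worth confirming against the assignment earlier in the function.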
@@ -5497,8 +5497,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                         * Mark the rdataset as being prefetch eligible.
                         */
                        if (rdataset->ttl > fctx->res->view->prefetch_eligible)
-                               rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
-
+                               rdataset->attributes |=
+                                       DNS_RDATASETATTR_PREFETCH;
 
                        /*
                         * Cache this rdataset/sigrdataset pair as