From: Michał Kępień
Date: Mon, 11 Mar 2019 11:04:42 +0000 (+0100)
Subject: Fix NTA-related races
X-Git-Tag: v9.14.1~34^2~4
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=95a765202ca68a09f66d1e24bf881a10b13a8db5;p=thirdparty%2Fbind9.git

Fix NTA-related races

Changes introduced by commit 6b8e4d6e695fc13b2d2a93437418a047b5adce81 were incomplete as not all time-sensitive checks were updated to match revised "nta-lifetime" and "nta-recheck" values. Prevent rare false positives by updating all NTA-related checks so that they work reliably with "nta-lifetime 12s;" and "nta-recheck 9s;". Update comments as well to prevent confusion.

(cherry picked from commit 9a36a1bba34d178ee65d24d1dd71c7ae7953abf6)
---
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 81865b626e3..28dff275067 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1864,8 +1864,8 @@ echo_i "waiting for NTA rechecks/expirations"
 #
 # secure.example and badds.example used default nta-duration
-# (configured as 10s in ns4/named1.conf), but nta recheck interval
-# is configured to 7s, so at t=8 the NTAs for secure.example and
+# (configured as 12s in ns4/named1.conf), but nta recheck interval
+# is configured to 9s, so at t=10 the NTAs for secure.example and
 # fakenode.secure.example should both be lifted, but badds.example
 # should still be going.
 #
@@ -1886,9 +1886,9 @@ status=$((status+ret))
 ret=0
 #
-# bogus.example was set to expire in 20s, so at t=11
+# bogus.example was set to expire in 20s, so at t=13
 # it should still be NTA'd, but badds.example used the default
-# lifetime of 10s, so it should revert to SERVFAIL now.
+# lifetime of 12s, so it should revert to SERVFAIL now.
 #
 # shellcheck disable=SC2016
 $PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
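Review bot: Each timing assertion described here is left with one second of slack: the first hunk's comment puts the check at t=10 against a 9s recheck interval, and the hunk at 1886 puts it at t=13 against a 12s lifetime. The unchanged wait line computes its delay from `time()`, which counts whole seconds, and the place where `$start` is recorded is outside these hunks, so the real margin may be smaller than the comments suggest. These checks decide whether DNSSEC validation has resumed once an NTA ends, so a spurious failure is easy to dismiss as flakiness; I would state the margin in the comment, e.g. `# only 1s of slack after the 9s recheck; a slow recheck fails this check spuriously`, or retry the check for a bounded time instead of testing once.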
@@ -2087,11 +2087,11 @@ else
 exit 1
 fi
-# nta-recheck is configured as 7s, so at t=10 the NTAs for
+# nta-recheck is configured as 9s, so at t=12 the NTAs for
 # secure.example. should be lifted as it is not a forced NTA.
-echo_i "waiting till 10s have passed after ns4 was restarted"
+echo_i "waiting till 12s have passed after ns4 was restarted"
 # shellcheck disable=SC2016
-$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
 # secure.example. should now return an AD=1 answer (still validates) as
 # the NTA has been lifted.
@@ -2143,11 +2143,11 @@ else
 exit 1
 fi
-# nta-recheck is configured as 7s, but even at t=10 the NTAs for
+# nta-recheck is configured as 9s, but even at t=12 the NTAs for
 # secure.example. should not be lifted as it is a forced NTA.
-echo_i "waiting till 10s have passed after ns4 was restarted"
+echo_i "waiting till 12s have passed after ns4 was restarted"
 # shellcheck disable=SC2016
-$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
 # secure.example. should now return an AD=0 answer (non-authenticated)
 # as the NTA is still there.
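Review bot: The wait value `12` is written three times in each of the hunks at 2087 and 2143 (comment, `echo_i` message and the Perl expression), and the commit message says the earlier update missed some of these copies. Setting it once, `nta_wait=12`, and using it in `echo_i "waiting till ${nta_wait}s have passed after ns4 was restarted"` and in `'"$start"' + '"$nta_wait"' - time()` would keep the message and the delay from drifting apart again. The hunk at 2143 is a negative check (the forced NTA must still be in place), so a wait that ends before the recheck has run would let it pass without testing anything, which makes a stale literal there harder to notice. Both enclosing blocks start and end outside the hunks.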