From: Evan Hunt Date: Mon, 6 Feb 2012 21:27:17 +0000 (+0000) Subject: 3277. [bug] Make sure automatic key maintenance is started X-Git-Tag: v9.6-ESV-R6rc2^2~18 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=9ab048a86662301dae850a2e9b91ce4e117555ec;p=thirdparty%2Fbind9.git 3277. [bug] Make sure automatic key maintenance is started when "auto-dnssec maintain" is turned on during "rndc reconfig". [RT #26805] --- diff --git a/CHANGES b/CHANGES index 1cdea9ce3e1..d52c1a61c99 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3277. [bug] Make sure automatic key maintenance is started + when "auto-dnssec maintain" is turned on during + "rndc reconfig". [RT #26805] + 3276. [bug] win32: ns_os_openfile failed to return NULL on safe_open failure. [RT #27696] diff --git a/bin/named/server.c b/bin/named/server.c index 36026d080bd..ab9ec553100 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.556.8.47 2011/12/22 08:28:18 marka Exp $ */ +/* $Id: server.c,v 1.556.8.48 2012/02/06 21:27:17 each Exp $ */ /*! \file */ @@ -3064,6 +3064,12 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, */ CHECK(dns_view_addzone(view, zone)); + /* + * Ensure that zone keys are reloaded on reconfig + */ + if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) + dns_zone_rekey(zone, ISC_FALSE); + cleanup: if (zone != NULL) dns_zone_detach(&zone); diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index a273ed2c8c5..448c1401175 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh 
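Review bot: The new comment above the `dns_zone_rekey()` call in configure_zone says the keys are reloaded "on reconfig", but the check is unconditional, so it also fires on initial startup and for every zone that has DNS_ZONEKEY_MAINTAIN set, not only for zones whose options changed in this reconfig. As far as I can tell dns_zone_rekey() only schedules the zone's next key event rather than doing the work inline, so the cost is a key-maintenance pass per "auto-dnssec maintain" zone per reconfig; that is presumably acceptable but worth stating. I would reword it as `/* Schedule a key maintenance pass for every "auto-dnssec maintain" zone. Runs on initial load as well as on reconfig, so a zone switched to maintain by a reconfig starts key maintenance. */`. configure_zone begins well before this hunk; only its tail and the cleanup label are visible here.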
@@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.3.6.7 2011/07/08 01:46:41 each Exp $ +# $Id: clean.sh,v 1.3.6.8 2012/02/06 21:27:17 each Exp $ rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk rm -f active.key inact.key del.key unpub.key standby.key rev.key @@ -47,3 +47,4 @@ rm -f ns3/nozsk.example.db ns3/inaczsk.example.db rm -f ns3/prepub.example.db rm -f ns3/prepub.example.db.in rm -f ns3/secure-to-insecure2.example.db +rm -f ns3/*.nzf diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 0cbf01a4b22..7cb14a8eeb7 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: keygen.sh,v 1.3.6.8 2011/07/08 01:46:41 each Exp $ +# $Id: keygen.sh,v 1.3.6.9 2012/02/06 21:27:17 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -239,3 +239,12 @@ zsk=`$KEYGEN -q -3 -r $RANDFILE $zone` $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > /dev/null 2>&1 echo $zsk > ../inactivezsk.key $SETTIME -I now $zsk > /dev/null + +# +# A zone that is set to 'auto-dnssec maintain' during a recofnig +# +zone=reconf.example +zonefile="${zone}.db" +cp secure.example.db.in $zonefile +$KEYGEN -q -3 -r $RANDFILE -fk $zone > /dev/null +$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf index 09b35fd02ce..bf6127499f8 100644 --- a/bin/tests/system/autosign/ns3/named.conf +++ b/bin/tests/system/autosign/ns3/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.3.6.7 2011/07/08 01:46:41 each Exp $ */ +/* $Id: named.conf,v 1.3.6.8 2012/02/06 21:27:17 each Exp $ */ // NS3 
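Review bot: The comment introducing the new reconf.example stanza in keygen.sh has a typo, "recofnig"; it should read `# A zone that is set to 'auto-dnssec maintain' during a reconfig`. Unlike the neighbouring stanza, which captures the generated key name into a variable, both `$KEYGEN` invocations here send their output to /dev/null; that looks intentional since the reconfig test only watches for key events by zone name, but a short comment saying the key names are not needed would make that explicit.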
@@ -25,6 +25,7 @@ options { notify-source 10.53.0.3; transfer-source 10.53.0.3; port 5300; + session-keyfile "session.key"; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; @@ -32,6 +33,7 @@ options { notify yes; dnssec-enable yes; dnssec-validation yes; + allow-new-zones yes; }; key rndc_key { diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 1014ba59230..7189b1cef4f 100644 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.4.6.33 2012/02/02 23:46:09 tbox Exp $ +# $Id: tests.sh,v 1.4.6.34 2012/02/06 21:27:17 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -1004,6 +1004,29 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:test turning on auto-dnssec during reconfig ($n)" +ret=0 +# first create a zone that doesn't have auto-dnssec +rm -f ns3/*.nzf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 addzone reconf.example '{ type master; file "reconf.example.db"; };' 2>&1 | sed 's/^/I:ns3 /' +rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l` +[ "$rekey_calls" = 0 ] || ret=1 +# ...then we add auto-dnssec and reconfigure +nzf=`ls ns3/*.nzf` +echo 'zone reconf.example { type master; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' > $nzf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reconfig 2>&1 | sed 's/^/I:ns3 /' +for i in 0 1 2 3 4 5 6 7 8 9; do + lret=0 + rekey_calls=`grep "zone reconf.example.*next key event" ns3/named.run | wc -l` + [ "$rekey_calls" -gt 0 ] || lret=1 + if [ "$lret" = 0 ]; then break; fi + sleep 1 +done +n=`expr $n + 1` +if [ "$lret" != 0 ]; then ret=$lret; fi +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status
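Review bot: The first rekey check in the new tests.sh block, `[ "$rekey_calls" = 0 ] || ret=1`, string-compares the output of `wc -l`, which on BSD-derived systems (including macOS) is padded with leading spaces, so the test would report a spurious failure there; use the numeric form `[ "$rekey_calls" -eq 0 ] || ret=1`, which also matches the `-gt 0` test used inside the retry loop a few lines below. Separately, `nzf=\`ls ns3/*.nzf\`` assumes the addzone succeeded and produced exactly one file; if it did not, `$nzf` is empty and the following `echo ... > $nzf` fails with a shell redirection error instead of the usual "I:failed" line, so a guard such as `[ -n "$nzf" ] || ret=1` before the echo would keep the failure mode consistent with the rest of the script.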