revert rt26429 due to incompatibilities with 9.6

Evan Hunt
2012-07-25 22:22:16 -07:00
parent 0953cc2c36
commit 2f16faf485
19 changed files with 27 additions and 456 deletions

@@ -1,7 +1,3 @@
3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
approaching their expiry, so they don't remain
in caches after expiry. [RT #26429]
--- 9.6-ESV-R8b1 released ---
3354. [func] Improve OpenSSL error logging. [RT #29932]

@@ -25,7 +25,6 @@
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/serial.h>
#include <isc/stats.h>
#include <isc/util.h>
@@ -2334,12 +2333,12 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
*/
static void
mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
isc_uint32_t ttl, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
isc_stdtime_t now;
rdataset->trust = dns_trust_secure;
sigrdataset->trust = dns_trust_secure;
@@ -2349,10 +2348,17 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
result = dns_db_findnode(db, name, ISC_TRUE, &node);
if (result != ISC_R_SUCCESS)
return;
isc_stdtime_get(&now);
dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
client->view->acceptexpired);
/*
* Bound the validated ttls then minimise.
*/
if (sigrdataset->ttl > ttl)
sigrdataset->ttl = ttl;
if (rdataset->ttl > ttl)
rdataset->ttl = ttl;
if (rdataset->ttl > sigrdataset->ttl)
rdataset->ttl = sigrdataset->ttl;
else
sigrdataset->ttl = rdataset->ttl;
(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
0, NULL);
@@ -2477,7 +2483,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
client->view->acceptexpired)) {
dst_key_free(&key);
dns_rdataset_disassociate(&keyrdataset);
mark_secure(client, db, name, &rrsig,
mark_secure(client, db, name,
rrsig.originalttl,
rdataset, sigrdataset);
return (ISC_TRUE);
}
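Review bot: The restored body of mark_secure() bounds both TTLs only by the `ttl` argument, which validate() now fills with `rrsig.originalttl`, and nothing in these lines compares against the signature's expiry time. An RRset marked `dns_trust_secure` therefore appears to be passed to `dns_db_addrdataset()` with a TTL that may outlast its RRSIG. If that is the accepted trade-off for this branch, the comment above the bounding code should say so, for example `/* Bound the validated ttls by the original ttl, then minimise; RRSIG expiry is not considered here (see RT #26429). */`. mark_secure() and validate() both continue outside the hunks shown.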

@@ -125,6 +125,3 @@ ns.upper A 10.53.0.3
LOWER NS NS.LOWER
NS.LOWER A 10.53.0.3
expiring NS ns.expiring
ns.expiring A 10.53.0.3

@@ -32,8 +32,7 @@ zonefile=example.db
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
optout-unknown multiple rsasha256 rsasha512 update-nsec3 \
secure.below-cname expired expiring upper lower
secure.below-cname expired upper lower
do
cp ../ns3/keyset-$subdomain.example. .
done

@@ -23,9 +23,7 @@ $TTL 300 ; 5 minutes
3600 ; minimum (1 hour)
)
NS ns
MX 10 mx
ns A 10.53.0.3
mx A 10.0.0.30
a A 10.0.0.1
b A 10.0.0.2
@@ -45,5 +43,3 @@ ns.nosoa A 10.53.0.7
normalthenrrsig A 10.0.0.28
rrsigonly A 10.0.0.29

@@ -1,45 +0,0 @@
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: expiring.example.db.in,v 1.2 2011/05/21 15:07:10 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
MX 10 mx
ns A 10.53.0.3
mx A 10.0.0.30
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17

@@ -35,15 +35,6 @@ options {
dnssec-validation yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
@@ -207,9 +198,4 @@ zone "LOWER.EXAMPLE" {
file "lower.example.db.signed";
};
zone "expiring.example" {
type master;
file "expiring.example.db.signed";
};
include "trusted.conf";

@@ -311,17 +311,3 @@ kskname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 $zone`
zskname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -f KSK $zone`
cat $infile $kskname.key $zskname.key > $zonefile
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
#
# Zone with signatures about to expire, but no private key to replace them
#
zone="expiring.example."
infile="expiring.example.db.in"
zonefile="expiring.example.db"
signedfile="expiring.example.db.signed"
zskname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 $zone`
kskname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -f KSK $zone`
cat $infile $kskname.key $zskname.key > $zonefile
$SIGNER -P -r $RANDFILE -e +30 -o $zone $zonefile > /dev/null 2>&1
mv -f ${zskname}.private ${zskname}.private.moved
mv -f ${kskname}.private ${kskname}.private.moved

@@ -36,15 +36,6 @@ options {
dnssec-must-be-secure mustbesecure.example yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";

@@ -1,51 +0,0 @@
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
// NS4
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
dnssec-accept-expired yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-md5;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../common/root.hint";
};

@@ -19,8 +19,6 @@
../../genrandom 400 random.data
cp -f ns4/named1.conf ns4/named.conf
cd ns1 && sh sign.sh
echo "a.bogus.example. A 10.0.0.22" >>../ns3/bogus.example.db.signed

@@ -29,9 +29,6 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# Check the example. domain
#HERE
if false; then
echo "I:checking that zone transfer worked ($n)"
for i in 1 2 3 4 5 6 7 8 9
do
@@ -1152,107 +1149,5 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
#HERE
fi
echo "I:testing TTL is capped at RRSIG expiry time ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze expiring.example 2>&1 | sed 's/^/I:ns3 /'
(
cd ns3
RANDFILE=../random.data
for file in K*.moved; do
mv $file `basename $file .moved`
done
$SIGNER -P -r $RANDFILE -N increment -e +60 -o expiring.example expiring.example.db > /dev/null 2>&1
) || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload expiring.example 2>&1 | sed 's/^/I:ns3 /'
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '{print $2}' dig.out.ns4.1.$n`
ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
for ttl in $ttls; do
[ $ttl -eq 300 ] || ret=1
done
for ttl in $ttls2; do
[ $ttl -le 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '{print $2}' dig.out.ns4.1.$n`
ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
for ttl in $ttls; do
[ $ttl -eq 300 ] || ret=1
done
for ttl in $ttls2; do
[ $ttl -le 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
cp ns4/named2.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3
echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '{print $2}' dig.out.ns4.1.$n`
ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
for ttl in $ttls; do
[ $ttl -eq 300 ] || ret=1
done
for ttl in $ttls2; do
[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
ret=0
$DIG +noall +answer +dnssec +cd -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +answer +dnssec -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '{print $2}' dig.out.ns4.1.$n`
ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
for ttl in $ttls; do
[ $ttl -eq 300 ] || ret=1
done
for ttl in $ttls2; do
[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '{print $2}' dig.out.ns4.1.$n`
ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
for ttl in $ttls; do
[ $ttl -eq 300 ] || ret=1
done
for ttl in $ttls2; do
[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

@@ -1,4 +1,4 @@
# This file must follow /bin/sh rules. It is imported directly via
# configure.
#
SRCID="( 2012/07/26 03:15:00 UTC )"
SRCID="( 2012/07/24 07:15:01 UTC )"

@@ -56,7 +56,6 @@
#include <isc/stdtime.h>
#include <dns/types.h>
#include <dns/rdatastruct.h>
ISC_LANG_BEGINDECLS
@@ -652,25 +651,6 @@ dns_rdataset_expire(dns_rdataset_t *rdataset);
* Mark the rdataset to be expired in the backing database.
*/
void
dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
isc_boolean_t acceptexpired);
/*%<
* Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire
* at or before 'rrsig->expiretime'. If 'acceptexpired' is true and the
* signature has expired or will expire in the next 120 seconds, limit
* the ttl to be no more than 120 seconds.
*
* The ttl is further limited by the original ttl as stored in 'rrsig'
* and the original ttl values of 'rdataset' and 'sigrdataset'.
*
* Requires:
* \li 'rdataset' is a valid rdataset.
* \li 'sigrdataset' is a valid rdataset.
* \li 'rrsig' is non NULL.
*/
const char *
dns_trust_totext(dns_trust_t trust);
/*

@@ -26,7 +26,6 @@
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/random.h>
#include <isc/serial.h>
#include <isc/util.h>
#include <dns/name.h>
@@ -773,30 +772,3 @@ dns_rdataset_expire(dns_rdataset_t *rdataset) {
if (rdataset->methods->expire != NULL)
(rdataset->methods->expire)(rdataset);
}
void
dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
isc_boolean_t acceptexpired)
{
isc_uint32_t ttl = 0;
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE(DNS_RDATASET_VALID(sigrdataset));
REQUIRE(rrsig != NULL);
/*
* If we accept expired RRsets keep them for no more than 120 seconds.
*/
if (acceptexpired &&
(isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) ||
isc_serial_le(rrsig->timeexpire, now)))
ttl = 120;
else if (isc_serial_ge(rrsig->timeexpire, now))
ttl = rrsig->timeexpire - now;
ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl),
ISC_MIN(rrsig->originalttl, ttl));
rdataset->ttl = ttl;
sigrdataset->ttl = ttl;
}

@@ -38,12 +38,11 @@ LIBS = @LIBS@ @ATFLIBS@
OBJS = dnstest.@O@
SRCS = dnstest.c master_test.c time_test.c dbiterator_test.c \
dbversion_test.c zonemgr_test.c nsec3_test.c rdataset_test.c
dbversion_test.c zonemgr_test.c nsec3_test.c
SUBDIRS =
TARGETS = master_test@EXEEXT@ time_test@EXEEXT@ dbiterator_test@EXEEXT@ \
dbversion_test@EXEEXT@ zonemgr_test@EXEEXT@ nsec3_test@EXEEXT@ \
rdataset_test@EXEEXT@
dbversion_test@EXEEXT@ zonemgr_test@EXEEXT@ nsec3_test@EXEEXT@
@BIND9_MAKE_RULES@
@@ -76,11 +75,6 @@ nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
nsec3_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
rdataset_test@EXEEXT@: rdataset_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
rdataset_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
unit::
sh ${top_srcdir}/unit/unittest.sh

@@ -1,131 +0,0 @@
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
/*! \file */
#include <config.h>
#include <atf-c.h>
#include <unistd.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include "dnstest.h"
/*
* Individual unit tests
*/
/* Successful load test */
ATF_TC(trimttl);
ATF_TC_HEAD(trimttl, tc) {
atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() loads a "
"valid master file and returns success");
}
ATF_TC_BODY(trimttl, tc) {
isc_result_t result;
dns_rdataset_t rdataset, sigrdataset;
dns_rdata_rrsig_t rrsig;
isc_stdtime_t ttltimenow, ttltimeexpire;
ttltimenow = 10000000;
ttltimeexpire = ttltimenow + 800;
UNUSED(tc);
dns_rdataset_init(&rdataset);
dns_rdataset_init(&sigrdataset);
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
rdataset.ttl = 900;
sigrdataset.ttl = 1000;
rrsig.timeexpire = ttltimeexpire;
rrsig.originalttl = 1000;
dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
ISC_TRUE);
ATF_REQUIRE_EQ(rdataset.ttl, 800);
ATF_REQUIRE_EQ(sigrdataset.ttl, 800);
rdataset.ttl = 900;
sigrdataset.ttl = 1000;
rrsig.timeexpire = ttltimenow - 200;
rrsig.originalttl = 1000;
dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
ISC_TRUE);
ATF_REQUIRE_EQ(rdataset.ttl, 120);
ATF_REQUIRE_EQ(sigrdataset.ttl, 120);
rdataset.ttl = 900;
sigrdataset.ttl = 1000;
rrsig.timeexpire = ttltimenow - 200;
rrsig.originalttl = 1000;
dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
ISC_FALSE);
ATF_REQUIRE_EQ(rdataset.ttl, 0);
ATF_REQUIRE_EQ(sigrdataset.ttl, 0);
sigrdataset.ttl = 900;
rdataset.ttl = 1000;
rrsig.timeexpire = ttltimeexpire;
rrsig.originalttl = 1000;
dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
ISC_TRUE);
ATF_REQUIRE_EQ(rdataset.ttl, 800);
ATF_REQUIRE_EQ(sigrdataset.ttl, 800);
sigrdataset.ttl = 900;
rdataset.ttl = 1000;
rrsig.timeexpire = ttltimenow - 200;
rrsig.originalttl = 1000;
dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
ISC_TRUE);
ATF_REQUIRE_EQ(rdataset.ttl, 120);
ATF_REQUIRE_EQ(sigrdataset.ttl, 120);
sigrdataset.ttl = 900;
rdataset.ttl = 1000;
rrsig.timeexpire = ttltimenow - 200;
rrsig.originalttl = 1000;
dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
ISC_FALSE);
ATF_REQUIRE_EQ(rdataset.ttl, 0);
ATF_REQUIRE_EQ(sigrdataset.ttl, 0);
dns_test_end();
}
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, trimttl);
return (atf_no_error());
}

@@ -2032,13 +2032,17 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
else {
isc_uint32_t ttl;
isc_stdtime_t now;
isc_stdtime_get(&now);
dns_rdataset_trimttl(event->rdataset,
event->sigrdataset,
val->siginfo, now,
val->view->acceptexpired);
ttl = ISC_MIN(event->rdataset->ttl,
ISC_MIN(val->siginfo->originalttl,
val->siginfo->timeexpire - now));
if (val->keyset != NULL)
ttl = ISC_MIN(ttl, val->keyset->ttl);
event->rdataset->ttl = ttl;
event->sigrdataset->ttl = ttl;
}
if (val->keynode != NULL)
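Review bot: In the restored else branch, `val->siginfo->timeexpire - now` is computed without first checking that the expiry lies after `now`. The call this replaces passed `val->view->acceptexpired`, so an already-expired signature can presumably reach this branch; if both operands are unsigned 32-bit values, the difference wraps to a large number and the `ISC_MIN` no longer caps anything, so the TTL silently falls back to the smaller of the rdataset TTL and `originalttl`. Make that explicit rather than relying on wrap-around, for example `ttl = ISC_MIN(event->rdataset->ttl, val->siginfo->originalttl);` followed by `if (isc_serial_gt(val->siginfo->timeexpire, now)) ttl = ISC_MIN(ttl, val->siginfo->timeexpire - now);`, and add a comment stating which TTL is intended when an expired signature has been accepted. validate() starts and ends outside this hunk, and whether `<isc/serial.h>` is already included in this file is not visible here.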

@@ -621,7 +621,6 @@
./bin/tests/system/dnssec/ns3/bogus.example.db.in ZONE 2000,2001,2004,2007
./bin/tests/system/dnssec/ns3/dynamic.example.db.in ZONE 2002,2004,2007
./bin/tests/system/dnssec/ns3/expired.example.db.in ZONE 2011,2012
./bin/tests/system/dnssec/ns3/expiring.example.db.in ZONE 2012
./bin/tests/system/dnssec/ns3/insecure.below-cname.example.db ZONE 2011,2012
./bin/tests/system/dnssec/ns3/insecure.example.db ZONE 2000,2001,2004,2007
./bin/tests/system/dnssec/ns3/insecure.nsec3.example.db ZONE 2008
@@ -648,7 +647,6 @@
./bin/tests/system/dnssec/ns3/update-nsec3.example.db.in ZONE 2011,2012
./bin/tests/system/dnssec/ns3/upper.example.db.in ZONE 2012
./bin/tests/system/dnssec/ns4/named.conf CONF-C 2000,2001,2004,2006,2007,2012
./bin/tests/system/dnssec/ns4/named3.conf CONF-C 2012
./bin/tests/system/dnssec/ns5/named.conf CONF-C 2000,2001,2004,2006,2007
./bin/tests/system/dnssec/ns5/trusted.conf.bad CONF-C 2000,2001,2004,2007
./bin/tests/system/dnssec/ns6/named.conf CONF-C 2004,2006,2007
@@ -1982,7 +1980,6 @@
./lib/dns/tests/dnstest.h C 2011,2012
./lib/dns/tests/master_test.c C 2011,2012
./lib/dns/tests/nsec3_test.c C 2012
./lib/dns/tests/rdataset_test.c C 2012
./lib/dns/tests/testdata/dbiterator/zone1.data ZONE 2011,2012
./lib/dns/tests/testdata/dbiterator/zone2.data X 2011
./lib/dns/tests/testdata/master/master1.data X 2011