3020. [bug] auto-dnssec failed to correctly update the zone when
changing the DNSKEY RRset. [RT #23232]
This commit is contained in:
Mark Andrews
@@ -15,7 +15,7 @@
|
||||
* PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: zone.c,v 1.582.8.2 2011/02/07 00:14:30 marka Exp $ */
|
||||
/* $Id: zone.c,v 1.582.8.3 2011/02/15 22:06:26 marka Exp $ */
|
||||
|
||||
/*! \file */
|
||||
|
||||
@@ -13649,7 +13649,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
|
||||
|
||||
static isc_result_t
|
||||
sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_rdatatype_t type, dns_diff_t *diff)
|
||||
dns_diff_t *diff, dns_diff_t *sig_diff)
|
||||
{
|
||||
isc_result_t result;
|
||||
isc_stdtime_t now, inception, soaexpire;
|
||||
@@ -13673,23 +13673,15 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
|
||||
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
|
||||
|
||||
result = del_sigs(zone, db, ver, &zone->origin, type, diff,
|
||||
zone_keys, nkeys, now);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:del_sigs -> %s\n",
|
||||
dns_result_totext(result));
|
||||
goto failure;
|
||||
}
|
||||
|
||||
result = add_sigs(db, ver, &zone->origin, type, diff, zone_keys,
|
||||
nkeys, zone->mctx, inception, soaexpire,
|
||||
check_ksk, keyset_kskonly);
|
||||
result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
|
||||
inception, soaexpire, now, check_ksk,
|
||||
keyset_kskonly, sig_diff);
|
||||
|
||||
if (result != ISC_R_SUCCESS)
|
||||
dns_zone_log(zone, ISC_LOG_ERROR, "sign_apex:add_sigs -> %s\n",
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:update_sigs -> %s\n",
|
||||
dns_result_totext(result));
|
||||
failure:
|
||||
|
||||
for (i = 0; i < nkeys; i++)
|
||||
dst_key_free(&zone_keys[i]);
|
||||
return (result);
|
||||
@@ -13804,6 +13796,26 @@ signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_diff_t *diff)
|
||||
{
|
||||
dns_name_t *origin;
|
||||
isc_boolean_t build_nsec3;
|
||||
isc_result_t result;
|
||||
|
||||
origin = dns_db_origin(db);
|
||||
CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
|
||||
&build_nsec3));
|
||||
if (build_nsec3)
|
||||
CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
|
||||
ISC_FALSE, zone->privatetype, diff));
|
||||
CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
|
||||
|
||||
failure:
|
||||
return (result);
|
||||
}
|
||||
|
||||
static void
|
||||
zone_rekey(dns_zone_t *zone) {
|
||||
isc_result_t result;
|
||||
@@ -13813,7 +13825,7 @@ zone_rekey(dns_zone_t *zone) {
|
||||
dns_rdataset_t soaset, soasigs, keyset, keysigs;
|
||||
dns_dnsseckeylist_t dnskeys, keys, rmkeys;
|
||||
dns_dnsseckey_t *key;
|
||||
dns_diff_t diff;
|
||||
dns_diff_t diff, sig_diff;
|
||||
isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
|
||||
isc_boolean_t fullsign;
|
||||
dns_ttl_t ttl = 3600;
|
||||
@@ -13836,6 +13848,7 @@ zone_rekey(dns_zone_t *zone) {
|
||||
dir = dns_zone_getkeydirectory(zone);
|
||||
mctx = zone->mctx;
|
||||
dns_diff_init(mctx, &diff);
|
||||
dns_diff_init(mctx, &sig_diff);
|
||||
|
||||
CHECK(dns_zone_getdb(zone, &db));
|
||||
CHECK(dns_db_newversion(db, &ver));
|
||||
@@ -13904,14 +13917,12 @@ zone_rekey(dns_zone_t *zone) {
|
||||
dnskey_sane(zone, db, ver, &diff)) {
|
||||
CHECK(dns_diff_apply(&diff, db, ver));
|
||||
CHECK(clean_nsec3param(zone, db, ver, &diff));
|
||||
CHECK(sign_apex(zone, db, ver, dns_rdatatype_dnskey,
|
||||
&diff));
|
||||
CHECK(add_signing_records(db, zone->privatetype, ver,
|
||||
&diff));
|
||||
CHECK(increment_soa_serial(db, ver, &diff, mctx));
|
||||
CHECK(sign_apex(zone, db, ver, dns_rdatatype_soa,
|
||||
&diff));
|
||||
CHECK(zone_journal(zone, &diff, "zone_rekey"));
|
||||
CHECK(add_chains(zone, db, ver, &diff));
|
||||
CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
|
||||
CHECK(zone_journal(zone, &sig_diff, "zone_rekey"));
|
||||
commit = ISC_TRUE;
|
||||
}
|
||||
}
|
||||
@@ -13936,7 +13947,7 @@ zone_rekey(dns_zone_t *zone) {
|
||||
* Has a new key become active? If so, is it for
|
||||
* a new algorithm?
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff.tuples);
|
||||
for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
dns_rdata_dnskey_t dnskey;
|
||||
@@ -14015,7 +14026,7 @@ zone_rekey(dns_zone_t *zone) {
|
||||
* the full zone, but only with the newly-added
|
||||
* keys.
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff.tuples);
|
||||
for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
dns_rdata_dnskey_t dnskey;
|
||||
@@ -14056,7 +14067,7 @@ zone_rekey(dns_zone_t *zone) {
|
||||
* Cause the zone to add/delete NSEC3 chains for the
|
||||
* deferred NSEC3PARAM changes.
|
||||
*/
|
||||
for (tuple = ISC_LIST_HEAD(diff.tuples);
|
||||
for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
|
||||
tuple != NULL;
|
||||
tuple = ISC_LIST_NEXT(tuple, link)) {
|
||||
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
|
||||
@@ -14129,6 +14140,7 @@ zone_rekey(dns_zone_t *zone) {
|
||||
|
||||
failure:
|
||||
dns_diff_clear(&diff);
|
||||
dns_diff_clear(&sig_diff);
|
||||
|
||||
clear_keylist(&dnskeys, mctx);
|
||||
clear_keylist(&keys, mctx);
|
||||
|
||||
Reference in New Issue
Block a user