[master] tag initializing keys so they can't be used for normal validation
4773. [bug] Keys specified in "managed-keys" statements can now only be used when validating key refresh queries during initialization of RFC 5011 key maintenance. If initialization fails, DNSSEC validation of normal queries will also fail. Previously, validation of normal queries could succeed using the initializing key, potentially masking problems with managed-keys. [RT #46077]
This commit is contained in:
Evan Hunt
@@ -37,7 +37,7 @@ ret=0
|
||||
(cd ns2; $NAMED -c named-alt2.conf -D ns2-extra-2 -X named.lock -m record,size,mctx -d 99 -g -U 4 >> named3.run 2>&1 & )
|
||||
sleep 2
|
||||
grep "another named process" ns2/named3.run > /dev/null || ret=1
|
||||
[ -s ns2/named3.pid ] && $KILL -15 `cat ns2/named3.pid`
|
||||
[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -47,55 +47,60 @@ ret=0
|
||||
(cd ns2; $NAMED -c named-alt3.conf -D ns2-extra-3 -m record,size,mctx -d 99 -g -U 4 >> named4.run 2>&1 & )
|
||||
sleep 2
|
||||
grep "another named process" ns2/named4.run > /dev/null && ret=1
|
||||
[ -s ns2/named4.pid ] && $KILL -15 `cat ns2/named4.pid`
|
||||
[ -s ns2/named2.pid ] && $KILL -15 `cat ns2/named2.pid`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
|
||||
ret=0
|
||||
cp -f ns2/named-alt4.conf ns2/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
|
||||
grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
|
||||
sleep 1
|
||||
grep "[^-]directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
if [ ! "$CYGWIN" ]; then
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to reconfigure if working directory is not writable ($n)"
|
||||
ret=0
|
||||
cp -f ns2/named-alt4.conf ns2/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
|
||||
grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
|
||||
sleep 1
|
||||
grep "[^-]directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
|
||||
ret=0
|
||||
cp -f ns2/named-alt5.conf ns2/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
|
||||
grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
|
||||
sleep 1
|
||||
grep "managed-keys-directory './nope' is not writable" ns2/named.run > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to reconfigure if managed-keys-directory is not writable ($n)"
|
||||
ret=0
|
||||
cp -f ns2/named-alt5.conf ns2/named.conf
|
||||
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > rndc.out.$n 2>&1
|
||||
grep "failed: permission denied" rndc.out.$n > /dev/null 2>&1 || ret=1
|
||||
sleep 1
|
||||
grep "managed-keys-directory './nope' must be writable" ns2/named.run > /dev/null 2>&1 || ret=1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to start if working directory is not writable ($n)"
|
||||
ret=0
|
||||
cd ns2
|
||||
$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
|
||||
sleep 2
|
||||
grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
|
||||
[ -s named4.pid ] && kill -15 `cat named4.pid` > /dev/null 2>&1
|
||||
cd ..
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
echo "I: kill existing named process"
|
||||
[ -s "ns2/named.pid" ] && kill -15 `cat ns2/named.pid`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
|
||||
ret=0
|
||||
cd ns2
|
||||
$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
|
||||
sleep 2
|
||||
grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
|
||||
[ -s named5.pid ] && kill -15 `cat named5.pid` > /dev/null 2>&1
|
||||
cd ..
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to start if working directory is not writable ($n)"
|
||||
ret=0
|
||||
cd ns2
|
||||
$NAMED -c named-alt4.conf -d 99 -g > named4.run 2>&1 &
|
||||
sleep 2
|
||||
grep "exiting (due to fatal error)" named4.run > /dev/null || ret=1
|
||||
cd ..
|
||||
[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo "I: checking that named refuses to start if managed-keys-directory is not writable ($n)"
|
||||
ret=0
|
||||
cd ns2
|
||||
$NAMED -c named-alt5.conf -d 99 -g > named5.run 2>&1 &
|
||||
sleep 2
|
||||
grep "exiting (due to fatal error)" named5.run > /dev/null || ret=1
|
||||
cd ..
|
||||
[ -s named.pid ] && kill -15 `cat named.pid` > /dev/null 2>&1
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
fi
|
||||
|
||||
echo "I:exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
||||
Reference in New Issue
Block a user