[v9_9] 5011 fixes

4056.	[bug]		Fixed several small bugs in automatic trust anchor
			management, including a memory leak and a possible
			loss of key state information. [RT #38458]

bin/tests/system/dnssec/clean.sh

@@ -16,7 +16,8 @@
 # PERFORMANCE OF THIS SOFTWARE.
 
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
-rm -f */trusted.conf */managed.conf */tmp* */*.jnl */*.bk
+rm -f */trusted.conf */managed.conf */revoked.conf
+rm -f */tmp* */*.jnl */*.bk */*.jbk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
 rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
@@ -50,7 +51,7 @@ rm -f signer/*.db
 rm -f signer/signer.out.*
 rm -f ns2/algroll.db
 rm -f ns3/kskonly.example.db
-rm -f ns4/named.conf
+rm -f ns4/named.conf ns5/named.conf
 rm -f ns4/managed-keys.bind*
 rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/secure.below-cname.example.db
@@ -79,3 +80,4 @@ rm -f ns3/dnskey-nsec3-unknown.example.db
 rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
 rm -f ns3/dnskey-unknown.example.db
 rm -f ns3/dnskey-unknown.example.db.tmp
+rm -f named.secroots.test*

bin/tests/system/dnssec/ns3/sign.sh

@@ -15,8 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.43 2011/11/04 05:36:28 each Exp $
-
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
@@ -505,5 +503,5 @@ zonefile=future.example.db
 kskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 zskname=`$KEYGEN -q -r $RANDFILE $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile # > /dev/null 2>&1
+$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 cp -f $kskname.key trusted-future.key

bin/tests/system/dnssec/ns5/named1.conf

@@ -15,8 +15,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.25 2007/06/18 23:47:28 tbox Exp $ */
-
 // NS5
 
 controls { /* empty */ };
@@ -35,6 +33,16 @@ options {
 	dnssec-validation yes;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
+};
+
+
 zone "." {
 	type hint;
 	file "../../common/root.hint";

bin/tests/system/dnssec/ns5/named2.conf

@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS5
+
+controls { /* empty */ };
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; 127.0.0.1; };
+	listen-on-v6 { none; };
+	recursion yes;
+};
+
+view root {
+        match-destinations { 127.0.0.1; };
+
+        zone "." {
+                type master;
+                file "root.db.signed";
+        };
+};
+
+view other {
+include "revoked.conf";
+
+        zone "." {
+                type static-stub;
+                server-addresses { 127.0.0.1; };
+        };
+};

bin/tests/system/dnssec/ns5/sign.sh

@@ -0,0 +1,42 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=.
+infile=../ns1/root.db.in
+zonefile=root.db.signed
+
+keyname=`$KEYGEN -r $RANDFILE -qfk $zone`
+
+# copy the KSK out first, then revoke it
+cat $keyname.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+managed-keys {
+    "$dn" initial-key $flags $proto $alg "$key";
+};
+EOF
+' > revoked.conf
+
+$SETTIME -R now ${keyname}.key > /dev/null
+
+# create a current set of keys, and sign the root zone
+$KEYGEN -r $RANDFILE -q $zone > /dev/null
+$KEYGEN -r $RANDFILE -qfk $zone > /dev/null
+$SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1

bin/tests/system/dnssec/setup.sh

@@ -28,4 +28,8 @@ echo "a.bogus.example.	A	10.0.0.22" >>../ns3/bogus.example.db.signed
 
 cd ../ns3 && cp -f siginterval1.conf siginterval.conf
 cd ../ns4 && cp -f named1.conf named.conf
-cd ../ns5 && cp -f trusted.conf.bad trusted.conf
+cd ../ns5 && {
+    cp -f trusted.conf.bad trusted.conf
+    cp -f named1.conf named.conf
+    $SHELL sign.sh
+}

bin/tests/system/dnssec/tests.sh

@@ -15,8 +15,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id$
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
@@ -1530,9 +1528,10 @@ echo "I:checking rndc secroots ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /'
 keyid=`cat ns1/managed.key.id`
-linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l`
+cp ns4/named.secroots named.secroots.test$n
+linecount=`grep "./RSAMD5/$keyid ; trusted" named.secroots.test$n | wc -l`
 [ "$linecount" -eq 1 ] || ret=1
-linecount=`cat ns4/named.secroots | wc -l`
+linecount=`cat named.secroots.test$n | wc -l`
 [ "$linecount" -eq 5 ] || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -2299,10 +2298,11 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I:check KEYDATA records are printed in human readable form in key zone ($n)"
-# force the zone to be written out
+# force the managed-keys zone to be written out
 $PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns4
 ret=0
 grep KEYDATA ns4/managed-keys.bind > /dev/null || ret=1
+grep "next refresh:" ns4/managed-keys.bind > /dev/null || ret=1
 # restart the server
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns4
 n=`expr $n + 1`
@@ -2504,5 +2504,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking initialization with a revoked managed key ($n)"
+ret=0
+cp ns5/named2.conf ns5/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.5 -p 9953 reconfig 2>&1 | sed 's/^/I:ns5 /'
+sleep 3
+$DIG $DIGOPTS +dnssec -p 5300 @10.53.0.5 SOA . > dig.out.ns5.test$n
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status