Compare commits
7 Commits
aydin/isc_
...
u/fanf2/fi
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
b2636e871c | ||
|
|
85b4aed253 | ||
|
|
034d314f12 | ||
|
|
18914368c7 | ||
|
|
ebdc9fba3c | ||
|
|
cf5a999271 | ||
|
|
cae816080d |
4
CHANGES
4
CHANGES
@@ -1,3 +1,7 @@
|
||||
5447. [bug] The introduction of KASP support broke whether the
|
||||
second field of sig-validity-interval was treated as
|
||||
days or hours. (Thanks to Tony Finch.) [GL !3735]
|
||||
|
||||
5446. [bug] The validator could fail to accept a properly signed
|
||||
RRset if an unsupported algorithm appeared earlier in
|
||||
the DNSKEY RRset than a supported algorithm. It could
|
||||
|
||||
@@ -1592,11 +1592,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
|
||||
if (cfg_obj_isvoid(resign)) {
|
||||
seconds /= 4;
|
||||
} else if (!sigvalinsecs) {
|
||||
seconds = cfg_obj_asuint32(resign);
|
||||
uint32_t r = cfg_obj_asuint32(resign);
|
||||
if (seconds > 7 * 86400) {
|
||||
seconds *= 86400;
|
||||
seconds = r * 86400;
|
||||
} else {
|
||||
seconds *= 3600;
|
||||
seconds = r * 3600;
|
||||
}
|
||||
} else {
|
||||
seconds = cfg_obj_asuint32(resign);
|
||||
|
||||
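Review bot: `seconds = r * 86400;` on the days branch wraps silently when `r` exceeds 49710, because `r` is `uint32_t` and the product is unsigned 32-bit arithmetic on common targets; whether the config checker already bounds the second field of sig-validity-interval is not visible in the hunk, so either confirm that bound or reject oversized values here. The units decision now keys off the validity interval left in `seconds` instead of the resign value that used to overwrite it, which is the actual fix, and a short comment would keep the ordering from being "simplified" back: `/* validity > 7 days: second field is days, else hours */` above the `if`. `7 * 86400` appears as a bare constant; a named value would document the one-week threshold. named_zone_configure starts and ends outside the hunk.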
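--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/hours-vs-days.db.in
@@ -0,0 +1,165 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+2000042407 ; serial
+20 ; refresh (20 seconds)
+20 ; retry (20 seconds)
+1814400 ; expire (3 weeks)
+3600 ; minimum (1 hour)
+)
+NS ns2
+NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+bad-cname CNAME a
+bad-dname DNAME @
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns3.secure
+ns3.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A secure subdomain we're going to inject bogus data into
+bogus NS ns.bogus
+ns.bogus A 10.53.0.3
+
+; A subdomain with a corrupt DS
+badds NS ns.badds
+ns.badds A 10.53.0.3
+
+; A dynamic secure subdomain
+dynamic NS dynamic
+dynamic A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+; A subdomain with expired signatures
+expired NS ns.expired
+ns.expired A 10.53.0.3
+
+; A rfc2535 signed zone w/ CNAME
+rfc2535 NS ns.rfc2535
+ns.rfc2535 A 10.53.0.3
+
+z A 10.0.0.26
+
+keyless NS ns.keyless
+ns.keyless A 10.53.0.3
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+dnskey-unknown NS ns.dnskey-unknown
+ns.dnskey-unknown A 10.53.0.3
+
+dnskey-unsupported NS ns.dnskey-unsupported
+ns.dnskey-unsupported A 10.53.0.3
+
+dnskey-nsec3-unknown NS ns.dnskey-nsec3-unknown
+ns.dnskey-nsec3-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+*.wild A 10.0.0.27
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+kskonly NS ns.kskonly
+ns.kskonly A 10.53.0.3
+
+update-nsec3 NS ns.update-nsec3
+ns.update-nsec3 A 10.53.0.3
+
+auto-nsec NS ns.auto-nsec
+ns.auto-nsec A 10.53.0.3
+
+auto-nsec3 NS ns.auto-nsec3
+ns.auto-nsec3 A 10.53.0.3
+
+
+below-cname CNAME some.where.else.
+
+insecure.below-cname NS ns.insecure.below-cname
+ns.insecure.below-cname A 10.53.0.3
+
+secure.below-cname NS ns.secure.below-cname
+ns.secure.below-cname A 10.53.0.3
+
+ttlpatch NS ns.ttlpatch
+ns.ttlpatch A 10.53.0.3
+
+split-dnssec NS ns.split-dnssec
+ns.split-dnssec A 10.53.0.3
+
+split-smart NS ns.split-smart
+ns.split-smart A 10.53.0.3
+
+upper NS ns.upper
+ns.upper A 10.53.0.3
+
+LOWER NS NS.LOWER
+NS.LOWER A 10.53.0.3
+
+expiring NS ns.expiring
+ns.expiring A 10.53.0.3
+
+future NS ns.future
+ns.future A 10.53.0.3
+
+managed-future NS ns.managed-future
+ns.managed-future A 10.53.0.3
+
+revkey NS ns.revkey
+ns.revkey A 10.53.0.3
+
+dname-at-apex-nsec3 NS ns3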
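Review bot: The new fixture carries dozens of delegations (bogus, badds, expired, the nsec3 variants and so on) that the hours-vs-days check in tests.sh never exercises — that test only AXFRs the zone and inspects RRSIG expiry — so it appears to be a wholesale copy of a sibling ns2 zone rather than a purpose-built file. A zone with just the apex SOA/NS and a couple of A records would sign faster and make it obvious what the test depends on. If the copy is intentional, a header line such as `; Copy of the ns2 example zone, used only by the sig-validity-interval hours-vs-days test` would say so.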
@@ -182,4 +182,13 @@ zone "corp" {
|
||||
file "corp.db";
|
||||
};
|
||||
|
||||
zone "hours-vs-days" {
|
||||
type master;
|
||||
file "hours-vs-days.db.signed";
|
||||
auto-dnssec maintain;
|
||||
/* validity 500 days, resign in 499 days */
|
||||
sig-validity-interval 500 499;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
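Review bot: The comment above `sig-validity-interval 500 499;` records the numbers but not the property the test depends on: the first field must exceed 7 days so that the second field is read as days, and lowering it under a week would silently flip the unit and defeat the regression check. Suggest `/* validity 500 days (> 7 days), so the resign field 499 is days, not hours */`. `allow-update { any; };` accepts dynamic updates from any source; that is acceptable only because this is sandboxed system-test configuration and should not be copied into a production example. The `zone "corp"` block closing at the top of the hunk starts outside it.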
@@ -308,3 +308,11 @@ sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
|
||||
# Don't sign, let auto-dnssec maintain do it.
|
||||
mv $zonefile "$zonefile.signed"
|
||||
|
||||
zone=hours-vs-days
|
||||
infile=hours-vs-days.db.in
|
||||
zonefile=hours-vs-days.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
$SETTIME -P sync now "$key1" > /dev/null
|
||||
cat "$infile" > "$zonefile.signed"
|
||||
|
||||
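Review bot: The new block generates `key2` but never references it again, and the final `cat "$infile" > "$zonefile.signed"` writes the zone without either key, unlike the context line above that concatenates `"$key1.key" "$key2.key"` into the previous zone. If that is deliberate — named is expected to publish the keys from the key directory under `auto-dnssec maintain` — a comment would stop someone from "fixing" it by copying the earlier pattern: `# Keys are deliberately not added here; auto-dnssec maintain publishes them.` `$SETTIME` is unquoted while `$KEYGEN` is quoted on the lines above; the file's prevailing style decides, but the two should match. The script continues outside the hunk.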
@@ -4270,5 +4270,16 @@ n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking sig-validity-interval second field hours vs days ($n)"
|
||||
ret=0
|
||||
# zone configured with 'sig-validity-interval 500 499;'
|
||||
# 499 days in the future w/ a 20 minute runtime to now allowance
|
||||
min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
|
||||
dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n
|
||||
awk -v min=$min '$4 == "RRSIG" { if ($9 < min) { exit(1); } }' dig.out.ns2.test$n || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
||||
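Review bot: The awk check passes vacuously when the AXFR contains no RRSIG records at all — a zone that failed to load, was not signed yet, or an empty transfer — because the rule only exits 1 on an RRSIG whose expiry is too early. Track that at least one RRSIG was seen and fail otherwise: `awk -v min="$min" '$4 == "RRSIG" { seen = 1; if ($9 < min) { exit(1); } } END { if (!seen) { exit(1); } }' dig.out.ns2.test$n || ret=1`. Nothing records that the expiry is expected to land roughly 500 days out, so an upper bound as well (e.g. expiry no later than 501 days from now) would also catch a future regression that over-extends signatures. The surrounding test sequence continues outside the hunk.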
@@ -53,3 +53,7 @@ Bug Fixes
|
||||
unsupported algorithm appeared earlier in the DNSKEY RRset than a
|
||||
supported algorithm. It could also stop if it detected a malformed
|
||||
public key. [GL #1689]
|
||||
|
||||
- The introduction of KASP support broke whether the second field
|
||||
of sig-validity-interval was treated as days or hours. (Thanks to
|
||||
Tony Finch.) [GL !3735]
|
||||
|
||||