Commit b0e79dff authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'no_sign_empty_update' into 'master'

Fix signing of delegations

See merge request !972
parents 622b540b 5458c5b2
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> /* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -27,6 +27,7 @@ ...@@ -27,6 +27,7 @@
#include "knot/dnssec/zone-keys.h" #include "knot/dnssec/zone-keys.h"
#include "knot/dnssec/zone-nsec.h" #include "knot/dnssec/zone-nsec.h"
#include "knot/dnssec/zone-sign.h" #include "knot/dnssec/zone-sign.h"
#include "knot/zone/adjust.h"
static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags, static int sign_init(zone_contents_t *zone, zone_sign_flags_t flags, zone_sign_roll_flags_t roll_flags,
kdnssec_ctx_t *ctx, zone_sign_reschedule_t *reschedule) kdnssec_ctx_t *ctx, zone_sign_reschedule_t *reschedule)
...@@ -178,6 +179,11 @@ int knot_dnssec_zone_sign(zone_update_t *update, ...@@ -178,6 +179,11 @@ int knot_dnssec_zone_sign(zone_update_t *update,
goto done; goto done;
} }
result = zone_adjust_contents(update->new_cont, adjust_cb_flags, NULL);
if (result != KNOT_EOK) {
return result;
};
result = knot_zone_create_nsec_chain(update, &keyset, &ctx); result = knot_zone_create_nsec_chain(update, &keyset, &ctx);
if (result != KNOT_EOK) { if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to create NSEC%s chain (%s)", log_zone_error(zone_name, "DNSSEC, failed to create NSEC%s chain (%s)",
...@@ -254,6 +260,11 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch ...@@ -254,6 +260,11 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch
goto done; goto done;
} }
result = zone_adjust_update(update, adjust_cb_flags, NULL);
if (result != KNOT_EOK) {
goto done;
}
knot_time_t expire_at = 0; knot_time_t expire_at = 0;
result = knot_zone_sign_update(update, &keyset, &ctx, &expire_at); result = knot_zone_sign_update(update, &keyset, &ctx, &expire_at);
if (result != KNOT_EOK) { if (result != KNOT_EOK) {
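Review bot: The new failure path `return result;` after `zone_adjust_contents()` skips the `done:` cleanup that every neighbouring error path uses (`goto done;` directly above it, and in the matching hunk added to knot_dnssec_sign_update), so whatever sign_init() prepared in `ctx` and `keyset` is presumably not released there; it should read `goto done;` like the second hunk. The `};` closing that block leaves a stray empty statement — drop the semicolon. Both new calls pass `adjust_cb_flags` with no second callback, whereas the call this commit removes from knot_zone_sign_update passed `adjust_cb_flags_and_additionals` and `adjust_cb_nsec3_flags`; if the narrower adjustment is intentional because additionals and NSEC3 flags are handled later in the pipeline, a one-line comment above each call saying so would save the next reader the same question — please confirm. Both knot_dnssec_zone_sign and knot_dnssec_sign_update start and end outside their hunks.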
...@@ -27,7 +27,6 @@ ...@@ -27,7 +27,6 @@
#include "knot/dnssec/key_records.h" #include "knot/dnssec/key_records.h"
#include "knot/dnssec/rrset-sign.h" #include "knot/dnssec/rrset-sign.h"
#include "knot/dnssec/zone-sign.h" #include "knot/dnssec/zone-sign.h"
#include "knot/zone/adjust.h"
#include "libknot/libknot.h" #include "libknot/libknot.h"
#include "contrib/dynarray.h" #include "contrib/dynarray.h"
#include "contrib/macros.h" #include "contrib/macros.h"
...@@ -1163,11 +1162,6 @@ int knot_zone_sign_update(zone_update_t *update, ...@@ -1163,11 +1162,6 @@ int knot_zone_sign_update(zone_update_t *update,
int ret = KNOT_EOK; int ret = KNOT_EOK;
ret = zone_adjust_update(update, adjust_cb_flags_and_additionals, adjust_cb_nsec3_flags);
if (ret != KNOT_EOK) {
return ret;
}
/* Check if the UPDATE changed DNSKEYs or NSEC3PARAM. /* Check if the UPDATE changed DNSKEYs or NSEC3PARAM.
* If so, we have to sign the whole zone. */ * If so, we have to sign the whole zone. */
const bool full_sign = apex_dnssec_changed(update); const bool full_sign = apex_dnssec_changed(update);
example.com. 3 SOA dns1.example.com. hostmaster.example.com. 2010111227 21600 3600 604800 3
example.com. 0 NS dns1.example.com.
example.com. 2 MX 10 mail.example.com.
dns1.example.com. 4 A 192.0.2.1
dns1.example.com. 3 AAAA 2001:db8::1
foo.example.com. 5 A 192.0.2.4
mail.example.com. 3 A 192.0.2.3
mail.example.com. 1 AAAA 2001:db8::3
deleg.example.com. 6 NS dns1.example.com.
deleg2.ent.example.com. 7 NS dns1.example.com.
abcd.example.com. 9 A 192.0.3.4
#!/usr/bin/env python3
'''Test for no re-signing if the zone is properly signed.'''
from dnstest.utils import *
from dnstest.test import Test
t = Test()
master = t.server("knot")
zone = t.zone("example.com.", storage=".")
t.link(zone, master, ixfr=True, journal_content="all")
master.dnssec(zone).enable = True
t.start()
serial = master.zone_wait(zone)
master.random_ddns(zone, allow_empty=False)
serial = master.zone_wait(zone, serial)
master.stop()
t.sleep(1)
master.start()
new_serial = master.zone_wait(zone)
if new_serial != serial:
set_err("zone got re-signed")
t.stop()
...@@ -717,11 +717,16 @@ class Server(object): ...@@ -717,11 +717,16 @@ class Server(object):
else: else:
self.zones[zone.name].zfile.upd_file(storage=storage, version=version) self.zones[zone.name].zfile.upd_file(storage=storage, version=version)
def random_ddns(self, zone): def random_ddns(self, zone, allow_empty=True):
zone = zone_arg_check(zone) zone = zone_arg_check(zone)
up = self.update(zone) up = self.update(zone)
self.zones[zone.name].zfile.gen_rnd_ddns(up)
while True:
changes = self.zones[zone.name].zfile.gen_rnd_ddns(up)
if allow_empty or changes > 0:
break
up.send("NOERROR") up.send("NOERROR")
def add_module(self, zone, module): def add_module(self, zone, module):
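Review bot: The `while True` retry in random_ddns has no upper bound: gen_rnd_ddns returns 0 whenever its random draws select nothing, and for a zone file with few eligible records it can do so on every pass, so an `allow_empty=False` call can spin indefinitely inside a test run with no diagnostic. A bounded loop that fails loudly keeps the failure mode visible, e.g. `for _ in range(100):` in place of `while True:`, with `else: raise Exception("random_ddns: no change generated for %s" % zone.name)` after the loop. The new parameter also deserves a docstring, e.g. `'''Send a random DDNS update; with allow_empty=False, retry until at least one change is generated.'''`.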
...@@ -249,6 +249,7 @@ class ZoneFile(object): ...@@ -249,6 +249,7 @@ class ZoneFile(object):
def gen_rnd_ddns(self, ddns): def gen_rnd_ddns(self, ddns):
'''Walk zonefile, randomly mark some records to be removed by ddns and some added''' '''Walk zonefile, randomly mark some records to be removed by ddns and some added'''
changes = 0
with open(self.path, 'r') as file: with open(self.path, 'r') as file:
for fline in file: for fline in file:
line = fline.split(None, 3) line = fline.split(None, 3)
...@@ -256,11 +257,14 @@ class ZoneFile(object): ...@@ -256,11 +257,14 @@ class ZoneFile(object):
try: try:
if random.randint(1, 20) in [4, 5]: if random.randint(1, 20) in [4, 5]:
ddns.delete(line[0], line[2]) ddns.delete(line[0], line[2])
changes += 1
if random.randint(1, 20) in [2, 3] and line[2] not in ["DNAME"]: if random.randint(1, 20) in [2, 3] and line[2] not in ["DNAME"]:
ddns.add("xyz."+line[0], line[1], line[2], line[3]) ddns.add("xyz."+line[0], line[1], line[2], line[3])
changes += 1
except (dns.rdatatype.UnknownRdatatype, dns.name.LabelTooLong, dns.name.NameTooLong): except (dns.rdatatype.UnknownRdatatype, dns.name.LabelTooLong, dns.name.NameTooLong):
# problems - simply skip. This is completely stochastic anyway. # problems - simply skip. This is completely stochastic anyway.
pass pass
return changes
def remove(self): def remove(self):
'''Remove zone file.''' '''Remove zone file.'''
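Review bot: gen_rnd_ddns now has a return value that callers depend on (random_ddns loops on it), but the docstring still describes only the side effects; extend it to `'''Walk zonefile, randomly mark some records to be removed by ddns and some added. Return the number of delete/add operations queued on ddns.'''`. Note that `changes` is incremented only after `ddns.delete`/`ddns.add` return, so a record whose add raises one of the caught exceptions is correctly not counted, which is worth a brief comment at the counter since the except clause swallows the failure silently.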