Merge branch '4027-nsec3-of-removed-empty-non-terminal-remains-in-chain-breaking-validation-tools' into 'main'

Resolve "NSEC3 of removed empty-non-terminal remains in chain, breaking validation tools"

Closes #4027

See merge request isc-projects/bind9!7857

Author: marka63

CHANGES

@@ -1,3 +1,7 @@
+6157.	[bug]		When removing delegations in an OPTOUT range
+			empty-non-terminal NSEC3 records generated by
+			those delegations where not removed. [GL #4027]
+
 6156.	[bug]		Reimplement the maximum and idle timeouts for incoming
 			zone tranfers. [GL #4004]
 

bin/tests/system/autosign/clean.sh

@@ -23,14 +23,13 @@ rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
 rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f dig.out.*
 rm -f digcomp.out.test*
-rm -f digcomp.out.test*
 rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
 rm -f nopriv.key vanishing.key del1.key del2.key
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
-rm -f ns*/named.lock
 rm -f ns1/root.db
 rm -f ns2/example.db
+rm -f ns2/optout-with-ent.db
 rm -f ns2/private.secure.example.db ns2/bar.db
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
 rm -f ns3/*.nzf

bin/tests/system/autosign/ns2/keygen.sh

@@ -54,3 +54,11 @@ do
 done
 $KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null
 $DSFROMKEY Kbar.+013+60101.key > dsset-bar.
+
+# a zone with empty non-terminals.
+zone=optout-with-ent
+zonefile=optout-with-ent.db
+infile=optout-with-ent.db.in
+cat $infile > $zonefile
+kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)
+$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null

bin/tests/system/autosign/ns2/named.conf.in

@@ -97,4 +97,13 @@ zone "child.optout.example" {
 	auto-dnssec maintain;
 };
 
+zone "optout-with-ent" {
+	type primary;
+	file "optout-with-ent.db";
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-update { any; };
+	auto-dnssec maintain;
+};
+
 include "trusted.conf";

bin/tests/system/autosign/ns2/optout-with-ent.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA  ns2.example. . (
+			2010042407	; serial
+			20		; refresh (20 seconds)
+			20		; retry (20 seconds)
+			1814400		; expire (3 weeks)
+			3600		; minimum (1 hour)
+			)
+			NS	ns2.example.
+sub1.ent		NS	.
+sub2.ent		NS	.

bin/tests/system/autosign/tests.sh

@@ -160,7 +160,7 @@ do
 		$DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1
 		grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1
 	done
-	for z in bar. example. private.secure.example.
+	for z in bar. example. private.secure.example. optout-with-ent.
 	do
 		$DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
 		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
@@ -180,6 +180,9 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "done"; fi
 status=$((status + ret))
 
+echo_i "Convert optout-with-ent from nsec to nsec3"
+($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
+
 echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
 for z in .
 do
@@ -1566,5 +1569,45 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
+ret=0
+zone=optout-with-ent
+hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
+# check that NSEC3 for ENT is present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1
+# remove first delegation of two delegations, NSEC3 for ENT should remain.
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update del sub1.ent.$zone NS
+echo send
+) | $NSUPDATE
+# check that NSEC3 for ENT is still present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n
+grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1
+# remove second delegation of two delegations, NSEC3 for ENT should be deleted.
+(
+echo zone $zone
+echo server 10.53.0.2 "$PORT"
+echo update del sub2.ent.$zone NS
+echo send
+) | $NSUPDATE
+# check that NSEC3 for ENT is gone present
+$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n
+grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1
+grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1
+$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n
+grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

lib/dns/nsec3.c

@@ -1440,7 +1440,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 
 	result = dns_dbiterator_seek(dbit, hashname);
 	if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
-		goto success;
+		goto cleanup_orphaned_ents;
 	}
 	if (result != ISC_R_SUCCESS) {
 		goto failure;
@@ -1452,7 +1452,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 				     (isc_stdtime_t)0, &rdataset, NULL);
 	dns_db_detachnode(db, &node);
 	if (result == ISC_R_NOTFOUND) {
-		goto success;
+		goto cleanup_orphaned_ents;
 	}
 	if (result != ISC_R_SUCCESS) {
 		goto failure;
@@ -1537,6 +1537,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version,
 	/*
 	 *  Delete NSEC3 records for now non active nodes.
 	 */
+cleanup_orphaned_ents:
 	dns_name_init(&empty, NULL);
 	dns_name_clone(name, &empty);
 	do {