net/bind910: backport from bind911

Backport changes between BIND 9.11.4-P1 and 9.11.4-P2.

Bump PKGREVISION.


(taca)

$NetBSD: patch-bin_named_server.c,v 1.1 2018/09/23 14:27:07 taca Exp $

* Backport change between BIND 9.11.4-P1 and 9.11.4-P2.

--- bin/named/server.c.orig	2018-07-24 17:26:47.000000000 +0000
+++ bin/named/server.c
@@ -9345,7 +9345,7 @@ ns_server_freeze(ns_server_t *server, is
 		 isc_lex_t *lex, isc_buffer_t *text)
 {
 	isc_result_t result, tresult;
-	dns_zone_t *zone = NULL, *raw = NULL;
+	dns_zone_t *mayberaw = NULL, *raw = NULL;
 	dns_zonetype_t type;
 	char classstr[DNS_RDATACLASS_FORMATSIZE];
 	char zonename[DNS_NAME_FORMATSIZE];
@@ -9354,11 +9354,11 @@ ns_server_freeze(ns_server_t *server, is
 	isc_boolean_t frozen;
 	const char *msg = NULL;
 
-	result = zone_from_args(server, lex, NULL, &zone, NULL,
+	result = zone_from_args(server, lex, NULL, &mayberaw, NULL,
 				text, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	if (zone == NULL) {
+	if (mayberaw == NULL) {
 		result = isc_task_beginexclusive(server->task);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		tresult = ISC_R_SUCCESS;
@@ -9378,26 +9378,26 @@ ns_server_freeze(ns_server_t *server, is
 			      isc_result_totext(tresult));
 		return (tresult);
 	}
-	dns_zone_getraw(zone, &raw);
+	dns_zone_getraw(mayberaw, &raw);
 	if (raw != NULL) {
-		dns_zone_detach(&zone);
-		dns_zone_attach(raw, &zone);
+		dns_zone_detach(&mayberaw);
+		dns_zone_attach(raw, &mayberaw);
 		dns_zone_detach(&raw);
 	}
-	type = dns_zone_gettype(zone);
+	type = dns_zone_gettype(mayberaw);
 	if (type != dns_zone_master) {
-		dns_zone_detach(&zone);
+		dns_zone_detach(&mayberaw);
 		return (DNS_R_NOTMASTER);
 	}
 
-	if (freeze && !dns_zone_isdynamic(zone, ISC_TRUE)) {
-		dns_zone_detach(&zone);
+	if (freeze && !dns_zone_isdynamic(mayberaw, ISC_TRUE)) {
+		dns_zone_detach(&mayberaw);
 		return (DNS_R_NOTDYNAMIC);
 	}
 
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	frozen = dns_zone_getupdatedisabled(zone);
+	frozen = dns_zone_getupdatedisabled(mayberaw);
 	if (freeze) {
 		if (frozen) {
 			msg = "WARNING: The zone was already frozen.\n"
@@ -9406,16 +9406,16 @@ ns_server_freeze(ns_server_t *server, is
 			result = DNS_R_FROZEN;
 		}
 		if (result == ISC_R_SUCCESS) {
-			result = dns_zone_flush(zone);
+			result = dns_zone_flush(mayberaw);
 			if (result != ISC_R_SUCCESS)
 				msg = "Flushing the zone updates to "
 				      "disk failed.";
 		}
 		if (result == ISC_R_SUCCESS)
-			dns_zone_setupdatedisabled(zone, freeze);
+			dns_zone_setupdatedisabled(mayberaw, freeze);
 	} else {
 		if (frozen) {
-			result = dns_zone_loadandthaw(zone);
+			result = dns_zone_loadandthaw(mayberaw);
 			switch (result) {
 			case ISC_R_SUCCESS:
 			case DNS_R_UPTODATE:
@@ -9437,7 +9437,7 @@ ns_server_freeze(ns_server_t *server, is
 		isc_buffer_putmem(text, (const unsigned char *)msg,
 				  strlen(msg) + 1);
 
-	view = dns_zone_getview(zone);
+	view = dns_zone_getview(mayberaw);
 	if (strcmp(view->name, "_default") == 0 ||
 	    strcmp(view->name, "_bind") == 0)
 	{
@@ -9447,9 +9447,9 @@ ns_server_freeze(ns_server_t *server, is
 		vname = view->name;
 		sep = " ";
 	}
-	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+	dns_rdataclass_format(dns_zone_getclass(mayberaw), classstr,
 			      sizeof(classstr));
-	dns_name_format(dns_zone_getorigin(zone),
+	dns_name_format(dns_zone_getorigin(mayberaw),
 			zonename, sizeof(zonename));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@@ -9457,7 +9457,7 @@ ns_server_freeze(ns_server_t *server, is
 		      freeze ? "freezing" : "thawing",
 		      zonename, classstr, sep, vname,
 		      isc_result_totext(result));
-	dns_zone_detach(&zone);
+	dns_zone_detach(&mayberaw);
 	return (result);
 }
 

$NetBSD: patch-bin_named_zoneconf.c,v 1.1 2018/09/23 14:27:07 taca Exp $

* Backport change between BIND 9.11.4-P1 and 9.11.4-P2.

--- bin/named/zoneconf.c.orig	2018-07-24 17:26:47.000000000 +0000
+++ bin/named/zoneconf.c
@@ -1214,7 +1214,7 @@ ns_zone_configure(const cfg_obj_t *confi
 			dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
 					   ISC_TRUE);
 			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
-					   ISC_TRUE);
+					   ISC_FALSE);
 		} else
 			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
 					   ixfrdiff);

$NetBSD: patch-lib_dns_zone.c,v 1.1 2018/09/23 14:27:07 taca Exp $

* Backport change between BIND 9.11.4-P1 and 9.11.4-P2.

--- lib/dns/zone.c.orig	2018-07-24 17:26:47.000000000 +0000
+++ lib/dns/zone.c
@@ -1725,6 +1725,10 @@ dns_zone_isdynamic(dns_zone_t *zone, isc
 	    (zone->type == dns_zone_redirect && zone->masters != NULL))
 		return (ISC_TRUE);
 
+	/* Inline zones are always dynamic. */
+	if (zone->type == dns_zone_master && zone->raw != NULL)
+		return (ISC_TRUE);
+
 	/* If !ignore_freeze, we need check whether updates are disabled.  */
 	if (zone->type == dns_zone_master &&
 	    (!zone->update_disabled || ignore_freeze) &&
@@ -1737,6 +1741,11 @@ dns_zone_isdynamic(dns_zone_t *zone, isc
 }
 
 /*
+ * Note: when dealing with inline-signed zones, external callers will always
+ * call zone_load() for the secure zone; zone_load() calls itself recursively
+ * in order to load the raw zone.
+ */
+/*
  * Set the response policy index and information for a zone.
  */
 isc_result_t
@@ -1830,6 +1839,28 @@ zone_load(dns_zone_t *zone, unsigned int
 	INSIST(zone != zone->raw);
 	hasraw = inline_secure(zone);
 	if (hasraw) {
+		/*
+		 * We are trying to load an inline-signed zone.  First call
+		 * self recursively to try loading the raw version of the zone.
+		 * Assuming the raw zone file is readable, there are two
+		 * possibilities:
+		 *
+		 *  a) the raw zone was not yet loaded and thus it will be
+		 *     loaded now, synchronously; if this succeeds, a
+		 *     subsequent attempt to load the signed zone file will
+		 *     take place and thus zone_postload() will be called
+		 *     twice: first for the raw zone and then for the secure
+		 *     zone; the latter call will take care of syncing the raw
+		 *     version with the secure version,
+		 *
+		 *  b) the raw zone was already loaded and we are trying to
+		 *     reload it, which will happen asynchronously; this means
+		 *     zone_postload() will only be called for the raw zone
+		 *     because "result" returned by the zone_load() call below
+		 *     will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE;
+		 *     zone_postload() called for the raw zone will take care
+		 *     of syncing the raw version with the secure version.
+		 */
 		result = zone_load(zone->raw, flags, ISC_FALSE);
 		if (result != ISC_R_SUCCESS) {
 			if (!locked)
@@ -1869,7 +1900,7 @@ zone_load(dns_zone_t *zone, unsigned int
 		 * zone being reloaded.  Do nothing - the database
 		 * we already have is guaranteed to be up-to-date.
 		 */
-		if (zone->type == dns_zone_master)
+		if (zone->type == dns_zone_master && !hasraw)
 			result = DNS_R_DYNAMIC;
 		else
 			result = ISC_R_SUCCESS;
@@ -1912,7 +1943,6 @@ zone_load(dns_zone_t *zone, unsigned int
 			goto cleanup;
 		}
 
-
 		/*
 		 * If the file modification time is in the past
 		 * set loadtime to that value.
@@ -4401,11 +4431,13 @@ zone_postload(dns_zone_t *zone, dns_db_t
 	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
 	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
 	{
-		if (zone->type == dns_zone_master &&
-		    (zone->update_acl != NULL || zone->ssutable != NULL))
+		if (zone->type == dns_zone_master && (inline_secure(zone) ||
+		    (zone->update_acl != NULL || zone->ssutable != NULL)))
+		{
 			options = DNS_JOURNALOPT_RESIGN;
-		else
+		} else {
 			options = 0;
+		}
 		result = dns_journal_rollforward(zone->mctx, db, options,
 						 zone->journal);
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
@@ -4547,14 +4579,14 @@ zone_postload(dns_zone_t *zone, dns_db_t
 			    !isc_serial_gt(serial, oldserial)) {
 				isc_uint32_t serialmin, serialmax;
 
-				INSIST(zone->type == dns_zone_master);
+				INSIST(zone->raw == NULL);
 
 				if (serial == oldserial &&
 				    zone_unchanged(zone->db, db, zone->mctx)) {
 					dns_zone_log(zone, ISC_LOG_INFO,
 						     "ixfr-from-differences: "
 						     "unchanged");
-					return(ISC_R_SUCCESS);
+					goto done;
 				}
 
 				serialmin = (oldserial + 1) & 0xffffffffU;
@@ -4778,8 +4810,7 @@ zone_postload(dns_zone_t *zone, dns_db_t
 			     dns_db_issecure(db) ? " (DNSSEC signed)" : "");
 
 	zone->loadtime = loadtime;
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
-	return (result);
+	goto done;
 
  cleanup:
 	for (inc = ISC_LIST_HEAD(zone->newincludes);
@@ -4816,6 +4847,23 @@ zone_postload(dns_zone_t *zone, dns_db_t
 			result = ISC_R_SUCCESS;
 	}
 
+ done:
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	/*
+	 * If this is an inline-signed zone and we were called for the raw
+	 * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone
+	 * as well, but only if this is a reload, not an initial zone load: in
+	 * the former case, zone_postload() will not be run for the secure
+	 * zone; in the latter case, it will be.  Check which case we are
+	 * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the
+	 * secure zone: if it is set, this must be a reload.
+	 */
+	if (inline_raw(zone) &&
+	    DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
+	{
+		DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+	}
+
 	return (result);
 }