commit 0f835f7eff5bbd45461b9b43276267ff3c953ece
Author: Tomas Korbar <tkorbar@redhat.com>
Date:   Fri Nov 13 10:23:42 2020 +0100

    Fix inline resigning

diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 564c084..5cd0b05 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -69,6 +69,8 @@ LWTEST=$TOP/bin/tests/system/lwresd/lwtest
 MAKEJOURNAL=$TOP/bin/tests/makejournal
 PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries
 SAMPLEUPDATE=$TOP/lib/samples/sample-update
+DEFAULT_ALGORITHM=ECDSAP256SHA256
+DEFAULT_BITS=256
 
 # we don't want a KRB5_CONFIG setting breaking the tests
 KRB5_CONFIG=/dev/null
@@ -364,3 +366,5 @@ export SAMPLEUPDATE
 export SIGNER
 export SUBDIRS
 export TESTSOCK6
+export DEFAULT_ALGORITHM
+export DEFAULT_BITS
diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in
new file mode 100644
index 0000000..eb39aa7
--- /dev/null
+++ b/bin/tests/system/inline/ns8/example.com.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns8 . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns8
+ns8			A	10.53.0.8
diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in
new file mode 100644
index 0000000..ea4876b
--- /dev/null
+++ b/bin/tests/system/inline/ns8/named.conf.in
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS8
+
+include "../../common/rndc.key";
+
+controls {
+	inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.8;
+	notify-source 10.53.0.8;
+	transfer-source 10.53.0.8;
+	port @PORT@;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.8; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	try-tcp-refresh no;
+	notify-delay 0;
+	allow-new-zones yes;
+};
+
+zone "example01.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example01.com.db";
+};
+
+zone "example02.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example02.com.db";
+};
+
+zone "example03.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example03.com.db";
+};
+
+zone "example04.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example04.com.db";
+};
+
+zone "example05.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example05.com.db";
+};
+
+zone "example06.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example06.com.db";
+};
+
+zone "example07.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example07.com.db";
+};
+
+zone "example08.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example08.com.db";
+};
+
+zone "example09.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example09.com.db";
+};
+
+zone "example10.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example10.com.db";
+};
+
+zone "example11.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example11.com.db";
+};
+
+zone "example12.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example12.com.db";
+};
+
+zone "example13.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example13.com.db";
+};
+
+zone "example14.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example14.com.db";
+};
+
+zone "example15.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example15.com.db";
+};
+
+zone "example16.com" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "example16.com.db";
+};
diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh
new file mode 100644
index 0000000..5d36cb9
--- /dev/null
+++ b/bin/tests/system/inline/ns8/sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+for zone in example01.com example02.com example03.com example04.com \
+	    example05.com example06.com example07.com example08.com \
+	    example09.com example10.com example11.com example12.com \
+	    example13.com example14.com example15.com example16.com
+do
+  rm -f K${zone}.+*+*.key
+  rm -f K${zone}.+*+*.private
+  keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+  keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
+  cp example.com.db.in ${zone}.db
+  $SIGNER -S -T 3600 -O raw -o ${zone} ${zone}.db > /dev/null 2>&1
+done
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 4dd4dd0..13dd6c7 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -49,7 +49,9 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.pre ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
 
 (cd ns3; $SHELL -e sign.sh)
 (cd ns1; $SHELL -e sign.sh)
 (cd ns7; $SHELL -e sign.sh)
+(cd ns8; $SHELL -e sign.sh)
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index b517138..22fc1af 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -1342,5 +1342,24 @@ grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking reload of touched inline zones ($n)"
+echo_ic "pre-reload 'next key event'"
+nextpart ns8/named.run > nextpart.pre$n.out
+count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l`
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+echo_ic "touch and reload"
+touch ns8/example??.com.db
+$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 5
+echo_ic "post-reload 'next key event'"
+nextpart ns8/named.run > nextpart.post$n.out
+count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l`
+echo_ic "found: $count/16"
+[ $count -eq 16 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 96c98d5..42a1811 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3611,6 +3611,8 @@ set_resigntime(dns_zone_t *zone) {
 	isc_uint32_t nanosecs;
 	dns_db_t *db = NULL;
 
+	INSIST(LOCKED_ZONE(zone));
+
 	/* We only re-sign zones that can be dynamically updated */
 	if (zone->update_disabled)
 		return;
@@ -4958,6 +4960,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	    DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
 	{
 		DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+		/*
+		 * Re-start zone maintenance if it had been stalled
+		 * due to DNS_ZONEFLG_LOADPENDING being set when
+		 * zone_maintenance was called.
+		 */
+		if (zone->secure->task != NULL) {
+			zone_settimer(zone->secure, &now);
+		}
 	}
 
 	return (result);
@@ -6672,14 +6682,15 @@ zone_resigninc(dns_zone_t *zone) {
 	if (version != NULL) {
 		dns_db_closeversion(db, &version, ISC_FALSE);
 		dns_db_detach(&db);
-	} else if (db != NULL)
+	} else if (db != NULL) {
 		dns_db_detach(&db);
+	}
+
+	LOCK_ZONE(zone);
 	if (result == ISC_R_SUCCESS) {
 		set_resigntime(zone);
-		LOCK_ZONE(zone);
 		zone_needdump(zone, DNS_DUMP_DELAY);
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-		UNLOCK_ZONE(zone);
 	} else {
 		/*
 		 * Something failed.  Retry in 5 minutes.
@@ -6688,6 +6699,7 @@ zone_resigninc(dns_zone_t *zone) {
 		isc_interval_set(&ival, 300, 0);
 		isc_time_nowplusinterval(&zone->resigntime, &ival);
 	}
+	UNLOCK_ZONE(zone);
 
 	INSIST(version == NULL);
 }
@@ -8177,7 +8189,9 @@ zone_nsec3chain(dns_zone_t *zone) {
 		nsec3chain = ISC_LIST_HEAD(cleanup);
 	}
 
+	LOCK_ZONE(zone);
 	set_resigntime(zone);
+	UNLOCK_ZONE(zone);
 
  failure:
 	if (result != ISC_R_SUCCESS)
@@ -8841,14 +8855,14 @@ zone_sign(dns_zone_t *zone) {
 		signing = ISC_LIST_HEAD(cleanup);
 	}
 
+	LOCK_ZONE(zone);
 	set_resigntime(zone);
 
 	if (commit) {
-		LOCK_ZONE(zone);
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 		zone_needdump(zone, DNS_DUMP_DELAY);
-		UNLOCK_ZONE(zone);
 	}
+	UNLOCK_ZONE(zone);
 
  failure:
 	/*
@@ -8885,6 +8899,7 @@ zone_sign(dns_zone_t *zone) {
 	} else if (db != NULL)
 		dns_db_detach(&db);
 
+	LOCK_ZONE(zone);
 	if (ISC_LIST_HEAD(zone->signing) != NULL) {
 		isc_interval_t interval;
 		if (zone->update_disabled || result != ISC_R_SUCCESS)
@@ -8892,8 +8907,10 @@ zone_sign(dns_zone_t *zone) {
 		else
 			isc_interval_set(&interval, 0, 10000000); /* 10 ms */
 		isc_time_nowplusinterval(&zone->signingtime, &interval);
-	} else
+ 	} else {
 		isc_time_settoepoch(&zone->signingtime);
+	}
+	UNLOCK_ZONE(zone);
 
 	INSIST(version == NULL);
 }
@@ -9983,7 +10000,7 @@ zone_maintenance(dns_zone_t *zone) {
 	const char me[] = "zone_maintenance";
 	isc_time_t now;
 	isc_result_t result;
-	isc_boolean_t dumping;
+	isc_boolean_t dumping, viewok;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	ENTER;
@@ -10001,8 +10018,12 @@ zone_maintenance(dns_zone_t *zone) {
 	 * adb or resolver will be NULL, and we had better not try
 	 * to do further maintenance on it.
 	 */
-	if (zone->view == NULL || zone->view->adb == NULL)
+	LOCK_ZONE(zone);
+	viewok = (zone->view != NULL && zone->view->adb != NULL);
+	UNLOCK_ZONE(zone);
+	if (!viewok) {
 		return;
+	}
 
 	TIME_NOW(&now);
 
@@ -10195,8 +10216,14 @@ dns_zone_markdirty(dns_zone_t *zone) {
 		}
 
 		/* XXXMPA make separate call back */
-		if (result == ISC_R_SUCCESS)
+		if (result == ISC_R_SUCCESS) {
 			set_resigntime(zone);
+			if (zone->task != NULL) {
+				isc_time_t now;
+				TIME_NOW(&now);
+				zone_settimer(zone, &now);
+			}
+		}
 	}
 	if (secure != NULL)
 		UNLOCK_ZONE(secure);
@@ -14418,6 +14445,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 	zone->sourceserialset = ISC_TRUE;
 	zone_needdump(zone, DNS_DUMP_DELAY);
 
+	/*
+	 * Set resign time to make sure it is set to the earliest
+	 * signature expiration.
+	 */
+	set_resigntime(zone);
 	TIME_NOW(&timenow);
 	zone_settimer(zone, &timenow);
 	UNLOCK_ZONE(zone);
@@ -14436,9 +14468,15 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 
 	if (zone->rss_raw != NULL)
 		dns_zone_detach(&zone->rss_raw);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		LOCK_ZONE(zone);
+		set_resigntime(zone);
+		TIME_NOW(&timenow);
+		zone_settimer(zone, &timenow);
+		UNLOCK_ZONE(zone);
 		dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_serial: %s",
 			     dns_result_totext(result));
+	}
 	if (tuple != NULL)
 		dns_difftuple_free(&tuple);
 	if (soatuple != NULL)
@@ -18096,10 +18134,11 @@ zone_rekey(dns_zone_t *zone) {
 
 	dns_db_closeversion(db, &ver, ISC_TRUE);
 
+	LOCK_ZONE(zone);
+
 	if (commit) {
 		dns_difftuple_t *tuple;
 
-		LOCK_ZONE(zone);
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
 
 		zone_needdump(zone, DNS_DUMP_DELAY);
@@ -18217,7 +18256,6 @@ zone_rekey(dns_zone_t *zone) {
 		 * Schedule the next resigning event
 		 */
 		set_resigntime(zone);
-		UNLOCK_ZONE(zone);
 	}
 
 	isc_time_settoepoch(&zone->refreshkeytime);
@@ -18231,11 +18269,9 @@ zone_rekey(dns_zone_t *zone) {
 		isc_time_t timethen;
 		isc_stdtime_t then;
 
-		LOCK_ZONE(zone);
 		DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
 				  &timethen);
 		zone->refreshkeytime = timethen;
-		UNLOCK_ZONE(zone);
 
 		for (key = ISC_LIST_HEAD(dnskeys);
 		     key != NULL;
@@ -18246,12 +18282,10 @@ zone_rekey(dns_zone_t *zone) {
 				continue;
 
 			DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
-			LOCK_ZONE(zone);
 			if (isc_time_compare(&timethen,
 					     &zone->refreshkeytime) < 0) {
 				zone->refreshkeytime = timethen;
 			}
-			UNLOCK_ZONE(zone);
 		}
 
 		zone_settimer(zone, &timenow);
@@ -18259,6 +18293,7 @@ zone_rekey(dns_zone_t *zone) {
 		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
 		dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
 	}
+	UNLOCK_ZONE(zone);
 
  done:
 	dns_diff_clear(&diff);
@@ -18293,8 +18328,10 @@ zone_rekey(dns_zone_t *zone) {
 	 * Something went wrong; try again in ten minutes or
 	 * after a key refresh interval, whichever is shorter.
 	 */
+	LOCK_ZONE(zone);
 	isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0);
 	isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+	UNLOCK_ZONE(zone);
 	goto done;
 }