mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 07:35:26 +00:00
Code Issues Releases Wiki Activity

New option to dnssec-signzone to ignore sync rrs

Browse Source 
By default, CDS and CDNSKEY records are generated from the given
key list. In some cases you don't want that.
This commit is contained in:
Matthijs Mekking
2023-02-10 15:05:02 +01:00
parent e5841856f8
commit 06e64821f5
2 changed files with 30 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
bin/dnssec/dnssec-signzone.c
View File

@@ -65,6 +65,7 @@
#include <dns/dnssec.h> #include <dns/dnssec.h>
#include <dns/ds.h> #include <dns/ds.h>
#include <dns/fixedname.h> #include <dns/fixedname.h>
#include <dns/kasp.h>
#include <dns/keyvalues.h> #include <dns/keyvalues.h>
#include <dns/log.h> #include <dns/log.h>
#include <dns/master.h> #include <dns/master.h>
@@ -172,6 +173,7 @@ static bool output_stdout = false;
static bool set_maxttl = false; static bool set_maxttl = false;
static dns_ttl_t maxttl = 0; static dns_ttl_t maxttl = 0;
static bool no_max_check = false; static bool no_max_check = false;
static bool ignore_sync = false;
#define INCSTAT(counter) \ #define INCSTAT(counter) \
if (printstats) { \ if (printstats) { \
@@ -2740,10 +2742,20 @@ build_final_keylist(void) {
dns_dnsseckeylist_t rmkeys, matchkeys; dns_dnsseckeylist_t rmkeys, matchkeys;
char name[DNS_NAME_FORMATSIZE]; char name[DNS_NAME_FORMATSIZE];
dns_rdataset_t cdsset, cdnskeyset, soaset; dns_rdataset_t cdsset, cdnskeyset, soaset;
dns_kasp_digestlist_t digests;
dns_kasp_digest_t digest = {
.digest = DNS_DSDIGEST_SHA256,
.link = ISC_LINK_INITIALIZER,
};
ISC_LIST_INIT(rmkeys); ISC_LIST_INIT(rmkeys);
ISC_LIST_INIT(matchkeys); ISC_LIST_INIT(matchkeys);
ISC_LIST_INIT(digests);
if (!ignore_sync) {
ISC_LIST_APPEND(digests, &digest, link);
}
dns_rdataset_init(&soaset); dns_rdataset_init(&soaset);
dns_rdataset_init(&cdsset); dns_rdataset_init(&cdsset);
dns_rdataset_init(&cdnskeyset); dns_rdataset_init(&cdnskeyset);
@@ -2789,8 +2801,9 @@ build_final_keylist(void) {
/* /*
* Update keylist with sync records. * Update keylist with sync records.
*/ */
dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now, dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now,
DNS_DSDIGEST_SHA256, keyttl, &diff, mctx); &digests, keyttl, &diff, mctx);
dns_name_format(gorigin, name, sizeof(name)); dns_name_format(gorigin, name, sizeof(name));
@@ -2814,6 +2827,11 @@ build_final_keylist(void) {
clear_keylist(&rmkeys); clear_keylist(&rmkeys);
clear_keylist(&matchkeys); clear_keylist(&matchkeys);
if (!ignore_sync) {
ISC_LIST_UNLINK(digests, &digest, link);
}
INSIST(ISC_LIST_EMPTY(digests));
} }
static void static void
@@ -3285,8 +3303,8 @@ main(int argc, char *argv[]) {
atomic_init(&finished, false); atomic_init(&finished, false);
/* Unused letters: Bb G J q Yy (and F is reserved). */ /* Unused letters: Bb G J q Yy (and F is reserved). */
#define CMDLINE_FLAGS \ #define CMDLINE_FLAGS \
"3:AaCc:Dd:E:e:f:FghH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \ "3:AaCc:Dd:E:e:f:FgGhH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
"VX:xzZ:" "VX:xzZ:"
/* /*
@@ -3392,6 +3410,10 @@ main(int argc, char *argv[]) {
generateds = true; generateds = true;
break; break;
case 'G':
ignore_sync = true;
break;
case 'H': case 'H':
set_iter = true; set_iter = true;
/* too-many is NOT DOCUMENTED */ /* too-many is NOT DOCUMENTED */

6
bin/dnssec/dnssec-signzone.rst
View File

@@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool
Synopsis Synopsis
~~~~~~~~ ~~~~~~~~
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] :program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-G**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description Description
~~~~~~~~~~~ ~~~~~~~~~~~
@@ -76,6 +76,10 @@ Options
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-`` This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
file. Existing DS records are removed. file. Existing DS records are removed.
.. option:: -G
This option indicates that CDS and CDNSKEY records should not be generated from the given key set.
.. option:: -K directory .. option:: -K directory
This option specifies the directory to search for DNSSEC keys. If not This option specifies the directory to search for DNSSEC keys. If not