mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-04 08:35:31 +00:00
Code Issues Releases Wiki Activity

2684. [bug] dnssec-signzone should clean the old NSEC chain when

Browse Source 
signing with NSEC3 and vica versa. [RT #20301]
This commit is contained in:
Mark Andrews
2009-09-23 14:05:11 +00:00
parent 484076c325
commit 4d0e2cf9b9
2 changed files with 109 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
2684. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vica versa. [RT #20301]
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054] 2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for 2684. [cleanup] dig: formalize +ad and +cd as synonyms for

136
bin/dnssec/dnssec-signzone.c
View File

@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-signzone.c,v 1.230 2009/09/23 04:30:16 marka Exp $ */ /* $Id: dnssec-signzone.c,v 1.231 2009/09/23 14:05:11 marka Exp $ */
/*! \file */ /*! \file */
@@ -1069,6 +1069,20 @@ active_node(dns_dbnode_t *node) {
type = rdataset.type; type = rdataset.type;
covers = rdataset.covers; covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset); dns_rdataset_disassociate(&rdataset);
/*
* Delete the NSEC chain if we are signing with
* NSEC3.
*/
if (nsec_datatype == dns_rdatatype_nsec3 &&
(type == dns_rdatatype_nsec ||
covers == dns_rdatatype_nsec)) {
result = dns_db_deleterdataset(gdb, node,
gversion, type,
covers);
check_result(result,
"dns_db_deleterdataset(nsec/rrsig)");
continue;
}
if (type != dns_rdatatype_rrsig) if (type != dns_rdatatype_rrsig)
continue; continue;
found = ISC_FALSE; found = ISC_FALSE;
@@ -1098,32 +1112,6 @@ active_node(dns_dbnode_t *node) {
fatal("rdataset iteration failed: %s", fatal("rdataset iteration failed: %s",
isc_result_totext(result)); isc_result_totext(result));
dns_rdatasetiter_destroy(&rdsiter2); dns_rdatasetiter_destroy(&rdsiter2);
#if 0
/*
* Delete all NSEC records and RRSIG(NSEC) if we are in
* NSEC3 mode and vica versa.
*/
for (result = dns_rdatasetiter_first(rdsiter2);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(rdsiter2)) {
dns_rdatasetiter_current(rdsiter, &rdataset);
type = rdataset.type;
covers = rdataset.covers;
if (type == dns_rdatatype_rrsig)
type = covers;
dns_rdataset_disassociate(&rdataset);
if (type == nsec_datatype ||
(type != dns_rdatatype_nsec &&
type != dns_rdatatype_nsec3))
continue;
if (covers != 0)
type = dns_rdatatype_rrsig;
result = dns_db_deleterdataset(gdb, node, gversion,
type, covers);
check_result(result, "dns_db_deleterdataset()");
}
#endif
} }
dns_rdatasetiter_destroy(&rdsiter); dns_rdatasetiter_destroy(&rdsiter);
@@ -1948,7 +1936,7 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
} }
/*% /*%
* Generate NSEC records for the zone. * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records
*/ */
static void static void
nsecify(void) { nsecify(void) {
@@ -1956,10 +1944,14 @@ nsecify(void) {
dns_dbnode_t *node = NULL, *nextnode = NULL; dns_dbnode_t *node = NULL, *nextnode = NULL;
dns_fixedname_t fname, fnextname, fzonecut; dns_fixedname_t fname, fnextname, fzonecut;
dns_name_t *name, *nextname, *zonecut; dns_name_t *name, *nextname, *zonecut;
dns_rdataset_t rdataset;
dns_rdatasetiter_t *rdsiter = NULL;
dns_rdatatype_t type, covers;
isc_boolean_t done = ISC_FALSE; isc_boolean_t done = ISC_FALSE;
isc_result_t result; isc_result_t result;
isc_uint32_t nsttl = 0; isc_uint32_t nsttl = 0;
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fname); dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname); name = dns_fixedname_name(&fname);
dns_fixedname_init(&fnextname); dns_fixedname_init(&fnextname);
@@ -1967,12 +1959,67 @@ nsecify(void) {
dns_fixedname_init(&fzonecut); dns_fixedname_init(&fzonecut);
zonecut = NULL; zonecut = NULL;
/*
* Remove any NSEC3 chains.
*/
result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
check_result(result, "dns_db_createiterator()");
for (result = dns_dbiterator_first(dbiter);
result == ISC_R_SUCCESS;
result = dns_dbiterator_next(dbiter)) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
for (result = dns_rdatasetiter_first(rdsiter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(rdsiter)) {
dns_rdatasetiter_current(rdsiter, &rdataset);
type = rdataset.type;
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
result = dns_db_deleterdataset(gdb, node, gversion, type,
covers);
check_result(result,
"dns_db_deleterdataset(nsec3param/rrsig)");
}
dns_rdatasetiter_destroy(&rdsiter);
dns_db_detachnode(gdb, &node);
}
dns_dbiterator_destroy(&dbiter);
result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter); result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
check_result(result, "dns_db_createiterator()"); check_result(result, "dns_db_createiterator()");
result = dns_dbiterator_first(dbiter); result = dns_dbiterator_first(dbiter);
check_result(result, "dns_dbiterator_first()"); check_result(result, "dns_dbiterator_first()");
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
/*
* Delete any NSEC3PARAM records at the apex.
*/
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
for (result = dns_rdatasetiter_first(rdsiter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(rdsiter)) {
dns_rdatasetiter_current(rdsiter, &rdataset);
type = rdataset.type;
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
if (type == dns_rdatatype_nsec3param ||
covers == dns_rdatatype_nsec3param) {
result = dns_db_deleterdataset(gdb, node, gversion,
type, covers);
check_result(result,
"dns_db_deleterdataset(nsec3param/rrsig)");
continue;
}
}
dns_rdatasetiter_destroy(&rdsiter);
dns_db_detachnode(gdb, &node);
while (!done) { while (!done) {
result = dns_dbiterator_current(dbiter, &node, name); result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result); check_dns_dbiterator_current(result);
@@ -2255,13 +2302,17 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
dns_dbnode_t *node = NULL, *nextnode = NULL; dns_dbnode_t *node = NULL, *nextnode = NULL;
dns_fixedname_t fname, fnextname, fzonecut; dns_fixedname_t fname, fnextname, fzonecut;
dns_name_t *name, *nextname, *zonecut; dns_name_t *name, *nextname, *zonecut;
dns_rdataset_t rdataset;
dns_rdatasetiter_t *rdsiter = NULL;
dns_rdatatype_t type, covers;
int order;
isc_boolean_t active;
isc_boolean_t done = ISC_FALSE; isc_boolean_t done = ISC_FALSE;
isc_result_t result; isc_result_t result;
isc_boolean_t active;
isc_uint32_t nsttl = 0; isc_uint32_t nsttl = 0;
unsigned int count, nlabels; unsigned int count, nlabels;
int order;
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fname); dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname); name = dns_fixedname_name(&fname);
dns_fixedname_init(&fnextname); dns_fixedname_init(&fnextname);
@@ -2278,6 +2329,31 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
result = dns_dbiterator_first(dbiter); result = dns_dbiterator_first(dbiter);
check_result(result, "dns_dbiterator_first()"); check_result(result, "dns_dbiterator_first()");
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
/*
* Delete any NSEC records at the apex.
*/
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
for (result = dns_rdatasetiter_first(rdsiter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(rdsiter)) {
dns_rdatasetiter_current(rdsiter, &rdataset);
type = rdataset.type;
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
if (type == dns_rdatatype_nsec || covers == dns_rdatatype_nsec) {
result = dns_db_deleterdataset(gdb, node, gversion,
type, covers);
check_result(result,
"dns_db_deleterdataset(nsec3param/rrsig)");
continue;
}
}
dns_rdatasetiter_destroy(&rdsiter);
dns_db_detachnode(gdb, &node);
while (!done) { while (!done) {
result = dns_dbiterator_current(dbiter, &node, name); result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result); check_dns_dbiterator_current(result);