
3060. [func] New option "dnssec-signzone -X <date>" allows

specification of a separate expiration date
			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
This commit is contained in:
Evan Hunt 2011-03-04 22:20:21 +00:00
parent 122e8dba8b
commit 61271cdee6
4 changed files with 80 additions and 12 deletions


@ -1,3 +1,7 @@
3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date
for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
3059. [test] Added a regression test for change #3023. 3059. [test] Added a regression test for change #3023.
3058. [bug] Cause named to terminate at startup or rndc reconfig/ 3058. [bug] Cause named to terminate at startup or rndc reconfig/


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-signzone.c,v 1.264 2011/03/01 23:48:05 tbox Exp $ */ /* $Id: dnssec-signzone.c,v 1.265 2011/03/04 22:20:20 each Exp $ */
/*! \file */ /*! \file */
@ -124,7 +124,7 @@ struct signer_event {
static dns_dnsseckeylist_t keylist; static dns_dnsseckeylist_t keylist;
static unsigned int keycount = 0; static unsigned int keycount = 0;
isc_rwlock_t keylist_lock; isc_rwlock_t keylist_lock;
static isc_stdtime_t starttime = 0, endtime = 0, now; static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
static int cycle = -1; static int cycle = -1;
static int jitter = 0; static int jitter = 0;
static isc_boolean_t tryverify = ISC_FALSE; static isc_boolean_t tryverify = ISC_FALSE;
@ -206,7 +206,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
dns_ttl_t ttl, dns_diff_t *add, const char *logmsg) dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
{ {
isc_result_t result; isc_result_t result;
isc_stdtime_t jendtime; isc_stdtime_t jendtime, expiry;
char keystr[DST_KEY_FORMATSIZE]; char keystr[DST_KEY_FORMATSIZE];
dns_rdata_t trdata = DNS_RDATA_INIT; dns_rdata_t trdata = DNS_RDATA_INIT;
unsigned char array[BUFSIZE]; unsigned char array[BUFSIZE];
@ -216,7 +216,12 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
dst_key_format(key, keystr, sizeof(keystr)); dst_key_format(key, keystr, sizeof(keystr));
vbprintf(1, "\t%s %s\n", logmsg, keystr); vbprintf(1, "\t%s %s\n", logmsg, keystr);
jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime; if (rdataset->type == dns_rdatatype_dnskey)
expiry = dnskey_endtime;
else
expiry = endtime;
jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
isc_buffer_init(&b, array, sizeof(array)); isc_buffer_init(&b, array, sizeof(array));
result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime, result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
mctx, &b, &trdata); mctx, &b, &trdata);
@ -416,10 +421,16 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
char namestr[DNS_NAME_FORMATSIZE]; char namestr[DNS_NAME_FORMATSIZE];
char typestr[TYPE_FORMATSIZE]; char typestr[TYPE_FORMATSIZE];
char sigstr[SIG_FORMATSIZE]; char sigstr[SIG_FORMATSIZE];
isc_stdtime_t expiry;
dns_name_format(name, namestr, sizeof(namestr)); dns_name_format(name, namestr, sizeof(namestr));
type_format(set->type, typestr, sizeof(typestr)); type_format(set->type, typestr, sizeof(typestr));
if (set->type == dns_rdatatype_dnskey)
expiry = dnskey_endtime;
else
expiry = endtime;
ttl = ISC_MIN(set->ttl, endtime - starttime); ttl = ISC_MIN(set->ttl, endtime - starttime);
dns_rdataset_init(&sigset); dns_rdataset_init(&sigset);
@ -3259,10 +3270,16 @@ usage(void) {
fprintf(stderr, "update DS records based on child zones' " fprintf(stderr, "update DS records based on child zones' "
"dsset-* files\n"); "dsset-* files\n");
fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n"); fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n"); fprintf(stderr, "\t\tRRSIG start time "
"- absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now " fprintf(stderr, "\t\tRRSIG end time "
"- absolute|from start|from now "
"(now + 30 days)\n"); "(now + 30 days)\n");
fprintf(stderr, "\t-X [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
fprintf(stderr, "\t\tDNSKEY RRSIG end "
"- absolute|from start|from now "
"(matches -e)\n");
fprintf(stderr, "\t-i interval:\n"); fprintf(stderr, "\t-i interval:\n");
fprintf(stderr, "\t\tcycle interval - resign " fprintf(stderr, "\t\tcycle interval - resign "
"if < interval from end ( (end-start)/4 )\n"); "if < interval from end ( (end-start)/4 )\n");
@ -3355,6 +3372,7 @@ int
main(int argc, char *argv[]) { main(int argc, char *argv[]) {
int i, ch; int i, ch;
char *startstr = NULL, *endstr = NULL, *classname = NULL; char *startstr = NULL, *endstr = NULL, *classname = NULL;
char *dnskey_endstr = NULL;
char *origin = NULL, *file = NULL, *output = NULL; char *origin = NULL, *file = NULL, *output = NULL;
char *inputformatstr = NULL, *outputformatstr = NULL; char *inputformatstr = NULL, *outputformatstr = NULL;
char *serialformatstr = NULL; char *serialformatstr = NULL;
@ -3386,7 +3404,7 @@ main(int argc, char *argv[]) {
isc_boolean_t set_iter = ISC_FALSE; isc_boolean_t set_iter = ISC_FALSE;
#define CMDLINE_FLAGS \ #define CMDLINE_FLAGS \
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:xz" "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:X:xz"
/* /*
* Process memory debugging argument first. * Process memory debugging argument first.
@ -3609,6 +3627,10 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric"); fatal("verbose level must be numeric");
break; break;
case 'X':
dnskey_endstr = isc_commandline_argument;
break;
case 'x': case 'x':
keyset_kskonly = ISC_TRUE; keyset_kskonly = ISC_TRUE;
break; break;
@ -3656,11 +3678,19 @@ main(int argc, char *argv[]) {
} else } else
starttime = now - 3600; /* Allow for some clock skew. */ starttime = now - 3600; /* Allow for some clock skew. */
if (endstr != NULL) { if (endstr != NULL)
endtime = strtotime(endstr, now, starttime); endtime = strtotime(endstr, now, starttime);
} else else
endtime = starttime + (30 * 24 * 60 * 60); endtime = starttime + (30 * 24 * 60 * 60);
if (dnskey_endstr != NULL) {
dnskey_endtime = strtotime(dnskey_endstr, now, starttime);
if (endstr != NULL && dnskey_endtime == endtime)
fprintf(stderr, "WARNING: -e and -X were both set, "
"but have identical values.\n");
} else
dnskey_endtime = endtime;
if (cycle == -1) if (cycle == -1)
cycle = (endtime - starttime) / 4; cycle = (endtime - starttime) / 4;
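Review bot: In the signset hunk the new `expiry` is selected per RRset type, but the only consumer visible in the hunk, `ttl = ISC_MIN(set->ttl, endtime - starttime);`, still clamps against `endtime`, so a DNSKEY RRset signed with a later -X date keeps the TTL bound derived from -e; if `expiry` is not read further down (signset's body continues outside the hunk) it is also an unused local. Changing the clamp to `ttl = ISC_MIN(set->ttl, expiry - starttime);` makes the TTL bound follow the lifetime actually written into the DNSKEY RRSIGs, and a one-line comment such as `/* DNSKEY RRSIGs may carry a separate (-X) expiry */` on the selection would help readers who only see the duplicate of it in signwithkey. In the main hunk the -X value is parsed with strtotime but, unlike what the new manual text promises, nothing in the hunk rejects a dnskey_endtime earlier than starttime; unless a later check in main covers it, a guard of the form `if (dnskey_endtime < starttime) fatal("DNSKEY end time must be later than start time");` (message constructed) is worth adding next to the identical-values warning.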


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ --> <!-- $Id: dnssec-signzone.docbook,v 1.45 2011/03/04 22:20:20 each Exp $ -->
<refentry id="man.dnssec-signzone"> <refentry id="man.dnssec-signzone">
<refentryinfo> <refentryinfo>
<date>June 05, 2009</date> <date>June 05, 2009</date>
@ -83,6 +83,7 @@
<arg><option>-t</option></arg> <arg><option>-t</option></arg>
<arg><option>-u</option></arg> <arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg><option>-z</option></arg> <arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg> <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
@ -237,6 +238,31 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-X <replaceable class="parameter">extended end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</para>
<para>
As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>extended end-time</option> is
specified, the value of <option>end-time</option> is used as
the default. (<option>end-time</option>, in turn, defaults to
30 days from the start time.) <option>extended end-time</option>
must be later than <option>start-time</option>.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term> <term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem> <listitem>


@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.6 2010/08/16 22:21:06 marka Exp $ # $Id: tests.sh,v 1.7 2011/03/04 22:20:21 each Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@ -63,7 +63,7 @@ cksk4=`$REVOKE $cksk3`
$SETTIME -A now+20s $cksk2 > /dev/null $SETTIME -A now+20s $cksk2 > /dev/null
echo I:signing child zone echo I:signing child zone
czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1` czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`
echo I:generating keys echo I:generating keys
pzsk=`$KEYGEN -q -r $RANDFILE $pzone` pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
@ -159,6 +159,14 @@ grep "$czsuccessor" other.sigs > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:checking RRSIG expiry date correctness"
dnskey_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}'`
soa_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}'`
[ $dnskey_expiry -gt $soa_expiry ] || ret=1
status=`expr $status + $ret`
echo "I:waiting 20 seconds for key activation" echo "I:waiting 20 seconds for key activation"
sleep 20 sleep 20
echo "I:re-signing child zone" echo "I:re-signing child zone"
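Review bot: The new expiry check in tests.sh neither resets `ret` before its comparison nor reports its own failure: the preceding check leaves `ret` possibly at 1 after its status accumulation, and the new block goes straight from the echo to `[ $dnskey_expiry -gt $soa_expiry ] || ret=1` and another status accumulation, so an earlier failure is counted twice and a failure here prints nothing. Add `ret=0` after `echo "I:checking RRSIG expiry date correctness"` and `if [ $ret != 0 ]; then echo "I:failed"; fi` before the `status=` line, matching the pattern the other checks in this file use. If either awk pipeline produces an empty string (for example when checkzone fails), the unquoted operands make `[` exit with a usage error; that still flips `ret` through `||`, but testing both variables for emptiness first would make that failure mode explicit rather than incidental.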