mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and

Browse Source 
dnssec-keyfromlabel sets the default TTL of the
			key.  When possible, automatic signing will use that
			TTL when the key is published.  [RT #23304]
This commit is contained in:
Evan Hunt 2011-03-17 01:40:40 +00:00
parent 0e095727ff
commit 61bcc23203
25 changed files with 535 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -1,3 +1,8 @@
3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
dnssec-keyfromlabel sets the default TTL of the
key. When possible, automatic signing will use that
TTL when the key is published. [RT #23304]
3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant
timestamp when determining which keys are active.
[RT #23642]

19
bin/dnssec/dnssec-keyfromlabel.c
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.34 2011/03/12 04:59:46 tbox Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.35 2011/03/17 01:40:34 each Exp $ */
/*! \file */
@ -84,6 +84,7 @@ usage(void) {
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -L ttl: default key TTL\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
@ -137,12 +138,13 @@ main(int argc, char **argv) {
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
dns_ttl_t ttl;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
@ -164,7 +166,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
"3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case '3':
@ -202,6 +204,13 @@ main(int argc, char **argv) {
case 'k':
options |= DST_TYPE_KEY;
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'l':
label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
@ -509,6 +518,10 @@ main(int argc, char **argv) {
dst_key_setprivateformat(key, 1, 2);
}
/* Set default key TTL */
if (setttl)
dst_key_setttl(key, ttl);
/*
* Do not overwrite an existing key. Warn LOUDLY if there
* is a risk of ID collision due to this key or another key

17
bin/dnssec/dnssec-keyfromlabel.docbook
View File

@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.20 2011/02/03 12:18:10 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.21 2011/03/17 01:40:34 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@ -59,6 +59,7 @@
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@ -234,6 +235,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>

22
bin/dnssec/dnssec-keygen.c
View File

@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.117 2011/03/12 04:59:46 tbox Exp $ */
/* $Id: dnssec-keygen.c,v 1.118 2011/03/17 01:40:34 each Exp $ */
/*! \file */
@ -125,7 +125,9 @@ usage(void) {
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
"(DH only)\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
"records with (default: 0)\n");
fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
@ -134,8 +136,6 @@ usage(void) {
fprintf(stderr, " -t <type>: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
fprintf(stderr, " -h: print usage and exit\n");
fprintf(stderr, " -m <memory debugging mode>:\n");
fprintf(stderr, " usage | trace | record | size | mctx\n");
@ -227,6 +227,7 @@ main(int argc, char **argv) {
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
dns_ttl_t ttl = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
@ -234,7 +235,7 @@ main(int argc, char **argv) {
int prepub = -1;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
@ -253,7 +254,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:"
#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:v:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
@ -336,6 +337,13 @@ main(int argc, char **argv) {
"To generate a key-signing key, use -f KSK.\n"
"To generate a key with TYPE=KEY, use -T KEY.\n");
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'n':
nametype = isc_commandline_argument;
break;
@ -960,6 +968,10 @@ main(int argc, char **argv) {
dst_key_setprivateformat(key, 1, 2);
}
/* Set the default key TTL */
if (setttl)
dst_key_setttl(key, ttl);
/*
* Do not overwrite an existing key, or create a key
* if there is a risk of ID collision due to this key

17
bin/dnssec/dnssec-keygen.docbook
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.36 2010/12/23 04:07:59 marka Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.37 2011/03/17 01:40:34 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@ -74,6 +74,7 @@
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@ -296,6 +297,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>

19
bin/dnssec/dnssec-settime.c
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.28 2010/12/19 07:29:36 each Exp $ */
/* $Id: dnssec-settime.c,v 1.29 2011/03/17 01:40:35 each Exp $ */
/*! \file */
@ -66,6 +66,7 @@ usage(void) {
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
fprintf(stderr, " -L ttl: set default key TTL\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, "Timing options:\n");
@ -138,11 +139,12 @@ main(int argc, char **argv) {
unsigned int size = 0;
isc_uint16_t flags = 0;
int prepub = -1;
dns_ttl_t ttl = 0;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
@ -166,7 +168,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:P:p:R:S:uv:"
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
@ -230,6 +232,14 @@ main(int argc, char **argv) {
"directory");
}
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
changed = ISC_TRUE;
setttl = ISC_TRUE;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
@ -513,6 +523,9 @@ main(int argc, char **argv) {
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
if (setttl)
dst_key_setttl(key, ttl);
/*
* Print out time values, if -p was used.
*/

17
bin/dnssec/dnssec-settime.docbook
View File

@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.11 2010/08/16 22:21:06 marka Exp $ -->
<!-- $Id: dnssec-settime.docbook,v 1.12 2011/03/17 01:40:35 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
@ -47,6 +47,7 @@
<command>dnssec-settime</command>
<arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
@ -112,6 +113,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>

12
bin/dnssec/dnssec-signzone.docbook
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.47 2011/03/05 23:52:29 tbox Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.48 2011/03/17 01:40:35 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
@ -552,15 +552,17 @@
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies the TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not specified,
the default is the minimum TTL value from the zone's SOA
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<option>-S</option>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them.
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</para>
</listitem>
</varlistentry>

68
bin/tests/dst/t_dst.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: t_dst.c,v 1.58 2009/09/01 00:22:25 jinmei Exp $ */
/* $Id: t_dst.c,v 1.59 2011/03/17 01:40:35 each Exp $ */
#include <config.h>
@ -264,8 +264,8 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx,
}
static void
io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
isc_result_t exp_result, int *nfails, int *nprobs)
io(dns_name_t *name, isc_uint16_t id, isc_uint16_t alg, int type,
isc_mem_t *mctx, isc_result_t exp_result, int *nfails, int *nprobs)
{
dst_key_t *key = NULL;
isc_result_t ret;
@ -277,7 +277,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
if (p == NULL) {
t_info("getcwd failed %d\n", errno);
++*nprobs;
return;
goto failure;
}
ret = dst_key_fromfile(name, id, alg, type, current, mctx, &key);
@ -285,7 +285,25 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
t_info("dst_key_fromfile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
return;
goto failure;
}
if (dst_key_id(key) != id) {
t_info("key ID incorrect\n");
++*nfails;
goto failure;
}
if (dst_key_alg(key) != alg) {
t_info("key algorithm incorrect\n");
++*nfails;
goto failure;
}
if (dst_key_getttl(key) != 0) {
t_info("initial key TTL incorrect\n");
++*nfails;
goto failure;
}
ret = isc_file_mktemplate("/tmp/", tmp, sizeof(tmp));
@ -293,14 +311,14 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
t_info("isc_file_mktemplate failed %s\n",
isc_result_totext(ret));
++*nprobs;
return;
goto failure;
}
ret = isc_dir_createunique(tmp);
if (ret != ISC_R_SUCCESS) {
t_info("mkdir failed %d\n", errno);
++*nprobs;
return;
goto failure;
}
ret = dst_key_tofile(key, type, tmp);
@ -308,14 +326,48 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
t_info("dst_key_tofile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
return;
goto failure;
}
if (dst_key_alg(key) != DST_ALG_DH)
use(key, mctx, exp_result, nfails);
/*
* Skip the rest of this test if we weren't expecting
* the read to be successful.
*/
if (exp_result != ISC_R_SUCCESS)
goto cleanup;
dst_key_setttl(key, 3600);
ret = dst_key_tofile(key, type, tmp);
if (ret != 0) {
t_info("dst_key_tofile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
goto failure;
}
/* Reread key to confirm TTL was changed */
dst_key_free(&key);
ret = dst_key_fromfile(name, id, alg, type, tmp, mctx, &key);
if (ret != ISC_R_SUCCESS) {
t_info("dst_key_fromfile(%d) returned: %s\n",
alg, dst_result_totext(ret));
++*nfails;
goto failure;
}
if (dst_key_getttl(key) != 3600) {
t_info("modified key TTL incorrect\n");
++*nfails;
goto failure;
}
cleanup:
cleandir(tmp);
failure:
dst_key_free(&key);
}

3
bin/tests/system/autosign/clean.sh
View File

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.7 2010/12/18 02:12:43 each Exp $
# $Id: clean.sh,v 1.8 2011/03/17 01:40:35 each Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f active.key inact.key del.key unpub.key standby.key rev.key
@ -45,3 +45,4 @@ rm -f ns3/secure-to-insecure.example.db
rm -f ns3/prepub.example.db
rm -f ns3/prepub.example.db.in
rm -f ns3/secure-to-insecure2.example.db
rm -f ns3/ttl*.db

35
bin/tests/system/autosign/ns3/keygen.sh
View File

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: keygen.sh,v 1.8 2010/12/15 18:44:37 each Exp $
# $Id: keygen.sh,v 1.9 2011/03/17 01:40:36 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
@ -205,3 +205,36 @@ zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > /dev/null 2>&1
#
# Key TTL tests.
#
# no default key TTL; DNSKEY should get SOA TTL
zone=ttl1.example
zonefile="${zone}.db"
infile="${zonefile}.in"
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
cp $infile $zonefile
# default key TTL should be used
zone=ttl2.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null
cp $infile $zonefile
# mismatched key TTLs, should use shortest
zone=ttl3.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > /dev/null
$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null
cp $infile $zonefile
# existing DNSKEY RRset, should retain TTL
zone=ttl4.example
zonefile="${zone}.db"
$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > /dev/null
cat ${infile} K${zone}.+*.key > $zonefile
$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > /dev/null

30
bin/tests/system/autosign/ns3/named.conf
View File

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.7 2010/12/15 18:44:37 each Exp $ */
/* $Id: named.conf,v 1.8 2011/03/17 01:40:37 each Exp $ */
// NS3
@ -185,4 +185,32 @@ zone "prepub.example" {
auto-dnssec maintain;
};
zone "ttl1.example" {
type master;
file "ttl1.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "ttl2.example" {
type master;
file "ttl2.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "ttl3.example" {
type master;
file "ttl3.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "ttl4.example" {
type master;
file "ttl4.example.db";
allow-update { any; };
auto-dnssec maintain;
};
include "trusted.conf";

31
bin/tests/system/autosign/ns3/ttl1.example.db.in Normal file
View File

@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: ttl1.example.db.in,v 1.2 2011/03/17 01:40:37 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a

31
bin/tests/system/autosign/ns3/ttl2.example.db.in Normal file
View File

@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: ttl2.example.db.in,v 1.2 2011/03/17 01:40:37 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a

31
bin/tests/system/autosign/ns3/ttl3.example.db.in Normal file
View File

@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: ttl3.example.db.in,v 1.2 2011/03/17 01:40:38 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a

31
bin/tests/system/autosign/ns3/ttl4.example.db.in Normal file
View File

@ -0,0 +1,31 @@
; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: ttl4.example.db.in,v 1.2 2011/03/17 01:40:38 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2009102722 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
x CNAME a

38
bin/tests/system/autosign/tests.sh
View File

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.17 2011/03/02 09:03:45 fdupont Exp $
# $Id: tests.sh,v 1.18 2011/03/17 01:40:36 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -182,6 +182,42 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking TTLs of imported DNSKEYs (no default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
awk 'BEGIN {r=0} $2 != 300 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking TTLs of imported DNSKEYs (with default) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
awk 'BEGIN {r=0} $2 != 60 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking TTLs of imported DNSKEYs (mismatched) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
awk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)"
ret=0
$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1
[ -s dig.out.ns3.test$n ] || ret=1
awk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive validation NSEC ($n)"
ret=0
$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1

31
bin/tests/system/smartsign/tests.sh
View File

@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.9 2011/03/05 23:52:30 tbox Exp $
# $Id: tests.sh,v 1.10 2011/03/17 01:40:38 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -31,7 +31,7 @@ cfile=child.db
echo I:generating keys
# active zsk
czsk1=`$KEYGEN -q -r $RANDFILE $czone`
czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone`
# not yet published or active
czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
@ -50,7 +50,7 @@ czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-`
# active ksk
cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone`
# published but not YET active; will be active in 20 seconds
cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
@ -131,6 +131,31 @@ grep "key id = $czsuccessor" $cfile.signed && echo succ is there
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking key TTLs are correct"
grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1
grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1
grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
$SETTIME -L 45 ${czsk2} > /dev/null
grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
$SETTIME -L 0 ${czsk2} > /dev/null
grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking key TTLs were imported correctly"
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \
${cfile}.signed || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:re-signing and checking imported TTLs again"
$SETTIME -L 15 ${czsk2} > /dev/null
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`
awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
${cfile}.signed || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking child zone signatures"
ret=0
# check DNSKEY signatures first

53
lib/dns/dnssec.c
View File

@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.122 2011/03/17 01:17:21 marka Exp $
* $Id: dnssec.c,v 1.123 2011/03/17 01:40:38 each Exp $
*/
/*! \file */
@ -625,6 +625,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
pubkey = NULL;
dns_rdataset_current(&rdataset, &rdata);
RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, rdataset.ttl);
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto next;
@ -702,6 +704,12 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
goto next;
}
/*
* Whatever the key's default TTL may have
* been, the rdataset TTL takes priority.
*/
dst_key_setttl(keys[count], rdataset.ttl);
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
/* We should never get here. */
dst_key_free(&keys[count]);
@ -1432,6 +1440,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, keys.ttl);
if (!is_zone_key(pubkey) ||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
@ -1504,6 +1513,12 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
goto skip;
/*
* Whatever the key's default TTL may have
* been, the rdataset TTL takes priority.
*/
dst_key_setttl(privkey, dst_key_getttl(pubkey));
addkey(keylist, &privkey, savekeys, mctx);
skip:
if (pubkey != NULL)
@ -1629,16 +1644,22 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
isc_result_t
dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
dns_dnsseckeylist_t *removed, dns_name_t *origin,
dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
isc_mem_t *mctx, void (*report)(const char *, ...))
dns_ttl_t hint_ttl, dns_diff_t *diff,
isc_boolean_t allzsk, isc_mem_t *mctx,
void (*report)(const char *, ...))
{
isc_result_t result;
dns_dnsseckey_t *key, *key1, *key2, *next;
isc_boolean_t found_ttl = ISC_FALSE;
dns_ttl_t ttl = hint_ttl;
/*
* First, look through the existing key list to find keys
* supplied from the command line which are not in the zone.
* Update the zone to include them.
*
* Also, if there are keys published in the zone already,
* use their TTL for all subsequent published keys.
*/
for (key = ISC_LIST_HEAD(*keys);
key != NULL;
@ -1648,6 +1669,32 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
RETERR(publish_key(diff, key, origin, ttl,
mctx, allzsk, report));
}
if (key->source == dns_keysource_zoneapex) {
ttl = dst_key_getttl(key->key);
found_ttl = ISC_TRUE;
}
}
/*
* If there were no existing keys, use the smallest nonzero
* TTL of the keys found in the repository.
*/
if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
dns_ttl_t shortest = 0;
for (key = ISC_LIST_HEAD(*newkeys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dns_ttl_t thisttl = dst_key_getttl(key->key);
if (thisttl != 0 &&
(shortest == 0 || thisttl < shortest))
shortest = thisttl;
}
if (shortest != 0) {
found_ttl = ISC_TRUE;
ttl = shortest;
}
}
/*

27
lib/dns/dst_api.c
View File

@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.57 2011/01/11 23:47:13 tbox Exp $
* $Id: dst_api.c,v 1.58 2011/03/17 01:40:39 each Exp $
*/
/*! \file */
@ -91,6 +91,7 @@ static dst_key_t * get_key_struct(dns_name_t *name,
unsigned int protocol,
unsigned int bits,
dns_rdataclass_t rdclass,
dns_ttl_t ttl,
isc_mem_t *mctx);
static isc_result_t write_public_key(const dst_key_t *key, int type,
const char *directory);
@ -514,7 +515,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
key = get_key_struct(pubkey->key_name, pubkey->key_alg,
pubkey->key_flags, pubkey->key_proto, 0,
pubkey->key_class, mctx);
pubkey->key_class, pubkey->key_ttl, mctx);
if (key == NULL) {
dst_key_free(&pubkey);
return (ISC_R_NOMEMORY);
@ -712,7 +713,7 @@ dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
REQUIRE(keyp != NULL && *keyp == NULL);
key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
0, dns_rdataclass_in, mctx);
0, dns_rdataclass_in, 0, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);
@ -750,7 +751,7 @@ dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
CHECKALG(alg);
key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);
@ -804,7 +805,8 @@ dst_key_generate2(dns_name_t *name, unsigned int alg,
CHECKALG(alg);
key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);
key = get_key_struct(name, alg, flags, protocol, bits,
rdclass, 0, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);
@ -1210,7 +1212,7 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
if (dst_t_func[alg]->restore == NULL)
return (ISC_R_NOTIMPLEMENTED);
key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);
@ -1234,7 +1236,7 @@ static dst_key_t *
get_key_struct(dns_name_t *name, unsigned int alg,
unsigned int flags, unsigned int protocol,
unsigned int bits, dns_rdataclass_t rdclass,
isc_mem_t *mctx)
dns_ttl_t ttl, isc_mem_t *mctx)
{
dst_key_t *key;
isc_result_t result;
@ -1274,6 +1276,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
key->keydata.generic = NULL;
key->key_size = bits;
key->key_class = rdclass;
key->key_ttl = ttl;
key->func = dst_t_func[alg];
key->fmt_major = 0;
key->fmt_minor = 0;
@ -1301,7 +1304,7 @@ dst_key_read_public(const char *filename, int type,
unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
dns_rdataclass_t rdclass = dns_rdataclass_in;
isc_lexspecials_t specials;
isc_uint32_t ttl;
isc_uint32_t ttl = 0;
isc_result_t result;
dns_rdatatype_t keytype;
@ -1402,6 +1405,8 @@ dst_key_read_public(const char *filename, int type,
if (ret != ISC_R_SUCCESS)
goto cleanup;
dst_key_setttl(*keyp, ttl);
cleanup:
if (lex != NULL)
isc_lex_destroy(&lex);
@ -1568,9 +1573,11 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
/* Now print the actual key */
ret = dns_name_print(key->key_name, fp);
fprintf(fp, " ");
if (key->key_ttl != 0)
fprintf(fp, "%d ", key->key_ttl);
isc_buffer_usedregion(&classb, &r);
isc_util_fwrite(r.base, 1, r.length, fp);
@ -1659,7 +1666,7 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
REQUIRE(mctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);

3
lib/dns/dst_internal.h
View File

@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_internal.h,v 1.29 2011/01/11 23:47:13 tbox Exp $ */
/* $Id: dst_internal.h,v 1.30 2011/03/17 01:40:39 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@ -96,6 +96,7 @@ struct dst_key {
isc_uint16_t key_id; /*%< identifier of the key */
isc_uint16_t key_bits; /*%< hmac digest bits */
dns_rdataclass_t key_class; /*%< class of the key record */
dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */
isc_mem_t *mctx; /*%< memory context */
char *engine; /*%< engine name (HSM) */
char *label; /*%< engine label (HSM) */

12
lib/dns/include/dns/dnssec.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.h,v 1.42 2010/01/09 23:48:45 tbox Exp $ */
/* $Id: dnssec.h,v 1.43 2011/03/17 01:40:39 each Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
@ -290,7 +290,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
isc_result_t
dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
dns_dnsseckeylist_t *removed, dns_name_t *origin,
dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
dns_ttl_t hint_ttl, dns_diff_t *diff, isc_boolean_t allzsk,
isc_mem_t *mctx, void (*report)(const char *, ...));
/*%<
* Update the list of keys in 'keys' with new key information in 'newkeys'.
@ -309,9 +309,11 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
* If 'allzsk' is true, we are allowing KSK-flagged keys to be used as
* ZSKs.
*
* 'ttl' is the TTL of the DNSKEY RRset; if it is longer than the
* time until a new key will be activated, then we have to delay the
* key's activation.
* 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no
* existing RRset, and if none of the keys to be added has a default TTL
* (in which case we would use the shortest one). If the TTL is longer
* than the time until a new key will be activated, then we have to delay
* the key's activation.
*
* 'report' points to a function for reporting status.
*

22
lib/dns/include/dst/dst.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.31 2011/01/11 23:47:14 tbox Exp $ */
/* $Id: dst.h,v 1.32 2011/03/17 01:40:39 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@ -735,6 +735,26 @@ dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
* "key" is a valid key.
*/
void
dst_key_setttl(dst_key_t *key, dns_ttl_t ttl);
/*%<
* Set the default TTL to use when converting the key
* to a KEY or DNSKEY RR.
*
* Requires:
* "key" is a valid key.
*/
dns_ttl_t
dst_key_getttl(const dst_key_t *key);
/*%<
* Get the default TTL to use when converting the key
* to a KEY or DNSKEY RR.
*
* Requires:
* "key" is a valid key.
*/
isc_result_t
dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
/*

14
lib/dns/key.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: key.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
/* $Id: key.c,v 1.9 2011/03/17 01:40:39 each Exp $ */
#include <config.h>
@ -144,4 +144,16 @@ dst_key_getbits(const dst_key_t *key) {
return (key->key_bits);
}
void
dst_key_setttl(dst_key_t *key, dns_ttl_t ttl) {
REQUIRE(VALID_KEY(key));
key->key_ttl = ttl;
}
dns_ttl_t
dst_key_getttl(const dst_key_t *key) {
REQUIRE(VALID_KEY(key));
return (key->key_ttl);
}
/*! \file */

2
lib/dns/win32/libdns.def
View File

@ -945,6 +945,7 @@ dst_key_generate
dst_key_generate2
dst_key_getprivateformat
dst_key_gettime
dst_key_getttl
dst_key_id
dst_key_isnullkey
dst_key_isprivate
@ -959,6 +960,7 @@ dst_key_setbits
dst_key_setflags
dst_key_setprivateformat
dst_key_settime
dst_key_setttl
dst_key_sigsize
dst_key_size
dst_key_tobuffer