From 61bcc232038f0a2cb77ed6269675fdc288f5ec98 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 17 Mar 2011 01:40:40 +0000 Subject: [PATCH] 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and dnssec-keyfromlabel sets the default TTL of the key. When possible, automatic signing will use that TTL when the key is published. [RT #23304] --- CHANGES | 5 ++ bin/dnssec/dnssec-keyfromlabel.c | 19 +++++- bin/dnssec/dnssec-keyfromlabel.docbook | 17 ++++- bin/dnssec/dnssec-keygen.c | 22 ++++-- bin/dnssec/dnssec-keygen.docbook | 17 ++++- bin/dnssec/dnssec-settime.c | 19 +++++- bin/dnssec/dnssec-settime.docbook | 17 ++++- bin/dnssec/dnssec-signzone.docbook | 12 ++-- bin/tests/dst/t_dst.c | 68 ++++++++++++++++--- bin/tests/system/autosign/clean.sh | 3 +- bin/tests/system/autosign/ns3/keygen.sh | 35 +++++++++- bin/tests/system/autosign/ns3/named.conf | 30 +++++++- .../system/autosign/ns3/ttl1.example.db.in | 31 +++++++++ .../system/autosign/ns3/ttl2.example.db.in | 31 +++++++++ .../system/autosign/ns3/ttl3.example.db.in | 31 +++++++++ .../system/autosign/ns3/ttl4.example.db.in | 31 +++++++++ bin/tests/system/autosign/tests.sh | 38 ++++++++++- bin/tests/system/smartsign/tests.sh | 31 ++++++++- lib/dns/dnssec.c | 53 ++++++++++++++- lib/dns/dst_api.c | 27 +++++--- lib/dns/dst_internal.h | 3 +- lib/dns/include/dns/dnssec.h | 12 ++-- lib/dns/include/dst/dst.h | 22 +++++- lib/dns/key.c | 14 +++- lib/dns/win32/libdns.def | 2 + 25 files changed, 535 insertions(+), 55 deletions(-) create mode 100644 bin/tests/system/autosign/ns3/ttl1.example.db.in create mode 100644 bin/tests/system/autosign/ns3/ttl2.example.db.in create mode 100644 bin/tests/system/autosign/ns3/ttl3.example.db.in create mode 100644 bin/tests/system/autosign/ns3/ttl4.example.db.in diff --git a/CHANGES b/CHANGES index fb1fcd3177..b18a627f69 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,8 @@ +3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and + dnssec-keyfromlabel sets the default TTL of the + key. When possible, automatic signing will use that + TTL when the key is published. [RT #23304] + 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant timestamp when determining which keys are active. [RT #23642] diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index cdd76b3458..ec706e3c2c 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keyfromlabel.c,v 1.34 2011/03/12 04:59:46 tbox Exp $ */ +/* $Id: dnssec-keyfromlabel.c,v 1.35 2011/03/17 01:40:34 each Exp $ */ /*! \file */ @@ -84,6 +84,7 @@ usage(void) { fprintf(stderr, " -K directory: directory in which to place " "key files\n"); fprintf(stderr, " -k: generate a TYPE=KEY key\n"); + fprintf(stderr, " -L ttl: default key TTL\n"); fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n"); fprintf(stderr, " (DNSKEY generation defaults to ZONE\n"); fprintf(stderr, " -p protocol: default: 3 [dnssec]\n"); @@ -137,12 +138,13 @@ main(int argc, char **argv) { dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; char *label = NULL; + dns_ttl_t ttl; isc_stdtime_t publish = 0, activate = 0, revoke = 0; isc_stdtime_t inactive = 0, delete = 0; isc_stdtime_t now; isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE; isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE; - isc_boolean_t setdel = ISC_FALSE; + isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE; isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE; isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE; isc_boolean_t unsetdel = ISC_FALSE; 
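Review bot: `dns_ttl_t ttl;` added to the declarations of main() in dnssec-keyfromlabel.c is left uninitialized, whereas the parallel additions in dnssec-keygen.c and dnssec-settime.c in this same commit write `dns_ttl_t ttl = 0;`. The later `if (setttl) dst_key_setttl(key, ttl);` keeps this from being a live read today, but the three tools should agree so that a future unguarded use of `ttl` cannot pick up stack garbage; change the line to `dns_ttl_t ttl = 0;`. main() continues outside the hunk.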
@@ -164,7 +166,7 @@ main(int argc, char **argv) { isc_stdtime_get(&now); while ((ch = isc_commandline_parse(argc, argv, - "3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1) + "3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1) { switch (ch) { case '3': @@ -202,6 +204,13 @@ main(int argc, char **argv) { case 'k': options |= DST_TYPE_KEY; break; + case 'L': + if (strcmp(isc_commandline_argument, "none") == 0) + ttl = 0; + else + ttl = strtottl(isc_commandline_argument); + setttl = ISC_TRUE; + break; case 'l': label = isc_mem_strdup(mctx, isc_commandline_argument); break; @@ -509,6 +518,10 @@ main(int argc, char **argv) { dst_key_setprivateformat(key, 1, 2); } + /* Set default key TTL */ + if (setttl) + dst_key_setttl(key, ttl); + /* * Do not overwrite an existing key. Warn LOUDLY if there * is a risk of ID collision due to this key or another key diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index 7952a246b4..8db438fbbe 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + February 8, 2008 @@ -59,6 +59,7 @@ + @@ -234,6 +235,20 @@ + + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + + + -p protocol diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 48e3ecc4ff..633610a104 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.117 2011/03/12 04:59:46 tbox Exp $ */ +/* $Id: dnssec-keygen.c,v 1.118 2011/03/17 01:40:34 each Exp $ */ /*! \file */ 
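Review bot: The `case 'L':` body (the `"none"` comparison, the strtottl() call and the setttl flag) is repeated verbatim in dnssec-keygen.c and dnssec-settime.c in this commit; the tools already share strtottl() through their common helper file, so the "none"-or-TTL parse belongs there as one helper rather than three copies that can drift. The hunk also relies on strtottl() to reject malformed input, which is not visible here; confirm it fails fatally rather than returning 0, because a silent 0 on a typo would be indistinguishable from an explicit `-L none` and would quietly drop the key's default TTL. main() continues outside the hunk.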
@@ -125,7 +125,9 @@ usage(void) { fprintf(stderr, " -f : KSK | REVOKE\n"); fprintf(stderr, " -g : use specified generator " "(DH only)\n"); + fprintf(stderr, " -L : default key TTL\n"); fprintf(stderr, " -p : (default: 3 [dnssec])\n"); + fprintf(stderr, " -r : a file containing random data\n"); fprintf(stderr, " -s : strength value this key signs DNS " "records with (default: 0)\n"); fprintf(stderr, " -T : DNSKEY | KEY (default: DNSKEY; " @@ -134,8 +136,6 @@ usage(void) { fprintf(stderr, " -t : " "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF " "(default: AUTHCONF)\n"); - fprintf(stderr, " -r : a file containing random data\n"); - fprintf(stderr, " -h: print usage and exit\n"); fprintf(stderr, " -m :\n"); fprintf(stderr, " usage | trace | record | size | mctx\n"); @@ -227,6 +227,7 @@ main(int argc, char **argv) { dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; int dbits = 0; + dns_ttl_t ttl = 0; isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE; isc_stdtime_t publish = 0, activate = 0, revoke = 0; isc_stdtime_t inactive = 0, delete = 0; @@ -234,7 +235,7 @@ main(int argc, char **argv) { int prepub = -1; isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE; isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE; - isc_boolean_t setdel = ISC_FALSE; + isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE; isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE; isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE; isc_boolean_t unsetdel = ISC_FALSE; @@ -253,7 +254,7 @@ main(int argc, char **argv) { /* * Process memory debugging argument first. */ -#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:" +#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:v:" while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { case 'm': 
@@ -336,6 +337,13 @@ main(int argc, char **argv) { "To generate a key-signing key, use -f KSK.\n" "To generate a key with TYPE=KEY, use -T KEY.\n"); break; + case 'L': + if (strcmp(isc_commandline_argument, "none") == 0) + ttl = 0; + else + ttl = strtottl(isc_commandline_argument); + setttl = ISC_TRUE; + break; case 'n': nametype = isc_commandline_argument; break; @@ -960,6 +968,10 @@ main(int argc, char **argv) { dst_key_setprivateformat(key, 1, 2); } + /* Set the default key TTL */ + if (setttl) + dst_key_setttl(key, ttl); + /* * Do not overwrite an existing key, or create a key * if there is a risk of ID collision due to this key diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index f0cf7f5f08..ae4889b3f2 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 30, 2000 @@ -74,6 +74,7 @@ + @@ -296,6 +297,20 @@ + + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + + + -p protocol diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 7791db01e0..5953807277 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.28 2010/12/19 07:29:36 each Exp $ */ +/* $Id: dnssec-settime.c,v 1.29 2011/03/17 01:40:35 each Exp $ */ /*! \file */ 
@@ -66,6 +66,7 @@ usage(void) { fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); + fprintf(stderr, " -L ttl: set default key TTL\n"); fprintf(stderr, " -v level: set level of verbosity\n"); fprintf(stderr, " -h: help\n"); fprintf(stderr, "Timing options:\n"); @@ -138,11 +139,12 @@ main(int argc, char **argv) { unsigned int size = 0; isc_uint16_t flags = 0; int prepub = -1; + dns_ttl_t ttl = 0; isc_stdtime_t now; isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0; isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE; isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE; - isc_boolean_t setdel = ISC_FALSE; + isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE; isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE; isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE; isc_boolean_t unsetdel = ISC_FALSE; @@ -166,7 +168,7 @@ main(int argc, char **argv) { isc_stdtime_get(&now); -#define CMDLINE_FLAGS "A:D:E:fhI:i:K:P:p:R:S:uv:" +#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:" while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { case 'E': @@ -230,6 +232,14 @@ main(int argc, char **argv) { "directory"); } break; + case 'L': + if (strcmp(isc_commandline_argument, "none") == 0) + ttl = 0; + else + ttl = strtottl(isc_commandline_argument); + changed = ISC_TRUE; + setttl = ISC_TRUE; + break; case 'v': verbose = strtol(isc_commandline_argument, &endp, 0); if (*endp != '\0') @@ -513,6 +523,9 @@ main(int argc, char **argv) { else if (unsetdel) dst_key_unsettime(key, DST_TIME_DELETE); + if (setttl) + dst_key_setttl(key, ttl); + /* * Print out time values, if -p was used. */ diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook index 44cd9de1de..6c618a35e0 100644 --- a/bin/dnssec/dnssec-settime.docbook +++ b/bin/dnssec/dnssec-settime.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + July 15, 2009 
@@ -47,6 +47,7 @@ dnssec-settime + @@ -112,6 +113,20 @@ + + -L ttl + + + Sets the default TTL to use for this key when it is converted + into a DNSKEY RR. If the key is imported into a zone, + this is the TTL that will be used for it, unless there was + already a DNSKEY RRset in place, in which case the existing TTL + would take precedence. Setting the default TTL to + 0 or none removes it. + + + + -h diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 4955d0c218..dcf5c617fd 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 @@ -552,15 +552,17 @@ -T ttl - Specifies the TTL to be used for new DNSKEY records imported - into the zone from the key repository. If not specified, - the default is the minimum TTL value from the zone's SOA + Specifies a TTL to be used for new DNSKEY records imported + into the zone from the key repository. If not + specified, the default is the TTL value from the zone's SOA record. This option is ignored when signing without , since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match - them. + them, or if any of the imported DNSKEY records had a default + TTL value. In the event of a a conflict between TTL values in + imported keys, the shortest one is used. diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c index bc430ec64a..94c1d3a017 100644 --- a/bin/tests/dst/t_dst.c +++ b/bin/tests/dst/t_dst.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: t_dst.c,v 1.58 2009/09/01 00:22:25 jinmei Exp $ */ +/* $Id: t_dst.c,v 1.59 2011/03/17 01:40:35 each Exp $ */ #include 
@@ -264,8 +264,8 @@ dh(dns_name_t *name1, int id1, dns_name_t *name2, int id2, isc_mem_t *mctx, } static void -io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx, - isc_result_t exp_result, int *nfails, int *nprobs) +io(dns_name_t *name, isc_uint16_t id, isc_uint16_t alg, int type, + isc_mem_t *mctx, isc_result_t exp_result, int *nfails, int *nprobs) { dst_key_t *key = NULL; isc_result_t ret; @@ -277,7 +277,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx, if (p == NULL) { t_info("getcwd failed %d\n", errno); ++*nprobs; - return; + goto failure; } ret = dst_key_fromfile(name, id, alg, type, current, mctx, &key); @@ -285,7 +285,25 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx, t_info("dst_key_fromfile(%d) returned: %s\n", alg, dst_result_totext(ret)); ++*nfails; - return; + goto failure; + } + + if (dst_key_id(key) != id) { + t_info("key ID incorrect\n"); + ++*nfails; + goto failure; + } + + if (dst_key_alg(key) != alg) { + t_info("key algorithm incorrect\n"); + ++*nfails; + goto failure; + } + + if (dst_key_getttl(key) != 0) { + t_info("initial key TTL incorrect\n"); + ++*nfails; + goto failure; } ret = isc_file_mktemplate("/tmp/", tmp, sizeof(tmp)); @@ -293,14 +311,14 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx, t_info("isc_file_mktemplate failed %s\n", isc_result_totext(ret)); ++*nprobs; - return; + goto failure; } ret = isc_dir_createunique(tmp); if (ret != ISC_R_SUCCESS) { t_info("mkdir failed %d\n", errno); ++*nprobs; - return; + goto failure; } ret = dst_key_tofile(key, type, tmp); 
@@ -308,14 +326,48 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx, t_info("dst_key_tofile(%d) returned: %s\n", alg, dst_result_totext(ret)); ++*nfails; - return; + goto failure; } if (dst_key_alg(key) != DST_ALG_DH) use(key, mctx, exp_result, nfails); + /* + * Skip the rest of this test if we weren't expecting + * the read to be successful. + */ + if (exp_result != ISC_R_SUCCESS) + goto cleanup; + + dst_key_setttl(key, 3600); + ret = dst_key_tofile(key, type, tmp); + if (ret != 0) { + t_info("dst_key_tofile(%d) returned: %s\n", + alg, dst_result_totext(ret)); + ++*nfails; + goto failure; + } + + /* Reread key to confirm TTL was changed */ + dst_key_free(&key); + ret = dst_key_fromfile(name, id, alg, type, tmp, mctx, &key); + if (ret != ISC_R_SUCCESS) { + t_info("dst_key_fromfile(%d) returned: %s\n", + alg, dst_result_totext(ret)); + ++*nfails; + goto failure; + } + + if (dst_key_getttl(key) != 3600) { + t_info("modified key TTL incorrect\n"); + ++*nfails; + goto failure; + } + + cleanup: cleandir(tmp); + failure: dst_key_free(&key); } diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 49eda70256..54dce6e471 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.7 2010/12/18 02:12:43 each Exp $ +# $Id: clean.sh,v 1.8 2011/03/17 01:40:35 each Exp $ rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk rm -f active.key inact.key del.key unpub.key standby.key rev.key @@ -45,3 +45,4 @@ rm -f ns3/secure-to-insecure.example.db rm -f ns3/prepub.example.db rm -f ns3/prepub.example.db.in rm -f ns3/secure-to-insecure2.example.db +rm -f ns3/ttl*.db diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 8c0b162bd6..a41b962a50 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh 
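Review bot: The new `failure:` label runs `dst_key_free(&key)` on every error path, including the two early exits in the preceding hunk (the getcwd() failure and the first dst_key_fromfile() failure) where `key` is still NULL; those paths previously returned without freeing. If dst_key_free() REQUIREs a valid key, as the other dst_key_* entry points in this library do, a setup failure now aborts the whole test binary with an assertion instead of being counted in nprobs/nfails. Guard the label: `failure:` / `if (key != NULL)` / `dst_key_free(&key);`. Separately, `if (ret != 0)` after the second dst_key_tofile() compares an isc_result_t against 0 where the surrounding new code compares against ISC_R_SUCCESS.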
+++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: keygen.sh,v 1.8 2010/12/15 18:44:37 each Exp $ +# $Id: keygen.sh,v 1.9 2011/03/17 01:40:36 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -205,3 +205,36 @@ zonefile="${zone}.db" $KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null $KEYGEN -3 -q -r $RANDFILE $zone > /dev/null $SIGNER -S -3 beef -o $zone -f $zonefile $infile > /dev/null 2>&1 + +# +# Key TTL tests. +# + +# no default key TTL; DNSKEY should get SOA TTL +zone=ttl1.example +zonefile="${zone}.db" +infile="${zonefile}.in" +$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null +$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null +cp $infile $zonefile + +# default key TTL should be used +zone=ttl2.example +zonefile="${zone}.db" +$KEYGEN -3 -q -r $RANDFILE -fk -L 60 $zone > /dev/null +$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null +cp $infile $zonefile + +# mismatched key TTLs, should use shortest +zone=ttl3.example +zonefile="${zone}.db" +$KEYGEN -3 -q -r $RANDFILE -fk -L 30 $zone > /dev/null +$KEYGEN -3 -q -r $RANDFILE -L 60 $zone > /dev/null +cp $infile $zonefile + +# existing DNSKEY RRset, should retain TTL +zone=ttl4.example +zonefile="${zone}.db" +$KEYGEN -3 -q -r $RANDFILE -L 30 -fk $zone > /dev/null +cat ${infile} K${zone}.+*.key > $zonefile +$KEYGEN -3 -q -r $RANDFILE -L 180 $zone > /dev/null diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf index be43563bcd..c7547bd29b 100644 --- a/bin/tests/system/autosign/ns3/named.conf +++ b/bin/tests/system/autosign/ns3/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.7 2010/12/15 18:44:37 each Exp $ */ +/* $Id: named.conf,v 1.8 2011/03/17 01:40:37 each Exp $ */ // NS3 
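Review bot: `infile` is assigned only in the ttl1.example block (`infile="${zonefile}.in"`), so the ttl2, ttl3 and ttl4 blocks copy ttl1.example.db.in into their zone files and the three ttl[234].example.db.in templates this commit adds are never read. The test passes only because all four templates are identical; the first time one of them diverges, the wrong zone data is tested without any failure. Add `infile="${zonefile}.in"` after each `zonefile="${zone}.db"` assignment (the ttl4 block's `cat ${infile} K${zone}.+*.key` depends on it too).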
@@ -185,4 +185,32 @@ zone "prepub.example" {
 auto-dnssec maintain;
 };
 
+zone "ttl1.example" {
+ type master;
+ file "ttl1.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl2.example" {
+ type master;
+ file "ttl2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl3.example" {
+ type master;
+ file "ttl3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "ttl4.example" {
+ type master;
+ file "ttl4.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/ns3/ttl1.example.db.in b/bin/tests/system/autosign/ns3/ttl1.example.db.in
new file mode 100644
index 0000000000..dda546a65a
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl1.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl1.example.db.in,v 1.2 2011/03/17 01:40:37 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/ttl2.example.db.in b/bin/tests/system/autosign/ns3/ttl2.example.db.in
new file mode 100644
index 0000000000..2b0dbda3e5
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl2.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl2.example.db.in,v 1.2 2011/03/17 01:40:37 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/ttl3.example.db.in b/bin/tests/system/autosign/ns3/ttl3.example.db.in
new file mode 100644
index 0000000000..e60b35c8b9
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl3.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl3.example.db.in,v 1.2 2011/03/17 01:40:38 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/ttl4.example.db.in b/bin/tests/system/autosign/ns3/ttl4.example.db.in
new file mode 100644
index 0000000000..329eca0474
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/ttl4.example.db.in
@@ -0,0 +1,31 @@
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: ttl4.example.db.in,v 1.2 2011/03/17 01:40:38 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 5de197adbe..a5e1c335fe 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.17 2011/03/02 09:03:45 fdupont Exp $
+# $Id: tests.sh,v 1.18 2011/03/17 01:40:36 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -182,6 +182,42 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking TTLs of imported DNSKEYs (no default) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl1.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +awk 'BEGIN {r=0} $2 != 300 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking TTLs of imported DNSKEYs (with default) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl2.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +awk 'BEGIN {r=0} $2 != 60 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking TTLs of imported DNSKEYs (mismatched) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl3.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +awk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking TTLs of imported DNSKEYs (existing RRset) ($n)" +ret=0 +$DIG $DIGOPTS +tcp +noall +answer dnskey ttl4.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 +[ -s dig.out.ns3.test$n ] || ret=1 +awk 'BEGIN {r=0} $2 != 30 {r=1; print "I:found TTL " $2} END {exit r}' dig.out.ns3.test$n || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking positive validation NSEC ($n)" ret=0 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1 diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh index adf1b893ee..a0d9958cda 100644 --- a/bin/tests/system/smartsign/tests.sh 
+++ b/bin/tests/system/smartsign/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.9 2011/03/05 23:52:30 tbox Exp $ +# $Id: tests.sh,v 1.10 2011/03/17 01:40:38 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -31,7 +31,7 @@ cfile=child.db echo I:generating keys # active zsk -czsk1=`$KEYGEN -q -r $RANDFILE $czone` +czsk1=`$KEYGEN -q -r $RANDFILE -L 30 $czone` # not yet published or active czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone` @@ -50,7 +50,7 @@ czsk5=`$KEYGEN -q -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone` czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>&-` # active ksk -cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone` +cksk1=`$KEYGEN -q -r $RANDFILE -fk -L 30 $czone` # published but not YET active; will be active in 20 seconds cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone` 
@@ -131,6 +131,31 @@ grep "key id = $czsuccessor" $cfile.signed && echo succ is there if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking key TTLs are correct" +grep "${czone}. 30 IN" ${czsk1}.key > /dev/null 2>&1 || ret=1 +grep "${czone}. 30 IN" ${cksk1}.key > /dev/null 2>&1 || ret=1 +grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +$SETTIME -L 45 ${czsk2} > /dev/null +grep "${czone}. 45 IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +$SETTIME -L 0 ${czsk2} > /dev/null +grep "${czone}. IN" ${czsk2}.key > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking key TTLs were imported correctly" +awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 30 {r = 1} END {exit r}' \ + ${cfile}.signed || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:re-signing and checking imported TTLs again" +$SETTIME -L 15 ${czsk2} > /dev/null +czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1` +awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \ + ${cfile}.signed || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:checking child zone signatures" ret=0 # check DNSKEY signatures first diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index ef995b4486..3f101cb585 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.122 2011/03/17 01:17:21 marka Exp $ + * $Id: dnssec.c,v 1.123 2011/03/17 01:40:38 each Exp $ */ /*! \file */ @@ -625,6 +625,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, pubkey = NULL; dns_rdataset_current(&rdataset, &rdata); RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); + dst_key_setttl(pubkey, rdataset.ttl); + if (!is_zone_key(pubkey) || (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) goto next; 
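Review bot: None of the three new check blocks ("checking key TTLs are correct", "checking key TTLs were imported correctly", "re-signing and checking imported TTLs again") resets `ret=0` before its `|| ret=1` tests, unlike every other block in this script (the `echo "I:checking child zone signatures"` directly below is followed by `ret=0`). A failure left in `ret` by an earlier test is therefore re-added to `status` three more times, and a genuine TTL regression cannot be told apart from that carry-over in the output. Insert `ret=0` after each of the three `echo "I:..."` lines. `czoneout` is captured in the re-sign block but not examined within the hunk; if nothing later reads it, check it or drop the capture so a signer error there is not silently discarded.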
@@ -702,6 +704,12 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, goto next; } + /* + * Whatever the key's default TTL may have + * been, the rdataset TTL takes priority. + */ + dst_key_setttl(keys[count], rdataset.ttl); + if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { /* We should never get here. */ dst_key_free(&keys[count]); @@ -1432,6 +1440,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin, dns_rdata_reset(&rdata); dns_rdataset_current(&keys, &rdata); RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey)); + dst_key_setttl(pubkey, keys.ttl); if (!is_zone_key(pubkey) || (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) @@ -1504,6 +1513,12 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin, if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) goto skip; + /* + * Whatever the key's default TTL may have + * been, the rdataset TTL takes priority. + */ + dst_key_setttl(privkey, dst_key_getttl(pubkey)); + addkey(keylist, &privkey, savekeys, mctx); skip: if (pubkey != NULL) @@ -1629,16 +1644,22 @@ remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin, isc_result_t dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin, - dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk, - isc_mem_t *mctx, void (*report)(const char *, ...)) + dns_ttl_t hint_ttl, dns_diff_t *diff, + isc_boolean_t allzsk, isc_mem_t *mctx, + void (*report)(const char *, ...)) { isc_result_t result; dns_dnsseckey_t *key, *key1, *key2, *next; + isc_boolean_t found_ttl = ISC_FALSE; + dns_ttl_t ttl = hint_ttl; /* * First, look through the existing key list to find keys * supplied from the command line which are not in the zone. * Update the zone to include them. + * + * Also, if there are keys published in the zone already, + * use their TTL for all subsequent published keys. */ for (key = ISC_LIST_HEAD(*keys); key != NULL; 
@@ -1648,6 +1669,32 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, RETERR(publish_key(diff, key, origin, ttl, mctx, allzsk, report)); } + if (key->source == dns_keysource_zoneapex) { + ttl = dst_key_getttl(key->key); + found_ttl = ISC_TRUE; + } + } + + /* + * If there were no existing keys, use the smallest nonzero + * TTL of the keys found in the repository. + */ + if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) { + dns_ttl_t shortest = 0; + + for (key = ISC_LIST_HEAD(*newkeys); + key != NULL; + key = ISC_LIST_NEXT(key, link)) { + dns_ttl_t thisttl = dst_key_getttl(key->key); + if (thisttl != 0 && + (shortest == 0 || thisttl < shortest)) + shortest = thisttl; + } + + if (shortest != 0) { + found_ttl = ISC_TRUE; + ttl = shortest; + } } /* diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 649ccd42ba..d43e370560 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.57 2011/01/11 23:47:13 tbox Exp $ + * $Id: dst_api.c,v 1.58 2011/03/17 01:40:39 each Exp $ */ /*! \file */ @@ -91,6 +91,7 @@ static dst_key_t * get_key_struct(dns_name_t *name, unsigned int protocol, unsigned int bits, dns_rdataclass_t rdclass, + dns_ttl_t ttl, isc_mem_t *mctx); static isc_result_t write_public_key(const dst_key_t *key, int type, const char *directory); @@ -514,7 +515,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, key = get_key_struct(pubkey->key_name, pubkey->key_alg, pubkey->key_flags, pubkey->key_proto, 0, - pubkey->key_class, mctx); + pubkey->key_class, pubkey->key_ttl, mctx); if (key == NULL) { dst_key_free(&pubkey); return (ISC_R_NOMEMORY); 
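Review bot: The apex TTL is discovered inside the same loop that publishes keys, so a command-line key that precedes the dns_keysource_zoneapex entry in `*keys` is published with `hint_ttl` while one that follows it gets the apex TTL; the outcome depends on list order, and the "smallest nonzero TTL" fallback over `*newkeys` runs only after that loop has already called publish_key(). This contradicts the comment added in the previous hunk ("use their TTL for all subsequent published keys") whenever the apex key is not first. TTL selection should be a separate pass that completes before any publish_key() call, as sketched below; the apex RRset has a single TTL, so the first apex key suffices. The body of dns_dnssec_updatekeys() continues beyond the hunk, so later uses of `ttl` and `found_ttl` were not reviewed.
```c
	/*
	 * Settle the DNSKEY TTL before publishing anything: a DNSKEY
	 * RRset already at the apex wins over every hint, and all RRs
	 * in a set share one TTL, so the first apex key is enough.
	 */
	for (key = ISC_LIST_HEAD(*keys);
	     key != NULL;
	     key = ISC_LIST_NEXT(key, link)) {
		if (key->source == dns_keysource_zoneapex) {
			ttl = dst_key_getttl(key->key);
			found_ttl = ISC_TRUE;
			break;
		}
	}

	/* … unchanged: smallest-nonzero-TTL scan of *newkeys, moved up to here … */

	for (key = ISC_LIST_HEAD(*keys);
	     key != NULL;
	     key = ISC_LIST_NEXT(key, link)) {
		/* … unchanged: publish keys not from the zone, now with the settled ttl … */
	}
```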
@@ -712,7 +713,7 @@ dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx, REQUIRE(keyp != NULL && *keyp == NULL); key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC, - 0, dns_rdataclass_in, mctx); + 0, dns_rdataclass_in, 0, mctx); if (key == NULL) return (ISC_R_NOMEMORY); @@ -750,7 +751,7 @@ dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags, CHECKALG(alg); - key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx); + key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx); if (key == NULL) return (ISC_R_NOMEMORY); @@ -804,7 +805,8 @@ dst_key_generate2(dns_name_t *name, unsigned int alg, CHECKALG(alg); - key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx); + key = get_key_struct(name, alg, flags, protocol, bits, + rdclass, 0, mctx); if (key == NULL) return (ISC_R_NOMEMORY); @@ -1210,7 +1212,7 @@ dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags, if (dst_t_func[alg]->restore == NULL) return (ISC_R_NOTIMPLEMENTED); - key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx); + key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx); if (key == NULL) return (ISC_R_NOMEMORY); @@ -1234,7 +1236,7 @@ static dst_key_t * get_key_struct(dns_name_t *name, unsigned int alg, unsigned int flags, unsigned int protocol, unsigned int bits, dns_rdataclass_t rdclass, - isc_mem_t *mctx) + dns_ttl_t ttl, isc_mem_t *mctx) { dst_key_t *key; isc_result_t result; @@ -1274,6 +1276,7 @@ get_key_struct(dns_name_t *name, unsigned int alg, key->keydata.generic = NULL; key->key_size = bits; key->key_class = rdclass; + key->key_ttl = ttl; key->func = dst_t_func[alg]; key->fmt_major = 0; key->fmt_minor = 0; 
@@ -1301,7 +1304,7 @@ dst_key_read_public(const char *filename, int type, unsigned int opt = ISC_LEXOPT_DNSMULTILINE; dns_rdataclass_t rdclass = dns_rdataclass_in; isc_lexspecials_t specials; - isc_uint32_t ttl; + isc_uint32_t ttl = 0; isc_result_t result; dns_rdatatype_t keytype; @@ -1402,6 +1405,8 @@ dst_key_read_public(const char *filename, int type, if (ret != ISC_R_SUCCESS) goto cleanup; + dst_key_setttl(*keyp, ttl); + cleanup: if (lex != NULL) isc_lex_destroy(&lex); @@ -1568,9 +1573,11 @@ write_public_key(const dst_key_t *key, int type, const char *directory) { /* Now print the actual key */ ret = dns_name_print(key->key_name, fp); - fprintf(fp, " "); + if (key->key_ttl != 0) + fprintf(fp, "%d ", key->key_ttl); + isc_buffer_usedregion(&classb, &r); isc_util_fwrite(r.base, 1, r.length, fp); @@ -1659,7 +1666,7 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags, REQUIRE(mctx != NULL); REQUIRE(keyp != NULL && *keyp == NULL); - key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx); + key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx); if (key == NULL) return (ISC_R_NOMEMORY); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index f2b3e3e5c4..c6bae505eb 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_internal.h,v 1.29 2011/01/11 23:47:13 tbox Exp $ */ +/* $Id: dst_internal.h,v 1.30 2011/03/17 01:40:39 each Exp $ */ #ifndef DST_DST_INTERNAL_H #define DST_DST_INTERNAL_H 1 @@ -96,6 +96,7 @@ struct dst_key { isc_uint16_t key_id; /*%< identifier of the key */ isc_uint16_t key_bits; /*%< hmac digest bits */ dns_rdataclass_t key_class; /*%< class of the key record */ + dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */ isc_mem_t *mctx; /*%< memory context */ char *engine; /*%< engine name (HSM) */ char *label; /*%< engine label (HSM) */ 
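Review bot: In write_public_key, `fprintf(fp, "%d ", key->key_ttl)` prints the new `dns_ttl_t key_ttl` field with a signed conversion, although dst_key_read_public in the same file stores the parsed TTL in an `isc_uint32_t`; a TTL at or above 2^31 would be written as a negative number that the reader would presumably refuse, so use `fprintf(fp, "%u ", (unsigned int)key->key_ttl);`. Read literally, the hunk also drops the unconditional `fprintf(fp, " ")` after the owner name in favour of the conditional TTL print, which would leave no separator between name and class whenever key_ttl is 0; the collapsed rendering cannot distinguish that from the removal of a blank line, so please confirm the space is still emitted. Neither dst_key_setttl nor the read path bounds the value to the 31-bit TTL range, which is worth a comment if the text parser is relied on for that. write_public_key's body continues outside the hunk.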
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index 625991ddef..3562ed4476 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec.h,v 1.42 2010/01/09 23:48:45 tbox Exp $ */ +/* $Id: dnssec.h,v 1.43 2011/03/17 01:40:39 each Exp $ */ #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1 @@ -290,7 +290,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin, isc_result_t dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin, - dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk, + dns_ttl_t hint_ttl, dns_diff_t *diff, isc_boolean_t allzsk, isc_mem_t *mctx, void (*report)(const char *, ...)); /*%< * Update the list of keys in 'keys' with new key information in 'newkeys'. @@ -309,9 +309,11 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as * ZSKs. * - * 'ttl' is the TTL of the DNSKEY RRset; if it is longer than the - * time until a new key will be activated, then we have to delay the - * key's activation. + * 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no + * existing RRset, and if none of the keys to be added has a default TTL + * (in which case we would use the shortest one). If the TTL is longer + * than the time until a new key will be activated, then we have to delay + * the key's activation. * * 'report' points to a function for reporting status. * diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 0563603678..d1e0d750ad 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst.h,v 1.31 2011/01/11 23:47:14 tbox Exp $ */ +/* $Id: dst.h,v 1.32 2011/03/17 01:40:39 each Exp $ */ #ifndef DST_DST_H #define DST_DST_H 1 
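Review bot: The new description of `hint_ttl` in dnssec.h is hard to follow ("if there is no existing RRset, and if none of the keys to be added has a default TTL (in which case we would use the shortest one)") and does not match the implementation's terms, which looks for keys whose source is the zone apex and then for the smallest nonzero TTL among `newkeys`. Suggested wording: `'hint_ttl' is used for the DNSKEY RRset only when 'keys' contains no key from the zone apex and no key in 'newkeys' carries a nonzero default TTL; otherwise the apex TTL, or failing that the smallest nonzero default TTL, is used.` Keeping the existing sentence about delaying activation when the TTL is longer than the time until activation is fine.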
@@ -735,6 +735,26 @@ dst_key_setbits(dst_key_t *key, isc_uint16_t bits); * "key" is a valid key. */ +void +dst_key_setttl(dst_key_t *key, dns_ttl_t ttl); +/*%< + * Set the default TTL to use when converting the key + * to a KEY or DNSKEY RR. + * + * Requires: + * "key" is a valid key. + */ + +dns_ttl_t +dst_key_getttl(const dst_key_t *key); +/*%< + * Get the default TTL to use when converting the key + * to a KEY or DNSKEY RR. + * + * Requires: + * "key" is a valid key. + */ + isc_result_t dst_key_setflags(dst_key_t *key, isc_uint32_t flags); /* diff --git a/lib/dns/key.c b/lib/dns/key.c index 5cf4442915..646c7b3f68 100644 --- a/lib/dns/key.c +++ b/lib/dns/key.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: key.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */ +/* $Id: key.c,v 1.9 2011/03/17 01:40:39 each Exp $ */ #include @@ -144,4 +144,16 @@ dst_key_getbits(const dst_key_t *key) { return (key->key_bits); } +void +dst_key_setttl(dst_key_t *key, dns_ttl_t ttl) { + REQUIRE(VALID_KEY(key)); + key->key_ttl = ttl; +} + +dns_ttl_t +dst_key_getttl(const dst_key_t *key) { + REQUIRE(VALID_KEY(key)); + return (key->key_ttl); +} + /*! \file */ diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def index e125fb8de9..2f9d1dce5f 100644 --- a/lib/dns/win32/libdns.def +++ b/lib/dns/win32/libdns.def @@ -945,6 +945,7 @@ dst_key_generate dst_key_generate2 dst_key_getprivateformat dst_key_gettime +dst_key_getttl dst_key_id dst_key_isnullkey dst_key_isprivate @@ -959,6 +960,7 @@ dst_key_setbits dst_key_setflags dst_key_setprivateformat dst_key_settime +dst_key_setttl dst_key_sigsize dst_key_size dst_key_tobuffer
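Review bot: The header comments for dst_key_setttl and dst_key_getttl do not say what a TTL of 0 means, yet the rest of the patch treats 0 as "no default": write_public_key omits the TTL field when key_ttl is 0, get_key_struct initialises it to 0 on every path except dst_key_fromnamedfile, and dns_dnssec_updatekeys ignores zero TTLs when choosing the shortest. State that in dst.h, e.g. for the setter `Set the default TTL to use when converting the key to a KEY or DNSKEY RR; 0 means no default is set and the TTL field is omitted from the public key file.`, with the matching sentence on the getter. The setter in key.c accepts any value without a range check; if callers are expected to have validated the TTL, the Requires block should say so.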