
Some of the resigning policies were a bit strange.

This commit is contained in:
Brian Wellington
2000-09-08 14:16:43 +00:00
parent c668509ab7
commit 66f5b00c37


@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-signzone.c,v 1.96 2000/09/08 08:38:57 bwelling Exp $ */ /* $Id: dnssec-signzone.c,v 1.97 2000/09/08 14:16:43 bwelling Exp $ */
#include <config.h> #include <config.h>
@@ -64,10 +64,12 @@ typedef struct signer_key_struct signer_key_t;
struct signer_key_struct { struct signer_key_struct {
dst_key_t *key; dst_key_t *key;
isc_boolean_t isdefault; isc_boolean_t isdefault;
unsigned int position;
ISC_LINK(signer_key_t) link; ISC_LINK(signer_key_t) link;
}; };
static ISC_LIST(signer_key_t) keylist; static ISC_LIST(signer_key_t) keylist;
static unsigned int keycount = 0;
static isc_stdtime_t starttime = 0, endtime = 0, now; static isc_stdtime_t starttime = 0, endtime = 0, now;
static int cycle = -1; static int cycle = -1;
static isc_boolean_t tryverify = ISC_FALSE; static isc_boolean_t tryverify = ISC_FALSE;
@@ -166,6 +168,7 @@ keythatsigned(dns_rdata_sig_t *sig) {
else else
key->key = pubkey; key->key = pubkey;
key->isdefault = ISC_FALSE; key->isdefault = ISC_FALSE;
key->position = keycount++;
ISC_LIST_APPEND(keylist, key, link); ISC_LIST_APPEND(keylist, key, link);
return key; return key;
} }
@@ -224,8 +227,9 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
dns_rdata_sig_t sig; dns_rdata_sig_t sig;
signer_key_t *key; signer_key_t *key;
isc_result_t result; isc_result_t result;
isc_boolean_t notsigned = ISC_TRUE, nosigs = ISC_FALSE; isc_boolean_t nosigs = ISC_FALSE;
isc_boolean_t wassignedby[256], nowsignedby[256]; isc_boolean_t *wassignedby, *nowsignedby;
int arraysize;
dns_difftuple_t *tuple; dns_difftuple_t *tuple;
dns_ttl_t ttl; dns_ttl_t ttl;
int i; int i;
@@ -238,9 +242,6 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
ttl = ISC_MIN(set->ttl, endtime - starttime); ttl = ISC_MIN(set->ttl, endtime - starttime);
for (i = 0; i < 256; i++)
wassignedby[i] = nowsignedby[i] = ISC_FALSE;
dns_rdataset_init(&sigset); dns_rdataset_init(&sigset);
result = dns_db_findrdataset(db, node, version, dns_rdatatype_sig, result = dns_db_findrdataset(db, node, version, dns_rdatatype_sig,
set->type, 0, &sigset, NULL); set->type, 0, &sigset, NULL);
@@ -254,6 +255,19 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
vbprintf(1, "%s/%s:\n", namestr, typestr); vbprintf(1, "%s/%s:\n", namestr, typestr);
arraysize = keycount;
if (!nosigs)
arraysize += dns_rdataset_count(&sigset);
wassignedby = isc_mem_get(mctx,
arraysize * sizeof(isc_boolean_t));
nowsignedby = isc_mem_get(mctx,
arraysize * sizeof(isc_boolean_t));
if (wassignedby == NULL || nowsignedby == NULL)
fatal("out of memory");
for (i = 0; i < arraysize; i++)
wassignedby[i] = nowsignedby[i] = ISC_FALSE;
if (nosigs) if (nosigs)
result = ISC_R_NOMORE; result = ISC_R_NOMORE;
else else
@@ -296,13 +310,14 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
{ {
vbprintf(2, "\tsig by %s retained\n", sigstr); vbprintf(2, "\tsig by %s retained\n", sigstr);
keep = ISC_TRUE; keep = ISC_TRUE;
wassignedby[sig.algorithm] = ISC_TRUE; wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else { } else {
vbprintf(2, "\tsig by %s dropped - %s\n", vbprintf(2, "\tsig by %s dropped - %s\n",
sigstr, sigstr,
expired ? "expired" : expired ? "expired" :
"failed to verify"); "failed to verify");
wassignedby[sig.algorithm] = ISC_TRUE; wassignedby[key->position] = ISC_TRUE;
resign = ISC_TRUE; resign = ISC_TRUE;
} }
} else if (iszonekey(key, db)) { } else if (iszonekey(key, db)) {
@@ -310,16 +325,14 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
{ {
vbprintf(2, "\tsig by %s retained\n", sigstr); vbprintf(2, "\tsig by %s retained\n", sigstr);
keep = ISC_TRUE; keep = ISC_TRUE;
wassignedby[sig.algorithm] = ISC_TRUE; wassignedby[key->position] = ISC_TRUE;
nowsignedby[sig.algorithm] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE;
} else { } else {
vbprintf(2, "\tsig by %s dropped - %s\n", vbprintf(2, "\tsig by %s dropped - %s\n",
sigstr, sigstr,
expired ? "expired" : expired ? "expired" :
"failed to verify"); "failed to verify");
wassignedby[sig.algorithm] = ISC_TRUE; wassignedby[key->position] = ISC_TRUE;
if (dst_key_isprivate(key->key))
resign = ISC_TRUE;
} }
} else if (!expired) { } else if (!expired) {
vbprintf(2, "\tsig by %s retained\n", sigstr); vbprintf(2, "\tsig by %s retained\n", sigstr);
@@ -329,7 +342,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
} }
if (keep) if (keep)
nowsignedby[sig.algorithm] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE;
else { else {
tuple = NULL; tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
@@ -349,7 +362,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
vbprintf(1, "\tresigning with key %s\n", keystr); vbprintf(1, "\tresigning with key %s\n", keystr);
isc_buffer_init(&b, array, sizeof(array)); isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b); signwithkey(name, set, &trdata, key->key, &b);
nowsignedby[sig.algorithm] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE;
tuple = NULL; tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
name, ttl, &trdata, name, ttl, &trdata,
@@ -368,18 +381,9 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
if (dns_rdataset_isassociated(&sigset)) if (dns_rdataset_isassociated(&sigset))
dns_rdataset_disassociate(&sigset); dns_rdataset_disassociate(&sigset);
for (i = 0; i < 256; i++)
if (wassignedby[i]) {
notsigned = ISC_FALSE;
break;
}
key = ISC_LIST_HEAD(keylist); key = ISC_LIST_HEAD(keylist);
while (key != NULL) { while (key != NULL) {
unsigned int alg = dst_key_alg(key->key); if (key->isdefault && !nowsignedby[key->position]) {
if (key->isdefault &&
(notsigned || (wassignedby[alg] && !nowsignedby[alg])))
{
isc_buffer_t b; isc_buffer_t b;
dns_rdata_t trdata; dns_rdata_t trdata;
unsigned char array[BUFSIZE]; unsigned char array[BUFSIZE];
@@ -398,6 +402,9 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
} }
key = ISC_LIST_NEXT(key, link); key = ISC_LIST_NEXT(key, link);
} }
isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
} }
/* Determine if a KEY set contains a null key */ /* Determine if a KEY set contains a null key */
@@ -1168,7 +1175,7 @@ loadzonekeys(dns_db_t *db) {
fatal("out of memory"); fatal("out of memory");
key->key = keys[i]; key->key = keys[i];
key->isdefault = ISC_FALSE; key->isdefault = ISC_FALSE;
key->position = keycount++;
ISC_LIST_APPEND(keylist, key, link); ISC_LIST_APPEND(keylist, key, link);
} }
dns_db_detachnode(db, &node); dns_db_detachnode(db, &node);
@@ -1383,6 +1390,7 @@ main(int argc, char *argv[]) {
fatal("out of memory"); fatal("out of memory");
key->key = newkey; key->key = newkey;
key->isdefault = ISC_TRUE; key->isdefault = ISC_TRUE;
key->position = keycount++;
ISC_LIST_APPEND(keylist, key, link); ISC_LIST_APPEND(keylist, key, link);
} else } else
dst_key_free(&newkey); dst_key_free(&newkey);
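Review bot: On the new side wassignedby is allocated, zeroed, stored to in the four retained/dropped branches and freed, but no line in these hunks reads it any more — the old notsigned scan and the `wassignedby[alg] && !nowsignedby[alg]` test are gone and the final resign loop consults only nowsignedby — so unless a read survives outside the hunks the array, its four stores and its isc_mem_get/isc_mem_put pair are dead and could be dropped. The sizing `arraysize = keycount; if (!nosigs) arraysize += dns_rdataset_count(&sigset);` stays in bounds only because keythatsigned() appends at most one new key (with `position = keycount++`) per signature examined, which is the invariant that keeps every key->position below arraysize; a comment such as `/* keythatsigned() may append one key per SIG; keycount + #SIGs bounds every key->position used below */` would protect it from a later change that adds keys elsewhere during signset(). arraysize is declared int while keycount and key->position are unsigned, so `unsigned int arraysize;` would remove the mixed-sign comparison in the two `i < arraysize` loops. signset() begins outside the hunks shown.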