1181. [func] Add the "key-directory" configuration statement,

which allows the server to look for online signing
			keys in alternate directories.

CHANGES

@@ -1,3 +1,7 @@
+1181.	[func]		Add the "key-directory" configuration statement,
+			which allows the server to look for online signing
+			keys in alternate directories.
+
 1180.	[func]		dnssec-keygen should always generate keys with
 			protocol 3 (DNSSEC), since it's less confusing
 			that way.

bin/named/update.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.92 2001/12/11 23:53:13 marka Exp $ */
+/* $Id: update.c,v 1.93 2002/01/21 11:00:11 bwelling Exp $ */
 
 #include <config.h>
 
@@ -1500,14 +1500,16 @@ add_placeholder_nxt(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 static isc_result_t
-find_zone_keys(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	       unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys)
+	       isc_mem_t *mctx, unsigned int maxkeys,
+	       dst_key_t **keys, unsigned int *nkeys)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
 	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	CHECK(dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
+	CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
-				      mctx, maxkeys, keys, nkeys));
+				       directory, mctx, maxkeys, keys, nkeys));
  failure:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
@@ -1574,9 +1576,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
  * The SIGs generated will be valid for 'sigvalidityinterval' seconds.
  */
 static isc_result_t
-update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
+update_signatures(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db,
-		  dns_dbversion_t *newver, dns_diff_t *diff,
+		  dns_dbversion_t *oldver, dns_dbversion_t *newver,
-		  isc_uint32_t sigvalidityinterval)
+		  dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
 {
 	isc_result_t result;
 	dns_difftuple_t *t;
@@ -1598,7 +1600,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 	dns_diff_init(mctx, &nxt_diff);
 	dns_diff_init(mctx, &nxt_mindiff);
 
-	result = find_zone_keys(db, newver, mctx,
+	result = find_zone_keys(zone, db, newver, mctx,
 				MAXZONEKEYS, zone_keys, &nkeys);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE,
@@ -2460,7 +2462,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
 		if (dns_db_issecure(db)) {
 
-			result = update_signatures(mctx, db, oldver, ver,
+			result = update_signatures(mctx, zone, db, oldver, ver,
 			   &diff, dns_zone_getsigvalidityinterval(zone));
 			if (result != ISC_R_SUCCESS) {
 				update_log(client, zone,

bin/named/zoneconf.c

@@ -15,11 +15,12 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.98 2002/01/14 04:16:01 marka Exp $ */
+/* $Id: zoneconf.c,v 1.99 2002/01/21 11:00:12 bwelling Exp $ */
 
 #include <config.h>
 
 #include <isc/buffer.h>
+#include <isc/file.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
@@ -535,6 +536,20 @@ ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
 		INSIST(result == ISC_R_SUCCESS);
 		dns_zone_setsigvalidityinterval(zone,
 						cfg_obj_asuint32(obj) * 86400);
+
+		obj = NULL;
+		result = ns_config_get(maps, "key-directory", &obj);
+		if (result == ISC_R_SUCCESS) {
+			filename = cfg_obj_asstring(obj);
+			if (!isc_file_isabsolute(filename)) {
+				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+					    "key-directory '%s' "
+					    "is not absolute", filename);
+				return (ISC_R_FAILURE);
+			}
+			RETERR(dns_zone_setkeydirectory(zone, filename));
+		}
+
 	} else if (ztype == dns_zone_slave) {
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
 					  "allow-update-forwarding", ac, zone,

lib/bind9/check.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.14 2002/01/14 04:15:58 marka Exp $ */
+/* $Id: check.c,v 1.15 2002/01/21 11:00:14 bwelling Exp $ */
 
 #include <config.h>
 
@@ -184,6 +184,7 @@ check_zoneconf(cfg_obj_t *zconfig, isc_symtab_t *symtab,
 	{ "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
 	{ "update-policy", MASTERZONE },
 	{ "database", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "key-directory", MASTERZONE },
 	};
 
 	static optionstable dialups[] = {

lib/dns/dnssec.c

@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.70 2001/11/30 01:59:07 gson Exp $
+ * $Id: dnssec.c,v 1.71 2002/01/21 11:00:17 bwelling Exp $
  */
 
 
@@ -481,8 +481,9 @@ cleanup_struct:
 			  == DNS_KEYOWNER_ZONE)
 
 isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
-			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
+			dns_dbnode_t *node, dns_name_t *name,
+			const char *directory, isc_mem_t *mctx,
 			unsigned int maxkeys, dst_key_t **keys,
 			unsigned int *nkeys)
 {
@@ -508,7 +509,7 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 					  dst_key_id(pubkey),
 					  dst_key_alg(pubkey),
 					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
-					  NULL,
+					  directory,
 					  mctx, &keys[count]);
 		if (result == DST_R_INVALIDPRIVATEKEY)
 			goto next;
@@ -540,6 +541,16 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
+			unsigned int maxkeys, dst_key_t **keys,
+			unsigned int *nkeys)
+{
+	return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
+					 maxkeys, keys, nkeys));
+}
+
 isc_result_t
 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	dns_rdata_sig_t sig;

lib/dns/include/dns/dnssec.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.22 2001/10/10 21:39:15 gson Exp $ */
+/* $Id: dnssec.h,v 1.23 2002/01/21 11:00:22 bwelling Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -113,6 +113,12 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
 			dns_name_t *name, isc_mem_t *mctx,
 			unsigned int maxkeys, dst_key_t **keys,
 			unsigned int *nkeys);
+isc_result_t
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_mem_t *mctx,
+			 unsigned int maxkeys, dst_key_t **keys,
+			 unsigned int *nkeys);
 /*
  * 	Finds a set of zone keys.
  * 	XXX temporary - this should be handled in dns_zone_t.

lib/dns/include/dns/zone.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.108 2001/11/09 04:21:57 marka Exp $ */
+/* $Id: zone.h,v 1.109 2002/01/21 11:00:23 bwelling Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -1098,6 +1098,34 @@ dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
  *	(result ISC_R_NOMORE).
  */
 
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
+/*
+ *	Sets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ *
+ * Returns:
+ *	ISC_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone);
+/*
+ * 	Gets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *	Pointer to null-terminated file name, or NULL.
+ */
+
+
 isc_result_t
 dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.358 2002/01/15 06:42:15 marka Exp $ */
+/* $Id: zone.c,v 1.359 2002/01/21 11:00:20 bwelling Exp $ */
 
 #include <config.h>
 
@@ -157,6 +157,7 @@ struct dns_zone {
 	isc_uint32_t		retry;
 	isc_uint32_t		expire;
 	isc_uint32_t		minimum;
+	char			*keydirectory;
 
 	isc_uint32_t		maxrefresh;
 	isc_uint32_t		minrefresh;
@@ -501,6 +502,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->irefs = 0;
 	dns_name_init(&zone->origin, NULL);
 	zone->masterfile = NULL;
+	zone->keydirectory = NULL;
 	zone->journalsize = -1;
 	zone->journal = NULL;
 	zone->rdclass = dns_rdataclass_none;
@@ -609,6 +611,9 @@ zone_free(dns_zone_t *zone) {
 	if (zone->masterfile != NULL)
 		isc_mem_free(zone->mctx, zone->masterfile);
 	zone->masterfile = NULL;
+	if (zone->keydirectory != NULL)
+		isc_mem_free(zone->mctx, zone->keydirectory);
+	zone->keydirectory = NULL;
 	zone->journalsize = -1;
 	if (zone->journal != NULL)
 		isc_mem_free(zone->mctx, zone->journal);
@@ -6187,6 +6192,25 @@ dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
 	UNLOCK_ZONE(zone);
 }
 
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->keydirectory, directory);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keydirectory);
+}
 unsigned int
 dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
 	dns_zone_t *zone;

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.1 2002/01/04 02:32:12 gson Exp $ */
+/* $Id: namedconf.c,v 1.2 2002/01/21 11:00:25 bwelling Exp $ */
 
 #include <config.h>
 
@@ -597,6 +597,7 @@ zone_clauses[] = {
 	{ "min-refresh-time", &cfg_type_uint32, 0 },
 	{ "sig-validity-interval", &cfg_type_uint32, 0 },
 	{ "zone-statistics", &cfg_type_boolean, 0 },
+	{ "key-directory", &cfg_type_qstring, 0 },
 	{ NULL, NULL, 0 }
 };