
2677. [func] Changes to key metadata behavior:

- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[rt20247]
This commit is contained in:
Evan Hunt
2009-09-14 18:45:45 +00:00
parent d00827dabc
commit b843f577bb
10 changed files with 199 additions and 127 deletions

13
CHANGES

@@ -1,3 +1,16 @@
2677. [func] Changes to key metadata behavior:
- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[rt20247]
2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]


@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.13 2009/09/07 23:11:48 fdupont Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.14 2009/09/14 18:45:45 each Exp $ */
/*! \file */
@@ -78,10 +78,11 @@ usage(void) {
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" dates\n");
" all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
@@ -114,14 +115,15 @@ main(int argc, char **argv) {
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL, *engine = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t unpublish = 0, delete = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
if (argc == 1)
usage();
@@ -135,7 +137,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"a:Cc:f:K:kl:n:p:t:v:FhP:A:R:U:D:")) != -1)
"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case 'a':
@@ -182,6 +184,9 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'G':
genonly = ISC_TRUE;
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
@@ -218,16 +223,16 @@ main(int argc, char **argv) {
unsetrev = ISC_TRUE;
}
break;
case 'U':
if (setunpub || unsetunpub)
fatal("-U specified more than once");
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setunpub = ISC_TRUE;
unpublish = strtotime(isc_commandline_argument,
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetunpub = ISC_TRUE;
unsetinact = ISC_TRUE;
}
break;
case 'D':
@@ -381,26 +386,40 @@ main(int argc, char **argv) {
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default, but
* can be overridden. Creation date is always set to "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact))
fatal("cannot use -G together with -P or -A options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (!genonly)
dst_key_settime(key, DST_TIME_PUBLISH, now);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
else if (!genonly)
dst_key_settime(key, DST_TIME_ACTIVATE, now);
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE, revoke);
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH, unpublish);
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
if (setpub || setact || setrev || setunpub ||
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetunpub || unsetdel)
unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
"-P, -A, -R, -U, or -D options");
"-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
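Review bot: `-P none` and `-A none` are accepted by the option parser (the `setpub || unsetpub` check at L101 and the unsetpub/unsetact declarations at L78; by analogy with the -I case at L113–L121, "none" presumably sets the unset flag), but the new default block at L136–L143 ignores those flags: `else if (!genonly)` still writes "now", so a key the operator explicitly asked not to publish or activate is published and signs immediately. The guards should be `else if (!genonly && !unsetpub)` and `else if (!genonly && !unsetact)`; dnssec-keygen.c has the same gap at L359 and L364. The usage line at L54–L55 also still lacks the "(default: now)" suffix that dnssec-keygen.c gained at L268–L271. Relatedly, the dnssec-keyfromlabel docbook hunk at L228 still reads `<term>-U …` above the new -I description, unlike dnssec-keygen.docbook at L461. main continues outside the hunk.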


@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.9 2009/09/07 12:54:59 fdupont Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@@ -51,6 +51,8 @@
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
@@ -58,7 +60,6 @@
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
@@ -160,6 +161,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
@@ -245,7 +256,8 @@
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
@@ -256,7 +268,8 @@
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
it.
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
@@ -276,9 +289,9 @@
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be unpublished. After that
date, the key will no longer be included in the zone, but it
may remain in the key repository.
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
@@ -288,10 +301,8 @@
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key can be removed from the key repository.
NOTE: Keys are not currently deleted automatically; this field
is included for informational purposes and for future
development.
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>


@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.94 2009/09/07 12:54:59 fdupont Exp $ */
/* $Id: dnssec-keygen.c,v 1.95 2009/09/14 18:45:45 each Exp $ */
/*! \file */
@@ -131,13 +131,16 @@ usage(void) {
fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date "
"(default: now)\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date "
"(default: now)\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"dates\n");
"all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
@@ -172,14 +175,15 @@ main(int argc, char **argv) {
int dbits = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t unpublish = 0, delete = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
if (argc == 1)
usage();
@@ -191,7 +195,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hP:A:R:U:D:"
#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
@@ -310,6 +314,9 @@ main(int argc, char **argv) {
case 'z':
/* already the default */
break;
case 'G':
genonly = ISC_TRUE;
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
@@ -346,16 +353,16 @@ main(int argc, char **argv) {
unsetrev = ISC_TRUE;
}
break;
case 'U':
if (setunpub || unsetunpub)
fatal("-U specified more than once");
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setunpub = ISC_TRUE;
unpublish = strtotime(isc_commandline_argument,
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetunpub = ISC_TRUE;
unsetinact = ISC_TRUE;
}
break;
case 'D':
@@ -665,31 +672,44 @@ main(int argc, char **argv) {
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default,
* but can be overridden. Creation date is always set to
* "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact))
fatal("cannot use -G together with "
"-P or -A options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH,
publish);
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (!genonly)
dst_key_settime(key, DST_TIME_PUBLISH, now);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE,
activate);
else if (!genonly)
dst_key_settime(key, DST_TIME_ACTIVATE, now);
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE,
revoke);
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH,
unpublish);
dst_key_settime(key, DST_TIME_REVOKE, revoke);
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE,
inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE,
delete);
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
if (setpub || setact || setrev || setunpub ||
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetunpub || unsetdel)
unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
"-P, -A, -R, -U, or -D options");
"-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.


@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.27 2009/09/02 06:29:00 each Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@@ -66,8 +66,10 @@
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -76,7 +78,6 @@
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
<arg choice="req">name</arg>
@@ -224,6 +225,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
@@ -365,7 +376,8 @@
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
@@ -376,7 +388,8 @@
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
it.
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
@@ -393,12 +406,12 @@
</varlistentry>
<varlistentry>
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be unpublished. After that
date, the key will no longer be included in the zone, but it
may remain in the key repository.
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
@@ -408,10 +421,8 @@
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key can be removed from the key repository.
NOTE: Keys are not currently deleted automatically; this field
is included for informational purposes and for future
development.
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>


@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
/* $Id: dnssec-settime.c,v 1.12 2009/09/14 18:45:45 each Exp $ */
/*! \file */
@@ -66,8 +66,8 @@ usage(void) {
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set key "
"revocation date\n");
fprintf(stderr, " -U date/[+-]offset/none: set key "
"unpublication date\n");
fprintf(stderr, " -I date/[+-]offset/none: set key "
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
@@ -119,16 +119,16 @@ main(int argc, char **argv) {
isc_buffer_t buf;
int major, minor;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
isc_boolean_t printunpub = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t forceupdate = ISC_FALSE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
@@ -147,7 +147,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"fK:uhp:v:P:A:R:U:D:")) != -1) {
"fK:uhp:v:P:A:R:I:D:")) != -1) {
switch (ch) {
case 'f':
forceupdate = ISC_TRUE;
@@ -159,7 +159,7 @@ main(int argc, char **argv) {
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
printunpub = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
@@ -178,8 +178,8 @@ main(int argc, char **argv) {
case 'R':
printrev = ISC_TRUE;
break;
case 'U':
printunpub = ISC_TRUE;
case 'I':
printinact = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
@@ -251,16 +251,16 @@ main(int argc, char **argv) {
now, now);
}
break;
case 'U':
if (setunpub || unsetunpub)
fatal("-U specified more than once");
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetunpub = ISC_TRUE;
unsetinact = ISC_TRUE;
} else {
setunpub = ISC_TRUE;
unpub = strtotime(isc_commandline_argument,
setinact = ISC_TRUE;
inact = strtotime(isc_commandline_argument,
now, now);
}
break;
@@ -360,7 +360,7 @@ main(int argc, char **argv) {
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
@@ -375,10 +375,10 @@ main(int argc, char **argv) {
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
else if (unsetunpub)
dst_key_unsettime(key, DST_TIME_UNPUBLISH);
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inact);
else if (unsetinact)
dst_key_unsettime(key, DST_TIME_INACTIVE);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
@@ -400,8 +400,8 @@ main(int argc, char **argv) {
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
if (printunpub)
printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
if (printinact)
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
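Review bot: -U is dropped from the option string at L531 rather than kept as a deprecated alias, so `dnssec-settime -U …` now fails as an unknown option (the default case of the switch is outside the hunk) even though CHANGES describes -U as "deprecated in favor of -D". For a deprecation period, keep a `case 'U':` that prints a warning to stderr and then falls through to the `case 'D':` handling, marked `/* fallthrough */`. The option strings at L89 (dnssec-keyfromlabel.c) and L306 (dnssec-keygen.c) have the same gap. main continues outside the hunk.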


@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.3 2009/09/02 06:29:00 each Exp $ -->
<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
@@ -44,12 +44,12 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-settime</command>
<arg><option>-fr</option></arg>
<arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@@ -62,7 +62,7 @@
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
<option>-R</option>, <option>-U</option>, and <option>-D</option>
<option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<command>dnssec-signzone</command> or other signing software to
determine when a key is to be published, whether it should be
@@ -178,12 +178,12 @@
</varlistentry>
<varlistentry>
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be unpublished. After that
date, the key will no longer be included in the zone, but it
may remain in the key repository.
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
@@ -193,10 +193,8 @@
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key can be removed from the key repository.
NOTE: Keys are not currently deleted automatically; this field
is included for informational purposes and for future
development.
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>


@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.101 2009/09/10 05:09:31 each Exp $
* $Id: dnssec.c,v 1.102 2009/09/14 18:45:45 each Exp $
*/
/*! \file */
@@ -1004,9 +1004,9 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
static void
get_hints(dns_dnsseckey_t *key) {
isc_result_t result;
isc_stdtime_t now, publish, active, revoke, unpublish, delete;
isc_stdtime_t now, publish, active, revoke, inactive, delete;
isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
isc_boolean_t delset = ISC_FALSE;
REQUIRE(key != NULL && key->key != NULL);
@@ -1025,26 +1025,20 @@ get_hints(dns_dnsseckey_t *key) {
if (result == ISC_R_SUCCESS)
revset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
if (result == ISC_R_SUCCESS)
remset = ISC_TRUE;
inactset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
if (result == ISC_R_SUCCESS)
delset = ISC_TRUE;
/* No metadata set: Publish and sign. */
if (!pubset && !actset && !revset && !remset && !delset) {
key->hint_sign = ISC_TRUE;
key->hint_publish = ISC_TRUE;
}
/* Metadata says publish (but possibly not activate) */
if (pubset && publish < now)
if (pubset && publish <= now)
key->hint_publish = ISC_TRUE;
/* Metadata says activate (so we must also publish) */
if (actset && active < now) {
if (actset && active <= now) {
key->hint_sign = ISC_TRUE;
key->hint_publish = ISC_TRUE;
}
@@ -1064,6 +1058,14 @@ get_hints(dns_dnsseckey_t *key) {
key->prepublish = active - now;
}
/*
* Key has been marked inactive: we can continue publishing,
* but don't sign.
*/
if (key->hint_publish && inactset && inactive <= now) {
key->hint_sign = ISC_FALSE;
}
/*
* Metadata says revoke. If the key is published,
* we *have to* sign with it per RFC5011--even if it was
@@ -1082,11 +1084,9 @@ get_hints(dns_dnsseckey_t *key) {
}
/*
* Metadata says unpublish or delete, so don't publish
* this key or sign with it.
* Metadata says delete, so don't publish this key or sign with it.
*/
if ((remset && unpublish < now) ||
(delset && delete < now)) {
if (delset && delete <= now) {
key->hint_publish = ISC_FALSE;
key->hint_sign = ISC_FALSE;
key->hint_remove = ISC_TRUE;
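Review bot: get_hints no longer has any path that publishes or signs with a key lacking timing metadata (the block removed at L703–L707 was the only unconditional setter in view, so the hints presumably default to false), but nothing in the function states the new rule; suggest a comment before the publish check at L709 such as `/* Keys carrying no publish/activate dates are neither published nor used for signing. */`. The inactive check added at L725 runs before the revoke block starting at L728, whose comment says a published key must still sign per RFC 5011; if that block re-enables hint_sign (its body is outside the hunk), an inactive date will not stop a revoked key from signing, so the comment at L721 should say whether that precedence is intended. get_hints continues outside the hunk.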


@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.29 2009/09/03 04:09:58 marka Exp $
* $Id: dst_api.c,v 1.30 2009/09/14 18:45:45 each Exp $
*/
/*! \file */
@@ -1274,7 +1274,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
printtime(key, DST_TIME_DELETE, "; Delete", fp);
}


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
/* $Id: dst.h,v 1.18 2009/09/14 18:45:45 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@@ -84,7 +84,7 @@ typedef struct dst_context dst_context_t;
#define DST_TIME_PUBLISH 1
#define DST_TIME_ACTIVATE 2
#define DST_TIME_REVOKE 3
#define DST_TIME_UNPUBLISH 4
#define DST_TIME_INACTIVE 4
#define DST_TIME_DELETE 5
#define DST_MAX_TIMES 5
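Review bot: DST_TIME_INACTIVE at L777 reuses index 4, previously DST_TIME_UNPUBLISH, with the opposite publication meaning (still in the zone vs. withdrawn from it). The diffstat lists 10 files and none of them is the code that reads and writes the timing tags in key files, so a key file written by the previous version with an Unpublish date will, if the reader still accepts that tag, be loaded as an Inactive date and a key the operator scheduled for withdrawal stays published; if the tag is rejected instead, the date is silently lost. Either allocate a fresh index and bump DST_MAX_TIMES, or document the slot reuse at the define, e.g. `#define DST_TIME_INACTIVE 4 /* replaces DST_TIME_UNPUBLISH: same slot, different meaning */`, and confirm how the on-disk Unpublish tag is handled.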