
1659. [cleanup] Cleanup some messages that were referring to KEY vs

DNSKEY, NXT vs NSEC and SIG vs RRSIG.

1658.   [func]          Update dnssec-keygen to default to KEY for HMAC-MD5
                        and DH.  Tighten which options apply to KEY and
                        DNSKEY records.
Mark Andrews
2004-06-11 01:12:40 +00:00
parent 3386e92795
commit cc3aafe737
6 changed files with 137 additions and 116 deletions


@@ -1,3 +1,10 @@
1659. [cleanup] Cleanup some messages that were referring to KEY vs
DNSKEY, NXT vs NSEC and SIG vs RRSIG.
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
and DH. Tighten which options apply to KEY and
DNSKEY records.
1657. [doc] ARM: document query log output.
1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC


@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.66 2004/03/10 02:19:51 marka Exp $ */
/* $Id: dnssec-keygen.c,v 1.67 2004/06/11 01:12:39 marka Exp $ */
#include <config.h>
@@ -68,7 +68,7 @@ usage(void) {
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
@@ -101,7 +101,7 @@ main(int argc, char **argv) {
dst_key_t *key = NULL, *oldkey;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0;
isc_uint16_t flags = 0, ksk = 0;
dns_secalg_t alg;
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
isc_mem_t *mctx = NULL;
@@ -143,7 +143,7 @@ main(int argc, char **argv) {
break;
case 'f':
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
flags |= DNS_KEYFLAG_KSK;
ksk = DNS_KEYFLAG_KSK;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
@@ -211,17 +211,20 @@ main(int argc, char **argv) {
if (algname == NULL)
fatal("no algorithm was specified");
if (strcasecmp(algname, "HMAC-MD5") == 0)
if (strcasecmp(algname, "HMAC-MD5") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACMD5;
else {
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
}
if (type != NULL) {
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
@@ -271,20 +274,29 @@ main(int argc, char **argv) {
fatal("no nametype specified");
if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
else if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
else if (strcasecmp(nametype, "user") == 0)
flags |= DNS_KEYOWNER_USER;
else
fatal("invalid nametype %s", nametype);
else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
else if (strcasecmp(nametype, "user") == 0)
flags |= DNS_KEYOWNER_USER;
else
fatal("invalid KEY nametype %s", nametype);
} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
fatal("invalid DNSKEY nametype %s", nametype);
rdclass = strtoclass(classname);
flags |= signatory;
if ((options & DST_TYPE_KEY) != 0) /* KEY */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
flags |= ksk;
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
else if ((options & DST_TYPE_KEY) == 0 &&
protocol != DNS_KEYPROTO_DNSSEC)
fatal("invalid DNSKEY protocol: %d", protocol);
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if (size > 0)
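Review bot: In the @@ -211 hunk a `-t type` given together with a DNSKEY algorithm is now silently discarded by the added `(options & DST_TYPE_KEY) != 0` condition, and in the @@ -271 hunk `-f KSK` is likewise dropped without a word when the key is a KEY record or the nametype is not ZONE, while an out-of-range `-p` for DNSKEY does call fatal(). A key that comes out without the flags the operator asked for is easy to miss, so the silent cases should fail the same way: `if (type != NULL && (options & DST_TYPE_KEY) == 0) fatal("-t applies only to KEY records");` and, after the nametype checks, `if (ksk != 0 && ((options & DST_TYPE_KEY) != 0 || (flags & DNS_KEYOWNER_ZONE) == 0)) fatal("-f KSK applies only to DNSKEY zone keys");`. The usage text in the same file could then state the restriction rather than leaving it implicit. main() begins and ends outside these hunks.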


@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.8 2004/06/03 02:22:31 marka Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.9 2004/06/11 01:12:40 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -45,6 +45,7 @@
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k</option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
@@ -58,7 +59,7 @@
<title>DESCRIPTION</title>
<para>
<command>dnssec-keygen</command> generates keys for DNSSEC
(Secure DNS), as defined in RFC 2535. It can also generate
(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
</para>
@@ -73,13 +74,16 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 or RSA,
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</para>
<para>
Note that for DNSSEC, DSA is a mandatory to implement algorithm,
and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
</para>
</listitem>
</varlistentry>
@@ -89,7 +93,7 @@
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be between
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
@@ -104,8 +108,8 @@
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key), HOST or ENTITY (for a key associated with a host),
or USER (for a key associated with a user). These values are
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
case insensitive.
</para>
</listitem>
@@ -125,7 +129,7 @@
<term>-e</term>
<listitem>
<para>
If generating an RSA key, use a large exponent.
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</para>
</listitem>
</varlistentry>
@@ -134,8 +138,8 @@
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the key record.
The only recognized flag is KSK (Key Signing Key).
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
</para>
</listitem>
</varlistentry>
@@ -162,6 +166,15 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
@@ -302,14 +315,6 @@
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-makekeyset</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle>
<manvolnum>8</manvolnum>


@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.178 2004/04/15 01:58:22 marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.179 2004/06/11 01:12:40 marka Exp $ */
#include <config.h>
@@ -222,7 +222,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
fatal("key '%s' failed to sign data: %s",
fatal("dnskey '%s' failed to sign data: %s",
keystr, isc_result_totext(result));
}
INCSTAT(nsigned);
@@ -252,30 +252,32 @@ iszonekey(signer_key_t *key) {
}
/*
* Finds the key that generated a SIG, if possible. First look at the keys
* Finds the key that generated a RRSIG, if possible. First look at the keys
* that we've loaded already, and then see if there's a key on disk.
*/
static signer_key_t *
keythatsigned(dns_rdata_rrsig_t *sig) {
keythatsigned(dns_rdata_rrsig_t *rrsig) {
isc_result_t result;
dst_key_t *pubkey = NULL, *privkey = NULL;
signer_key_t *key;
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
if (sig->keyid == dst_key_id(key->key) &&
sig->algorithm == dst_key_alg(key->key) &&
dns_name_equal(&sig->signer, dst_key_name(key->key)))
if (rrsig->keyid == dst_key_id(key->key) &&
rrsig->algorithm == dst_key_alg(key->key) &&
dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
return key;
key = ISC_LIST_NEXT(key, link);
}
result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
DST_TYPE_PUBLIC, NULL, mctx, &pubkey);
result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
rrsig->algorithm, DST_TYPE_PUBLIC,
NULL, mctx, &pubkey);
if (result != ISC_R_SUCCESS)
return (NULL);
result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
rrsig->algorithm,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
NULL, mctx, &privkey);
if (result == ISC_R_SUCCESS) {
@@ -288,8 +290,8 @@ keythatsigned(dns_rdata_rrsig_t *sig) {
}
/*
* Check to see if we expect to find a key at this name. If we see a SIG
* and can't find the signing key that we expect to find, we drop the sig.
* Check to see if we expect to find a key at this name. If we see a RRSIG
* and can't find the signing key that we expect to find, we drop the rrsig.
* I'm not sure if this is completely correct, but it seems to work.
*/
static isc_boolean_t
@@ -313,17 +315,17 @@ expecttofindkey(dns_name_t *name) {
return (ISC_FALSE);
}
dns_name_format(name, namestr, sizeof(namestr));
fatal("failure looking for '%s KEY' in database: %s",
fatal("failure looking for '%s DNSKEY' in database: %s",
namestr, isc_result_totext(result));
return (ISC_FALSE); /* removes a warning */
}
static inline isc_boolean_t
setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
dns_rdata_t *sig)
dns_rdata_t *rrsig)
{
isc_result_t result;
result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
if (result == ISC_R_SUCCESS) {
INCSTAT(nverified);
return (ISC_TRUE);
@@ -334,7 +336,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
}
/*
* Signs a set. Goes through contortions to decide if each SIG should
* Signs a set. Goes through contortions to decide if each RRSIG should
* be dropped or retained, and then determines if any new SIGs need to
* be generated.
*/
@@ -344,7 +346,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
{
dns_rdataset_t sigset;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_rrsig_t sig;
dns_rdata_rrsig_t rrsig;
signer_key_t *key;
isc_result_t result;
isc_boolean_t nosigs = ISC_FALSE;
@@ -370,7 +372,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
nosigs = ISC_TRUE;
}
if (result != ISC_R_SUCCESS)
fatal("failed while looking for '%s SIG %s': %s",
fatal("failed while looking for '%s RRSIG %s': %s",
namestr, typestr, isc_result_totext(result));
vbprintf(1, "%s/%s:\n", namestr, typestr);
@@ -397,44 +399,44 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
dns_rdataset_current(&sigset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
check_result(result, "dns_rdata_tostruct");
future = isc_serial_lt(now, sig.timesigned);
future = isc_serial_lt(now, rrsig.timesigned);
key = keythatsigned(&sig);
sig_format(&sig, sigstr, sizeof(sigstr));
key = keythatsigned(&rrsig);
sig_format(&rrsig, sigstr, sizeof(sigstr));
if (key != NULL && issigningkey(key))
expired = isc_serial_gt(now + cycle, sig.timeexpire);
expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
else
expired = isc_serial_gt(now, sig.timeexpire);
expired = isc_serial_gt(now, rrsig.timeexpire);
if (isc_serial_gt(sig.timesigned, sig.timeexpire)) {
/* sig is dropped and not replaced */
vbprintf(2, "\tsig by %s dropped - "
if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
/* rrsig is dropped and not replaced */
vbprintf(2, "\trrsig by %s dropped - "
"invalid validity period\n",
sigstr);
} else if (key == NULL && !future &&
expecttofindkey(&sig.signer))
expecttofindkey(&rrsig.signer))
{
/* sig is dropped and not replaced */
vbprintf(2, "\tsig by %s dropped - "
"private key not found\n",
/* rrsig is dropped and not replaced */
vbprintf(2, "\trrsig by %s dropped - "
"private dnskey not found\n",
sigstr);
} else if (key == NULL || future) {
vbprintf(2, "\tsig by %s %s - key not found\n",
vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
expired ? "retained" : "dropped", sigstr);
if (!expired)
keep = ISC_TRUE;
} else if (issigningkey(key)) {
if (!expired && setverifies(name, set, key, &sigrdata))
{
vbprintf(2, "\tsig by %s retained\n", sigstr);
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
vbprintf(2, "\tsig by %s dropped - %s\n",
vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
@@ -444,22 +446,22 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
} else if (iszonekey(key)) {
if (!expired && setverifies(name, set, key, &sigrdata))
{
vbprintf(2, "\tsig by %s retained\n", sigstr);
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
vbprintf(2, "\tsig by %s dropped - %s\n",
vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
wassignedby[key->position] = ISC_TRUE;
}
} else if (!expired) {
vbprintf(2, "\tsig by %s retained\n", sigstr);
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
} else {
vbprintf(2, "\tsig by %s expired\n", sigstr);
vbprintf(2, "\trrsig by %s expired\n", sigstr);
}
if (keep) {
@@ -482,7 +484,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
char keystr[KEY_FORMATSIZE];
key_format(key->key, keystr, sizeof(keystr));
vbprintf(1, "\tresigning with key %s\n", keystr);
vbprintf(1, "\tresigning with dnskey %s\n", keystr);
isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b);
nowsignedby[key->position] = ISC_TRUE;
@@ -495,7 +497,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
}
dns_rdata_reset(&sigrdata);
dns_rdata_freestruct(&sig);
dns_rdata_freestruct(&rrsig);
result = dns_rdataset_next(&sigset);
}
if (result == ISC_R_NOMORE)
@@ -526,7 +528,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
continue;
key_format(key->key, keystr, sizeof(keystr));
vbprintf(1, "\tsigning with key %s\n", keystr);
vbprintf(1, "\tsigning with dnskey %s\n", keystr);
dns_rdata_init(&trdata);
isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b);
@@ -607,7 +609,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
return (result);
}
vbprintf(2, "found KEY records\n");
vbprintf(2, "found DNSKEY records\n");
result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion");
@@ -753,7 +755,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
/*
* Signs all records at a name. This mostly just signs each set individually,
* but also adds the SIG bit to any NSECs generated earlier, deals with
* but also adds the RRSIG bit to any NSECs generated earlier, deals with
* parent/child KEY signatures, and handles other exceptional cases.
*/
static void
@@ -815,9 +817,9 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_rdataset_disassociate(&sigdsset);
} else if (dns_rdataset_isassociated(&sigdsset)) {
result = dns_db_deleterdataset(gdb, node,
gversion,
dns_rdatatype_rrsig,
dns_rdatatype_ds);
gversion,
dns_rdatatype_rrsig,
dns_rdatatype_ds);
check_result(result, "dns_db_deleterdataset");
dns_rdataset_disassociate(&sigdsset);
}
@@ -858,7 +860,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
/* If this is a SIG set, skip it. */
/* If this is a RRSIG set, skip it. */
if (rdataset.type == dns_rdatatype_rrsig)
goto skip;
@@ -871,18 +873,11 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
if (rdataset.type != dns_rdatatype_nsec &&
rdataset.type != dns_rdatatype_ds)
goto skip;
#if 0
/*
* The current draft allows DS not at a zone cut.
* This is a bad idea. Update once the RFC is published.
* XXXMPA.
*/
} else if (rdataset.type == dns_rdatatype_ds) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': found DS RRset without NS RRset\n",
namebuf);
#endif
}
signset(&diff, node, name, &rdataset);
@@ -979,7 +974,7 @@ soattl(void) {
}
/*
* Delete any SIG records at a node.
* Delete any RRSIG records at a node.
*/
static void
cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
@@ -1411,8 +1406,8 @@ warnifallksk(dns_db_t *db) {
dns_db_detachnode(db, &node);
dns_db_closeversion(db, &currentversion, ISC_FALSE);
if (!have_non_ksk && !ignoreksk)
fprintf(stderr,
"%s: warning: No non-KSK key found. Supply non-KSK key or use '-z'.\n",
fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
"Supply non-KSK dnskey or use '-z'.\n",
program);
}
@@ -1568,9 +1563,9 @@ usage(void) {
fprintf(stderr, "\t-g:\t");
fprintf(stderr, "generate DS records from keyset files\n");
fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
"(now + 30 days)\n");
fprintf(stderr, "\t-i interval:\n");
fprintf(stderr, "\t\tcycle interval - resign "
@@ -1592,6 +1587,8 @@ usage(void) {
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
fprintf(stderr, "\t-z:\t");
fprintf(stderr, "ignore KSK flag in DNSKEYs");
fprintf(stderr, "\n");
@@ -1850,7 +1847,7 @@ main(int argc, char *argv[]) {
DST_TYPE_PRIVATE,
mctx, &newkey);
if (result != ISC_R_SUCCESS)
fatal("cannot load key %s: %s", argv[i],
fatal("cannot load dnskey %s: %s", argv[i],
isc_result_totext(result));
key = ISC_LIST_HEAD(keylist);
@@ -1863,7 +1860,7 @@ main(int argc, char *argv[]) {
{
if (!dst_key_isprivate(dkey))
fatal("cannot sign zone with "
"non-private key %s",
"non-private dnskey %s",
argv[i]);
break;
}
@@ -1887,7 +1884,7 @@ main(int argc, char *argv[]) {
DST_TYPE_PRIVATE,
mctx, &newkey);
if (result != ISC_R_SUCCESS)
fatal("cannot load key %s: %s", dskeyfile[i],
fatal("cannot load dnskey %s: %s", dskeyfile[i],
isc_result_totext(result));
key = ISC_LIST_HEAD(keylist);
@@ -1909,7 +1906,7 @@ main(int argc, char *argv[]) {
key = ISC_LIST_NEXT(key, link);
}
if (key == NULL) {
/* Override key flags. */
/* Override dnskey flags. */
key = newkeystruct(newkey, ISC_TRUE);
key->isksk = ISC_TRUE;
key->isdsk = ISC_FALSE;
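Review bot: The SIG→RRSIG rename in the signset() header comment (@@ -334 hunk) stops one line short: the line after the changed one still reads `be dropped or retained, and then determines if any new SIGs need to`, and the signname() comment in the @@ -753 hunk still speaks of `parent/child KEY signatures`. The new user-visible messages also mix `dnskey` (signwithkey, signset, main) with `DNSKEY` (expecttofindkey, loadds), so grepping logs for one spelling misses the other; using the record-type spelling `DNSKEY`/`RRSIG` throughout, e.g. `vbprintf(1, "\tresigning with DNSKEY %s\n", keystr);`, would match the messages that already use it. Whether the KEY in the signname() comment should now read DS rather than DNSKEY depends on code outside the hunk.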


@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.11 2004/06/03 02:22:32 marka Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.12 2004/06/11 01:12:40 marka Exp $ -->
<refentry>
<refentryinfo>
@@ -63,14 +63,12 @@
<refsect1>
<title>DESCRIPTION</title>
<para>
<command>dnssec-signzone</command> signs a zone. It generates NSEC
and RRSIG records and produces a signed version of the zone. If there
is a <filename>signedkey</filename> file from the zone's parent,
the parent's signatures will be incorporated into the generated
signed zone file. The security status of delegations from the
signed zone (that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>signedkey</filename> file for each child zone.
<command>dnssec-signzone</command> signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>keyset</filename> file for each child zone.
</para>
</refsect1>
@@ -120,7 +118,7 @@
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>signedkey</filename> files in
Look for <filename>keyset</filename> files in
<option>directory</option> as the directory
</para>
</listitem>
@@ -317,8 +315,8 @@
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>signedkey</filename> files associated with this zone
or any child zones, they must be in the current directory.
<filename>keyset</filename> files associated with child zones,
they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.122 2004/05/14 04:45:57 marka Exp $ */
/* $Id: validator.c,v 1.123 2004/06/11 01:12:38 marka Exp $ */
#include <config.h>
@@ -1593,7 +1593,7 @@ dlv_validatezonekey(dns_validator_t *val) {
}
if (result != ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
"no KEY matching DLV");
"no DNSKEY matching DLV");
continue;
}
@@ -1628,7 +1628,8 @@ dlv_validatezonekey(dns_validator_t *val) {
dns_rdataset_disassociate(&trdataset);
if (result == ISC_R_SUCCESS)
break;
validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DLV key");
validator_log(val, ISC_LOG_DEBUG(3),
"no RRSIG matching DLV key");
}
if (result == ISC_R_SUCCESS) {
val->event->rdataset->trust = dns_trust_secure;
@@ -1877,7 +1878,7 @@ validatezonekey(dns_validator_t *val) {
}
if (result != ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
"no KEY matching DS");
"no DNSKEY matching DS");
continue;
}
@@ -1912,7 +1913,8 @@ validatezonekey(dns_validator_t *val) {
dns_rdataset_disassociate(&trdataset);
if (result == ISC_R_SUCCESS)
break;
validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DS key");
validator_log(val, ISC_LOG_DEBUG(3),
"no RRSIG matching DS key");
}
if (result == ISC_R_SUCCESS) {
event->rdataset->trust = dns_trust_secure;
@@ -2092,8 +2094,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
* would lead to a query for the zone key, which
* would return a negative answer, which would contain
* an SOA and an NSEC signed by the missing key, which
* would trigger another query for the KEY (since the
* first one is still in progress), and go into an
* would trigger another query for the DNSKEY (since
* the first one is still in progress), and go into an
* infinite loop. Avoid that.
*/
if (val->event->type == dns_rdatatype_dnskey &&