mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 23:25:38 +00:00
Code Issues Releases Wiki Activity

2707. [func] dnssec-keyfromlabel no longer require engine name

Browse Source 
to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]
This commit is contained in:
Evan Hunt
2009-10-06 22:58:45 +00:00
parent ca60f7ba75
commit d1f39121a6
4 changed files with 75 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES
View File

@@ -1,3 +1,10 @@
2707. [func] dnssec-keyfromlabel no longer require engine name
to be specified in the label if there is a default
engine or the -E option has been used. Also, it
now uses default algorithms as dnssec-keygen does
(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
[RT #20371]
2706. [bug] Loading a zone with a very large NSEC3 salt could 2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368] trigger an assert. [RT #20368]

54
bin/dnssec/dnssec-keyfromlabel.c
View File

@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */ /* $Id: dnssec-keyfromlabel.c,v 1.19 2009/10/06 22:58:45 each Exp $ */
/*! \file */ /*! \file */
@@ -48,6 +48,9 @@
const char *program = "dnssec-keyfromlabel"; const char *program = "dnssec-keyfromlabel";
int verbose; int verbose;
#define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1"; " NSEC3DSA | NSEC3RSASHA1";
@@ -57,22 +60,22 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
static void static void
usage(void) { usage(void) {
fprintf(stderr, "Usage:\n"); fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s -a alg -l label [options] name\n\n", fprintf(stderr, " %s -l label [options] name\n\n",
program); program);
fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n"); fprintf(stderr, "Required options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " -l label: label of the key pair\n"); fprintf(stderr, " -l label: label of the key pair\n");
#ifdef USE_PKCS11
fprintf(stderr, " (for instance \"pkcs11:foo\"\n");
#else
fprintf(stderr, " -E enginename\n");
#endif
fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n"); fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " (default: RSASHA1, or "
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -c class (default: IN)\n");
#ifdef USE_PKCS11 #ifdef USE_PKCS11
fprintf(stderr, " -E enginename (default: pkcs11)\n"); fprintf(stderr, " -E enginename (default: pkcs11)\n");
#else
fprintf(stderr, " -E enginename\n");
#endif #endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place " fprintf(stderr, " -K directory: directory in which to place "
@@ -140,6 +143,7 @@ main(int argc, char **argv) {
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE; isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE; isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE; isc_boolean_t genonly = ISC_FALSE;
isc_boolean_t use_nsec3 = ISC_FALSE;
if (argc == 1) if (argc == 1)
usage(); usage();
@@ -153,9 +157,12 @@ main(int argc, char **argv) {
isc_stdtime_get(&now); isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv, while ((ch = isc_commandline_parse(argc, argv,
"a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1) "3a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
{ {
switch (ch) { switch (ch) {
case '3':
use_nsec3 = ISC_TRUE;
break;
case 'a': case 'a':
algname = isc_commandline_argument; algname = isc_commandline_argument;
break; break;
@@ -301,8 +308,27 @@ main(int argc, char **argv) {
if (argc > isc_commandline_index + 1) if (argc > isc_commandline_index + 1)
fatal("extraneous arguments"); fatal("extraneous arguments");
if (algname == NULL) if (strchr(label, ':') == NULL &&
fatal("no algorithm was specified"); engine != NULL && strlen(engine) != 0) {
char *l;
int len;
len = strlen(label) + strlen(engine) + 2;
l = isc_mem_get(mctx, len);
snprintf(l, len, "%s:%s", engine, label);
label = l;
}
if (algname == NULL) {
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
}
if (strcasecmp(algname, "RSA") == 0) { if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n" fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please " "If you still wish to use RSA (RSAMD5) please "
@@ -318,6 +344,12 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY; options |= DST_TYPE_KEY;
} }
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) { if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0) if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH; flags |= DNS_KEYTYPE_NOAUTH;

30
bin/dnssec/dnssec-keyfromlabel.docbook
View File

@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.11 2009/10/05 17:30:49 fdupont Exp $ --> <!-- $Id: dnssec-keyfromlabel.docbook,v 1.12 2009/10/06 22:58:45 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel"> <refentry id="man.dnssec-keyfromlabel">
<refentryinfo> <refentryinfo>
<date>February 8, 2008</date> <date>February 8, 2008</date>
@@ -45,8 +45,9 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>dnssec-keyfromlabel</command> <command>dnssec-keyfromlabel</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg> <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-3</option></arg>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg> <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg> <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -93,6 +94,11 @@
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
These values are case insensitive. These values are case insensitive.
</para> </para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead.
</para>
<para> <para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. algorithm, and DSA is recommended.
@@ -103,12 +109,24 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term> <term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem> <listitem>
<para> <para>
Specifies the name of the crypto hardware (OpenSSL engine). Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to pcks11. When compiled with PKCS#11 support it defaults to "pcks11".
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -117,9 +135,9 @@
<term>-l <replaceable class="parameter">label</replaceable></term> <term>-l <replaceable class="parameter">label</replaceable></term>
<listitem> <listitem>
<para> <para>
Specifies the label of keys in the crypto hardware (OpenSSL Specifies the label of the key pair in the crypto hardware.
engine). An example for the pkcs11 engine is pkcs11:foo The label may be preceded by an optional OpenSSL engine name,
(note the string pkcs11 is in both E and l options.) separated by a colon, as in "pkcs11:keylabel".
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

4
bin/dnssec/dnssec-keygen.c
View File

@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */ /* $Id: dnssec-keygen.c,v 1.100 2009/10/06 22:58:45 each Exp $ */
/*! \file */ /*! \file */
@@ -66,8 +66,6 @@ int verbose;
#define DEFAULT_ALGORITHM "RSASHA1" #define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1" #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
#define DEFAULT_ALGORITHM "RSASHA1"
static isc_boolean_t static isc_boolean_t
dsa_size_ok(int size) { dsa_size_ok(int size) {
return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0)); return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));