
2668. [func] Several improvements to dnssec-* tools, including:

- dnssec-keygen and dnssec-settime can now set key
			  metadata fields 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]
This commit is contained in:
Evan Hunt 2009-09-02 06:29:01 +00:00
parent be3d498c6e
commit eab9975bcf
18 changed files with 597 additions and 160 deletions

13
CHANGES

@ -1,3 +1,16 @@
--- 9.7.0a3 released ---
2668. [func] Several improvements to dnssec-* tools, including:
- dnssec-keygen and dnssec-settime can now set key
metadata fields 0 (to unset a value, use "none")
- dnssec-revoke sets the revocation date in
addition to the revoke bit
- dnssec-settime can now print individual metadata
fields instead of always printing all of them,
and can print them in unix epoch time format for
use by scripts
[RT #19942]
2667. [func] Add support for logging stack backtrace on assertion
failure (not available for all platforms). [RT #19780]


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.90 2009/09/01 00:22:24 jinmei Exp $ */
/* $Id: dnssec-keygen.c,v 1.91 2009/09/02 06:29:00 each Exp $ */
/*! \file */
@ -174,6 +174,12 @@ main(int argc, char **argv) {
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t unpublish = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
if (argc == 1)
usage();
@ -305,24 +311,64 @@ main(int argc, char **argv) {
/* already the default */
break;
case 'P':
publish = strtotime(isc_commandline_argument,
now, now);
if (setpub || unsetpub)
fatal("-P specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setpub = ISC_TRUE;
publish = strtotime(isc_commandline_argument,
now, now);
} else {
unsetpub = ISC_TRUE;
}
break;
case 'A':
activate = strtotime(isc_commandline_argument,
now, now);
if (setact || unsetact)
fatal("-A specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setact = ISC_TRUE;
activate = strtotime(isc_commandline_argument,
now, now);
} else {
unsetact = ISC_TRUE;
}
break;
case 'R':
revoke = strtotime(isc_commandline_argument,
now, now);
if (setrev || unsetrev)
fatal("-R specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setrev = ISC_TRUE;
revoke = strtotime(isc_commandline_argument,
now, now);
} else {
unsetrev = ISC_TRUE;
}
break;
case 'U':
unpublish = strtotime(isc_commandline_argument,
now, now);
if (setunpub || unsetunpub)
fatal("-U specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setunpub = ISC_TRUE;
unpublish = strtotime(isc_commandline_argument,
now, now);
} else {
unsetunpub = ISC_TRUE;
}
break;
case 'D':
delete = strtotime(isc_commandline_argument,
now, now);
if (setdel || unsetdel)
fatal("-D specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setdel = ISC_TRUE;
delete = strtotime(isc_commandline_argument,
now, now);
} else {
unsetdel = ISC_TRUE;
}
break;
case 'F':
/* Reserved for FIPS mode */
@ -618,19 +664,37 @@ main(int argc, char **argv) {
dst_key_setbits(key, dbits);
/*
* Set key timing metadata
* Set key timing metadata (unless using -C)
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
dst_key_settime(key, DST_TIME_PUBLISH, publish);
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
dst_key_settime(key, DST_TIME_REVOKE, revoke);
dst_key_settime(key, DST_TIME_REMOVE, unpublish);
dst_key_settime(key, DST_TIME_DELETE, delete);
} else if (publish != 0 || activate != 0 || revoke != 0 ||
unpublish != 0 || delete != 0) {
fatal("cannot use -C together with "
"-P, -A, -R, -U, or -D options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH,
publish);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE,
activate);
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE,
revoke);
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH,
unpublish);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE,
delete);
} else {
if (setpub || setact || setrev || setunpub ||
setdel || unsetpub || unsetact ||
unsetrev || unsetunpub || unsetdel)
fatal("cannot use -C together with "
"-P, -A, -R, -U, or -D options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
*/
dst_key_setprivateformat(key, 1, 2);
}
/*
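Review bot: The five option cases 'P'/'A'/'R'/'U'/'D' in main's parse loop are the same eight lines repeated with a different variable triple, and dnssec-settime.c in this same commit repeats them again with the strcasecmp test inverted (`if (strcasecmp(isc_commandline_argument, "none"))` here versus `if (!strcasecmp(...))` there); an explicit `== 0` comparison reads more clearly than a bare truth test on strcasecmp's return in either tool. A small static helper taking the option letter and the three variables by pointer, as below, shrinks each case to one call and keeps the "specified more than once" and "none" handling in one place, where both tools could eventually share it via dnssectool.c. main continues outside the hunk.
```c
/* Parse one -P/-A/-R/-U/-D argument; "none" marks the field for unsetting. */
static void
set_or_unset_time(char opt, const char *arg, isc_stdtime_t now,
		  isc_stdtime_t *when, isc_boolean_t *set, isc_boolean_t *unset)
{
	if (*set || *unset)
		fatal("-%c specified more than once", opt);
	if (strcasecmp(arg, "none") == 0) {
		*unset = ISC_TRUE;
	} else {
		*set = ISC_TRUE;
		*when = strtotime(arg, now, now);
	}
}
/* … unchanged: option loop; each case becomes one call, e.g. … */
case 'P':
	set_or_unset_time('P', isc_commandline_argument, now,
			  &publish, &setpub, &unsetpub);
	break;
```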


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.26 2009/08/28 21:47:02 each Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.27 2009/09/02 06:29:00 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@ -350,10 +350,12 @@
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. If such an offset is followed
by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
offset is computed in years, months, weeks, days, or hours,
respectively; otherwise it is computed in seconds.
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</para>
<variablelist>


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-revoke.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
/* $Id: dnssec-revoke.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
/*! \file */
@ -161,6 +161,11 @@ main(int argc, char **argv) {
flags = dst_key_flags(key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
isc_stdtime_t now;
isc_stdtime_get(&now);
dst_key_settime(key, DST_TIME_REVOKE, now);
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
isc_buffer_init(&buf, newname, sizeof(newname));
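Review bot: `dst_key_settime(key, DST_TIME_REVOKE, now);` overwrites whatever revocation date the key already carried (a scheduled future date, for instance) without any message, and it runs only when the REVOKE bit is not yet set, so an already-revoked key that lacks a date never gets one recorded — presumably acceptable, but worth stating. A comment above the call such as `/* Record when the REVOKE bit was actually set; this supersedes any scheduled revocation date. */` would make the intent explicit, and if the second case matters the else path of this `if` (outside the hunk) is where a missing date could be backfilled. main continues outside the hunk.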


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
/* $Id: dnssec-settime.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
/*! \file */
@ -53,18 +53,29 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, "General options:\n");
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set key "
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set key "
"revocation date\n");
fprintf(stderr, " -U date/[+-]offset/none: set key "
"unpublication date\n");
fprintf(stderr, " -D date/[+-]offset/none: set key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/A/R/U/D/all: print a particular time "
"value or values "
"[default: all]\n");
fprintf(stderr, " -u: print times in unix epoch "
"format\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
@ -73,19 +84,26 @@ usage(void) {
}
static void
printtime(dst_key_t *key, int type, const char *tag, FILE *stream) {
printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
FILE *stream)
{
isc_result_t result;
time_t when;
const char *output;
const char *output = NULL;
isc_stdtime_t when;
result = dst_key_gettime(key, type, (isc_stdtime_t *) &when);
if (result == ISC_R_NOTFOUND || when == 0) {
fprintf(stream, "%s: NOT SET\n", tag);
return;
if (tag != NULL)
fprintf(stream, "%s: ", tag);
result = dst_key_gettime(key, type, &when);
if (result == ISC_R_NOTFOUND) {
fprintf(stream, "UNSET\n");
} else if (epoch) {
fprintf(stream, "%d\n", (int) when);
} else {
time_t time = when;
output = ctime(&time);
fprintf(stream, "%s", output);
}
output = ctime(&when);
fprintf(stream, "%s: %s", tag, output);
}
int
@ -94,18 +112,26 @@ main(int argc, char **argv) {
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[KEY_FORMATSIZE];
char *endp;
char *endp, *p;
int ch;
isc_entropy_t *ectx = NULL;
dst_key_t *key = NULL;
isc_buffer_t buf;
isc_stdtime_t now, when;
int major, minor;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
isc_boolean_t printunpub = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t forceupdate = ISC_FALSE;
isc_boolean_t print = ISC_TRUE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
if (argc == 1)
usage();
@ -121,11 +147,54 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"fK:hv:P:A:R:U:D:")) != -1) {
"fK:uhp:v:P:A:R:U:D:")) != -1) {
switch (ch) {
case 'f':
forceupdate = ISC_TRUE;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = ISC_TRUE;
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
printunpub = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
do {
switch (*p++) {
case 'C':
printcreate = ISC_TRUE;
break;
case 'P':
printpub = ISC_TRUE;
break;
case 'A':
printact = ISC_TRUE;
break;
case 'R':
printrev = ISC_TRUE;
break;
case 'U':
printunpub = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'u':
epoch = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
@ -144,29 +213,69 @@ main(int argc, char **argv) {
fatal("-v must be followed by a number");
break;
case 'P':
print = ISC_FALSE;
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument, now, now);
if (setpub || unsetpub)
fatal("-P specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetpub = ISC_TRUE;
} else {
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'A':
print = ISC_FALSE;
setact = ISC_TRUE;
act = strtotime(isc_commandline_argument, now, now);
if (setact || unsetact)
fatal("-A specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetact = ISC_TRUE;
} else {
setact = ISC_TRUE;
act = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'R':
print = ISC_FALSE;
setrev = ISC_TRUE;
rev = strtotime(isc_commandline_argument, now, now);
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetrev = ISC_TRUE;
} else {
setrev = ISC_TRUE;
rev = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'U':
print = ISC_FALSE;
setunpub = ISC_TRUE;
unpub = strtotime(isc_commandline_argument, now, now);
if (setunpub || unsetunpub)
fatal("-U specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetunpub = ISC_TRUE;
} else {
setunpub = ISC_TRUE;
unpub = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'D':
print = ISC_FALSE;
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument, now, now);
if (setdel || unsetdel)
fatal("-D specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetdel = ISC_TRUE;
} else {
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument,
now, now);
}
break;
case '?':
if (isc_commandline_option != '?')
@ -220,41 +329,84 @@ main(int argc, char **argv) {
key_format(key, keystr, sizeof(keystr));
/* Is this an old-style key? */
result = dst_key_gettime(key, DST_TIME_CREATED, &when);
if (result == ISC_R_NOTFOUND) {
if (forceupdate)
dst_key_getprivateformat(key, &major, &minor);
if (major <= 1 && minor <= 2) {
if (forceupdate) {
/*
* Updating to new-style key: set
* Private-key-format to 1.3
*/
dst_key_setprivateformat(key, 1, 3);
dst_key_settime(key, DST_TIME_CREATED, now);
else
} else
fatal("Incompatible key %s, "
"use -f force update.", keystr);
"use -f to force update.", keystr);
}
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
if (print) {
printtime(key, DST_TIME_CREATED, "Created", stdout);
printtime(key, DST_TIME_PUBLISH, "Publish", stdout);
printtime(key, DST_TIME_ACTIVATE, "Activate", stdout);
printtime(key, DST_TIME_REVOKE, "Revoke", stdout);
printtime(key, DST_TIME_REMOVE, "Remove", stdout);
printtime(key, DST_TIME_DELETE, "Delete", stdout);
} else {
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, pub);
/*
* Set time values.
*/
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, pub);
else if (unsetpub)
dst_key_unsettime(key, DST_TIME_PUBLISH);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, act);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, act);
else if (unsetact)
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE, rev);
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
program, keystr);
dst_key_settime(key, DST_TIME_REVOKE, rev);
} else if (unsetrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; removing the revocation date "
"will not affect this.\n",
program, keystr);
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setunpub)
dst_key_settime(key, DST_TIME_REMOVE, unpub);
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
else if (unsetunpub)
dst_key_unsettime(key, DST_TIME_UNPUBLISH);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
/*
* Print out time values, if -p was used.
*/
if (printcreate)
printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
if (printpub)
printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
if (printact)
printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
if (printunpub)
printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
&buf);
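Review bot: In printtime, `fprintf(stream, "%d\n", (int) when);` casts an isc_stdtime_t — an unsigned 32-bit type in BIND, as far as I recall — to int, so the epoch output goes negative for values at or above 2^31 (the 2038 boundary), which is exactly the script-consumer case -u was added for. Print it unsigned instead: `fprintf(stream, "%u\n", (unsigned int) when);`. The -p letter parser in main accepts `' '` silently but sends any other separator (a comma in `-p P,A`, say) to usage(); a comment above the `do` loop such as `/* -p letters may be run together or separated by spaces, e.g. "PA" or "P A" */` would spare the next reader a trip through the switch. Both printtime's caller and main continue outside the hunks.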


@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.2 2009/07/19 04:18:04 each Exp $ -->
<!-- $Id: dnssec-settime.docbook,v 1.3 2009/09/02 06:29:00 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
@ -135,10 +135,12 @@
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. If such an offset is followed
by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
offset is computed in years, months, weeks, days, or hours,
respectively; otherwise it is computed in seconds.
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
</para>
<variablelist>
@ -202,6 +204,44 @@
</variablelist>
</refsect1>
<refsect1>
<title>PRINTING OPTIONS</title>
<para>
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
</para>
<variablelist>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Print times in UNIX epoch format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>
<listitem>
<para>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters to indicate which value or values to print:
<option>C</option> for the creation date,
<option>P</option> for the publication date,
<option>A</option> for the activation date,
<option>R</option> for the revokation date,
<option>U</option> for the unpublication date, or
<option>D</option> for the deletion date.
To print all of the metadata, use <option>-p all</option>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.228 2009/09/01 00:22:24 jinmei Exp $ */
/* $Id: dnssec-signzone.c,v 1.229 2009/09/02 06:29:00 each Exp $ */
/*! \file */
@ -130,6 +130,7 @@ static isc_boolean_t printstats = ISC_FALSE;
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
static dns_ttl_t zone_soa_min_ttl;
static dns_ttl_t soa_ttl;
static FILE *fp;
static char *tempfile = NULL;
static const dns_master_style_t *masterstyle;
@ -160,7 +161,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
static unsigned int hash_length = 0;
static isc_boolean_t unknownalg = ISC_FALSE;
static isc_boolean_t disable_zone_check = ISC_FALSE;
static int keyttl = 3600;
static isc_boolean_t set_keyttl = ISC_FALSE;
static dns_ttl_t keyttl;
#define INCSTAT(counter) \
if (printstats) { \
@ -1128,17 +1130,15 @@ active_node(dns_dbnode_t *node) {
}
/*%
* Extracts the minimum TTL from the SOA.
* Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
*/
static dns_ttl_t
soa_min_ttl(void) {
static void
get_soa_ttls(void) {
dns_rdataset_t soaset;
dns_fixedname_t fname;
dns_name_t *name;
isc_result_t result;
dns_ttl_t ttl;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_soa_t soa;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
@ -1152,11 +1152,9 @@ soa_min_ttl(void) {
result = dns_rdataset_first(&soaset);
check_result(result, "dns_rdataset_first");
dns_rdataset_current(&soaset, &rdata);
result = dns_rdata_tostruct(&rdata, &soa, NULL);
check_result(result, "dns_rdata_tostruct");
ttl = soa.minimum;
zone_soa_min_ttl = dns_soa_getminimum(&rdata);
soa_ttl = soaset.ttl;
dns_rdataset_disassociate(&soaset);
return (ttl);
}
/*%
@ -2530,6 +2528,14 @@ loadzonekeys(dns_db_t *db) {
&rdataset, NULL);
if (result == ISC_R_SUCCESS) {
if (set_keyttl && keyttl != rdataset.ttl) {
fprintf(stderr, "User-specified TTL (%d) conflicts "
"with existing DNSKEY RRset TTL.\n",
keyttl);
fprintf(stderr, "Imported keys will use the RRSet "
"TTL (%d) instead.\n",
rdataset.ttl);
}
keyttl = rdataset.ttl;
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
@ -2744,7 +2750,7 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
make_dnskey(key1->key, &dnskey);
alg_format(dst_key_alg(key1->key), alg, sizeof(alg));
fprintf(stderr, "Fetching %s %d/%s from key %s.\n",
fprintf(stderr, "Fetching %s %d/%s from key %s\n",
isksk(key1) ?
(iszsk(key1) ? "KSK/ZSK" : "KSK") :
"ZSK",
@ -2753,6 +2759,19 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
"file" :
"repository");
if (key1->prepublish && keyttl > key1->prepublish) {
char keystr[KEY_FORMATSIZE];
key_format(key1->key, keystr, sizeof(keystr));
fatal("Key %s is scheduled to\n"
"become active in %d seconds. "
"This is less than the DNSKEY TTL\n"
"value of %d seconds. Reduce "
"the TTL, or change the activation\n"
"date of the key using "
"'dnssec-settime -A'.",
keystr, key1->prepublish, keyttl);
}
/* add key to the zone */
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
gorigin, keyttl,
@ -3324,9 +3343,8 @@ main(int argc, char *argv[]) {
case 'T':
endp = NULL;
keyttl = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("key TTL must be numeric");
set_keyttl = ISC_TRUE;
keyttl = strtottl(isc_commandline_argument);
break;
case 't':
@ -3382,15 +3400,11 @@ main(int argc, char *argv[]) {
isc_stdtime_get(&now);
if (startstr != NULL) {
if (startstr[0] == '-' || strncmp(startstr, "now-", 4) == 0)
fatal("time value %s is invalid", startstr);
starttime = strtotime(startstr, now, now);
} else
starttime = now - 3600; /* Allow for some clock skew. */
if (endstr != NULL) {
if (endstr[0] == '-' || strncmp(endstr, "now-", 4) == 0)
fatal("time value %s is invalid", endstr);
endtime = strtotime(endstr, now, starttime);
} else
endtime = starttime + (30 * 24 * 60 * 60);
@ -3471,7 +3485,10 @@ main(int argc, char *argv[]) {
loadzone(file, origin, rdclass, &gdb);
gorigin = dns_db_origin(gdb);
gclass = dns_db_class(gdb);
zone_soa_min_ttl = soa_min_ttl();
get_soa_ttls();
if (!set_keyttl)
keyttl = soa_ttl;
if (IS_NSEC3) {
isc_boolean_t answer;
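Review bot: The new default `keyttl = soa_ttl;` after `get_soa_ttls()` takes the SOA record's own TTL, while this commit's dnssec-signzone.docbook hunk tells users the default is "the minimum TTL value from the zone's SOA record"; one of the two should change, and unless the SOA minimum was the intent the man page is the cheaper fix. Separately, `keyttl` is now a `dns_ttl_t` (unsigned), yet the new messages in loadzonekeys and build_final_keylist print it and `rdataset.ttl` with `%d` — and `key1->prepublish` too, if it is the isc_stdtime_t that get_hints in dnssec.c suggests; a mismatched conversion is undefined behaviour and `-Wformat` will flag it, so use `%u` with an `(unsigned int)` cast for those arguments. The enclosing functions extend beyond the hunks.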


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.35 2009/07/19 04:18:04 each Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.36 2009/09/02 06:29:00 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
@ -124,6 +124,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: Generate a
<filename>keyset-<replaceable>zonename</replaceable></filename>
file in addition to
<filename>dsset-<replaceable>zonename</replaceable></filename>
when signing a zone, for use by older versions of
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
@ -202,6 +216,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
<option>end-time</option> must be later than
<option>start-time</option>.
</para>
</listitem>
</varlistentry>
@ -477,8 +493,15 @@
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies the TTL of new DNSKEY records imported to the zone
from the key repository. Only useful with the -S option.
Specifies the TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not specified,
the default is the minimum TTL value from the zone's SOA
record. This option is ignored when signing without
<option>-S</option>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them.
</para>
</listitem>
</varlistentry>


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.c,v 1.50 2009/08/13 04:13:58 marka Exp $ */
/* $Id: dnssectool.c,v 1.51 2009/09/02 06:29:01 each Exp $ */
/*! \file */
@ -266,12 +266,23 @@ cleanup_entropy(isc_entropy_t **ectx) {
}
static isc_stdtime_t
time_units(isc_stdtime_t offset, char suffix, const char *str) {
switch(suffix) {
time_units(isc_stdtime_t offset, char *suffix, const char *str) {
switch (suffix[0]) {
case 'Y': case 'y':
return (offset * (365 * 24 * 3600));
case 'M': case 'm':
return (offset * (30 * 24 * 3600));
switch (suffix[1]) {
case 'O': case 'o':
return (offset * (30 * 24 * 3600));
case 'I': case 'i':
return (offset * 60);
case '\0':
fatal("'%s' ambiguous: use 'mi' for minutes "
"or 'mo' for months", str);
default:
fatal("time value %s is invalid", str);
}
break;
case 'W': case 'w':
return (offset * (7 * 24 * 3600));
case 'D': case 'd':
@ -286,6 +297,19 @@ time_units(isc_stdtime_t offset, char suffix, const char *str) {
return(0); /* silence compiler warning */
}
dns_ttl_t
strtottl(const char *str) {
const char *orig = str;
dns_ttl_t ttl;
char *endp;
ttl = strtol(str, &endp, 0);
if (ttl == 0 && endp == str)
fatal("TTL must be numeric");
ttl = time_units(ttl, endp, orig);
return (ttl);
}
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
isc_int64_t val, offset;
@ -305,11 +329,11 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
return ((isc_stdtime_t) base);
else if (str[0] == '+') {
offset = strtol(str + 1, &endp, 0);
offset = time_units(offset, *endp, orig);
offset = time_units(offset, endp, orig);
val = base + offset;
} else if (str[0] == '-') {
offset = strtol(str + 1, &endp, 0);
offset = time_units(offset, *endp, orig);
offset = time_units(offset, endp, orig);
val = base - offset;
} else if (strlen(str) == 8U) {
char timestr[15];
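Review bot: strtottl accepts negative and out-of-range input silently: `ttl = strtol(str, &endp, 0);` stores a long into the unsigned dns_ttl_t, so `-T -1` becomes 4294967295 and an ERANGE result is never noticed, whereas the `*endp != '\0'` check this replaces in dnssec-signzone.c at least rejected trailing junk (time_units does fatal on an unknown suffix, but that default branch is outside this hunk). time_units also multiplies without a bound, so a value such as "200y" wraps the 32-bit result instead of failing; that check belongs there too. I would parse into a long and reject negatives and anything above the RFC 2181 TTL ceiling (2^31 - 1) before converting, as below, and `suffix` can be `const char *` since it is only read. This needs `<errno.h>` if dnssectool.c does not already include it.
```c
dns_ttl_t
strtottl(const char *str) {
	const char *orig = str;
	char *endp;
	long val;

	errno = 0;
	val = strtol(str, &endp, 0);
	if (endp == str)
		fatal("TTL must be numeric");
	/* RFC 2181 caps a TTL at 2^31 - 1; dns_ttl_t is unsigned, so check first. */
	if (errno == ERANGE || val < 0 || val > 0x7fffffffL)
		fatal("TTL %s is out of range", orig);
	return (time_units((dns_ttl_t) val, endp, orig));
}
```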


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
/* $Id: dnssectool.h,v 1.23 2009/09/02 06:29:01 each Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@ -67,6 +67,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
void
cleanup_entropy(isc_entropy_t **ectx);
dns_ttl_t strtottl(const char *str);
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
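Review bot: `dns_ttl_t strtottl(const char *str);` puts the return type on the same line as the name, while the neighbouring prototypes (`isc_stdtime_t` / `strtotime(...)` directly below, `void` / `cleanup_entropy(...)` above) split them onto separate lines; match that layout. As this is the tools' public header, a one-line comment would also help callers, e.g. `/*% Parse a TTL with an optional y/mo/w/d/h/mi suffix; calls fatal() on malformed input. */`.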


@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.98 2009/07/19 23:47:55 tbox Exp $
* $Id: dnssec.c,v 1.99 2009/09/02 06:29:01 each Exp $
*/
/*! \file */
@ -958,8 +958,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
dns_dnsseckey_t **dkp)
{
isc_result_t result;
isc_stdtime_t when;
dns_dnsseckey_t *dk;
int major, minor;
REQUIRE(dkp != NULL && *dkp == NULL);
dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
@ -973,6 +973,7 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
dk->hint_publish = ISC_FALSE;
dk->hint_sign = ISC_FALSE;
dk->hint_remove = ISC_FALSE;
dk->prepublish = 0;
dk->source = dns_keysource_unknown;
dk->index = 0;
@ -980,8 +981,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
/* Is this an old-style key? */
result = dst_key_gettime(dk->key, DST_TIME_CREATED, &when);
dk->legacy = ISC_TF(result != ISC_R_SUCCESS);
result = dst_key_getprivateformat(dk->key, &major, &minor);
dk->legacy = ISC_TF(major == 1 && minor <= 2);
ISC_LINK_INIT(dk, link);
*dkp = dk;
@ -1003,7 +1004,7 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
static void
get_hints(dns_dnsseckey_t *key) {
isc_result_t result;
isc_stdtime_t now, publish, active, revoke, remove, delete;
isc_stdtime_t now, publish, active, revoke, unpublish, delete;
isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
isc_boolean_t delset = ISC_FALSE;
@ -1024,7 +1025,7 @@ get_hints(dns_dnsseckey_t *key) {
if (result == ISC_R_SUCCESS)
revset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_REMOVE, &remove);
result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
if (result == ISC_R_SUCCESS)
remset = ISC_TRUE;
@ -1056,6 +1057,13 @@ get_hints(dns_dnsseckey_t *key) {
if (actset && !pubset)
key->hint_publish = ISC_TRUE;
/*
* If activation date is in the future, make note of how far off
*/
if (key->hint_publish && actset && active > now) {
key->prepublish = active - now;
}
/*
* Metadata says revoke. If the key is published,
* we *have to* sign with it per RFC5011--even if it was
@ -1074,10 +1082,10 @@ get_hints(dns_dnsseckey_t *key) {
}
/*
* Metadata says remove or delete, so don't publish
* Metadata says unpublish or delete, so don't publish
* this key or sign with it.
*/
if ((remset && remove < now) ||
if ((remset && unpublish < now) ||
(delset && delete < now)) {
key->hint_publish = ISC_FALSE;
key->hint_sign = ISC_FALSE;
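Review bot: `dk->legacy = ISC_TF(major == 1 && minor <= 2);` and dnssec-settime.c's new `if (major <= 1 && minor <= 2)` disagree on a key whose private-key format was never recorded: get_key_struct in dst_api.c starts fmt_major/fmt_minor at 0 and dst__privstruct_writefile treats 0.0 as "use the current default", so settime calls such a key incompatible and demands -f while this function treats it as new-style. Whichever reading is intended, the two sites should share it — a small helper, or at least a comment stating that 0.0 means "unknown, assume current", would keep them from drifting. The `result` of `dst_key_getprivateformat` is stored but never examined; since the dst_api.c implementation can only return ISC_R_SUCCESS that is harmless, but `(void)`-casting the call or dropping the assignment makes that explicit. dns_dnsseckey_create continues outside the hunk.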


@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.27 2009/09/01 00:22:26 jinmei Exp $
* $Id: dst_api.c,v 1.28 2009/09/02 06:29:01 each Exp $
*/
/*! \file */
@ -786,7 +786,7 @@ dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
REQUIRE(VALID_KEY(key));
REQUIRE(timep != NULL);
REQUIRE(type <= DST_MAX_TIMES);
if (key->times[type] == 0)
if (!key->timeset[type])
return (ISC_R_NOTFOUND);
*timep = key->times[type];
return (ISC_R_SUCCESS);
@ -797,6 +797,31 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
REQUIRE(VALID_KEY(key));
REQUIRE(type <= DST_MAX_TIMES);
key->times[type] = when;
key->timeset[type] = ISC_TRUE;
}
void
dst_key_unsettime(dst_key_t *key, int type) {
REQUIRE(VALID_KEY(key));
REQUIRE(type <= DST_MAX_TIMES);
key->timeset[type] = ISC_FALSE;
}
isc_result_t
dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
REQUIRE(VALID_KEY(key));
REQUIRE(majorp != NULL);
REQUIRE(minorp != NULL);
*majorp = key->fmt_major;
*minorp = key->fmt_minor;
return (ISC_R_SUCCESS);
}
void
dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
REQUIRE(VALID_KEY(key));
key->fmt_major = major;
key->fmt_minor = minor;
}
isc_boolean_t
@ -954,6 +979,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
{
dst_key_t *key;
isc_result_t result;
int i;
key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
if (key == NULL)
@ -977,12 +1003,17 @@ get_key_struct(dns_name_t *name, unsigned int alg,
key->key_alg = alg;
key->key_flags = flags;
key->key_proto = protocol;
memset(key->times, 0, sizeof(key->times));
key->mctx = mctx;
key->keydata.generic = NULL;
key->key_size = bits;
key->key_class = rdclass;
key->func = dst_t_func[alg];
key->fmt_major = 0;
key->fmt_minor = 0;
for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
key->times[i] = 0;
key->timeset[i] = ISC_FALSE;
}
return (key);
}
@ -1242,7 +1273,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
printtime(key, DST_TIME_REMOVE, "; Remove", fp);
printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
printtime(key, DST_TIME_DELETE, "; Delete", fp);
}
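Review bot: The new dst_key_unsettime copies `REQUIRE(type <= DST_MAX_TIMES);` from its neighbours, but `type` is a signed int, so a negative value passes the check and `key->timeset[type]` writes before the array; as a freshly added entry point it should bound both ends: `REQUIRE(type >= 0 && type <= DST_MAX_TIMES);` (dst_key_gettime and dst_key_settime carry the same one-sided check, but those lines are context here). dst_key_getprivateformat can only return ISC_R_SUCCESS, so callers have nothing to test — either document that or make it `void` like its setter — and both new format functions would benefit from a comment noting that 0/0 is the "not recorded" state get_key_struct initialises.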


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_internal.h,v 1.15 2009/07/19 04:18:05 each Exp $ */
/* $Id: dst_internal.h,v 1.16 2009/09/02 06:29:01 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@ -117,6 +117,11 @@ struct dst_key {
} keydata; /*%< pointer to key in crypto pkg fmt */
isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< key timing metadata */
isc_boolean_t timeset[DST_MAX_TIMES + 1]; /*%< metadata set? */
int fmt_major; /*%< private key format, major version */
int fmt_minor; /*%< private key format, minor version */
dst_func_t * func; /*%< crypto package specific functions */
};
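Review bot: The new `fmt_major`/`fmt_minor` fields carry a sentinel the comments do not mention: get_key_struct in dst_api.c starts both at 0 and dst__privstruct_writefile substitutes MAJOR_VERSION/MINOR_VERSION when it sees 0/0, so 0 means "not recorded" rather than a real version. Saying so here, e.g. `int fmt_major; /*%< private key format, major version (0 = not recorded) */`, puts the contract where readers of the struct will look first.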


@ -31,7 +31,7 @@
/*%
* Principal Author: Brian Wellington
* $Id: dst_parse.c,v 1.19 2009/07/19 23:47:55 tbox Exp $
* $Id: dst_parse.c,v 1.20 2009/09/02 06:29:01 each Exp $
*/
#include <config.h>
@ -62,7 +62,7 @@ static const char *metatags[METADATA_NTAGS] = {
"Publish:",
"Activate:",
"Revoke:",
"Remove:",
"Unpublish:",
"Delete:"
};
@ -309,7 +309,7 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
priv->nelements = 0;
}
int
isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv)
{
@ -373,6 +373,11 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
goto fail;
}
/*
* Store the private key format version number
*/
dst_key_setprivateformat(key, major, minor);
READLINE(lex, opt, &token);
/*
@ -474,7 +479,7 @@ fail:
return (ret);
}
int
isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory)
{
@ -487,6 +492,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
isc_stdtime_t when;
isc_buffer_t b;
isc_region_t r;
int major, minor;
REQUIRE(priv != NULL);
@ -507,11 +513,17 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
&access);
(void)isc_fsaccess_set(filename, access);
dst_key_getprivateformat(key, &major, &minor);
if (major == 0 && minor == 0) {
major = MAJOR_VERSION;
minor = MINOR_VERSION;
}
/* XXXDCL return value should be checked for full filesystem */
fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
MINOR_VERSION);
fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_RSAMD5:
@ -576,21 +588,23 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
}
/* Add the timing metadata tags */
for (i = 0; i < METADATA_NTAGS; i++) {
result = dst_key_gettime(key, i, &when);
if (result != ISC_R_SUCCESS)
continue;
if (major > 1 || (major == 1 && minor >= 3)) {
for (i = 0; i < METADATA_NTAGS; i++) {
result = dst_key_gettime(key, i, &when);
if (result != ISC_R_SUCCESS)
continue;
isc_buffer_init(&b, buffer, sizeof(buffer));
result = dns_time32_totext(when, &b);
if (result != ISC_R_SUCCESS)
continue;
isc_buffer_init(&b, buffer, sizeof(buffer));
result = dns_time32_totext(when, &b);
if (result != ISC_R_SUCCESS)
continue;
isc_buffer_usedregion(&b, &r);
isc_buffer_usedregion(&b, &r);
fprintf(fp, "%s ", metatags[i]);
fwrite(r.base, 1, r.length, fp);
fprintf(fp, "\n");
fprintf(fp, "%s ", metatags[i]);
fwrite(r.base, 1, r.length, fp);
fprintf(fp, "\n");
}
}
fflush(fp);
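Review bot: The version gate `if (major > 1 || (major == 1 && minor >= 3))` in dst__privstruct_writefile hard-codes 1.3 as the first private-key format that carries timing metadata, and when the key was read from an older-format file any timing values that dst_key_gettime would return are silently not written. A comment would make the intent explicit, e.g. `/* Timing metadata exists only in private-key format 1.3 and later; a key read from an older file is rewritten without it. */`, and the 1 and 3 deserve named constants next to MAJOR_VERSION/MINOR_VERSION. If dropping the metadata is not intended for tools that rewrite existing keys (dnssec-settime, dnssec-revoke per the commit message), the caller should raise the format with dst_key_setprivateformat first, or this function should report an error instead of discarding the values. The enclosing function starts and continues outside the hunk.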


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_parse.h,v 1.13 2009/07/19 23:47:55 tbox Exp $ */
/* $Id: dst_parse.h,v 1.14 2009/09/02 06:29:01 each Exp $ */
/*! \file */
#ifndef DST_DST_PARSE_H
@ -126,11 +126,11 @@ ISC_LANG_BEGINDECLS
void
dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
int
isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv);
int
isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory);


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.h,v 1.35 2009/07/19 04:18:05 each Exp $ */
/* $Id: dnssec.h,v 1.36 2009/09/02 06:29:01 each Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
@ -52,6 +52,7 @@ struct dns_dnsseckey {
isc_boolean_t hint_sign; /*% metadata says to sign with this key */
isc_boolean_t force_sign; /*% sign with key regardless of metadata */
isc_boolean_t hint_remove; /*% metadata says *don't* publish */
unsigned int prepublish; /*% how long until active? */
dns_keysource_t source; /*% how the key was found */
isc_boolean_t ksk; /*% this is a key-signing key */
isc_boolean_t legacy; /*% this is old-style key with no
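Review bot: The new `prepublish` member's comment `/*% how long until active? */` leaves both the unit and the meaning of zero unstated, and the `unsigned int` type gives no hint. It is presumably a duration in seconds derived from the DST_TIME_ACTIVATE metadata (confirm against the code that fills it, which is outside this hunk); suggest `/*% seconds until the key becomes active; 0 if already active or unknown */`, with the unit corrected if it is not seconds.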


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.16 2009/07/19 04:18:05 each Exp $ */
/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@ -84,7 +84,7 @@ typedef struct dst_context dst_context_t;
#define DST_TIME_PUBLISH 1
#define DST_TIME_ACTIVATE 2
#define DST_TIME_REVOKE 3
#define DST_TIME_REMOVE 4
#define DST_TIME_UNPUBLISH 4
#define DST_TIME_DELETE 5
#define DST_MAX_TIMES 5
@ -683,6 +683,39 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
* "type" is no larger than DST_MAX_TIMES
*/
void
dst_key_unsettime(dst_key_t *key, int type);
/*%<
* Flag a member of the timing metadata array as "not set".
*
* Requires:
* "key" is a valid key.
* "type" is no larger than DST_MAX_TIMES
*/
isc_result_t
dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
/*%<
* Get the private key format version number. (If the key does not have
* a private key associated with it, the version will be 0.0.) The major
* version number is placed in '*majorp', and the minor version number in
* '*minorp'.
*
* Requires:
* "key" is a valid key.
* "majorp" is not NULL.
* "minorp" is not NULL.
*/
void
dst_key_setprivateformat(dst_key_t *key, int major, int minor);
/*%<
* Set the private key format version number.
*
* Requires:
* "key" is a valid key.
*/
ISC_LANG_ENDDECLS
#endif /* DST_DST_H */
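Review bot: The doxygen block for `dst_key_getprivateformat` has a `Requires:` list but no `Returns:` list even though the function returns isc_result_t, whereas the other declarations in this header spell out which result codes a caller must handle; if it can only succeed, say so, or make it `void` like `dst_key_setprivateformat`. The block for `dst_key_unsettime` bounds `type` only from above; since `type` is a signed int, `"type" is between 0 and DST_MAX_TIMES inclusive` is the precondition a caller actually needs. Renaming `DST_TIME_REMOVE` to `DST_TIME_UNPUBLISH` without a compatibility alias breaks any out-of-tree code that used the old name; acceptable in an alpha, but worth a note in the release notes.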


@ -866,6 +866,7 @@ dst_key_fromgssapi
dst_key_fromlabel
dst_key_fromnamedfile
dst_key_generate
dst_key_getprivateformat
dst_key_gettime
dst_key_id
dst_key_isnullkey
@ -877,12 +878,14 @@ dst_key_proto
dst_key_secretsize
dst_key_setbits
dst_key_setflags
dst_key_setprivateformat
dst_key_settime
dst_key_sigsize
dst_key_size
dst_key_tobuffer
dst_key_todns
dst_key_tofile
dst_key_unsettime
dst_lib_destroy
dst_lib_init
dst_lib_initmsgcat