From eab9975bcf5830a73f18ed8f320ae18ea32775ee Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 2 Sep 2009 06:29:01 +0000 Subject: [PATCH] 2668. [func] Several improvements to dnssec-* tools, including: - dnssec-keygen and dnssec-settime can now set key metadata fields 0 (to unset a value, use "none") - dnssec-revoke sets the revocation date in addition to the revoke bit - dnssec-settime can now print individual metadata fields instead of always printing all of them, and can print them in unix epoch time format for use by scripts [RT #19942] --- CHANGES | 13 ++ bin/dnssec/dnssec-keygen.c | 106 ++++++++--- bin/dnssec/dnssec-keygen.docbook | 12 +- bin/dnssec/dnssec-revoke.c | 7 +- bin/dnssec/dnssec-settime.c | 274 ++++++++++++++++++++++------- bin/dnssec/dnssec-settime.docbook | 50 +++++- bin/dnssec/dnssec-signzone.c | 57 +++--- bin/dnssec/dnssec-signzone.docbook | 29 ++- bin/dnssec/dnssectool.c | 36 +++- bin/dnssec/dnssectool.h | 4 +- lib/dns/dnssec.c | 24 ++- lib/dns/dst_api.c | 39 +++- lib/dns/dst_internal.h | 7 +- lib/dns/dst_parse.c | 50 ++++-- lib/dns/dst_parse.h | 6 +- lib/dns/include/dns/dnssec.h | 3 +- lib/dns/include/dst/dst.h | 37 +++- lib/dns/win32/libdns.def | 3 + 18 files changed, 597 insertions(+), 160 deletions(-) diff --git a/CHANGES b/CHANGES index c7bae302eb..6abf383fa3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,16 @@ + --- 9.7.0a3 released --- + +2668. [func] Several improvements to dnssec-* tools, including: + - dnssec-keygen and dnssec-settime can now set key + metadata fields 0 (to unset a value, use "none") + - dnssec-revoke sets the revocation date in + addition to the revoke bit + - dnssec-settime can now print individual metadata + fields instead of always printing all of them, + and can print them in unix epoch time format for + use by scripts + [RT #19942] + 2667. [func] Add support for logging stack backtrace on assertion failure (not available for all platforms). [RT #19780] 
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 60451ec23e..cb1b5cd08c 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.90 2009/09/01 00:22:24 jinmei Exp $ */ +/* $Id: dnssec-keygen.c,v 1.91 2009/09/02 06:29:00 each Exp $ */ /*! \file */ @@ -174,6 +174,12 @@ main(int argc, char **argv) { isc_stdtime_t publish = 0, activate = 0, revoke = 0; isc_stdtime_t unpublish = 0, delete = 0; isc_stdtime_t now; + isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE; + isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE; + isc_boolean_t setdel = ISC_FALSE; + isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE; + isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE; + isc_boolean_t unsetdel = ISC_FALSE; if (argc == 1) usage(); 
@@ -305,24 +311,64 @@ main(int argc, char **argv) { /* already the default */ break; case 'P': - publish = strtotime(isc_commandline_argument, - now, now); + if (setpub || unsetpub) + fatal("-P specified more than once"); + + if (strcasecmp(isc_commandline_argument, "none")) { + setpub = ISC_TRUE; + publish = strtotime(isc_commandline_argument, + now, now); + } else { + unsetpub = ISC_TRUE; + } break; case 'A': - activate = strtotime(isc_commandline_argument, - now, now); + if (setact || unsetact) + fatal("-A specified more than once"); + + if (strcasecmp(isc_commandline_argument, "none")) { + setact = ISC_TRUE; + activate = strtotime(isc_commandline_argument, + now, now); + } else { + unsetact = ISC_TRUE; + } break; case 'R': - revoke = strtotime(isc_commandline_argument, - now, now); + if (setrev || unsetrev) + fatal("-R specified more than once"); + + if (strcasecmp(isc_commandline_argument, "none")) { + setrev = ISC_TRUE; + revoke = strtotime(isc_commandline_argument, + now, now); + } else { + unsetrev = ISC_TRUE; + } break; case 'U': - unpublish = strtotime(isc_commandline_argument, - now, now); + if (setunpub || unsetunpub) + fatal("-U specified more than once"); + + if (strcasecmp(isc_commandline_argument, "none")) { + setunpub = ISC_TRUE; + unpublish = strtotime(isc_commandline_argument, + now, now); + } else { + unsetunpub = ISC_TRUE; + } break; case 'D': - delete = strtotime(isc_commandline_argument, - now, now); + if (setdel || unsetdel) + fatal("-D specified more than once"); + + if (strcasecmp(isc_commandline_argument, "none")) { + setdel = ISC_TRUE; + delete = strtotime(isc_commandline_argument, + now, now); + } else { + unsetdel = ISC_TRUE; + } break; case 'F': /* Reserved for FIPS mode */ 
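Review bot: The `-P`…`-D` cases record `unsetpub`, `unsetact`, etc. when the argument is "none", but in this tool those flags only feed the later `-C` conflict check; a freshly generated key carries no dates, so "none" is a documented no-op rather than an unset, and a one-line comment such as `/* "none" only matters for the -C conflict check; new keys carry no dates by default */` would save the next reader a search. The bare `if (strcasecmp(isc_commandline_argument, "none"))` reads as "if none" at a glance, while dnssec-settime in this same commit spells the test as `!strcasecmp(...)` with the branches swapped; `if (strcasecmp(isc_commandline_argument, "none") != 0)` would make both files read alike. main() continues outside the hunk.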
@@ -618,19 +664,37 @@ main(int argc, char **argv) { dst_key_setbits(key, dbits); /* - * Set key timing metadata + * Set key timing metadata (unless using -C) */ if (!oldstyle) { dst_key_settime(key, DST_TIME_CREATED, now); - dst_key_settime(key, DST_TIME_PUBLISH, publish); - dst_key_settime(key, DST_TIME_ACTIVATE, activate); - dst_key_settime(key, DST_TIME_REVOKE, revoke); - dst_key_settime(key, DST_TIME_REMOVE, unpublish); - dst_key_settime(key, DST_TIME_DELETE, delete); - } else if (publish != 0 || activate != 0 || revoke != 0 || - unpublish != 0 || delete != 0) { - fatal("cannot use -C together with " - "-P, -A, -R, -U, or -D options"); + + if (setpub) + dst_key_settime(key, DST_TIME_PUBLISH, + publish); + if (setact) + dst_key_settime(key, DST_TIME_ACTIVATE, + activate); + if (setrev) + dst_key_settime(key, DST_TIME_REVOKE, + revoke); + if (setunpub) + dst_key_settime(key, DST_TIME_UNPUBLISH, + unpublish); + if (setdel) + dst_key_settime(key, DST_TIME_DELETE, + delete); + } else { + if (setpub || setact || setrev || setunpub || + setdel || unsetpub || unsetact || + unsetrev || unsetunpub || unsetdel) + fatal("cannot use -C together with " + "-P, -A, -R, -U, or -D options"); + /* + * Compatibility mode: Private-key-format + * should be set to 1.2. + */ + dst_key_setprivateformat(key, 1, 2); } /* diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index 5d6d6e62f5..2ff764ac1d 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 30, 2000 
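Review bot: The `!oldstyle` branch sets DST_TIME_CREATED and the requested dates but never records a private-key format version, whereas the `-C` branch explicitly calls `dst_key_setprivateformat(key, 1, 2)`; get_key_struct() in dst_api.c initializes the format to 0.0, so unless the writer derives the version elsewhere the new-style key is written with an unset format. For symmetry with dnssec-settime's upgrade path, `dst_key_setprivateformat(key, 1, 3);` next to the DST_TIME_CREATED call would make the intent explicit. main() continues outside the hunk.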
@@ -350,10 +350,12 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. If such an offset is followed - by one of the characters 'y', 'm', 'w', 'd', or 'h', then the - offset is computed in years, months, weeks, days, or hours, - respectively; otherwise it is computed in seconds. + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds. diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 27d6835a0a..d58db629ca 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-revoke.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */ +/* $Id: dnssec-revoke.c,v 1.9 2009/09/02 06:29:00 each Exp $ */ /*! \file */ @@ -161,6 +161,11 @@ main(int argc, char **argv) { flags = dst_key_flags(key); if ((flags & DNS_KEYFLAG_REVOKE) == 0) { + isc_stdtime_t now; + + isc_stdtime_get(&now); + dst_key_settime(key, DST_TIME_REVOKE, now); + dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE); isc_buffer_init(&buf, newname, sizeof(newname)); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index d862bc61f8..77fa98242d 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */ +/* $Id: dnssec-settime.c,v 1.9 2009/09/02 06:29:00 each Exp $ */ /*! \file */ 
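Review bot: `dst_key_settime(key, DST_TIME_REVOKE, now)` overwrites any revocation date already stored on the key without telling the operator; dnssec-settime's `-R` in this commit lets a future date be scheduled, and this path silently replaces it with the current time. Consider reading the existing value first, `if (dst_key_gettime(key, DST_TIME_REVOKE, &when) == ISC_R_SUCCESS)`, and printing a warning that the scheduled date is being replaced before setting it. main() continues outside the hunk.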
@@ -53,18 +53,29 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", VERSION); - fprintf(stderr, "Options:\n"); + fprintf(stderr, "General options:\n"); fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); - fprintf(stderr, " -h: help\n"); - fprintf(stderr, " -v level: set level of verbosity\n"); + fprintf(stderr, " -v level: set level of verbosity\n"); + fprintf(stderr, " -h: help\n"); fprintf(stderr, "Timing options:\n"); - fprintf(stderr, " -P date/[+-]offset: set key publication date\n"); - fprintf(stderr, " -A date/[+-]offset: set key activation date\n"); - fprintf(stderr, " -R date/[+-]offset: set key revocation date\n"); - fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n"); - fprintf(stderr, " -D date/[+-]offset: set key deletion date\n"); + fprintf(stderr, " -P date/[+-]offset/none: set/unset key " + "publication date\n"); + fprintf(stderr, " -A date/[+-]offset/none: set key " + "activation date\n"); + fprintf(stderr, " -R date/[+-]offset/none: set key " + "revocation date\n"); + fprintf(stderr, " -U date/[+-]offset/none: set key " + "unpublication date\n"); + fprintf(stderr, " -D date/[+-]offset/none: set key " + "deletion date\n"); + fprintf(stderr, "Printing options:\n"); + fprintf(stderr, " -p C/P/A/R/U/D/all: print a particular time " + "value or values " + "[default: all]\n"); + fprintf(stderr, " -u: print times in unix epoch " + "format\n"); fprintf(stderr, "Output:\n"); fprintf(stderr, " K++.key, " "K++.private\n"); 
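Review bot: The usage text is inconsistent: the `-P` line says "set/unset key publication date" but `-A`, `-R`, `-U` and `-D` say only "set key ... date" although all five accept "none" per the option parsing in this commit. Spell them the same way, e.g. `" -A date/[+-]offset/none: set/unset key activation date\n"`. The `-p` line's "[default: all]" is also misleading: main() prints nothing when `-p` is omitted, so either print all by default or reword to "-p all prints everything".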
@@ -73,19 +84,26 @@ usage(void) { } static void -printtime(dst_key_t *key, int type, const char *tag, FILE *stream) { +printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch, + FILE *stream) +{ isc_result_t result; - time_t when; - const char *output; + const char *output = NULL; + isc_stdtime_t when; - result = dst_key_gettime(key, type, (isc_stdtime_t *) &when); - if (result == ISC_R_NOTFOUND || when == 0) { - fprintf(stream, "%s: NOT SET\n", tag); - return; + if (tag != NULL) + fprintf(stream, "%s: ", tag); + + result = dst_key_gettime(key, type, &when); + if (result == ISC_R_NOTFOUND) { + fprintf(stream, "UNSET\n"); + } else if (epoch) { + fprintf(stream, "%d\n", (int) when); + } else { + time_t time = when; + output = ctime(&time); + fprintf(stream, "%s", output); } - - output = ctime(&when); - fprintf(stream, "%s: %s", tag, output); } int @@ -94,18 +112,26 @@ main(int argc, char **argv) { char *filename = NULL, *directory = NULL; char newname[1024]; char keystr[KEY_FORMATSIZE]; - char *endp; + char *endp, *p; int ch; isc_entropy_t *ectx = NULL; dst_key_t *key = NULL; isc_buffer_t buf; - isc_stdtime_t now, when; + int major, minor; + isc_stdtime_t now; isc_stdtime_t pub = 0, act = 0, rev = 0, unpub = 0, del = 0; isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE; isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE; isc_boolean_t setdel = ISC_FALSE; + isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE; + isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE; + isc_boolean_t unsetdel = ISC_FALSE; + isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE; + isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE; + isc_boolean_t printunpub = ISC_FALSE, printdel = ISC_FALSE; isc_boolean_t forceupdate = ISC_FALSE; - isc_boolean_t print = ISC_TRUE; + isc_boolean_t epoch = ISC_FALSE; + isc_boolean_t changed = ISC_FALSE; if (argc == 1) usage(); 
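Review bot: `fprintf(stream, "%d\n", (int) when)` prints the epoch value through a signed int, so any isc_stdtime_t at or above 2^31 (the 2038 boundary) comes out negative; use `fprintf(stream, "%u\n", (unsigned int) when);` or widen to `%lu` with `(unsigned long)`. `ctime()` may return NULL for an unrepresentable value and `fprintf("%s", NULL)` is undefined, so guard it: `if (output != NULL) fprintf(stream, "%s", output);`. The local named `time` also shadows the libc function name; `time_t t = when;` avoids the confusion.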
@@ -121,11 +147,54 @@ main(int argc, char **argv) { isc_stdtime_get(&now); while ((ch = isc_commandline_parse(argc, argv, - "fK:hv:P:A:R:U:D:")) != -1) { + "fK:uhp:v:P:A:R:U:D:")) != -1) { switch (ch) { case 'f': forceupdate = ISC_TRUE; break; + case 'p': + p = isc_commandline_argument; + if (!strcasecmp(p, "all")) { + printcreate = ISC_TRUE; + printpub = ISC_TRUE; + printact = ISC_TRUE; + printrev = ISC_TRUE; + printunpub = ISC_TRUE; + printdel = ISC_TRUE; + break; + } + + do { + switch (*p++) { + case 'C': + printcreate = ISC_TRUE; + break; + case 'P': + printpub = ISC_TRUE; + break; + case 'A': + printact = ISC_TRUE; + break; + case 'R': + printrev = ISC_TRUE; + break; + case 'U': + printunpub = ISC_TRUE; + break; + case 'D': + printdel = ISC_TRUE; + break; + case ' ': + break; + default: + usage(); + break; + } + } while (*p != '\0'); + break; + case 'u': + epoch = ISC_TRUE; + break; case 'K': /* * We don't have to copy it here, but do it to 
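Review bot: The `-p` letters are matched case-sensitively (`case 'C'`, `case 'P'`, …) while the `all` keyword is compared with strcasecmp, so `-p c` exits through usage() where `-p ALL` works; either accept both cases, `case 'C': case 'c':`, or compare `all` case-sensitively too. The `case ' ': break;` arm silently tolerates embedded spaces and deserves a comment, e.g. `/* allow quoted lists such as -p "C P A" */`. main() continues outside the hunk.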
@@ -144,29 +213,69 @@ main(int argc, char **argv) { fatal("-v must be followed by a number"); break; case 'P': - print = ISC_FALSE; - setpub = ISC_TRUE; - pub = strtotime(isc_commandline_argument, now, now); + if (setpub || unsetpub) + fatal("-P specified more than once"); + + changed = ISC_TRUE; + if (!strcasecmp(isc_commandline_argument, "none")) { + unsetpub = ISC_TRUE; + } else { + setpub = ISC_TRUE; + pub = strtotime(isc_commandline_argument, + now, now); + } break; case 'A': - print = ISC_FALSE; - setact = ISC_TRUE; - act = strtotime(isc_commandline_argument, now, now); + if (setact || unsetact) + fatal("-A specified more than once"); + + changed = ISC_TRUE; + if (!strcasecmp(isc_commandline_argument, "none")) { + unsetact = ISC_TRUE; + } else { + setact = ISC_TRUE; + act = strtotime(isc_commandline_argument, + now, now); + } break; case 'R': - print = ISC_FALSE; - setrev = ISC_TRUE; - rev = strtotime(isc_commandline_argument, now, now); + if (setrev || unsetrev) + fatal("-R specified more than once"); + + changed = ISC_TRUE; + if (!strcasecmp(isc_commandline_argument, "none")) { + unsetrev = ISC_TRUE; + } else { + setrev = ISC_TRUE; + rev = strtotime(isc_commandline_argument, + now, now); + } break; case 'U': - print = ISC_FALSE; - setunpub = ISC_TRUE; - unpub = strtotime(isc_commandline_argument, now, now); + if (setunpub || unsetunpub) + fatal("-U specified more than once"); + + changed = ISC_TRUE; + if (!strcasecmp(isc_commandline_argument, "none")) { + unsetunpub = ISC_TRUE; + } else { + setunpub = ISC_TRUE; + unpub = strtotime(isc_commandline_argument, + now, now); + } break; case 'D': - print = ISC_FALSE; - setdel = ISC_TRUE; - del = strtotime(isc_commandline_argument, now, now); + if (setdel || unsetdel) + fatal("-D specified more than once"); + + changed = ISC_TRUE; + if (!strcasecmp(isc_commandline_argument, "none")) { + unsetdel = ISC_TRUE; + } else { + setdel = ISC_TRUE; + del = strtotime(isc_commandline_argument, + now, now); + } break; case '?': 
if (isc_commandline_option != '?') 
@@ -220,41 +329,84 @@ main(int argc, char **argv) { key_format(key, keystr, sizeof(keystr)); /* Is this an old-style key? */ - result = dst_key_gettime(key, DST_TIME_CREATED, &when); - if (result == ISC_R_NOTFOUND) { - if (forceupdate) + dst_key_getprivateformat(key, &major, &minor); + if (major <= 1 && minor <= 2) { + if (forceupdate) { + /* + * Updating to new-style key: set + * Private-key-format to 1.3 + */ + dst_key_setprivateformat(key, 1, 3); dst_key_settime(key, DST_TIME_CREATED, now); - else + } else fatal("Incompatible key %s, " - "use -f force update.", keystr); + "use -f to force update.", keystr); } if (verbose > 2) fprintf(stderr, "%s: %s\n", program, keystr); - if (print) { - printtime(key, DST_TIME_CREATED, "Created", stdout); - printtime(key, DST_TIME_PUBLISH, "Publish", stdout); - printtime(key, DST_TIME_ACTIVATE, "Activate", stdout); - printtime(key, DST_TIME_REVOKE, "Revoke", stdout); - printtime(key, DST_TIME_REMOVE, "Remove", stdout); - printtime(key, DST_TIME_DELETE, "Delete", stdout); - } else { - if (setpub) - dst_key_settime(key, DST_TIME_PUBLISH, pub); + /* + * Set time values. 
+ */ + if (setpub) + dst_key_settime(key, DST_TIME_PUBLISH, pub); + else if (unsetpub) + dst_key_unsettime(key, DST_TIME_PUBLISH); - if (setact) - dst_key_settime(key, DST_TIME_ACTIVATE, act); + if (setact) + dst_key_settime(key, DST_TIME_ACTIVATE, act); + else if (unsetact) + dst_key_unsettime(key, DST_TIME_ACTIVATE); - if (setrev) - dst_key_settime(key, DST_TIME_REVOKE, rev); + if (setrev) { + if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now) + fprintf(stderr, "%s: warning: Key %s is already " + "revoked; changing the revocation date " + "will not affect this.\n", + program, keystr); + dst_key_settime(key, DST_TIME_REVOKE, rev); + } else if (unsetrev) { + if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0) + fprintf(stderr, "%s: warning: Key %s is already " + "revoked; removing the revocation date " + "will not affect this.\n", + program, keystr); + dst_key_unsettime(key, DST_TIME_REVOKE); + } - if (setunpub) - dst_key_settime(key, DST_TIME_REMOVE, unpub); + if (setunpub) + dst_key_settime(key, DST_TIME_UNPUBLISH, unpub); + else if (unsetunpub) + dst_key_unsettime(key, DST_TIME_UNPUBLISH); - if (setdel) - dst_key_settime(key, DST_TIME_DELETE, del); + if (setdel) + dst_key_settime(key, DST_TIME_DELETE, del); + else if (unsetdel) + dst_key_unsettime(key, DST_TIME_DELETE); + /* + * Print out time values, if -p was used. + */ + if (printcreate) + printtime(key, DST_TIME_CREATED, "Created", epoch, stdout); + + if (printpub) + printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout); + + if (printact) + printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout); + + if (printrev) + printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout); + + if (printunpub) + printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout); + + if (printdel) + printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout); + + if (changed) { isc_buffer_init(&buf, newname, sizeof(newname)); result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &buf); 
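Review bot: A forced upgrade can be lost: the `forceupdate` branch calls `dst_key_setprivateformat(key, 1, 3)` and sets DST_TIME_CREATED but does not set `changed`, and the tail of the hunk gates the rewrite on `if (changed)`, so `dnssec-settime -f keyfile` with no `-P`/`-A`/`-R`/`-U`/`-D` appears to upgrade the key in memory and then never writes it. Add `changed = ISC_TRUE;` inside the `if (forceupdate)` block. The old-style test `major <= 1 && minor <= 2` also differs from dnssec.c's `major == 1 && minor <= 2` in this same commit in how a 0.0 (never-parsed) format is classified; the two should agree. main() continues outside the hunk.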
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook index 7e0142e87a..224df4d3dc 100644 --- a/bin/dnssec/dnssec-settime.docbook +++ b/bin/dnssec/dnssec-settime.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + July 15, 2009 @@ -135,10 +135,12 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as - an offset from the present time. If such an offset is followed - by one of the characters 'y', 'm', 'w', 'd', or 'h', then the - offset is computed in years, months, weeks, days, or hours, - respectively; otherwise it is computed in seconds. + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds. To unset a date, use 'none'. @@ -202,6 +204,44 @@ + + PRINTING OPTIONS + + dnssec-settime can also be used to print the + timing metadata associated with a key. + + + + + -u + + + Print times in UNIX epoch format. + + + + + + -p C/P/A/R/U/D/all + + + Print a specific metadata value or set of metadata values. + The option may be followed by one or more + of the following letters to indicate which value or values to print: + for the creation date, + for the publication date, + for the activation date, + for the revokation date, + for the unpublication date, or + for the deletion date. + To print all of the metadata, use . + + + + + + + SEE ALSO diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index d369298227..a9e356423e 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c 
@@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.228 2009/09/01 00:22:24 jinmei Exp $ */ +/* $Id: dnssec-signzone.c,v 1.229 2009/09/02 06:29:00 each Exp $ */ /*! \file */ @@ -130,6 +130,7 @@ static isc_boolean_t printstats = ISC_FALSE; static isc_mem_t *mctx = NULL; static isc_entropy_t *ectx = NULL; static dns_ttl_t zone_soa_min_ttl; +static dns_ttl_t soa_ttl; static FILE *fp; static char *tempfile = NULL; static const dns_master_style_t *masterstyle; @@ -160,7 +161,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP; static unsigned int hash_length = 0; static isc_boolean_t unknownalg = ISC_FALSE; static isc_boolean_t disable_zone_check = ISC_FALSE; -static int keyttl = 3600; +static isc_boolean_t set_keyttl = ISC_FALSE; +static dns_ttl_t keyttl; #define INCSTAT(counter) \ if (printstats) { \ @@ -1128,17 +1130,15 @@ active_node(dns_dbnode_t *node) { } /*% - * Extracts the minimum TTL from the SOA. + * Extracts the minimum TTL from the SOA record, and the SOA record's TTL. */ -static dns_ttl_t -soa_min_ttl(void) { +static void +get_soa_ttls(void) { dns_rdataset_t soaset; dns_fixedname_t fname; dns_name_t *name; isc_result_t result; - dns_ttl_t ttl; dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_soa_t soa; dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); @@ -1152,11 +1152,9 @@ soa_min_ttl(void) { result = dns_rdataset_first(&soaset); check_result(result, "dns_rdataset_first"); dns_rdataset_current(&soaset, &rdata); - result = dns_rdata_tostruct(&rdata, &soa, NULL); - check_result(result, "dns_rdata_tostruct"); - ttl = soa.minimum; + zone_soa_min_ttl = dns_soa_getminimum(&rdata); + soa_ttl = soaset.ttl; dns_rdataset_disassociate(&soaset); - return (ttl); } /*% 
@@ -2530,6 +2528,14 @@ loadzonekeys(dns_db_t *db) { &rdataset, NULL); if (result == ISC_R_SUCCESS) { + if (set_keyttl && keyttl != rdataset.ttl) { + fprintf(stderr, "User-specified TTL (%d) conflicts " + "with existing DNSKEY RRset TTL.\n", + keyttl); + fprintf(stderr, "Imported keys will use the RRSet " + "TTL (%d) instead.\n", + rdataset.ttl); + } keyttl = rdataset.ttl; if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); @@ -2744,7 +2750,7 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) { make_dnskey(key1->key, &dnskey); alg_format(dst_key_alg(key1->key), alg, sizeof(alg)); - fprintf(stderr, "Fetching %s %d/%s from key %s.\n", + fprintf(stderr, "Fetching %s %d/%s from key %s\n", isksk(key1) ? (iszsk(key1) ? "KSK/ZSK" : "KSK") : "ZSK", @@ -2753,6 +2759,19 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) { "file" : "repository"); + if (key1->prepublish && keyttl > key1->prepublish) { + char keystr[KEY_FORMATSIZE]; + key_format(key1->key, keystr, sizeof(keystr)); + fatal("Key %s is scheduled to\n" + "become active in %d seconds. " + "This is less than the DNSKEY TTL\n" + "value of %d seconds. Reduce " + "the TTL, or change the activation\n" + "date of the key using " + "'dnssec-settime -A'.", + keystr, key1->prepublish, keyttl); + } + /* add key to the zone */ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, gorigin, keyttl, @@ -3324,9 +3343,8 @@ main(int argc, char *argv[]) { case 'T': endp = NULL; - keyttl = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("key TTL must be numeric"); + set_keyttl = ISC_TRUE; + keyttl = strtottl(isc_commandline_argument); break; case 't': 
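Review bot: The new diagnostics print `keyttl` and `rdataset.ttl` with `%d` in loadzonekeys(), and `key1->prepublish`/`keyttl` with `%d` in build_final_keylist(), but this commit changes `keyttl` to dns_ttl_t and `prepublish` is isc_stdtime_t, both unsigned 32-bit types in BIND; a mismatched conversion specifier is undefined behavior and mis-prints large values. Use `%u` for all four, e.g. `"User-specified TTL (%u) conflicts "`. Both functions start and end outside the hunk.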
@@ -3382,15 +3400,11 @@ main(int argc, char *argv[]) { isc_stdtime_get(&now); if (startstr != NULL) { - if (startstr[0] == '-' || strncmp(startstr, "now-", 4) == 0) - fatal("time value %s is invalid", startstr); starttime = strtotime(startstr, now, now); } else starttime = now - 3600; /* Allow for some clock skew. */ if (endstr != NULL) { - if (endstr[0] == '-' || strncmp(endstr, "now-", 4) == 0) - fatal("time value %s is invalid", endstr); endtime = strtotime(endstr, now, starttime); } else endtime = starttime + (30 * 24 * 60 * 60); @@ -3471,7 +3485,10 @@ main(int argc, char *argv[]) { loadzone(file, origin, rdclass, &gdb); gorigin = dns_db_origin(gdb); gclass = dns_db_class(gdb); - zone_soa_min_ttl = soa_min_ttl(); + get_soa_ttls(); + + if (!set_keyttl) + keyttl = soa_ttl; if (IS_NSEC3) { isc_boolean_t answer; diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index d22fd6c0f9..d6e5bb79a9 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 @@ -124,6 +124,20 @@ + + -C + + + Compatibility mode: Generate a + keyset-zonename + file in addition to + dsset-zonename + when signing a zone, for use by older versions of + dnssec-signzone. + + + + -d directory @@ -202,6 +216,8 @@ the start time. A time relative to the current time is indicated with now+N. If no is specified, 30 days from the start time is used as a default. + must be later than + . 
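Review bot: Dropping the `startstr[0] == '-'` / `"now-"` rejection makes negative offsets legal for both `-s` and `-e`, and nothing in this hunk then checks that `endtime > starttime`, although the dnssec-signzone.docbook hunk in this commit promises exactly that ordering. Unless it is enforced further down in main(), add `if (endtime <= starttime) fatal("end time must be later than start time");` after the two assignments. main() continues outside the hunk.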
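Review bot: `if (!set_keyttl) keyttl = soa_ttl;` defaults the DNSKEY TTL to the SOA record's own TTL, but the dnssec-signzone.docbook hunk in this commit documents the default as "the minimum TTL value from the zone's SOA record", which is `zone_soa_min_ttl`; one of the two is wrong. If the SOA RR TTL is intended, fix the docbook sentence; otherwise use `keyttl = zone_soa_min_ttl;`. main() continues outside the hunk.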
@@ -477,8 +493,15 @@ -T ttl - Specifies the TTL of new DNSKEY records imported to the zone - from the key repository. Only useful with the -S option. + Specifies the TTL to be used for new DNSKEY records imported + into the zone from the key repository. If not specified, + the default is the minimum TTL value from the zone's SOA + record. This option is ignored when signing without + , since DNSKEY records are not imported + from the key repository in that case. It is also ignored if + there are any pre-existing DNSKEY records at the zone apex, + in which case new records' TTL values will be set to match + them. diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 32a8537438..225e48ca90 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.c,v 1.50 2009/08/13 04:13:58 marka Exp $ */ +/* $Id: dnssectool.c,v 1.51 2009/09/02 06:29:01 each Exp $ */ /*! \file */ @@ -266,12 +266,23 @@ cleanup_entropy(isc_entropy_t **ectx) { } static isc_stdtime_t -time_units(isc_stdtime_t offset, char suffix, const char *str) { - switch(suffix) { +time_units(isc_stdtime_t offset, char *suffix, const char *str) { + switch (suffix[0]) { case 'Y': case 'y': return (offset * (365 * 24 * 3600)); case 'M': case 'm': - return (offset * (30 * 24 * 3600)); + switch (suffix[1]) { + case 'O': case 'o': + return (offset * (30 * 24 * 3600)); + case 'I': case 'i': + return (offset * 60); + case '\0': + fatal("'%s' ambiguous: use 'mi' for minutes " + "or 'mo' for months", str); + default: + fatal("time value %s is invalid", str); + } + break; case 'W': case 'w': return (offset * (7 * 24 * 3600)); case 'D': case 'd': 
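Review bot: `time_units()` never writes through `suffix`, so the parameter should be `const char *suffix`; as written it also forces the `endp` passed by strtotime() and strtottl() to stay non-const. A bare `m` is now a fatal "ambiguous" error where it previously meant months, so scripts written against the old docbook text break; that is a deliberate change, but a one-line comment at the `case 'M': case 'm':` arm, e.g. `/* 'm' alone meant months before 9.7.0a3; now 'mo' or 'mi' is required */`, records why. time_units() continues outside the hunk.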
@@ -286,6 +297,19 @@ time_units(isc_stdtime_t offset, char suffix, const char *str) { return(0); /* silence compiler warning */ } +dns_ttl_t +strtottl(const char *str) { + const char *orig = str; + dns_ttl_t ttl; + char *endp; + + ttl = strtol(str, &endp, 0); + if (ttl == 0 && endp == str) + fatal("TTL must be numeric"); + ttl = time_units(ttl, endp, orig); + return (ttl); +} + isc_stdtime_t strtotime(const char *str, isc_int64_t now, isc_int64_t base) { isc_int64_t val, offset; @@ -305,11 +329,11 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) { return ((isc_stdtime_t) base); else if (str[0] == '+') { offset = strtol(str + 1, &endp, 0); - offset = time_units(offset, *endp, orig); + offset = time_units(offset, endp, orig); val = base + offset; } else if (str[0] == '-') { offset = strtol(str + 1, &endp, 0); - offset = time_units(offset, *endp, orig); + offset = time_units(offset, endp, orig); val = base - offset; } else if (strlen(str) == 8U) { char timestr[15]; diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index ee476f4ea7..3506184d98 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: dnssectool.h,v 1.23 2009/09/02 06:29:01 each Exp $ */ #ifndef DNSSECTOOL_H #define DNSSECTOOL_H 1 @@ -67,6 +67,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx); void cleanup_entropy(isc_entropy_t **ectx); +dns_ttl_t strtottl(const char *str); + isc_stdtime_t strtotime(const char *str, isc_int64_t now, isc_int64_t base); diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index ba65203889..906af63866 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.98 2009/07/19 23:47:55 tbox Exp $ + * $Id: dnssec.c,v 1.99 2009/09/02 06:29:01 each Exp $ */ /*! \file */ 
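Review bot: `strtottl()` accepts negative and overflowing input: `strtol` of "-5" yields -5, which the `dns_ttl_t` assignment turns into a huge TTL, the `ttl == 0 && endp == str` test only catches a string with no digits at all, and `errno`/ERANGE is never consulted, so `-T` on the dnssec-signzone command line can produce an absurd DNSKEY TTL instead of an error. Parse into a `long` first, reject negatives and ERANGE, and only then hand the value to time_units(); the multiplications inside time_units() for the `y`/`mo`/`w`/`d` suffixes can still wrap for large counts, which deserves a comment there. This needs `<errno.h>` if dnssectool.c does not already include it.

```c
dns_ttl_t
strtottl(const char *str) {
	const char *orig = str;
	long val;
	char *endp;

	errno = 0;
	val = strtol(str, &endp, 0);
	if (endp == str || val < 0 || errno == ERANGE)
		fatal("TTL must be a non-negative number");
	return (time_units((isc_stdtime_t) val, endp, orig));
}
```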
@@ -958,8 +958,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey, dns_dnsseckey_t **dkp) { isc_result_t result; - isc_stdtime_t when; dns_dnsseckey_t *dk; + int major, minor; REQUIRE(dkp != NULL && *dkp == NULL); dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t)); @@ -973,6 +973,7 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey, dk->hint_publish = ISC_FALSE; dk->hint_sign = ISC_FALSE; dk->hint_remove = ISC_FALSE; + dk->prepublish = 0; dk->source = dns_keysource_unknown; dk->index = 0; @@ -980,8 +981,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey, dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0); /* Is this an old-style key? */ - result = dst_key_gettime(dk->key, DST_TIME_CREATED, &when); - dk->legacy = ISC_TF(result != ISC_R_SUCCESS); + result = dst_key_getprivateformat(dk->key, &major, &minor); + dk->legacy = ISC_TF(major == 1 && minor <= 2); ISC_LINK_INIT(dk, link); *dkp = dk; @@ -1003,7 +1004,7 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) { static void get_hints(dns_dnsseckey_t *key) { isc_result_t result; - isc_stdtime_t now, publish, active, revoke, remove, delete; + isc_stdtime_t now, publish, active, revoke, unpublish, delete; isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE; isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE; isc_boolean_t delset = ISC_FALSE; @@ -1024,7 +1025,7 @@ get_hints(dns_dnsseckey_t *key) { if (result == ISC_R_SUCCESS) revset = ISC_TRUE; - result = dst_key_gettime(key->key, DST_TIME_REMOVE, &remove); + result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish); if (result == ISC_R_SUCCESS) remset = ISC_TRUE; 
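Review bot: `dk->legacy = ISC_TF(major == 1 && minor <= 2)` disagrees with dnssec-settime's `major <= 1 && minor <= 2` in this same commit: a key whose private file was never parsed keeps the 0.0 that get_key_struct() initializes, so dns_dnsseckey_create() calls it new-style while settime would call it old-style. Pick one predicate and use it in both places, with a comment giving the rule, e.g. `/* format 1.2 and earlier carry no timing metadata */`. `result` is assigned from dst_key_getprivateformat() but never checked, and per dst_api.c that call always returns ISC_R_SUCCESS, so either drop the assignment or make the getter meaningful. dns_dnsseckey_create() continues outside the hunk.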
@@ -1056,6 +1057,13 @@ get_hints(dns_dnsseckey_t *key) { if (actset && !pubset) key->hint_publish = ISC_TRUE; + /* + * If activation date is in the future, make note of how far off + */ + if (key->hint_publish && actset && active > now) { + key->prepublish = active - now; + } + /* * Metadata says revoke. If the key is published, * we *have to* sign with it per RFC5011--even if it was @@ -1074,10 +1082,10 @@ get_hints(dns_dnsseckey_t *key) { } /* - * Metadata says remove or delete, so don't publish + * Metadata says unpublish or delete, so don't publish * this key or sign with it. */ - if ((remset && remove < now) || + if ((remset && unpublish < now) || (delset && delete < now)) { key->hint_publish = ISC_FALSE; key->hint_sign = ISC_FALSE; diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 71fd242ca6..ae08c00670 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.27 2009/09/01 00:22:26 jinmei Exp $ + * $Id: dst_api.c,v 1.28 2009/09/02 06:29:01 each Exp $ */ /*! \file */ @@ -786,7 +786,7 @@ dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) { REQUIRE(VALID_KEY(key)); REQUIRE(timep != NULL); REQUIRE(type <= DST_MAX_TIMES); - if (key->times[type] == 0) + if (!key->timeset[type]) return (ISC_R_NOTFOUND); *timep = key->times[type]; return (ISC_R_SUCCESS); 
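Review bot: Switching `dst_key_gettime()` from `key->times[type] == 0` to `!key->timeset[type]` makes 0 a legitimate stored time, so any caller still testing `when == 0` as the old "not set" sentinel now gets different answers; dnssec-settime's printtime() was updated in this commit, but the `printtime()` used by write_public_key() in this file is not shown and should be checked. A comment on the function, `/* A time is reported only if set via dst_key_settime(); a stored 0 is a valid time. */`, pins the new contract. dst_key_gettime() starts outside the hunk.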
@@ -797,6 +797,31 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) { REQUIRE(VALID_KEY(key)); REQUIRE(type <= DST_MAX_TIMES); key->times[type] = when; + key->timeset[type] = ISC_TRUE; +} + +void +dst_key_unsettime(dst_key_t *key, int type) { + REQUIRE(VALID_KEY(key)); + REQUIRE(type <= DST_MAX_TIMES); + key->timeset[type] = ISC_FALSE; +} + +isc_result_t +dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) { + REQUIRE(VALID_KEY(key)); + REQUIRE(majorp != NULL); + REQUIRE(minorp != NULL); + *majorp = key->fmt_major; + *minorp = key->fmt_minor; + return (ISC_R_SUCCESS); +} + +void +dst_key_setprivateformat(dst_key_t *key, int major, int minor) { + REQUIRE(VALID_KEY(key)); + key->fmt_major = major; + key->fmt_minor = minor; } isc_boolean_t @@ -954,6 +979,7 @@ get_key_struct(dns_name_t *name, unsigned int alg, { dst_key_t *key; isc_result_t result; + int i; key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t)); if (key == NULL) @@ -977,12 +1003,17 @@ get_key_struct(dns_name_t *name, unsigned int alg, key->key_alg = alg; key->key_flags = flags; key->key_proto = protocol; - memset(key->times, 0, sizeof(key->times)); key->mctx = mctx; key->keydata.generic = NULL; key->key_size = bits; key->key_class = rdclass; key->func = dst_t_func[alg]; + key->fmt_major = 0; + key->fmt_minor = 0; + for (i = 0; i < (DST_MAX_TIMES + 1); i++) { + key->times[i] = 0; + key->timeset[i] = ISC_FALSE; + } return (key); } @@ -1242,7 +1273,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) { printtime(key, DST_TIME_PUBLISH, "; Publish", fp); printtime(key, DST_TIME_ACTIVATE, "; Activate", fp); printtime(key, DST_TIME_REVOKE, "; Revoke", fp); - printtime(key, DST_TIME_REMOVE, "; Remove", fp); + printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp); printtime(key, DST_TIME_DELETE, "; Delete", fp); } diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 6bdd5ed2e6..7adc68d328 100644 --- a/lib/dns/dst_internal.h 
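Review bot: `dst_key_unsettime` copies the existing `REQUIRE(type <= DST_MAX_TIMES);` from dst_key_settime, which bounds only the upper end; `type` is a signed `int`, so a negative value would index `key->timeset[]` before the start of the array. As this is a new public entry point, use `REQUIRE(type >= 0 && type <= DST_MAX_TIMES);` (the same tightening would suit settime and gettime, whose REQUIREs are context lines here). `dst_key_getprivateformat` can only ever return ISC_R_SUCCESS, so either make it `void` like its setter or document the fixed return so callers know the result may be ignored.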
+++ b/lib/dns/dst_internal.h @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_internal.h,v 1.15 2009/07/19 04:18:05 each Exp $ */ +/* $Id: dst_internal.h,v 1.16 2009/09/02 06:29:01 each Exp $ */ #ifndef DST_DST_INTERNAL_H #define DST_DST_INTERNAL_H 1 @@ -117,6 +117,11 @@ struct dst_key { } keydata; /*%< pointer to key in crypto pkg fmt */ isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< key timing metadata */ + isc_boolean_t timeset[DST_MAX_TIMES + 1]; /*%< metadata set? */ + + int fmt_major; /*%< private key format, major version */ + int fmt_minor; /*%< private key format, minor version */ + dst_func_t * func; /*%< crypto package specific functions */ }; diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index af66e74670..807fc0562c 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -31,7 +31,7 @@ /*% * Principal Author: Brian Wellington - * $Id: dst_parse.c,v 1.19 2009/07/19 23:47:55 tbox Exp $ + * $Id: dst_parse.c,v 1.20 2009/09/02 06:29:01 each Exp $ */ #include @@ -62,7 +62,7 @@ static const char *metatags[METADATA_NTAGS] = { "Publish:", "Activate:", "Revoke:", - "Remove:", + "Unpublish:", "Delete:" }; @@ -309,7 +309,7 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) { priv->nelements = 0; } -int +isc_result_t dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, isc_mem_t *mctx, dst_private_t *priv) { @@ -373,6 +373,11 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, goto fail; } + /* + * Store the private key format version number + */ + dst_key_setprivateformat(key, major, minor); + READLINE(lex, opt, &token); /* @@ -474,7 +479,7 @@ fail: return (ret); } -int +isc_result_t dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, const char *directory) { 
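Review bot: The comment above `dst_key_setprivateformat(key, major, minor);` in dst__privstruct_parse says what the line does but not why it matters: the stored version is what dst__privstruct_writefile later consults to decide whether timing metadata is written back at all. Suggest replacing it with `/* Remember the on-disk format version: writefile() preserves it and only emits timing metadata for v1.3+ files. */`. The version check that precedes this line and the rest of dst__privstruct_parse are outside the hunk.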
@@ -487,6 +492,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, isc_stdtime_t when; isc_buffer_t b; isc_region_t r; + int major, minor; REQUIRE(priv != NULL); @@ -507,11 +513,17 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, &access); (void)isc_fsaccess_set(filename, access); + dst_key_getprivateformat(key, &major, &minor); + if (major == 0 && minor == 0) { + major = MAJOR_VERSION; + minor = MINOR_VERSION; + } + /* XXXDCL return value should be checked for full filesystem */ - fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION, - MINOR_VERSION); + fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor); fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key)); + /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (dst_key_alg(key)) { case DST_ALG_RSAMD5: @@ -576,21 +588,23 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, } /* Add the timing metadata tags */ - for (i = 0; i < METADATA_NTAGS; i++) { - result = dst_key_gettime(key, i, &when); - if (result != ISC_R_SUCCESS) - continue; + if (major > 1 || (major == 1 && minor >= 3)) { + for (i = 0; i < METADATA_NTAGS; i++) { + result = dst_key_gettime(key, i, &when); + if (result != ISC_R_SUCCESS) + continue; - isc_buffer_init(&b, buffer, sizeof(buffer)); - result = dns_time32_totext(when, &b); - if (result != ISC_R_SUCCESS) - continue; + isc_buffer_init(&b, buffer, sizeof(buffer)); + result = dns_time32_totext(when, &b); + if (result != ISC_R_SUCCESS) + continue; - isc_buffer_usedregion(&b, &r); + isc_buffer_usedregion(&b, &r); - fprintf(fp, "%s ", metatags[i]); - fwrite(r.base, 1, r.length, fp); - fprintf(fp, "\n"); + fprintf(fp, "%s ", metatags[i]); + fwrite(r.base, 1, r.length, fp); + fprintf(fp, "\n"); + } } fflush(fp); diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h index 66c4399fa9..d893c2dc2a 100644 --- a/lib/dns/dst_parse.h +++ b/lib/dns/dst_parse.h 
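Review bot: A key read from a v1.2 private file now keeps writing v1.2, and the new guard `if (major > 1 || (major == 1 && minor >= 3))` around the metadata loop then silently discards any dates set via dst_key_settime, so a Revoke or Unpublish date applied to an older key would never reach the file and the key would keep being published and used for signing with no error to the operator. Unless the callers bump the version themselves (not visible in this patch), the writer should upgrade the format when any metadata field is set, and that decision must be made before the `PRIVATE_KEY_STR` header line is printed, i.e. in the earlier hunk; the sketch below assumes MAJOR_VERSION/MINOR_VERSION are the current 1.3 values, which this diff does not show. The fprintf/fwrite results in the loop remain unchecked, as the existing XXXDCL comment notes, so a full filesystem would also lose metadata silently. dst__privstruct_writefile begins before this hunk.
```c
	dst_key_getprivateformat(key, &major, &minor);
	if (major == 0 && minor == 0) {
		major = MAJOR_VERSION;
		minor = MINOR_VERSION;
	}

	/*
	 * A pre-1.3 file cannot carry timing metadata.  Rather than
	 * silently dropping dates the caller has set, upgrade the file
	 * format when any metadata field is present.
	 */
	if (major == 1 && minor < 3) {
		for (i = 0; i < METADATA_NTAGS; i++) {
			if (dst_key_gettime(key, i, &when) == ISC_R_SUCCESS) {
				major = MAJOR_VERSION;
				minor = MINOR_VERSION;
				break;
			}
		}
	}

	/* XXXDCL return value should be checked for full filesystem */
	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
	/* … unchanged: algorithm line, key fields, metadata loop … */
```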
@@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_parse.h,v 1.13 2009/07/19 23:47:55 tbox Exp $ */ +/* $Id: dst_parse.h,v 1.14 2009/09/02 06:29:01 each Exp $ */ /*! \file */ #ifndef DST_DST_PARSE_H @@ -126,11 +126,11 @@ ISC_LANG_BEGINDECLS void dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx); -int +isc_result_t dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, isc_mem_t *mctx, dst_private_t *priv); -int +isc_result_t dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv, const char *directory); diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index ea1c916761..9064a73752 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec.h,v 1.35 2009/07/19 04:18:05 each Exp $ */ +/* $Id: dnssec.h,v 1.36 2009/09/02 06:29:01 each Exp $ */ #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1 @@ -52,6 +52,7 @@ struct dns_dnsseckey { isc_boolean_t hint_sign; /*% metadata says to sign with this key */ isc_boolean_t force_sign; /*% sign with key regardless of metadata */ isc_boolean_t hint_remove; /*% metadata says *don't* publish */ + unsigned int prepublish; /*% how long until active? */ dns_keysource_t source; /*% how the key was found */ isc_boolean_t ksk; /*% this is a key-signing key */ isc_boolean_t legacy; /*% this is old-style key with no diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 0236248f60..258e6143c2 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst.h,v 1.16 2009/07/19 04:18:05 each Exp $ */ +/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */ #ifndef DST_DST_H #define DST_DST_H 1 
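Review bot: The new dns_dnsseckey field comment `/*% how long until active? */` leaves both the units and the zero case unstated; from get_hints it is assigned `active - now` only when activation is in the future and otherwise stays at the 0 set in dns_dnsseckey_create. Suggest `/*% delay until activation (active - now, in isc_stdtime_t units); 0 when not pending */`. The neighbouring `hint_remove` keeps the old "remove" wording while DST_TIME_REMOVE is renamed to DST_TIME_UNPUBLISH in this patch, which is worth a note or a matching rename so the two vocabularies do not drift.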
@@ -84,7 +84,7 @@ typedef struct dst_context dst_context_t; #define DST_TIME_PUBLISH 1 #define DST_TIME_ACTIVATE 2 #define DST_TIME_REVOKE 3 -#define DST_TIME_REMOVE 4 +#define DST_TIME_UNPUBLISH 4 #define DST_TIME_DELETE 5 #define DST_MAX_TIMES 5 @@ -683,6 +683,39 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when); * "type" is no larger than DST_MAX_TIMES */ +void +dst_key_unsettime(dst_key_t *key, int type); +/*%< + * Flag a member of the timing metadata array as "not set". + * + * Requires: + * "key" is a valid key. + * "type" is no larger than DST_MAX_TIMES + */ + +isc_result_t +dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp); +/*%< + * Get the private key format version number. (If the key does not have + * a private key associated with it, the version will be 0.0.) The major + * version number is placed in '*majorp', and the minor version number in + * '*minorp'. + * + * Requires: + * "key" is a valid key. + * "majorp" is not NULL. + * "minorp" is not NULL. + */ + +void +dst_key_setprivateformat(dst_key_t *key, int major, int minor); +/*%< + * Set the private key format version number. + * + * Requires: + * "key" is a valid key. + */ + ISC_LANG_ENDDECLS #endif /* DST_DST_H */ diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def index 4ed7c413b4..f934ad7dc4 100644 --- a/lib/dns/win32/libdns.def +++ b/lib/dns/win32/libdns.def @@ -866,6 +866,7 @@ dst_key_fromgssapi dst_key_fromlabel dst_key_fromnamedfile dst_key_generate +dst_key_getprivateformat dst_key_gettime dst_key_id dst_key_isnullkey @@ -877,12 +878,14 @@ dst_key_proto dst_key_secretsize dst_key_setbits dst_key_setflags +dst_key_setprivateformat dst_key_settime dst_key_sigsize dst_key_size dst_key_tobuffer dst_key_todns dst_key_tofile +dst_key_unsettime dst_lib_destroy dst_lib_init dst_lib_initmsgcat
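Review bot: Renaming the public macro `DST_TIME_REMOVE` to `DST_TIME_UNPUBLISH` drops the old name with no compatibility alias, so any out-of-tree code built against dst.h stops compiling. If that is acceptable for an alpha release a CHANGES note would suffice; otherwise keep `#define DST_TIME_REMOVE DST_TIME_UNPUBLISH /* deprecated name */` next to it for one release.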
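Review bot: The comment blocks for `dst_key_unsettime` and `dst_key_getprivateformat` follow the file's Requires: convention but state only the upper bound on `type` and say nothing about getprivateformat's return value. Suggest changing the requirement to `"type" is between 0 and DST_MAX_TIMES inclusive` (the implementation indexes an array with it), and adding a `Returns:` section reading `ISC_R_SUCCESS (always)` so callers know the result carries no information, or making the function `void` to match `dst_key_setprivateformat`.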