diff --git a/CHANGES b/CHANGES index 9a7858ce11..83ebb7552c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3061. [func] New option "dnssec-signzone -D", only write out + generated DNSSEC records. [RT #22896] + 3060. [func] New option "dnssec-signzone -X " allows specification of a separate expiration date for DNSKEY RRSIGs and other RRSIGs. [RT #22141] diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 46bbc553b1..66f2099ad3 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.266 2011/03/04 23:47:47 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.267 2011/03/05 06:35:40 marka Exp $ */ /*! \file */ @@ -171,6 +171,8 @@ static isc_boolean_t disable_zone_check = ISC_FALSE; static isc_boolean_t update_chain = ISC_FALSE; static isc_boolean_t set_keyttl = ISC_FALSE; static dns_ttl_t keyttl; +static isc_boolean_t smartsign = ISC_FALSE; +static isc_boolean_t output_dnssec_only = ISC_FALSE; #define INCSTAT(counter) \ if (printstats) { \ @@ -188,13 +190,69 @@ sign(isc_task_t *task, isc_event_t *event); static void dumpnode(dns_name_t *name, dns_dbnode_t *node) { + dns_rdataset_t rds; + dns_rdatasetiter_t *iter = NULL; + isc_buffer_t *buffer = NULL; + isc_region_t r; isc_result_t result; + unsigned bufsize = 4096; if (outputformat != dns_masterformat_text) return; - result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name, - masterstyle, fp); - check_result(result, "dns_master_dumpnodetostream"); + + if (!output_dnssec_only) { + result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, + name, masterstyle, fp); + check_result(result, "dns_master_dumpnodetostream"); + return; + } + + result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter); + check_result(result, "dns_db_allrdatasets"); + + dns_rdataset_init(&rds); + + result = isc_buffer_allocate(mctx, &buffer, bufsize); + check_result(result, "isc_buffer_allocate"); + + for (result = dns_rdatasetiter_first(iter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(iter)) { + + dns_rdatasetiter_current(iter, &rds); + + if (rds.type != dns_rdatatype_rrsig && + rds.type != dns_rdatatype_nsec && + rds.type != dns_rdatatype_nsec3 && + rds.type != dns_rdatatype_nsec3param && + (!smartsign || rds.type != dns_rdatatype_dnskey)) { + dns_rdataset_disassociate(&rds); + continue; + } + + while (ISC_TRUE) { + result = dns_master_rdatasettotext(name, &rds, + masterstyle, buffer); + if (result != ISC_R_NOSPACE) + break; + + bufsize <<= 1; + isc_buffer_free(&buffer); + result = isc_buffer_allocate(mctx, &buffer, bufsize); + check_result(result, "isc_buffer_allocate"); + } + check_result(result, "dns_master_rdatasettotext"); + + isc_buffer_usedregion(buffer, &r); + result = isc_stdio_write(r.base, 1, r.length, fp, NULL); + check_result(result, "isc_stdio_write"); + isc_buffer_clear(buffer); + + dns_rdataset_disassociate(&rds); + } + + isc_buffer_free(&buffer); + dns_rdatasetiter_destroy(&iter); } /*% @@ -3297,6 +3355,8 @@ usage(void) { fprintf(stderr, "\t\tfile format of signed zone file (text)\n"); fprintf(stderr, "\t-N format:\n"); fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n"); + fprintf(stderr, "\t-D:\n"); + fprintf(stderr, "\t\toutput only DNSSEC-related records\n"); fprintf(stderr, "\t-r randomdev:\n"); fprintf(stderr, "\t\ta file containing random data\n"); fprintf(stderr, "\t-a:\t"); @@ -3397,7 +3457,6 @@ main(int argc, char *argv[]) { isc_buffer_t b; int len; hashlist_t hashlist; - isc_boolean_t smartsign = ISC_FALSE; isc_boolean_t make_keyset = ISC_FALSE; isc_boolean_t set_salt = ISC_FALSE; isc_boolean_t set_optout = ISC_FALSE; @@ -3490,6 +3549,10 @@ main(int argc, char *argv[]) { dsdir, isc_result_totext(result)); break; + case 'D': + output_dnssec_only = ISC_TRUE; + break; + case 'E': engine = isc_commandline_argument; break; @@ -3759,6 +3822,12 @@ main(int argc, char *argv[]) { serialformatstr); } + if (output_dnssec_only && outputformat != dns_masterformat_text) + fatal("option -D can only be used with \"-O text\"\n"); + + if (output_dnssec_only && serialformat != SOA_SERIAL_KEEP) + fatal("option -D can only be used with \"-N keep\"\n"); + result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, 0, 24, 0, 0, 0, 8, mctx); check_result(result, "dns_master_stylecreate"); diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 156ad0e9a0..71dee54a0d 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 @@ -60,6 +60,7 @@ + @@ -152,6 +153,22 @@ + + -D + + + Output only those record types automatically managed by + dnssec-signzone, i.e. RRSIG, NSEC, + NSEC3 and NSEC3PARAM records. If smart signing + () is used, DNSKEY records are also + included. The resulting file can be included in the original + zone file with $INCLUDE. This option + cannot be combined with or serial + number updating. + + + + -E engine diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index a869850381..923886adf7 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.38 2011/03/04 14:07:03 smann Exp $ +# $Id: clean.sh,v 1.39 2011/03/05 06:35:40 marka Exp $ exit @@ -25,6 +25,7 @@ rm -f ns1/root.db ns2/example.db ns3/secure.example.db rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db +rm -f ns3/split-dnssec.example.db rm -f ns2/private.secure.example.db rm -f ns2/badparam.db ns2/badparam.db.bad rm -f ns2/single-nsec3.db @@ -55,3 +56,4 @@ rm -f signer/example.db.after signer/example.db.before rm -f signer/example.db.changed rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed rm -f ns3/ttlpatch.example.db.patched +rm -f ns3/split-smart.example.db diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index ff62510846..964ce74cfc 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -13,7 +13,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.29 2011/02/28 14:21:35 fdupont Exp $ +; $Id: example.db.in,v 1.30 2011/03/05 06:35:41 marka Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -128,3 +128,9 @@ ns.secure.below-cname A 10.53.0.3 ttlpatch NS ns.ttlpatch ns.ttlpatch A 10.53.0.3 + +split-dnssec NS ns.split-dnssec +ns.split-dnssec A 10.53.0.3 + +split-smart NS ns.split-smart +ns.split-smart A 10.53.0.3 diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 002ec765e0..081493a1f1 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.46 2011/02/28 14:21:35 fdupont Exp $ +# $Id: sign.sh,v 1.47 2011/03/05 06:35:41 marka Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -32,7 +32,8 @@ zonefile=example.db for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \ optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \ - auto-nsec auto-nsec3 secure.below-cname ttlpatch + auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \ + split-smart do cp ../ns3/dsset-$subdomain.example. . done diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index 0287d649df..62bc93e783 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.44 2011/02/28 14:21:35 fdupont Exp $ */ +/* $Id: named.conf,v 1.45 2011/03/05 06:35:41 marka Exp $ */ // NS3 @@ -207,4 +207,14 @@ zone "ttlpatch.example" { file "ttlpatch.example.db.patched"; }; +zone "split-dnssec.example" { + type master; + file "split-dnssec.example.db"; +}; + +zone "split-smart.example" { + type master; + file "split-smart.example.db"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index edce07590d..27cc97a8bc 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.38 2011/02/28 14:21:35 fdupont Exp $ +# $Id: sign.sh,v 1.39 2011/03/05 06:35:41 marka Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -340,3 +340,32 @@ cat $infile $keyname.key >$zonefile $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 sed 's/300/3600/' $signedfile > $patchedfile + +# +# Seperate DNSSEC records. +# +zone=split-dnssec.example. +infile=split-dnssec.example.db.in +zonefile=split-dnssec.example.db +signedfile=split-dnssec.example.db.signed + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +cat $infile $keyname.key >$zonefile +echo '$INCLUDE "'"$signedfile"'"' >> $zonefile +: > $signedfile +$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 + +# +# Seperate DNSSEC records smart signing. +# +zone=split-smart.example. +infile=split-smart.example.db.in +zonefile=split-smart.example.db +signedfile=split-smart.example.db.signed + +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone` +cp $infile $zonefile +echo '$INCLUDE "'"$signedfile"'"' >> $zonefile +: > $signedfile +$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1 + diff --git a/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in new file mode 100644 index 0000000000..03b70ff682 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/split-dnssec.example.db.in @@ -0,0 +1,43 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: split-dnssec.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/ns3/split-smart.example.db.in b/bin/tests/system/dnssec/ns3/split-smart.example.db.in new file mode 100644 index 0000000000..6e9fae7bd5 --- /dev/null +++ b/bin/tests/system/dnssec/ns3/split-smart.example.db.in @@ -0,0 +1,43 @@ +; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: split-smart.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $ + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a A 10.0.0.3 +*.wild A 10.0.0.6 +child NS ns2.example. +insecure NS ns.insecure +ns.insecure A 10.53.0.3 +secure NS ns.secure +ns.secure A 10.53.0.3 +nsec3 NS ns.nsec3 +ns.nsec3 A 10.53.0.3 +optout NS ns.optout +ns.optout A 10.53.0.3 +02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 7c2b81ebee..ddf041eae4 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.80 2011/03/01 14:40:39 smann Exp $ +# $Id: tests.sh,v 1.81 2011/03/05 06:35:40 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -1224,5 +1224,25 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that a split dnssec dnssec-signzone work ($n)" +ret=0 +$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:check that a smart split dnssec dnssec-signzone work ($n)" +ret=0 +$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status