mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 18:19:42 +00:00
Code Issues Releases Wiki Activity

3061. [func] New option "dnssec-signzone -D", only write out

Browse Source 
generated DNSSEC records. [RT #22896]
This commit is contained in:
Mark Andrews 2011-03-05 06:35:41 +00:00
parent 3c618c6eaf
commit eff7f78bc6
11 changed files with 256 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -1,3 +1,6 @@
3061. [func] New option "dnssec-signzone -D", only write out
generated DNSSEC records. [RT #22896]
3060. [func] New option "dnssec-signzone -X <date>" allows 3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date specification of a separate expiration date
for DNSKEY RRSIGs and other RRSIGs. [RT #22141] for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

77
bin/dnssec/dnssec-signzone.c
View File

@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: dnssec-signzone.c,v 1.266 2011/03/04 23:47:47 tbox Exp $ */ /* $Id: dnssec-signzone.c,v 1.267 2011/03/05 06:35:40 marka Exp $ */
/*! \file */ /*! \file */
@ -171,6 +171,8 @@ static isc_boolean_t disable_zone_check = ISC_FALSE;
static isc_boolean_t update_chain = ISC_FALSE; static isc_boolean_t update_chain = ISC_FALSE;
static isc_boolean_t set_keyttl = ISC_FALSE; static isc_boolean_t set_keyttl = ISC_FALSE;
static dns_ttl_t keyttl; static dns_ttl_t keyttl;
static isc_boolean_t smartsign = ISC_FALSE;
static isc_boolean_t output_dnssec_only = ISC_FALSE;
#define INCSTAT(counter) \ #define INCSTAT(counter) \
if (printstats) { \ if (printstats) { \
@ -188,13 +190,69 @@ sign(isc_task_t *task, isc_event_t *event);
static void static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) { dumpnode(dns_name_t *name, dns_dbnode_t *node) {
dns_rdataset_t rds;
dns_rdatasetiter_t *iter = NULL;
isc_buffer_t *buffer = NULL;
isc_region_t r;
isc_result_t result; isc_result_t result;
unsigned bufsize = 4096;
if (outputformat != dns_masterformat_text) if (outputformat != dns_masterformat_text)
return; return;
result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
masterstyle, fp); if (!output_dnssec_only) {
result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
name, masterstyle, fp);
check_result(result, "dns_master_dumpnodetostream"); check_result(result, "dns_master_dumpnodetostream");
return;
}
result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter);
check_result(result, "dns_db_allrdatasets");
dns_rdataset_init(&rds);
result = isc_buffer_allocate(mctx, &buffer, bufsize);
check_result(result, "isc_buffer_allocate");
for (result = dns_rdatasetiter_first(iter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(iter)) {
dns_rdatasetiter_current(iter, &rds);
if (rds.type != dns_rdatatype_rrsig &&
rds.type != dns_rdatatype_nsec &&
rds.type != dns_rdatatype_nsec3 &&
rds.type != dns_rdatatype_nsec3param &&
(!smartsign || rds.type != dns_rdatatype_dnskey)) {
dns_rdataset_disassociate(&rds);
continue;
}
while (ISC_TRUE) {
result = dns_master_rdatasettotext(name, &rds,
masterstyle, buffer);
if (result != ISC_R_NOSPACE)
break;
bufsize <<= 1;
isc_buffer_free(&buffer);
result = isc_buffer_allocate(mctx, &buffer, bufsize);
check_result(result, "isc_buffer_allocate");
}
check_result(result, "dns_master_rdatasettotext");
isc_buffer_usedregion(buffer, &r);
result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
check_result(result, "isc_stdio_write");
isc_buffer_clear(buffer);
dns_rdataset_disassociate(&rds);
}
isc_buffer_free(&buffer);
dns_rdatasetiter_destroy(&iter);
} }
/*% /*%
@ -3297,6 +3355,8 @@ usage(void) {
fprintf(stderr, "\t\tfile format of signed zone file (text)\n"); fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
fprintf(stderr, "\t-N format:\n"); fprintf(stderr, "\t-N format:\n");
fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n"); fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
fprintf(stderr, "\t-D:\n");
fprintf(stderr, "\t\toutput only DNSSEC-related records\n");
fprintf(stderr, "\t-r randomdev:\n"); fprintf(stderr, "\t-r randomdev:\n");
fprintf(stderr, "\t\ta file containing random data\n"); fprintf(stderr, "\t\ta file containing random data\n");
fprintf(stderr, "\t-a:\t"); fprintf(stderr, "\t-a:\t");
@ -3397,7 +3457,6 @@ main(int argc, char *argv[]) {
isc_buffer_t b; isc_buffer_t b;
int len; int len;
hashlist_t hashlist; hashlist_t hashlist;
isc_boolean_t smartsign = ISC_FALSE;
isc_boolean_t make_keyset = ISC_FALSE; isc_boolean_t make_keyset = ISC_FALSE;
isc_boolean_t set_salt = ISC_FALSE; isc_boolean_t set_salt = ISC_FALSE;
isc_boolean_t set_optout = ISC_FALSE; isc_boolean_t set_optout = ISC_FALSE;
@ -3490,6 +3549,10 @@ main(int argc, char *argv[]) {
dsdir, isc_result_totext(result)); dsdir, isc_result_totext(result));
break; break;
case 'D':
output_dnssec_only = ISC_TRUE;
break;
case 'E': case 'E':
engine = isc_commandline_argument; engine = isc_commandline_argument;
break; break;
@ -3759,6 +3822,12 @@ main(int argc, char *argv[]) {
serialformatstr); serialformatstr);
} }
if (output_dnssec_only && outputformat != dns_masterformat_text)
fatal("option -D can only be used with \"-O text\"\n");
if (output_dnssec_only && serialformat != SOA_SERIAL_KEEP)
fatal("option -D can only be used with \"-N keep\"\n");
result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL,
0, 24, 0, 0, 0, 8, mctx); 0, 24, 0, 0, 0, 8, mctx);
check_result(result, "dns_master_stylecreate"); check_result(result, "dns_master_stylecreate");

19
bin/dnssec/dnssec-signzone.docbook
View File

@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE. - PERFORMANCE OF THIS SOFTWARE.
--> -->
<!-- $Id: dnssec-signzone.docbook,v 1.45 2011/03/04 22:20:20 each Exp $ --> <!-- $Id: dnssec-signzone.docbook,v 1.46 2011/03/05 06:35:40 marka Exp $ -->
<refentry id="man.dnssec-signzone"> <refentry id="man.dnssec-signzone">
<refentryinfo> <refentryinfo>
<date>June 05, 2009</date> <date>June 05, 2009</date>
@ -60,6 +60,7 @@
<arg><option>-a</option></arg> <arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg> <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg> <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg> <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg> <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
@ -152,6 +153,22 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Output only those record types automatically managed by
<command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<option>-S</option>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <command>$INCLUDE</command>. This option
cannot be combined with <option>-O raw</option> or serial
number updating.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term> <term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem> <listitem>

4
bin/tests/system/dnssec/clean.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.38 2011/03/04 14:07:03 smann Exp $ # $Id: clean.sh,v 1.39 2011/03/05 06:35:40 marka Exp $
exit exit
@ -25,6 +25,7 @@ rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/split-dnssec.example.db
rm -f ns2/private.secure.example.db rm -f ns2/private.secure.example.db
rm -f ns2/badparam.db ns2/badparam.db.bad rm -f ns2/badparam.db ns2/badparam.db.bad
rm -f ns2/single-nsec3.db rm -f ns2/single-nsec3.db
@ -55,3 +56,4 @@ rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed rm -f signer/example.db.changed
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db

8
bin/tests/system/dnssec/ns2/example.db.in
View File

@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE. ; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.29 2011/02/28 14:21:35 fdupont Exp $ ; $Id: example.db.in,v 1.30 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes $TTL 300 ; 5 minutes
@ IN SOA mname1. . ( @ IN SOA mname1. . (
@ -128,3 +128,9 @@ ns.secure.below-cname A 10.53.0.3
ttlpatch NS ns.ttlpatch ttlpatch NS ns.ttlpatch
ns.ttlpatch A 10.53.0.3 ns.ttlpatch A 10.53.0.3
split-dnssec NS ns.split-dnssec
ns.split-dnssec A 10.53.0.3
split-smart NS ns.split-smart
ns.split-smart A 10.53.0.3

5
bin/tests/system/dnssec/ns2/sign.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.46 2011/02/28 14:21:35 fdupont Exp $ # $Id: sign.sh,v 1.47 2011/03/05 06:35:41 marka Exp $
SYSTEMTESTTOP=../.. SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@ -32,7 +32,8 @@ zonefile=example.db
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \ for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \ optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
auto-nsec auto-nsec3 secure.below-cname ttlpatch auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
split-smart
do do
cp ../ns3/dsset-$subdomain.example. . cp ../ns3/dsset-$subdomain.example. .
done done

12
bin/tests/system/dnssec/ns3/named.conf
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: named.conf,v 1.44 2011/02/28 14:21:35 fdupont Exp $ */ /* $Id: named.conf,v 1.45 2011/03/05 06:35:41 marka Exp $ */
// NS3 // NS3
@ -207,4 +207,14 @@ zone "ttlpatch.example" {
file "ttlpatch.example.db.patched"; file "ttlpatch.example.db.patched";
}; };
zone "split-dnssec.example" {
type master;
file "split-dnssec.example.db";
};
zone "split-smart.example" {
type master;
file "split-smart.example.db";
};
include "trusted.conf"; include "trusted.conf";

31
bin/tests/system/dnssec/ns3/sign.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.38 2011/02/28 14:21:35 fdupont Exp $ # $Id: sign.sh,v 1.39 2011/03/05 06:35:41 marka Exp $
SYSTEMTESTTOP=../.. SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@ -340,3 +340,32 @@ cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1 $SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
sed 's/300/3600/' $signedfile > $patchedfile sed 's/300/3600/' $signedfile > $patchedfile
#
# Seperate DNSSEC records.
#
zone=split-dnssec.example.
infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
#
# Seperate DNSSEC records smart signing.
#
zone=split-smart.example.
infile=split-smart.example.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cp $infile $zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1

43
bin/tests/system/dnssec/ns3/split-dnssec.example.db.in Normal file
View File

@ -0,0 +1,43 @@
; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: split-dnssec.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17

43
bin/tests/system/dnssec/ns3/split-smart.example.db.in Normal file
View File

@ -0,0 +1,43 @@
; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: split-smart.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17

22
bin/tests/system/dnssec/tests.sh
View File

@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.80 2011/03/01 14:40:39 smann Exp $ # $Id: tests.sh,v 1.81 2011/03/05 06:35:40 marka Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@ -1224,5 +1224,25 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:check that a split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status" echo "I:exit status: $status"
exit $status exit $status