]>
Commit | Line | Data |
---|---|---|
870a0fe4 AT |
1 | #ifdef HAVE_CONFIG_H |
2 | #include "config.h" | |
3 | #endif | |
1d211b1b | 4 | #include "dnsseckeeper.hh" |
d3151289 | 5 | #include "dnssecinfra.hh" |
1d211b1b | 6 | #include "statbag.hh" |
01fde57c | 7 | #include "base32.hh" |
ed3f8559 | 8 | #include "base64.hh" |
fa8fd4d2 | 9 | |
1d211b1b | 10 | #include <boost/program_options.hpp> |
8daea594 | 11 | #include <boost/assign/std/vector.hpp> |
451ba512 | 12 | #include <boost/assign/list_of.hpp> |
20002664 BH |
13 | #include "dnsbackend.hh" |
14 | #include "ueberbackend.hh" | |
15 | #include "arguments.hh" | |
16 | #include "packetcache.hh" | |
aa65a832 | 17 | #include "zoneparser-tng.hh" |
ea937fd4 | 18 | #include "signingpipe.hh" |
a56bc64d | 19 | #include "dns_random.hh" |
a0a6cb58 | 20 | #include <fstream> |
c2e0881c | 21 | #include <termios.h> //termios, TCSANOW, ECHO, ICANON |
22 | ||
d4f29089 KM |
23 | #ifdef HAVE_LIBSODIUM |
24 | #include <sodium.h> | |
25 | #endif | |
7581a35b KM |
26 | #ifdef HAVE_OPENSSL |
27 | #include "opensslsigners.hh" | |
28 | #endif | |
a2b0e9b5 KM |
29 | #ifdef HAVE_SQLITE3 |
30 | #include "ssqlite3.hh" | |
fd9f80de | 31 | #include "bind-dnssec.schema.sqlite3.sql.h" |
a2b0e9b5 | 32 | #endif |
49449751 | 33 | |
20002664 BH |
34 | StatBag S; |
35 | PacketCache PC; | |
1d211b1b | 36 | |
1d211b1b BH |
37 | namespace po = boost::program_options; |
38 | po::variables_map g_vm; | |
39 | ||
39a8b5c0 | 40 | string s_programname="pdns"; |
20002664 | 41 | |
b3ce3dec | 42 | namespace { |
b8572438 | 43 | bool g_verbose; |
49449751 BH |
44 | } |
45 | ||
20002664 BH |
46 | ArgvMap &arg() |
47 | { | |
48 | static ArgvMap arg; | |
49 | return arg; | |
50 | } | |
51 | ||
1d211b1b BH |
52 | string humanTime(time_t t) |
53 | { | |
54 | char ret[256]; | |
55 | struct tm tm; | |
56 | localtime_r(&t, &tm); | |
57 | strftime(ret, sizeof(ret)-1, "%c", &tm); // %h:%M %Y-%m-%d | |
58 | return ret; | |
59 | } | |
60 | ||
e0ad7bb1 PD |
61 | static void algorithm2name(uint8_t algo, string &name) { |
62 | switch(algo) { | |
63 | case 0: | |
64 | name = "Reserved"; return; | |
65 | case 1: | |
66 | name = "RSAMD5"; return; | |
67 | case 2: | |
68 | name = "DH"; return; | |
69 | case 3: | |
70 | name = "DSA"; return; | |
71 | case 4: | |
72 | name = "ECC"; return; | |
73 | case 5: | |
74 | name = "RSASHA1"; return; | |
75 | case 6: | |
76 | name = "DSA-NSEC3-SHA1"; return; | |
77 | case 7: | |
78 | name = "RSASHA1-NSEC3-SHA1"; return; | |
79 | case 8: | |
80 | name = "RSASHA256"; return; | |
81 | case 9: | |
82 | name = "Reserved"; return; | |
83 | case 10: | |
84 | name = "RSASHA512"; return; | |
85 | case 11: | |
86 | name = "Reserved"; return; | |
87 | case 12: | |
88 | name = "ECC-GOST"; return; | |
89 | case 13: | |
90 | name = "ECDSAP256SHA256"; return; | |
91 | case 14: | |
92 | name = "ECDSAP384SHA384"; return; | |
45826dd7 KM |
93 | case 250: |
94 | name = "ED25519SHA512"; return; | |
e0ad7bb1 PD |
95 | case 252: |
96 | name = "INDIRECT"; return; | |
97 | case 253: | |
98 | name = "PRIVATEDNS"; return; | |
99 | case 254: | |
100 | name = "PRIVATEOID"; return; | |
101 | default: | |
102 | name = "Unallocated/Reserved"; return; | |
232f0877 | 103 | } |
e0ad7bb1 PD |
104 | }; |
105 | ||
36758d25 PD |
106 | static int shorthand2algorithm(const string &algorithm) |
107 | { | |
108 | if (!algorithm.compare("rsamd5")) return 1; | |
109 | if (!algorithm.compare("dh")) return 2; | |
110 | if (!algorithm.compare("dsa")) return 3; | |
111 | if (!algorithm.compare("ecc")) return 4; | |
112 | if (!algorithm.compare("rsasha1")) return 5; | |
113 | if (!algorithm.compare("rsasha256")) return 8; | |
114 | if (!algorithm.compare("rsasha512")) return 10; | |
115 | if (!algorithm.compare("gost")) return 12; | |
116 | if (!algorithm.compare("ecdsa256")) return 13; | |
117 | if (!algorithm.compare("ecdsa384")) return 14; | |
feafa2f3 | 118 | if (!algorithm.compare("experimental-ed25519")) return 250; |
36758d25 PD |
119 | return -1; |
120 | } | |
121 | ||
7d9dcde0 | 122 | void loadMainConfig(const std::string& configdir) |
20002664 | 123 | { |
7d9dcde0 | 124 | ::arg().set("config-dir","Location of configuration directory (pdns.conf)")=configdir; |
f2e7d77b | 125 | ::arg().set("default-ttl","Seconds a result is valid if not set otherwise")="3600"; |
20002664 | 126 | ::arg().set("launch","Which backends to launch"); |
6dfa0aa0 | 127 | ::arg().set("dnssec","if we should do dnssec")="true"; |
4f6cf113 | 128 | ::arg().set("config-name","Name of this virtual configuration - will rename the binary image")=g_vm["config-name"].as<string>(); |
20002664 BH |
129 | ::arg().setCmd("help","Provide a helpful message"); |
130 | //::arg().laxParse(argc,argv); | |
131 | ||
132 | if(::arg().mustDo("help")) { | |
ff5ba4f9 WA |
133 | cout<<"syntax:"<<endl<<endl; |
134 | cout<<::arg().helpstring(::arg()["help"])<<endl; | |
135 | exit(0); | |
20002664 BH |
136 | } |
137 | ||
138 | if(::arg()["config-name"]!="") | |
139 | s_programname+="-"+::arg()["config-name"]; | |
140 | ||
141 | string configname=::arg()["config-dir"]+"/"+s_programname+".conf"; | |
142 | cleanSlashes(configname); | |
36758d25 | 143 | |
5209ee17 | 144 | ::arg().set("default-ksk-algorithms","Default KSK algorithms")=""; |
36758d25 | 145 | ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; |
d113baca | 146 | ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="ecdsa256"; |
92bdc094 | 147 | ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0"; |
4192773a KM |
148 | ::arg().set("default-soa-edit","Default SOA-EDIT value")=""; |
149 | ::arg().set("default-soa-edit-signed","Default SOA-EDIT value for signed zones")=""; | |
b5baefaf | 150 | ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000"; |
0949b8ae | 151 | ::arg().set("module-dir","Default directory for modules")=PKGLIBDIR; |
a56bc64d | 152 | ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom"; |
0f310932 AT |
153 | ::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no"; |
154 | ::arg().set("loglevel","Amount of logging. Higher is more.")="0"; | |
cc8df07f | 155 | ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no"; |
28b66a94 | 156 | ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3 |
bba84134 | 157 | ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")=""; |
966828ac | 158 | ::arg().laxFile(configname.c_str()); |
12a92688 | 159 | |
38392ad7 | 160 | L.toConsole(Logger::Error); // so we print any errors |
20002664 | 161 | BackendMakers().launch(::arg()["launch"]); // vrooooom! |
38392ad7 | 162 | L.toConsole((Logger::Urgency)(::arg().asNum("loglevel"))); |
20002664 | 163 | ::arg().laxFile(configname.c_str()); |
9abd98d3 | 164 | //cerr<<"Backend: "<<::arg()["launch"]<<", '" << ::arg()["gmysql-dbname"] <<"'" <<endl; |
20002664 BH |
165 | |
166 | S.declare("qsize-q","Number of questions waiting for database attention"); | |
167 | ||
168 | S.declare("deferred-cache-inserts","Amount of cache inserts that were deferred because of maintenance"); | |
169 | S.declare("deferred-cache-lookup","Amount of cache lookups that were deferred because of maintenance"); | |
170 | ||
171 | S.declare("query-cache-hit","Number of hits on the query cache"); | |
172 | S.declare("query-cache-miss","Number of misses on the query cache"); | |
173 | ::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000"; | |
174 | ::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no"; | |
ec7f535c | 175 | ::arg().set("recursive-cache-ttl","Seconds to store packets for recursive queries in the PacketCache")="10"; |
20002664 | 176 | ::arg().set("cache-ttl","Seconds to store packets in the PacketCache")="20"; |
ec7f535c PD |
177 | ::arg().set("negquery-cache-ttl","Seconds to store negative query results in the QueryCache")="60"; |
178 | ::arg().set("query-cache-ttl","Seconds to store query results in the QueryCache")="20"; | |
da6a2926 | 179 | ::arg().set("default-soa-name","name to insert in the SOA record if none set in the backend")="a.misconfigured.powerdns.server"; |
326a1978 | 180 | ::arg().set("default-soa-mail","mail address to insert in the SOA record if none set in the backend")=""; |
20002664 BH |
181 | ::arg().set("soa-refresh-default","Default SOA refresh")="10800"; |
182 | ::arg().set("soa-retry-default","Default SOA retry")="3600"; | |
183 | ::arg().set("soa-expire-default","Default SOA expire")="604800"; | |
abc1d928 | 184 | ::arg().set("soa-minimum-ttl","Default SOA minimum ttl")="3600"; |
12a92688 | 185 | |
20002664 BH |
186 | UeberBackend::go(); |
187 | } | |
188 | ||
d6c16697 | 189 | // irritatingly enough, rectifyZone needs its own ueberbackend and can't therefore benefit from transactions outside its scope |
d4904322 | 190 | // I think this has to do with interlocking transactions between B and DK, but unsure. |
675fa24c | 191 | bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone) |
20002664 | 192 | { |
9bd211e1 | 193 | if(dk.isPresigned(zone)){ |
675fa24c | 194 | cerr<<"Rectify presigned zone '"<<zone.toString()<<"' is not allowed/necessary."<<endl; |
9bd211e1 KM |
195 | return false; |
196 | } | |
197 | ||
ba86110a | 198 | UeberBackend B("default"); |
d6c16697 | 199 | bool doTransaction=true; // but see above |
20002664 | 200 | SOAData sd; |
a279bc18 | 201 | |
79ba7763 | 202 | if(!B.getSOAUncached(zone, sd)) { |
675fa24c | 203 | cerr<<"No SOA known for '"<<zone.toString()<<"', is such a zone in the database?"<<endl; |
032e3906 | 204 | return false; |
a279bc18 | 205 | } |
81b39e4b | 206 | sd.db->list(zone, sd.domain_id); |
81b39e4b | 207 | |
b5baefaf | 208 | DNSResourceRecord rr; |
675fa24c PD |
209 | set<DNSName> qnames, nsset, dsnames, insnonterm, delnonterm; |
210 | map<DNSName,bool> nonterm; | |
b5baefaf | 211 | bool doent=true; |
a279bc18 | 212 | |
20002664 | 213 | while(sd.db->get(rr)) { |
b5baefaf PD |
214 | if (rr.qtype.getCode()) |
215 | { | |
216 | qnames.insert(rr.qname); | |
4fcd7e9b | 217 | if(rr.qtype.getCode() == QType::NS && rr.qname != zone) |
b5baefaf PD |
218 | nsset.insert(rr.qname); |
219 | if(rr.qtype.getCode() == QType::DS) | |
220 | dsnames.insert(rr.qname); | |
221 | } | |
222 | else | |
223 | if(doent) | |
224 | delnonterm.insert(rr.qname); | |
81b39e4b | 225 | } |
9abd98d3 | 226 | |
c3c89361 | 227 | NSEC3PARAMRecordContent ns3pr; |
f28f2324 | 228 | bool narrow; |
3c873e66 | 229 | bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow); |
a279bc18 | 230 | bool isOptOut=(haveNSEC3 && ns3pr.d_flags); |
ece45ffb PD |
231 | if(sd.db->doesDNSSEC()) |
232 | { | |
a279bc18 | 233 | if(!haveNSEC3) |
ece45ffb | 234 | cerr<<"Adding NSEC ordering information "<<endl; |
a279bc18 KM |
235 | else if(!narrow) { |
236 | if(!isOptOut) | |
675fa24c | 237 | cerr<<"Adding NSEC3 hashed ordering information for '"<<zone.toString()<<"'"<<endl; |
a279bc18 | 238 | else |
675fa24c | 239 | cerr<<"Adding NSEC3 opt-out hashed ordering information for '"<<zone.toString()<<"'"<<endl; |
a279bc18 | 240 | } else |
ece45ffb PD |
241 | cerr<<"Erasing NSEC3 ordering since we are narrow, only setting 'auth' fields"<<endl; |
242 | } | |
243 | else | |
5911b051 | 244 | cerr<<"Adding empty non-terminals for non-DNSSEC zone"<<endl; |
a279bc18 | 245 | |
d6c16697 | 246 | if(doTransaction) |
7da05748 | 247 | sd.db->startTransaction(zone, -1); |
a279bc18 | 248 | |
b5baefaf | 249 | bool realrr=true; |
b5baefaf PD |
250 | uint32_t maxent = ::arg().asNum("max-ent-entries"); |
251 | ||
252 | dononterm:; | |
4fcd7e9b | 253 | for (const auto& qname: qnames) |
81b39e4b | 254 | { |
f28f2324 | 255 | bool auth=true; |
4fcd7e9b KM |
256 | DNSName ordername; |
257 | auto shorter(qname); | |
27045410 | 258 | |
b5baefaf PD |
259 | if(realrr) { |
260 | do { | |
261 | if(nsset.count(shorter)) { | |
262 | auth=false; | |
263 | break; | |
264 | } | |
675fa24c | 265 | } while(shorter.chopOff()); |
b5baefaf | 266 | } |
27045410 | 267 | |
4fcd7e9b | 268 | if(haveNSEC3) // NSEC3 |
27045410 | 269 | { |
4fcd7e9b | 270 | if(!narrow && (realrr || !isOptOut || nonterm.find(qname)->second)) |
28e2e78e | 271 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname))) + zone; |
4fcd7e9b KM |
272 | else if(!realrr) |
273 | auth=false; | |
b5baefaf | 274 | } |
4fcd7e9b KM |
275 | else if (realrr) // NSEC |
276 | ordername=qname; | |
277 | ||
278 | if(g_verbose) | |
279 | cerr<<"'"<<qname.toString()<<"' -> '"<< ordername.toString() <<"'"<<endl; | |
280 | sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, auth); | |
b5baefaf | 281 | |
b8adb30d | 282 | if(realrr) |
b5baefaf | 283 | { |
b8adb30d | 284 | if (dsnames.count(qname)) |
4fcd7e9b | 285 | sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, true, QType::DS); |
b8adb30d | 286 | if (!auth || nsset.count(qname)) { |
4fcd7e9b | 287 | ordername.clear(); |
a279bc18 | 288 | if(isOptOut) |
4fcd7e9b KM |
289 | sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::NS); |
290 | sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::A); | |
291 | sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::AAAA); | |
b8adb30d KM |
292 | } |
293 | ||
a279bc18 | 294 | if(doent) |
b5baefaf | 295 | { |
b8adb30d | 296 | shorter=qname; |
675fa24c | 297 | while(shorter!=zone && shorter.chopOff()) |
b5baefaf | 298 | { |
54c9247e | 299 | if(!qnames.count(shorter)) |
b5baefaf | 300 | { |
b8adb30d KM |
301 | if(!(maxent)) |
302 | { | |
675fa24c | 303 | cerr<<"Zone '"<<zone.toString()<<"' has too many empty non terminals."<<endl; |
b8adb30d KM |
304 | insnonterm.clear(); |
305 | delnonterm.clear(); | |
306 | doent=false; | |
307 | break; | |
308 | } | |
a279bc18 | 309 | |
54c9247e KM |
310 | if (!delnonterm.count(shorter) && !nonterm.count(shorter)) |
311 | insnonterm.insert(shorter); | |
312 | else | |
313 | delnonterm.erase(shorter); | |
314 | ||
a279bc18 | 315 | if (!nonterm.count(shorter)) { |
675fa24c | 316 | nonterm.insert(pair<DNSName, bool>(shorter, auth)); |
a279bc18 KM |
317 | --maxent; |
318 | } else if (auth) | |
319 | nonterm[shorter]=true; | |
b5baefaf | 320 | } |
b5baefaf | 321 | } |
27045410 | 322 | } |
c3c89361 | 323 | } |
20002664 | 324 | } |
b5baefaf PD |
325 | |
326 | if(realrr) | |
327 | { | |
328 | //cerr<<"Total: "<<nonterm.size()<<" Insert: "<<insnonterm.size()<<" Delete: "<<delnonterm.size()<<endl; | |
329 | if(!insnonterm.empty() || !delnonterm.empty() || !doent) | |
330 | { | |
331 | sd.db->updateEmptyNonTerminals(sd.domain_id, zone, insnonterm, delnonterm, !doent); | |
332 | } | |
333 | if(doent) | |
334 | { | |
335 | realrr=false; | |
a279bc18 | 336 | qnames.clear(); |
d4535f5d | 337 | for(const auto& nt : nonterm){ |
a279bc18 KM |
338 | qnames.insert(nt.first); |
339 | } | |
b5baefaf PD |
340 | goto dononterm; |
341 | } | |
342 | } | |
343 | ||
d6c16697 BH |
344 | if(doTransaction) |
345 | sd.db->commitTransaction(); | |
032e3906 PD |
346 | |
347 | return true; | |
20002664 BH |
348 | } |
349 | ||
a0a6cb58 | 350 | void dbBench(const std::string& fname) |
351 | { | |
352 | ::arg().set("query-cache-ttl")="0"; | |
353 | ::arg().set("negquery-cache-ttl")="0"; | |
354 | UeberBackend B("default"); | |
355 | ||
356 | vector<string> domains; | |
357 | if(!fname.empty()) { | |
358 | ifstream ifs(fname.c_str()); | |
359 | if(!ifs) { | |
360 | cerr<<"Could not open '"<<fname<<"' for reading domain names to query"<<endl; | |
361 | } | |
362 | string line; | |
363 | while(getline(ifs,line)) { | |
364 | trim(line); | |
365 | domains.push_back(line); | |
366 | } | |
367 | } | |
368 | if(domains.empty()) | |
369 | domains.push_back("powerdns.com"); | |
370 | ||
371 | int n=0; | |
372 | DNSResourceRecord rr; | |
373 | DTime dt; | |
374 | dt.set(); | |
375 | unsigned int hits=0, misses=0; | |
376 | for(; n < 10000; ++n) { | |
b873e23a | 377 | DNSName domain(domains[random() % domains.size()]); |
a0a6cb58 | 378 | B.lookup(QType(QType::NS), domain); |
379 | while(B.get(rr)) { | |
380 | hits++; | |
381 | } | |
335da0ba | 382 | B.lookup(QType(QType::A), DNSName(std::to_string(random()))+domain); |
a0a6cb58 | 383 | while(B.get(rr)) { |
384 | } | |
385 | misses++; | |
386 | ||
387 | } | |
388 | cout<<0.001*dt.udiff()/n<<" millisecond/lookup"<<endl; | |
389 | cout<<"Retrieved "<<hits<<" records, did "<<misses<<" queries which should have no match"<<endl; | |
390 | cout<<"Packet cache reports: "<<S.read("query-cache-hit")<<" hits (should be 0) and "<<S.read("query-cache-miss") <<" misses"<<endl; | |
391 | } | |
392 | ||
1325e8a2 PD |
393 | void rectifyAllZones(DNSSECKeeper &dk) |
394 | { | |
ba86110a | 395 | UeberBackend B("default"); |
1325e8a2 PD |
396 | vector<DomainInfo> domainInfo; |
397 | ||
ba86110a | 398 | B.getAllDomains(&domainInfo); |
ff05fd12 | 399 | for(DomainInfo di : domainInfo) { |
675fa24c | 400 | cerr<<"Rectifying "<<di.zone.toString()<<": "; |
1325e8a2 PD |
401 | rectifyZone(dk, di.zone); |
402 | } | |
403 | cout<<"Rectified "<<domainInfo.size()<<" zones."<<endl; | |
404 | } | |
405 | ||
c2e0881c | 406 | int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, const vector<DNSResourceRecord>* suppliedrecords=0) |
5d2e58b0 | 407 | { |
5d2e58b0 | 408 | SOAData sd; |
79ba7763 | 409 | if(!B.getSOAUncached(zone, sd)) { |
675fa24c PD |
410 | cout<<"[error] No SOA record present, or active, in zone '"<<zone.toString()<<"'"<<endl; |
411 | cout<<"Checked 0 records of '"<<zone.toString()<<"', 1 errors, 0 warnings."<<endl; | |
fdc0adaf | 412 | return 1; |
bb0bbee2 | 413 | } |
74bf221f KM |
414 | |
415 | NSEC3PARAMRecordContent ns3pr; | |
416 | bool narrow = false; | |
417 | bool haveNSEC3 = dk.getNSEC3PARAM(zone, &ns3pr, &narrow); | |
418 | bool isOptOut=(haveNSEC3 && ns3pr.d_flags); | |
419 | ||
420 | bool isSecure=dk.isSecuredZone(zone); | |
bb0bbee2 | 421 | bool presigned=dk.isPresigned(zone); |
74bf221f | 422 | |
5d2e58b0 | 423 | DNSResourceRecord rr; |
8c949c52 | 424 | uint64_t numrecords=0, numerrors=0, numwarnings=0; |
f1b672ae | 425 | |
3155c04a PL |
426 | if (haveNSEC3 && isSecure && zone.wirelength() > 222) { |
427 | numerrors++; | |
694ea7ae | 428 | cout<<"[Error] zone '" << zone.toStringNoDot() << "' has NSEC3 semantics but is too long to have the hash prepended. Zone name is " << zone.wirelength() << " bytes long, whereas the maximum is 222 bytes." << endl; |
3155c04a | 429 | } |
95ba91f7 KM |
430 | |
431 | // Check for delegation in parent zone | |
21a3792f KM |
432 | DNSName parent(zone); |
433 | while(parent.chopOff()) { | |
95ba91f7 KM |
434 | SOAData sd_p; |
435 | if(B.getSOAUncached(parent, sd_p)) { | |
436 | bool ns=false; | |
437 | DNSResourceRecord rr; | |
438 | B.lookup(QType(QType::ANY), zone, NULL, sd_p.domain_id); | |
439 | while(B.get(rr)) | |
440 | ns |= (rr.qtype == QType::NS); | |
441 | if (!ns) { | |
694ea7ae | 442 | cout<<"[Error] No delegation for zone '"<<zone.toString()<<"' in parent '"<<parent.toString()<<"'"<<endl; |
95ba91f7 KM |
443 | numerrors++; |
444 | } | |
445 | break; | |
446 | } | |
447 | } | |
448 | ||
449 | ||
1e2e9565 | 450 | bool hasNsAtApex = false; |
2e5f6225 | 451 | set<DNSName> tlsas, cnames, noncnames, glue, checkglue; |
c2e0881c | 452 | set<string> recordcontents; |
bb0bbee2 | 453 | map<string, unsigned int> ttl; |
f1b672ae KM |
454 | |
455 | ostringstream content; | |
bb0bbee2 | 456 | pair<map<string, unsigned int>::iterator,bool> ret; |
61717a51 | 457 | |
c2e0881c | 458 | vector<DNSResourceRecord> records; |
459 | if(!suppliedrecords) { | |
460 | sd.db->list(zone, sd.domain_id, false); | |
461 | while(sd.db->get(rr)) { | |
462 | records.push_back(rr); | |
463 | } | |
464 | } | |
465 | else | |
466 | records=*suppliedrecords; | |
95ba91f7 | 467 | |
c2e0881c | 468 | for(auto rr : records) { // we modify this |
f1b672ae KM |
469 | if(!rr.qtype.getCode()) |
470 | continue; | |
471 | ||
a6230867 | 472 | numrecords++; |
b191a835 | 473 | |
2e5f6225 PL |
474 | if(rr.qtype.getCode() == QType::TLSA) |
475 | tlsas.insert(rr.qname); | |
84a0d08c KM |
476 | if(rr.qtype.getCode() == QType::SOA) { |
477 | vector<string>parts; | |
478 | stringtok(parts, rr.content); | |
479 | ||
480 | ostringstream o; | |
481 | o<<rr.content; | |
482 | for(int pleft=parts.size(); pleft < 7; ++pleft) { | |
483 | o<<" 0"; | |
484 | } | |
485 | rr.content=o.str(); | |
bb0bbee2 KM |
486 | } |
487 | ||
77da04f6 KM |
488 | if(rr.qtype.getCode() == QType::TXT && !rr.content.empty() && rr.content[0]!='"') |
489 | rr.content = "\""+rr.content+"\""; | |
490 | ||
491 | try { | |
492 | shared_ptr<DNSRecordContent> drc(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content)); | |
493 | string tmp=drc->serialize(rr.qname); | |
f21fc0aa | 494 | tmp = drc->getZoneRepresentation(true); |
0f470360 KM |
495 | if (rr.qtype.getCode() != QType::AAAA) { |
496 | if (!pdns_iequals(tmp, rr.content)) { | |
657c0bf7 | 497 | if(rr.qtype.getCode() == QType::SOA) { |
498 | tmp = drc->getZoneRepresentation(false); | |
499 | } | |
500 | if(!pdns_iequals(tmp, rr.content)) { | |
501 | cout<<"[Warning] Parsed and original record content are not equal: "<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<< " '" << rr.content<<"' (Content parsed as '"<<tmp<<"')"<<endl; | |
502 | numwarnings++; | |
503 | } | |
0f470360 KM |
504 | } |
505 | } else { | |
1cac2653 KM |
506 | struct in6_addr tmpbuf; |
507 | if (inet_pton(AF_INET6, rr.content.c_str(), &tmpbuf) != 1 || rr.content.find('.') != string::npos) { | |
675fa24c | 508 | cout<<"[Warning] Following record is not a valid IPv6 address: "<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<< " '" << rr.content<<"'"<<endl; |
0f470360 | 509 | numwarnings++; |
1cac2653 | 510 | } |
77da04f6 KM |
511 | } |
512 | } | |
513 | catch(std::exception& e) | |
514 | { | |
675fa24c | 515 | cout<<"[Error] Following record had a problem: "<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<< " " << rr.content<<endl; |
77da04f6 KM |
516 | cout<<"[Error] Error was: "<<e.what()<<endl; |
517 | numerrors++; | |
518 | continue; | |
519 | } | |
520 | ||
675fa24c | 521 | if(!rr.qname.isPartOf(zone)) { |
e977acfd | 522 | cout<<"[Error] Record '"<<rr.qname.toString()<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone.toString()<<"' is out-of-zone."<<endl; |
523 | numerrors++; | |
a6230867 KM |
524 | continue; |
525 | } | |
526 | ||
f1b672ae | 527 | content.str(""); |
675fa24c | 528 | content<<rr.qname.toString()<<" "<<rr.qtype.getName()<<" "<<rr.content; |
c2e0881c | 529 | if (recordcontents.count(toLower(content.str()))) { |
675fa24c | 530 | cout<<"[Error] Duplicate record found in rrset: '"<<rr.qname.toString()<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"'"<<endl; |
befcd641 KM |
531 | numerrors++; |
532 | continue; | |
533 | } else | |
c2e0881c | 534 | recordcontents.insert(toLower(content.str())); |
befcd641 | 535 | |
f1b672ae | 536 | content.str(""); |
675fa24c | 537 | content<<rr.qname.toString()<<" "<<rr.qtype.getName(); |
63372f34 KM |
538 | if (rr.qtype.getCode() == QType::RRSIG) { |
539 | RRSIGRecordContent rrc(rr.content); | |
540 | content<<" ("<<DNSRecordContent::NumberToType(rrc.d_type)<<")"; | |
541 | } | |
bb0bbee2 KM |
542 | ret = ttl.insert(pair<string, unsigned int>(toLower(content.str()), rr.ttl)); |
543 | if (ret.second == false && ret.first->second != rr.ttl) { | |
675fa24c | 544 | cout<<"[Error] TTL mismatch in rrset: '"<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<<" "<<rr.content<<"' ("<<ret.first->second<<" != "<<rr.ttl<<")"<<endl; |
f1b672ae KM |
545 | numerrors++; |
546 | continue; | |
547 | } | |
548 | ||
675fa24c PD |
549 | if (isSecure && isOptOut && (rr.qname.countLabels() && rr.qname.getRawLabels()[0] == "*")) { |
550 | cout<<"[Warning] wildcard record '"<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<<" "<<rr.content<<"' is insecure"<<endl; | |
fd5076c8 | 551 | cout<<"[Info] Wildcard records in opt-out zones are insecure. Disable the opt-out flag for this zone to avoid this warning. Command: pdnsutil set-nsec3 "<<zone.toString()<<endl; |
74bf221f KM |
552 | numwarnings++; |
553 | } | |
554 | ||
675fa24c | 555 | if(rr.qname==zone) { |
1e2e9565 KM |
556 | if (rr.qtype.getCode() == QType::NS) { |
557 | hasNsAtApex=true; | |
558 | } else if (rr.qtype.getCode() == QType::DS) { | |
675fa24c | 559 | cout<<"[Warning] DS at apex in zone '"<<zone.toString()<<"', should not be here."<<endl; |
1e2e9565 KM |
560 | numwarnings++; |
561 | } | |
562 | } else { | |
563 | if (rr.qtype.getCode() == QType::SOA) { | |
675fa24c | 564 | cout<<"[Error] SOA record not at apex '"<<rr.qname.toString()<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone.toString()<<"'"<<endl; |
1e2e9565 KM |
565 | numerrors++; |
566 | continue; | |
567 | } else if (rr.qtype.getCode() == QType::DNSKEY) { | |
675fa24c | 568 | cout<<"[Warning] DNSKEY record not at apex '"<<rr.qname.toString()<<" IN "<<rr.qtype.getName()<<" "<<rr.content<<"' in zone '"<<zone.toString()<<"', should not be here."<<endl; |
1e2e9565 | 569 | numwarnings++; |
21a3792f | 570 | } else if (rr.qtype.getCode() == QType::NS && DNSName(rr.content).isPartOf(rr.qname)) { |
b873e23a | 571 | checkglue.insert(DNSName(toLower(rr.content))); |
95ba91f7 | 572 | } else if (rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) { |
b873e23a | 573 | glue.insert(rr.qname); |
1e2e9565 KM |
574 | } |
575 | } | |
576 | ||
61717a51 | 577 | if (rr.qtype.getCode() == QType::CNAME) { |
675fa24c PD |
578 | if (!cnames.count(rr.qname)) |
579 | cnames.insert(rr.qname); | |
c90d822b | 580 | else { |
675fa24c | 581 | cout<<"[Error] Duplicate CNAME found at '"<<rr.qname.toString()<<"'"<<endl; |
ca57aa98 KM |
582 | numerrors++; |
583 | continue; | |
584 | } | |
c90d822b KM |
585 | } else { |
586 | if (rr.qtype.getCode() == QType::RRSIG) { | |
3aa5b00f | 587 | if(!presigned) { |
675fa24c | 588 | cout<<"[Error] RRSIG found at '"<<rr.qname.toString()<<"' in non-presigned zone. These do not belong in the database."<<endl; |
c90d822b | 589 | numerrors++; |
befcd641 | 590 | continue; |
c90d822b KM |
591 | } |
592 | } else | |
675fa24c | 593 | noncnames.insert(rr.qname); |
61717a51 PD |
594 | } |
595 | ||
0aabca97 PD |
596 | if(rr.qtype.getCode() == QType::NSEC || rr.qtype.getCode() == QType::NSEC3) |
597 | { | |
675fa24c | 598 | cout<<"[Error] NSEC or NSEC3 found at '"<<rr.qname.toString()<<"'. These do not belong in the database."<<endl; |
0aabca97 PD |
599 | numerrors++; |
600 | continue; | |
601 | } | |
602 | ||
0a0f82c8 | 603 | if(!presigned && rr.qtype.getCode() == QType::DNSKEY) |
12a92688 | 604 | { |
cc8df07f | 605 | if(::arg().mustDo("direct-dnskey")) |
12a92688 | 606 | { |
0a0f82c8 | 607 | if(rr.ttl != sd.default_ttl) |
12a92688 | 608 | { |
675fa24c | 609 | cout<<"[Warning] DNSKEY TTL of "<<rr.ttl<<" at '"<<rr.qname.toString()<<"' differs from SOA minimum of "<<sd.default_ttl<<endl; |
c90d822b | 610 | numwarnings++; |
12a92688 PD |
611 | } |
612 | } | |
0a0f82c8 KM |
613 | else |
614 | { | |
675fa24c | 615 | cout<<"[Warning] DNSKEY at '"<<rr.qname.toString()<<"' in non-presigned zone will mostly be ignored and can cause problems."<<endl; |
0a0f82c8 KM |
616 | numwarnings++; |
617 | } | |
12a92688 PD |
618 | } |
619 | ||
675fa24c PD |
620 | // if (rr.qname[rr.qname.size()-1] == '.') { |
621 | // cout<<"[Error] Record '"<<rr.qname.toString()<<"' has a trailing dot. PowerDNS will ignore this record!"<<endl; | |
622 | // numerrors++; | |
623 | // } | |
bb0bbee2 | 624 | |
165e5695 | 625 | if ( (rr.qtype.getCode() == QType::NS || rr.qtype.getCode() == QType::SRV || rr.qtype.getCode() == QType::MX || rr.qtype.getCode() == QType::CNAME || rr.qtype.getCode() == QType::DNAME) && |
8c949c52 | 626 | rr.content[rr.content.size()-1] == '.') { |
675fa24c | 627 | cout<<"[Warning] The record "<<rr.qname.toString()<<" with type "<<rr.qtype.getName()<<" has a trailing dot in the content ("<<rr.content<<"). Your backend might not work well with this."<<endl; |
8c949c52 PD |
628 | numwarnings++; |
629 | } | |
630 | ||
27045410 | 631 | if(rr.auth == 0 && rr.qtype.getCode()!=QType::NS && rr.qtype.getCode()!=QType::A && rr.qtype.getCode()!=QType::AAAA) |
7ddd79a7 | 632 | { |
fd5076c8 | 633 | cout<<"[Error] Following record is auth=0, run pdnsutil rectify-zone?: "<<rr.qname.toString()<<" IN " <<rr.qtype.getName()<< " " << rr.content<<endl; |
5e42374c | 634 | numerrors++; |
7ddd79a7 | 635 | } |
035297ad | 636 | } |
61717a51 | 637 | |
675fa24c PD |
638 | for(auto &i: cnames) { |
639 | if (noncnames.find(i) != noncnames.end()) { | |
640 | cout<<"[Error] CNAME "<<i.toString()<<" found, but other records with same label exist."<<endl; | |
61717a51 PD |
641 | numerrors++; |
642 | } | |
643 | } | |
644 | ||
2e5f6225 PL |
645 | for(const auto &i: tlsas) { |
646 | DNSName name = DNSName(i); | |
647 | name.trimToLabels(name.getRawLabels().size()-2); | |
648 | if (cnames.find(name) == cnames.end() && noncnames.find(name) == noncnames.end()) { | |
649 | // No specific record for the name in the TLSA record exists, this | |
650 | // is already worth emitting a warning. Let's see if a wildcard exist. | |
651 | cout<<"[Warning] "; | |
652 | DNSName wcname(name); | |
653 | wcname.chopOff(); | |
654 | wcname.prependRawLabel("*"); | |
655 | if (cnames.find(wcname) != cnames.end() || noncnames.find(wcname) != noncnames.end()) { | |
656 | cout<<"A wildcard record exist for '"<<wcname.toString()<<"' and a TLSA record for '"<<i.toString()<<"'."; | |
657 | } else { | |
658 | cout<<"No record for '"<<name.toString()<<"' exists, but a TLSA record for '"<<i.toString()<<"' does."; | |
659 | } | |
660 | numwarnings++; | |
661 | cout<<" A query for '"<<name.toString()<<"' will yield an empty response. This is most likely a mistake, please create records for '"<<name.toString()<<"'."<<endl; | |
662 | } | |
663 | } | |
664 | ||
1e2e9565 | 665 | if(!hasNsAtApex) { |
675fa24c | 666 | cout<<"[Error] No NS record at zone apex in zone '"<<zone.toString()<<"'"<<endl; |
1e2e9565 KM |
667 | numerrors++; |
668 | } | |
669 | ||
95ba91f7 KM |
670 | for(const auto &qname : checkglue) { |
671 | if (!glue.count(qname)) { | |
694ea7ae | 672 | cout<<"[Warning] Missing glue for '"<<qname.toString()<<"' in zone '"<<zone.toString()<<"'"<<endl; |
13a9aa3e | 673 | numwarnings++; |
95ba91f7 KM |
674 | } |
675 | } | |
676 | ||
675fa24c | 677 | cout<<"Checked "<<numrecords<<" records of '"<<zone.toString()<<"', "<<numerrors<<" errors, "<<numwarnings<<" warnings."<<endl; |
d6ddb28a PL |
678 | if(!numerrors) |
679 | return 0; | |
680 | return 1; | |
5d2e58b0 BH |
681 | } |
682 | ||
d6ddb28a | 683 | int checkAllZones(DNSSECKeeper &dk, bool exitOnError) |
1325e8a2 | 684 | { |
ba86110a | 685 | UeberBackend B("default"); |
1325e8a2 PD |
686 | vector<DomainInfo> domainInfo; |
687 | ||
fdc0adaf | 688 | B.getAllDomains(&domainInfo, true); |
1325e8a2 | 689 | int errors=0; |
d6ddb28a PL |
690 | for(auto di : domainInfo) { |
691 | if (checkZone(dk, B, di.zone) > 0) { | |
692 | errors++; | |
693 | if(exitOnError) | |
694 | return 1; | |
695 | } | |
1325e8a2 PD |
696 | } |
697 | cout<<"Checked "<<domainInfo.size()<<" zones, "<<errors<<" had errors."<<endl; | |
d6ddb28a PL |
698 | if(!errors) |
699 | return 0; | |
700 | return 1; | |
1325e8a2 PD |
701 | } |
702 | ||
675fa24c | 703 | int increaseSerial(const DNSName& zone, DNSSECKeeper &dk) |
04576eed RA |
704 | { |
705 | UeberBackend B("default"); | |
706 | SOAData sd; | |
79ba7763 | 707 | if(!B.getSOAUncached(zone, sd)) { |
694ea7ae | 708 | cerr<<"No SOA for zone '"<<zone.toString()<<"'"<<endl; |
04576eed RA |
709 | return -1; |
710 | } | |
4192773a KM |
711 | |
712 | if (dk.isPresigned(zone)) { | |
713 | cerr<<"Serial increase of presigned zone '"<<zone<<"' is not allowed."<<endl; | |
714 | return -1; | |
715 | } | |
04576eed RA |
716 | |
717 | string soaEditKind; | |
4192773a | 718 | dk.getSoaEdit(zone, soaEditKind); |
04576eed RA |
719 | |
720 | sd.db->lookup(QType(QType::SOA), zone); | |
721 | vector<DNSResourceRecord> rrs; | |
722 | DNSResourceRecord rr; | |
723 | while (sd.db->get(rr)) { | |
724 | if (rr.qtype.getCode() == QType::SOA) | |
725 | rrs.push_back(rr); | |
726 | } | |
727 | ||
728 | if (rrs.size() > 1) { | |
675fa24c | 729 | cerr<<rrs.size()<<" SOA records found for "<<zone.toString()<<"!"<<endl; |
04576eed RA |
730 | return -1; |
731 | } | |
732 | if (rrs.size() < 1) { | |
675fa24c | 733 | cerr<<zone.toString()<<" not found!"<<endl; |
04576eed RA |
734 | } |
735 | ||
63347c6c | 736 | if (soaEditKind.empty()) { |
04576eed | 737 | sd.serial++; |
63347c6c SB |
738 | } |
739 | else if(pdns_iequals(soaEditKind,"INCREMENT-WEEKS")) { | |
740 | sd.serial++; | |
741 | } | |
742 | else if(pdns_iequals(soaEditKind,"INCEPTION-INCREMENT")) { | |
743 | uint32_t today_serial = localtime_format_YYYYMMDDSS(time(NULL), 1); | |
744 | ||
745 | if (sd.serial < today_serial) { | |
746 | sd.serial = today_serial; | |
747 | } | |
748 | else { | |
749 | sd.serial++; | |
750 | } | |
751 | } | |
752 | else { | |
9f44333a | 753 | sd.serial = calculateEditSOA(sd, soaEditKind) + 1; |
63347c6c | 754 | } |
04576eed RA |
755 | rrs[0].content = serializeSOAData(sd); |
756 | ||
7da05748 | 757 | sd.db->startTransaction(zone, -1); |
0881012f | 758 | |
04576eed | 759 | if (! sd.db->replaceRRSet(sd.domain_id, zone, rr.qtype, rrs)) { |
0881012f | 760 | sd.db->abortTransaction(); |
04576eed RA |
761 | cerr<<"Backend did not replace SOA record. Backend might not support this operation."<<endl; |
762 | return -1; | |
763 | } | |
481350e4 AT |
764 | |
765 | if (sd.db->doesDNSSEC()) { | |
766 | NSEC3PARAMRecordContent ns3pr; | |
767 | bool narrow; | |
768 | bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow); | |
769 | ||
4fcd7e9b KM |
770 | DNSName ordername; |
771 | if(haveNSEC3) { | |
772 | if(!narrow) | |
28e2e78e | 773 | ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zone))) + zone; |
4fcd7e9b KM |
774 | } else |
775 | ordername=zone; | |
776 | if(g_verbose) | |
777 | cerr<<"'"<<rrs[0].qname.toString()<<"' -> '"<< ordername.toString() <<"'"<<endl; | |
778 | sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, rrs[0].qname, ordername, true); | |
481350e4 AT |
779 | } |
780 | ||
0881012f AT |
781 | sd.db->commitTransaction(); |
782 | ||
675fa24c | 783 | cout<<"SOA serial for zone "<<zone.toString()<<" set to "<<sd.serial<<endl; |
04576eed RA |
784 | return 0; |
785 | } | |
786 | ||
675fa24c | 787 | int deleteZone(const DNSName &zone) { |
51f6bca1 RA |
788 | UeberBackend B; |
789 | DomainInfo di; | |
790 | if (! B.getDomainInfo(zone, di)) { | |
675fa24c | 791 | cerr<<"Domain '"<<zone.toString()<<"' not found!"<<endl; |
51f6bca1 RA |
792 | return 1; |
793 | } | |
794 | ||
795 | if(di.backend->deleteDomain(zone)) | |
796 | return 0; | |
797 | ||
675fa24c | 798 | cerr<<"Failed to delete domain '"<<zone.toString()<<"'"<<endl;; |
51f6bca1 RA |
799 | return 1; |
800 | } | |
801 | ||
597b9b3e PL |
802 | void listKey(DomainInfo const &di, DNSSECKeeper& dk, bool printHeader = true) { |
803 | if (printHeader) { | |
804 | cout<<"Zone Type Size Algorithm ID Location Keytag"<<endl; | |
805 | cout<<"----------------------------------------------------------------------------------"<<endl; | |
806 | } | |
807 | unsigned int spacelen = 0; | |
808 | for (auto const &key : dk.getKeys(di.zone)) { | |
809 | cout<<di.zone.toStringNoDot(); | |
810 | if (di.zone.toStringNoDot().length() > 29) | |
811 | cout<<endl<<string(30, ' '); | |
812 | else | |
813 | cout<<string(30 - di.zone.toStringNoDot().length(), ' '); | |
814 | ||
815 | cout<<(key.second.keyOrZone ? "KSK" : "ZSK")<<" "; | |
816 | ||
335da0ba | 817 | spacelen = (std::to_string(key.first.getKey()->getBits()).length() >= 8) ? 1 : 8 - std::to_string(key.first.getKey()->getBits()).length(); |
597b9b3e PL |
818 | if (key.first.getKey()->getBits() < 1) { |
819 | cout<<"invalid "<<endl; | |
820 | continue; | |
821 | } else { | |
822 | cout<<key.first.getKey()->getBits()<<string(spacelen, ' '); | |
823 | } | |
824 | ||
825 | string algname; | |
826 | algorithm2name(key.first.d_algorithm, algname); | |
827 | spacelen = (algname.length() >= 13) ? 1 : 13 - algname.length(); | |
828 | cout<<algname<<string(spacelen, ' '); | |
829 | ||
335da0ba | 830 | spacelen = (std::to_string(key.second.id).length() > 5) ? 1 : 5 - std::to_string(key.second.id).length(); |
597b9b3e PL |
831 | cout<<key.second.id<<string(spacelen, ' '); |
832 | ||
833 | #ifdef HAVE_P11KIT1 | |
834 | auto stormap = key.first.getKey()->convertToISCVector(); | |
835 | string engine, slot, label = ""; | |
836 | for (auto const &elem : stormap) { | |
837 | //cout<<elem.first<<" "<<elem.second<<endl; | |
838 | if (elem.first == "Engine") | |
839 | engine = elem.second; | |
840 | if (elem.first == "Slot") | |
841 | slot = elem.second; | |
842 | if (elem.first == "Label") | |
843 | label = elem.second; | |
844 | } | |
845 | if (engine.empty() || slot.empty()){ | |
846 | cout<<"cryptokeys "; | |
847 | } else { | |
848 | spacelen = (engine.length()+slot.length()+label.length()+2 >= 12) ? 1 : 12 - engine.length()-slot.length()-label.length()-2; | |
849 | cout<<engine<<","<<slot<<","<<label<<string(spacelen, ' '); | |
850 | } | |
851 | #else | |
852 | cout<<"cryptokeys "; | |
853 | #endif | |
854 | cout<<key.first.getDNSKEY().getTag()<<endl; | |
855 | } | |
856 | } | |
857 | ||
858 | bool listKeys(const string &zname, DNSSECKeeper& dk){ | |
859 | UeberBackend B("default"); | |
860 | ||
861 | if (zname != "all") { | |
862 | DomainInfo di; | |
863 | if(!B.getDomainInfo(DNSName(zname), di)) { | |
864 | cerr << "Zone "<<zname<<" not found."<<endl; | |
865 | return false; | |
866 | } | |
867 | listKey(di, dk); | |
868 | } else { | |
869 | vector<DomainInfo> domainInfo; | |
870 | B.getAllDomains(&domainInfo); | |
871 | bool printHeader = true; | |
872 | for (auto const di : domainInfo) { | |
873 | listKey(di, dk, printHeader); | |
874 | printHeader = false; | |
875 | } | |
876 | } | |
877 | return true; | |
878 | } | |
879 | ||
675fa24c | 880 | int listZone(const DNSName &zone) { |
c9865bc5 | 881 | UeberBackend B; |
882 | DomainInfo di; | |
883 | ||
884 | if (! B.getDomainInfo(zone, di)) { | |
675fa24c | 885 | cerr<<"Domain '"<<zone.toString()<<"' not found!"<<endl; |
c9865bc5 | 886 | return 1; |
887 | } | |
888 | di.backend->list(zone, di.id); | |
889 | DNSResourceRecord rr; | |
890 | while(di.backend->get(rr)) { | |
891 | if(rr.qtype.getCode()) { | |
892 | if ( (rr.qtype.getCode() == QType::NS || rr.qtype.getCode() == QType::SRV || rr.qtype.getCode() == QType::MX || rr.qtype.getCode() == QType::CNAME) && !rr.content.empty() && rr.content[rr.content.size()-1] != '.') | |
893 | rr.content.append(1, '.'); | |
894 | ||
36b32ec8 | 895 | cout<<rr.qname.toString()<<"\t"<<rr.ttl<<"\tIN\t"<<rr.qtype.getName()<<"\t"<<rr.content<<endl; |
c9865bc5 | 896 | } |
897 | } | |
898 | return 0; | |
899 | } | |
900 | ||
c2e0881c | 901 | // lovingly copied from http://stackoverflow.com/questions/1798511/how-to-avoid-press-enter-with-any-getchar |
902 | int read1char(){ | |
903 | int c; | |
904 | static struct termios oldt, newt; | |
905 | ||
906 | /*tcgetattr gets the parameters of the current terminal | |
907 | STDIN_FILENO will tell tcgetattr that it should write the settings | |
908 | of stdin to oldt*/ | |
909 | tcgetattr( STDIN_FILENO, &oldt); | |
910 | /*now the settings will be copied*/ | |
911 | newt = oldt; | |
912 | ||
913 | /*ICANON normally takes care that one line at a time will be processed | |
914 | that means it will return if it sees a "\n" or an EOF or an EOL*/ | |
915 | newt.c_lflag &= ~(ICANON); | |
916 | ||
917 | /*Those new settings will be set to STDIN | |
918 | TCSANOW tells tcsetattr to change attributes immediately. */ | |
919 | tcsetattr( STDIN_FILENO, TCSANOW, &newt); | |
920 | ||
921 | c=getchar(); | |
922 | ||
923 | /*restore the old settings*/ | |
924 | tcsetattr( STDIN_FILENO, TCSANOW, &oldt); | |
925 | ||
926 | return c; | |
927 | } | |
928 | ||
929 | ||
930 | int editZone(DNSSECKeeper& dk, const DNSName &zone) { | |
931 | UeberBackend B; | |
932 | DomainInfo di; | |
933 | ||
934 | if (! B.getDomainInfo(zone, di)) { | |
935 | cerr<<"Domain '"<<zone.toString()<<"' not found!"<<endl; | |
936 | return 1; | |
937 | } | |
938 | vector<DNSRecord> pre, post; | |
939 | char tmpnam[]="/tmp/pdnsutil-XXXXXX"; | |
940 | int tmpfd=mkstemp(tmpnam); | |
941 | if(tmpfd < 0) | |
942 | unixDie("Making temporary filename in "+string(tmpnam)); | |
943 | struct deleteme { | |
944 | ~deleteme() { unlink(d_name.c_str()); } | |
945 | deleteme(string name) : d_name(name) {} | |
946 | string d_name; | |
947 | } dm(tmpnam); | |
948 | ||
949 | bool first=true; | |
950 | vector<DNSResourceRecord> checkrr; | |
951 | int gotoline=0; | |
952 | string editor="editor"; | |
953 | if(auto e=getenv("EDITOR")) // <3 | |
954 | editor=e; | |
955 | string cmdline; | |
956 | editAgain:; | |
957 | di.backend->list(zone, di.id); | |
958 | pre.clear(); post.clear(); | |
959 | DNSResourceRecord rr; | |
960 | { | |
6945584f | 961 | if(tmpfd < 0 && (tmpfd=open(tmpnam, O_WRONLY | O_TRUNC, 0600)) < 0) |
c2e0881c | 962 | unixDie("Error reopening temporary file "+string(tmpnam)); |
21dd5918 | 963 | string header("; Warning - every name in this file is ABSOLUTE!\n$ORIGIN .\n"); |
c2e0881c | 964 | if(write(tmpfd, header.c_str(), header.length()) < 0) |
965 | unixDie("Writing zone to temporary file"); | |
966 | while(di.backend->get(rr)) { | |
6945584f | 967 | if(!rr.qtype.getCode()) |
968 | continue; | |
c2e0881c | 969 | DNSRecord dr(rr); |
970 | pre.push_back(dr); | |
971 | ostringstream os; | |
972 | os<<dr.d_name<<"\t"<<dr.d_ttl<<"\tIN\t"<<DNSRecordContent::NumberToType(dr.d_type)<<"\t"<<dr.d_content->getZoneRepresentation(true)<<endl; | |
973 | if(write(tmpfd, os.str().c_str(), os.str().length()) < 0) | |
974 | unixDie("Writing zone to temporary file"); | |
975 | } | |
976 | sort(pre.begin(), pre.end()); | |
977 | close(tmpfd); | |
978 | tmpfd=-1; | |
979 | } | |
980 | editMore:; | |
981 | struct stat statbefore, statafter; | |
982 | stat(tmpnam,&statbefore); | |
983 | cmdline=editor+" "; | |
984 | if(gotoline > 0) | |
985 | cmdline+="+"+std::to_string(gotoline)+" "; | |
986 | cmdline += tmpnam; | |
21dd5918 | 987 | int err=system(cmdline.c_str()); |
988 | if(err) { | |
989 | unixDie("Editing file with: '"+cmdline+"', perhaps set EDITOR variable"); | |
c2e0881c | 990 | } |
991 | cmdline.clear(); | |
992 | stat(tmpnam,&statafter); | |
993 | if(first && statbefore.st_ctime == statafter.st_ctime) { | |
994 | cout<<"No change to file"<<endl; | |
995 | return(EXIT_SUCCESS); | |
996 | } | |
997 | first=false; | |
998 | ZoneParserTNG zpt(tmpnam, DNSName(".")); | |
999 | map<pair<DNSName,uint16_t>, vector<DNSRecord> > grouped; | |
1000 | while(zpt.get(rr)) { | |
1001 | try { | |
1002 | DNSRecord dr(rr); | |
1003 | post.push_back(dr); | |
1004 | grouped[{dr.d_name,dr.d_type}].push_back(dr); | |
1005 | } | |
1006 | catch(std::exception& e) { | |
1007 | cerr<<"Problem "<<e.what()<<" "<<zpt.getLineOfFile()<<endl; | |
1008 | auto fnum = zpt.getLineNumAndFile(); | |
1009 | gotoline = fnum.second; | |
1010 | goto reAsk; | |
1011 | } | |
1012 | } | |
1013 | sort(post.begin(), post.end()); | |
1014 | checkrr.clear(); | |
1015 | ||
1016 | for(const DNSRecord& rr : post) { | |
1017 | DNSResourceRecord drr(rr); | |
1018 | drr.domain_id = di.id; | |
1019 | checkrr.push_back(drr); | |
1020 | } | |
1021 | if(checkZone(dk, B, zone, &checkrr)) { | |
1022 | reAsk:; | |
1023 | cerr<<"\x1b[31;1mThere was a problem with your zone\x1b[0m\nOptions are: (e)dit your changes, (r)etry with original zone, (a)pply change anyhow, (q)uit: "<<endl; | |
1024 | int c=read1char(); | |
1025 | cerr<<"\n"; | |
6945584f | 1026 | if(c!='a') |
1027 | post.clear(); | |
c2e0881c | 1028 | if(c=='e') |
1029 | goto editMore; | |
1030 | else if(c=='r') | |
1031 | goto editAgain; | |
1032 | else if(c=='q') | |
1033 | return EXIT_FAILURE; | |
1034 | else if(c!='a') | |
1035 | goto reAsk; | |
1036 | } | |
1037 | ||
1038 | cout<<"Detected the following changes:\n"<<endl; | |
1039 | ||
1040 | vector<DNSRecord> diff; | |
1041 | set<pair<DNSName,uint16_t>> changed; | |
1042 | set_difference(pre.cbegin(), pre.cend(), post.cbegin(), post.cend(), back_inserter(diff)); | |
1043 | for(const auto& d : diff) { | |
1044 | changed.insert({d.d_name,d.d_type}); | |
1045 | cout<<'-'<< d.d_name <<" "<<d.d_ttl<<" IN "<<DNSRecordContent::NumberToType(d.d_type)<<" "<<d.d_content->getZoneRepresentation(true)<<endl; | |
1046 | } | |
1047 | diff.clear(); | |
1048 | set_difference(post.cbegin(), post.cend(), pre.cbegin(), pre.cend(), back_inserter(diff)); | |
1049 | for(const auto& d : diff) { | |
1050 | changed.insert({d.d_name,d.d_type}); | |
1051 | cout<<'+'<< d.d_name <<" "<<d.d_ttl<<" IN "<<DNSRecordContent::NumberToType(d.d_type)<<" "<<d.d_content->getZoneRepresentation(true)<<endl; | |
1052 | } | |
1053 | ||
1054 | reAsk2:; | |
6945584f | 1055 | cout<<"\n"; |
1056 | if(changed.empty()) | |
1057 | cout<<"No changes to apply, "; | |
1058 | else | |
1059 | cout<<"(a)pply these changes, "; | |
1060 | cout<<"(e)dit again, (r)etry with original zone, (q)uit: "; | |
c2e0881c | 1061 | int c=read1char(); |
1062 | post.clear(); | |
1063 | cerr<<'\n'; | |
1064 | if(c=='q') | |
1065 | return(EXIT_SUCCESS); | |
1066 | else if(c=='e') | |
1067 | goto editMore; | |
1068 | else if(c=='r') | |
1069 | goto editAgain; | |
6945584f | 1070 | else if(changed.empty() || c!='a') |
c2e0881c | 1071 | goto reAsk2; |
1072 | ||
1073 | for(const auto& c : changed) { | |
1074 | vector<DNSResourceRecord> vrr; | |
1075 | for(const DNSRecord& rr : grouped[c]) { | |
1076 | DNSResourceRecord drr(rr); | |
1077 | drr.domain_id = di.id; | |
1078 | vrr.push_back(drr); | |
1079 | } | |
1080 | di.backend->replaceRRSet(di.id, c.first, QType(c.second), vrr); | |
1081 | } | |
6945584f | 1082 | rectifyZone(dk, zone); |
c2e0881c | 1083 | return 0; |
1084 | } | |
1085 | ||
1086 | ||
675fa24c | 1087 | int loadZone(DNSName zone, const string& fname) { |
c9865bc5 | 1088 | UeberBackend B; |
1089 | DomainInfo di; | |
1090 | ||
1091 | if (B.getDomainInfo(zone, di)) { | |
675fa24c | 1092 | cerr<<"Domain '"<<zone.toString()<<"' exists already, replacing contents"<<endl; |
c9865bc5 | 1093 | } |
1094 | else { | |
675fa24c | 1095 | cerr<<"Creating '"<<zone.toString()<<"'"<<endl; |
c9865bc5 | 1096 | B.createDomain(zone); |
1097 | ||
1098 | if(!B.getDomainInfo(zone, di)) { | |
6b32c5e8 | 1099 | cerr<<"Domain '"<<zone.toString()<<"' was not created - perhaps backend ("<<::arg()["launch"]<<") does not support storing new zones."<<endl; |
c9865bc5 | 1100 | return 1; |
1101 | } | |
1102 | } | |
1103 | DNSBackend* db = di.backend; | |
1104 | ZoneParserTNG zpt(fname, zone); | |
1105 | ||
1106 | DNSResourceRecord rr; | |
1107 | if(!db->startTransaction(zone, di.id)) { | |
675fa24c | 1108 | cerr<<"Unable to start transaction for load of zone '"<<zone.toString()<<"'"<<endl; |
c9865bc5 | 1109 | return 1; |
1110 | } | |
1111 | rr.domain_id=di.id; | |
1112 | while(zpt.get(rr)) { | |
675fa24c PD |
1113 | if(!rr.qname.isPartOf(zone) && rr.qname!=zone) { |
1114 | cerr<<"File contains record named '"<<rr.qname.toString()<<"' which is not part of zone '"<<zone.toString()<<"'"<<endl; | |
c9865bc5 | 1115 | return 1; |
1116 | } | |
c9865bc5 | 1117 | db->feedRecord(rr); |
1118 | } | |
1119 | db->commitTransaction(); | |
1120 | return 0; | |
1121 | } | |
1122 | ||
66d34461 | 1123 | int createZone(const DNSName &zone, const DNSName& nsname) { |
c9865bc5 | 1124 | UeberBackend B; |
1125 | DomainInfo di; | |
1126 | if (B.getDomainInfo(zone, di)) { | |
675fa24c | 1127 | cerr<<"Domain '"<<zone.toString()<<"' exists already"<<endl; |
c9865bc5 | 1128 | return 1; |
1129 | } | |
66d34461 | 1130 | cerr<<"Creating empty zone '"<<zone.toString()<<"'"<<endl; |
c9865bc5 | 1131 | B.createDomain(zone); |
c9865bc5 | 1132 | if(!B.getDomainInfo(zone, di)) { |
675fa24c | 1133 | cerr<<"Domain '"<<zone.toString()<<"' was not created!"<<endl; |
c9865bc5 | 1134 | return 1; |
1135 | } | |
8e1864cc CH |
1136 | |
1137 | DNSResourceRecord rr; | |
1138 | rr.qname = zone; | |
1139 | rr.auth = 1; | |
1140 | rr.ttl = ::arg().asNum("default-ttl"); | |
1141 | rr.qtype = "SOA"; | |
66d34461 | 1142 | |
8e1864cc | 1143 | string soa = (boost::format("%s %s 1") |
66d34461 | 1144 | % (nsname.empty() ? ::arg()["default-soa-name"] : nsname.toString()) |
1145 | % (::arg().isEmpty("default-soa-mail") ? (DNSName("hostmaster.") + zone).toString() : ::arg()["default-soa-mail"]) | |
8e1864cc CH |
1146 | ).str(); |
1147 | SOAData sd; | |
1148 | fillSOAData(soa, sd); // fills out default values for us | |
1149 | rr.content = DNSRecordContent::mastermake(rr.qtype.getCode(), 1, serializeSOAData(sd))->getZoneRepresentation(true); | |
1150 | rr.domain_id = di.id; | |
1151 | di.backend->startTransaction(zone, di.id); | |
1152 | di.backend->feedRecord(rr); | |
66d34461 | 1153 | if(!nsname.empty()) { |
1154 | cout<<"Also adding one NS record"<<endl; | |
1155 | rr.qtype=QType::NS; | |
1156 | rr.content=nsname.toString(); | |
1157 | di.backend->feedRecord(rr); | |
1158 | } | |
1159 | ||
8e1864cc CH |
1160 | di.backend->commitTransaction(); |
1161 | ||
c9865bc5 | 1162 | return 1; |
1163 | } | |
1164 | ||
e85a76ad | 1165 | int createSlaveZone(const vector<string>& cmds) { |
1166 | UeberBackend B; | |
1167 | DomainInfo di; | |
1168 | DNSName zone(cmds[1]); | |
1169 | if (B.getDomainInfo(zone, di)) { | |
1170 | cerr<<"Domain '"<<zone.toString()<<"' exists already"<<endl; | |
1171 | return 1; | |
1172 | } | |
a3e3bef7 | 1173 | ComboAddress master(cmds[2], 53); |
1174 | cerr<<"Creating slave zone '"<<zone.toString()<<"', master is "<<master.toStringWithPort()<<endl; | |
e85a76ad | 1175 | B.createDomain(zone); |
1176 | if(!B.getDomainInfo(zone, di)) { | |
1177 | cerr<<"Domain '"<<zone.toString()<<"' was not created!"<<endl; | |
1178 | return 1; | |
1179 | } | |
1180 | di.backend->setKind(zone, DomainInfo::Slave); | |
a3e3bef7 | 1181 | di.backend->setMaster(zone, master.toStringWithPort()); |
e85a76ad | 1182 | return EXIT_SUCCESS; |
1183 | } | |
1184 | ||
66d34461 | 1185 | // add-record ZONE name type [ttl] "content" ["content"] |
1186 | int addOrReplaceRecord(bool addOrReplace, const vector<string>& cmds) { | |
1187 | DNSResourceRecord rr; | |
1188 | vector<DNSResourceRecord> newrrs; | |
1189 | DNSName zone(cmds[1]); | |
1190 | DNSName name; | |
1191 | if(cmds[2]=="@") | |
1192 | name=zone; | |
1193 | else | |
1194 | name=DNSName(cmds[2])+zone; | |
1195 | ||
1196 | rr.qtype = DNSRecordContent::TypeToNumber(cmds[3]); | |
1197 | rr.ttl = ::arg().asNum("default-ttl"); | |
1198 | ||
1199 | UeberBackend B; | |
1200 | DomainInfo di; | |
1201 | ||
1202 | if(!B.getDomainInfo(zone, di)) { | |
1203 | cerr<<"Domain '"<<zone<<"' does not exist"<<endl; | |
1204 | return 1; | |
1205 | } | |
1206 | rr.auth = 1; | |
1207 | rr.domain_id = di.id; | |
1208 | rr.qname = name; | |
c07a0c6d | 1209 | DNSResourceRecord oldrr; |
66d34461 | 1210 | if(addOrReplace) { // the 'add' case |
1211 | B.lookup(rr.qtype, rr.qname, 0, di.id); | |
c07a0c6d | 1212 | |
66d34461 | 1213 | while(B.get(oldrr)) |
1214 | newrrs.push_back(oldrr); | |
1215 | } | |
1216 | ||
1217 | unsigned int contentStart = 4; | |
1218 | if(cmds.size() > 5) { | |
1219 | rr.ttl=atoi(cmds[4].c_str()); | |
1220 | if(std::to_string(rr.ttl)==cmds[4]) { | |
1221 | contentStart++; | |
1222 | } | |
1223 | else rr.ttl = ::arg().asNum("default-ttl"); | |
1224 | } | |
1225 | ||
66d34461 | 1226 | B.lookup(QType(QType::ANY), rr.qname, 0, di.id); |
1227 | bool found=false; | |
1228 | if(rr.qtype.getCode() == QType::CNAME) { // this will save us SO many questions | |
1229 | ||
c07a0c6d | 1230 | while(B.get(oldrr)) { |
1231 | if(addOrReplace || oldrr.qtype.getCode() != QType::CNAME) // the replace case is ok if we replace one CNAME by the other | |
66d34461 | 1232 | found=true; |
1233 | } | |
1234 | if(found) { | |
1235 | cerr<<"Attempting to add CNAME to "<<rr.qname<<" which already had existing records"<<endl; | |
1236 | return EXIT_FAILURE; | |
1237 | } | |
1238 | } | |
1239 | else { | |
c07a0c6d | 1240 | while(B.get(oldrr)) { |
1241 | if(oldrr.qtype.getCode() == QType::CNAME) | |
66d34461 | 1242 | found=true; |
1243 | } | |
1244 | if(found) { | |
1245 | cerr<<"Attempting to add record to "<<rr.qname<<" which already had a CNAME record"<<endl; | |
1246 | return EXIT_FAILURE; | |
1247 | } | |
1248 | } | |
1249 | ||
17df2abf | 1250 | if(!addOrReplace) { |
1251 | cout<<"Current records for "<<rr.qname.toString()<<" IN "<<rr.qtype.getName()<<" will be replaced"<<endl; | |
1252 | } | |
1253 | for(auto i = contentStart ; i < cmds.size() ; ++i) { | |
1254 | rr.content = DNSRecordContent::mastermake(rr.qtype.getCode(), 1, cmds[i])->getZoneRepresentation(true); | |
1255 | ||
1256 | newrrs.push_back(rr); | |
1257 | } | |
66d34461 | 1258 | |
17df2abf | 1259 | |
1260 | di.backend->replaceRRSet(di.id, name, rr.qtype, newrrs); | |
1261 | // need to be explicit to bypass the ueberbackend cache! | |
1262 | di.backend->lookup(rr.qtype, name, 0, di.id); | |
1263 | cout<<"New rrset:"<<endl; | |
1264 | while(di.backend->get(rr)) { | |
1265 | cout<<rr.qname.toString()<<" IN "<<rr.qtype.getName()<<" "<<rr.ttl<<" "<<rr.content<<endl; | |
1266 | } | |
66d34461 | 1267 | return 1; |
1268 | } | |
1269 | ||
1270 | // delete-rrset zone name type | |
1271 | int deleteRRSet(const std::string& zone_, const std::string& name_, const std::string& type_) | |
1272 | { | |
1273 | UeberBackend B; | |
1274 | DomainInfo di; | |
1275 | DNSName zone(zone_); | |
1276 | if(!B.getDomainInfo(zone, di)) { | |
1277 | cerr<<"Domain '"<<zone<<"' does not exist"<<endl; | |
1278 | return 1; | |
1279 | } | |
1280 | ||
1281 | DNSName name; | |
1282 | if(name_=="@") | |
1283 | name=zone; | |
1284 | else | |
1285 | name=DNSName(name_)+zone; | |
1286 | ||
1287 | QType qt(QType::chartocode(type_.c_str())); | |
1288 | di.backend->replaceRRSet(di.id, name, qt, vector<DNSResourceRecord>()); | |
1289 | return 0; | |
1290 | } | |
c9865bc5 | 1291 | |
22c68348 | 1292 | int listAllZones(const string &type="") { |
bd108049 RA |
1293 | |
1294 | int kindFilter = -1; | |
1295 | if (type.size()) { | |
1296 | if (toUpper(type) == "MASTER") | |
1297 | kindFilter = 0; | |
1298 | else if (toUpper(type) == "SLAVE") | |
1299 | kindFilter = 1; | |
1300 | else if (toUpper(type) == "NATIVE") | |
1301 | kindFilter = 2; | |
22c68348 | 1302 | else { |
fd5076c8 | 1303 | cerr<<"Syntax: pdnsutil list-all-zones [master|slave|native]"<<endl; |
22c68348 KM |
1304 | return 1; |
1305 | } | |
bd108049 RA |
1306 | } |
1307 | ||
8ecfea3a | 1308 | UeberBackend B("default"); |
bd108049 | 1309 | |
8ecfea3a | 1310 | vector<DomainInfo> domains; |
9c4a4ddc | 1311 | B.getAllDomains(&domains, true); |
8ecfea3a KM |
1312 | |
1313 | int count = 0; | |
bd108049 RA |
1314 | for (vector<DomainInfo>::const_iterator di=domains.begin(); di != domains.end(); di++) { |
1315 | if (di->kind == kindFilter || kindFilter == -1) { | |
675fa24c | 1316 | cout<<di->zone.toString()<<endl; |
bd108049 RA |
1317 | count++; |
1318 | } | |
1319 | } | |
1320 | ||
1321 | if (kindFilter != -1) | |
66d34461 | 1322 | cout<<type<<" zonecount: "<<count<<endl; |
bd108049 | 1323 | else |
66d34461 | 1324 | cout<<"All zonecount: "<<count<<endl; |
bd108049 RA |
1325 | return 0; |
1326 | } | |
1327 | ||
166d8647 | 1328 | bool testAlgorithm(int algo) |
cbb0025b | 1329 | { |
166d8647 | 1330 | return DNSCryptoKeyEngine::testOne(algo); |
cbb0025b | 1331 | } |
1325e8a2 | 1332 | |
166d8647 | 1333 | bool testAlgorithms() |
189bb9d2 | 1334 | { |
166d8647 | 1335 | return DNSCryptoKeyEngine::testAll(); |
189bb9d2 BH |
1336 | } |
1337 | ||
b873e23a | 1338 | void testSpeed(DNSSECKeeper& dk, const DNSName& zone, const string& remote, int cores) |
ea937fd4 BH |
1339 | { |
1340 | DNSResourceRecord rr; | |
b873e23a | 1341 | rr.qname=DNSName("blah")+zone; |
ea937fd4 BH |
1342 | rr.qtype=QType::A; |
1343 | rr.ttl=3600; | |
1344 | rr.auth=1; | |
703761cc | 1345 | rr.qclass = QClass::IN; |
ea937fd4 | 1346 | rr.d_place=DNSResourceRecord::ANSWER; |
ea937fd4 | 1347 | |
49449751 | 1348 | UeberBackend db("key-only"); |
ea937fd4 | 1349 | |
f0c4b9d5 PD |
1350 | if ( ! db.backends.size() ) |
1351 | { | |
1352 | throw runtime_error("No backends available for DNSSEC key storage"); | |
1353 | } | |
1354 | ||
b873e23a | 1355 | ChunkedSigningPipe csp(DNSName(zone), 1, remote, cores); |
ea937fd4 BH |
1356 | |
1357 | vector<DNSResourceRecord> signatures; | |
1358 | uint32_t rnd; | |
1359 | unsigned char* octets = (unsigned char*)&rnd; | |
1360 | char tmp[25]; | |
1361 | DTime dt; | |
1362 | dt.set(); | |
1363 | for(unsigned int n=0; n < 100000; ++n) { | |
1364 | rnd = random(); | |
1365 | snprintf(tmp, sizeof(tmp), "%d.%d.%d.%d", | |
1366 | octets[0], octets[1], octets[2], octets[3]); | |
1367 | rr.content=tmp; | |
1368 | ||
1369 | snprintf(tmp, sizeof(tmp), "r-%u", rnd); | |
b873e23a | 1370 | rr.qname=DNSName(tmp)+zone; |
ea937fd4 BH |
1371 | |
1372 | if(csp.submit(rr)) | |
1373 | while(signatures = csp.getChunk(), !signatures.empty()) | |
1374 | ; | |
1375 | } | |
1376 | cerr<<"Flushing the pipe, "<<csp.d_signed<<" signed, "<<csp.d_queued<<" queued, "<<csp.d_outstanding<<" outstanding"<< endl; | |
451ba512 | 1377 | cerr<<"Net speed: "<<csp.d_signed/ (dt.udiffNoReset()/1000000.0) << " sigs/s"<<endl; |
ea937fd4 BH |
1378 | while(signatures = csp.getChunk(true), !signatures.empty()) |
1379 | ; | |
1380 | cerr<<"Done, "<<csp.d_signed<<" signed, "<<csp.d_queued<<" queued, "<<csp.d_outstanding<<" outstanding"<< endl; | |
451ba512 | 1381 | cerr<<"Net speed: "<<csp.d_signed/ (dt.udiff()/1000000.0) << " sigs/s"<<endl; |
ea937fd4 BH |
1382 | } |
1383 | ||
aa65a832 BH |
1384 | void verifyCrypto(const string& zone) |
1385 | { | |
1386 | ZoneParserTNG zpt(zone); | |
1387 | DNSResourceRecord rr; | |
1388 | DNSKEYRecordContent drc; | |
1389 | RRSIGRecordContent rrc; | |
c3e26094 | 1390 | DSRecordContent dsrc; |
aa65a832 | 1391 | vector<shared_ptr<DNSRecordContent> > toSign; |
675fa24c | 1392 | DNSName qname, apex; |
c3e26094 | 1393 | dsrc.d_digesttype=0; |
aa65a832 BH |
1394 | while(zpt.get(rr)) { |
1395 | if(rr.qtype.getCode() == QType::DNSKEY) { | |
1396 | cerr<<"got DNSKEY!"<<endl; | |
c3e26094 | 1397 | apex=rr.qname; |
aa65a832 BH |
1398 | drc = *dynamic_cast<DNSKEYRecordContent*>(DNSRecordContent::mastermake(QType::DNSKEY, 1, rr.content)); |
1399 | } | |
1400 | else if(rr.qtype.getCode() == QType::RRSIG) { | |
1401 | cerr<<"got RRSIG"<<endl; | |
1402 | rrc = *dynamic_cast<RRSIGRecordContent*>(DNSRecordContent::mastermake(QType::RRSIG, 1, rr.content)); | |
1403 | } | |
c3e26094 BH |
1404 | else if(rr.qtype.getCode() == QType::DS) { |
1405 | cerr<<"got DS"<<endl; | |
1406 | dsrc = *dynamic_cast<DSRecordContent*>(DNSRecordContent::mastermake(QType::DS, 1, rr.content)); | |
1407 | } | |
aa65a832 BH |
1408 | else { |
1409 | qname = rr.qname; | |
aa65a832 BH |
1410 | toSign.push_back(shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content))); |
1411 | } | |
1412 | } | |
c3e26094 | 1413 | |
f309dacd | 1414 | string msg = getMessageForRRSET(qname, rrc, toSign); |
49449751 | 1415 | cerr<<"Verify: "<<DNSCryptoKeyEngine::makeFromPublicKeyString(drc.d_algorithm, drc.d_key)->verify(msg, rrc.d_signature)<<endl; |
c3e26094 | 1416 | if(dsrc.d_digesttype) { |
675fa24c PD |
1417 | cerr<<"Calculated DS: "<<apex.toString()<<" IN DS "<<makeDSFromDNSKey(apex, drc, dsrc.d_digesttype).getZoneRepresentation()<<endl; |
1418 | cerr<<"Original DS: "<<apex.toString()<<" IN DS "<<dsrc.getZoneRepresentation()<<endl; | |
c3e26094 | 1419 | } |
295812a1 | 1420 | #if 0 |
8d9f38f2 | 1421 | DNSCryptoKeyEngine*key=DNSCryptoKeyEngine::makeFromISCString(drc, "Private-key-format: v1.2\n" |
295812a1 BH |
1422 | "Algorithm: 12 (ECC-GOST)\n" |
1423 | "GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQg/9MiXtXKg9FDXDN/R9CmVhJDyuzRAIgh4tPwCu4NHIs=\n"); | |
1424 | string resign=key->sign(hash); | |
1425 | cerr<<Base64Encode(resign)<<endl; | |
8d9f38f2 | 1426 | cerr<<"Verify: "<<DNSCryptoKeyEngine::makeFromPublicKeyString(drc.d_algorithm, drc.d_key)->verify(hash, resign)<<endl; |
295812a1 BH |
1427 | #endif |
1428 | ||
aa65a832 | 1429 | } |
675fa24c | 1430 | bool disableDNSSECOnZone(DNSSECKeeper& dk, const DNSName& zone) |
5935cede | 1431 | { |
032e3906 PD |
1432 | UeberBackend B("default"); |
1433 | DomainInfo di; | |
1434 | ||
1435 | if (!B.getDomainInfo(zone, di)){ | |
1436 | cerr << "No such zone in the database" << endl; | |
1437 | return false; | |
1438 | } | |
1439 | ||
5935cede | 1440 | if(!dk.isSecuredZone(zone)) { |
451ba512 | 1441 | cerr<<"Zone is not secured"<<endl; |
032e3906 | 1442 | return false; |
5935cede BH |
1443 | } |
1444 | DNSSECKeeper::keyset_t keyset=dk.getKeys(zone); | |
aa65a832 | 1445 | |
5935cede | 1446 | if(keyset.empty()) { |
675fa24c | 1447 | cerr << "No keys for zone '"<<zone.toString()<<"'."<<endl; |
5935cede BH |
1448 | } |
1449 | else { | |
ff05fd12 | 1450 | for(DNSSECKeeper::keyset_t::value_type value : keyset) { |
5935cede | 1451 | dk.deactivateKey(zone, value.second.id); |
37fd8771 | 1452 | dk.removeKey(zone, value.second.id); |
5935cede BH |
1453 | } |
1454 | } | |
1455 | dk.unsetNSEC3PARAM(zone); | |
1456 | dk.unsetPresigned(zone); | |
032e3906 | 1457 | return true; |
5935cede | 1458 | } |
bddc5d92 | 1459 | |
1460 | int setZoneKind(const DNSName& zone, const DomainInfo::DomainKind kind) | |
1461 | { | |
1462 | UeberBackend B("default"); | |
1463 | DomainInfo di; | |
1464 | std::vector<std::string> meta; | |
1465 | ||
1466 | if (!B.getDomainInfo(zone, di)){ | |
1467 | cerr << "No such zone "<<zone<<" in the database" << endl; | |
1468 | return EXIT_FAILURE; | |
1469 | } | |
1470 | if(!di.backend->setKind(zone, kind)) { | |
1471 | cerr<<"Could not find backend willing to accept new zone configuration"<<endl; | |
1472 | return EXIT_FAILURE; | |
1473 | } | |
1474 | return EXIT_SUCCESS; | |
1475 | } | |
1476 | ||
675fa24c | 1477 | bool showZone(DNSSECKeeper& dk, const DNSName& zone) |
ade1b1e9 | 1478 | { |
032e3906 PD |
1479 | UeberBackend B("default"); |
1480 | DomainInfo di; | |
4831df57 | 1481 | std::vector<std::string> meta; |
032e3906 PD |
1482 | |
1483 | if (!B.getDomainInfo(zone, di)){ | |
1484 | cerr << "No such zone in the database" << endl; | |
1485 | return false; | |
1486 | } | |
1487 | ||
176fdd7e | 1488 | cout<<"This is a "<<DomainInfo::getKindString(di.kind)<<" zone"<<endl; |
1489 | if(di.kind == DomainInfo::Master) { | |
1490 | cout<<"Last SOA serial number we notified: "<<di.notified_serial<<" "; | |
1491 | SOAData sd; | |
1492 | if(B.getSOAUncached(zone, sd)) { | |
1493 | if(sd.serial == di.notified_serial) | |
1494 | cout<< "== "; | |
1495 | else | |
1496 | cout << "!= "; | |
1497 | cout<<sd.serial<<" (serial in the database)"<<endl; | |
1498 | } | |
1499 | else | |
1500 | cout<<"- no serial found in database"<<endl; | |
1501 | } | |
1502 | else if(di.kind == DomainInfo::Slave) { | |
1503 | cout<<"Master"<<addS(di.masters)<<": "; | |
1504 | for(const auto& m : di.masters) | |
1505 | cout<<m<<" "; | |
1506 | cout<<endl; | |
1507 | struct tm tm; | |
1508 | localtime_r(&di.last_check, &tm); | |
1509 | char buf[80]; | |
1510 | if(di.last_check) | |
1511 | strftime(buf, sizeof(buf)-1, "%a %F %H:%M:%S", &tm); | |
1512 | else | |
1513 | strncpy(buf, "Never", sizeof(buf)-1); | |
1514 | ||
1515 | cout<<"Last time we got update from master: "<<buf<<endl; | |
1516 | SOAData sd; | |
1517 | if(B.getSOAUncached(zone, sd)) { | |
1518 | cout<<"SOA serial in database: "<<sd.serial<<endl; | |
1519 | cout<<"Refresh interval: "<<sd.refresh<<" seconds"<<endl; | |
1520 | } | |
1521 | else | |
1522 | cout<<"No SOA serial found in database"<<endl; | |
1523 | } | |
1524 | ||
1525 | ||
d3e7090c | 1526 | if(!dk.isSecuredZone(zone)) { |
5911b051 | 1527 | cout<<"Zone is not actively secured"<<endl; |
d3e7090c | 1528 | } |
ade1b1e9 BH |
1529 | NSEC3PARAMRecordContent ns3pr; |
1530 | bool narrow; | |
3c873e66 | 1531 | bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow); |
ade1b1e9 | 1532 | |
d4a4176d | 1533 | DNSSECKeeper::keyset_t keyset=dk.getKeys(zone); |
4831df57 | 1534 | if (B.getDomainMetadata(zone, "TSIG-ALLOW-AXFR", meta) && meta.size() > 0) { |
5911b051 | 1535 | cout << "Zone has following allowed TSIG key(s): " << boost::join(meta, ",") << endl; |
4831df57 AT |
1536 | } |
1537 | ||
a56bc64d | 1538 | meta.clear(); |
4831df57 | 1539 | if (B.getDomainMetadata(zone, "AXFR-MASTER-TSIG", meta) && meta.size() > 0) { |
5911b051 | 1540 | cout << "Zone uses following TSIG key(s): " << boost::join(meta, ",") << endl; |
4831df57 | 1541 | } |
d3e7090c | 1542 | |
5911b051 | 1543 | std::map<std::string, std::vector<std::string> > metamap; |
1544 | if(B.getAllDomainMetadata(zone, metamap)) { | |
176fdd7e | 1545 | cout<<"Metadata items: "; |
1546 | if(metamap.empty()) | |
1547 | cout<<"None"; | |
1548 | cout<<endl; | |
1549 | ||
5911b051 | 1550 | for(const auto& m : metamap) { |
1551 | for(const auto i : m.second) | |
1552 | cout << '\t' << m.first<<'\t' << i <<endl; | |
1553 | } | |
1554 | } | |
1555 | ||
120b4dc6 AT |
1556 | if (dk.isPresigned(zone)) { |
1557 | cout <<"Zone is " << (dk.isPresigned(zone) ? "" : "not ") << "presigned"<<endl; | |
1558 | // get us some keys | |
1559 | vector<DNSKEYRecordContent> keys; | |
1560 | DNSResourceRecord rr; | |
ade1b1e9 | 1561 | |
120b4dc6 AT |
1562 | B.lookup(QType(QType::DNSKEY), DNSName(zone)); |
1563 | while(B.get(rr)) { | |
1564 | if (rr.qtype != QType::DNSKEY) continue; | |
1565 | keys.push_back(*dynamic_cast<DNSKEYRecordContent*>(DNSKEYRecordContent::make(rr.getZoneRepresentation()))); | |
1566 | } | |
1567 | ||
1568 | if(keys.empty()) { | |
1569 | cerr << "No keys for zone '"<<zone.toString()<<"'."<<endl; | |
1570 | return true; | |
1571 | } | |
1572 | ||
1573 | if(!haveNSEC3) | |
1574 | cout<<"Zone has NSEC semantics"<<endl; | |
1575 | else | |
1576 | cout<<"Zone has " << (narrow ? "NARROW " : "") <<"hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl; | |
1577 | cout << "keys: "<<endl; | |
1578 | sort(keys.begin(),keys.end()); | |
1579 | reverse(keys.begin(),keys.end()); | |
3fc032b9 | 1580 | bool shown=false; |
120b4dc6 AT |
1581 | for(const auto& key : keys) { |
1582 | string algname; | |
1583 | algorithm2name(key.d_algorithm,algname); | |
3fc032b9 AT |
1584 | int bits; |
1585 | if (key.d_key[0] == 0) | |
1586 | bits = *(uint16_t*)(key.d_key.c_str()+1); | |
1587 | else | |
1588 | bits = *(uint8_t*)key.d_key.c_str(); | |
1589 | bits = (key.d_key.size() - (bits+1))*8; | |
1590 | cout << (key.d_flags == 257 ? "KSK" : "ZSK") << ", tag = " << key.getTag() << ", algo = "<<(int)key.d_algorithm << ", bits = " << bits << endl; | |
1591 | cout << "DNSKEY = " <<zone.toString()<<" IN DNSKEY "<< key.getZoneRepresentation() << "; ( " + algname + " ) " <<endl; | |
1592 | if (shown) continue; | |
1593 | shown=true; | |
120b4dc6 AT |
1594 | cout<<"DS = "<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, 1).getZoneRepresentation() << " ; ( SHA1 digest )" << endl; |
1595 | cout<<"DS = "<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, 2).getZoneRepresentation() << " ; ( SHA256 digest )" << endl; | |
1596 | try { | |
1597 | cout<<"DS = "<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, 3).getZoneRepresentation() << " ; ( GOST R 34.11-94 digest )" << endl; | |
1598 | } | |
1599 | catch(...) | |
1600 | {} | |
1601 | try { | |
1602 | cout<<"DS = "<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, 4).getZoneRepresentation() << " ; ( SHA-384 digest )" << endl; | |
1603 | } | |
1604 | catch(...) | |
1605 | {} | |
1606 | } | |
1607 | } | |
1608 | else if(keyset.empty()) { | |
675fa24c | 1609 | cerr << "No keys for zone '"<<zone.toString()<<"'."<<endl; |
ade1b1e9 BH |
1610 | } |
1611 | else { | |
d4a4176d BH |
1612 | if(!haveNSEC3) |
1613 | cout<<"Zone has NSEC semantics"<<endl; | |
1614 | else | |
1615 | cout<<"Zone has " << (narrow ? "NARROW " : "") <<"hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl; | |
1616 | ||
ade1b1e9 | 1617 | cout << "keys: "<<endl; |
ff05fd12 | 1618 | for(DNSSECKeeper::keyset_t::value_type value : keyset) { |
e0ad7bb1 PD |
1619 | string algname; |
1620 | algorithm2name(value.first.d_algorithm, algname); | |
95b3e84b AT |
1621 | if (value.first.getKey()->getBits() < 1) { |
1622 | cout<<"ID = "<<value.second.id<<" ("<<(value.second.keyOrZone ? "KSK" : "ZSK")<<") <key missing or defunct>" <<endl; | |
1623 | continue; | |
1624 | } | |
ade1b1e9 | 1625 | cout<<"ID = "<<value.second.id<<" ("<<(value.second.keyOrZone ? "KSK" : "ZSK")<<"), tag = "<<value.first.getDNSKEY().getTag(); |
3870e4d1 | 1626 | cout<<", algo = "<<(int)value.first.d_algorithm<<", bits = "<<value.first.getKey()->getBits()<<"\t"<<((int)value.second.active == 1 ? " A" : "Ina")<<"ctive ( " + algname + " ) "<<endl; |
c283741c | 1627 | if(value.second.keyOrZone || ::arg().mustDo("direct-dnskey") || 1) |
675fa24c | 1628 | cout<<(value.second.keyOrZone ? "KSK" : "ZSK")<<" DNSKEY = "<<zone.toString()<<" IN DNSKEY "<< value.first.getDNSKEY().getZoneRepresentation() << " ; ( " + algname + " )" << endl; |
c283741c | 1629 | if(value.second.keyOrZone || 1) { |
675fa24c PD |
1630 | cout<<"DS = "<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, value.first.getDNSKEY(), 1).getZoneRepresentation() << " ; ( SHA1 digest )" << endl; |
1631 | cout<<"DS = "<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, value.first.getDNSKEY(), 2).getZoneRepresentation() << " ; ( SHA256 digest )" << endl; | |
608d776f BH |
1632 | try { |
1633 | string output=makeDSFromDNSKey(zone, value.first.getDNSKEY(), 3).getZoneRepresentation(); | |
675fa24c | 1634 | cout<<"DS = "<<zone.toString()<<" IN DS "<< output << " ; ( GOST R 34.11-94 digest )" << endl; |
e0ad7bb1 PD |
1635 | } |
1636 | catch(...) | |
1637 | { | |
1638 | } | |
1639 | try { | |
1640 | string output=makeDSFromDNSKey(zone, value.first.getDNSKEY(), 4).getZoneRepresentation(); | |
675fa24c | 1641 | cout<<"DS = "<<zone.toString()<<" IN DS "<< output << " ; ( SHA-384 digest )" << endl; |
608d776f BH |
1642 | } |
1643 | catch(...) | |
1644 | { | |
1645 | } | |
1646 | cout<<endl; | |
ade1b1e9 BH |
1647 | } |
1648 | } | |
1649 | } | |
032e3906 | 1650 | return true; |
ade1b1e9 | 1651 | } |
5d2e58b0 | 1652 | |
675fa24c | 1653 | bool secureZone(DNSSECKeeper& dk, const DNSName& zone) |
ddac7145 | 1654 | { |
36758d25 PD |
1655 | // parse attribute |
1656 | vector<string> k_algos; | |
1657 | vector<string> z_algos; | |
1658 | int k_size; | |
1659 | int z_size; | |
1660 | ||
1661 | stringtok(k_algos, ::arg()["default-ksk-algorithms"], " ,"); | |
1662 | k_size = ::arg().asNum("default-ksk-size"); | |
1663 | stringtok(z_algos, ::arg()["default-zsk-algorithms"], " ,"); | |
1664 | z_size = ::arg().asNum("default-zsk-size"); | |
1665 | ||
1666 | if (k_size < 0) { | |
1667 | throw runtime_error("KSK key size must be equal to or greater than 0"); | |
1668 | } | |
1669 | ||
5209ee17 PD |
1670 | if (k_algos.size() < 1 && z_algos.size() < 1) { |
1671 | throw runtime_error("Zero algorithms given for KSK+ZSK in total"); | |
36758d25 PD |
1672 | } |
1673 | ||
1674 | if (z_size < 0) { | |
1675 | throw runtime_error("ZSK key size must be equal to or greater than 0"); | |
1676 | } | |
1677 | ||
f60f4bcd | 1678 | if(dk.isSecuredZone(zone)) { |
fd5076c8 | 1679 | cerr << "Zone '"<<zone.toString()<<"' already secure, remove keys with pdnsutil remove-zone-key if needed"<<endl; |
f60f4bcd BH |
1680 | return false; |
1681 | } | |
1682 | ||
2402c558 BH |
1683 | DomainInfo di; |
1684 | UeberBackend B("default"); | |
1685 | if(!B.getDomainInfo(zone, di) || !di.backend) { // di.backend and B are mostly identical | |
694ea7ae | 1686 | cerr<<"Can't find a zone called '"<<zone.toString()<<"'"<<endl; |
2402c558 BH |
1687 | return false; |
1688 | } | |
1689 | ||
3bf07122 PD |
1690 | if(di.kind == DomainInfo::Slave) |
1691 | { | |
694ea7ae CH |
1692 | cerr<<"Warning! This is a slave domain! If this was a mistake, please run"<<endl; |
1693 | cerr<<"pdnsutil disable-dnssec "<<zone.toString()<<" right now!"<<endl; | |
3bf07122 PD |
1694 | } |
1695 | ||
36758d25 | 1696 | if (k_size) |
5209ee17 | 1697 | cout << "Securing zone with key size " << k_size << endl; |
36758d25 | 1698 | else |
5209ee17 | 1699 | cout << "Securing zone with default key size" << endl; |
f60f4bcd | 1700 | |
f60f4bcd BH |
1701 | |
1702 | DNSSECKeeper::keyset_t zskset=dk.getKeys(zone, false); | |
1703 | ||
1704 | if(!zskset.empty()) { | |
675fa24c | 1705 | cerr<<"There were ZSKs already for zone '"<<zone.toString()<<"', no need to add more"<<endl; |
f60f4bcd BH |
1706 | return false; |
1707 | } | |
36758d25 | 1708 | |
5209ee17 PD |
1709 | for(auto &k_algo: k_algos) { |
1710 | cout << "Adding KSK with algorithm " << k_algo << endl; | |
1711 | ||
1712 | int algo = shorthand2algorithm(k_algo); | |
1713 | ||
1714 | if(!dk.addKey(zone, true, algo, k_size, true)) { | |
1715 | cerr<<"No backend was able to secure '"<<zone.toString()<<"', most likely because no DNSSEC"<<endl; | |
1716 | cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl; | |
1717 | cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl; | |
1718 | cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl; | |
1719 | return false; | |
1720 | } | |
1721 | } | |
1722 | ||
1723 | for(auto &z_algo : z_algos) | |
36758d25 | 1724 | { |
5209ee17 PD |
1725 | cout << "Adding ZSK with algorithm " << z_algo << endl; |
1726 | ||
36758d25 | 1727 | int algo = shorthand2algorithm(z_algo); |
5209ee17 PD |
1728 | |
1729 | if(!dk.addKey(zone, false, algo, z_size, true)) { | |
36a885a9 PD |
1730 | cerr<<"No backend was able to secure '"<<zone.toString()<<"', most likely because no DNSSEC"<<endl; |
1731 | cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl; | |
1732 | cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl; | |
1733 | cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl; | |
1734 | return false; | |
1735 | } | |
1736 | } | |
1737 | ||
f60f4bcd | 1738 | if(!dk.isSecuredZone(zone)) { |
451ba512 AT |
1739 | cerr<<"Failed to secure zone. Is your backend dnssec enabled? (set "<<endl; |
1740 | cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl; | |
1741 | cerr<<"If you run with the BIND backend, make sure you have configured"<<endl; | |
1742 | cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl; | |
fd5076c8 | 1743 | cerr<<"'pdnsutil create-bind-db /path/fname'!"<<endl; |
f60f4bcd | 1744 | return false; |
36758d25 PD |
1745 | } |
1746 | ||
f60f4bcd BH |
1747 | // rectifyZone(dk, zone); |
1748 | // showZone(dk, zone); | |
675fa24c | 1749 | cout<<"Zone "<<zone.toString()<<" secured"<<endl; |
d6c16697 | 1750 | return true; |
ddac7145 BH |
1751 | } |
1752 | ||
675fa24c | 1753 | void testSchema(DNSSECKeeper& dk, const DNSName& zone) |
46d2e0d6 PD |
1754 | { |
1755 | cout<<"Note: test-schema will try to create the zone, but it will not remove it."<<endl; | |
1756 | cout<<"Please clean up after this."<<endl; | |
1757 | cout<<endl; | |
1758 | cout<<"Constructing UeberBackend"<<endl; | |
2402c558 | 1759 | UeberBackend B("default"); |
46d2e0d6 | 1760 | cout<<"Picking first backend - if this is not what you want, edit launch line!"<<endl; |
2402c558 | 1761 | DNSBackend *db = B.backends[0]; |
675fa24c | 1762 | cout<<"Creating slave domain "<<zone.toString()<<endl; |
719f9024 | 1763 | db->createSlaveDomain("127.0.0.1", zone, "", "_testschema"); |
46d2e0d6 PD |
1764 | cout<<"Slave domain created"<<endl; |
1765 | ||
1766 | DomainInfo di; | |
2402c558 | 1767 | if(!B.getDomainInfo(zone, di) || !di.backend) { // di.backend and B are mostly identical |
46d2e0d6 PD |
1768 | cout<<"Can't find domain we just created, aborting"<<endl; |
1769 | return; | |
1770 | } | |
1771 | db=di.backend; | |
1772 | DNSResourceRecord rr, rrget; | |
1773 | cout<<"Starting transaction to feed records"<<endl; | |
1774 | db->startTransaction(zone, di.id); | |
1775 | ||
1776 | rr.qtype=QType::SOA; | |
1777 | rr.qname=zone; | |
1778 | rr.ttl=86400; | |
1779 | rr.domain_id=di.id; | |
1780 | rr.auth=1; | |
1781 | rr.content="ns1.example.com. ahu.example.com. 2012081039 7200 3600 1209600 3600"; | |
1782 | cout<<"Feeding SOA"<<endl; | |
1783 | db->feedRecord(rr); | |
1784 | rr.qtype=QType::TXT; | |
1785 | // 300 As | |
1786 | rr.content="\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\""; | |
1787 | cout<<"Feeding overlong TXT"<<endl; | |
1788 | db->feedRecord(rr); | |
1789 | cout<<"Committing"<<endl; | |
1790 | db->commitTransaction(); | |
1791 | cout<<"Querying TXT"<<endl; | |
1792 | db->lookup(QType(QType::TXT), zone, NULL, di.id); | |
1793 | if(db->get(rrget)) | |
1794 | { | |
1795 | DNSResourceRecord rrthrowaway; | |
1796 | if(db->get(rrthrowaway)) // should not touch rr but don't assume anything | |
1797 | { | |
1798 | cout<<"Expected one record, got multiple, aborting"<<endl; | |
1799 | return; | |
1800 | } | |
1801 | int size=rrget.content.size(); | |
1802 | if(size != 302) | |
1803 | { | |
1804 | cout<<"Expected 302 bytes, got "<<size<<", aborting"<<endl; | |
1805 | return; | |
1806 | } | |
1807 | } | |
1808 | cout<<"[+] content field is over 255 bytes"<<endl; | |
1809 | ||
1810 | cout<<"Dropping all records, inserting SOA+2xA"<<endl; | |
1811 | db->startTransaction(zone, di.id); | |
1812 | ||
1813 | rr.qtype=QType::SOA; | |
1814 | rr.qname=zone; | |
1815 | rr.ttl=86400; | |
1816 | rr.domain_id=di.id; | |
1817 | rr.auth=1; | |
1818 | rr.content="ns1.example.com. ahu.example.com. 2012081039 7200 3600 1209600 3600"; | |
1819 | cout<<"Feeding SOA"<<endl; | |
1820 | db->feedRecord(rr); | |
1821 | ||
1822 | rr.qtype=QType::A; | |
b873e23a | 1823 | rr.qname=DNSName("_underscore")+zone; |
46d2e0d6 PD |
1824 | rr.content="127.0.0.1"; |
1825 | db->feedRecord(rr); | |
1826 | ||
b873e23a | 1827 | rr.qname=DNSName("bla")+zone; |
46d2e0d6 PD |
1828 | cout<<"Committing"<<endl; |
1829 | db->commitTransaction(); | |
1830 | ||
1831 | cout<<"Securing zone"<<endl; | |
1832 | secureZone(dk, zone); | |
1833 | cout<<"Rectifying zone"<<endl; | |
1834 | rectifyZone(dk, zone); | |
1835 | cout<<"Checking underscore ordering"<<endl; | |
675fa24c | 1836 | DNSName before, after; |
b873e23a | 1837 | db->getBeforeAndAfterNames(di.id, zone, DNSName("z")+zone, before, after); |
675fa24c | 1838 | cout<<"got '"<<before.toString()<<"' < 'z."<<zone.toString()<<"' < '"<<after.toString()<<"'"<<endl; |
b873e23a | 1839 | if(before != DNSName("_underscore")+zone) |
46d2e0d6 | 1840 | { |
675fa24c | 1841 | cout<<"before is wrong, got '"<<before.toString()<<"', expected '_underscore."<<zone.toString()<<"', aborting"<<endl; |
46d2e0d6 PD |
1842 | return; |
1843 | } | |
1844 | if(after != zone) | |
1845 | { | |
675fa24c | 1846 | cout<<"after is wrong, got '"<<after.toString()<<"', expected '"<<zone.toString()<<"', aborting"<<endl; |
46d2e0d6 PD |
1847 | return; |
1848 | } | |
1849 | cout<<"[+] ordername sorting is correct for names starting with _"<<endl; | |
1850 | cout<<endl; | |
675fa24c | 1851 | cout<<"End of tests, please remove "<<zone.toString()<<" from domains+records"<<endl; |
46d2e0d6 PD |
1852 | } |
1853 | ||
1d211b1b | 1854 | int main(int argc, char** argv) |
20002664 | 1855 | try |
2fa33bce | 1856 | { |
1d211b1b BH |
1857 | po::options_description desc("Allowed options"); |
1858 | desc.add_options() | |
1859 | ("help,h", "produce help message") | |
b3ce3dec | 1860 | ("verbose,v", "be verbose") |
1d211b1b | 1861 | ("force", "force an action") |
aa952078 | 1862 | ("config-name", po::value<string>()->default_value(""), "virtual configuration name") |
7d9dcde0 | 1863 | ("config-dir", po::value<string>()->default_value(SYSCONFDIR), "location of pdns.conf") |
1d211b1b BH |
1864 | ("commands", po::value<vector<string> >()); |
1865 | ||
1866 | po::positional_options_description p; | |
1867 | p.add("commands", -1); | |
1868 | po::store(po::command_line_parser(argc, argv).options(desc).positional(p).run(), g_vm); | |
1869 | po::notify(g_vm); | |
1870 | ||
1871 | vector<string> cmds; | |
1872 | ||
1873 | if(g_vm.count("commands")) | |
1874 | cmds = g_vm["commands"].as<vector<string> >(); | |
1875 | ||
b3ce3dec BH |
1876 | g_verbose = g_vm.count("verbose"); |
1877 | ||
1d211b1b | 1878 | if(cmds.empty() || g_vm.count("help")) { |
fd5076c8 | 1879 | cerr<<"Usage: \npdnsutil [options] <command> [params ..]\n"<<endl; |
451ba512 | 1880 | cerr<<"Commands:"<<endl; |
ec53ae22 | 1881 | cerr<<"activate-tsig-key ZONE NAME {master|slave}"<<endl; |
da7f2896 | 1882 | cerr<<" Enable TSIG key for a zone"<<endl; |
451ba512 | 1883 | cerr<<"activate-zone-key ZONE KEY-ID Activate the key with key id KEY-ID in ZONE"<<endl; |
66d34461 | 1884 | cerr<<"add-record ZONE NAME TYPE [ttl] content"<<endl; |
1885 | cerr<<" [content..] Add one or more records to ZONE"<<endl; | |
d9db3d7e | 1886 | cerr<<"add-zone-key ZONE {zsk|ksk} [BITS] [active|inactive]"<<endl; |
feafa2f3 KM |
1887 | cerr<<" [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384"; |
1888 | #ifdef HAVE_LIBSODIUM | |
1889 | cerr<<"|experimental-ed25519"; | |
1890 | #endif | |
1891 | cerr<<"]"<<endl; | |
451ba512 | 1892 | cerr<<" Add a ZSK or KSK to zone and specify algo&bits"<<endl; |
f641c3b7 | 1893 | cerr<<"backend-cmd BACKEND CMD [CMD..] Perform one or more backend commands"<<endl; |
ec53ae22 | 1894 | cerr<<"b2b-migrate OLD NEW Move all data from one backend to another"<<endl; |
a0a6cb58 | 1895 | cerr<<"bench-db [filename] Bench database backend with queries, one domain per line"<<endl; |
451ba512 | 1896 | cerr<<"check-zone ZONE Check a zone for correctness"<<endl; |
d6ddb28a PL |
1897 | cerr<<"check-all-zones [exit-on-error] Check all zones for correctness. Set exit-on-error to exit immediately"<<endl; |
1898 | cerr<<" after finding an error in a zone."<<endl; | |
ca8e1742 | 1899 | cerr<<"create-bind-db FNAME Create DNSSEC db for BIND backend (bind-dnssec-db)"<<endl; |
66d34461 | 1900 | cerr<<"create-zone ZONE [nsname] Create empty zone ZONE"<<endl; |
ec53ae22 | 1901 | cerr<<"deactivate-tsig-key ZONE NAME {master|slave}"<<endl; |
da7f2896 | 1902 | cerr<<" Disable TSIG key for a zone"<<endl; |
451ba512 | 1903 | cerr<<"deactivate-zone-key ZONE KEY-ID Deactivate the key with key id KEY-ID in ZONE"<<endl; |
66d34461 | 1904 | cerr<<"delete-rrset ZONE NAME TYPE Delete named RRSET from zone"<<endl; |
451ba512 | 1905 | cerr<<"delete-tsig-key NAME Delete TSIG key (warning! will not unmap key!)"<<endl; |
17d89a3e | 1906 | cerr<<"delete-zone ZONE Delete the zone"<<endl; |
451ba512 | 1907 | cerr<<"disable-dnssec ZONE Deactivate all keys and unset PRESIGNED in ZONE"<<endl; |
c2e0881c | 1908 | cerr<<"edit-zone ZONE Edit zone contents using $EDITOR"<<endl; |
451ba512 AT |
1909 | cerr<<"export-zone-dnskey ZONE KEY-ID Export to stdout the public DNSKEY described"<<endl; |
1910 | cerr<<"export-zone-key ZONE KEY-ID Export to stdout the private key described"<<endl; | |
da7f2896 | 1911 | cerr<<"generate-tsig-key NAME ALGORITHM Generate new TSIG key"<<endl; |
ec53ae22 PL |
1912 | cerr<<"generate-zone-key {zsk|ksk} [ALGORITHM] [BITS]"<<endl; |
1913 | cerr<<" Generate a ZSK or KSK to stdout with specified ALGORITHM and BITS"<<endl; | |
1914 | cerr<<"get-meta ZONE [KIND ...] Get zone metadata. If no KIND given, lists all known"<<endl; | |
451ba512 | 1915 | cerr<<"hash-zone-record ZONE RNAME Calculate the NSEC3 hash for RNAME in ZONE"<<endl; |
3c12a7e9 | 1916 | #ifdef HAVE_P11KIT1 |
ec53ae22 | 1917 | cerr<<"hsm assign ZONE ALGORITHM {ksk|zsk} MODULE SLOT PIN LABEL"<<endl<< |
3c12a7e9 | 1918 | " Assign a hardware signing module to a ZONE"<<endl; |
ec53ae22 PL |
1919 | cerr<<"hsm create-key ZONE KEY-ID [BITS] Create a key using hardware signing module for ZONE (use assign first)"<<endl; |
1920 | cerr<<" BITS defaults to 2048"<<endl; | |
3c12a7e9 | 1921 | #endif |
451ba512 AT |
1922 | cerr<<"increase-serial ZONE Increases the SOA-serial by 1. Uses SOA-EDIT"<<endl; |
1923 | cerr<<"import-tsig-key NAME ALGORITHM KEY Import TSIG key"<<endl; | |
ca8e1742 | 1924 | cerr<<"import-zone-key ZONE FILE Import from a file a private key, ZSK or KSK"<<endl; |
d9db3d7e | 1925 | cerr<<" [active|inactive] [ksk|zsk] Defaults to KSK and active"<<endl; |
c9865bc5 | 1926 | cerr<<"load-zone ZONE FILE Load ZONE from FILE, possibly creating zone or atomically"<<endl; |
1927 | cerr<<" replacing contents"<<endl; | |
597b9b3e | 1928 | cerr<<"list-keys [ZONE] List DNSSEC keys for ZONE. When ZONE is unset or \"all\", display all keys for all zones"<<endl; |
c9865bc5 | 1929 | cerr<<"list-zone ZONE List zone contents"<<endl; |
cd76677f | 1930 | cerr<<"list-all-zones [master|slave|native]"<<endl; |
c9865bc5 | 1931 | cerr<<" List all zone names"<<endl;; |
451ba512 AT |
1932 | cerr<<"list-tsig-keys List all TSIG keys"<<endl; |
1933 | cerr<<"rectify-zone ZONE [ZONE ..] Fix up DNSSEC fields (order, auth)"<<endl; | |
1934 | cerr<<"rectify-all-zones Rectify all zones."<<endl; | |
1935 | cerr<<"remove-zone-key ZONE KEY-ID Remove key with KEY-ID from ZONE"<<endl; | |
66d34461 | 1936 | cerr<<"replace-rrset ZONE NAME TYPE [ttl] Replace named RRSET from zone"<<endl; |
1937 | cerr<<" content [content..]"<<endl; | |
f84dba01 | 1938 | cerr<<"secure-all-zones [increase-serial] Secure all zones without keys."<<endl; |
ec53ae22 | 1939 | cerr<<"secure-zone ZONE [ZONE ..] Add KSK and two ZSKs for ZONE"<<endl; |
bddc5d92 | 1940 | cerr<<"set-kind ZONE KIND Change the kind of ZONE to KIND (master, slave native)"<<endl; |
ec53ae22 | 1941 | cerr<<"set-nsec3 ZONE ['PARAMS' [narrow]] Enable NSEC3 with PARAMS. Optionally narrow"<<endl; |
451ba512 | 1942 | cerr<<"set-presigned ZONE Use presigned RRSIGs from storage"<<endl; |
088370cd | 1943 | cerr<<"set-publish-cdnskey ZONE Enable sending CDNSKEY responses for ZONE"<<endl; |
ef542223 | 1944 | cerr<<"set-publish-cds ZONE [DIGESTALGOS] Enable sending CDS responses for ZONE, using DIGESTALGOS as signature algirithms"<<endl; |
ec53ae22 | 1945 | cerr<<" DIGESTALGOS should be a comma separated list of numbers, is is '1,2' by default"<<endl; |
5911b051 | 1946 | cerr<<"set-meta ZONE KIND [VALUE] [VALUE] Set zone metadata, optionally providing a value. Empty clears meta"<<endl; |
1947 | cerr<<" Note - this will replace all metadata records of KIND!"<<endl; | |
451ba512 AT |
1948 | cerr<<"show-zone ZONE Show DNSSEC (public) key details about a zone"<<endl; |
1949 | cerr<<"unset-nsec3 ZONE Switch back to NSEC"<<endl; | |
1950 | cerr<<"unset-presigned ZONE No longer use presigned RRSIGs"<<endl; | |
088370cd | 1951 | cerr<<"unset-publish-cdnskey ZONE Disable sending CDNSKEY responses for ZONE"<<endl; |
ef542223 | 1952 | cerr<<"unset-publish-cds ZONE Disable sending CDS responses for ZONE"<<endl; |
451ba512 | 1953 | cerr<<"test-schema ZONE Test DB schema - will create ZONE"<<endl; |
1d211b1b BH |
1954 | cerr<<desc<<endl; |
1955 | return 0; | |
1956 | } | |
ca8e1742 | 1957 | |
7581a35b KM |
1958 | loadMainConfig(g_vm["config-dir"].as<string>()); |
1959 | ||
1960 | seedRandom(::arg()["entropy-source"]); | |
1961 | ||
d4f29089 KM |
1962 | #ifdef HAVE_LIBSODIUM |
1963 | if (sodium_init() == -1) { | |
1964 | cerr<<"Unable to initialize sodium crypto library"<<endl; | |
1965 | exit(99); | |
1966 | } | |
1967 | #endif | |
1968 | ||
7581a35b KM |
1969 | #ifdef HAVE_OPENSSL |
1970 | openssl_seed(); | |
1971 | #endif | |
1972 | ||
cbb0025b | 1973 | if (cmds[0] == "test-algorithm") { |
2551cc18 | 1974 | if(cmds.size() != 2) { |
fd5076c8 | 1975 | cerr << "Syntax: pdnsutil test-algorithm algonum"<<endl; |
2551cc18 PD |
1976 | return 0; |
1977 | } | |
335da0ba | 1978 | if (testAlgorithm(pdns_stou(cmds[1]))) |
166d8647 KM |
1979 | return 0; |
1980 | return 1; | |
cbb0025b PD |
1981 | } |
1982 | ||
ea937fd4 | 1983 | if(cmds[0] == "test-algorithms") { |
166d8647 KM |
1984 | if (testAlgorithms()) |
1985 | return 0; | |
1986 | return 1; | |
ea937fd4 BH |
1987 | } |
1988 | ||
6dfa0aa0 | 1989 | reportAllTypes(); |
b925384e | 1990 | |
2717b8b3 | 1991 | if(cmds[0] == "create-bind-db") { |
a2b0e9b5 | 1992 | #ifdef HAVE_SQLITE3 |
fbe72b7a | 1993 | if(cmds.size() != 2) { |
fd5076c8 | 1994 | cerr << "Syntax: pdnsutil create-bind-db FNAME"<<endl; |
fbe72b7a BH |
1995 | return 0; |
1996 | } | |
080f5d57 | 1997 | try { |
a2b0e9b5 KM |
1998 | SSQLite3 db(cmds[1], true); // create=ok |
1999 | vector<string> statements; | |
2000 | stringtok(statements, sqlCreate, ";"); | |
ff05fd12 | 2001 | for(const string& statement : statements) { |
0f310932 AT |
2002 | db.execute(statement); |
2003 | } | |
080f5d57 | 2004 | } |
a2b0e9b5 KM |
2005 | catch(SSqlException& se) { |
2006 | throw PDNSException("Error creating database in BIND backend: "+se.txtReason()); | |
080f5d57 PD |
2007 | } |
2008 | return 0; | |
a2b0e9b5 | 2009 | #else |
bd6c6334 | 2010 | cerr<<"bind-dnssec-db requires building PowerDNS with SQLite3"<<endl; |
a2b0e9b5 KM |
2011 | return 1; |
2012 | #endif | |
2717b8b3 | 2013 | } |
9a798fb0 | 2014 | |
fbe72b7a BH |
2015 | DNSSECKeeper dk; |
2016 | ||
46d2e0d6 PD |
2017 | if (cmds[0] == "test-schema") { |
2018 | if(cmds.size() != 2) { | |
fd5076c8 | 2019 | cerr << "Syntax: pdnsutil test-schema ZONE"<<endl; |
46d2e0d6 PD |
2020 | return 0; |
2021 | } | |
b873e23a | 2022 | testSchema(dk, DNSName(cmds[1])); |
46d2e0d6 PD |
2023 | return 0; |
2024 | } | |
fbe72b7a | 2025 | if(cmds[0] == "rectify-zone") { |
d4904322 | 2026 | if(cmds.size() < 2) { |
fd5076c8 | 2027 | cerr << "Syntax: pdnsutil rectify-zone ZONE [ZONE..]"<<endl; |
81b39e4b BH |
2028 | return 0; |
2029 | } | |
032e3906 | 2030 | unsigned int exitCode = 0; |
d4904322 | 2031 | for(unsigned int n = 1; n < cmds.size(); ++n) |
b873e23a | 2032 | if (!rectifyZone(dk, DNSName(cmds[n]))) |
2033 | exitCode = 1; | |
032e3906 | 2034 | return exitCode; |
20002664 | 2035 | } |
1325e8a2 PD |
2036 | else if (cmds[0] == "rectify-all-zones") { |
2037 | rectifyAllZones(dk); | |
2038 | } | |
9abd98d3 | 2039 | else if(cmds[0] == "check-zone") { |
5d2e58b0 | 2040 | if(cmds.size() != 2) { |
fd5076c8 | 2041 | cerr << "Syntax: pdnsutil check-zone ZONE"<<endl; |
5d2e58b0 BH |
2042 | return 0; |
2043 | } | |
ba86110a | 2044 | UeberBackend B("default"); |
b873e23a | 2045 | exit(checkZone(dk, B, DNSName(cmds[1]))); |
5d2e58b0 | 2046 | } |
a0a6cb58 | 2047 | else if(cmds[0] == "bench-db") { |
2048 | dbBench(cmds.size() > 1 ? cmds[1] : ""); | |
2049 | } | |
1325e8a2 | 2050 | else if (cmds[0] == "check-all-zones") { |
f6eb8c48 | 2051 | bool exitOnError = ((cmds.size() >= 2 ? cmds[1] : "") == "exit-on-error"); |
d6ddb28a | 2052 | exit(checkAllZones(dk, exitOnError)); |
1325e8a2 | 2053 | } |
bd108049 | 2054 | else if (cmds[0] == "list-all-zones") { |
22c68348 | 2055 | if (cmds.size() > 2) { |
fd5076c8 | 2056 | cerr << "Syntax: pdnsutil list-all-zones [master|slave|native]"<<endl; |
22c68348 KM |
2057 | return 0; |
2058 | } | |
2059 | if (cmds.size() == 2) | |
2060 | return listAllZones(cmds[1]); | |
2061 | return listAllZones(); | |
bd108049 | 2062 | } |
81e9ba89 PD |
2063 | else if (cmds[0] == "test-zone") { |
2064 | cerr << "Did you mean check-zone?"<<endl; | |
2065 | return 0; | |
2066 | } | |
2067 | else if (cmds[0] == "test-all-zones") { | |
2068 | cerr << "Did you mean check-all-zones?"<<endl; | |
2069 | return 0; | |
2070 | } | |
49449751 BH |
2071 | #if 0 |
2072 | else if(cmds[0] == "signing-server" ) | |
2073 | { | |
2074 | signingServer(); | |
2075 | } | |
2076 | else if(cmds[0] == "signing-slave") | |
2077 | { | |
2078 | launchSigningService(0); | |
2079 | } | |
2080 | #endif | |
ea937fd4 | 2081 | else if(cmds[0] == "test-speed") { |
37fd8771 | 2082 | if(cmds.size() < 2) { |
fd5076c8 | 2083 | cerr << "Syntax: pdnsutil test-speed numcores [signing-server]"<<endl; |
ea937fd4 BH |
2084 | return 0; |
2085 | } | |
335da0ba | 2086 | testSpeed(dk, DNSName(cmds[1]), (cmds.size() > 3) ? cmds[3] : "", pdns_stou(cmds[2])); |
189bb9d2 | 2087 | } |
aa65a832 BH |
2088 | else if(cmds[0] == "verify-crypto") { |
2089 | if(cmds.size() != 2) { | |
fd5076c8 | 2090 | cerr << "Syntax: pdnsutil verify-crypto FILE"<<endl; |
aa65a832 BH |
2091 | return 0; |
2092 | } | |
2093 | verifyCrypto(cmds[1]); | |
2094 | } | |
da11ed0e | 2095 | else if(cmds[0] == "show-zone") { |
a0472099 | 2096 | if(cmds.size() != 2) { |
fd5076c8 | 2097 | cerr << "Syntax: pdnsutil show-zone ZONE"<<endl; |
a0472099 BH |
2098 | return 0; |
2099 | } | |
b873e23a | 2100 | if (!showZone(dk, DNSName(cmds[1]))) return 1; |
1d211b1b | 2101 | } |
5935cede BH |
2102 | else if(cmds[0] == "disable-dnssec") { |
2103 | if(cmds.size() != 2) { | |
fd5076c8 | 2104 | cerr << "Syntax: pdnsutil disable-dnssec ZONE"<<endl; |
5935cede BH |
2105 | return 0; |
2106 | } | |
b873e23a | 2107 | DNSName zone(cmds[1]); |
0b8e59ea AT |
2108 | if(!disableDNSSECOnZone(dk, zone)) { |
2109 | cerr << "Cannot disable DNSSEC on " << zone << endl; | |
032e3906 | 2110 | return 1; |
0b8e59ea | 2111 | } |
5935cede | 2112 | } |
bed962b5 | 2113 | else if(cmds[0] == "activate-zone-key") { |
37fd8771 | 2114 | if(cmds.size() != 3) { |
fd5076c8 | 2115 | cerr << "Syntax: pdnsutil activate-zone-key ZONE KEY-ID"<<endl; |
37fd8771 BH |
2116 | return 0; |
2117 | } | |
b873e23a | 2118 | DNSName zone(cmds[1]); |
335da0ba | 2119 | unsigned int id=pdns_stou(cmds[2]); |
77b909cc PD |
2120 | if(!id) |
2121 | { | |
2122 | cerr<<"Invalid KEY-ID"<<endl; | |
2123 | return 1; | |
2124 | } | |
a84a8203 PD |
2125 | if (!dk.activateKey(zone, id)) { |
2126 | cerr<<"Activation of key failed"<<endl; | |
2127 | return 1; | |
2128 | } | |
2129 | return 0; | |
bed962b5 BH |
2130 | } |
2131 | else if(cmds[0] == "deactivate-zone-key") { | |
37fd8771 | 2132 | if(cmds.size() != 3) { |
fd5076c8 | 2133 | cerr << "Syntax: pdnsutil deactivate-zone-key ZONE KEY-ID"<<endl; |
37fd8771 BH |
2134 | return 0; |
2135 | } | |
b873e23a | 2136 | DNSName zone(cmds[1]); |
335da0ba | 2137 | unsigned int id=pdns_stou(cmds[2]); |
77b909cc PD |
2138 | if(!id) |
2139 | { | |
2140 | cerr<<"Invalid KEY-ID"<<endl; | |
2141 | return 1; | |
2142 | } | |
a84a8203 PD |
2143 | if (!dk.deactivateKey(zone, id)) { |
2144 | cerr<<"Deactivation of key failed"<<endl; | |
2145 | return 1; | |
2146 | } | |
2147 | return 0; | |
bed962b5 BH |
2148 | } |
2149 | else if(cmds[0] == "add-zone-key") { | |
37fd8771 | 2150 | if(cmds.size() < 3 ) { |
fd5076c8 | 2151 | cerr << "Syntax: pdnsutil add-zone-key ZONE zsk|ksk [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]"<<endl; |
37fd8771 BH |
2152 | return 0; |
2153 | } | |
b873e23a | 2154 | DNSName zone(cmds[1]); |
032e3906 PD |
2155 | |
2156 | UeberBackend B("default"); | |
2157 | DomainInfo di; | |
2158 | ||
2159 | if (!B.getDomainInfo(zone, di)){ | |
2160 | cerr << "No such zone in the database" << endl; | |
2161 | return 0; | |
2162 | } | |
2163 | ||
36c394e5 BH |
2164 | // need to get algorithm, bits & ksk or zsk from commandline |
2165 | bool keyOrZone=false; | |
36758d25 | 2166 | int tmp_algo=0; |
36c394e5 | 2167 | int bits=0; |
0ba8e0f1 | 2168 | int algorithm=8; |
4af49b80 | 2169 | bool active=false; |
36c394e5 BH |
2170 | for(unsigned int n=2; n < cmds.size(); ++n) { |
2171 | if(pdns_iequals(cmds[n], "zsk")) | |
2172 | keyOrZone = false; | |
2173 | else if(pdns_iequals(cmds[n], "ksk")) | |
2174 | keyOrZone = true; | |
36758d25 PD |
2175 | else if((tmp_algo = shorthand2algorithm(cmds[n]))>0) { |
2176 | algorithm = tmp_algo; | |
4af49b80 | 2177 | } else if(pdns_iequals(cmds[n], "active")) { |
2178 | active=true; | |
d9db3d7e | 2179 | } else if(pdns_iequals(cmds[n], "inactive") || pdns_iequals(cmds[n], "passive")) { // 'passive' eventually needs to be removed |
4af49b80 | 2180 | active=false; |
335da0ba AT |
2181 | } else if(pdns_stou(cmds[n])) { |
2182 | bits = pdns_stou(cmds[n]); | |
4af49b80 | 2183 | } else { |
a254438f | 2184 | cerr<<"Unknown algorithm, key flag or size '"<<cmds[n]<<"'"<<endl; |
07bf35d1 | 2185 | exit(EXIT_FAILURE);; |
36c394e5 BH |
2186 | } |
2187 | } | |
07bf35d1 | 2188 | if(!dk.addKey(zone, keyOrZone, algorithm, bits, active)) { |
2189 | cerr<<"Adding key failed, perhaps DNSSEC not enabled in configuration?"<<endl; | |
2190 | exit(1); | |
2191 | } | |
2192 | else { | |
2193 | cerr<<"Added a " << (keyOrZone ? "KSK" : "ZSK")<<" with algorithm = "<<algorithm<<", active="<<active<<endl; | |
2194 | if(bits) | |
232f0877 | 2195 | cerr<<"Requested specific key size of "<<bits<<" bits"<<endl; |
07bf35d1 | 2196 | } |
bed962b5 BH |
2197 | } |
2198 | else if(cmds[0] == "remove-zone-key") { | |
471304cc | 2199 | if(cmds.size() < 3) { |
fd5076c8 | 2200 | cerr<<"Syntax: pdnsutil remove-zone-key ZONE KEY-ID"<<endl; |
471304cc BH |
2201 | return 0; |
2202 | } | |
b873e23a | 2203 | DNSName zone(cmds[1]); |
335da0ba | 2204 | unsigned int id=pdns_stou(cmds[2]); |
a84a8203 | 2205 | if (!dk.removeKey(zone, id)) { |
0b8e59ea | 2206 | cerr<<"Cannot remove key " << id << " from " << zone <<endl; |
a84a8203 PD |
2207 | return 1; |
2208 | } | |
2209 | return 0; | |
bed962b5 | 2210 | } |
51f6bca1 RA |
2211 | else if(cmds[0] == "delete-zone") { |
2212 | if(cmds.size() != 2) { | |
fd5076c8 | 2213 | cerr<<"Syntax: pdnsutil delete-zone ZONE"<<endl; |
51f6bca1 RA |
2214 | return 0; |
2215 | } | |
b873e23a | 2216 | exit(deleteZone(DNSName(cmds[1]))); |
51f6bca1 | 2217 | } |
c9865bc5 | 2218 | else if(cmds[0] == "create-zone") { |
66d34461 | 2219 | if(cmds.size() != 2 && cmds.size()!=3 ) { |
2220 | cerr<<"Syntax: pdnsutil create-zone ZONE [nsname]"<<endl; | |
2221 | return 0; | |
2222 | } | |
2223 | exit(createZone(DNSName(cmds[1]), cmds.size() > 2 ? DNSName(cmds[2]): DNSName())); | |
2224 | } | |
e85a76ad | 2225 | else if(cmds[0] == "create-slave-zone") { |
2226 | if(cmds.size() < 3 ) { | |
2227 | cerr<<"Syntax: pdnsutil create-slave-zone ZONE master-ip [master-ip..]"<<endl; | |
2228 | return 0; | |
2229 | } | |
2230 | exit(createSlaveZone(cmds)); | |
2231 | } | |
66d34461 | 2232 | else if(cmds[0] == "add-record") { |
2233 | if(cmds.size() < 5) { | |
2234 | cerr<<"Syntax: pdnsutil add-record ZONE name type [ttl] \"content\" [\"content\"...]"<<endl; | |
2235 | return 0; | |
2236 | } | |
2237 | exit(addOrReplaceRecord(true, cmds)); | |
2238 | } | |
2239 | else if(cmds[0] == "replace-rrset") { | |
2240 | if(cmds.size() < 5) { | |
2241 | cerr<<"Syntax: pdnsutil replace-record ZONE name type [ttl] \"content\" [\"content\"...]"<<endl; | |
2242 | return 0; | |
2243 | } | |
2244 | exit(addOrReplaceRecord(false , cmds)); | |
2245 | } | |
2246 | else if(cmds[0] == "delete-rrset") { | |
2247 | if(cmds.size() != 4) { | |
2248 | cerr<<"Syntax: pdnsutil delete-rrset ZONE name type"<<endl; | |
c9865bc5 | 2249 | return 0; |
2250 | } | |
66d34461 | 2251 | exit(deleteRRSet(cmds[1], cmds[2], cmds[3])); |
c9865bc5 | 2252 | } |
2253 | else if(cmds[0] == "list-zone") { | |
2254 | if(cmds.size() != 2) { | |
fd5076c8 | 2255 | cerr<<"Syntax: pdnsutil list-zone ZONE"<<endl; |
c9865bc5 | 2256 | return 0; |
2257 | } | |
2258 | if(cmds[1]==".") | |
2259 | cmds[1].clear(); | |
2260 | ||
b873e23a | 2261 | exit(listZone(DNSName(cmds[1]))); |
c9865bc5 | 2262 | } |
c2e0881c | 2263 | else if(cmds[0] == "edit-zone") { |
2264 | if(cmds.size() != 2) { | |
2265 | cerr<<"Syntax: pdnsutil edit-zone ZONE"<<endl; | |
2266 | return 0; | |
2267 | } | |
2268 | if(cmds[1]==".") | |
2269 | cmds[1].clear(); | |
2270 | ||
2271 | exit(editZone(dk, DNSName(cmds[1]))); | |
2272 | } | |
2273 | ||
597b9b3e PL |
2274 | else if(cmds[0] == "list-keys") { |
2275 | if(cmds.size() > 2) { | |
fd5076c8 | 2276 | cerr<<"Syntax: pdnsutil list-keys [ZONE]"<<endl; |
597b9b3e PL |
2277 | return 0; |
2278 | } | |
2279 | string zname = (cmds.size() == 2) ? cmds[1] : "all"; | |
2280 | exit(listKeys(zname, dk)); | |
2281 | } | |
c9865bc5 | 2282 | else if(cmds[0] == "load-zone") { |
2283 | if(cmds.size() != 3) { | |
fd5076c8 | 2284 | cerr<<"Syntax: pdnsutil load-zone ZONE FILENAME"<<endl; |
c9865bc5 | 2285 | return 0; |
2286 | } | |
2287 | if(cmds[1]==".") | |
2288 | cmds[1].clear(); | |
2289 | ||
b873e23a | 2290 | exit(loadZone(DNSName(cmds[1]), cmds[2])); |
c9865bc5 | 2291 | } |
c3c89361 | 2292 | else if(cmds[0] == "secure-zone") { |
ddac7145 | 2293 | if(cmds.size() < 2) { |
fd5076c8 | 2294 | cerr << "Syntax: pdnsutil secure-zone ZONE"<<endl; |
a9175ad6 BH |
2295 | return 0; |
2296 | } | |
b873e23a | 2297 | vector<DNSName> mustRectify; |
1325e8a2 | 2298 | unsigned int zoneErrors=0; |
ddac7145 | 2299 | for(unsigned int n = 1; n < cmds.size(); ++n) { |
b873e23a | 2300 | DNSName zone(cmds[n]); |
7da05748 | 2301 | dk.startTransaction(zone, -1); |
f60f4bcd | 2302 | if(secureZone(dk, zone)) { |
d6c16697 | 2303 | mustRectify.push_back(zone); |
1325e8a2 PD |
2304 | } else { |
2305 | zoneErrors++; | |
d6c16697 | 2306 | } |
7da05748 | 2307 | dk.commitTransaction(); |
f60f4bcd | 2308 | } |
1d211b1b | 2309 | |
b873e23a | 2310 | for(const auto& zone : mustRectify) |
d6c16697 | 2311 | rectifyZone(dk, zone); |
1325e8a2 PD |
2312 | |
2313 | if (zoneErrors) { | |
2314 | return 1; | |
2315 | } | |
2316 | return 0; | |
1d211b1b | 2317 | } |
fa377773 | 2318 | else if (cmds[0] == "secure-all-zones") { |
f84dba01 | 2319 | if (cmds.size() >= 2 && !pdns_iequals(cmds[1], "increase-serial")) { |
fd5076c8 | 2320 | cerr << "Syntax: pdnsutil secure-all-zones [increase-serial]"<<endl; |
f84dba01 KM |
2321 | return 0; |
2322 | } | |
2323 | ||
fa377773 KM |
2324 | UeberBackend B("default"); |
2325 | ||
fa377773 KM |
2326 | vector<DomainInfo> domainInfo; |
2327 | B.getAllDomains(&domainInfo); | |
2328 | ||
f84dba01 | 2329 | unsigned int zonesSecured=0, zoneErrors=0; |
ff05fd12 | 2330 | for(DomainInfo di : domainInfo) { |
fa377773 | 2331 | if(!dk.isSecuredZone(di.zone)) { |
675fa24c | 2332 | cout<<"Securing "<<di.zone.toString()<<": "; |
f84dba01 KM |
2333 | if (secureZone(dk, di.zone)) { |
2334 | zonesSecured++; | |
2335 | if (cmds.size() == 2) { | |
2336 | if (!increaseSerial(di.zone, dk)) | |
2337 | continue; | |
2338 | } else | |
2339 | continue; | |
2340 | } | |
2341 | zoneErrors++; | |
fa377773 KM |
2342 | } |
2343 | } | |
fa377773 | 2344 | |
f84dba01 | 2345 | cout<<"Secured: "<<zonesSecured<<" zones. Errors: "<<zoneErrors<<endl; |
fa377773 KM |
2346 | |
2347 | if (zoneErrors) { | |
2348 | return 1; | |
2349 | } | |
2350 | return 0; | |
2351 | } | |
bddc5d92 | 2352 | else if(cmds[0]=="set-kind") { |
2353 | if(cmds.size() != 3) { | |
2354 | cerr<<"Syntax: pdnsutil set-kind ZONE KIND"<<endl; | |
2355 | } | |
2356 | DNSName zone(cmds[1]); | |
2357 | auto kind=DomainInfo::stringToKind(cmds[2]); | |
2358 | exit(setZoneKind(zone, kind)); | |
2359 | } | |
da11ed0e | 2360 | else if(cmds[0]=="set-nsec3") { |
37fd8771 | 2361 | if(cmds.size() < 2) { |
fd5076c8 | 2362 | cerr<<"Syntax: pdnsutil set-nsec3 ZONE 'params' [narrow]"<<endl; |
37fd8771 BH |
2363 | return 0; |
2364 | } | |
b8adb30d | 2365 | string nsec3params = cmds.size() > 2 ? cmds[2] : "1 0 1 ab"; |
22c5aa60 | 2366 | bool narrow = cmds.size() > 3 && cmds[3]=="narrow"; |
da11ed0e | 2367 | NSEC3PARAMRecordContent ns3pr(nsec3params); |
7649cd71 | 2368 | |
675fa24c | 2369 | DNSName zone(cmds[1]); |
3155c04a PL |
2370 | if (zone.wirelength() > 222) { |
2371 | cerr<<"Cannot enable NSEC3 for " << zone.toString() << " as it is too long (" << zone.wirelength() << " bytes, maximum is 222 bytes)"<<endl; | |
2372 | return 1; | |
2373 | } | |
7649cd71 KM |
2374 | if (! dk.setNSEC3PARAM(zone, ns3pr, narrow)) { |
2375 | cerr<<"Cannot set NSEC3 param for " << zone.toString() << endl; | |
2376 | return 1; | |
775acd9e | 2377 | } |
7649cd71 | 2378 | |
b8adb30d | 2379 | if (!ns3pr.d_flags) |
7649cd71 | 2380 | cerr<<"NSEC3 set, "; |
b8adb30d | 2381 | else |
7649cd71 KM |
2382 | cerr<<"NSEC3 (opt-out) set, "; |
2383 | ||
2384 | if(dk.isSecuredZone(zone)) | |
2385 | cerr<<"please rectify your zone if your backend needs it"<<endl; | |
2386 | else | |
2387 | cerr<<"please secure and rectify your zone."<<endl; | |
2388 | ||
2389 | return 0; | |
da11ed0e | 2390 | } |
d3e7090c | 2391 | else if(cmds[0]=="set-presigned") { |
5935cede | 2392 | if(cmds.size() < 2) { |
fd5076c8 | 2393 | cerr<<"Syntax: pdnsutil set-presigned ZONE"<<endl; |
37fd8771 | 2394 | return 0; |
5935cede | 2395 | } |
b873e23a | 2396 | if (! dk.setPresigned(DNSName(cmds[1]))) { |
e15dce0c | 2397 | cerr << "Could not set presigned on for " << cmds[1] << endl; |
a84a8203 PD |
2398 | return 1; |
2399 | } | |
2400 | return 0; | |
d3e7090c | 2401 | } |
088370cd PL |
2402 | else if(cmds[0]=="set-publish-cdnskey") { |
2403 | if(cmds.size() < 2) { | |
fd5076c8 | 2404 | cerr<<"Syntax: pdnsutil set-publish-cdnskey ZONE"<<endl; |
088370cd PL |
2405 | return 0; |
2406 | } | |
da347642 | 2407 | if (! dk.setPublishCDNSKEY(DNSName(cmds[1]))) { |
088370cd PL |
2408 | cerr << "Could not set publishing for CDNSKEY records for "<< cmds[1]<<endl; |
2409 | return 1; | |
2410 | } | |
2411 | return 0; | |
2412 | } | |
ef542223 PL |
2413 | else if(cmds[0]=="set-publish-cds") { |
2414 | if(cmds.size() < 2) { | |
fd5076c8 | 2415 | cerr<<"Syntax: pdnsutil set-publish-cds ZONE [DIGESTALGOS]"<<endl; |
ef542223 PL |
2416 | return 0; |
2417 | } | |
2418 | ||
2419 | // If DIGESTALGOS is unset | |
2420 | if(cmds.size() == 2) | |
2421 | cmds.push_back("1,2"); | |
2422 | ||
da347642 | 2423 | if (! dk.setPublishCDS(DNSName(cmds[1]), cmds[2])) { |
ef542223 PL |
2424 | cerr << "Could not set publishing for CDS records for "<< cmds[1]<<endl; |
2425 | return 1; | |
2426 | } | |
2427 | return 0; | |
2428 | } | |
d3e7090c | 2429 | else if(cmds[0]=="unset-presigned") { |
37fd8771 | 2430 | if(cmds.size() < 2) { |
fd5076c8 | 2431 | cerr<<"Syntax: pdnsutil unset-presigned ZONE"<<endl; |
f60f4bcd | 2432 | return 0; |
37fd8771 | 2433 | } |
b873e23a | 2434 | if (! dk.unsetPresigned(DNSName(cmds[1]))) { |
e15dce0c | 2435 | cerr << "Could not unset presigned on for " << cmds[1] << endl; |
a84a8203 PD |
2436 | return 1; |
2437 | } | |
2438 | return 0; | |
d3e7090c | 2439 | } |
088370cd PL |
2440 | else if(cmds[0]=="unset-publish-cdnskey") { |
2441 | if(cmds.size() < 2) { | |
fd5076c8 | 2442 | cerr<<"Syntax: pdnsutil unset-publish-cdnskey ZONE"<<endl; |
088370cd PL |
2443 | return 0; |
2444 | } | |
da347642 | 2445 | if (! dk.unsetPublishCDNSKEY(DNSName(cmds[1]))) { |
088370cd PL |
2446 | cerr << "Could not unset publishing for CDNSKEY records for "<< cmds[1]<<endl; |
2447 | return 1; | |
2448 | } | |
2449 | return 0; | |
2450 | } | |
ef542223 PL |
2451 | else if(cmds[0]=="unset-publish-cds") { |
2452 | if(cmds.size() < 2) { | |
fd5076c8 | 2453 | cerr<<"Syntax: pdnsutil unset-publish-cds ZONE"<<endl; |
ef542223 PL |
2454 | return 0; |
2455 | } | |
da347642 | 2456 | if (! dk.unsetPublishCDS(DNSName(cmds[1]))) { |
ef542223 PL |
2457 | cerr << "Could not unset publishing for CDS records for "<< cmds[1]<<endl; |
2458 | return 1; | |
2459 | } | |
2460 | return 0; | |
2461 | } | |
65c87942 BH |
2462 | else if(cmds[0]=="hash-zone-record") { |
2463 | if(cmds.size() < 3) { | |
fd5076c8 | 2464 | cerr<<"Syntax: pdnsutil hash-zone-record ZONE RNAME"<<endl; |
65c87942 BH |
2465 | return 0; |
2466 | } | |
675fa24c | 2467 | DNSName zone(cmds[1]); |
b873e23a | 2468 | DNSName record(cmds[2]); |
65c87942 BH |
2469 | NSEC3PARAMRecordContent ns3pr; |
2470 | bool narrow; | |
2471 | if(!dk.getNSEC3PARAM(zone, &ns3pr, &narrow)) { | |
675fa24c | 2472 | cerr<<"The '"<<zone.toString()<<"' zone does not use NSEC3"<<endl; |
65c87942 BH |
2473 | return 0; |
2474 | } | |
5e42374c | 2475 | if(narrow) { |
675fa24c | 2476 | cerr<<"The '"<<zone.toString()<<"' zone uses narrow NSEC3, but calculating hash anyhow"<<endl; |
65c87942 BH |
2477 | } |
2478 | ||
28e2e78e | 2479 | cout<<toBase32Hex(hashQNameWithSalt(ns3pr, record))<<endl; |
65c87942 | 2480 | } |
da11ed0e | 2481 | else if(cmds[0]=="unset-nsec3") { |
37fd8771 | 2482 | if(cmds.size() < 2) { |
fd5076c8 | 2483 | cerr<<"Syntax: pdnsutil unset-nsec3 ZONE"<<endl; |
a84a8203 | 2484 | return 0; |
37fd8771 | 2485 | } |
b873e23a | 2486 | if ( ! dk.unsetNSEC3PARAM(DNSName(cmds[1]))) { |
e15dce0c | 2487 | cerr<<"Cannot unset NSEC3 param for " << cmds[1] << endl; |
a84a8203 PD |
2488 | return 1; |
2489 | } | |
2490 | return 0; | |
da11ed0e BH |
2491 | } |
2492 | else if(cmds[0]=="export-zone-key") { | |
7ddd79a7 | 2493 | if(cmds.size() < 3) { |
fd5076c8 | 2494 | cerr<<"Syntax: pdnsutil export-zone-key ZONE KEY-ID"<<endl; |
a84a8203 | 2495 | return 0; |
7ddd79a7 BH |
2496 | } |
2497 | ||
da11ed0e | 2498 | string zone=cmds[1]; |
335da0ba | 2499 | unsigned int id=pdns_stou(cmds[2]); |
b873e23a | 2500 | DNSSECPrivateKey dpk=dk.getKeyById(DNSName(zone), id); |
189bb9d2 | 2501 | cout << dpk.getKey()->convertToISC() <<endl; |
4496f66f | 2502 | } |
04576eed RA |
2503 | else if(cmds[0]=="increase-serial") { |
2504 | if (cmds.size() < 2) { | |
fd5076c8 | 2505 | cerr<<"Syntax: pdnsutil increase-serial ZONE"<<endl; |
04576eed RA |
2506 | return 0; |
2507 | } | |
b873e23a | 2508 | return increaseSerial(DNSName(cmds[1]), dk); |
04576eed | 2509 | } |
ed3f8559 BH |
2510 | else if(cmds[0]=="import-zone-key-pem") { |
2511 | if(cmds.size() < 4) { | |
fd5076c8 | 2512 | cerr<<"Syntax: pdnsutil import-zone-key-pem ZONE FILE ALGORITHM {ksk|zsk}"<<endl; |
ed3f8559 BH |
2513 | exit(1); |
2514 | } | |
2515 | string zone=cmds[1]; | |
2516 | string fname=cmds[2]; | |
2517 | string line; | |
2518 | ifstream ifs(fname.c_str()); | |
2519 | string tmp, interim, raw; | |
2520 | while(getline(ifs, line)) { | |
2521 | if(line[0]=='-') | |
2522 | continue; | |
2523 | trim(line); | |
2524 | interim += line; | |
2525 | } | |
2526 | B64Decode(interim, raw); | |
2527 | DNSSECPrivateKey dpk; | |
699e6e37 | 2528 | DNSKEYRecordContent drc; |
8d9f38f2 | 2529 | shared_ptr<DNSCryptoKeyEngine> key(DNSCryptoKeyEngine::makeFromPEMString(drc, raw)); |
699e6e37 | 2530 | dpk.setKey(key); |
ed3f8559 | 2531 | |
335da0ba | 2532 | dpk.d_algorithm = pdns_stou(cmds[3]); |
ed3f8559 BH |
2533 | |
2534 | if(dpk.d_algorithm == 7) | |
2535 | dpk.d_algorithm = 5; | |
2536 | ||
2537 | cerr<<(int)dpk.d_algorithm<<endl; | |
2538 | ||
2539 | if(cmds.size() > 4) { | |
2540 | if(pdns_iequals(cmds[4], "ZSK")) | |
2541 | dpk.d_flags = 256; | |
2542 | else if(pdns_iequals(cmds[4], "KSK")) | |
2543 | dpk.d_flags = 257; | |
2544 | else { | |
451ba512 | 2545 | cerr<<"Unknown key flag '"<<cmds[4]<<"'"<<endl; |
ed3f8559 BH |
2546 | exit(1); |
2547 | } | |
2548 | } | |
2549 | else | |
2550 | dpk.d_flags = 257; // ksk | |
2551 | ||
b873e23a | 2552 | if(!dk.addKey(DNSName(zone), dpk)) { |
07bf35d1 | 2553 | cerr<<"Adding key failed, perhaps DNSSEC not enabled in configuration?"<<endl; |
2554 | exit(1); | |
2555 | } | |
ed3f8559 BH |
2556 | |
2557 | } | |
976b6541 | 2558 | else if(cmds[0]=="import-zone-key") { |
d1eacbeb | 2559 | if(cmds.size() < 3) { |
d9db3d7e | 2560 | cerr<<"Syntax: pdnsutil import-zone-key ZONE FILE [ksk|zsk] [active|inactive]"<<endl; |
4496f66f BH |
2561 | exit(1); |
2562 | } | |
976b6541 BH |
2563 | string zone=cmds[1]; |
2564 | string fname=cmds[2]; | |
2565 | DNSSECPrivateKey dpk; | |
699e6e37 | 2566 | DNSKEYRecordContent drc; |
8d9f38f2 | 2567 | shared_ptr<DNSCryptoKeyEngine> key(DNSCryptoKeyEngine::makeFromISCFile(drc, fname.c_str())); |
699e6e37 | 2568 | dpk.setKey(key); |
7ddd79a7 BH |
2569 | dpk.d_algorithm = drc.d_algorithm; |
2570 | ||
2571 | if(dpk.d_algorithm == 7) | |
2572 | dpk.d_algorithm = 5; | |
aa952078 | 2573 | |
4af49b80 | 2574 | dpk.d_flags = 257; |
4cec6ac5 | 2575 | bool active=true; |
4af49b80 | 2576 | |
2577 | for(unsigned int n = 3; n < cmds.size(); ++n) { | |
2578 | if(pdns_iequals(cmds[n], "ZSK")) | |
232f0877 | 2579 | dpk.d_flags = 256; |
4af49b80 | 2580 | else if(pdns_iequals(cmds[n], "KSK")) |
232f0877 | 2581 | dpk.d_flags = 257; |
4af49b80 | 2582 | else if(pdns_iequals(cmds[n], "active")) |
232f0877 | 2583 | active = 1; |
d9db3d7e | 2584 | else if(pdns_iequals(cmds[n], "passive") || pdns_iequals(cmds[n], "inactive")) // passive eventually needs to be removed |
232f0877 | 2585 | active = 0; |
4af49b80 | 2586 | else { |
232f0877 CH |
2587 | cerr<<"Unknown key flag '"<<cmds[n]<<"'"<<endl; |
2588 | exit(1); | |
2589 | } | |
aa952078 | 2590 | } |
b873e23a | 2591 | if(!dk.addKey(DNSName(zone), dpk, active)) { |
07bf35d1 | 2592 | cerr<<"Adding key failed, perhaps DNSSEC not enabled in configuration?"<<endl; |
2593 | exit(1); | |
2594 | } | |
976b6541 | 2595 | } |
da11ed0e | 2596 | else if(cmds[0]=="export-zone-dnskey") { |
7ddd79a7 | 2597 | if(cmds.size() < 3) { |
fd5076c8 | 2598 | cerr<<"Syntax: pdnsutil export-zone-dnskey ZONE KEY-ID"<<endl; |
7ddd79a7 BH |
2599 | exit(1); |
2600 | } | |
2601 | ||
b873e23a | 2602 | DNSName zone(cmds[1]); |
335da0ba | 2603 | unsigned int id=pdns_stou(cmds[2]); |
da11ed0e BH |
2604 | DNSSECPrivateKey dpk=dk.getKeyById(zone, id); |
2605 | cout << zone<<" IN DNSKEY "<<dpk.getDNSKEY().getZoneRepresentation() <<endl; | |
f8b25763 BH |
2606 | if(dpk.d_flags == 257) { |
2607 | cout << zone << " IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY(), 1).getZoneRepresentation() << endl; | |
2608 | cout << zone << " IN DS "<<makeDSFromDNSKey(zone, dpk.getDNSKEY(), 2).getZoneRepresentation() << endl; | |
2609 | } | |
da11ed0e | 2610 | } |
950bdddf PD |
2611 | else if(cmds[0] == "generate-zone-key") { |
2612 | if(cmds.size() < 2 ) { | |
fd5076c8 | 2613 | cerr << "Syntax: pdnsutil generate-zone-key zsk|ksk [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384] [bits]"<<endl; |
950bdddf PD |
2614 | return 0; |
2615 | } | |
2616 | // need to get algorithm, bits & ksk or zsk from commandline | |
2617 | bool keyOrZone=false; | |
2618 | int tmp_algo=0; | |
2619 | int bits=0; | |
2620 | int algorithm=8; | |
2621 | for(unsigned int n=1; n < cmds.size(); ++n) { | |
2622 | if(pdns_iequals(cmds[n], "zsk")) | |
2623 | keyOrZone = false; | |
2624 | else if(pdns_iequals(cmds[n], "ksk")) | |
2625 | keyOrZone = true; | |
2626 | else if((tmp_algo = shorthand2algorithm(cmds[n]))>0) { | |
2627 | algorithm = tmp_algo; | |
335da0ba AT |
2628 | } else if(pdns_stou(cmds[n])) |
2629 | bits = pdns_stou(cmds[n]); | |
950bdddf PD |
2630 | else { |
2631 | cerr<<"Unknown algorithm, key flag or size '"<<cmds[n]<<"'"<<endl; | |
2632 | return 0; | |
2633 | } | |
2634 | } | |
2635 | cerr<<"Generating a " << (keyOrZone ? "KSK" : "ZSK")<<" with algorithm = "<<algorithm<<endl; | |
2636 | if(bits) | |
2637 | cerr<<"Requesting specific key size of "<<bits<<" bits"<<endl; | |
2638 | ||
2639 | DNSSECPrivateKey dspk; | |
2640 | shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm)); // defaults to RSA for now, could be smart w/algorithm! XXX FIXME | |
2641 | if(!bits) { | |
2642 | if(algorithm <= 10) | |
2643 | bits = keyOrZone ? 2048 : 1024; | |
2644 | else { | |
2645 | if(algorithm == 12 || algorithm == 13 || algorithm == 250) // ECDSA, GOST, ED25519 | |
2646 | bits = 256; | |
2647 | else if(algorithm == 14) | |
2648 | bits = 384; | |
2649 | else { | |
335da0ba | 2650 | throw runtime_error("Can't guess key size for algorithm "+std::to_string(algorithm)); |
950bdddf PD |
2651 | } |
2652 | } | |
2653 | } | |
2654 | dpk->create(bits); | |
2655 | dspk.setKey(dpk); | |
2656 | dspk.d_algorithm = algorithm; | |
2657 | dspk.d_flags = keyOrZone ? 257 : 256; | |
2658 | ||
2659 | // print key to stdout | |
2660 | cout << "Flags: " << dspk.d_flags << endl << | |
2661 | dspk.getKey()->convertToISC() << endl; | |
79b4ea54 | 2662 | } else if (cmds[0]=="generate-tsig-key") { |
6f872b78 AT |
2663 | if (cmds.size() < 3) { |
2664 | cerr << "Syntax: " << cmds[0] << " name (hmac-md5|hmac-sha1|hmac-sha224|hmac-sha256|hmac-sha384|hmac-sha512)" << endl; | |
2665 | return 0; | |
2666 | } | |
b873e23a | 2667 | DNSName name(cmds[1]); |
6f872b78 AT |
2668 | string algo = cmds[2]; |
2669 | string key; | |
2670 | char tmpkey[64]; | |
2671 | ||
d885cea7 | 2672 | size_t klen = 0; |
6f872b78 AT |
2673 | if (algo == "hmac-md5") { |
2674 | klen = 32; | |
2675 | } else if (algo == "hmac-sha1") { | |
2676 | klen = 32; | |
2677 | } else if (algo == "hmac-sha224") { | |
2678 | klen = 32; | |
2679 | } else if (algo == "hmac-sha256") { | |
2680 | klen = 64; | |
2681 | } else if (algo == "hmac-sha384") { | |
2682 | klen = 64; | |
2683 | } else if (algo == "hmac-sha512") { | |
2684 | klen = 64; | |
d885cea7 AT |
2685 | } else { |
2686 | cerr << "Cannot generate key for " << algo << endl; | |
2687 | return 1; | |
6f872b78 AT |
2688 | } |
2689 | ||
7e5b2860 | 2690 | cerr << "Generating new key with " << klen << " bytes (this can take a while)" << endl; |
a56bc64d AT |
2691 | for(size_t i = 0; i < klen; i+=4) { |
2692 | *(unsigned int*)(tmpkey+i) = dns_random(0xffffffff); | |
2693 | } | |
6f872b78 AT |
2694 | key = Base64Encode(std::string(tmpkey, klen)); |
2695 | ||
2696 | UeberBackend B("default"); | |
b873e23a | 2697 | if (B.setTSIGKey(name, DNSName(algo), key)) { // you are feeling bored, put up DNSName(algo) up earlier |
6f872b78 AT |
2698 | cout << "Create new TSIG key " << name << " " << algo << " " << key << endl; |
2699 | } else { | |
694ea7ae | 2700 | cerr << "Failure storing new TSIG key " << name << " " << algo << " " << key << endl; |
6f872b78 AT |
2701 | return 1; |
2702 | } | |
2703 | return 0; | |
2704 | } else if (cmds[0]=="import-tsig-key") { | |
2705 | if (cmds.size() < 4) { | |
2706 | cerr << "Syntax: " << cmds[0] << " name algorithm key" << endl; | |
2707 | return 0; | |
2708 | } | |
b873e23a | 2709 | DNSName name(cmds[1]); |
6f872b78 AT |
2710 | string algo = cmds[2]; |
2711 | string key = cmds[3]; | |
2712 | ||
2713 | UeberBackend B("default"); | |
b873e23a | 2714 | if (B.setTSIGKey(name, DNSName(algo), key)) { |
6f872b78 AT |
2715 | cout << "Imported TSIG key " << name << " " << algo << endl; |
2716 | } else { | |
694ea7ae | 2717 | cerr << "Failure importing TSIG key " << name << " " << algo << endl; |
6f872b78 AT |
2718 | return 1; |
2719 | } | |
2720 | return 0; | |
2721 | } else if (cmds[0]=="delete-tsig-key") { | |
2722 | if (cmds.size() < 2) { | |
2723 | cerr << "Syntax: " << cmds[0] << " name" << endl; | |
2724 | return 0; | |
2725 | } | |
b873e23a | 2726 | DNSName name(cmds[1]); |
6f872b78 AT |
2727 | |
2728 | UeberBackend B("default"); | |
2729 | if (B.deleteTSIGKey(name)) { | |
2730 | cout << "Deleted TSIG key " << name << endl; | |
2731 | } else { | |
694ea7ae | 2732 | cerr << "Failure deleting TSIG key " << name << endl; |
6f872b78 AT |
2733 | return 1; |
2734 | } | |
2735 | return 0; | |
2736 | } else if (cmds[0]=="list-tsig-keys") { | |
2737 | std::vector<struct TSIGKey> keys; | |
2738 | UeberBackend B("default"); | |
2739 | if (B.getTSIGKeys(keys)) { | |
ff05fd12 | 2740 | for(const struct TSIGKey &key : keys) { |
675fa24c | 2741 | cout << key.name.toString() << " " << key.algorithm.toString() << " " << key.key << endl; |
6f872b78 AT |
2742 | } |
2743 | } | |
2744 | return 0; | |
79b4ea54 | 2745 | } else if (cmds[0]=="activate-tsig-key") { |
4831df57 AT |
2746 | string metaKey; |
2747 | if (cmds.size() < 4) { | |
ec53ae22 | 2748 | cerr << "Syntax: " << cmds[0] << " ZONE NAME {master|slave}" << endl; |
6f872b78 AT |
2749 | return 0; |
2750 | } | |
b873e23a | 2751 | DNSName zname(cmds[1]); |
6f872b78 | 2752 | string name = cmds[2]; |
4831df57 AT |
2753 | if (cmds[3] == "master") |
2754 | metaKey = "TSIG-ALLOW-AXFR"; | |
2755 | else if (cmds[3] == "slave") | |
2756 | metaKey = "AXFR-MASTER-TSIG"; | |
2757 | else { | |
2758 | cerr << "Invalid parameter '" << cmds[3] << "', expected master or slave" << endl; | |
2759 | return 1; | |
2760 | } | |
6f872b78 AT |
2761 | UeberBackend B("default"); |
2762 | std::vector<std::string> meta; | |
4831df57 | 2763 | if (!B.getDomainMetadata(zname, metaKey, meta)) { |
694ea7ae | 2764 | cerr << "Failure enabling TSIG key " << name << " for " << zname << endl; |
6f872b78 AT |
2765 | return 1; |
2766 | } | |
2767 | bool found = false; | |
ff05fd12 | 2768 | for(std::string tmpname : meta) { |
6f872b78 AT |
2769 | if (tmpname == name) { found = true; break; } |
2770 | } | |
2771 | if (!found) meta.push_back(name); | |
4831df57 | 2772 | if (B.setDomainMetadata(zname, metaKey, meta)) { |
6f872b78 AT |
2773 | cout << "Enabled TSIG key " << name << " for " << zname << endl; |
2774 | } else { | |
694ea7ae | 2775 | cerr << "Failure enabling TSIG key " << name << " for " << zname << endl; |
6f872b78 AT |
2776 | return 1; |
2777 | } | |
2778 | return 0; | |
79b4ea54 | 2779 | } else if (cmds[0]=="deactivate-tsig-key") { |
4831df57 AT |
2780 | string metaKey; |
2781 | if (cmds.size() < 4) { | |
ec53ae22 | 2782 | cerr << "Syntax: " << cmds[0] << " ZONE NAME {master|slave}" << endl; |
6f872b78 AT |
2783 | return 0; |
2784 | } | |
b873e23a | 2785 | DNSName zname(cmds[1]); |
6f872b78 | 2786 | string name = cmds[2]; |
4831df57 AT |
2787 | if (cmds[3] == "master") |
2788 | metaKey = "TSIG-ALLOW-AXFR"; | |
2789 | else if (cmds[3] == "slave") | |
2790 | metaKey = "AXFR-MASTER-TSIG"; | |
2791 | else { | |
2792 | cerr << "Invalid parameter '" << cmds[3] << "', expected master or slave" << endl; | |
2793 | return 1; | |
2794 | } | |
6f872b78 AT |
2795 | |
2796 | UeberBackend B("default"); | |
2797 | std::vector<std::string> meta; | |
4831df57 | 2798 | if (!B.getDomainMetadata(zname, metaKey, meta)) { |
694ea7ae | 2799 | cerr << "Failure disabling TSIG key " << name << " for " << zname << endl; |
6f872b78 AT |
2800 | return 1; |
2801 | } | |
2802 | std::vector<std::string>::iterator iter = meta.begin(); | |
2803 | for(;iter != meta.end(); iter++) if (*iter == name) break; | |
2804 | if (iter != meta.end()) meta.erase(iter); | |
4831df57 | 2805 | if (B.setDomainMetadata(zname, metaKey, meta)) { |
6f872b78 AT |
2806 | cout << "Disabled TSIG key " << name << " for " << zname << endl; |
2807 | } else { | |
694ea7ae | 2808 | cerr << "Failure disabling TSIG key " << name << " for " << zname << endl; |
6f872b78 AT |
2809 | return 1; |
2810 | } | |
2811 | return 0; | |
451ba512 AT |
2812 | } else if (cmds[0]=="get-meta") { |
2813 | UeberBackend B("default"); | |
2814 | if (cmds.size() < 2) { | |
2815 | cerr << "Syntax: " << cmds[0] << " zone [kind kind ..]" << endl; | |
2816 | return 1; | |
2817 | } | |
b873e23a | 2818 | DNSName zone(cmds[1]); |
451ba512 AT |
2819 | vector<string> keys; |
2820 | DomainInfo di; | |
2821 | ||
2822 | if (!B.getDomainInfo(zone, di)) { | |
2823 | cerr << "Invalid zone '" << zone << "'" << endl; | |
2824 | return 1; | |
2825 | } | |
2826 | ||
2827 | if (cmds.size() > 2) { | |
2e050d2c AT |
2828 | keys.assign(cmds.begin() + 2, cmds.end()); |
2829 | std::cout << "Metadata for '" << zone << "'" << endl; | |
ff05fd12 | 2830 | for(const string kind : keys) { |
2e050d2c AT |
2831 | vector<string> meta; |
2832 | meta.clear(); | |
2833 | if (B.getDomainMetadata(zone, kind, meta)) { | |
2834 | cout << kind << " = " << boost::join(meta, ", ") << endl; | |
2835 | } | |
2836 | } | |
451ba512 | 2837 | } else { |
2e050d2c AT |
2838 | std::map<std::string, std::vector<std::string> > meta; |
2839 | std::cout << "Metadata for '" << zone << "'" << endl; | |
2840 | B.getAllDomainMetadata(zone, meta); | |
2841 | for(std::map<std::string, std::vector<std::string> >::const_iterator each_meta = meta.begin(); each_meta != meta.end(); each_meta++) { | |
2842 | cout << each_meta->first << " = " << boost::join(each_meta->second, ", ") << endl; | |
451ba512 | 2843 | } |
2e050d2c AT |
2844 | } |
2845 | return 0; | |
2846 | ||
451ba512 AT |
2847 | } else if (cmds[0]=="set-meta") { |
2848 | UeberBackend B("default"); | |
2849 | if (cmds.size() < 3) { | |
2850 | cerr << "Syntax: " << cmds[0] << " zone kind [value value ..]" << endl; | |
2851 | return 1; | |
2852 | } | |
b873e23a | 2853 | DNSName zone(cmds[1]); |
451ba512 AT |
2854 | string kind = cmds[2]; |
2855 | vector<string> meta(cmds.begin() + 3, cmds.end()); | |
2856 | ||
2857 | if (!B.setDomainMetadata(zone, kind, meta)) { | |
2858 | cerr << "Unable to set meta for '" << zone << "'" << endl; | |
2859 | return 1; | |
2860 | } else { | |
b9d63cb9 | 2861 | cout << "Set '" << zone.toStringNoDot() << "' meta " << kind << " = " << boost::join(meta, ", ") << endl; |
451ba512 | 2862 | } |
8daea594 | 2863 | } else if (cmds[0]=="hsm") { |
3c12a7e9 | 2864 | #ifdef HAVE_P11KIT1 |
8daea594 AT |
2865 | UeberBackend B("default"); |
2866 | if (cmds[1] == "assign") { | |
2867 | DNSCryptoKeyEngine::storvector_t storvect; | |
2868 | DomainInfo di; | |
629b6616 | 2869 | std::vector<DNSBackend::KeyData> keys; |
829035c1 AT |
2870 | |
2871 | if (cmds.size() < 9) { | |
fd5076c8 | 2872 | std::cout << "Usage: pdnsutil hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << std::endl; |
829035c1 AT |
2873 | return 1; |
2874 | } | |
2875 | ||
e8afb726 | 2876 | DNSName zone(cmds[2]); |
829035c1 | 2877 | |
8daea594 AT |
2878 | // verify zone |
2879 | if (!B.getDomainInfo(zone, di)) { | |
2880 | cerr << "Unable to assign module to unknown zone '" << zone << "'" << std::endl; | |
2881 | return 1; | |
2882 | } | |
2883 | ||
2884 | int algorithm = shorthand2algorithm(cmds[3]); | |
5dce7548 AT |
2885 | if (algorithm<0) { |
2886 | cerr << "Unable to use unknown algorithm '" << cmds[3] << "'" << std::endl; | |
2887 | return 1; | |
2888 | } | |
2889 | ||
829035c1 | 2890 | int id; |
8daea594 AT |
2891 | bool keyOrZone = (cmds[4] == "ksk" ? true : false); |
2892 | string module = cmds[5]; | |
2893 | string slot = cmds[6]; | |
2894 | string pin = cmds[7]; | |
2895 | string label = cmds[8]; | |
2896 | ||
2897 | std::ostringstream iscString; | |
2898 | iscString << "Private-key-format: v1.2" << std::endl << | |
2899 | "Algorithm: " << algorithm << std::endl << | |
2900 | "Engine: " << module << std::endl << | |
2901 | "Slot: " << slot << std::endl << | |
2902 | "PIN: " << pin << std::endl << | |
2903 | "Label: " << label << std::endl; | |
2904 | ||
2905 | DNSKEYRecordContent drc; | |
2906 | DNSSECPrivateKey dpk; | |
2907 | dpk.d_flags = (keyOrZone ? 257 : 256); | |
2908 | dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(drc, iscString.str()))); | |
829035c1 | 2909 | |
629b6616 AT |
2910 | // make sure this key isn't being reused. |
2911 | B.getDomainKeys(zone, 0, keys); | |
2912 | id = -1; | |
2913 | ||
ff05fd12 | 2914 | for(DNSBackend::KeyData& kd : keys) { |
629b6616 AT |
2915 | if (kd.content == iscString.str()) { |
2916 | // it's this one, I guess... | |
2917 | id = kd.id; | |
2918 | break; | |
2919 | } | |
2920 | } | |
2921 | ||
2922 | if (id > -1) { | |
2923 | cerr << "You have already assigned this key with ID=" << id << std::endl; | |
2924 | return 1; | |
2925 | } | |
2926 | ||
829035c1 | 2927 | if (!(id = dk.addKey(zone, dpk))) { |
8daea594 AT |
2928 | cerr << "Unable to assign module slot to zone" << std::endl; |
2929 | return 1; | |
2930 | } | |
2931 | ||
86c979f5 AT |
2932 | // figure out key id. |
2933 | ||
86c979f5 AT |
2934 | B.getDomainKeys(zone, 0, keys); |
2935 | ||
2936 | // validate which one got the key... | |
ff05fd12 | 2937 | for(DNSBackend::KeyData& kd : keys) { |
86c979f5 AT |
2938 | if (kd.content == iscString.str()) { |
2939 | // it's this one, I guess... | |
2940 | id = kd.id; | |
2941 | break; | |
2942 | } | |
2943 | } | |
2944 | ||
829035c1 | 2945 | cerr << "Module " << module << " slot " << slot << " assigned to " << zone << " with key id " << id << endl; |
86c979f5 | 2946 | |
8daea594 AT |
2947 | return 0; |
2948 | } else if (cmds[1] == "create-key") { | |
70f0f8c4 AT |
2949 | |
2950 | if (cmds.size() < 4) { | |
fd5076c8 | 2951 | cerr << "Usage: pdnsutil hsm create-key ZONE KEY-ID [BITS]" << endl; |
70f0f8c4 AT |
2952 | return 1; |
2953 | } | |
8daea594 | 2954 | DomainInfo di; |
e8afb726 | 2955 | DNSName zone(cmds[2]); |
8daea594 | 2956 | unsigned int id; |
70f0f8c4 | 2957 | int bits = 2048; |
8daea594 AT |
2958 | // verify zone |
2959 | if (!B.getDomainInfo(zone, di)) { | |
2960 | cerr << "Unable to create key for unknown zone '" << zone << "'" << std::endl; | |
2961 | return 1; | |
2962 | } | |
2963 | ||
335da0ba | 2964 | id = pdns_stou(cmds[3]); |
8daea594 AT |
2965 | std::vector<DNSBackend::KeyData> keys; |
2966 | if (!B.getDomainKeys(zone, 0, keys)) { | |
2967 | cerr << "No keys found for zone " << zone << std::endl; | |
2968 | return 1; | |
2969 | } | |
2970 | ||
2971 | DNSCryptoKeyEngine *dke = NULL; | |
2972 | // lookup correct key | |
ff05fd12 | 2973 | for(DNSBackend::KeyData &kd : keys) { |
8daea594 AT |
2974 | if (kd.id == id) { |
2975 | // found our key. | |
2976 | DNSKEYRecordContent dkrc; | |
2977 | dke = DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content); | |
2978 | } | |
2979 | } | |
2980 | ||
2981 | if (!dke) { | |
2982 | cerr << "Could not find key with ID " << id << endl; | |
2983 | return 1; | |
2984 | } | |
70f0f8c4 | 2985 | if (cmds.size() > 4) { |
335da0ba | 2986 | bits = pdns_stou(cmds[4]); |
70f0f8c4 AT |
2987 | } |
2988 | if (bits < 1) { | |
2989 | cerr << "Invalid bit size " << bits << "given, must be positive integer"; | |
2990 | return 1; | |
2991 | } | |
829035c1 | 2992 | try { |
70f0f8c4 AT |
2993 | dke->create(bits); |
2994 | } catch (PDNSException& e) { | |
2995 | cerr << e.reason << endl; | |
829035c1 AT |
2996 | return 1; |
2997 | } | |
8daea594 | 2998 | |
70f0f8c4 | 2999 | cerr << "Key of size " << bits << " created" << std::endl; |
8daea594 AT |
3000 | return 0; |
3001 | } | |
3c12a7e9 AT |
3002 | #else |
3003 | cerr<<"PKCS#11 support not enabled"<<endl; | |
3004 | return 1; | |
3005 | #endif | |
90c2c8e9 AT |
3006 | } else if (cmds[0] == "b2b-migrate") { |
3007 | if (cmds.size() < 3) { | |
ec53ae22 | 3008 | cerr<<"Usage: b2b-migrate OLD NEW"<<endl; |
90c2c8e9 AT |
3009 | return 1; |
3010 | } | |
3011 | ||
3012 | DNSBackend *src,*tgt; | |
3013 | src = tgt = NULL; | |
3014 | ||
3015 | for(DNSBackend *b : BackendMakers().all()) { | |
3016 | if (b->getPrefix() == cmds[1]) src = b; | |
3017 | if (b->getPrefix() == cmds[2]) tgt = b; | |
3018 | } | |
3019 | if (!src) { | |
3020 | cerr<<"Unknown source backend '"<<cmds[1]<<"'"<<endl; | |
3021 | return 1; | |
3022 | } | |
3023 | if (!tgt) { | |
3024 | cerr<<"Unknown target backend '"<<cmds[2]<<"'"<<endl; | |
3025 | return 1; | |
3026 | } | |
3027 | ||
3028 | cout<<"Moving zone(s) from "<<src->getPrefix()<<" to "<<tgt->getPrefix()<<endl; | |
3029 | ||
3030 | vector<DomainInfo> domains; | |
3031 | ||
3032 | tgt->getAllDomains(&domains, true); | |
3033 | if (domains.size()>0) | |
3034 | throw PDNSException("Target backend has domain(s), please clean it first"); | |
3035 | ||
3036 | src->getAllDomains(&domains, true); | |
3037 | // iterate zones | |
3038 | for(const DomainInfo& di: domains) { | |
3039 | size_t nr,nc,nm,nk; | |
3040 | DNSResourceRecord rr; | |
21a3792f | 3041 | cout<<"Processing '"<<di.zone.toString()<<"'"<<endl; |
90c2c8e9 AT |
3042 | // create zone |
3043 | if (!tgt->createDomain(di.zone)) throw PDNSException("Failed to create zone"); | |
3044 | tgt->setKind(di.zone, di.kind); | |
3045 | tgt->setAccount(di.zone,di.account); | |
3046 | for(const string& master: di.masters) { | |
3047 | tgt->setMaster(di.zone, master); | |
3048 | } | |
3049 | // move records | |
3050 | if (!src->list(di.zone, di.id, true)) throw PDNSException("Failed to list records"); | |
3051 | nr=0; | |
3052 | while(src->get(rr)) { | |
3053 | if (!tgt->feedRecord(rr)) throw PDNSException("Failed to feed record"); | |
3054 | nr++; | |
3055 | } | |
3056 | // move comments | |
3057 | nc=0; | |
3058 | if (src->listComments(di.id)) { | |
3059 | Comment c; | |
3060 | while(src->getComment(c)) { | |
3061 | tgt->feedComment(c); | |
3062 | nc++; | |
3063 | } | |
3064 | } | |
3065 | // move metadata | |
3066 | nm=0; | |
3067 | std::map<std::string, std::vector<std::string> > meta; | |
3068 | if (src->getAllDomainMetadata(di.zone, meta)) { | |
3069 | std::map<std::string, std::vector<std::string> >::iterator i; | |
3070 | for(i=meta.begin(); i != meta.end(); i++) { | |
3071 | if (!tgt->setDomainMetadata(di.zone, i->first, i->second)) throw PDNSException("Failed to feed domain metadata"); | |
3072 | nm++; | |
3073 | } | |
3074 | } | |
3075 | // move keys | |
3076 | nk=0; | |
3077 | std::vector<DNSBackend::KeyData> keys; | |
3078 | if (src->getDomainKeys(di.zone, 0, keys)) { | |
3079 | for(const DNSBackend::KeyData& k: keys) { | |
3080 | tgt->addDomainKey(di.zone, k); | |
3081 | nk++; | |
3082 | } | |
3083 | } | |
3084 | cout<<"Moved "<<nr<<" record(s), "<<nc<<" comment(s), "<<nm<<" metadata(s) and "<<nk<<" cryptokey(s)"<<endl; | |
3085 | } | |
3086 | ||
3087 | int ntk=0; | |
3088 | // move tsig keys | |
3089 | std::vector<struct TSIGKey> tkeys; | |
3090 | if (src->getTSIGKeys(tkeys)) { | |
3091 | for(const struct TSIGKey& tk: tkeys) { | |
3092 | if (!tgt->setTSIGKey(tk.name, tk.algorithm, tk.key)) throw PDNSException("Failed to feed TSIG key"); | |
3093 | ntk++; | |
3094 | } | |
3095 | } | |
3096 | cout<<"Moved "<<ntk<<" TSIG key(s)"<<endl; | |
3097 | ||
3098 | cout<<"Remember to drop the old backend and run rectify-all-zones"<<endl; | |
3099 | ||
f641c3b7 PD |
3100 | return 0; |
3101 | } else if (cmds[0] == "backend-cmd") { | |
3102 | if (cmds.size() < 3) { | |
3103 | cerr<<"Usage: backend-cmd BACKEND CMD [CMD..]"<<endl; | |
3104 | return 1; | |
3105 | } | |
3106 | ||
3107 | DNSBackend *db; | |
3108 | db = NULL; | |
3109 | ||
3110 | for(DNSBackend *b : BackendMakers().all()) { | |
3111 | if (b->getPrefix() == cmds[1]) db = b; | |
3112 | } | |
3113 | ||
3114 | if (!db) { | |
3115 | cerr<<"Unknown backend '"<<cmds[1]<<"'"<<endl; | |
3116 | return 1; | |
3117 | } | |
3118 | ||
3119 | for(auto i=next(begin(cmds),2); i != end(cmds); ++i) { | |
3120 | cerr<<"== "<<*i<<endl; | |
3121 | cout<<db->directBackendCmd(*i); | |
3122 | } | |
3123 | ||
90c2c8e9 | 3124 | return 0; |
451ba512 | 3125 | } else { |
5cde65f4 | 3126 | cerr<<"Unknown command '"<<cmds[0] <<"'"<< endl; |
1d211b1b BH |
3127 | return 1; |
3128 | } | |
3129 | return 0; | |
3130 | } | |
3f81d239 | 3131 | catch(PDNSException& ae) { |
20002664 | 3132 | cerr<<"Error: "<<ae.reason<<endl; |
0c4c552d | 3133 | return 1; |
20002664 | 3134 | } |
14133ba3 BH |
3135 | catch(std::exception& e) { |
3136 | cerr<<"Error: "<<e.what()<<endl; | |
0c4c552d | 3137 | return 1; |
14133ba3 | 3138 | } |
38392ad7 | 3139 | catch(...) |
3140 | { | |
3141 | cerr<<"Caught an unknown exception"<<endl; | |
3142 | return 1; | |
3143 | } |