git.ipfire.org Git - thirdparty/pdns.git/commit
Add the 'CSK' (Combined Signing Key) nomenclature 3124/head
author Pieter Lexis <pieter.lexis@powerdns.com>
Tue, 19 Jan 2016 17:09:55 +0000 (18:09 +0100)
committer Pieter Lexis <pieter.lexis@powerdns.com>
Tue, 19 Jan 2016 21:45:57 +0000 (22:45 +0100)
commit b6bd795cee1e9cf9e8cf03ce722a713ec9b5a429
tree 046b9d4feadc7edd2e43842a57483d56f9467eb7
parent 9091cf89ad9f6b473c6b19fec93ac227e211a742
Add the 'CSK' (Combined Signing Key) nomenclature

This commit removes the 'keyOrZone' boolean from
DNSSECKeeper::KeyMetaData and adds 'keyType' enum to it that can contain
one of 3 values (KSK, ZSK or CSK). A key is marked as a CSK when there
is no other key with the same algorithm for the zone, and if there is
another key, that it does not have a different SEP-bit set.

By default, we now also set the SEP-bit in `pdnsutil secure-zone` when
only a ZSK is created (this is the default) so we comply with the
recommendation in RFC 6781 §3.2.3.

Closes #3194
13 files changed:
modules/remotebackend/regression-tests/dnssec-keys/expected_result
pdns/dbdnsseckeeper.cc
pdns/dnsseckeeper.hh
pdns/dnssecsigner.cc
pdns/pdnsutil.cc
pdns/ws-auth.cc
regression-tests.api/runtests
regression-tests.api/test_Zones.py
regression-tests/tests/00dnssec-grabkeys/command
regression-tests/tests/axfr/expected_result.dnssec
regression-tests/tests/axfr/expected_result.nsec3
regression-tests/tests/axfr/expected_result.nsec3-optout
regression-tests/tests/direct-dnskey/expected_result.dnssec
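
The KSK/ZSK/CSK rule from the commit message above, as an added example (not code from this commit or from PowerDNS). `ZoneKey`, `hasSEP` and `classifyKey` are hypothetical names, and the sketch assumes that a key with a same-algorithm sibling carrying the opposite SEP bit is a KSK when its own SEP bit is set and a ZSK otherwise.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Only the KSK/ZSK/CSK values come from the commit message; the rest is hypothetical.
enum class KeyType { KSK, ZSK, CSK };

struct ZoneKey {
  uint8_t algorithm;  // DNSSEC algorithm number, e.g. 8 or 13
  uint16_t flags;     // DNSKEY flags: 256 = zone key, 257 = zone key + SEP
};

// The SEP (Secure Entry Point) bit is the least significant bit of the flags field.
static bool hasSEP(const ZoneKey& k) { return (k.flags & 0x0001) != 0; }

// Classify keys[idx] relative to the other keys of the same zone.
KeyType classifyKey(const std::vector<ZoneKey>& keys, std::size_t idx) {
  const ZoneKey& self = keys[idx];
  for (std::size_t i = 0; i < keys.size(); ++i) {
    if (i == idx || keys[i].algorithm != self.algorithm)
      continue;  // keys of another algorithm do not affect this key's role
    if (hasSEP(keys[i]) != hasSEP(self)) {
      // A same-algorithm key with the other SEP setting exists: roles are split.
      return hasSEP(self) ? KeyType::KSK : KeyType::ZSK;
    }
  }
  // No same-algorithm key with a different SEP bit: this key signs everything.
  return KeyType::CSK;
}

int main() {
  // Constructed sample zone: a split pair on algorithm 8, a lone key on 13.
  std::vector<ZoneKey> keys = {{8, 257}, {8, 256}, {13, 257}};
  const char* names[] = {"KSK", "ZSK", "CSK"};
  for (std::size_t i = 0; i < keys.size(); ++i) {
    std::printf("alg=%u flags=%u -> %s\n", (unsigned)keys[i].algorithm,
                (unsigned)keys[i].flags,
                names[static_cast<int>(classifyKey(keys, i))]);
  }
  return 0;
}
```
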