#include <dns/lib.h>
#include <dns/master.h>
#include <dns/masterdump.h>
+#include <dns/nsec3.h>
#include <dns/nta.h>
#include <dns/order.h>
#include <dns/peer.h>
bool allow = false, maint = false;
bool sigvalinsecs;
- if (kasp) {
+ if (kasp != NULL) {
+ if (dns_kasp_nsec3(kasp)) {
+ result = dns_zone_setnsec3param(
+ zone, 1, dns_kasp_nsec3flags(kasp),
+ dns_kasp_nsec3iter(kasp),
+ dns_kasp_nsec3saltlen(kasp),
+ dns_kasp_nsec3salt(kasp), true);
+ } else {
+ unsigned char *salt;
+ DE_CONST("-", salt);
+ result = dns_zone_setnsec3param(zone, 0, 0, 0,
+ 0, salt, true);
+ }
+ INSIST(result == ISC_R_SUCCESS);
+ }
+
+ if (kasp != NULL) {
seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
- if (kasp) {
+ if (kasp != NULL) {
seconds = (uint32_t)dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t)dns_kasp_sigrefresh(kasp);
mkeys \
names \
notify \
+ nsec3 \
nslookup \
padding \
pending \
mkeys
names
notify
+nsec3
nslookup
nsupdate
padding
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out.* rndc.signing.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt "deadbeef";
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ dnssec-policy "nsec";
+};
+
+/* This zone uses the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ dnssec-policy "nsec3";
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ dnssec-policy "nsec3-other";
+};
+
+/* The zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ dnssec-policy "nsec3";
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt "deadbeef";
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ //dnssec-policy "nsec";
+ dnssec-policy "nsec3";
+};
+
+/* This zone uses the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ dnssec-policy "nsec3";
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ dnssec-policy "nsec3-other";
+};
+
+/* The zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec3-other";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec";
+};
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in "$zonefile"
+}
+
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec
+do
+ setup "${zn}.kasp"
+done
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+
+(
+ cd ns3
+ $SHELL setup.sh
+)
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+# Log errors and increment $ret.
+log_error() {
+ echo_i "error: $1"
+ ret=$((ret+1))
+}
+
+# Call dig with default options.
+dig_with_opts() {
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+# Call rndc.
+rndccmd() {
+ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Set server key-directory ($1) and address ($2) for testing nsec3.
+set_server() {
+ DIR=$1
+ SERVER=$2
+}
+# Set zone name ($1) and policy ($2) for testing nsec3.
+set_zone_policy() {
+ ZONE=$1
+ POLICY=$2
+}
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and salt ($3).
+set_nsec3param() {
+ FLAGS=$1
+ ITERATIONS=$2
+ SALT=$3
+}
+
+# The apex NSEC3PARAM record indicates that it is signed.
+_wait_for_nsec3param() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
+ grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+ return 0
+}
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1
+ grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1
+ return 0
+}
+
+# Wait for the zone to be signed.
+wait_for_zone_is_signed() {
+ n=$((n+1))
+ ret=0
+ echo_i "wait for ${ZONE} to be signed ($n)"
+
+ if [ "$1" = "nsec3" ]; then
+ retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
+ else
+ retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
+ fi
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: dnssec-verify zone $1.
+dnssec_verify()
+{
+ n=$((n+1))
+ echo_i "dnssec-verify zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.test$n.axfr || log_error "dig ${ZONE} AXFR failed"
+ $VERIFY -z -o "$ZONE" dig.out.test$n.axfr > /dev/null || log_error "dnssec verify zone $ZONE failed"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: check NSEC in answers
+_check_nsec_nsec3param()
+{
+ dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+ grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
+ return 0
+}
+
+_check_nsec_nxdomain()
+{
+ dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+ grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+ grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
+ return 0
+}
+
+check_nsec()
+{
+ n=$((n+1))
+ echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: check NSEC3 parameters in answers
+_check_nsec3_nsec3param()
+{
+ dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+ grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
+ return 0
+}
+
+_check_nsec3_nxdomain()
+{
+ dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+ grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+ return 0
+}
+
+check_nsec3()
+{
+ n=$((n+1))
+ echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NSEC3 response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+# Zone: nsec-to-nsec3.kasp.
+set_zone_policy "nsec-to-nsec3.kasp" "nsec"
+set_server "ns3" "10.53.0.3"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3.kasp.
+set_zone_policy "nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp.
+set_zone_policy "nsec3-change.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-nsec.kasp.
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-other.kasp.
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+
+# Reconfig named.
+echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+
+# Zone: nsec-to-nsec3.kasp. (reconfigured)
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3.kasp. (same)
+set_zone_policy "nsec3.kasp" "nsec3"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-change.kasp. (reconfigured)
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-to-nsec.kasp. (reconfigured)
+set_zone_policy "nsec3-to-nsec.kasp" "nsec"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec
+dnssec_verify
+
+# Zone: nsec3-other.kasp. (same)
+set_zone_policy "nsec3-other.kasp" "nsec3-other"
+set_nsec3param "1" "11" "DEADBEEF"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Using rndc signing -nsec3param
+set_zone_policy "nsec3-change.kasp" "nsec3-other"
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+dnssec_verify
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
+
uint8_t role;
};
+struct dns_kasp_nsec3param {
+ unsigned char salt[255];
+ uint8_t saltlen;
+ uint8_t algorithm;
+ uint8_t iterations;
+ bool optout;
+};
+
/* Stores a DNSSEC policy */
struct dns_kasp {
unsigned int magic;
dns_kasp_keylist_t keys;
dns_ttl_t dnskey_ttl;
+ /* Configuration: Denial of existence */
+ bool nsec3;
+ dns_kasp_nsec3param_t nsec3param;
+
/* Configuration: Timings */
uint32_t publish_safety;
uint32_t retire_safety;
/* Parent settings */
dns_ttl_t parent_ds_ttl;
uint32_t parent_propagation_delay;
-
- /* TODO: The rest of the KASP configuration */
};
#define DNS_KASP_MAGIC ISC_MAGIC('K', 'A', 'S', 'P')
*
*/
+bool
+dns_kasp_nsec3(dns_kasp_t *kasp);
+/*%<
+ * Return true if NSEC3 chain should be used.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3iter(dns_kasp_t *kasp);
+/*%<
+ * The number of NSEC3 iterations to use.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *\li 'kasp->nsec3' is true.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3flags(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 flags field value.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *\li 'kasp->nsec3' is true.
+ *
+ */
+
+uint8_t
+dns_kasp_nsec3saltlen(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 salt length.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *\li 'kasp->nsec3' is true.
+ *
+ */
+
+unsigned char *
+dns_kasp_nsec3salt(dns_kasp_t *kasp);
+/*%<
+ * The NSEC3 salt used.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *\li 'kasp->nsec3' is true.
+ *
+ */
+
+void
+dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3);
+/*%<
+ * Set to use NSEC3 if 'nsec3' is 'true', otherwise policy will use NSEC.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, unfrozen kasp.
+ *
+ */
+
+isc_result_t
+dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
+ const char *salt);
+/*%<
+ * Set the desired NSEC3 parameters.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, unfrozen kasp.
+ *\li 'kasp->nsec3' is true.
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS, if NSEC3 parameters are set.
+ *\li Error, if isc_hex_decodestring() fails.
+ *
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_KASP_H */
typedef ISC_LIST(dns_kasp_t) dns_kasplist_t;
typedef struct dns_kasp_key dns_kasp_key_t;
typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t;
-typedef uint16_t dns_keyflags_t;
-typedef struct dns_keynode dns_keynode_t;
+typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t;
+typedef uint16_t dns_keyflags_t;
+typedef struct dns_keynode dns_keynode_t;
typedef ISC_LIST(dns_keynode_t) dns_keynodelist_t;
typedef struct dns_keytable dns_keytable_t;
typedef uint16_t dns_keytag_t;
#include <string.h>
#include <isc/assertions.h>
+#include <isc/buffer.h>
#include <isc/file.h>
+#include <isc/hex.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/util.h>
kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
- /* TODO: The rest of the KASP configuration */
+ kasp->nsec3 = false;
kasp->magic = DNS_KASP_MAGIC;
*kaspp = kasp;
return (key->role & DNS_KASP_KEY_ROLE_ZSK);
}
+
+uint8_t
+dns_kasp_nsec3iter(dns_kasp_t *kasp) {
+ REQUIRE(kasp != NULL);
+ REQUIRE(kasp->frozen);
+ REQUIRE(kasp->nsec3);
+
+ return (kasp->nsec3param.iterations);
+}
+
+uint8_t
+dns_kasp_nsec3flags(dns_kasp_t *kasp) {
+ REQUIRE(kasp != NULL);
+ REQUIRE(kasp->frozen);
+ REQUIRE(kasp->nsec3);
+
+ if (kasp->nsec3param.optout) {
+ return (0x01);
+ }
+ return (0x00);
+}
+
+uint8_t
+dns_kasp_nsec3saltlen(dns_kasp_t *kasp) {
+ REQUIRE(kasp != NULL);
+ REQUIRE(kasp->frozen);
+ REQUIRE(kasp->nsec3);
+
+ return (kasp->nsec3param.saltlen);
+}
+
+unsigned char *
+dns_kasp_nsec3salt(dns_kasp_t *kasp) {
+ REQUIRE(kasp != NULL);
+ REQUIRE(kasp->frozen);
+ REQUIRE(kasp->nsec3);
+
+ return kasp->nsec3param.salt;
+}
+
+bool
+dns_kasp_nsec3(dns_kasp_t *kasp) {
+ REQUIRE(kasp != NULL);
+ REQUIRE(kasp->frozen);
+
+ return kasp->nsec3;
+}
+
+void
+dns_kasp_setnsec3(dns_kasp_t *kasp, bool nsec3) {
+ REQUIRE(kasp != NULL);
+ REQUIRE(!kasp->frozen);
+
+ kasp->nsec3 = nsec3;
+}
+
+isc_result_t
+dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
+ const char *salt) {
+ isc_buffer_t buf;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ REQUIRE(kasp != NULL);
+ REQUIRE(!kasp->frozen);
+ REQUIRE(kasp->nsec3);
+
+ kasp->nsec3param.iterations = iter;
+ kasp->nsec3param.optout = optout;
+ kasp->nsec3param.saltlen = 0;
+
+ if (salt != NULL && strcmp(salt, "-") != 0) {
+ isc_buffer_init(&buf, kasp->nsec3param.salt,
+ sizeof(kasp->nsec3param.salt));
+ ret = isc_hex_decodestring(salt, &buf);
+ if (ret == ISC_R_SUCCESS) {
+ kasp->nsec3param.saltlen = isc_buffer_usedlength(&buf);
+ }
+ }
+ return (ret);
+}
dns_kasp_key_zsk
dns_kasp_keylist_empty
dns_kasp_keys
+dns_kasp_nsec3
+dns_kasp_nsec3flags
+dns_kasp_nsec3iter
+dns_kasp_nsec3salt
+dns_kasp_nsec3saltlen
dns_kasp_parentpropagationdelay
dns_kasp_publishsafety
dns_kasp_retiresafety
dns_kasp_setdnskeyttl
dns_kasp_setdsttl
+dns_kasp_setnsec3
+dns_kasp_setnsec3param
dns_kasp_setparentpropagationdelay
dns_kasp_setpublishsafety
dns_kasp_setretiresafety
DNS_ZONEOPT_DNSKEYKSKONLY);
/* Determine which type of chain to build */
- CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
- &build_nsec3));
-
- /* If neither chain is found, default to NSEC */
- if (!build_nsec && !build_nsec3) {
- build_nsec = true;
+ if (kasp != NULL) {
+ build_nsec3 = dns_kasp_nsec3(kasp);
+ build_nsec = !build_nsec3;
+ } else {
+ CHECK(dns_private_chains(db, version, zone->privatetype,
+ &build_nsec, &build_nsec3));
+ /* If neither chain is found, default to NSEC */
+ if (!build_nsec && !build_nsec3) {
+ build_nsec = true;
+ }
}
while (signing != NULL && nodes-- > 0 && signatures > 0) {
if (hash == 0) {
np->length = 0;
np->nsec = true;
+ dnssec_log(zone, ISC_LOG_DEBUG(3), "setnsec3param:nsec");
} else {
param.common.rdclass = zone->rdclass;
param.common.rdtype = dns_rdatatype_nsec3param;
np->data, sizeof(np->data));
np->length = prdata.length;
np->nsec = false;
+
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+ unsigned char text[255 * 2 + 1];
+ isc_buffer_t buf;
+ isc_result_t ret;
+ isc_region_t r;
+
+ r.base = salt;
+ r.length = (unsigned int)saltlen;
+ if (saltlen > 0) {
+ isc_buffer_init(&buf, text, sizeof(text));
+ ret = isc_hex_totext(&r, 2, "", &buf);
+ if (ret == ISC_R_SUCCESS) {
+ text[saltlen * 2] = 0;
+ } else {
+ text[0] = 0;
+ }
+ } else {
+ text[0] = '-';
+ text[1] = 0;
+ }
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "setnsec3param:nsec3 %u %u %u %s", hash,
+ flags, iter, text);
+ }
}
/*
#include <isccfg/kaspconf.h>
#include <isccfg/namedconf.h>
+#define DEFAULT_NSEC3PARAM_ITER 5
+
/*
* Utility function for getting a configuration option.
*/
return (result);
}
+static isc_result_t
+cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp) {
+ const cfg_obj_t *obj = NULL;
+ const char *salt = NULL;
+ uint8_t iter = DEFAULT_NSEC3PARAM_ITER;
+ bool optout = false;
+
+ /* How many iterations. */
+ obj = cfg_tuple_get(config, "iterations");
+ if (cfg_obj_isuint32(obj)) {
+ iter = cfg_obj_asuint32(obj);
+ }
+
+ /* Opt-out? */
+ obj = cfg_tuple_get(config, "optout");
+ if (cfg_obj_isboolean(obj)) {
+ optout = cfg_obj_asboolean(obj);
+ }
+
+ /* Salt */
+ obj = cfg_tuple_get(config, "salt");
+ if (cfg_obj_isstring(obj)) {
+ salt = cfg_obj_asstring(obj);
+ }
+
+ return dns_kasp_setnsec3param(kasp, iter, optout, salt);
+}
+
isc_result_t
cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *logctx,
dns_kasplist_t *kasplist, dns_kasp_t **kaspp) {
const cfg_obj_t *maps[2];
const cfg_obj_t *koptions = NULL;
const cfg_obj_t *keys = NULL;
+ const cfg_obj_t *nsec3 = NULL;
const cfg_listelt_t *element = NULL;
const char *kaspname = NULL;
dns_kasp_t *kasp = NULL;
}
INSIST(!(dns_kasp_keylist_empty(kasp)));
+ /* Configuration: NSEC3 */
+ (void)confget(maps, "nsec3param", &nsec3);
+ if (nsec3 == NULL) {
+ dns_kasp_setnsec3(kasp, false);
+ } else {
+ dns_kasp_setnsec3(kasp, true);
+ result = cfg_nsec3param_fromconfig(nsec3, kasp);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+ }
+
/* Configuration: Zone settings */
dns_kasp_setzonemaxttl(
kasp, get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL));
kasp, get_duration(maps, "parent-propagation-delay",
DNS_KASP_PARENT_PROPDELAY));
- /* TODO: Rest of the configuration */
-
/* Append it to the list for future lookups. */
ISC_LIST_APPEND(*kasplist, kasp, link);
INSIST(!(ISC_LIST_EMPTY(*kasplist)));
./bin/tests/system/notify/ns4/named.port.in X 2014,2018,2019,2020
./bin/tests/system/notify/setup.sh SH 2000,2001,2004,2007,2012,2014,2016,2018,2019,2020
./bin/tests/system/notify/tests.sh SH 2000,2001,2004,2007,2011,2012,2013,2014,2015,2016,2018,2019,2020
+./bin/tests/system/nsec3/clean.sh SH 2020
+./bin/tests/system/nsec3/ns3/setup.sh SH 2020
+./bin/tests/system/nsec3/setup.sh SH 2020
+./bin/tests/system/nsec3/tests.sh SH 2020
./bin/tests/system/nslookup/clean.sh SH 2014,2015,2016,2018,2019,2020
./bin/tests/system/nslookup/setup.sh SH 2014,2016,2018,2019,2020
./bin/tests/system/nslookup/tests.sh SH 2014,2016,2018,2019,2020
projects / thirdparty / bind9.git / commitdiff
