Add the concept of allowed key tag ranges to kasp
authorMark Andrews <marka@isc.org>
Tue, 6 Aug 2024 04:41:50 +0000 (14:41 +1000)
committerMark Andrews <marka@isc.org>
Thu, 22 Aug 2024 12:12:02 +0000 (12:12 +0000)
lib/dns/include/dns/kasp.h
lib/dns/kasp.c
lib/dns/keymgr.c

index 26af4695465af2bd531d9cff4cfb5636fc701028..674e733551c242be7be44d7b9c077068de12541c 100644 (file)
@@ -58,6 +58,8 @@ struct dns_kasp_key {
        uint8_t         algorithm;
        int             length;
        uint8_t         role;
+       uint16_t        tag_min;
+       uint16_t        tag_max;
 };
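Review bot: The two new fields `tag_min` and `tag_max` are added to `struct dns_kasp_key` without any comment saying what they bound or whether the bounds are inclusive, and the struct context visible here gives no hint either. From the comparison `id < min || id > max` in the keymgr.c hunk of this commit the range is inclusive, and from the `dns_kasp_key_create` hunk the defaults are 0 and 0xffff, so a one-line comment would save the next reader the cross-file lookup: `/* inclusive key tag range a generated key must fall in; default 0..0xffff */`. The enclosing struct starts before this hunk.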
 
 struct dns_kasp_nsec3param {
@@ -721,6 +723,26 @@ dns_kasp_key_zsk(dns_kasp_key_t *key);
  *
  */
 
+uint16_t
+dns_kasp_key_tagmin(dns_kasp_key_t *key);
+/*%<
+ * Returns the minimum permitted key tag value.
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ */
+
+uint16_t
+dns_kasp_key_tagmax(dns_kasp_key_t *key);
+/*%<
+ * Returns the maximum permitted key tag value.
+ *
+ * Requires:
+ *
+ *\li  key != NULL
+ */
+
 bool
 dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey);
 /*%<
index 50ecba05d6fca127fb466695f2ff4ee22dcae110..03308b44b67608bdb5abd920dc275f88966aafb2 100644 (file)
@@ -401,7 +401,7 @@ dns_kasp_addkey(dns_kasp_t *kasp, dns_kasp_key_t *key) {
 isc_result_t
 dns_kasp_key_create(dns_kasp_t *kasp, dns_kasp_key_t **keyp) {
        dns_kasp_key_t *key = NULL;
-       dns_kasp_key_t k = { .length = -1 };
+       dns_kasp_key_t k = { .tag_max = 0xffff, .length = -1 };
 
        REQUIRE(DNS_KASP_VALID(kasp));
        REQUIRE(keyp != NULL && *keyp == NULL);
@@ -507,6 +507,18 @@ dns_kasp_key_zsk(dns_kasp_key_t *key) {
        return (key->role & DNS_KASP_KEY_ROLE_ZSK);
 }
 
+uint16_t
+dns_kasp_key_tagmin(dns_kasp_key_t *key) {
+       REQUIRE(key != NULL);
+       return (key->tag_min);
+}
+
+uint16_t
+dns_kasp_key_tagmax(dns_kasp_key_t *key) {
+       REQUIRE(key != NULL);
+       return (key->tag_min);
+}
+
 bool
 dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
        isc_result_t ret;
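Review bot: `dns_kasp_key_tagmax` returns `key->tag_min` instead of `key->tag_max`, so the upper bound of the configured range is never observable through the accessor and any caller using it would get the lower bound back. The line should read `return (key->tag_max);`. Note that the keymgr.c hunk in this commit reads `kkey->tag_max` directly rather than through this accessor, which is why the bug does not show up there; a unit test calling both accessors on a key created by `dns_kasp_key_create` (which sets `tag_max = 0xffff`) would catch it.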
index 3eb61185e898a87941be92a9c8390487e1133bd6..782941c3960d7efb046fb70a7cc649aada4dc79f 100644 (file)
@@ -426,11 +426,19 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 }
 
 static bool
-keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
+keymgr_keyid_conflict(dst_key_t *newkey, uint16_t min, uint16_t max,
+                     dns_dnsseckeylist_t *keys) {
        uint16_t id = dst_key_id(newkey);
        uint32_t rid = dst_key_rid(newkey);
        uint32_t alg = dst_key_alg(newkey);
 
+       if (id < min || id > max) {
+               return (true);
+       }
+       if (rid < min || rid > max) {
+               return (true);
+       }
+
        for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keys); dkey != NULL;
             dkey = ISC_LIST_NEXT(dkey, link))
        {
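Review bot: The range check added at the top of `keymgr_keyid_conflict` makes the function report "conflict" for a key whose tag merely falls outside the configured `min..max`, and the only caller (the keymgr_createkey hunk below) responds to any conflict with "Try again", i.e. by generating a fresh key. For a narrow configured range the expected number of regenerations grows accordingly (a range of one tag value means roughly 65536 attempts on average), and nothing in the hunk caps that loop; if the caller has no attempt limit, an operator-supplied tight range turns key generation into a very long spin. A comment above the new checks should make the intent explicit, e.g. `/* Out-of-range tags are treated as a conflict so the caller regenerates; narrow ranges make this expensive. */`, and it is worth confirming that the retry loop in the caller is bounded. The for loop and the function body continue past the end of this hunk.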
@@ -484,9 +492,11 @@ keymgr_createkey(dns_kasp_key_t *kkey, const dns_name_t *origin,
                }
 
                /* Key collision? */
-               conflict = keymgr_keyid_conflict(newkey, keylist);
+               conflict = keymgr_keyid_conflict(newkey, kkey->tag_min,
+                                                kkey->tag_max, keylist);
                if (!conflict) {
-                       conflict = keymgr_keyid_conflict(newkey, newkeys);
+                       conflict = keymgr_keyid_conflict(
+                               newkey, kkey->tag_min, kkey->tag_max, newkeys);
                }
                if (conflict) {
                        /* Try again. */