to dnssec-keygen and dnssec-keyfromlabel.
const char *program = "dnssec-keyfromlabel";
+static uint16_t tag_min = 0, tag_max = 0xffff;
+
ISC_NORETURN static void
usage(void);
"key files\n");
fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -L ttl: default key TTL\n");
+ fprintf(stderr, " -M <min>:<max>: allowed Key ID range\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | "
"OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
isc_commandline_errprint = false;
-#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:Vy"
+#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:M:n:P:p:R:S:t:v:Vy"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case '3':
case 'l':
label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
+ case 'M': {
+ unsigned long ul;
+ tag_min = ul = strtoul(isc_commandline_argument, &endp,
+ 10);
+ if (*endp != ':' || ul > 0xffff) {
+ fatal("-M range invalid");
+ }
+ tag_max = ul = strtoul(endp + 1, &endp, 10);
+ if (*endp != '\0' || ul > 0xffff || tag_max <= tag_min)
+ {
+ fatal("-M range invalid");
+ }
+ break;
+ }
case 'n':
nametype = isc_commandline_argument;
break;
* is a risk of ID collision due to this key or another key
* being revoked.
*/
- if (key_collision(key, name, directory, mctx, &exact)) {
+ if (key_collision(key, name, directory, mctx, tag_min, tag_max, &exact))
+ {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS) {
char *type;
int protocol;
int size;
+ uint16_t tag_min;
+ uint16_t tag_max;
int signatory;
dns_rdataclass_t rdclass;
int options;
fprintf(stderr, " -f <keyflag>: ZSK | KSK | REVOKE\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
+ fprintf(stderr, " -M <min>:<max>: allowed Key ID range\n");
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
"records with (default: 0)\n");
* if there is a risk of ID collision due to this key
* or another key being revoked.
*/
- if (key_collision(key, name, ctx->directory, mctx, NULL)) {
+ if (key_collision(key, name, ctx->directory, mctx, ctx->tag_min,
+ ctx->tag_max, NULL))
+ {
conflict = true;
if (null_key) {
dst_key_free(&key);
/*
* Process memory debugging argument first.
*/
-#define CMDLINE_FLAGS \
- "3A:a:b:Cc:D:d:E:Ff:GhI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \
+#define CMDLINE_FLAGS \
+ "3A:a:b:Cc:D:d:E:Ff:GhI:i:K:k:L:l:M:m:n:P:p:qR:r:S:s:" \
"T:t:v:V"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'n':
ctx.nametype = isc_commandline_argument;
break;
+ case 'M': {
+ unsigned long ul;
+ ctx.tag_min = ul = strtoul(isc_commandline_argument,
+ &endp, 10);
+ if (*endp != ':' || ul > 0xffff) {
+ fatal("-M range invalid");
+ }
+ ctx.tag_max = ul = strtoul(endp + 1, &endp, 10);
+ if (*endp != '\0' || ul > 0xffff ||
+ ctx.tag_max <= ctx.tag_min)
+ {
+ fatal("-M range invalid");
+ }
+ break;
+ }
case 'm':
break;
case 'p':
}
/* Do not overwrite an existing key. */
- if (key_collision(key, name, ksr->keydir, mctx, NULL)) {
+ if (key_collision(key, name, ksr->keydir, mctx, 0, 0xffff,
+ NULL))
+ {
conflict = true;
if (verbose > 0) {
isc_buffer_clear(&buf);
bool
key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
- isc_mem_t *mctx, bool *exact) {
+ isc_mem_t *mctx, uint16_t min, uint16_t max, bool *exact) {
isc_result_t result;
bool conflict = false;
dns_dnsseckeylist_t matchkeys;
rid = dst_key_rid(dstkey);
alg = dst_key_alg(dstkey);
+ if (min != max) {
+ if (id < min || id > max) {
+ fprintf(stderr, "Key ID %d outside of [%u..%u]\n", id,
+ min, max);
+ return (true);
+ }
+ if (rid < min || rid > max) {
+ fprintf(stderr,
+ "Revoked Key ID %d (for tag %d) outside of "
+ "[%u..%u]\n",
+ rid, id, min, max);
+ return (true);
+ }
+ }
+
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, NULL, dir, NULL, now, mctx,
&matchkeys);
bool
key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
- isc_mem_t *mctx, bool *exact);
+ isc_mem_t *mctx, uint16_t min, uint16_t max, bool *exact);
bool
isoptarg(const char *arg, char **argv, void (*usage)(void));
projects / thirdparty / bind9.git / commitdiff
