/* variables for -checkds */
bool checkds = false, dspublish = false, use_keyid = false;
dns_keytag_t keyid = 0;
+ uint8_t algorithm = 0;
/* variables for -status */
bool status = false;
char output[4096];
if (ptr == NULL) {
msg = "Bad format";
CHECK(ISC_R_UNEXPECTEDEND);
- }
- if (argcheck(ptr, "key")) {
+ } else if (argcheck(ptr, "alg")) {
+ isc_consttextregion_t alg;
+ ptr = next_token(lex, text);
+ if (ptr == NULL) {
+ msg = "No key algorithm specified";
+ CHECK(ISC_R_UNEXPECTEDEND);
+ }
+ alg.base = ptr;
+ alg.length = strlen(alg.base);
+ result = dns_secalg_fromtext(
+ &algorithm, (isc_textregion_t *)&alg);
+ if (result != ISC_R_SUCCESS) {
+ msg = "Bad algorithm";
+ CHECK(DNS_R_SYNTAX);
+ }
+ continue;
+ } else if (argcheck(ptr, "key")) {
uint16_t id;
ptr = next_token(lex, text);
if (ptr == NULL) {
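Review bot: An explicit `-alg 0` ends up indistinguishable from no `-alg` at all: if dns_secalg_fromtext at L22 accepts a numeric 0 (the registry's reserved value; I cannot confirm its range check from here), `algorithm` stays at its 0 default, so the `algorithm > 0` tests at L47 and in keymgr_checkds at L160 treat the option as absent and the "Key id is required when setting algorithm" check never fires for that input. Since 0 is being used as the "not set" sentinel, the parser should reject it as user input, e.g. `if (result != ISC_R_SUCCESS || algorithm == 0) {` in place of the check at L24, keeping the existing `msg = "Bad algorithm";` path. The enclosing argument-parsing loop starts before this hunk and ends after it.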
* No arguments provided, so we must be
* parsing "published|withdrawn".
*/
- if (strcasecmp(ptr, "publish") == 0) {
+ if (strcasecmp(ptr, "published") == 0) {
dspublish = true;
- } else if (strcasecmp(ptr, "withdraw") != 0) {
+ } else if (strcasecmp(ptr, "withdrawn") != 0) {
CHECK(DNS_R_SYNTAX);
}
}
break;
}
+
+ if (algorithm > 0 && !use_keyid) {
+ msg = "Key id is required when setting algorithm";
+ CHECK(DNS_R_SYNTAX);
+ }
} else {
CHECK(DNS_R_SYNTAX);
}
LOCK(&kasp->lock);
if (use_keyid) {
result = dns_keymgr_checkds_id(kasp, &keys, dir, when,
- dspublish, keyid);
+ dspublish, keyid,
+ (unsigned int)algorithm);
} else {
result = dns_keymgr_checkds(kasp, &keys, dir, when,
dspublish);
Add zone to given view. Requires allow-new-zones option.\n\
delzone [-clean] zone [class [view]]\n\
Removes zone from given view.\n\
- dnssec -checkds [-key id] [-when time] (published|withdrawn) zone [class [view]]\n\
+ dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
Mark the DS record for the KSK of the given zone as seen\n\
in the parent. If the zone has multiple KSKs, select a\n\
- specific key by providing the keytag with -key id.\n\
+ specific key by providing the keytag with -key id and\n\
+ optionally the key's algorithm with -alg algorithm.\n\
Requires the zone to have a dnssec-policy.\n\
dnssec -status zone [class [view]]\n\
Show the DNSSEC signing state for the specified zone.\n\
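Review bot: The new usage line at L67 has an unbalanced bracket: `[-key id [-alg algorithm] [-when time]` opens two groups for -key/-alg but closes only one, so the synopsis reads as though -alg and -when were both nested under -key. The rst and man-page versions of the same line in this commit have the intended form (`[-key id [-alg algorithm]]`); the C string should match: `dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\`. This line is inside the usage string literal, whose start and end lie outside the hunk.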
See also ``rndc addzone`` and ``rndc modzone``.
-``dnssec`` ( **-status** | **-checkds** [**-key** *id*] [**-when** *time*] ( *published* | *withdrawn* )) *zone* [*class* [*view*]]
+``dnssec`` ( **-status** | **-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )) *zone* [*class* [*view*]]
This command allows you to interact with the "dnssec-policy" of a given
zone.
key has been seen published into or withdrawn from the parent. This is
required in order to complete a KSK rollover. If the ``-key id`` argument
is specified, look for the key with the given identifier, otherwise if there
- is only one key acting as a KSK in the zone, assume the DS of that key.
- The time that the DS has been published or withdrawn is set to now, unless
- otherwise specified with the argument ``-when time``.
+ is only one key acting as a KSK in the zone, assume the DS of that key (if
+ there are multiple keys with the same tag, use ``-alg algorithm`` to
+ select the correct algorithm). The time that the DS has been published or
+ withdrawn is set to now, unless otherwise specified with the argument ``-when time``.
``dnstap`` ( **-reopen** | **-roll** [*number*] )
This command closes and re-opens DNSTAP output files. ``rndc dnstap -reopen`` allows
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+n=$((n+1))
+echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)"
+rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n
+grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)"
+rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n
+grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
n=$((n+1))
echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "20190102121314" "published" "$ZONE"
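Review bot: Neither new test block resets `ret` before its checks: after `n=$((n+1))` at L95 and L103 the block goes straight to the rndc call and the `log_error` greps, so a failure left in `ret` by the preceding test (L93-L94 add it to `status` but do not clear it) would be reported a second time as a failure of the algorithm-mismatch test, assuming `log_error` sets `ret=1` as the surrounding `test "$ret" -eq 0` checks rely on. Add `ret=0` after each `n=$((n+1))` at L95 and L103. The checks also only assert that the state files were left untouched, which would equally pass if the command silently matched nothing; grepping the saved `rndc.dnssec.checkds.out.$ZONE.$n` for the error rndc is expected to report on a non-matching algorithm would pin down that the request was actually rejected.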
.sp
See also \fBrndc addzone\fP and \fBrndc modzone\fP\&.
.TP
-\fBdnssec\fP ( \fB\-status\fP | \fB\-checkds\fP [\fB\-key\fP \fIid\fP] [\fB\-when\fP \fItime\fP] ( \fIpublished\fP | \fIwithdrawn\fP )) \fIzone\fP [\fIclass\fP [\fIview\fP]]
+\fBdnssec\fP ( \fB\-status\fP | \fB\-checkds\fP [\fB\-key\fP \fIid\fP [\fB\-alg\fP \fIalgorithm\fP]] [\fB\-when\fP \fItime\fP] ( \fIpublished\fP | \fIwithdrawn\fP )) \fIzone\fP [\fIclass\fP [\fIview\fP]]
This command allows you to interact with the "dnssec\-policy" of a given
zone.
.sp
key has been seen published into or withdrawn from the parent. This is
required in order to complete a KSK rollover. If the \fB\-key id\fP argument
is specified, look for the key with the given identifier, otherwise if there
-is only one key acting as a KSK in the zone, assume the DS of that key.
-The time that the DS has been published or withdrawn is set to now, unless
-otherwise specified with the argument \fB\-when time\fP\&.
+is only one key acting as a KSK in the zone, assume the DS of that key (if
+there are multiple keys with the same tag, use \fB\-alg algorithm\fP to
+select the correct algorithm). The time that the DS has been published or
+withdrawn is set to now, unless otherwise specified with the argument \fB\-when time\fP\&.
.TP
\fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] )
This command closes and re\-opens DNSTAP output files. \fBrndc dnstap \-reopen\fP allows
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish,
- dns_keytag_t id);
+ dns_keytag_t id, unsigned int algorithm);
/*%<
* Check DS for one key in 'keyring'. The key must have the KSK role.
* If 'dspublish' is set to true, set the DS Publish time to 'now'.
* If 'dspublish' is set to false, set the DS Removed time to 'now'.
* If a specific key 'id' is given it must match the keytag.
+ * If the 'algorithm' is non-zero, it must match the key's algorithm.
* The result is stored in the key state file.
*
* Requires:
static isc_result_t
keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish,
- dns_keytag_t id, bool check_id) {
+ dns_keytag_t id, unsigned int alg, bool check_id) {
int options = (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC | DST_TYPE_STATE);
isc_dir_t dir;
isc_result_t result;
if (check_id && dst_key_id(dkey->key) != id) {
continue;
}
+ if (alg > 0 && dst_key_alg(dkey->key) != alg) {
+ continue;
+ }
if (ksk_key != NULL) {
/*
isc_result_t
dns_keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish) {
- return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0,
+ return (keymgr_checkds(kasp, keyring, directory, now, dspublish, 0, 0,
false));
}
isc_result_t
dns_keymgr_checkds_id(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
const char *directory, isc_stdtime_t now, bool dspublish,
- dns_keytag_t id) {
+ dns_keytag_t id, unsigned int alg) {
return (keymgr_checkds(kasp, keyring, directory, now, dspublish, id,
- true));
+ alg, true));
}
static void