+1589. [func] DNSSEC lookaside validation.
+
1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
1587. [bug] dns_message_settsigkey() failed to clear existing key.
than 32 elements. [RT #10381]
1581. [func] Disable DNSSEC support by default. To enable
- DNSSEC specify "enable-dnssec yes;" in named.conf.
+ DNSSEC specify "dnssec-enable yes;" in named.conf.
1580. [bug] Zone destuction on final detach takes a long time.
[RT #3746]
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.65 2004/03/05 05:48:18 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.66 2004/03/10 02:19:51 marka Exp $ */
#include <config.h>
"records with (default: 0)\n");
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -k : generate a TYPE=KEY key\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
+ int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
if (argc == 1)
usage();
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:ef:g:n:t:p:s:r:v:h")) != -1)
+ "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
if (*endp != '\0' || generator <= 0)
fatal("-g requires a positive number");
break;
+ case 'k':
+ options |= DST_TYPE_KEY;
+ break;
case 'n':
nametype = isc_commandline_argument;
break;
fatal("cannot generate a null key when a key with id 0 "
"already exists");
- ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, NULL);
+ ret = dst_key_tofile(key, options, NULL);
if (ret != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.176 2004/03/05 05:48:19 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.177 2004/03/10 02:19:51 marka Exp $ */
#include <config.h>
static isc_boolean_t removefile = ISC_FALSE;
static isc_boolean_t generateds = ISC_FALSE;
static isc_boolean_t ignoreksk = ISC_FALSE;
+static dns_name_t *dlv = NULL;
+static dns_fixedname_t dlv_fixed;
+static dns_master_style_t *dsstyle = NULL;
#define INCSTAT(counter) \
if (printstats) { \
if (rdataset.type != dns_rdatatype_nsec &&
rdataset.type != dns_rdatatype_ds)
goto skip;
+#if 0
+ /*
+ * The current draft allows DS not at a zone cut.
+ * This is a bad idea. Update once the RFC is published.
+ * XXXMPA.
+ */
} else if (rdataset.type == dns_rdatatype_ds) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': found DS RRset without NS RRset\n",
namebuf);
+#endif
}
signset(&diff, node, name, &rdataset);
}
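Review bot: The `#if 0` that opens before `} else if (rdataset.type == dns_rdatatype_ds)` and closes before the final `}` cuts across the if/else boundary, so the surviving `}` now closes the first branch and a reader has to match braces across preprocessor lines to see that the DS-without-NS diagnostic is simply gone. If the check is being relaxed until the RFC is final, keep the `else if` and demote the `fatal()` to a non-fatal warning, e.g. `fprintf(stderr, "warning: '%s': found DS RRset without NS RRset\n", namebuf);`. A DS placed off a zone cut never yields a secure delegation, so the operator is better served by a warning than by silence. The enclosing function starts and ends outside the hunk.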
static void
-writekeyset(void) {
+writeset(const char *prefix, dns_rdatatype_t type) {
+ char *filename;
char namestr[DNS_NAME_FORMATSIZE];
- isc_buffer_t namebuf;
- unsigned int filenamelen;
- char *keyfile;
- signer_key_t *key;
- unsigned char keybuf[DST_KEY_MAXSIZE];
- dns_diff_t diff;
- dns_difftuple_t *tuple = NULL;
dns_db_t *db = NULL;
dns_dbversion_t *version = NULL;
- dns_rdata_t rdata;
+ dns_diff_t diff;
+ dns_difftuple_t *tuple = NULL;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ dns_rdata_t rdata, ds;
+ isc_boolean_t have_ksk = ISC_FALSE;
+ isc_boolean_t have_non_ksk = ISC_FALSE;
isc_buffer_t b;
+ isc_buffer_t namebuf;
isc_region_t r;
isc_result_t result;
- isc_boolean_t have_non_ksk = ISC_FALSE;
- isc_boolean_t have_ksk = ISC_FALSE;
+ signer_key_t *key;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ unsigned char keybuf[DST_KEY_MAXSIZE];
+ unsigned int filenamelen;
+ const dns_master_style_t *style =
+ (type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
isc_buffer_init(&namebuf, namestr, sizeof(namestr));
result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
check_result(result, "dns_name_tofilenametext");
isc_buffer_putuint8(&namebuf, 0);
- filenamelen = strlen("keyset-") + strlen(namestr);
+ filenamelen = strlen(prefix) + strlen(namestr);
if (directory != NULL)
filenamelen += strlen(directory) + 1;
- keyfile = isc_mem_get(mctx, filenamelen + 1);
- if (keyfile == NULL)
+ filename = isc_mem_get(mctx, filenamelen + 1);
+ if (filename == NULL)
fatal("out of memory");
if (directory != NULL)
- sprintf(keyfile, "%s/", directory);
+ sprintf(filename, "%s/", directory);
else
- keyfile[0] = 0;
- strcat(keyfile, "keyset-");
- strcat(keyfile, namestr);
+ filename[0] = 0;
+ strcat(filename, prefix);
+ strcat(filename, namestr);
dns_diff_init(mctx, &diff);
break;
}
+ if (type == dns_rdatatype_dlv) {
+ dns_name_t tname;
+ unsigned int labels;
+
+ dns_name_init(&tname, NULL);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ labels = dns_name_countlabels(gorigin);
+ dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
+ result = dns_name_concatenate(&tname, dlv, name, NULL);
+ check_result(result, "dns_name_concatenate");
+ } else
+ name = gorigin;
+
for (key = ISC_LIST_HEAD(keylist);
key != NULL;
key = ISC_LIST_NEXT(key, link))
if (have_ksk && have_non_ksk && !key->isksk)
continue;
dns_rdata_init(&rdata);
+ dns_rdata_init(&ds);
isc_buffer_init(&b, keybuf, sizeof(keybuf));
result = dst_key_todns(key->key, &b);
check_result(result, "dst_key_todns");
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, gorigin,
- zonettl, &rdata, &tuple);
+ if (type != dns_rdatatype_dnskey) {
+ result = dns_ds_buildrdata(gorigin, &rdata,
+ DNS_DSDIGEST_SHA1,
+ dsbuf, &ds);
+ check_result(result, "dns_ds_buildrdata");
+ if (type == dns_rdatatype_dlv)
+ ds.type = dns_rdatatype_dlv;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ name, 0, &ds, &tuple);
+ } else
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ gorigin, zonettl,
+ &rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
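Review bot: `ds.type = dns_rdatatype_dlv;` relabels the rdata that `dns_ds_buildrdata()` just produced as DLV without saying why that is valid; a one-line comment would spare the next reader a trip to the rdata code, e.g. `/* DLV rdata is wire-identical to DS; only the type code differs. */` (the new dlv_65323.c mirrors the DS implementation, which supports this). The digest algorithm is also fixed to `DNS_DSDIGEST_SHA1` with no option to choose another; if that is intentional, state it in the same comment rather than leaving a bare constant. writeset() starts earlier in the file and its body is split across several hunks.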
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
- result = dns_master_dump(mctx, db, version, masterstyle, keyfile);
+ result = dns_master_dump(mctx, db, version, style, filename);
check_result(result, "dns_master_dump");
- isc_mem_put(mctx, keyfile, filenamelen + 1);
+ isc_mem_put(mctx, filename, filenamelen + 1);
dns_db_closeversion(db, &version, ISC_FALSE);
dns_db_detach(&db);
fprintf(stderr, "print statistics\n");
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
+ fprintf(stderr, "\t-l lookasidezone\n");
fprintf(stderr, "\n");
dns_rdataclass_t rdclass;
dns_db_t *udb = NULL;
isc_task_t **tasks = NULL;
+ isc_buffer_t b;
+ int len;
+
masterstyle = &dns_master_style_explicitttl;
check_result(isc_app_start(), "isc_app_start");
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv,
- "ac:d:e:f:ghi:k:n:o:pr:s:Stv:z"))
+ "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
!= -1) {
switch (ch) {
case 'a':
"positive");
break;
+ case 'l':
+ dns_fixedname_init(&dlv_fixed);
+ len = strlen(isc_commandline_argument);
+ isc_buffer_init(&b, isc_commandline_argument, len);
+ isc_buffer_add(&b, len);
+
+ dns_fixedname_init(&dlv_fixed);
+ dlv = dns_fixedname_name(&dlv_fixed);
+ result = dns_name_fromtext(dlv, &b, dns_rootname,
+ ISC_FALSE, NULL);
+ check_result(result, "dns_name_fromtext(dlv)");
+ break;
+
case 'k':
if (ndskeys == MAXDSKEYS)
fatal("too many key-signing keys specified");
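Review bot: `dns_fixedname_init(&dlv_fixed);` runs twice in `case 'l'`, once before the buffer setup and again just before `dns_fixedname_name(&dlv_fixed)`; the first call is redundant and should be removed. The lookaside name is parsed here with downcase `ISC_FALSE`, whereas the same option in server.c and check.c is parsed with `ISC_TRUE`; the difference is probably harmless for the generated owner name but is worth aligning or commenting. The enclosing option-parsing loop starts and ends outside the hunk.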
sprintf(output, "%s.signed", file);
}
+ result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL,
+ 0, 24, 0, 0, 0, 8, mctx);
+ check_result(result, "dns_master_stylecreate");
+
+
gdb = NULL;
TIME_NOW(&timer_start);
loadzone(file, origin, rdclass, &gdb);
nsecify();
- if (!nokeys)
- writekeyset();
+ if (!nokeys) {
+ writeset("keyset-", dns_rdatatype_dnskey);
+ writeset("dsset-", dns_rdatatype_ds);
+ if (dlv != NULL) {
+ writeset("dlvset-", dns_rdatatype_dlv);
+ }
+ }
tempfilelen = strlen(output) + 20;
tempfile = isc_mem_get(mctx, tempfilelen);
if (free_output)
isc_mem_free(mctx, output);
+ dns_master_styledestroy(&dsstyle, mctx);
+
cleanup_logging(&log);
dst_lib_destroy();
cleanup_entropy(&ectx);
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.9 2004/03/05 04:57:41 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.10 2004/03/10 02:19:51 marka Exp $ -->
<refentry>
<refentryinfo>
<arg><option>-g</option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
+ <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-l <replaceable class="parameter">domain</replaceable></term>
+ <listitem>
+ <para>
+ Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+ The domain is appended to the name of the records.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.45 2004/03/05 04:57:46 marka Exp $ */
+/* $Id: config.c,v 1.46 2004/03/10 02:19:52 marka Exp $ */
#include <config.h>
check-names master fail;\n\
check-names slave warn;\n\
check-names response ignore;\n\
- enable-dnssec no; /* Make yes for 9.4. */ \n\
+ dnssec-enable no; /* Make yes for 9.4. */ \n\
\n\
/* zone */\n\
allow-query {any;};\n\
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.256 2004/03/05 04:57:48 marka Exp $ */
+/* $Id: query.c,v 1.257 2004/03/10 02:19:52 marka Exp $ */
#include <config.h>
static inline isc_result_t
query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
- dns_ttl_t ttl, dns_name_t **anamep, dns_rdatatype_t type)
+ dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
{
dns_rdataset_t *rdataset;
dns_rdatalist_t *rdatalist;
rdatalist->type = type;
rdatalist->covers = 0;
rdatalist->rdclass = client->message->rdclass;
- rdatalist->ttl = ttl;
+ rdatalist->ttl = 0;
dns_name_toregion(tname, &r);
rdata->data = r.base;
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
== ISC_R_SUCCESS);
+ rdataset->trust = trust;
query_addrrset(client, anamep, &rdataset, NULL, NULL,
DNS_SECTION_ANSWER);
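Review bot: `rdataset->trust = trust;` makes the synthesized CNAME carry a caller-supplied trust level, and the only caller in this commit passes `trdataset->trust`, i.e. the trust of the DNAME it was derived from; that linkage is the security-relevant part and deserves a comment on the assignment, e.g. `/* A synthesized CNAME is only as trusted as the DNAME it came from. */`. The `ttl` parameter was replaced by a fixed `rdatalist->ttl = 0`; the old caller also passed 0 so this preserves behaviour, but a short comment on why the TTL is 0 would help too. query_addcnamelike() continues outside the hunk.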
*/
dns_name_init(tname, NULL);
(void)query_addcnamelike(client, client->query.qname, fname,
- 0, &tname, dns_rdatatype_cname);
+ trdataset->trust, &tname,
+ dns_rdatatype_cname);
if (tname != NULL)
dns_message_puttempname(client->message, &tname);
/*
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.416 2004/03/05 04:57:48 marka Exp $ */
+/* $Id: server.c,v 1.417 2004/03/10 02:19:52 marka Exp $ */
#include <config.h>
view->provideixfr = cfg_obj_asboolean(obj);
obj = NULL;
- result = ns_config_get(maps, "enable-dnssec", &obj);
+ result = ns_config_get(maps, "dnssec-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablednssec = cfg_obj_asboolean(obj);
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-lookaside", &obj);
+ if (result == ISC_R_SUCCESS) {
+ const char *dlv;
+ isc_buffer_t b;
+ dlv = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, dlv, strlen(dlv));
+ isc_buffer_add(&b, strlen(dlv));
+ CHECK(dns_name_fromtext(dns_fixedname_name(&view->dlv_fixed),
+ &b, dns_rootname, ISC_TRUE, NULL));
+ view->dlv = dns_fixedname_name(&view->dlv_fixed);
+ } else
+ view->dlv = NULL;
+
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.19 2004/03/05 05:00:12 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
// NS1
listen-on-v6 { none; };
recursion no;
notify yes;
- enable-dnssec yes;
+ dnssec-enable yes;
};
zone "." {
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.7 2004/03/05 05:00:12 marka Exp $
+; $Id: root.db.in,v 1.8 2004/03/10 02:19:53 marka Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
example. NS ns2.example.
ns2.example. A 10.53.0.2
+dlv. NS ns2.dlv.
+ns2.dlv. A 10.53.0.2
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.18 2004/03/05 05:00:12 marka Exp $
+# $Id: sign.sh,v 1.19 2004/03/10 02:19:53 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
(cd ../ns2 && sh sign.sh )
cp ../ns2/keyset-example. .
+cp ../ns2/keyset-dlv. .
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.22 2004/03/05 05:00:16 marka Exp $ */
+/* $Id: named.conf,v 1.23 2004/03/10 02:19:53 marka Exp $ */
// NS2
listen-on-v6 { none; };
recursion no;
notify yes;
- enable-dnssec yes;
+ dnssec-enable yes;
};
zone "." {
file "../../common/root.hint";
};
+zone "dlv" {
+ type master;
+ file "dlv.db.signed";
+};
+
zone "example" {
type master;
file "example.db.signed";
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.23 2004/03/05 05:00:16 marka Exp $
+# $Id: sign.sh,v 1.24 2004/03/10 02:19:53 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cat $privinfile $privkeyname.key >$privzonefile
-$SIGNER -g -r $RANDFILE -o $privzone $privzonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
+
+# Sign the DLV secure zone.
+
+
+dlvzone=dlv.
+dlvinfile=dlv.db.in
+dlvzonefile=dlv.db
+
+dlvkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $dlvzone`
+
+cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
+
+$SIGNER -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.24 2004/03/05 05:00:20 marka Exp $ */
+/* $Id: named.conf,v 1.25 2004/03/10 02:19:54 marka Exp $ */
// NS3
listen-on-v6 { none; };
recursion no;
notify yes;
- enable-dnssec yes;
+ dnssec-enable yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.21 2004/03/05 05:00:24 marka Exp $ */
+/* $Id: named.conf,v 1.22 2004/03/10 02:19:54 marka Exp $ */
// NS4
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
- enable-dnssec yes;
+ dnssec-enable yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.19 2004/03/05 05:00:31 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
// NS5
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
- enable-dnssec yes;
+ dnssec-enable yes;
};
zone "." {
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.5 2004/03/05 05:00:35 marka Exp $ */
+/* $Id: named.conf,v 1.6 2004/03/10 02:19:54 marka Exp $ */
// NS6
recursion yes;
notify yes;
disable-algorithms . { DSA; };
- enable-dnssec yes;
+ dnssec-enable yes;
+ dnssec-lookaside dlv;
};
zone "." {
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.43 2004/03/05 05:00:09 marka Exp $
+# $Id: tests.sh,v 1.44 2004/03/10 02:19:53 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking dnssec-lookaside-validation works ($n)"
+ret=0
+$DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \
+ > dig.out.ns6.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
+
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
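Review bot: The new lookaside check sets `ret` but never folds it into `status` or prints `I:failed`, so a validation failure at ns6 cannot fail the run; the preceding test shows the expected tail, which is missing here. Append after the `grep`: `if [ $ret != 0 ]; then echo "I:failed"; fi` and ``status=`expr $status + $ret` ``. The test number `$n` is also not advanced before this block (assuming the script's usual increment convention, which is outside the hunk), so `dig.out.ns6.test$n` may reuse the previous test's number.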
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: ifconfig.sh,v 1.44 2004/03/05 04:59:12 marka Exp $
+# $Id: ifconfig.sh,v 1.45 2004/03/10 02:19:52 marka Exp $
#
# Set up interface aliases for bind9 system tests.
case `uname -a` in
*HP-UX*) sys=hpux ;;
- *) sys=`$config_guess` ;;
+ *) sys=`sh $config_guess` ;;
esac
case "$2" in
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.14 2004/03/05 05:01:27 marka Exp $ */
+/* $Id: named.conf,v 1.15 2004/03/10 02:19:54 marka Exp $ */
controls { /* empty */ };
listen-on-v6 { none; };
recursion no;
notify no;
- enable-dnssec yes;
+ dnssec-enable yes;
};
zone "." {
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: start.pl,v 1.4 2004/03/05 04:59:13 marka Exp $
+# $Id: start.pl,v 1.5 2004/03/10 02:19:52 marka Exp $
# Framework for starting test servers.
# Based on the type of server specified, check for port availability, remove
if ($options) {
$command .= "$options";
} else {
- $command .= "-c named.conf -d 99 -g";
+ $command .= "-m record -c named.conf -d 99 -g";
}
$command .= " >named.run 2>&1 &";
$pid_file = "named.pid";
if ($options) {
$command .= "$options";
} else {
- $command .= "-C resolv.conf -d 99 -g -i lwresd.pid -P 9210 -p 5300";
+ $command .= "-m record -C resolv.conf -d 99 -g -i lwresd.pid -P 9210 -p 5300";
}
$command .= " >lwresd.run 2>&1 &";
$pid_file = "lwresd.pid";
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.353 $)
+AC_REVISION($Revision: 1.354 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.13)
# UnixWare
use_threads=true ;;
*-netbsd*)
- # Socket I/O optimizations introduced in 9.2 expose a
- # bug in unproven-pthreads; see PR #12650
- use_threads=false ;;
+ if test -r /usr/lib/libpthread.so ; then
+ use_threads=true
+ else
+ # Socket I/O optimizations introduced in 9.2 expose a
+ # bug in unproven-pthreads; see PR #12650
+ use_threads=false
+ fi
+ ;;
*-openbsd*)
# OpenBSD users have reported that named dumps core on
# startup when built with threads.
[linking with PTL2 is highly experimental and not expected to work])
CC=ptlgcc
else
- if test ! -d $LOCALBASE/pthreads
+ if test -r /usr/lib/libpthread.so
then
- AC_MSG_RESULT(none)
- AC_MSG_ERROR("could not find thread libraries")
- fi
+ AC_MSG_RESULT(native)
+ LIBS="-lpthread $LIBS"
+ else
+ if test ! -d $LOCALBASE/pthreads
+ then
+ AC_MSG_RESULT(none)
+ AC_MSG_ERROR("could not find thread libraries")
+ fi
- if $use_threads
- then
- AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
- pkg="$LOCALBASE/pthreads"
- lib1="-L$pkg/lib -Wl,-R$pkg/lib"
- lib2="-lpthread -lm -lgcc -lpthread"
- LIBS="$lib1 $lib2 $LIBS"
- CPPFLAGS="$CPPFLAGS -I$pkg/include"
- STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+ if $use_threads
+ then
+ AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
+ pkg="$LOCALBASE/pthreads"
+ lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+ lib2="-lpthread -lm -lgcc -lpthread"
+ LIBS="$lib1 $lib2 $LIBS"
+ CPPFLAGS="$CPPFLAGS -I$pkg/include"
+ STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+ fi
fi
fi
;;
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
-<!-- File: $Id: Bv9ARM-book.xml,v 1.239 2004/03/05 10:53:24 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.240 2004/03/10 02:19:55 marka Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
- <optional> enable-dnssec <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-lookaside <replaceable>domain</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
<optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
Multiple <command>disable-algorithms</command> statements are allowed.
Only the most specific will be applied.
</para></listitem></varlistentry>
+
+<varlistentry><term><command>dnssec-lookaside</command></term>
+<listitem><para>
+When set <command>dnssec-lookaside</command> provides the
+validator with an alternate method to validate DNSKEY records at the
+top of a zone. When set the domain specified by
+<command>dnssec-lookaside</command> is appended to DNSKEY's
+name and a DLV record is looked up. If the DLV record validates
+a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.
+</para></listitem></varlistentry>
+
</variablelist>
<sect3 id="boolean_options"><title>Boolean Options</title>
has. The default is <userinput>no</userinput>.
</para></listitem></varlistentry>
-<varlistentry><term><command>enable-dnssec</command></term>
+<varlistentry><term><command>dnssec-enable</command></term>
<listitem>
<para>
Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.43 2004/03/05 05:09:04 marka Exp $ */
+/* $Id: check.c,v 1.44 2004/03/10 02:19:55 marka Exp $ */
#include <config.h>
}
}
+ /*
+ * Check the DLV zone name.
+ */
+ obj = NULL;
+ (void)cfg_map_get(options, "dnssec-lookaside", &obj);
+ if (obj != NULL) {
+ dns_fixedname_t fixedname;
+ const char *dlv;
+ isc_buffer_t b;
+
+ dlv = cfg_obj_asstring(obj);
+ dns_fixedname_init(&fixedname);
+ isc_buffer_init(&b, dlv, strlen(dlv));
+ isc_buffer_add(&b, strlen(dlv));
+ tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+ dns_rootname, ISC_TRUE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'", dlv);
+ result = tresult;
+ }
+ }
return (result);
}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.c,v 1.214 2004/03/05 05:09:17 marka Exp $ */
+/* $Id: adb.c,v 1.215 2004/03/10 02:19:55 marka Exp $ */
/*
* Implementation notes
nameservers = NULL;
dns_rdataset_init(&rdataset);
- options = 0;
+ options = DNS_FETCHOPT_NOVALIDATE;
if (start_at_zone) {
DP(ENTER_LEVEL,
"fetch_name: starting at zone for name %p",
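Review bot: `options = DNS_FETCHOPT_NOVALIDATE;` turns off DNSSEC validation for every address fetch the ADB starts, with no comment saying why; since this deliberately weakens the validation path it needs a why-comment at the assignment. Presumably the intent is to avoid recursion (validating a DS or DLV lookup can require the addresses of the very servers being validated) and the addresses are only used to contact servers rather than being handed back as validated answers, but that should be confirmed and written down, e.g. `/* NOTE(review): nameserver address fetches are not validated — they are only used to reach servers, never returned as validated data, and validating them could recurse into this fetch. Confirm. */`. fetch_name() starts before and ends after the hunk.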
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.h,v 1.26 2004/03/05 05:09:47 marka Exp $ */
+/* $Id: validator.h,v 1.27 2004/03/10 02:19:56 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
dns_fixedname_t fname;
dns_fixedname_t wild;
ISC_LINK(dns_validator_t) link;
+ dns_rdataset_t * dlv;
};
ISC_LANG_BEGINDECLS
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.90 2004/03/05 05:09:47 marka Exp $ */
+/* $Id: view.h,v 1.91 2004/03/10 02:19:56 marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
#include <isc/stdtime.h>
#include <dns/acl.h>
+#include <dns/fixedname.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
isc_boolean_t rootdelonly;
dns_namelist_t * rootexclude;
isc_boolean_t checknames;
+ dns_name_t * dlv;
+ dns_fixedname_t dlv_fixed;
/*
* Configurable data for server use only,
--- /dev/null
+/*
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_65323.c,v 1.2 2004/03/10 02:19:56 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+
+#ifndef RDATA_GENERIC_DLV_65323_C
+#define RDATA_GENERIC_DLV_65323_C
+
+#define RRTYPE_DLV_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_dlv(ARGS_FROMTEXT) {
+ isc_token_t token;
+
+ REQUIRE(type == 65323);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /*
+ * Key tag.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffff)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xff)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Digest type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xff)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ type = (isc_uint16_t) token.value.as_ulong;
+
+ /*
+ * Digest.
+ */
+ return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_dlv(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000 ")];
+ unsigned int n;
+
+ REQUIRE(rdata->type == 65323);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Key tag.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Algorithm.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest type.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest.
+ */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_dlv(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 65323);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_dlv(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 65323);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dlv(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 65323);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dlv(ARGS_FROMSTRUCT) {
+ dns_rdata_dlv_t *dlv = source;
+
+ REQUIRE(type == 65323);
+ REQUIRE(source != NULL);
+ REQUIRE(dlv->common.rdtype == type);
+ REQUIRE(dlv->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(dlv->key_tag, target));
+ RETERR(uint8_tobuffer(dlv->algorithm, target));
+ RETERR(uint8_tobuffer(dlv->digest_type, target));
+
+ return (mem_tobuffer(target, dlv->digest, dlv->length));
+}
+
+static inline isc_result_t
+tostruct_dlv(ARGS_TOSTRUCT) {
+ dns_rdata_dlv_t *dlv = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 65323);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ dlv->common.rdclass = rdata->rdclass;
+ dlv->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&dlv->common, link);
+
+ dns_rdata_toregion(rdata, ®ion);
+
+ dlv->key_tag = uint16_fromregion(®ion);
+ isc_region_consume(®ion, 2);
+ dlv->algorithm = uint8_fromregion(®ion);
+ isc_region_consume(®ion, 1);
+ dlv->digest_type = uint8_fromregion(®ion);
+ isc_region_consume(®ion, 1);
+ dlv->length = region.length;
+
+ dlv->digest = mem_maybedup(mctx, region.base, region.length);
+ if (dlv->digest == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dlv->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dlv(ARGS_FREESTRUCT) {
+ dns_rdata_dlv_t *dlv = source;
+
+ REQUIRE(dlv != NULL);
+ REQUIRE(dlv->common.rdtype == 65323);
+
+ if (dlv->mctx == NULL)
+ return;
+
+ if (dlv->digest != NULL)
+ isc_mem_free(dlv->mctx, dlv->digest);
+ dlv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dlv(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 65323);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dlv(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 65323);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_dlv(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 65323);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dlv(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 65323);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_DLV_65323_C */
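Review bot: `fromwire_dlv()` accepts any rdata of at least 4 bytes, so a DLV record with an empty digest, or a digest whose length does not match `digest_type` (20 bytes for SHA-1, the only type this commit produces), parses successfully and reaches the validator; unless the validator rejects such records (not visible here), a length check after `isc_buffer_activeregion()` that at least rejects `sr.length == 4` would keep malformed records out earlier. Separately, `type = (isc_uint16_t) token.value.as_ulong;` in `fromtext_dlv()` stores the digest type into the `type` parameter, which was just declared `UNUSED(type)` and is never read again — a dead store that should be dropped. The file header cites `draft-ietf-dnsext-delegation-signer-05.txt`, the DS draft, as does the new dlv_65323.h; both should cite the DLV specification instead.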
--- /dev/null
+/*
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_65323.h,v 1.2 2004/03/10 02:19:57 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DLV_65323_H
+#define GENERIC_DLV_65323_H 1
+
+typedef struct dns_rdata_dlv {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t key_tag;
+ isc_uint8_t algorithm;
+ isc_uint8_t digest_type;
+ isc_uint16_t length;
+ unsigned char *digest;
+} dns_rdata_dlv_t;
+
+#endif /* GENERIC_DLV_65323_H */
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.112 2004/03/05 05:48:23 marka Exp $
+ * $Id: dst_api.c,v 1.113 2004/03/10 02:19:58 marka Exp $
*/
#include <config.h>
static isc_result_t read_public_key(const char *filename,
isc_mem_t *mctx,
dst_key_t **keyp);
-static isc_result_t write_public_key(const dst_key_t *key,
+static isc_result_t write_public_key(const dst_key_t *key, int type,
const char *directory);
static isc_result_t buildfilename(dns_name_t *name,
dns_keytag_t id,
return (DST_R_UNSUPPORTEDALG);
if (type & DST_TYPE_PUBLIC) {
- ret = write_public_key(key, directory);
+ ret = write_public_key(key, type, directory);
if (ret != ISC_R_SUCCESS)
return (ret);
}
* Writes a public key to disk in DNS format.
*/
static isc_result_t
-write_public_key(const dst_key_t *key, const char *directory) {
+write_public_key(const dst_key_t *key, int type, const char *directory) {
FILE *fp;
isc_buffer_t keyb, textb, fileb, classb;
isc_region_t r;
isc_buffer_usedregion(&classb, &r);
fwrite(r.base, 1, r.length, fp);
- fprintf(fp, " DNSKEY ");
+ if ((type & DST_TYPE_KEY) != 0)
+ fprintf(fp, " KEY ");
+ else
+ fprintf(fp, " DNSKEY ");
isc_buffer_usedregion(&textb, &r);
fwrite(r.base, 1, r.length, fp);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.46 2004/03/05 05:10:38 marka Exp $ */
+/* $Id: dst.h,v 1.47 2004/03/10 02:19:58 marka Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
#define DST_KEY_MAXTEXTSIZE 2048
/* 'Type' for dst_read_key() */
+#define DST_TYPE_KEY 0x1000000 /* KEY key */
#define DST_TYPE_PRIVATE 0x2000000
#define DST_TYPE_PUBLIC 0x4000000
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.118 2004/03/05 05:09:26 marka Exp $ */
+/* $Id: validator.c,v 1.119 2004/03/10 02:19:56 marka Exp $ */
#include <config.h>
#define VALATTR_TRIEDVERIFY 0x0004
#define VALATTR_NEGATIVE 0x0008
#define VALATTR_INSECURITY 0x0010
+#define VALATTR_DLV 0x0020
+#define VALATTR_DLVTRIED 0x0040
#define VALATTR_NEEDNOQNAME 0x0100
#define VALATTR_NEEDNOWILDCARD 0x0200
#define VALATTR_FOUNDNOWILDCARD 0x2000
#define VALATTR_FOUNDNODATA 0x4000
+
#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
+#define DLV(val) ((val->attributes & VALATTR_DLV) != 0)
+#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
validate(dns_validator_t *val, isc_boolean_t resume);
static isc_result_t
-validatezonekey(dns_validator_t *val, isc_boolean_t resume);
+validatezonekey(dns_validator_t *val);
static isc_result_t
nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
dns_name_t *name, dns_rdatatype_t type,
const char *caller, const char *operation);
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val);
+
static void
validator_done(dns_validator_t *val, isc_result_t result) {
isc_task_t *task;
validator_log(val, ISC_LOG_DEBUG(3),
"dsset with trust %d", rdataset->trust);
val->dsset = &val->frdataset;
- result = validatezonekey(val, ISC_TRUE);
+ result = validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (val->view->dlv != NULL && !DLVTRIED(val) &&
+ (eresult == DNS_R_NXRRSET ||
+ eresult == DNS_R_NCACHENXRRSET) &&
+ !dns_name_issubdomain(val->event->name,
+ val->view->dlv))
+ {
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "no DS record: looking for DLV");
+
+ result = dlv_validatezonekey(val);
if (result != DNS_R_WAIT)
validator_done(val, result);
} else if (eresult == DNS_R_NXRRSET ||
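Review bot: The new DLV branch in dsfetched() calls dlv_validatezonekey() while val->frdataset may still hold the negative DS answer the fetch just delivered (eresult is DNS_R_NXRRSET or DNS_R_NCACHENXRRSET and nothing in the branch disassociates it), whereas the parallel branch this commit adds to validatezonekey() disassociates both frdataset and fsigrdataset before making the same call. dlv_validatezonekey() then does its own view_find() for the DLV record, which from the rest of the patch appears to land in that same frdataset; if view_find() expects an unassociated rdataset, this path would trip an assertion or leak a reference. Before `result = dlv_validatezonekey(val);` add `if (dns_rdataset_isassociated(&val->frdataset)) dns_rdataset_disassociate(&val->frdataset);` and the matching check for fsigrdataset, as the validatezonekey() branch does. dsfetched() begins and ends outside this hunk.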
if ((val->attributes & VALATTR_INSECURITY) != 0)
result = proveunsecure(val, ISC_TRUE);
else
- result = validatezonekey(val, ISC_TRUE);
+ result = validatezonekey(val);
if (result != DNS_R_WAIT)
validator_done(val, result);
} else {
return (DNS_R_NOVALIDSIG);
}
+
+static void
+dlv_validated(isc_task_t *task, isc_event_t *event) {
+ dns_validatorevent_t *devent;
+ dns_validator_t *val;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+ devent = (dns_validatorevent_t *)event;
+ val = devent->ev_arg;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_validator_destroy(&val->subvalidator);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv with trust %d", val->frdataset.trust);
+ if ((val->attributes & VALATTR_INSECURITY) != 0)
+ result = proveunsecure(val, ISC_TRUE);
+ else
+ result = validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv_validated: got %s",
+ isc_result_totext(eresult));
+ validator_done(val, eresult);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static void
+dlv_fetched(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent;
+ dns_validator_t *val;
+ dns_rdataset_t *rdataset;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+ devent = (dns_fetchevent_t *)event;
+ val = devent->ev_arg;
+ rdataset = &val->frdataset;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&val->fetch);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv set with trust %d", rdataset->trust);
+ val->dlv = &val->frdataset;
+ result = dlv_validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (eresult == DNS_R_NXRRSET ||
+ eresult == DNS_R_NCACHENXRRSET)
+ {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv_fetched: got %s",
+ isc_result_totext(eresult));
+ if (eresult == ISC_R_CANCELED)
+ validator_done(val, eresult);
+ else
+ validator_done(val, DNS_R_NOVALIDDS);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val) {
+ dns_fixedname_t fixed;
+ dns_keytag_t keytag;
+ dns_name_t *name;
+ dns_name_t tname;
+ dns_rdata_dlv_t dlv;
+ dns_rdata_dnskey_t key;
+ dns_rdata_rrsig_t sig;
+ dns_rdata_t dlvrdata = DNS_RDATA_INIT;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ dns_rdataset_t trdataset;
+ dst_key_t *dstkey;
+ isc_boolean_t supported_algorithm;
+ isc_result_t result;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ unsigned int labels;
+
+ val->attributes |= VALATTR_DLVTRIED;
+
+ dns_name_init(&tname, NULL);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ labels = dns_name_countlabels(val->event->name);
+ dns_name_getlabelsequence(val->event->name, 0, labels - 1, &tname);
+ result = dns_name_concatenate(&tname, val->view->dlv, name, NULL);
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "DLV concatenate failed");
+ return (DNS_R_NOVALIDSIG);
+ }
+ if (val->dlv == NULL) {
+ result = view_find(val, name, dns_rdatatype_dlv);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We have DLV records.
+ */
+ val->dsset = &val->frdataset;
+ if (val->frdataset.trust == dns_trust_pending &&
+ dns_rdataset_isassociated(&val->fsigrdataset))
+ {
+ result = create_validator(val,
+ val->event->name,
+ dns_rdatatype_ds,
+ &val->frdataset,
+ &val->fsigrdataset,
+ dlv_validated,
+ "dlv_validatezonekey");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (val->frdataset.trust == dns_trust_pending) {
+ /*
+ * There should never be an unsigned DLV.
+ */
+ dns_rdataset_disassociate(&val->frdataset);
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "unsigned DLV record");
+ return (DNS_R_NOVALIDSIG);
+ } else
+ result = ISC_R_SUCCESS;
+ } else if (result == ISC_R_NOTFOUND) {
+ result = create_fetch(val, name, dns_rdatatype_dlv,
+ dlv_fetched,
+ "dlv_validatezonekey");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXDOMAIN ||
+ result == DNS_R_NXRRSET)
+ {
+ /*
+ * The DS does not exist.
+ */
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ validator_log(val, ISC_LOG_DEBUG(2), "no DLV record");
+ return (DNS_R_NOVALIDSIG);
+ }
+ }
+
+ /*
+ * We have a DLV set.
+ */
+ INSIST(val->dlv != NULL);
+
+ if (val->dlv->trust < dns_trust_secure) {
+ val->event->rdataset->trust = dns_trust_answer;
+ val->event->sigrdataset->trust = dns_trust_answer;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Look through the DLV record and find the keys that can sign the
+ * key set and the matching signature. For each such key, attempt
+ * verification.
+ */
+
+ supported_algorithm = ISC_FALSE;
+
+ for (result = dns_rdataset_first(val->dlv);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->dlv))
+ {
+ dns_rdata_reset(&dlvrdata);
+ dns_rdataset_current(val->dlv, &dlvrdata);
+ (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+
+ if (!dns_resolver_algorithm_supported(val->view->resolver,
+ val->event->name,
+ dlv.algorithm))
+ continue;
+
+ supported_algorithm = ISC_TRUE;
+
+ dns_rdataset_init(&trdataset);
+ dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+ for (result = dns_rdataset_first(&trdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&trdataset))
+ {
+ dns_rdata_reset(&keyrdata);
+ dns_rdataset_current(&trdataset, &keyrdata);
+ (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
+ keytag = compute_keytag(&keyrdata, &key);
+ if (dlv.key_tag != keytag ||
+ dlv.algorithm != key.algorithm)
+ continue;
+ dns_rdata_reset(&newdsrdata);
+ result = dns_ds_buildrdata(val->event->name,
+ &keyrdata, dlv.digest_type,
+ dsbuf, &newdsrdata);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ /* Covert to DLV */
+ newdsrdata.type = dns_rdatatype_dlv;
+ if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
+ break;
+ }
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no KEY matching DLV");
+ continue;
+ }
+
+ for (result = dns_rdataset_first(val->event->sigrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->event->sigrdataset))
+ {
+ dns_rdata_reset(&sigrdata);
+ dns_rdataset_current(val->event->sigrdataset,
+ &sigrdata);
+ (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ if (dlv.key_tag != sig.keyid &&
+ dlv.algorithm != sig.algorithm)
+ continue;
+
+ dstkey = NULL;
+ result = dns_dnssec_keyfromrdata(val->event->name,
+ &keyrdata,
+ val->view->mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS)
+ /*
+ * This really shouldn't happen, but...
+ */
+ continue;
+
+ result = verify(val, dstkey, &sigrdata);
+ dst_key_free(&dstkey);
+ if (result == ISC_R_SUCCESS)
+ break;
+ }
+ dns_rdataset_disassociate(&trdataset);
+ if (result == ISC_R_SUCCESS)
+ break;
+ validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DLV key");
+ }
+ if (result == ISC_R_SUCCESS) {
+ val->event->rdataset->trust = dns_trust_secure;
+ val->event->sigrdataset->trust = dns_trust_secure;
+ validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+ return (result);
+ } else if (result == ISC_R_NOMORE && !supported_algorithm) {
+ val->event->rdataset->trust = dns_trust_answer;
+ val->event->sigrdataset->trust = dns_trust_answer;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no supported algorithm (dlv)");
+ return (ISC_R_SUCCESS);
+ } else
+ return (DNS_R_NOVALIDSIG);
+}
+
/*
* Attempts positive response validation of an RRset containing zone keys.
*
* Other return codes are possible and all indicate failure.
*/
static isc_result_t
-validatezonekey(dns_validator_t *val, isc_boolean_t resume) {
+validatezonekey(dns_validator_t *val) {
isc_result_t result;
dns_validatorevent_t *event;
dns_rdataset_t trdataset;
dst_key_t *dstkey;
isc_boolean_t supported_algorithm;
- UNUSED(resume);
-
/*
* Caller must be holding the validator lock.
*/
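Review bot: In dlv_validatezonekey(), when view_find() returns a DLV set whose trust is not pending (the `else result = ISC_R_SUCCESS;` arm), control falls through to `INSIST(val->dlv != NULL)`, but that path only assigned val->dsset, and nothing in this hunk sets val->dlv there — INSIST is ISC's fatal assertion, so as far as the hunk shows a cached, already-validated DLV record would abort the resolver, which makes this a remotely reachable crash rather than a validation failure. The assignment should be `val->dlv = &val->frdataset;`, and dlv_validated() should likewise set val->dlv and resume with `result = dlv_validatezonekey(val);` instead of validatezonekey(), which would otherwise read the DLV rdata through val->dsset as if it were DS records. The signature filter `if (dlv.key_tag != sig.keyid && dlv.algorithm != sig.algorithm)` skips a signature only when both fields differ; it should be `||` so signatures from other keys are not fed to verify() at all. The debug line in dlv_validated() still reads "in dsvalidated", a copy-paste leftover that will mislead anyone tracing DLV lookups. validatezonekey() continues past the end of this hunk.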
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
- } else if (result == DNS_R_NCACHENXDOMAIN ||
+ } else if (val->view->dlv != NULL && !DLVTRIED(val) &&
+ (result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXRRSET) &&
+ !dns_name_issubdomain(val->event->name,
+ val->view->dlv))
+ {
+
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "no DS record: looking for DLV");
+
+ return (dlv_validatezonekey(val));
+ } else if (result == DNS_R_NCACHENXDOMAIN ||
result == DNS_R_NCACHENXRRSET ||
result == DNS_R_NXDOMAIN ||
result == DNS_R_NXRRSET)
event->sigrdataset->trust = dns_trust_secure;
validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
return (result);
+ } else if (result == ISC_R_NOMORE && val->view->dlv != NULL &&
+ !DLVTRIED(val) && !dns_name_issubdomain(val->event->name,
+ val->view->dlv))
+ {
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "no DS/DNSKEY pair: looking for DLV");
+
+ return (dlv_validatezonekey(val));
} else if (result == ISC_R_NOMORE && !supported_algorithm) {
val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer;
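Review bot: The new `ISC_R_NOMORE` branch that falls back to DLV calls dlv_validatezonekey() while val->frdataset still holds the DS set (val->dsset points into it), unlike the DLV branch added earlier in this same function, which disassociates frdataset and fsigrdataset before the identical call; dlv_validatezonekey() then issues its own view_find() for the DLV record into that occupied rdataset. Mirror the earlier branch and disassociate both rdatasets before `return (dlv_validatezonekey(val));` so the two fallback paths hand the callee the same state. validatezonekey() starts and ends outside this hunk.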
if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
return (validate(val, ISC_FALSE));
- return (validatezonekey(val, ISC_FALSE));
+ return (validatezonekey(val));
}
static isc_result_t
val->currentset = NULL;
val->keyset = NULL;
val->dsset = NULL;
+ val->dlv = NULL;
val->soaset = NULL;
val->nsecset = NULL;
val->soaname = NULL;
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.125 2004/03/05 05:09:26 marka Exp $ */
+/* $Id: view.c,v 1.126 2004/03/10 02:19:56 marka Exp $ */
#include <config.h>
view->dstport = 53;
view->preferred_glue = 0;
view->flush = ISC_FALSE;
+ view->dlv = NULL;
+ dns_fixedname_init(&view->dlv_fixed);
result = dns_order_create(view->mctx, &view->order);
if (result != ISC_R_SUCCESS)
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.29 2004/03/05 05:12:22 marka Exp $ */
+/* $Id: namedconf.c,v 1.30 2004/03/10 02:19:58 marka Exp $ */
#include <config.h>
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
{ "disable-algorithms", &cfg_type_disablealgorithm,
CFG_CLAUSEFLAG_MULTI },
- { "enable-dnssec", &cfg_type_boolean, 0 },
+ { "dnssec-enable", &cfg_type_boolean, 0 },
+ { "dnssec-lookaside", &cfg_type_astring, 0 },
{ NULL, NULL, 0 }
};
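Review bot: Renaming the clause from `enable-dnssec` to `dnssec-enable` without keeping the old spelling means any existing named.conf that turns validation on with `enable-dnssec yes;` stops loading after this change, and the CHANGES entry only documents the new name. Keeping `{ "enable-dnssec", &cfg_type_boolean, 0 },` next to the new entry, flagged with whatever deprecated/obsolete clause flag the config parser provides, would turn that into a clear warning instead of an unknown-option error. `dnssec-lookaside` is declared as a bare string even though view.c stores it in a dns_fixedname_t, so a value that is not a valid absolute domain name is only rejected when the view is built; a check-time validation would surface the mistake earlier.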