--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm ceasarscipher;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
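Review bot: None of the four new "badalg" fixtures says what named-checkconf is expected to reject, so the intent has to be reverse-engineered from the key line; the same applies to the three sibling fixtures (`8 4097`, `rsasha512 1023`, `5 511`). A one-line comment above each `csk` line would do, here `// expected to fail: "ceasarscipher" is not a known DNSSEC algorithm mnemonic`, and for the other three `// expected to fail: key length outside the range accepted for this algorithm`. Keeping the expected diagnostic next to the fixture also makes it obvious when a later wording change in the checker breaks the grep in the test script.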
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm 8 4097;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm rsasha512 1023;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+ keys {
+ csk lifetime unlimited algorithm 5 511;
+ };
+};
+
+zone "example.net" {
+ type master;
+ file "example.db";
+ dnssec-policy "badalg";
+};
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
- ksk key-directory lifetime P1Y algorithm 13;
+ ksk key-directory lifetime P1Y algorithm ecdsa256;
zsk lifetime P30D algorithm 13;
- csk key-directory lifetime unlimited algorithm 8 2048;
+ csk key-directory lifetime unlimited algorithm rsasha256 2048;
};
max-zone-ttl 86400;
parent-ds-ttl 7200;
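Review bot: The zsk line between the two rewritten keys keeps the numeric `algorithm 13` while its neighbours were converted to mnemonics. If that is deliberate, to keep exercising the decimal form the documentation still permits, a comment would stop a later cleanup from "fixing" it: `zsk lifetime P30D algorithm 13; // numeric form kept on purpose: decimal and mnemonic must both parse`. If it is an oversight, converting it to `ecdsa256` keeps the policy internally consistent.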
dnssec-policy "warn-length" {
keys {
// Algorithm 13 has predefined length, warn about length param.
- csk lifetime unlimited algorithm 13 2048;
- // Algorithm 5 length out of range, warn about length param.
- csk lifetime unlimited algorithm 5 4097;
+ csk lifetime unlimited algorithm ecdsa256 2048;
};
};
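Review bot: The comment above the remaining key still says "Algorithm 13" while the key line now reads `ecdsa256`, so the two no longer match and the reader has to know the number/mnemonic mapping to see why a length warning is expected. Suggest `// ecdsa256 (algorithm 13) has a fixed key size; the 2048 is ignored with a warning.` so the comment and the line agree.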
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "checking named-checkconf kasp warnings ($n)"
+echo_i "checking named-checkconf kasp errors ($n)"
ret=0
-$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
+$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "checking named-checkconf kasp key warnings ($n)"
+echo_i "checking named-checkconf kasp predefined key lengths ($n)"
ret=0
-$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1
-grep "dnssec-policy: key algorithm 13 has predefined length, ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-policy: key with algorithm 5 has invalid key length, ignoring length value 4097" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
+grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
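Review bot: The assertion that an out-of-range key length is diagnosed has been dropped from this test along with the `algorithm 5 4097` fixture line, and nothing in this hunk replaces it; the out-of-range case is now an error rather than a warning, so it cannot live in this success-path test, but it still needs coverage. If the new "badalg" fixtures are exercised in a hunk not shown here this is fine; otherwise add a test that runs `$CHECKCONF` on each of them, expects a non-zero exit (`&& ret=1`), and greps for the `has invalid key length` and `bad algorithm` messages respectively. Without that, a regression that silently accepts `rsasha512 1023` would pass the suite.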
</para>
<programlisting>keys {
- ksk key-directory lifetime unlimited algorithm 8 2048;
+ ksk key-directory lifetime unlimited algorithm rsasha1 2048;
zsk key-directory lifetime P30D algorithm 8;
- csk key-directory lifetime P6MT12H3M15S algorithm 13;
+ csk key-directory lifetime P6MT12H3M15S algorithm ecdsa256;
};
</programlisting>
</para>
<para>
The <command>algorithm</command> parameter(s) are the key's
- algorithm, expressed numerically, and its size in bits. The
- size may be omitted, as shown in the example for the
- second and third keys; in this case an appropriate
- default size will be used.
+ algorithm, expressed either as a string ("rsasha256",
+ "ecdsa384", etc) or as a decimal number, and the key's
+ size in bits. The size may be omitted, as shown in
+ the example for the second and third keys; in this case
+ an appropriate default size will be used.
</para>
</listitem>
</varlistentry>
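Review bot: The example key line replaces `algorithm 8` with `rsasha1`, but 8 is RSASHA256 and rsasha1 is algorithm 5; elsewhere in this commit the same `algorithm 8 2048` is rewritten as `rsasha256 2048`, so this looks like a slip rather than an intentional change. As written the documented example now recommends a SHA-1 based algorithm and is inconsistent with the zsk on the next line, which still uses numeric `8`. Suggest `ksk key-directory lifetime unlimited algorithm rsasha256 2048;`.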
if (obj != NULL) {
bool bad_kasp = false;
bool bad_name = false;
+
if (optlevel != optlevel_config && !cfg_obj_isstring(obj)) {
bad_kasp = true;
} else if (optlevel == optlevel_config) {
dns_kasplist_t list;
- dns_kasp_t* kasp, *kasp_next;
+ dns_kasp_t *kasp = NULL, *kasp_next = NULL;
ISC_LIST_INIT(list);
element != NULL;
element = cfg_list_next(element))
{
+ isc_result_t ret;
cfg_obj_t *kconfig =
cfg_listelt_value(element);
- if (!cfg_obj_istuple(kconfig))
- {
+ if (!cfg_obj_istuple(kconfig)) {
bad_kasp = true;
continue;
}
bad_name = true;
continue;
}
- kasp = NULL;
- (void)cfg_kasp_fromconfig(kconfig, mctx,
+
+ ret = cfg_kasp_fromconfig(kconfig, mctx,
logctx,
&list, &kasp);
+ if (ret != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS) {
+ result = ret;
+ }
+ }
+
if (kasp != NULL) {
dns_kasp_detach(&kasp);
}
}
}
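Review bot: The nested `if (ret != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = ret; } }` reads as two decisions where there is one; `if (ret != ISC_R_SUCCESS && result == ISC_R_SUCCESS) { result = ret; }` says the same thing in one condition. The reason for keeping the first failure rather than the last is not obvious from the code, so a short comment such as `/* report the first failure; keep checking the remaining policies */` would help, since the loop deliberately continues after an error. The enclosing loop and function start and end outside this hunk, and `result` is assumed to be the function-level status variable.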
- for (kasp = ISC_LIST_HEAD(list); kasp != NULL;
+ for (kasp = ISC_LIST_HEAD(list);
+ kasp != NULL;
kasp = kasp_next)
{
kasp_next = ISC_LIST_NEXT(kasp, link);
/* Configuration */
uint32_t lifetime;
- uint32_t algorithm;
+ uint8_t algorithm;
int length;
uint8_t role;
};
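Review bot: The field is narrowed from `uint32_t` to `uint8_t` without a comment explaining the width; `uint8_t algorithm; /* DNSSEC algorithm number; 8 bits on the DNSKEY wire format */` records why the narrower type is correct. Any remaining user of this field that still prints it with `%u` or compares it against a wider value is not visible in this hunk and should be audited with the type change; the uses rewritten in this commit's cfg_kaspkey_fromconfig hunks switch to printing the textual form instead.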
#include <isc/mem.h>
#include <isc/print.h>
+#include <isc/region.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/kasp.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
/*
* Create a new kasp key derived from configuration.
*/
static isc_result_t
-cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t* kasp,
+cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
isc_log_t *logctx)
{
isc_result_t result;
} else {
const char *rolestr = NULL;
const cfg_obj_t *obj = NULL;
+ isc_consttextregion_t alg;
rolestr = cfg_obj_asstring(cfg_tuple_get(config, "role"));
if (strcmp(rolestr, "ksk") == 0) {
}
obj = cfg_tuple_get(config, "algorithm");
- key->algorithm = cfg_obj_asuint32(obj);
+ alg.base = cfg_obj_asstring(obj);
+ alg.length = strlen(alg.base);
+ result = dns_secalg_fromtext(&key->algorithm,
+ (isc_textregion_t *) &alg);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: bad algorithm %s",
+ alg.base);
+ result = DNS_R_BADALG;
+ goto cleanup;
+ }
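Review bot: The new check only establishes that the text parses as an algorithm identifier; if `dns_secalg_fromtext` also accepts any decimal value (the documentation in this commit says a decimal number is allowed), then reserved, private-use or unsupported numbers pass here and later fall into the `default: break;` of the length switch, so a policy naming an algorithm the server cannot sign with is accepted as valid. Consider rejecting algorithms the signing layer does not support at this point, with a log line such as `"dnssec-policy: unsupported algorithm %s"`, so the failure surfaces in named-checkconf rather than at key generation time. The `(isc_textregion_t *) &alg` cast discards the const of `alg.base`; that is harmless only as long as the callee never writes through the region, which is worth a one-line comment.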
obj = cfg_tuple_get(config, "length");
if (cfg_obj_isuint32(obj)) {
cfg_obj_log(obj, logctx,
ISC_LOG_ERROR,
"dnssec-policy: key with "
- "algorithm %u has invalid "
- "key length",
- key->algorithm);
- return (ISC_R_RANGE);
+ "algorithm %s has invalid "
+ "key length %u",
+ alg.base, size);
+ result = ISC_R_RANGE;
+ goto cleanup;
}
break;
case DNS_KEYALG_ECDSA256:
case DNS_KEYALG_ED25519:
case DNS_KEYALG_ED448:
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "dnssec-policy: key algorithm %u "
+ "dnssec-policy: key algorithm %s "
"has predefined length; ignoring "
- "length value %u", key->algorithm,
- size);
+ "length value %u", alg.base, size);
default:
break;
}
}
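Review bot: The warning `cfg_obj_log` for the ECDSA/EdDSA cases is now the last statement before `default:`, with no `break;`, so control falls through into `default` implicitly; it is benign because `default` only breaks, but it trips `-Wimplicit-fallthrough` and invites a real bug if `default` ever grows a body. Add `break;` after `"length value %u", alg.base, size);`, or mark it `/* FALLTHROUGH */` if the fall-through is intended.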
dns_kasp_addkey(kasp, key);
+ return (ISC_R_SUCCESS);
+
+cleanup:
+
+ dns_kasp_key_destroy(key);
return (result);
+
}
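Review bot: The new tail leaves a blank line between `cleanup:` and `dns_kasp_key_destroy(key);` and another between `return (result);` and the closing brace; both are stray and the rest of the file does not pad labels or closing braces this way. Every `goto cleanup` this hunk introduces happens after `key` exists, but the label unconditionally destroys `key`, so a comment such as `/* cleanup: only reachable once key has been created */` documents the precondition any future early exit must respect.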
isc_result_t
/*%
* A dnssec key, as used in the "keys" statement in a "dnssec-policy".
*/
-static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_uint32 };
+static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_ustring };
static cfg_type_t cfg_type_algorithm = {
"algorithm", parse_keyvalue, print_keyvalue,
- doc_keyvalue, &cfg_rep_uint32, &algorithm_kw
+ doc_keyvalue, &cfg_rep_string, &algorithm_kw
};
static keyword_type_t lifetime_kw = { "lifetime",
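Review bot: Switching `algorithm_kw` to `cfg_type_ustring` means the grammar now reads a single unquoted token, which is what the test fixtures and the updated documentation examples use; the prose in this commit, however, shows the mnemonics in double quotes ("rsasha256", "ecdsa384"). If the ustring parser does not accept a quoted token, that prose will lead users into a parse error, so either accept the quoted form here or keep the documentation's examples unquoted. A one-line comment above the definition, `/* algorithm is a mnemonic or decimal number, parsed by dns_secalg_fromtext() */`, would make the accepted forms explicit at the grammar level.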