Retrieve RRSIG from SKR
authorMatthijs Mekking <matthijs@isc.org>
Wed, 19 Jun 2024 12:33:07 +0000 (14:33 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 22 Aug 2024 06:21:52 +0000 (08:21 +0200)
When it is time to generate a new signature (dns_dnssec_sign), rather
than create a new one, retrieve it from the SKR.

lib/dns/include/dns/zone.h
lib/dns/update.c
lib/dns/zone.c

index 35a80df65c8c58dff502086282add1911c94e994..422448a1a726c4bb63794aacefda2b5f5427eff2 100644 (file)
@@ -762,6 +762,15 @@ dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp);
  *\li  'zone' to be a valid zone.
  */
 
+dns_skrbundle_t *
+dns_zone_getskrbundle(dns_zone_t *zone);
+/*%<
+ *     Returns the current SKR bundle.
+ *
+ * Require:
+ *\li  'zone' to be a valid zone.
+ */
+
 void
 dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value);
 /*%<
@@ -2744,7 +2753,7 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
  *
  * Requires:
  * \li 'zone' to be a valid zone.
- * \li 'db'is not NULL.
+ * \li 'db' is not NULL.
  *
  * Returns:
  * \li 'true' if the check passes, that is the zone remains consistent,
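Review bot: The new header comment for dns_zone_getskrbundle only says "Returns the current SKR bundle" and leaves out the ownership and lifetime of the returned pointer, which matters because the zone.c implementation in this commit reads the pointer under LOCK_ZONE, unlocks, and returns it without attaching a reference. A caller therefore holds a borrowed pointer that a concurrent dns_zone_setskr() (which, as the neighbouring hunk shows, modifies the zone under the same lock) can replace underneath it. Suggest extending the comment block with `*\li  Returns the bundle installed on 'zone' (for an inline-signing raw zone, the one on its secure zone), or NULL if none; no reference is attached, so the pointer is only valid while the SKR is not replaced via dns_zone_setskr().`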
index 659c199378bd9bb1d038adcc1d1d9b36fcabecbb..17cc0d67d8e03788b924a07f62fc4679f67c3a69 100644 (file)
@@ -45,6 +45,7 @@
 #include <dns/rdatasetiter.h>
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
+#include <dns/skr.h>
 #include <dns/soa.h>
 #include <dns/ssu.h>
 #include <dns/stats.h>
@@ -1113,10 +1114,12 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
        unsigned int i;
        bool added_sig = false;
        bool use_kasp = false;
+       bool offlineksk = false;
        isc_mem_t *mctx = diff->mctx;
 
        if (kasp != NULL) {
                use_kasp = true;
+               offlineksk = dns_kasp_offlineksk(kasp);
        }
 
        dns_rdataset_init(&rdataset);
@@ -1230,8 +1233,19 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                }
 
                /* Calculate the signature, creating a RRSIG RDATA. */
-               CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
-                                     &expire, mctx, &buffer, &sig_rdata));
+               if (offlineksk && dns_rdatatype_iskeymaterial(type)) {
+                       /* Look up the signature in the SKR bundle */
+                       dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
+                       if (bundle == NULL) {
+                               CHECK(DNS_R_NOSKRBUNDLE);
+                       }
+                       CHECK(dns_skrbundle_getsig(bundle, keys[i], type,
+                                                  &sig_rdata));
+               } else {
+                       CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+                                             &inception, &expire, mctx,
+                                             &buffer, &sig_rdata));
+               }
 
                /* Update the database and journal with the RRSIG. */
                /* XXX inefficient - will cause dataset merging */
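Review bot: In the new SKR branch of add_sigs the RRSIG rdata behind sig_rdata is no longer backed by the caller-owned `buffer` as it is on the dns_dnssec_sign path, and where dns_skrbundle_getsig leaves it pointing is not visible in this hunk; if it references memory owned by the bundle, that bundle is a borrowed pointer (dns_zone_getskrbundle releases the zone lock before returning), so a concurrent dns_zone_setskr() could invalidate the data before update_one_rr consumes it. A one-line comment stating the assumed lifetime would make the contract explicit, e.g. `/* sig_rdata may reference bundle-owned memory; it is consumed by update_one_rr() below */`. The same branch is duplicated verbatim in zone.c add_sigs and sign_a_node; at least the two zone.c copies could share a static helper so that a future change to the lookup or error path is made once. The enclosing loop and function continue outside this hunk.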
index e64a96869b3f54ed779d342bfa839f38528b2412..942855c2cd7e51a5adebc99c87049c80e611f2c5 100644 (file)
@@ -5758,6 +5758,23 @@ dns_zone_setskr(dns_zone_t *zone, dns_skr_t *skr) {
        UNLOCK_ZONE(zone);
 }
 
+dns_skrbundle_t *
+dns_zone_getskrbundle(dns_zone_t *zone) {
+       dns_skrbundle_t *bundle;
+
+       REQUIRE(DNS_ZONE_VALID(zone));
+
+       LOCK_ZONE(zone);
+       if (inline_raw(zone) && zone->secure != NULL) {
+               bundle = zone->secure->skrbundle;
+       } else {
+               bundle = zone->skrbundle;
+       }
+       UNLOCK_ZONE(zone);
+
+       return (bundle);
+}
+
 void
 dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
        REQUIRE(DNS_ZONE_VALID(zone));
@@ -6780,9 +6797,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
        isc_buffer_t buffer;
        unsigned int i;
        bool use_kasp = false;
+       bool offlineksk = false;
 
        if (zone->kasp != NULL) {
                use_kasp = true;
+               offlineksk = dns_kasp_offlineksk(zone->kasp);
        }
 
        dns_rdataset_init(&rdataset);
@@ -6912,8 +6931,20 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 
                /* Calculate the signature, creating a RRSIG RDATA. */
                isc_buffer_clear(&buffer);
-               CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
-                                     &expire, mctx, &buffer, &sig_rdata));
+
+               if (offlineksk && dns_rdatatype_iskeymaterial(type)) {
+                       /* Look up the signature in the SKR bundle */
+                       dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
+                       if (bundle == NULL) {
+                               CHECK(DNS_R_NOSKRBUNDLE);
+                       }
+                       CHECK(dns_skrbundle_getsig(bundle, keys[i], type,
+                                                  &sig_rdata));
+               } else {
+                       CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+                                             &inception, &expire, mctx,
+                                             &buffer, &sig_rdata));
+               }
 
                /* Update the database and journal with the RRSIG. */
                /* XXX inefficient - will cause dataset merging */
@@ -7407,11 +7438,15 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
        dns_rdataset_t rdataset;
        dns_rdata_t rdata = DNS_RDATA_INIT;
        dns_stats_t *dnssecsignstats;
-
+       bool offlineksk = false;
        isc_buffer_t buffer;
        unsigned char data[1024];
        bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds;
 
+       if (zone->kasp != NULL) {
+               offlineksk = dns_kasp_offlineksk(zone->kasp);
+       }
+
        result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
        if (result != ISC_R_SUCCESS) {
                if (result == ISC_R_NOTFOUND) {
@@ -7515,8 +7550,19 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
 
                /* Calculate the signature, creating a RRSIG RDATA. */
                isc_buffer_clear(&buffer);
-               CHECK(dns_dnssec_sign(name, &rdataset, key, &inception, &expire,
-                                     mctx, &buffer, &rdata));
+               if (offlineksk && dns_rdatatype_iskeymaterial(rdataset.type)) {
+                       /* Look up the signature in the SKR bundle */
+                       dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
+                       if (bundle == NULL) {
+                               CHECK(DNS_R_NOSKRBUNDLE);
+                       }
+                       CHECK(dns_skrbundle_getsig(bundle, key, rdataset.type,
+                                                  &rdata));
+               } else {
+                       CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
+                                             &expire, mctx, &buffer, &rdata));
+               }
+
                /* Update the database and journal with the RRSIG. */
                /* XXX inefficient - will cause dataset merging */
                CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
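Review bot: In sign_a_node (and in the zone.c add_sigs hunk above) dns_zone_getskrbundle is called inside the per-RRset signing loop, so each key-material signature takes and releases the zone lock again even though `offlineksk` is fixed before the loop; hoisting the lookup next to the offlineksk initialisation, `dns_skrbundle_t *bundle = offlineksk ? dns_zone_getskrbundle(zone) : NULL;`, avoids the repeated lock traffic and makes the borrowed-pointer window a single, visible span. Whether any caller of these functions already holds the zone lock is not visible here; if one does and the zone mutex is not recursive, the in-loop LOCK_ZONE would deadlock, which is worth confirming. A small nit in the first sign_a_node hunk: `bool offlineksk = false;` replaces the blank line that separated dnssecsignstats from buffer, so keep the blank and place the declaration beside the other bool declarations. sign_a_node continues beyond this hunk.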