dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
isc_stdtime_t publish, active, revoke, remove;
- bool hint_publish, hint_sign, hint_revoke, hint_remove;
+ bool hint_publish, hint_zsign, hint_ksign, hint_revoke, hint_remove;
int major, minor;
+ bool ksk = false, zsk = false;
+ isc_result_t ret;
/* Is this an old-style key? */
result = dst_key_getprivateformat(key, &major, &minor);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ /* Is this a KSK? */
+ ret = dst_key_getbool(key, DST_BOOL_KSK, &ksk);
+ if (ret != ISC_R_SUCCESS) {
+ ksk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) != 0);
+ }
+ ret = dst_key_getbool(key, DST_BOOL_ZSK, &zsk);
+ if (ret != ISC_R_SUCCESS) {
+ zsk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0);
+ }
+
/*
* Smart signing started with key format 1.3; prior to that, all
* keys are assumed active.
return (true);
hint_publish = dst_key_is_published(key, now, &publish);
- hint_sign = dst_key_is_signing(key, now, &active);
+ hint_zsign = dst_key_is_signing(key, DST_BOOL_ZSK, now, &active);
+ hint_ksign = dst_key_is_signing(key, DST_BOOL_KSK, now, &active);
hint_revoke = dst_key_is_revoked(key, now, &revoke);
hint_remove = dst_key_is_removed(key, now, &remove);
if (hint_publish && hint_revoke) {
return (true);
}
- if (hint_sign) {
+ if (hint_zsign && zsk) {
+ return (true);
+ }
+ if (hint_ksign && ksk) {
return (true);
}
return (false);
REQUIRE(key != NULL && key->key != NULL);
key->hint_publish = dst_key_is_published(key->key, now, &publish);
- key->hint_sign = dst_key_is_signing(key->key, now, &active);
+ key->hint_sign = dst_key_is_signing(key->key, DST_BOOL_ZSK, now,
+ &active);
key->hint_revoke = dst_key_is_revoked(key->key, now, &revoke);
key->hint_remove = dst_key_is_removed(key->key, now, &remove);
bool
-dst_key_is_signing(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *active)
+dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now, isc_stdtime_t *active)
{
dst_key_state_t state;
isc_result_t result;
* If the RRSIG state is RUMOURED or OMNIPRESENT, it means the key
* is active.
*/
- if (ksk) {
+ if (ksk && role == DST_BOOL_KSK) {
result = dst_key_getstate(key, DST_KEY_KRRSIG, &state);
if (result == ISC_R_SUCCESS) {
krrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||
time_ok = true;
inactive = false;
}
- }
- if (zsk) {
+ } else if (zsk && role == DST_BOOL_ZSK) {
result = dst_key_getstate(key, DST_KEY_ZRRSIG, &state);
if (result == ISC_R_SUCCESS) {
zrrsig_ok = ((state == DST_KEY_STATE_RUMOURED) ||
*/
bool
-dst_key_is_signing(dst_key_t *key, isc_stdtime_t now, isc_stdtime_t *active);
+dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now,
+ isc_stdtime_t *active);
/*%<
- * Check if it is safe to use this key for signing.
+ * Check if it is safe to use this key for signing, given the role.
*
* Requires:
* 'key' to be valid.
* A dnssec-policy is found. Check what RRsets this
* key should sign.
*/
+ isc_stdtime_t when;
isc_result_t kresult;
bool ksk = false;
bool zsk = false;
* Other RRsets are signed with ZSK.
*/
continue;
+ } else if (zsk && !dst_key_is_signing(keys[i],
+ DST_BOOL_ZSK,
+ inception,
+ &when)) {
+ /*
+ * This key is not active for zone-signing.
+ */
+ continue;
}
/*
* key should sign.
*/
isc_result_t kresult;
+ isc_stdtime_t when;
bool ksk = false;
bool zsk = false;
* Other RRsets are signed with ZSK.
*/
continue;
+ } else if (!dst_key_is_signing(keys[i], DST_BOOL_ZSK,
+ inception, &when)) {
+ /*
+ * This key is not active for zone-signing.
+ */
+ continue;
}
/*
if (kasp) {
dns_kasp_key_t* kkey;
- int ksk_count = 0, zsk_count = 0;
- bool approved = false;
+ int zsk_count = 0;
+ bool approved;
for (kkey = ISC_LIST_HEAD(kasp->keys); kkey != NULL;
kkey = ISC_LIST_NEXT(kkey, link))
if (dns_kasp_key_algorithm(kkey) != dst_key_alg(key)) {
continue;
}
- if (dns_kasp_key_ksk(kkey)) {
- ksk_count++;
- }
if (dns_kasp_key_zsk(kkey)) {
zsk_count++;
}
* be signed with a key in the current DS RRset,
* which would only include KSK's.)
*/
- approved = (ksk_count == count);
+ approved = false;
} else {
approved = (zsk_count == count);
}
dns_diff_t *diff, int32_t *signatures, isc_mem_t *mctx)
{
isc_result_t result;
+ dns_kasp_t *kasp = dns_zone_getkasp(zone);
dns_rdatasetiter_t *iterator = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
}
result = dns_rdatasetiter_first(iterator);
while (result == ISC_R_SUCCESS) {
+ isc_stdtime_t when;
+
dns_rdatasetiter_current(iterator, &rdataset);
if (rdataset.type == dns_rdatatype_soa ||
rdataset.type == dns_rdatatype_rrsig)
}
} else if (!is_zsk) {
goto next_rdataset;
+ } else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
+ inception, &when)) {
+ /* Only applies to dnssec-policy. */
+ if (kasp != NULL) {
+ goto next_rdataset;
+ }
}
+
if (seen_ns && !seen_soa &&
rdataset.type != dns_rdatatype_ds &&
rdataset.type != dns_rdatatype_nsec)
projects / thirdparty / bind9.git / commitdiff
