return (false);
}
+static isc_result_t
+delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
+ dns_rdataset_t *cds, unsigned int digesttype, dns_diff_t *diff,
+ isc_mem_t *mctx) {
+ isc_result_t r = ISC_R_SUCCESS;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ dns_rdata_t cdsrdata = DNS_RDATA_INIT;
+ dns_name_t *origin = dst_key_name(key->key);
+
+ r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
+ if (r != ISC_R_SUCCESS) {
+ return (r);
+ }
+
+ cdsrdata.type = dns_rdatatype_cds;
+ if (exists(cds, &cdsrdata)) {
+ char algbuf[DNS_DSDIGEST_FORMATSIZE];
+ dns_dsdigest_format(digesttype, algbuf,
+ DNS_DSDIGEST_FORMATSIZE);
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+ "CDS (%s) for key %s is now deleted", algbuf,
+ keystr);
+ r = delrdata(&cdsrdata, diff, origin, cds->ttl, mctx);
+ }
+ return (r);
+}
+
isc_result_t
dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
- isc_stdtime_t now, dns_ttl_t ttl, dns_diff_t *diff,
- isc_mem_t *mctx) {
- unsigned char dsbuf1[DNS_DS_BUFFERSIZE];
- unsigned char dsbuf2[DNS_DS_BUFFERSIZE];
+ isc_stdtime_t now, unsigned int digesttype, dns_ttl_t ttl,
+ dns_diff_t *diff, isc_mem_t *mctx) {
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
unsigned char keybuf[DST_KEY_MAXSIZE];
isc_result_t result;
dns_dnsseckey_t *key;
for (key = ISC_LIST_HEAD(*keys); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
- dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
- dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
+ dns_rdata_t cdsrdata = DNS_RDATA_INIT;
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
&cdnskeyrdata));
-
- /*
- * We construct the SHA-1 version of the record so we can
- * delete any old records generated by previous versions of
- * BIND. We only add SHA-256 records.
- *
- * XXXMPA we need to be able to specify the DS algorithms
- * to be used here and below with rmkeys.
- */
- RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
- DNS_DSDIGEST_SHA1, dsbuf1, &cds_sha1));
- RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
- DNS_DSDIGEST_SHA256, dsbuf2,
- &cds_sha256));
+ RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, digesttype,
+ dsbuf, &cdsrdata));
/*
* Now that the we have created the DS records convert
* the rdata to CDNSKEY and CDS for comparison.
*/
cdnskeyrdata.type = dns_rdatatype_cdnskey;
- cds_sha1.type = dns_rdatatype_cds;
- cds_sha256.type = dns_rdatatype_cds;
+ cdsrdata.type = dns_rdatatype_cds;
if (syncpublish(key->key, now)) {
char keystr[DST_KEY_FORMATSIZE];
if (!dns_rdataset_isassociated(cdnskey) ||
!exists(cdnskey, &cdnskeyrdata))
{
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC,
- ISC_LOG_INFO,
- "CDNSKEY for key %s is now published",
- keystr);
+ isc_log_write(
+ dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+ "CDNSKEY for key %s is now published",
+ keystr);
RETERR(addrdata(&cdnskeyrdata, diff, origin,
ttl, mctx));
}
- /* Only publish SHA-256 (SHA-1 is deprecated) */
+
if (!dns_rdataset_isassociated(cds) ||
- !exists(cds, &cds_sha256))
+ !exists(cds, &cdsrdata))
{
- isc_log_write(
- dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
- "CDS for key %s is now published",
- keystr);
- RETERR(addrdata(&cds_sha256, diff, origin, ttl,
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "CDS for key %s is now published",
+ keystr);
+ RETERR(addrdata(&cdsrdata, diff, origin, ttl,
mctx));
}
}
dst_key_format(key->key, keystr, sizeof(keystr));
if (dns_rdataset_isassociated(cds)) {
- /* Delete both SHA-1 and SHA-256 */
- if (exists(cds, &cds_sha1)) {
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC,
- ISC_LOG_INFO,
- "CDS (SHA-1) for key %s "
- "is now deleted",
- keystr);
- RETERR(delrdata(&cds_sha1, diff, origin,
- cds->ttl, mctx));
- }
- if (exists(cds, &cds_sha256)) {
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC,
- ISC_LOG_INFO,
- "CDS (SHA-256) for key "
- "%s is now deleted",
- keystr);
- RETERR(delrdata(&cds_sha256, diff,
- origin, cds->ttl,
- mctx));
- }
+ /* Delete all possible CDS records */
+ delete_cds(key, &cdnskeyrdata,
+ (const char *)keystr, cds,
+ DNS_DSDIGEST_SHA1, diff, mctx);
+ delete_cds(key, &cdnskeyrdata,
+ (const char *)keystr, cds,
+ DNS_DSDIGEST_SHA256, diff, mctx);
+ delete_cds(key, &cdnskeyrdata,
+ (const char *)keystr, cds,
+ DNS_DSDIGEST_SHA384, diff, mctx);
}
if (dns_rdataset_isassociated(cdnskey)) {
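Review bot: The result of each `delete_cds()` call at L144-L152 is discarded, whereas the code it replaces wrapped every `delrdata()` in RETERR; a failure from `dns_ds_buildrdata()` or `delrdata()` inside the helper now leaves the CDS in the zone with no error surfaced to the caller, and the diff being built may be incomplete without anyone noticing. The same pattern is repeated for the rmkeys loop at L189-L194. Unless discarding the result is deliberate (e.g. to tolerate a digest type a build does not implement, which would be better handled inside delete_cds by treating only that case as a no-op), the calls should read `RETERR(delete_cds(key, &cdnskeyrdata, keystr, cds, DNS_DSDIGEST_SHA1, diff, mctx));` and likewise for SHA256 and SHA384. The `(const char *)keystr` casts are also unnecessary, since the char array converts to `const char *` implicitly. The enclosing dns_dnssec_syncupdate() continues beyond this hunk.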
for (key = ISC_LIST_HEAD(*rmkeys); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
- dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
- dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
&cdnskeyrdata));
if (dns_rdataset_isassociated(cds)) {
- RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
- DNS_DSDIGEST_SHA1, dsbuf1,
- &cds_sha1));
- RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
- DNS_DSDIGEST_SHA256, dsbuf2,
- &cds_sha256));
- if (exists(cds, &cds_sha1)) {
- isc_log_write(
- dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
- "CDS (SHA-1) for key %s is now deleted",
- keystr);
- RETERR(delrdata(&cds_sha1, diff, origin,
- cds->ttl, mctx));
- }
- if (exists(cds, &cds_sha256)) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC,
- ISC_LOG_INFO,
- "CDS (SHA-256) for key %s is now "
- "deleted",
- keystr);
- RETERR(delrdata(&cds_sha256, diff, origin,
- cds->ttl, mctx));
- }
+ delete_cds(key, &cdnskeyrdata, (const char *)keystr,
+ cds, DNS_DSDIGEST_SHA1, diff, mctx);
+ delete_cds(key, &cdnskeyrdata, (const char *)keystr,
+ cds, DNS_DSDIGEST_SHA256, diff, mctx);
+ delete_cds(key, &cdnskeyrdata, (const char *)keystr,
+ cds, DNS_DSDIGEST_SHA384, diff, mctx);
}
if (dns_rdataset_isassociated(cdnskey)) {