+3177. [func] 'rndc keydone', remove the indicator record that
+ named has finished signing the zone with the
+ corresponding key. [RT #26206]
+
3176. [doc] Corrected example code and added a README to the
sample external DLZ module in contrib/dlz/example.
[RT #26215]
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.23 2011/09/03 05:51:29 each Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */
/*! \file */
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
+static isc_uint32_t ttl;
static isc_result_t
initname(char *setname) {
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
+ if (ttl != 0U)
+ printf("%u ", ttl);
+
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
+ fprintf(stderr, " -T TTL\n");
fprintf(stderr, " -f file: read keyset from zone file\n");
fprintf(stderr, " -A: when used with -f, "
"include all keys in DS set, not just KSKs\n");
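Review bot: The new usage line `fprintf(stderr, " -T TTL\n");` is the only option in this list printed without a description, so `-h` output does not say what the value does; the docbook change in this commit describes it as the TTL of the DS records, and the printing code only emits a TTL when it is non-zero. Suggest `fprintf(stderr, " -T TTL: TTL of the DS records (default: omitted)\n");` to match the `-c class: ... (default: IN)` form two lines above. The enclosing usage function starts and ends outside the hunk.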
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "12Aa:c:d:Ff:K:l:sv:h")) != -1) {
+ "12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
case 's':
usekeyset = ISC_TRUE;
break;
+ case 'T':
+ ttl = atol(isc_commandline_argument);
+ break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
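Review bot: `ttl = atol(isc_commandline_argument);` accepts the `-T` argument without any validation, unlike the `-v` branch directly below it, which parses with strtol and rejects trailing garbage through `endp`; with atol, `-T abc` silently becomes 0 (and the TTL is then never printed) and a negative value is converted to a huge unsigned TTL. Parse it the same way as `-v`: `ttl = strtoul(isc_commandline_argument, &endp, 0);` followed by `if (*endp != '\0')` and the same error path the `-v` branch takes, and reject values that do not fit in 32 bits before the assignment narrows them. The enclosing function continues outside the hunk.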
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.16 2011/03/27 06:39:59 marka Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011/10/25 01:54:18 marka Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>August 26, 2009</date>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-T <replaceable class="parameter">TTL</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the TTL of the DS records.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.44 2011/08/02 20:36:11 each Exp $ */
+/* $Id: control.c,v 1.45 2011/10/25 01:54:18 marka Exp $ */
/*! \file */
result = ns_server_add_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_DELZONE)) {
result = ns_server_del_zone(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_KEYDONE)) {
+ result = ns_server_keydone(ns_g_server, command);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.34 2011/08/02 20:36:12 each Exp $ */
+/* $Id: control.h,v 1.35 2011/10/25 01:54:19 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
#define NS_COMMAND_ADDZONE "addzone"
#define NS_COMMAND_DELZONE "delzone"
#define NS_COMMAND_SYNC "sync"
+#define NS_COMMAND_KEYDONE "keydone"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.113 2011/08/02 20:36:12 each Exp $ */
+/* $Id: server.h,v 1.114 2011/10/25 01:54:19 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
isc_result_t
ns_server_del_zone(ns_server_t *server, char *args);
+/*%
+ * Deletes the matching key done private record from the zone.
+ */
+isc_result_t
+ns_server_keydone(ns_server_t *server, char *args);
+
#endif /* NAMED_SERVER_H */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.622 2011/10/14 05:38:49 marka Exp $ */
+/* $Id: server.c,v 1.623 2011/10/25 01:54:19 marka Exp $ */
/*! \file */
*/
static isc_result_t
zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
- const char **zonename)
+ const char **zonename, isc_boolean_t skip)
{
char *input, *ptr;
const char *zonetxt;
input = args;
- /* Skip the command name. */
- ptr = next_token(&input, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
+ if (skip) {
+ /* Skip the command name. */
+ ptr = next_token(&input, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ }
/* Look for the zone name. */
zonetxt = next_token(&input, " \t");
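Review bot: The new `skip` parameter of zone_from_args() is not documented, and the comment block that ends just above the signature (the `*/` on the first line of the hunk) presumably describes the expected `args` format, which this parameter now changes: a reader has to infer that `skip` decides whether the first token is a command name to be discarded. Suggest adding to that comment `If 'skip' is true the first token of 'args' is the command name and is discarded; otherwise 'args' must begin with the zone name.` so callers like the new keydone handler, which pass ISC_FALSE, are understandable without reading every call site. The function body continues outside the hunk.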
dns_zone_t *zone = NULL;
dns_zonetype_t type;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
dns_zonetype_t type;
const char *msg = NULL;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
dns_zone_t *zone = NULL;
const unsigned char msg[] = "zone notify queued";
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
const unsigned char msg2[] = "not a slave or stub zone";
dns_zonetype_t type;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
fullsign = ISC_TRUE;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
(void) next_token(&args, " \t");
}
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
isc_boolean_t frozen;
const char *msg = NULL;
- result = zone_from_args(server, args, &zone, NULL);
+ result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
FILE *ifp = NULL, *ofp = NULL;
/* Parse parameters */
- CHECK(zone_from_args(server, args, &zone, &zonename));
+ CHECK(zone_from_args(server, args, &zone, &zonename, ISC_TRUE));
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
*cfgp = NULL;
}
+
+/*
+ * Act on a "keydone" command from the command channel.
+ */
+isc_result_t
+ns_server_keydone(ns_server_t *server, char *args) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ const char *ptr = NULL;
+
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ /*
+ * Is the rdata sane?
+ */
+ if (strspn(ptr, "0123456789ABCDEFabcdef") != 10U ||
+ strncmp(ptr, "00", 2) == 0 || strcmp(ptr + 6, "0001") != 0)
+ return (DNS_R_SYNTAX);
+
+ /*
+ * Find the zone.
+ */
+ result = zone_from_args(server, args, &zone, NULL, ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL)
+ return(ISC_R_NOTFOUND);
+
+ if (dns_zone_gettype(zone) != dns_zone_master) {
+ result = DNS_R_NOTMASTER;
+ goto cleanup;
+ }
+
+ result = dns_zone_keydone(zone, ptr);
+
+ cleanup:
+ dns_zone_detach(&zone);
+ return (result);
+}
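Review bot: The rdata check `strspn(ptr, "0123456789ABCDEFabcdef") != 10U || strncmp(ptr, "00", 2) == 0 || strcmp(ptr + 6, "0001") != 0` carries three magic values with no explanation, and the only description of the 10-digit / not-"00" / trailing-"0001" rule lives in the ARM text elsewhere in this commit; the comment above it, `Is the rdata sane?`, says nothing about what is enforced. Suggest replacing that comment with one that states the contract: `Accept only a complete 5-byte private-type record (10 hex digits) whose first byte (the algorithm) is non-zero and whose last two bytes are 00 01, i.e. "signing with this key is finished"; any other record must not be removable over the command channel.` Also `return(ISC_R_NOTFOUND);` should be `return (ISC_R_NOTFOUND);` to match the other returns in this function and in the file.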
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.134 2011/03/21 15:39:05 each Exp $ */
+/* $Id: rndc.c,v 1.135 2011/10/25 01:54:19 marka Exp $ */
/*! \file */
Add zone to given view. Requires new-zone-file option.\n\
delzone [\"file\"] zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
+ keydone rdata zone [class [view]]\n\
+ Remove the private record with the corresponding rdata from\n\
+ the given zone.\n\
\n\
* == not yet implemented\n\
Version: %s\n",
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
+# $Id: clean.sh,v 1.4 2011/10/25 01:54:19 marka Exp $
rm -f */named.memstats
rm -f */named.run
rm -f */trusted.conf
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/root.db
+rm -f ns1/root.db.signed
rm -f ns2/bits.db
rm -f ns2/bits.db.jnl
rm -f ns3/K*
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */
+/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */
// NS1
file "root.db.signed";
};
-// include "trusted.conf";
+include "trusted.conf";
--- /dev/null
+; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2000, 2001 Internet Software Consortium.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db.in,v 1.2 2011/10/25 01:54:20 marka Exp $
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+bits. NS ns3.bits.
+ns3.bits. A 10.53.0.3
+bits. NS ns4.bits.
+ns4.bits. A 10.53.0.4
+
+noixfr. NS ns3.noixfr.
+ns3.noixfr. A 10.53.0.3
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2011/10/25 01:54:20 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+rm -f K.+*+*.key
+rm -f K.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$SIGNER -S -x -T 1200 -o ${zone} root.db
+
+cat ${keyname}.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+
+cp trusted.conf ../ns6/trusted.conf
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */
+/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */
-// NS2
+// NS3
-controls { /* empty */ };
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; };
options {
query-source address 10.53.0.3;
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
+# $Id: sign.sh,v 1.3 2011/10/25 01:54:20 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
zone=noixfr
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
--- /dev/null
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011/10/25 01:54:21 marka Exp $ */
+
+// NS6
+
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; }; };
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ notify-delay 0;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
+# $Id: setup.sh,v 1.4 2011/10/25 01:54:19 marka Exp $
sh clean.sh
+cp ns1/root.db.in ns1/root.db
+rm -f ns1/root.db.signed
+
touch ns2/trusted.conf
cp ns2/bits.db.in ns2/bits.db
rm -f ns2/bits.db.jnl
../../../tools/genrandom 400 random.data
(cd ns3; sh -e sign.sh)
+(cd ns1; sh -e sign.sh)
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
+# $Id: tests.sh,v 1.4 2011/10/25 01:54:20 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
- records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
+ records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
[ $records = 2 ] || ret=1
if [ $ret = 0 ]; then break; fi
sleep 1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:checking removal of private type record via 'rndc keydone' ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
+for record in $records
+do
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1
+ break; # We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking private type was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking removal of remaining private type record via 'rndc keydone' ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
+for record in $records
+do
+ $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+ ans=0
+ $DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+ grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ans=1
+ grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+ [ $ans = 1 ] || break
+ sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking negative private type response was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
$NSUPDATE << EOF
zone bits
server 10.53.0.2 5300
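Review bot: In `for record in $records ... $RNDC ... keydone "${record}" bits || ret=1 ... done 2>&1 |sed 's/^/I:ns3 /'` the loop is the left side of a pipeline, so under /bin/sh it runs in a subshell and the `ret=1` assignment never reaches the parent shell; an rndc failure is therefore only caught indirectly, if at all, by the later ANSWER-count check. The same construct is used in the second keydone check further down in this hunk. Redirect rndc's output to a file and prefix it afterwards instead, e.g. `$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits > rndc.out.test$n 2>&1 || ret=1` inside the loop and `sed 's/^/I:ns3 /' rndc.out.test$n` after `done`.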
n=`expr $n + 1`
echo "I:restart bump in the wire signer server ($n)"
ret=0
-$PERL ../start.pl --noclean . ns3 || ret=1
+$PERL ../start.pl --noclean --restart . ns3 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.506 2011/10/13 23:44:47 tbox Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.507 2011/10/25 01:54:21 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><userinput>keydone
+ <replaceable>rdata</replaceable>
+ <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional>
+ </userinput></term>
+ <listitem>
+ <para>
+ Remove the <command>sig-signing-type</command> record
+ which matches the <replaceable>rdata</replaceable>
+ (in hexadecimal) from the specified zone. Only
+ <replaceable>rdata</replaceable> that
+ indicate that named has finished signing the zone
+ with the corresponding key will be removed. (i.e.
+ the first two characters are not "00", the
+ last four characters are "0001" and the total
+ length is 10 hexadecimal characters.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
<para>
It is expected that this parameter may be removed
in a future version once there is a standard type.
</para>
+ <para>
+ These records can be removed from the zone once named
+ has completed signing the zone with the matching key
+ using <command>nsupdate</command> or
+ <command>rndc keydone</command>.
+ <command>rndc keydone</command> is the only supported
+ way to remove these records from
+ <command>inline-signing</command> zones.
+ </para>
</listitem>
</varlistentry>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: events.h,v 1.59 2011/09/02 21:15:36 each Exp $ */
+/* $Id: events.h,v 1.60 2011/10/25 01:54:22 marka Exp $ */
#ifndef DNS_EVENTS_H
#define DNS_EVENTS_H 1
#define DNS_EVENT_ZONESECURESERIAL (ISC_EVENTCLASS_DNS + 47)
#define DNS_EVENT_ZONESECUREDB (ISC_EVENTCLASS_DNS + 48)
#define DNS_EVENT_ZONELOAD (ISC_EVENTCLASS_DNS + 49)
+#define DNS_EVENT_KEYDONE (ISC_EVENTCLASS_DNS + 50)
#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.h,v 1.194 2011/09/06 22:29:33 smann Exp $ */
+/* $Id: zone.h,v 1.195 2011/10/25 01:54:22 marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
void
dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *data);
+
ISC_LANG_ENDDECLS
#endif /* DNS_ZONE_H */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.636 2011/10/20 21:20:02 marka Exp $ */
+/* $Id: zone.c,v 1.637 2011/10/25 01:54:22 marka Exp $ */
/*! \file */
#include <errno.h>
#include <isc/file.h>
+#include <isc/hex.h>
#include <isc/mutex.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
-#include <isc/strerror.h>
#include <isc/stats.h>
#include <isc/stdtime.h>
+#include <isc/strerror.h>
#include <isc/string.h>
#include <isc/taskpool.h>
#include <isc/timer.h>
dns_zone_attach(zone->raw, raw);
UNLOCK(&zone->lock);
}
+
+struct keydone {
+ isc_event_t event;
+ unsigned int data[5];
+};
+
+static void
+keydone(isc_task_t *task, isc_event_t *event) {
+ const char *me = "keydone";
+ isc_boolean_t commit = ISC_FALSE;
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_dbversion_t *oldver = NULL, *newver = NULL;
+ dns_zone_t *zone;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_diff_t diff;
+ isc_boolean_t have_rr = ISC_FALSE;
+ struct keydone *keydone = (struct keydone *)event;
+ dns_update_log_t log = { update_log_cb, NULL };
+
+ UNUSED(task);
+
+ zone = event->ev_arg;
+ INSIST(DNS_ZONE_VALID(zone));
+
+ ENTER;
+
+ dns_rdataset_init(&rdataset);
+ dns_diff_init(zone->mctx, &diff);
+
+ ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+ if (zone->db != NULL) {
+ dns_db_attach(zone->db, &db);
+ dns_db_currentversion(db, &oldver);
+ result = dns_db_newversion(db, &newver);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "keydone:dns_db_newversion -> %s\n",
+ dns_result_totext(result));
+ goto failure;
+ }
+ }
+ ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+ if (db == NULL)
+ goto failure;
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ result = dns_db_findrdataset(db, node, newver, zone->privatetype,
+ dns_rdatatype_none, 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
+ goto failure;
+ }
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
+ goto failure;
+ }
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdataset_current(&rdataset, &rdata);
+ if (rdata.length != 5 ||
+ memcmp(rdata.data, keydone->data, 5) != 0) {
+ dns_rdata_reset(&rdata);
+ continue;
+ }
+ CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
+ &zone->origin, rdataset.ttl, &rdata));
+ dns_rdata_reset(&rdata);
+ }
+
+ if (!ISC_LIST_EMPTY(diff.tuples)) {
+ /* Write changes to journal file. */
+ CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
+ zone->updatemethod));
+ CHECK(dns_update_signatures(&log, zone, db, oldver, newver,
+ &diff, zone->sigvalidityinterval));
+ CHECK(zone_journal(zone, &diff, NULL, "keydone"));
+ commit = ISC_TRUE;
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+ zone_needdump(zone, 30);
+ UNLOCK_ZONE(zone);
+ }
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (db != NULL) {
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (oldver != NULL)
+ dns_db_closeversion(db, &oldver, ISC_FALSE);
+ if (newver != NULL)
+ dns_db_closeversion(db, &newver, commit);
+ dns_db_detach(&db);
+ }
+ dns_diff_clear(&diff);
+ isc_event_free(&event);
+ dns_zone_idetach(&zone);
+}
+
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *data) {
+ isc_result_t result;
+ isc_event_t *e;
+ isc_buffer_t b;
+ dns_zone_t *dummy = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+
+ e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_KEYDONE, keydone,
+ zone, sizeof(struct keydone));
+ if (e == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+
+ isc_buffer_init(&b, ((struct keydone*)e)->data,
+ sizeof(((struct keydone*)e)->data));
+ result = isc_hex_decodestring(data, &b);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ zone_iattach(zone, &dummy);
+ isc_task_send(zone->task, &e);
+
+ failure:
+ if (e != NULL)
+ isc_event_free(&e);
+ UNLOCK_ZONE(zone);
+ return (result);
+}
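Review bot: In keydone(), the `goto failure` on the dns_db_newversion error path is executed while `ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read)` is still held, and the `failure:` label never releases it, so one transient newversion failure leaves the zone's dblock read-locked permanently; only the dns_db_attach needs the lock, so take the versions after unlocking. Separately, `struct keydone` declares `unsigned int data[5]` (20 bytes, which is also the size isc_buffer_init hands to isc_hex_decodestring) while the match in keydone() compares only 5 bytes with memcmp, and dns_zone_keydone() never checks how many bytes were decoded, so input shorter than 10 hex digits is compared against uninitialized storage and longer input is silently truncated. ns_server_keydone() guards the rndc path, but the public entry point should enforce its own contract: `unsigned char data[5];` in the struct, and after the decode `if (result == ISC_R_SUCCESS && isc_buffer_usedlength(&b) != sizeof(((struct keydone*)e)->data)) result = DNS_R_SYNTAX;`.
```c
	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
	if (zone->db != NULL)
		dns_db_attach(zone->db, &db);
	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
	if (db == NULL)
		goto failure;

	dns_db_currentversion(db, &oldver);
	result = dns_db_newversion(db, &newver);
	if (result != ISC_R_SUCCESS) {
		dns_zone_log(zone, ISC_LOG_ERROR,
			     "keydone:dns_db_newversion -> %s\n",
			     dns_result_totext(result));
		goto failure;
	}
	/* … unchanged: origin node lookup, rdataset scan, journal/commit, cleanup … */
```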