flags |= DNS_KEYOWNER_ZONE; /* DNSKEY: name type ZONE */
flags |= kskflag;
flags |= revflag;
- } else {
- flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
}
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
char filename[255];
char algstr[DNS_SECALG_FORMATSIZE];
uint16_t flags = 0;
- bool null_key = false;
bool conflict = false;
bool show_progress = false;
isc_buffer_t buf;
if ((ctx->options & DST_TYPE_KEY) == 0) {
flags |= DNS_KEYOWNER_ZONE; /* DNSKEY: name type ZONE */
- } else {
- flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
}
if (ctx->directory == NULL) {
break;
}
- if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY &&
- (ctx->options & DST_TYPE_KEY) != 0)
- {
- null_key = true;
- }
-
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
do {
ctx->tag_min, ctx->tag_max, NULL))
{
conflict = true;
- if (null_key) {
- dst_key_free(&key);
- break;
- }
-
if (verbose > 0) {
isc_buffer_clear(&buf);
result = dst_key_buildfilename(
}
} while (conflict);
- if (conflict) {
- fatal("cannot generate a null key due to possible key ID "
- "collision");
- }
-
if (ctx->predecessor != NULL && prevkey != NULL) {
dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
return false;
}
-#define is_zone_key(key) \
- ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
+#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYOWNER_ZONE) != 0)
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
bool
dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) {
- return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+ return (key->flags & DNS_KEYOWNER_ZONE) != 0 &&
(key->protocol == DNS_KEYPROTO_DNSSEC ||
key->protocol == DNS_KEYPROTO_ANY);
}
RETERR(write_key_state(key, type, directory));
}
- if (((type & DST_TYPE_PRIVATE) != 0) &&
- (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
- {
+ if ((type & DST_TYPE_PRIVATE) != 0) {
return key->func->tofile(key, directory);
}
return ISC_R_SUCCESS;
CHECK(result);
}
- if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
- (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
- {
+ if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC) {
CHECK(computeid(pubkey));
pubkey->modified = false;
*keyp = pubkey;
isc_buffer_putuint8(target,
(uint8_t)dst_algorithm_tosecalg(key->key_alg));
- if (key->keydata.generic == NULL) { /*%< NULL KEY */
+ if (key->keydata.generic == NULL) {
return ISC_R_SUCCESS;
}
key->label = isc_mem_strdup(mctx, label);
}
- if (bits == 0) { /*%< NULL KEY */
- key->key_flags |= DNS_KEYTYPE_NOKEY;
- *keyp = key;
- return ISC_R_SUCCESS;
- }
-
if (key->func->generate == NULL) {
dst_key_free(&key);
return DST_R_UNSUPPORTEDALG;
/*! \file dns/keyvalues.h */
/*
- * Flags field of the KEY rdata. Also used by DNSKEY, CDNSKEY, RKEY,
- * KEYDATA. Some values are only defined for KEY and not the others,
- * and vice versa.
+ * Flags field of the DNSKEY rdata. Also used by KEY, CDNSKEY, RKEY,
+ * and KEYDATA, which share DNSKEY's wire format.
+ *
+ * The following flags were removed by RFC 3445 and MUST be zero.
+ * Any use of these flags will break backwards compatibility with
+ * old software. As long as they are zero they are safe:
+ * - 1 << 15: Formerly DNS_KEYTYPE_NOAUTH.
+ * - 1 << 14: Formerly DNS_KEYTYPE_NOCONF.
+ * - 1 << 12: Formerly DNS_KEYFLAG_EXTENDED.
+ * - 1 << 9: Formerly DNS_KEYOWNER_ENTITY.
+ *
+ * The following flags are reserved and MUST be zero.
+ * - 1 << 13, 1 << 11, 1 << 10, 1 << 6 through 1 << 2
*/
enum {
- /* valid for KEY only. if both are set, there is no key data. */
- DNS_KEYTYPE_NOAUTH = 1 << 15, /* cannot be used for authentication. */
- DNS_KEYTYPE_NOCONF = 1 << 14, /* cannot be used for confidentiality. */
-
- DNS_KEYFLAG_RESERVED2 = 1 << 13, /* reserved: must be zero. */
- DNS_KEYFLAG_DONOTUSE3 = 1 << 12, /* unused: must be zero.
- formerly DNS_KEYFLAG_EXTENDED,
- which was removed by RFC 3445 */
- DNS_KEYFLAG_RESERVED4 = 1 << 11, /* reserved: must be zero. */
- DNS_KEYFLAG_RESERVED5 = 1 << 10, /* reserved: must be zero. */
-
- /* if nether of these is set, this is a user key (valid for KEY only) */
- DNS_KEYOWNER_ENTITY = 1 << 9, /* host key (valid for KEY only). */
- DNS_KEYOWNER_ZONE = 1 << 8, /* zone key (mandatory for DNSKEY). */
-
- DNS_KEYFLAG_REVOKE = 1 << 7, /* key revoked (per rfc5011) */
- DNS_KEYFLAG_RESERVED9 = 1 << 6, /* reserved: must be zero. */
- DNS_KEYFLAG_RESERVED10 = 1 << 5, /* reserved: must be zero. */
- DNS_KEYFLAG_RESERVED11 = 1 << 4, /* reserved: must be zero. */
-
- DNS_KEYFLAG_RESERVED12 = 1 << 3, /* reserved: must be zero. */
- DNS_KEYFLAG_RESERVED13 = 1 << 4, /* reserved: must be zero. */
- DNS_KEYFLAG_RESERVED14 = 1 << 2, /* reserved: must be zero. */
-
- DNS_KEYFLAG_KSK = 1 << 0, /* key signing key */
+ DNS_KEYOWNER_ZONE = 1 << 8, /* zone key (mandatory for DNSKEY). */
+ DNS_KEYFLAG_REVOKE = 1 << 7, /* key revoked (per rfc5011) */
+ DNS_KEYFLAG_KSK = 1 << 0, /* key signing key */
};
-#define DNS_KEYFLAG_OWNERMASK (DNS_KEYOWNER_ENTITY | DNS_KEYOWNER_ZONE)
-#define DNS_KEYFLAG_TYPEMASK (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF)
-#define DNS_KEYTYPE_NOKEY DNS_KEYFLAG_TYPEMASK
-
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
enum {
DNS_KEYALG_RSAMD5 = 1, /*%< RSA with MD5 */
dst_key_iszonekey(const dst_key_t *key) {
REQUIRE(VALID_KEY(key));
- if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+ if ((key->key_flags & DNS_KEYOWNER_ZONE) == 0) {
return false;
}
if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
#define RRTYPE_KEY_ATTRIBUTES \
(DNS_RDATATYPEATTR_ATCNAME | DNS_RDATATYPEATTR_ZONECUTAUTH)
-/*
- * RFC 2535 section 3.1.2 says that if bits 0-1 of the Flags field are
- * both set, it means there is no key information and the RR stops after
- * the algorithm octet. However, this only applies to KEY records, as
- * indicated by the specifications of the RR types based on KEY:
- *
- * CDNSKEY - RFC 7344
- * DNSKEY - RFC 4034
- * RKEY - draft-reid-dnsext-rkey-00
- */
-static bool
-generic_key_nokey(dns_rdatatype_t type, unsigned int flags) {
- switch (type) {
- case dns_rdatatype_cdnskey:
- case dns_rdatatype_dnskey:
- case dns_rdatatype_rkey:
- return false;
- case dns_rdatatype_key:
- default:
- return (flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY;
- }
-}
-
static isc_result_t
generic_fromtext_key(ARGS_FROMTEXT) {
isc_token_t token;
RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &alg, 1));
- /* No Key? */
- if (generic_key_nokey(type, flags)) {
- return ISC_R_SUCCESS;
- }
-
/*
* Save the current used value. It will become the current
* value when we parse the keydata field.
isc_region_consume(&sr, 1);
RETERR(str_totext(buf, target));
- /* No Key? */
- if (generic_key_nokey(rdata->type, flags)) {
- return ISC_R_SUCCESS;
- }
-
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 &&
algorithm == DNS_KEYALG_PRIVATEDNS)
{
isc_region_consume(&sr, 4);
isc_buffer_forward(source, 4);
- if (generic_key_nokey(type, flags)) {
- return ISC_R_SUCCESS;
- }
if (sr.length == 0) {
return ISC_R_UNEXPECTEDEND;
}
return DNS_R_BADALG;
}
- RETERR(dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
- DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
- ring->mctx, keystr, &dstkey));
+ RETERR(dst_key_restore(name, dstalg, 0, DNS_KEYPROTO_DNSSEC,
+ dns_rdataclass_in, ring->mctx, keystr, &dstkey));
result = dns_tsigkey_createfromkey(name, dstalg, dstkey, true, true,
creator, inception, expire,
isc_buffer_init(&b, secret, length);
isc_buffer_add(&b, length);
RETERR(dst_key_frombuffer(
- name, algorithm, DNS_KEYOWNER_ENTITY,
- DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b,
- mctx, &dstkey));
+ name, algorithm, 0, DNS_KEYPROTO_DNSSEC,
+ dns_rdataclass_in, &b, mctx, &dstkey));
}
} else if (length > 0) {
return DNS_R_BADALG;
/*%
* Key flags
*/
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
-#define ID(x) dst_key_id(x)
-#define ALG(x) dst_key_alg(x)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ZONEKEY(x) ((dst_key_flags(x) & DNS_KEYOWNER_ZONE) != 0)
+#define ID(x) dst_key_id(x)
+#define ALG(x) dst_key_alg(x)
/*%
* KASP flags
return result;
}
-#define is_zone_key(key) \
- ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
-
static isc_result_t
findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, const dns_name_t *name, isc_stdtime_t now,
CHECK(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, rdataset.ttl);
- if (!is_zone_key(pubkey)) {
+ if (!ZONEKEY(pubkey)) {
goto next;
}
/* Corrupted .key file? */
result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if ((dnskey.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
- {
+ if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0) {
ISC_LIST_UNLINK(diff->tuples, tuple, link);
ISC_LIST_APPEND(tuples, tuple, link);
continue;
* - 1 octet for Algorithm,
* - variable number of octets for Public Key.
*
- * RFC 2535 section 3.1.2 states that if bits
+ * RFC 2535 section 3.1.2 stated that if bits
* 0-1 of Flags are both set, the RR stops after
* the algorithm octet and thus its length must
* be 4 octets. In any other case, though, the
- * Public Key part must not be empty.
+ * Public Key part must not be empty. This was
+ * modified by RFC 3445 which removed
+ * flags 0-1, and hence the concept of NOKEY.
*
* Algorithms PRIVATEDNS (253) and PRIVATEOID (254)
- * have an algorithm identifier embedded and the start
+ * have an algorithm identifier embedded at the start
* of the public key.
*/
WIRE_INVALID(0x00), WIRE_INVALID(0x00, 0x00),
WIRE_INVALID(0x00, 0x00, 0x00),
- WIRE_VALID(0xc0, 0x00, 0x00, 0x00),
- WIRE_INVALID(0xc0, 0x00, 0x00, 0x00, 0x00),
+ WIRE_INVALID(0xc0, 0x00, 0x00, 0x00),
+ WIRE_VALID(0xc0, 0x00, 0x00, 0x00, 0x00),
WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00),
/* PRIVATEDNS example. without key data */
projects / thirdparty / bind9.git / commitdiff
