From: Willem Toorop
Date: Fri, 20 Nov 2020 14:36:45 +0000 (+0100)
Subject: Allow ZONEMD generation without DNSSEC
X-Git-Tag: 1.8.0-rc.1~45^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8359c373e368d32109df07ae6e5a24aeceadcae;p=thirdparty%2Fldns.git

Allow ZONEMD generation without DNSSEC

With -Z option to ldns-signzone
---
diff --git a/dnssec_sign.c b/dnssec_sign.c
index d68d0e2c..3c8856f5 100644
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@@ -1407,7 +1407,13 @@ ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
 return result;
 }
 /* check whether we need to add nsecs */
- if (zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
+ if ((flags & LDNS_SIGN_NO_KEYS_NO_NSECS)
+ && ldns_key_list_key_count(key_list) < 1)
+ ; /* pass */
+
+ else if (zone->names
+ && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
+
 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
 if (result != LDNS_STATUS_OK) {
 return result;
@@ -1487,7 +1493,13 @@ ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
 }
 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
- if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
+
+ /* check whether we need to add nsecs */
+ if ((signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)
+ && ldns_key_list_key_count(key_list) < 1)
+ ; /* pass */
+
+ else if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
 /* no need to recreate */
 } else {
 if (!ldns_dnssec_zone_find_rrset(zone,
diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1
index 5f80b43f..174bd71a 100644
--- a/examples/ldns-signzone.1
+++ b/examples/ldns-signzone.1
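Review bot: The empty `; /* pass */` branch followed by a blank line and an `else if` in the ldns_dnssec_zone_sign_flg hunk reads as a stray statement and invites a later edit to attach code to the wrong branch; the ldns_dnssec_zone_sign_nsec3_flg_mkmap hunk has the same shape. Folding the skip condition into the existing test keeps a single branch, e.g. `if (!((flags & LDNS_SIGN_NO_KEYS_NO_NSECS) && ldns_key_list_key_count(key_list) < 1)` / `    && zone->names && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {`, or a small `static` helper such as `sign_skips_nsecs(flags, key_list)` shared by both functions. A one-line comment on why the NSEC/NSEC3 chain is omitted when the key list is empty (presumably because an unsigned chain carries no DNSSEC meaning while a ZONEMD is still wanted — confirm) would make the intent clear; both functions start and end outside the hunks.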
@@ -79,6 +79,10 @@ Calculate the zone's digest and add those as ZONEMD RRs.
 The (optional) `scheme' must be `simple` (or 1) and `hash' should be `sha384' (or 1) or `sha512' (or 2). This option can be given more than once.
+.TP
+\fB-Z\fR
+Allow ZONEMDs to be added without signing
+
 .TP
 \fB-A\fR
 Sign the DNSKEY record with all keys. By default it is signed with a
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index d14526de..53954af2 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -48,6 +48,7 @@ usage(FILE *fp, const char *prog) {
 fprintf(fp, "\t\t should be \"simple\" (or 1)\n");
 fprintf(fp, "\t\t should be \"sha384\" or \"sha512\" (or 1 or 2)\n");
 fprintf(fp, "\t\tthis option can be given more than once\n");
+ fprintf(fp, " -Z\t\tAllow ZONEMDs to be added without signing\n");
 fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
 fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
 #ifndef OPENSSL_NO_ENGINE
@@ -668,7 +669,7 @@ main(int argc, char *argv[])
 keys = ldns_key_list_new();
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:AUE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:uvz:ZAUE:K:")) != -1) {
 switch (c) {
 case 'a':
 nsec3_algorithm = (uint8_t) atoi(optarg);
@@ -772,6 +773,9 @@ main(int argc, char *argv[])
 exit(EXIT_FAILURE);
 }
 break;
+ case 'Z':
+ signflags |= LDNS_SIGN_NO_KEYS_NO_NSECS;
+ break;
 case 'A':
 signflags |= LDNS_SIGN_DNSKEY_WITH_ZSK;
 break;
@@ -986,8 +990,9 @@ main(int argc, char *argv[])
 inception, expiration );
 #endif
-
- if (ldns_key_list_key_count(keys) < 1) {
+ if (ldns_key_list_key_count(keys) < 1
+ && !(signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)) {
+
 fprintf(stderr, "Error: no keys to sign with. Aborting.\n\n");
 usage(stderr, prog);
 exit(EXIT_FAILURE);
diff --git a/keys.c b/keys.c
index ddff6f35..d8d18817 100644
--- a/keys.c
+++ b/keys.c
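Review bot: The new usage line in the usage() hunk, `-Z\t\tAllow ZONEMDs to be added without signing`, does not tell the operator what the output will lack, so the digest can be mistaken for DNSSEC protection. Suggest `fprintf(fp, " -Z\t\tAllow ZONEMDs to be added without signing (no keys needed; no RRSIG/NSEC records are produced)\n");`, and a matching sentence in the man page entry noting that a ZONEMD in an unsigned zone only detects accidental corruption, not tampering (RFC 8976 makes this point). usage() continues outside the hunk.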
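Review bot: In the hunk at line 990 the "no keys" abort is relaxed when LDNS_SIGN_NO_KEYS_NO_NSECS is set, but nothing checks that a ZONEMD digest was actually requested, so `ldns-signzone -Z` with neither keys nor `-z` appears to continue into the signing path with nothing to produce (the rest of main is outside the hunk, so this is inferred). A guard beside the relaxed check would report the mistake instead of silently writing an unsigned, undigested zone: `if (ldns_key_list_key_count(keys) < 1 && !(signflags & (LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 | LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512))) {` / `fprintf(stderr, "Error: -Z given but no -z digest requested. Aborting.\n\n");`, assuming `-z` sets those flags from ldns/dnssec_sign.h (confirm against the `-z` case, which is outside the hunk).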
@@ -1446,7 +1446,7 @@ ldns_key_set_keytag(ldns_key *k, uint16_t tag)
 size_t
 ldns_key_list_key_count(const ldns_key_list *key_list)
 {
- return key_list->_key_count;
+ return key_list ? key_list->_key_count : 0;
 }
 ldns_key *
diff --git a/ldns/dnssec_sign.h b/ldns/dnssec_sign.h
index 96bc8cdd..2f1e5c60 100644
--- a/ldns/dnssec_sign.h
+++ b/ldns/dnssec_sign.h
@@ -12,10 +12,11 @@ extern "C" {
 /* sign functions */
 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
-#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
-#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
-#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 4
-#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 8
+#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
+#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
+#define LDNS_SIGN_NO_KEYS_NO_NSECS 4
+#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 8
+#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16
 /**
  * Create an empty RRSIG RR (i.e. without the actual signature data)
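Review bot: ldns_key_list_key_count now returns 0 for a NULL key_list, but that new contract is not documented anywhere in the diff; the declaration's doc comment (in ldns/keys.h, outside this diff) presumably still presents key_list as required. Suggest updating it in the file's Doxygen style to `\param[in] key_list the key list to count, may be NULL` and `\return the number of keys, or 0 when key_list is NULL`, so the callers added in the dnssec_sign.c hunks can rely on it. The change also silences callers that used a NULL list as a bug indicator, which seems acceptable but deserves a changelog line.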
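Review bot: Inserting `LDNS_SIGN_NO_KEYS_NO_NSECS 4` into the middle of the group renumbers the two existing public flags (`LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384` 4 → 8, `LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512` 8 → 16), so a program built against the previous header would now request "no NSECs" where it asked for a SHA-384 digest. If those values have shipped in a release the new flag should take the next free bit, `#define LDNS_SIGN_NO_KEYS_NO_NSECS 16`, leaving the others untouched; if they are still unreleased (the 1.8.0-rc.1 tag suggests so) the renumbering is harmless and only needs a changelog note. The comment above the group describes only the first flag; a one-liner for the new one, e.g. `/** Sign flag: with an empty key list, do not create NSEC(3) records (ZONEMD-only runs) */`, would help readers of the header.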