From: Matthijs Mekking
Date: Wed, 19 Jun 2024 12:33:07 +0000 (+0200)
Subject: Retrieve RRSIG from SKR
X-Git-Tag: v9.21.1~23^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=61cf599fbff7e6a821062eafe928bf6d07e4b756;p=thirdparty%2Fbind9.git

Retrieve RRSIG from SKR

When it is time to generate a new signature (dns_dnssec_sign), rather than create a new one, retrieve it from the SKR.
---
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 35a80df65c8..422448a1a72 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -762,6 +762,15 @@ dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp);
 *\li 'zone' to be a valid zone.
 */

+dns_skrbundle_t *
+dns_zone_getskrbundle(dns_zone_t *zone);
+/*%<
+ * Returns the current SKR bundle.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ */
+
 void
 dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value);
 /*%<
@@ -2744,7 +2753,7 @@ dns_zone_check_dnskey_nsec3(dns_zone_t *zone, dns_db_t *db,
 *
 * Requires:
 * \li 'zone' to be a valid zone.
- * \li 'db'is not NULL.
+ * \li 'db' is not NULL.
 *
 * Returns:
 * \li 'true' if the check passes, that is the zone remains consistent,
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 659c199378b..17cc0d67d8e 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -45,6 +45,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1113,10 +1114,12 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 unsigned int i;
 bool added_sig = false;
 bool use_kasp = false;
+ bool offlineksk = false;
 isc_mem_t *mctx = diff->mctx;

 if (kasp != NULL) {
 use_kasp = true;
+ offlineksk = dns_kasp_offlineksk(kasp);
 }

 dns_rdataset_init(&rdataset);
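Review bot: The new comment on dns_zone_getskrbundle() does not document that it can return NULL, which every caller this commit adds immediately tests for (`if (bundle == NULL) { CHECK(DNS_R_NOSKRBUNDLE); }`), nor what the caller may assume about the returned pointer. The zone.c implementation reads the pointer under the zone lock but hands it back after unlocking, so as far as this diff shows it is a borrowed pointer with no reference taken on the caller's behalf. I would add a `Returns:` paragraph in the style of the neighbouring declarations: ` *\li the current SKR bundle (for an inline-signing raw zone, the secure zone's bundle), or NULL if no SKR has been loaded`, plus one sentence saying whether the caller must hold a lock or a reference while using it — that part needs confirming against the SKR ownership model, which this diff does not show.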
@@ -1230,8 +1233,19 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 }

 /* Calculate the signature, creating a RRSIG RDATA. */
- CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
- &expire, mctx, &buffer, &sig_rdata));
+ if (offlineksk && dns_rdatatype_iskeymaterial(type)) {
+ /* Look up the signature in the SKR bundle */
+ dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
+ if (bundle == NULL) {
+ CHECK(DNS_R_NOSKRBUNDLE);
+ }
+ CHECK(dns_skrbundle_getsig(bundle, keys[i], type,
+ &sig_rdata));
+ } else {
+ CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+ &inception, &expire, mctx,
+ &buffer, &sig_rdata));
+ }

 /* Update the database and journal with the RRSIG. */
 /* XXX inefficient - will cause dataset merging */
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index e64a96869b3..942855c2cd7 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -5758,6 +5758,23 @@ dns_zone_setskr(dns_zone_t *zone, dns_skr_t *skr) {
 UNLOCK_ZONE(zone);
 }

+dns_skrbundle_t *
+dns_zone_getskrbundle(dns_zone_t *zone) {
+ dns_skrbundle_t *bundle;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (inline_raw(zone) && zone->secure != NULL) {
+ bundle = zone->secure->skrbundle;
+ } else {
+ bundle = zone->skrbundle;
+ }
+ UNLOCK_ZONE(zone);
+
+ return (bundle);
+}
+
 void
 dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
 REQUIRE(DNS_ZONE_VALID(zone));
@@ -6780,9 +6797,11 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
 isc_buffer_t buffer;
 unsigned int i;
 bool use_kasp = false;
+ bool offlineksk = false;

 if (zone->kasp != NULL) {
 use_kasp = true;
+ offlineksk = dns_kasp_offlineksk(zone->kasp);
 }

 dns_rdataset_init(&rdataset);
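Review bot: On the new offline-KSK branch the RRSIG taken from the bundle is published without any check that its own inception/expiration window fits the `inception`/`expire` pair add_sigs computed for this pass (outside the hunk): dns_skrbundle_getsig() is called with only the key and type, so unless it already filters by time — which I cannot see from here — a bundle whose signatures have lapsed would be written into the zone as-is and only surface later as validation failures on resolvers. The same branch is duplicated verbatim in zone.c add_sigs (@@ -6912) and sign_a_node (@@ -7515), so any such check should live in one helper rather than be copied three times. Below is the shape of the check I would add after the getsig call, using the rdata-to-struct conversion and serial comparisons the library already has; the result code for a stale bundle signature is a placeholder, and the enclosing add_sigs() body starts and ends outside this hunk.
```c
		CHECK(dns_skrbundle_getsig(bundle, keys[i], type,
					   &sig_rdata));
		/*
		 * The bundle RRSIG carries its own validity window; do
		 * not publish one that does not overlap the window this
		 * signing pass is computing.
		 */
		dns_rdata_rrsig_t rrsig;
		CHECK(dns_rdata_tostruct(&sig_rdata, &rrsig, NULL));
		if (isc_serial_gt(rrsig.timesigned, expire) ||
		    isc_serial_lt(rrsig.timeexpire, inception)) {
			/* placeholder: a dedicated "stale SKR signature" code */
			CHECK(DNS_R_NOSKRBUNDLE);
		}
	} else {
		/* … unchanged: dns_dnssec_sign() call … */
```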
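Review bot: dns_zone_getskrbundle() returns `bundle` after UNLOCK_ZONE(zone), so the only thing the lock guarantees is an atomic read of the pointer; if dns_zone_setskr() (just above this hunk) can replace or release the SKR while add_sigs()/sign_a_node() are still using the bundle they fetched, those callers are left with a dangling pointer. Whether that can happen depends on dns_skrbundle_t's ownership (reference counted, or owned outright by the zone's dns_skr_t) and on which tasks may call setskr, neither of which this diff shows, so I would either attach a reference to the bundle inside the locked region before returning it, or state in the function header that the result is a borrowed pointer valid only until the zone's SKR changes. A one-line comment on why the `inline_raw(zone) && zone->secure != NULL` branch reads the secure zone's bundle would also help, since the reason is not visible from this function.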
@@ -6912,8 +6931,20 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,

 /* Calculate the signature, creating a RRSIG RDATA. */
 isc_buffer_clear(&buffer);
- CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception,
- &expire, mctx, &buffer, &sig_rdata));
+
+ if (offlineksk && dns_rdatatype_iskeymaterial(type)) {
+ /* Look up the signature in the SKR bundle */
+ dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
+ if (bundle == NULL) {
+ CHECK(DNS_R_NOSKRBUNDLE);
+ }
+ CHECK(dns_skrbundle_getsig(bundle, keys[i], type,
+ &sig_rdata));
+ } else {
+ CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+ &inception, &expire, mctx,
+ &buffer, &sig_rdata));
+ }

 /* Update the database and journal with the RRSIG. */
 /* XXX inefficient - will cause dataset merging */
@@ -7407,11 +7438,15 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
 dns_rdataset_t rdataset;
 dns_rdata_t rdata = DNS_RDATA_INIT;
 dns_stats_t *dnssecsignstats;
-
+ bool offlineksk = false;
 isc_buffer_t buffer;
 unsigned char data[1024];
 bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds;

+ if (zone->kasp != NULL) {
+ offlineksk = dns_kasp_offlineksk(zone->kasp);
+ }
+
 result = dns_db_allrdatasets(db, node, version, 0, 0, &iterator);
 if (result != ISC_R_SUCCESS) {
 if (result == ISC_R_NOTFOUND) {
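Review bot: The lone `+` line after `isc_buffer_clear(&buffer);` inserts a blank line in front of the new `if (offlineksk && ...)` block in this copy only; the otherwise identical blocks in update.c add_sigs and in sign_a_node put the `if` directly after the buffer clear. Dropping that blank line keeps the three copies line-for-line comparable, which matters if they are later folded into a shared helper. The enclosing add_sigs() body starts and ends outside this hunk.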
@@ -7515,8 +7550,19 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,

 /* Calculate the signature, creating a RRSIG RDATA. */
 isc_buffer_clear(&buffer);
- CHECK(dns_dnssec_sign(name, &rdataset, key, &inception, &expire,
- mctx, &buffer, &rdata));
+ if (offlineksk && dns_rdatatype_iskeymaterial(rdataset.type)) {
+ /* Look up the signature in the SKR bundle */
+ dns_skrbundle_t *bundle = dns_zone_getskrbundle(zone);
+ if (bundle == NULL) {
+ CHECK(DNS_R_NOSKRBUNDLE);
+ }
+ CHECK(dns_skrbundle_getsig(bundle, key, rdataset.type,
+ &rdata));
+ } else {
+ CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
+ &expire, mctx, &buffer, &rdata));
+ }
+
 /* Update the database and journal with the RRSIG. */
 /* XXX inefficient - will cause dataset merging */
 CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,