From: Aki Tuomi
Date: Sat, 15 Jun 2013 15:58:29 +0000 (+0300)
Subject: BIND backend support for TSIG Key management
X-Git-Tag: rec-3.6.0-rc1~468^2~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e5b28606fca1ea6f44fa69e1ab2bfb506a017f6;p=thirdparty%2Fpdns.git
BIND backend support for TSIG Key management
---
diff --git a/pdns/backends/bind/bindbackend2.hh b/pdns/backends/bind/bindbackend2.hh
index 87559bf835..36a2769c84 100644
--- a/pdns/backends/bind/bindbackend2.hh
+++ b/pdns/backends/bind/bindbackend2.hh
@@ -156,6 +156,9 @@ public:
 virtual bool activateDomainKey(const string& name, unsigned int id);
 virtual bool deactivateDomainKey(const string& name, unsigned int id);
 virtual bool getTSIGKey(const string& name, string* algorithm, string* content);
+ virtual bool setTSIGKey(const string& name, const string& algorithm, const string& content);
+ virtual bool deleteTSIGKey(const string& name);
+ virtual bool getTSIGKeys(std::vector< struct TSIGKey > &keys);
 static void createDNSSECDB(const string& fname);
 virtual bool doesDNSSEC();
 // end of DNSSEC
diff --git a/pdns/backends/bind/binddnssec.cc b/pdns/backends/bind/binddnssec.cc
index 715dc8ca99..a36c93af4a 100644
--- a/pdns/backends/bind/binddnssec.cc
+++ b/pdns/backends/bind/binddnssec.cc
@@ -62,6 +62,15 @@ bool Bind2Backend::deactivateDomainKey(const string& name, unsigned int id)
 bool Bind2Backend::getTSIGKey(const string& name, string* algorithm, string* content)
 { return false; }
+
+bool Bind2Backend::setTSIGKey(const string& name, const string& algorithm, const string& content)
+{ return false; }
+
+bool Bind2Backend::deleteTSIGKey(const string& name)
+{ return false; }
+
+bool Bind2Backend::getTSIGKeys(std::vector< struct TSIGKey > &keys)
+{ return false; }
 #else
 #include "pdns/ssqlite3.hh"
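Review bot: The three new virtuals added to the class in bindbackend2.hh carry no comment on what backs them or when they fail, and the header alone gives a caller no way to tell; the binddnssec.cc hunks in this same commit show they return false outright in the build without the SQLite DNSSEC DB, and the SQLite versions further down also bail out with false when d_dnssecdb is unset. I would put one line above `setTSIGKey`: `// TSIG key storage lives in the DNSSEC SQLite DB; all three return false when it is not available`. The enclosing class starts and ends outside the hunk.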
@@ -280,4 +289,61 @@ bool Bind2Backend::getTSIGKey(const string& name, string* algorithm, string* con
 return !content->empty();
 }
+
+bool Bind2Backend::setTSIGKey(const string& name, const string& algorithm, const string& content)
+{
+ if(!d_dnssecdb)
+ return false;
+ boost::format fmt("insert or update into tsigkeys (name,algorithm,secret) values('%s', '%s', '%s')");
+ try {
+ d_dnssecdb->doCommand( (fmt % d_dnssecdb->escape(name) % d_dnssecdb->escape(algorithm) % d_dnssecdb->escape(content)).str() );
+ }
+ catch (SSqlException &e) {
+ throw AhuException("BindBackend unable to retrieve named TSIG key: "+e.txtReason());
+ }
+
+ return true;
+}
+
+bool Bind2Backend::deleteTSIGKey(const string& name)
+{
+ if(!d_dnssecdb)
+ return false;
+ boost::format fmt("delete from tsigkeys where name='%s'");
+
+ try {
+ d_dnssecdb->doCommand( (fmt % d_dnssecdb->escape(name)).str());
+ }
+ catch (SSqlException &e) {
+ throw AhuException("BindBackend unable to retrieve named TSIG key: "+e.txtReason());
+ }
+
+ return true;
+}
+
+bool Bind2Backend::getTSIGKeys(std::vector< struct TSIGKey > &keys)
+{
+ if(!d_dnssecdb)
+ return false;
+
+ try {
+ d_dnssecdb->doQuery( "select name,algorithm,secret from tsigkeys" );
+ }
+ catch (SSqlException &e) {
+ throw AhuException("GSQLBackend unable to retrieve named TSIG key: "+e.txtReason());
+ }
+
+ SSql::row_t row;
+
+ while(d_dnssecdb->getRow(row)) {
+ struct TSIGKey key;
+ key.name = row[0];
+ key.algorithm = row[1];
+ key.key = row[2];
+ }
+
+ return keys.empty();
+}
+
+
 #endif
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 173eaba512..57ed3ab9e3 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
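Review bot: getTSIGKeys never stores what it reads — the loop under `while(d_dnssecdb->getRow(row))` fills a local `key` and drops it, and the function then returns `keys.empty()`, so every caller gets an empty vector together with a true result regardless of what the table holds; it needs `keys.push_back(key);` in the loop and should `return true;` (or `!keys.empty()` if "nothing found" is meant to be a failure). In setTSIGKey the statement text `insert or update into tsigkeys ...` is not a conflict clause I know SQLite to accept (it has `or replace`, `or ignore`, `or abort`, …), so as far as I can tell every import will throw SSqlException and surface as the AhuException below; `insert or replace into tsigkeys ...` gives the upsert-by-name the code seems to intend, assuming the tsigkeys schema keys on name. The three catch blocks reuse getTSIGKey's wording ("unable to retrieve", and "GSQLBackend" in a Bind backend), which will mislead whoever reads the log — name the actual operation. Passing every value through d_dnssecdb->escape() is the right thing for a string-built statement given that key names and secrets arrive from the pdnssec command line; a bound-parameter statement would remove the question entirely if ssqlite3 offers one.
```cpp
  boost::format fmt("insert or replace into tsigkeys (name,algorithm,secret) values('%s', '%s', '%s')");
  // … unchanged: doCommand with escaped name/algorithm/content …
  catch (SSqlException &e) {
    throw AhuException("BindBackend unable to store TSIG key: "+e.txtReason());
  }
  // … unchanged: deleteTSIGKey, getTSIGKeys guard and select query …
  while(d_dnssecdb->getRow(row)) {
    struct TSIGKey key;
    key.name = row[0];
    key.algorithm = row[1];
    key.key = row[2];
    keys.push_back(key);
  }

  return true;
```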
@@ -945,7 +945,7 @@ try
 cerr<<"disable-dnssec ZONE Deactivate all keys and unset PRESIGNED in ZONE\n";
 cerr<<"export-zone-dnskey ZONE KEY-ID Export to stdout the public DNSKEY described\n";
 cerr<<"export-zone-key ZONE KEY-ID Export to stdout the private key described\n";
- cerr<<"generate-zone-key zsk|ksk [bits] [algorithm]\n";
+ cerr<<"generate-zone-key zsk|ksk [algorithm] [bits]\n";
 cerr<<" Generate a ZSK or KSK to stdout with specified algo&bits\n";
 cerr<<"hash-zone-record ZONE RNAME Calculate the NSEC3 hash for RNAME in ZONE\n";
 cerr<<"increase-serial ZONE Increases the SOA-serial by 1. Uses SOA-EDIT\n";
@@ -961,7 +961,12 @@ try
 cerr<<"unset-nsec3 ZONE Switch back to NSEC\n";
 cerr<<"unset-presigned ZONE No longer use presigned RRSIGs\n";
 cerr<<"test-schema ZONE Test DB schema - will create ZONE\n";
- cerr<<"import-tsig-key ZONE ALGORITHM KEY Import TSIG key for zone\n\n";
+ cerr<<"import-tsig-key NAME ALGORITHM KEY Import TSIG key\n";
+ cerr<<"generate-tsig-key NAME ALGORITHM Generate new TSIG key\n";
+ cerr<<"list-tsig-keys List all TSIG keys\n";
+ cerr<<"delete-tsig-key NAME Delete TSIG key (warning! will not unmap key!)\n";
+ cerr<<"enable-tsig-key NAME ZONE Enable TSIG key for a zone\n";
+ cerr<<"disable-tsig-key NAME ZONE Remove TSIG key from a zone\n";
 cerr<