const cfg_obj_t *kasps;
dns_kasp_t *kasp = NULL;
dns_kasp_t *kasp_next = NULL;
+ dns_kasp_t *default_kasp = NULL;
dns_kasplist_t tmpkasplist, kasplist;
const cfg_obj_t *views;
dns_view_t *view = NULL;
(void)configure_session_key(maps, server, named_g_mctx, first_time);
/*
- * Create the DNSSEC key and signing policies (KASP).
+ * Create the built-in kasp policies ("default", "insecure").
*/
kasps = NULL;
- (void)cfg_map_get(config, "dnssec-policy", &kasps);
+ (void)cfg_map_get(named_g_config, "dnssec-policy", &kasps);
for (element = cfg_list_first(kasps); element != NULL;
element = cfg_list_next(element))
{
named_g_lctx, &kasplist, &kasp));
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
+ if (strcmp(dns_kasp_getname(kasp), "default") == 0) {
+ dns_kasp_attach(kasp, &default_kasp);
+ }
dns_kasp_detach(&kasp);
}
+ INSIST(default_kasp != NULL);
+
/*
- * Create the built-in kasp policies ("default", "insecure").
+ * Create the DNSSEC key and signing policies (KASP).
*/
- kasp = NULL;
- CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx,
- &kasplist, &kasp));
- INSIST(kasp != NULL);
- dns_kasp_freeze(kasp);
- dns_kasp_detach(&kasp);
-
- kasp = NULL;
- CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx,
- &kasplist, &kasp));
- INSIST(kasp != NULL);
- dns_kasp_freeze(kasp);
- dns_kasp_detach(&kasp);
+ kasps = NULL;
+ (void)cfg_map_get(config, "dnssec-policy", &kasps);
+ for (element = cfg_list_first(kasps); element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *kconfig = cfg_listelt_value(element);
+ kasp = NULL;
+ CHECK(cfg_kasp_fromconfig(kconfig, default_kasp, named_g_mctx,
+ named_g_lctx, &kasplist, &kasp));
+ INSIST(kasp != NULL);
+ dns_kasp_freeze(kasp);
+ dns_kasp_detach(&kasp);
+ }
+ dns_kasp_detach(&default_kasp);
tmpkasplist = server->kasplist;
server->kasplist = kasplist;
kasplist = tmpkasplist;
ISC_LANG_BEGINDECLS
isc_result_t
-cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
- isc_log_t *logctx, dns_kasplist_t *kasplist,
- dns_kasp_t **kaspp);
+cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
+ isc_mem_t *mctx, isc_log_t *logctx,
+ dns_kasplist_t *kasplist, dns_kasp_t **kaspp);
/*%<
- * Create and configure a KASP. If 'config' is NULL, a built-in configuration
- * is used, referred to by 'name'. If a 'kasplist' is provided, a lookup
- * happens and if a KASP already exists with the same name, no new KASP is
- * created, and no attach to 'kaspp' happens.
+ * Create and configure a KASP. If 'default_kasp' is not NULL, the built-in
+ * default configuration is used to set values that are not explicitly set in
+ * the policy. If a 'kasplist' is provided, a lookup happens and if a KASP
+ * already exists with the same name, no new KASP is created, and no attach to
+ * 'kaspp' happens.
*
* Requires:
*
}
isc_result_t
-cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
- isc_log_t *logctx, dns_kasplist_t *kasplist,
- dns_kasp_t **kaspp) {
+cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
+ isc_mem_t *mctx, isc_log_t *logctx,
+ dns_kasplist_t *kasplist, dns_kasp_t **kaspp) {
isc_result_t result;
const cfg_obj_t *maps[2];
const cfg_obj_t *koptions = NULL;
kaspname = cfg_obj_asstring(cfg_tuple_get(config, "name"));
INSIST(kaspname != NULL);
+ cfg_obj_log(config, logctx, ISC_LOG_DEBUG(1),
+ "dnssec-policy: load policy '%s'", kaspname);
+
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result == ISC_R_SUCCESS) {
goto cleanup;
}
}
- INSIST(!(dns_kasp_keylist_empty(kasp)));
dns_kasp_freeze(kasp);
for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
kkey = ISC_LIST_NEXT(kkey, link))
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
- } else if (strcmp(kaspname, "insecure") == 0) {
+ } else if (default_kasp && strcmp(kaspname, "insecure") != 0) {
+ dns_kasp_key_t *key, *new_key;
+
+ /*
+ * If there are no specific keys configured in the policy,
+ * inherit from the default policy (except for the built-in
+ * "insecure" policy).
+ */
+ for (key = ISC_LIST_HEAD(dns_kasp_keys(default_kasp));
+ key != NULL; key = ISC_LIST_NEXT(key, link))
+ {
+ /* Create a new key reference. */
+ new_key = NULL;
+ result = dns_kasp_key_create(kasp, &new_key);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+
+ if (dns_kasp_key_ksk(key)) {
+ new_key->role |= DNS_KASP_KEY_ROLE_KSK;
+ }
+ if (dns_kasp_key_zsk(key)) {
+ new_key->role |= DNS_KASP_KEY_ROLE_ZSK;
+ }
+ new_key->lifetime = dns_kasp_key_lifetime(key);
+ new_key->algorithm = dns_kasp_key_algorithm(key);
+ new_key->length = dns_kasp_key_size(key);
+ dns_kasp_addkey(kasp, new_key);
+ }
+ }
+
+ if (strcmp(kaspname, "insecure") == 0) {
/* "dnssec-policy insecure": key list must be empty */
- INSIST(strcmp(kaspname, "insecure") == 0);
INSIST(dns_kasp_keylist_empty(kasp));
- } else {
- /* No keys clause configured, use the "default". */
- result = cfg_kaspkey_fromconfig(NULL, kasp, logctx, 0, 0);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ } else if (default_kasp != NULL) {
+ /* There must be keys configured. */
INSIST(!(dns_kasp_keylist_empty(kasp)));
}
/* Configuration: NSEC3 */
(void)confget(maps, "nsec3param", &nsec3);
if (nsec3 == NULL) {
- dns_kasp_setnsec3(kasp, false);
+ if (default_kasp != NULL && dns_kasp_nsec3(default_kasp)) {
+ dns_kasp_setnsec3param(
+ kasp, dns_kasp_nsec3iter(default_kasp),
+ (dns_kasp_nsec3flags(default_kasp) == 0x01),
+ dns_kasp_nsec3saltlen(default_kasp));
+ } else {
+ dns_kasp_setnsec3(kasp, false);
+ }
} else {
dns_kasp_setnsec3(kasp, true);
result = cfg_nsec3param_fromconfig(nsec3, kasp, logctx);
projects / thirdparty / bind9.git / commitdiff
