dns_kasp_detach(&kasp);
}
/*
- * Create the built-in kasp policies ("default", "none").
+ * Create the built-in kasp policies ("default", "insecure").
*/
kasp = NULL;
CHECK(cfg_kasp_fromconfig(NULL, "default", named_g_mctx, named_g_lctx,
dns_kasp_detach(&kasp);
kasp = NULL;
- CHECK(cfg_kasp_fromconfig(NULL, "none", named_g_mctx, named_g_lctx,
+ CHECK(cfg_kasp_fromconfig(NULL, "insecure", named_g_mctx, named_g_lctx,
&kasplist, &kasp));
INSIST(kasp != NULL);
dns_kasp_freeze(kasp);
CHECK(ISC_R_UNEXPECTEDEND);
}
- if (dns_zone_use_kasp(zone)) {
+ if (dns_zone_getkasp(zone) != NULL) {
(void)putstr(text, "zone uses dnssec-policy, use rndc dnssec "
"command instead");
(void)putnull(text);
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
- result = dns_kasplist_find(kasplist, kaspname, &kasp);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(obj, named_g_lctx, ISC_LOG_ERROR,
- "'dnssec-policy '%s' not found ",
- kaspname);
- RETERR(result);
+ if (strcmp(kaspname, "none") != 0) {
+ result = dns_kasplist_find(kasplist, kaspname,
+ &kasp);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(
+ obj, named_g_lctx,
+ ISC_LOG_ERROR,
+ "dnssec-policy '%s' not found ",
+ kaspname);
+ RETERR(result);
+ }
+ dns_zone_setkasp(zone, kasp);
+ use_kasp = true;
}
- dns_zone_setkasp(zone, kasp);
- use_kasp = dns_zone_use_kasp(zone);
+ }
+ if (!use_kasp) {
+ dns_zone_setkasp(zone, NULL);
}
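Review bot: On the `dnssec-policy none` path the new `strcmp` guard skips the lookup, so `kasp` is never assigned in this hunk, and the `if (kasp != NULL)` test that follows the auto-dnssec lookup further down only behaves correctly if the local was initialised to NULL at its declaration, which is outside the hunk. If that local can carry an earlier value, reset it explicitly before the check, `kasp = NULL;`, so the "none" case cannot inherit a stale policy pointer. The rewritten log text still ends with a blank, `"dnssec-policy '%s' not found"` reads cleaner. The enclosing function starts and ends outside the hunk.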
obj = NULL;
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
- if (kasp != NULL && strcmp(dns_kasp_getname(kasp), "none") != 0)
- {
+ if (kasp != NULL) {
+ bool s2i = (strcmp(dns_kasp_getname(kasp),
+ "insecure") != 0);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
+ dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
- } else {
- bool s2i = dns_zone_secure_to_insecure(zone, false);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, s2i);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
- dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, s2i);
}
}
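Review bot: `s2i` is true for every policy whose name is not "insecure", so the name reads inverted, and the effect on the next lines is a behaviour change: the removed line set DNS_ZONEKEY_CREATE unconditionally true for a policy, while `DNS_ZONEKEY_CREATE, !s2i` is now false for every ordinary policy such as "default" and true only for "insecure". If that is intended (the key manager rather than auto-dnssec creating keys under a policy), say so in the code, e.g. `bool insecure = (strcmp(dns_kasp_getname(kasp), "insecure") == 0);` and `dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, insecure);` with a one-line comment on why an insecure policy keeps key creation enabled; if it is not intended, the flag is inverted. The enclosing function continues outside the hunk.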
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"inline-signing: "
"implicitly through dnssec-policy");
- } else {
- inline_signing = dns_zone_secure_to_insecure(zone,
- true);
- dns_zone_log(
- zone, ISC_LOG_DEBUG(1), "inline-signing: %s",
- inline_signing ? "transitioning to insecure"
- : "no");
}
}
if (strcmp(kaspname, "default") == 0) {
has_dnssecpolicy = true;
+ } else if (strcmp(kaspname, "insecure") == 0) {
+ has_dnssecpolicy = true;
} else if (strcmp(kaspname, "none") == 0) {
has_dnssecpolicy = false;
} else {
*\li 'zone' to be a valid zone.
*/
-bool
-dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig);
-/*%<
- * Returns true if the zone is transitioning to insecure.
- * Only can happen if a zone previously used a dnssec-policy,
- * but changed the value to "none" (or removed the configuration
- * option). If 'reconfig' is true, only check the key files,
- * because the zone structure is not yet updated with the
- * newest configuration.
- *
- * Require:
- *\li 'zone' to be a valid zone.
- */
-
-bool
-dns_zone_use_kasp(dns_zone_t *zone);
-/*%<
- * Check if zone needs to use kasp.
- * True if there is a policy that is not "none",
- * or if there are state files associated with the keys
- * related to this zone.
- *
- * Require:
- *\li 'zone' to be a valid zone.
- */
-
void
dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
/*%<
bool keyset_kskonly) {
isc_result_t result;
dns_dbnode_t *node = NULL;
+ dns_kasp_t *kasp = dns_zone_getkasp(zone);
dns_rdataset_t rdataset;
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone);
bool use_kasp = false;
isc_mem_t *mctx = diff->mctx;
- if (dns_zone_use_kasp(zone)) {
+ if (kasp != NULL) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
dns_zone_replacedb
dns_zone_rpz_enable
dns_zone_rpz_enable_db
-dns_zone_secure_to_insecure
dns_zone_set_parentcatz
dns_zone_setadded
dns_zone_setalsonotify
dns_zone_signwithkey
dns_zone_synckeyzone
dns_zone_unload
-dns_zone_use_kasp
dns_zone_verifydb
dns_zonekey_iszonekey
dns_zonemgr_attach
return (zone->kasp);
}
-static bool
-statefile_exist(dns_zone_t *zone) {
- isc_result_t ret;
- dns_dnsseckeylist_t keys;
- dns_dnsseckey_t *key = NULL;
- isc_stdtime_t now;
- isc_time_t timenow;
- bool found = false;
-
- TIME_NOW(&timenow);
- now = isc_time_seconds(&timenow);
-
- ISC_LIST_INIT(keys);
-
- ret = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
- dns_zone_getkeydirectory(zone), now,
- dns_zone_getmctx(zone), &keys);
- if (ret == ISC_R_SUCCESS) {
- for (key = ISC_LIST_HEAD(keys); key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (dst_key_haskasp(key->key)) {
- found = true;
- break;
- }
- }
- }
-
- /* Clean up keys */
- while (!ISC_LIST_EMPTY(keys)) {
- key = ISC_LIST_HEAD(keys);
- ISC_LIST_UNLINK(keys, key, link);
- dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
- }
-
- return (found);
-}
-
-bool
-dns_zone_secure_to_insecure(dns_zone_t *zone, bool reconfig) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- /*
- * If checking during reconfig, the zone is not yet updated
- * with the new kasp configuration, so only check the key
- * files.
- */
- if (reconfig) {
- return (statefile_exist(zone));
- }
-
- if (zone->kasp == NULL) {
- return (false);
- }
- if (strcmp(dns_kasp_getname(zone->kasp), "none") != 0) {
- return (false);
- }
- /*
- * "dnssec-policy none", but if there are key state files
- * this zone used to be secure but is transitioning back to
- * insecure.
- */
- return (statefile_exist(zone));
-}
-
-bool
-dns_zone_use_kasp(dns_zone_t *zone) {
- dns_kasp_t *kasp = dns_zone_getkasp(zone);
-
- if (kasp == NULL) {
- return (false);
- } else if (strcmp(dns_kasp_getname(kasp), "none") != 0) {
- return (true);
- }
- return dns_zone_secure_to_insecure(zone, false);
-}
-
void
dns_zone_setoption(dns_zone_t *zone, dns_zoneopt_t option, bool value) {
REQUIRE(DNS_ZONE_VALID(zone));
unsigned int i, j;
bool use_kasp = false;
- if (dns_zone_use_kasp(zone)) {
+ if (dns_zone_getkasp(zone) != NULL) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
dns_rdata_reset(&rdata);
}
- if (dns_zone_use_kasp(zone)) {
+ if (dns_zone_getkasp(zone) != NULL) {
dns_kasp_key_t *kkey;
int zsk_count = 0;
bool approved;
} else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
inception, &when)) {
/* Only applies to dnssec-policy. */
- if (dns_zone_use_kasp(zone)) {
+ if (dns_zone_getkasp(zone) != NULL) {
goto next_rdataset;
}
}
signing = ISC_LIST_HEAD(zone->signing);
first = true;
- if (dns_zone_use_kasp(zone)) {
+ if (dns_zone_getkasp(zone) != NULL) {
check_ksk = false;
keyset_kskonly = true;
use_kasp = true;
* Allow DNSSEC records with dnssec-policy.
* WMM: Perhaps add config option for it.
*/
- if (!dns_zone_use_kasp(zone)) {
+ if (dns_zone_getkasp(zone) == NULL) {
dns_rdataset_disassociate(&rdataset);
continue;
}
dns__zonediff_t zonediff;
bool commit = false, newactive = false;
bool newalg = false;
- bool fullsign, use_kasp;
+ bool fullsign;
dns_ttl_t ttl = 3600;
const char *dir = NULL;
isc_mem_t *mctx = NULL;
fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
kasp = dns_zone_getkasp(zone);
- use_kasp = dns_zone_use_kasp(zone);
if (kasp != NULL) {
LOCK(&kasp->lock);
}
isc_result_totext(result));
}
- if (use_kasp && (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
+ if (kasp != NULL &&
+ (result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)) {
result = dns_keymgr_run(&zone->origin, zone->rdclass, dir, mctx,
&keys, kasp, now, &nexttime);
if (result != ISC_R_SUCCESS) {
+ if (kasp != NULL) {
+ UNLOCK(&kasp->lock);
+ }
dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:dns_dnssec_keymgr failed: %s",
isc_result_totext(result));
}
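Review bot: The `if (kasp != NULL)` guard around the added UNLOCK is redundant: this block is only entered under the `kasp != NULL &&` condition two lines above, so `UNLOCK(&kasp->lock);` can stand on its own. The hunk ends right after the log, so it is not visible whether this error path then jumps to the failure label or falls through to the common unlock later in zone_rekey; if it falls through, the lock is released twice. Worth confirming, and a comment such as `/* kasp lock released here; this path must not reach the common UNLOCK */` would make the ownership explicit.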
if (result == ISC_R_SUCCESS) {
+ bool cds_delete = false;
+ isc_stdtime_t when;
+
/*
* Publish CDS/CDNSKEY DELETE records if the zone is
* transitioning from secure to insecure.
*/
- bool cds_delete = dns_zone_secure_to_insecure(zone, false);
- isc_stdtime_t when;
+ if (kasp != NULL &&
+ strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
+ cds_delete = true;
+ }
/*
* Only update DNSKEY TTL if we have a policy.
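Review bot: The removed `dns_zone_secure_to_insecure()` call also required key state files to exist, whereas the new condition marks every zone with the "insecure" policy as transitioning, including a zone that was never signed, so CDS/CDNSKEY DELETE records are now published for those too. If the broadening is intended, the comment above should say so, e.g. `* transitioning from secure to insecure (any zone using the "insecure" policy).`; otherwise the state-file test needs to return. zone_rekey continues outside the hunk.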
/*
* If keymgr provided a next time, use the calculated next rekey time.
*/
- if (use_kasp) {
+ if (kasp != NULL) {
isc_time_t timenext;
uint32_t nexttime_seconds;
}
}
INSIST(!(dns_kasp_keylist_empty(kasp)));
- } else if (strcmp(kaspname, "none") == 0) {
- /* "dnssec-policy none": key list must be empty */
- INSIST(strcmp(kaspname, "none") == 0);
+ } else if (strcmp(kaspname, "insecure") == 0) {
+ /* "dnssec-policy insecure": key list must be empty */
+ INSIST(strcmp(kaspname, "insecure") == 0);
INSIST(dns_kasp_keylist_empty(kasp));
} else {
/* No keys clause configured, use the "default". */
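Review bot: `INSIST(strcmp(kaspname, "insecure") == 0);` is tautological: it sits inside the `else if` branch that tested exactly that condition, so it can never fire and only restates the guard. Drop it and keep `INSIST(dns_kasp_keylist_empty(kasp));`, which is the invariant the comment actually describes. The same redundant check existed for "none" before; the rename is a good moment to remove it. The enclosing function continues outside the hunk.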