.. option:: -x
This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys,
- and should omit signatures from zone-signing keys. (This is similar to the
- ``dnssec-dnskey-kskonly yes;`` zone option in :iscman:`named`.)
+ and should omit signatures from zone-signing keys.
.. option:: -z
This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
KSK-flagged keys to sign all records, not just the DNSKEY RRset.
- (This is similar to the ``update-check-ksk no;`` zone option in
- :iscman:`named`.)
.. option:: -3 salt
check-srv-cname warn;\n\
check-wildcard yes;\n\
dialup no;\n\
- dnssec-dnskey-kskonly yes;\n\
dnssec-loadkeys-interval 60;\n\
dnssec-update-mode maintain;\n\
# forward <none>\n\
transfer-source *;\n\
transfer-source-v6 *;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
- update-check-ksk yes;\n\
zero-no-soa-ttl yes;\n\
zone-statistics terse;\n\
};\n\
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
- obj = NULL;
- result = named_config_get(maps, "update-check-ksk", &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
- cfg_obj_asboolean(obj));
- /*
- * This setting will be ignored if dnssec-policy is used.
- * named-checkconf will error if both are configured.
- */
-
- obj = NULL;
- result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
- cfg_obj_asboolean(obj));
- /*
- * This setting will be ignored if dnssec-policy is used.
- * named-checkconf will error if both are configured.
- */
-
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
&obj);
type secondary;
primaries { 127.0.0.1; };
inline-signing no;
- dnssec-dnskey-kskonly yes;
- update-check-ksk yes;
dnssec-loadkeys-interval 10;
};
type secondary;
primaries { 127.0.0.1; };
inline-signing yes;
- dnssec-dnskey-kskonly yes;
- update-check-ksk yes;
dnssec-loadkeys-interval 10;
};
type primary;
file "nsec3.db";
dnssec-policy "test";
- dnssec-dnskey-kskonly yes;
dnssec-update-mode maintain;
inline-signing no;
- update-check-ksk yes;
};
n=$((n + 1))
echo_i "checking options allowed in inline-signing secondaries ($n)"
ret=0
-$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1
-l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l)
-[ $l -eq 1 ] || ret=1
$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1
l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
-$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1
-l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l)
-[ $l -eq 1 ] || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
-grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
dnssec-policy "default";
};
+zone "step1.going-straight-to-none-dynamic.kasp" {
+ type primary;
+ file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+ dnssec-policy "default";
+ allow-update { any; };
+};
+
/* These are alorithm rollover test zones. */
zone "step1.algorithm-roll.kasp" {
type primary;
dnssec-policy "none";
};
+zone "step1.going-straight-to-none-dynamic.kasp" {
+ type primary;
+ file "step1.going-straight-to-none-dynamic.kasp.db.signed";
+ dnssec-policy "none";
+ allow-update { any; };
+};
+
/*
* Zones for testing KSK/ZSK algorithm roll.
*/
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+# This zone is going straight to "none" policy. This is undefined behavior.
+setup step1.going-straight-to-none-dynamic.kasp
+echo "$zone" >> zones
+TactN="now"
+csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
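Review bot: The new setup comment says that going straight to policy "none" "is undefined behavior", yet the step files added later in this diff assert a precise outcome for this zone (every KEY1 state omnipresent, check_dnssecstatus and dnssec_verify passing). The comment should state what the test actually pins rather than disclaim it, e.g. `# Zone that moves straight from "default" to policy "none": named must leave the existing key and signatures untouched, so the zone stays valid until they expire.` That wording reflects the assertions elsewhere in this diff, not a documented guarantee, so adjust it if the intended contract is narrower.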
check_subdomain
dnssec_verify
+#
+# Zone step1.going-straight-to-none-dynamic.kasp
+#
+set_zone "step1.going-straight-to-none-dynamic.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+# This policy only has one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The first key is immediately published and activated.
+created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${created}"
+set_keytime "KEY1" "ACTIVE" "${created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+check_keytimes
+
+check_apex
+check_subdomain
+dnssec_verify
+
# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
# changes).
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
dnssec_verify
+#
+# Zone: step1.going-straight-to-none-dynamic.kasp
+#
+set_zone "step1.going-straight-to-none-dynamic.kasp"
+set_policy "none" "1" "3600"
+set_server "ns6" "10.53.0.6"
+
+# The zone will go bogus after signatures expire, but remains validly signed for now.
+
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+# This policy only has one key.
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+dnssec_verify
+
#
# Testing KSK/ZSK algorithm rollover.
#
The default is ``no``.
.. namedconf:statement:: update-check-ksk
- :tags: zone, dnssec
- :short: Specifies whether to check the KSK bit to determine how a key should be used, when generating RRSIGs for a secure zone.
-
- When set to the default value of ``yes``, check the KSK bit in each
- key to determine how the key should be used when generating RRSIGs
- for a secure zone.
-
- Ordinarily, zone-signing keys (that is, keys without the KSK bit set)
- are used to sign the entire zone, while key-signing keys (keys with
- the KSK bit set) are only used to sign the DNSKEY RRset at the zone
- apex. However, if this option is set to ``no``, then the KSK bit is
- ignored; KSKs are treated as if they were ZSKs and are used to sign
- the entire zone. This is similar to the :option:`dnssec-signzone -z`
- command-line option.
-
- When this option is set to ``yes``, there must be at least two active
- keys for every algorithm represented in the DNSKEY RRset: at least
- one KSK and one ZSK per algorithm. If there is any algorithm for
- which this requirement is not met, this option is ignored for
- that algorithm.
+ :tags: obsolete
-.. namedconf:statement:: dnssec-dnskey-kskonly
- :tags: dnssec
- :short: Specifies that only key-signing keys are used to sign the DNSKEY, CDNSKEY, and CDS RRsets at a zone's apex.
+ This option no longer has any effect.
- When this option and :any:`update-check-ksk` are both set to ``yes``,
- only key-signing keys (that is, keys with the KSK bit set) are
- used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
- Zone-signing keys (keys without the KSK bit set) are used to sign
- the remainder of the zone, but not the DNSKEY RRset. This is similar
- to the :option:`dnssec-signzone -x` command-line option.
+.. namedconf:statement:: dnssec-dnskey-kskonly
+ :tags: obsolete
- The default is ``yes``. If :any:`update-check-ksk` is set to ``no``, this
- option is ignored.
+ This option no longer has any effect.
.. namedconf:statement:: try-tcp-refresh
:tags: transfer
dnsrps-library <quoted_string>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
- dnssec-dnskey-kskonly <boolean>;
+ dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
try-tcp-refresh <boolean>;
udp-receive-buffer <integer>;
udp-send-buffer <integer>;
- update-check-ksk <boolean>;
+ update-check-ksk <boolean>; // obsolete
update-quota <integer>;
use-v4-udp-ports { <portrange>; ... }; // deprecated
use-v6-udp-ports { <portrange>; ... }; // deprecated
dnsrps-enable <boolean>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnssec-accept-expired <boolean>;
- dnssec-dnskey-kskonly <boolean>;
+ dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
try-tcp-refresh <boolean>;
- update-check-ksk <boolean>;
+ update-check-ksk <boolean>; // obsolete
v6-bias <integer>;
validate-except { <string>; ... };
zero-no-soa-ttl <boolean>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );
dlz <string>;
dnskey-sig-validity <integer>; // obsolete
- dnssec-dnskey-kskonly <boolean>;
+ dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
sig-signing-signatures <integer>;
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ]; // obsolete
- update-check-ksk <boolean>;
+ update-check-ksk <boolean>; // obsolete
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );
dialup ( notify | notify-passive | passive | refresh | <boolean> );
dlz <string>;
dnskey-sig-validity <integer>; // obsolete
- dnssec-dnskey-kskonly <boolean>;
+ dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
dnssec-update-mode ( maintain | no-resign );
transfer-source ( <ipv4_address> | * );
transfer-source-v6 ( <ipv6_address> | * );
try-tcp-refresh <boolean>;
- update-check-ksk <boolean>;
+ update-check-ksk <boolean>; // obsolete
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );
};
add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
- bool keyset_kskonly) {
+ isc_stdtime_t inception, isc_stdtime_t expire) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_kasp_t *kasp = dns_zone_getkasp(zone);
isc_mem_t *mctx = diff->mctx;
if (kasp != NULL) {
- check_ksk = false;
- keyset_kskonly = true;
use_kasp = true;
}
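Review bot: After the two flag resets are dropped, the `if (kasp != NULL)` block in add_sigs only sets `use_kasp = true`, which reads more directly as `use_kasp = (kasp != NULL);` (assuming use_kasp is initialised to false here as it is in zone.c's add_sigs). The same leftover shape is in zone.c's add_sigs at the `zone->kasp != NULL` hunk further down. add_sigs continues outside this hunk.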
continue;
}
- if (check_ksk && !REVOKE(keys[i])) {
+ if (!REVOKE(keys[i])) {
/*
* Don't consider inactive keys, however the KSK may be
* temporary offline, so do consider KSKs which private
* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
*/
if (dns_rdatatype_iskeymaterial(type)) {
- if (!KSK(keys[i]) && keyset_kskonly) {
+ if (!KSK(keys[i])) {
continue;
}
} else if (KSK(keys[i])) {
add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, bool cut,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
- isc_stdtime_t inception, isc_stdtime_t expire, bool check_ksk,
- bool keyset_kskonly, unsigned int *sigs) {
+ isc_stdtime_t inception, isc_stdtime_t expire,
+ unsigned int *sigs) {
isc_result_t result;
dns_dbnode_t *node;
dns_rdatasetiter_t *iter;
continue;
}
result = add_sigs(log, zone, db, ver, name, type, diff, keys,
- nkeys, inception, expire, check_ksk,
- keyset_kskonly);
+ nkeys, inception, expire);
if (result != ISC_R_SUCCESS) {
goto cleanup_iterator;
}
unsigned int nkeys;
isc_stdtime_t inception, expire, soaexpire, keyexpire;
dns_ttl_t nsecttl;
- bool check_ksk, keyset_kskonly, build_nsec3;
+ bool build_nsec3;
enum {
sign_updates,
remove_orphaned,
state->keyexpire += now;
}
- /*
- * Do we look at the KSK flag on the DNSKEY to determining which
- * keys sign which RRsets? First check the zone option then
- * check the keys flags to make sure at least one has a ksk set
- * and one doesn't.
- */
- state->check_ksk = ((dns_zone_getoptions(zone) &
- DNS_ZONEOPT_UPDATECHECKKSK) != 0);
- state->keyset_kskonly = ((dns_zone_getoptions(zone) &
- DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
-
/*
* Calculate the NSEC/NSEC3 TTL as a minimum of the SOA TTL and
* MINIMUM field.
log, zone, db, newver, name,
type, &state->sig_diff,
state->zone_keys, state->nkeys,
- state->inception, exp,
- state->check_ksk,
- state->keyset_kskonly));
+ state->inception, exp));
sigs++;
}
skip:
log, zone, db, newver, name, cut,
&state->sig_diff, state->zone_keys,
state->nkeys, state->inception,
- state->expire, state->check_ksk,
- state->keyset_kskonly, &sigs));
+ state->expire, &sigs));
}
unlink:
ISC_LIST_UNLINK(state->affected.tuples, t, link);
dns_rdatatype_nsec, NULL,
&state->sig_diff));
} else if (t->op == DNS_DIFFOP_ADD) {
- CHECK(add_sigs(log, zone, db, newver, &t->name,
- dns_rdatatype_nsec,
- &state->sig_diff,
- state->zone_keys, state->nkeys,
- state->inception, state->expire,
- state->check_ksk,
- state->keyset_kskonly));
+ CHECK(add_sigs(
+ log, zone, db, newver, &t->name,
+ dns_rdatatype_nsec, &state->sig_diff,
+ state->zone_keys, state->nkeys,
+ state->inception, state->expire));
sigs++;
} else {
UNREACHABLE();
log, zone, db, newver, name, cut,
&state->sig_diff, state->zone_keys,
state->nkeys, state->inception,
- state->expire, state->check_ksk,
- state->keyset_kskonly, &sigs));
+ state->expire, &sigs));
CHECK(dns_nsec3_addnsec3sx(
db, newver, name, state->nsecttl,
unsecure, privatetype,
dns_rdatatype_nsec3, NULL,
&state->sig_diff));
} else if (t->op == DNS_DIFFOP_ADD) {
- CHECK(add_sigs(log, zone, db, newver, &t->name,
- dns_rdatatype_nsec3,
- &state->sig_diff,
- state->zone_keys, state->nkeys,
- state->inception, state->expire,
- state->check_ksk,
- state->keyset_kskonly));
+ CHECK(add_sigs(
+ log, zone, db, newver, &t->name,
+ dns_rdatatype_nsec3, &state->sig_diff,
+ state->zone_keys, state->nkeys,
+ state->inception, state->expire));
sigs++;
} else {
UNREACHABLE();
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
- isc_stdtime_t expire, bool check_ksk, bool keyset_kskonly) {
+ isc_stdtime_t expire) {
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_stats_t *dnssecsignstats;
bool use_kasp = false;
if (zone->kasp != NULL) {
- check_ksk = false;
- keyset_kskonly = true;
use_kasp = true;
}
continue;
}
- if (check_ksk && !REVOKE(keys[i])) {
+ if (!REVOKE(keys[i])) {
/*
* Don't consider inactive keys, however the KSK may be
* temporary offline, so do consider keys which private
* CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
*/
if (dns_rdatatype_iskeymaterial(type)) {
- if (!KSK(keys[i]) && keyset_kskonly) {
+ if (!KSK(keys[i])) {
continue;
}
} else if (KSK(keys[i])) {
dns_rdataset_t rdataset;
dns_rdatatype_t covers;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
- bool check_ksk, keyset_kskonly = false;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop;
uint32_t sigvalidityinterval, expiryinterval;
}
stop = now + 5;
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
name = dns_fixedname_initname(&fixed);
result = dns_db_getsigningtime(db, &rdataset, name);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
result = add_sigs(db, version, name, zone, covers,
zonediff.diff, zone_keys, nkeys, zone->mctx,
inception,
- resign > (now - 300) ? expire : fullexpire,
- check_ksk, keyset_kskonly);
+ resign > (now - 300) ? expire : fullexpire);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:add_sigs -> %s",
*/
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
zonediff.diff, zone_keys, nkeys, zone->mctx,
- inception, soaexpire, check_ksk, keyset_kskonly);
+ inception, soaexpire);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:add_sigs -> %s",
sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
dns_dbnode_t *node, dns_dbversion_t *version, bool build_nsec3,
bool build_nsec, dst_key_t *key, isc_stdtime_t inception,
- isc_stdtime_t expire, dns_ttl_t nsecttl, bool is_ksk, bool is_zsk,
- bool keyset_kskonly, bool is_bottom_of_zone, dns_diff_t *diff,
+ isc_stdtime_t expire, dns_ttl_t nsecttl, bool both, bool is_ksk,
+ bool is_zsk, bool is_bottom_of_zone, dns_diff_t *diff,
int32_t *signatures, isc_mem_t *mctx) {
isc_result_t result;
dns_rdatasetiter_t *iterator = NULL;
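Review bot: The new `both` parameter of sign_a_node is not described anywhere in the hunk, and its meaning is only recoverable from the checks further down (`!is_ksk && both` for key-material RRsets, `!is_zsk && both` for all other RRsets). Suggest a line in the function's header comment such as `both: true when this key's algorithm has both a KSK and a ZSK, in which case key-material RRsets are signed only with KSKs and the rest only with ZSKs; false disables both role checks so the key is considered for every RRset.` The header comment and the rest of the body lie outside this hunk.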
* be signed with a key in the current DS RRset,
* which would only include KSK's.)
*/
- if (!is_ksk && keyset_kskonly) {
+ if (!is_ksk && both) {
goto next_rdataset;
}
- } else if (!is_zsk) {
+ } else if (!is_zsk && both) {
goto next_rdataset;
} else if (is_zsk && !dst_key_is_signing(key, DST_BOOL_ZSK,
inception, &when))
dst_key_t *zone_keys[], unsigned int nkeys,
dns_zone_t *zone, isc_stdtime_t inception,
isc_stdtime_t expire, isc_stdtime_t keyexpire,
- isc_stdtime_t now, bool check_ksk, bool keyset_kskonly,
- dns__zonediff_t *zonediff) {
+ isc_stdtime_t now, dns__zonediff_t *zonediff) {
dns_difftuple_t *tuple;
isc_result_t result;
}
result = add_sigs(db, version, &tuple->name, zone,
tuple->rdata.type, zonediff->diff, zone_keys,
- nkeys, zone->mctx, inception, exp, check_ksk,
- keyset_kskonly);
+ nkeys, zone->mctx, inception, exp);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"dns__zone_updatesigs:add_sigs -> %s",
dns_nsec3chainlist_t cleanup;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
int32_t signatures;
- bool check_ksk, keyset_kskonly;
bool delegation;
bool first;
isc_result_t result;
expire = soaexpire - 1;
}
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
/*
* We keep pulling nodes off each iterator in turn until
* we have no more nodes to pull off or we reach the limits
}
result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
nkeys, zone, inception, expire, 0, now,
- check_ksk, keyset_kskonly, &zonediff);
+ &zonediff);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_nsec3chain:dns__zone_updatesigs -> %s",
*/
result = dns__zone_updatesigs(¶m_diff, db, version, zone_keys,
nkeys, zone, inception, expire, 0, now,
- check_ksk, keyset_kskonly, &zonediff);
+ &zonediff);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_nsec3chain:dns__zone_updatesigs -> %s",
result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys, nkeys,
zone, inception, expire, 0, now,
- check_ksk, keyset_kskonly, &zonediff);
+ &zonediff);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_nsec3chain:dns__zone_updatesigs -> %s",
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
zonediff.diff, zone_keys, nkeys, zone->mctx,
- inception, soaexpire, check_ksk, keyset_kskonly);
+ inception, soaexpire);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_nsec3chain:add_sigs -> %s",
dns_signinglist_t cleanup;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
int32_t signatures;
- bool check_ksk, keyset_kskonly, is_ksk, is_zsk;
+ bool is_ksk, is_zsk;
bool with_ksk, with_zsk;
bool commit = false;
bool is_bottom_of_zone;
first = true;
if (kasp != NULL) {
- check_ksk = false;
- keyset_kskonly = true;
use_kasp = true;
- } else {
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone,
- DNS_ZONEOPT_DNSKEYKSKONLY);
}
dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_sign:use kasp -> %s",
use_kasp ? "yes" : "no");
for (i = 0; !has_alg && i < nkeys; i++) {
bool both = false;
-
/*
* Find the keys we want to sign with.
*/
}
/*
- * Do we do KSK processing?
+ * We do KSK processing.
*/
- if (check_ksk && !REVOKE(zone_keys[i])) {
+ if (!REVOKE(zone_keys[i])) {
/*
* Don't consider inactive keys, however the key
* may be temporary offline, so do consider KSKs
is_zsk = true;
}
}
- /* Treat as if we have both KSK and ZSK. */
both = true;
- } else if (both || REVOKE(zone_keys[i])) {
- is_ksk = KSK(zone_keys[i]);
- is_zsk = !KSK(zone_keys[i]);
} else {
- is_ksk = false;
- is_zsk = true;
+ is_ksk = KSK(zone_keys[i]);
+ is_zsk = !is_ksk;
+
+ /*
+ * Don't consider inactive keys, however the key
+ * may be temporary offline, so do consider KSKs
+ * which private key files are unavailable.
+ */
+ both = dst_key_have_ksk_and_zsk(
+ zone_keys, nkeys, i, false, is_ksk,
+ is_zsk, NULL, NULL);
+ if (both || REVOKE(zone_keys[i])) {
+ is_ksk = KSK(zone_keys[i]);
+ is_zsk = !KSK(zone_keys[i]);
+ } else {
+ is_ksk = false;
+ is_zsk = false;
+ }
}
/*
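Review bot: The new inner `else` that sets `is_ksk = false; is_zsk = false;` looks unreachable: this outer `else` is entered only when `!REVOKE(zone_keys[i])` is false, so `both || REVOKE(zone_keys[i])` always holds and its first arm merely repeats the two assignments made a few lines earlier. Unless a later change alters the outer condition, the branch reduces to `is_ksk = KSK(zone_keys[i]); is_zsk = !is_ksk;` followed by the `dst_key_have_ksk_and_zsk()` call. The comment above that call ("Don't consider inactive keys, however the key may be temporary offline ...") is copied from the KSK branch and does not describe a revoked-key path; something like `/* Revoked key: keep its KSK/ZSK role; the helper decides whether both roles exist for this algorithm. */` fits better. The enclosing loop body starts before and ends after this hunk.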
continue;
}
- CHECK(sign_a_node(
- db, zone, name, node, version, build_nsec3,
- build_nsec, zone_keys[i], inception, expire,
- zone_nsecttl(zone), is_ksk, is_zsk,
- (both && keyset_kskonly), is_bottom_of_zone,
- zonediff.diff, &signatures, zone->mctx));
+ CHECK(sign_a_node(db, zone, name, node, version,
+ build_nsec3, build_nsec, zone_keys[i],
+ inception, expire, zone_nsecttl(zone),
+ both, is_ksk, is_zsk,
+ is_bottom_of_zone, zonediff.diff,
+ &signatures, zone->mctx));
/*
* If we are adding we are done. Look for other keys
* of the same algorithm if deleting.
if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
result = dns__zone_updatesigs(&post_diff, db, version,
zone_keys, nkeys, zone, inception,
- expire, 0, now, check_ksk,
- keyset_kskonly, &zonediff);
+ expire, 0, now, &zonediff);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_sign:dns__zone_updatesigs -> %s",
*/
result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
zonediff.diff, zone_keys, nkeys, zone->mctx,
- inception, soaexpire, check_ksk, keyset_kskonly);
+ inception, soaexpire);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
isc_result_totext(result));
dns_dbversion_t *ver, isc_stdtime_t now, dns_diff_t *diff,
dns__zonediff_t *zonediff, dst_key_t **keys,
unsigned int nkeys, isc_stdtime_t inception,
- isc_stdtime_t keyexpire, bool check_ksk,
- bool keyset_kskonly) {
+ isc_stdtime_t keyexpire) {
dns_difftuple_t *tuple;
isc_result_t result;
}
result = add_sigs(db, ver, &zone->origin, zone, rrtype,
zonediff->diff, keys, nkeys, zone->mctx,
- inception, keyexpire, check_ksk,
- keyset_kskonly);
+ inception, keyexpire);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"sign_apex:add_sigs -> %s",
isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff) {
isc_result_t result;
isc_stdtime_t inception, soaexpire, keyexpire;
- bool check_ksk, keyset_kskonly;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
unsigned int nkeys = 0, i;
keyexpire += now;
}
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
-
/*
* See if dns__zone_updatesigs() will update DNSKEY/CDS/CDNSKEY
* signature and if not cause them to sign so that newly activated
*/
result = tickle_apex_rrset(dns_rdatatype_dnskey, zone, db, ver, now,
diff, zonediff, zone_keys, nkeys, inception,
- keyexpire, check_ksk, keyset_kskonly);
+ keyexpire);
if (result != ISC_R_SUCCESS) {
goto failure;
}
result = tickle_apex_rrset(dns_rdatatype_cds, zone, db, ver, now, diff,
zonediff, zone_keys, nkeys, inception,
- keyexpire, check_ksk, keyset_kskonly);
+ keyexpire);
if (result != ISC_R_SUCCESS) {
goto failure;
}
result = tickle_apex_rrset(dns_rdatatype_cdnskey, zone, db, ver, now,
diff, zonediff, zone_keys, nkeys, inception,
- keyexpire, check_ksk, keyset_kskonly);
+ keyexpire);
if (result != ISC_R_SUCCESS) {
goto failure;
}
result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
inception, soaexpire, keyexpire, now,
- check_ksk, keyset_kskonly, zonediff);
+ zonediff);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
dst_key_t *zone_keys[], unsigned int nkeys,
dns_zone_t *zone, isc_stdtime_t inception,
isc_stdtime_t expire, isc_stdtime_t keyxpire,
- isc_stdtime_t now, bool check_ksk, bool keyset_kskonly,
- dns__zonediff_t *zonediff);
+ isc_stdtime_t now, dns__zonediff_t *zonediff);
isc_result_t
dns__zone_lookup_nsec3param(dns_zone_t *zone, dns_rdata_nsec3param_t *lookup,
}
}
- obj = NULL;
- res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
- if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
- !signing)
- {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-dnskey-kskonly: requires "
- "inline-signing when used in secondary "
- "zone");
- result = ISC_R_FAILURE;
- }
- if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-dnskey-kskonly: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
-
obj = NULL;
res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
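Review bot: With this validation block and the `update-check-ksk` one below it removed, a named.conf that still sets `dnssec-dnskey-kskonly` or `update-check-ksk` (including `update-check-ksk no`, which previously made KSKs sign the whole zone) is no longer rejected, and the only remaining handling visible in this diff is the CFG_CLAUSEFLAG_OBSOLETE marking in the zone clause tables. Whether that flag makes the parser log a warning is not visible here; if it does not, the signing behaviour of such zones changes silently on upgrade, since the zone.c and update.c hunks now always honour the KSK flag. Worth saying so in the ARM entries that now read `This option no longer has any effect.` and in the release notes, e.g. `named now always honours the KSK flag; if your configuration set update-check-ksk no, KSKs will no longer sign non-key-material RRsets once a ZSK of the same algorithm exists.` The enclosing check function continues outside the hunk.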
result = ISC_R_FAILURE;
}
- obj = NULL;
- res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
- if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
- !signing)
- {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "update-check-ksk: requires "
- "inline-signing when used in secondary "
- "zone");
- result = ISC_R_FAILURE;
- }
- if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "update-check-ksk: cannot be configured "
- "if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
-
obj = NULL;
res1 = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
{ "dialup", &cfg_type_dialuptype,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_STUB },
{ "dnssec-dnskey-kskonly", &cfg_type_boolean,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-loadkeys-interval", &cfg_type_uint32,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
{ "dnssec-policy", &cfg_type_astring,
{ "try-tcp-refresh", &cfg_type_boolean,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "update-check-ksk", &cfg_type_boolean,
- CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "use-alt-transfer-source", &cfg_type_boolean,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
CFG_CLAUSEFLAG_ANCIENT },
*/
result = dns__zone_updatesigs(&raw_diff, db, version, zone_keys, nkeys,
zone, now - 3600, now + 3600, 0, now,
- true, false, &zonediff);
+ &zonediff);
assert_int_equal(result, ISC_R_SUCCESS);
assert_true(ISC_LIST_EMPTY(raw_diff.tuples));
assert_false(ISC_LIST_EMPTY(zone_diff.tuples));