3107. [bug] dnssec-signzone: Report the correct number of ZSKs
authorEvan Hunt <each@isc.org>
Fri, 6 May 2011 21:07:50 +0000 (21:07 +0000)
committerEvan Hunt <each@isc.org>
Fri, 6 May 2011 21:07:50 +0000 (21:07 +0000)
when using -x. [RT #20852]

CHANGES
bin/dnssec/dnssec-signzone.c
bin/tests/system/smartsign/tests.sh
lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h

diff --git a/CHANGES b/CHANGES
index 7b34496742f9f076daa210c7494fdab73621a501..2e54e664c4004b0bb0129a0d1a261b2aa6de1098 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3107.  [bug]           dnssec-signzone: Report the correct number of ZSKs
+                       when using -x. [RT #20852]
+
 3105.   [bug]           GOST support can be suppressed by "configure
                         --without-gost" [RT #24367]
 
index 2b7f2b84fe1ca0a8477bbd3868720d06c2ddcfe3..0f6f3098e3891d85eadee6cab48eb94fb206d7a8 100644 (file)
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.262.110.5 2011/03/22 03:21:17 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.262.110.6 2011/05/06 21:07:49 each Exp $ */
 
 /*! \file */
 
@@ -1451,14 +1451,14 @@ verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation,
 /*%
  * Verify that certain things are sane:
  *
- *   The apex has a DNSKEY record with at least one KSK, and at least
+ *   The apex has a DNSKEY RRset with at least one KSK, and at least
  *   one ZSK if the -x flag was not used.
  *
- *   The DNSKEY record was signed with at least one of the KSKs in this
- *   set.
+ *   The DNSKEY record was signed with at least one of the KSKs in
+ *   the DNSKEY RRset.
  *
  *   The rest of the zone was signed with at least one of the ZSKs
- *   present in the DNSKEY RRSET.
+ *   present in the DNSKEY RRset.
  */
 static void
 verifyzone(void) {
@@ -1469,8 +1469,8 @@ verifyzone(void) {
        dns_name_t *name, *nextname, *zonecut;
        dns_rdata_dnskey_t dnskey;
        dns_rdata_t rdata = DNS_RDATA_INIT;
-       dns_rdataset_t rdataset;
-       dns_rdataset_t sigrdataset;
+       dns_rdataset_t keyset, soaset;
+       dns_rdataset_t keysigs, soasigs;
        int i;
        isc_boolean_t done = ISC_FALSE;
        isc_boolean_t first = ISC_TRUE;
@@ -1496,18 +1496,30 @@ verifyzone(void) {
                fatal("failed to find the zone's origin: %s",
                      isc_result_totext(result));
 
-       dns_rdataset_init(&rdataset);
-       dns_rdataset_init(&sigrdataset);
+       dns_rdataset_init(&keyset);
+       dns_rdataset_init(&keysigs);
+       dns_rdataset_init(&soaset);
+       dns_rdataset_init(&soasigs);
+
        result = dns_db_findrdataset(gdb, node, gversion,
                                     dns_rdatatype_dnskey,
-                                    0, 0, &rdataset, &sigrdataset);
-       dns_db_detachnode(gdb, &node);
+                                    0, 0, &keyset, &keysigs);
        if (result != ISC_R_SUCCESS)
                fatal("cannot find DNSKEY rrset\n");
 
-       if (!dns_rdataset_isassociated(&sigrdataset))
+       result = dns_db_findrdataset(gdb, node, gversion,
+                                    dns_rdatatype_soa,
+                                    0, 0, &soaset, &soasigs);
+       dns_db_detachnode(gdb, &node);
+       if (result != ISC_R_SUCCESS)
+               fatal("cannot find SOA rrset\n");
+
+       if (!dns_rdataset_isassociated(&keysigs))
                fatal("cannot find DNSKEY RRSIGs\n");
 
+       if (!dns_rdataset_isassociated(&soasigs))
+               fatal("cannot find SOA RRSIGs\n");
+
        memset(revoked_ksk, 0, sizeof(revoked_ksk));
        memset(revoked_zsk, 0, sizeof(revoked_zsk));
        memset(standby_ksk, 0, sizeof(standby_ksk));
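Review bot: The new SOA lookup has no comment saying why the apex SOA and its RRSIGs are fetched in verifyzone(), which only becomes clear much later in the ZSK classification loop; a reader may take it for a plain sanity check. Suggest above the second dns_db_findrdataset() call: `/* The SOA RRset and its RRSIGs are used below to recognise active ZSKs that do not sign the DNSKEY RRset (e.g. when -x was used). */`. Both fatal() paths now run with 'keyset'/'keysigs' still associated and the node still attached; that matches the pre-existing DNSKEY error path and is fine as long as fatal() does not return, which this hunk does not show. verifyzone() begins and ends outside this hunk.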
@@ -1524,10 +1536,10 @@ verifyzone(void) {
         * and one ZSK per algorithm in it (or, if -x was used, one
         * self-signing KSK).
         */
-       for (result = dns_rdataset_first(&rdataset);
+       for (result = dns_rdataset_first(&keyset);
             result == ISC_R_SUCCESS;
-            result = dns_rdataset_next(&rdataset)) {
-               dns_rdataset_current(&rdataset, &rdata);
+            result = dns_rdataset_next(&keyset)) {
+               dns_rdataset_current(&keyset, &rdata);
                result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
                check_result(result, "dns_rdata_tostruct");
 
@@ -1535,8 +1547,8 @@ verifyzone(void) {
                        ;
                else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
                        if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-                           !dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
-                                                 &sigrdataset, ISC_FALSE,
+                           !dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
+                                                 &keysigs, ISC_FALSE,
                                                  mctx)) {
                                char namebuf[DNS_NAME_FORMATSIZE];
                                char buffer[1024];
@@ -1558,8 +1570,8 @@ verifyzone(void) {
                                 revoked_zsk[dnskey.algorithm] != 255)
                                revoked_zsk[dnskey.algorithm]++;
                } else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
-                       if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
-                                             &sigrdataset, ISC_FALSE, mctx)) {
+                       if (dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
+                                             &keysigs, ISC_FALSE, mctx)) {
                                if (ksk_algorithms[dnskey.algorithm] != 255)
                                        ksk_algorithms[dnskey.algorithm]++;
                                goodksk = ISC_TRUE;
@@ -1567,8 +1579,8 @@ verifyzone(void) {
                                if (standby_ksk[dnskey.algorithm] != 255)
                                        standby_ksk[dnskey.algorithm]++;
                        }
-               } else if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
-                                               &sigrdataset, ISC_FALSE,
+               } else if (dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
+                                               &keysigs, ISC_FALSE,
                                                mctx)) {
 #ifdef ALLOW_KSKLESS_ZONES
                        if (self_algorithms[dnskey.algorithm] != 255)
@@ -1576,6 +1588,10 @@ verifyzone(void) {
 #endif
                        if (zsk_algorithms[dnskey.algorithm] != 255)
                                zsk_algorithms[dnskey.algorithm]++;
+               } else if (dns_dnssec_signs(&rdata, gorigin, &soaset,
+                                           &soasigs, ISC_FALSE, mctx)) {
+                       if (zsk_algorithms[dnskey.algorithm] != 255)
+                               zsk_algorithms[dnskey.algorithm]++;
                } else {
                        if (standby_zsk[dnskey.algorithm] != 255)
                                standby_zsk[dnskey.algorithm]++;
@@ -1586,7 +1602,9 @@ verifyzone(void) {
                dns_rdata_freestruct(&dnskey);
                dns_rdata_reset(&rdata);
        }
-       dns_rdataset_disassociate(&sigrdataset);
+       dns_rdataset_disassociate(&keysigs);
+       dns_rdataset_disassociate(&soaset);
+       dns_rdataset_disassociate(&soasigs);
 
 #ifdef ALLOW_KSKLESS_ZONES
        if (!goodksk) {
@@ -1601,7 +1619,7 @@ verifyzone(void) {
        }
 #else
        if (!goodksk) {
-               fatal("no self signed KSK's found");
+               fatal("No self signed KSK's found");
        }
 #endif
 
@@ -1675,7 +1693,7 @@ verifyzone(void) {
                        dns_name_copy(name, zonecut, NULL);
                        isdelegation = ISC_TRUE;
                }
-               verifynode(name, node, isdelegation, &rdataset,
+               verifynode(name, node, isdelegation, &keyset,
                           ksk_algorithms, bad_algorithms);
                result = dns_dbiterator_next(dbiter);
                nextnode = NULL;
@@ -1712,13 +1730,13 @@ verifyzone(void) {
             result = dns_dbiterator_next(dbiter) ) {
                result = dns_dbiterator_current(dbiter, &node, name);
                check_dns_dbiterator_current(result);
-               verifynode(name, node, ISC_FALSE, &rdataset,
+               verifynode(name, node, ISC_FALSE, &keyset,
                           ksk_algorithms, bad_algorithms);
                dns_db_detachnode(gdb, &node);
        }
        dns_dbiterator_destroy(&dbiter);
 
-       dns_rdataset_disassociate(&rdataset);
+       dns_rdataset_disassociate(&keyset);
 
        /*
         * If we made it this far, we have what we consider a properly signed
index 923836c713e1dd313f191f156ddaf23a274006fe..505209bf33de9882dd19c853617ae1104fd4a289 100644 (file)
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.6 2010/08/16 22:21:06 marka Exp $
+# $Id: tests.sh,v 1.6.70.1 2011/05/06 21:07:49 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -95,6 +95,18 @@ echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || r
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:rechecking dnssec-signzone output with -x"
+ret=0
+# use an alternate output file so -x doesn't interfere with later checks
+pzoneout=`$SIGNER -Sxg -r $RANDFILE -o $pzone -f ${pzone}2.signed $pfile 2>&1`
+czoneout=`$SIGNER -Sxg -r $RANDFILE -o $czone -f ${czone}2.signed $cfile 2>&1`
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout"| grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
+echo "$czoneout"| grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout"| grep 'ZSKs: 1 active, 2 present, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking parent zone DNSKEY set"
 ret=0
 grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
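Review bot: The exit status of the two new $SIGNER invocations is discarded, so a signer failure is only reported indirectly when the grep patterns fail to match, and the captured error text is never shown. Suggest `[ $? -eq 0 ] || ret=1` immediately after each assignment, and printing `$pzoneout`/`$czoneout` when `$ret` is non-zero so the failure is diagnosable from the test log. As a point of style, three of the four new grep lines omit the space in `echo "$pzoneout"| grep`, unlike the first one and the surrounding checks; `echo "$pzoneout" | grep ...` keeps them consistent.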
@@ -144,7 +156,7 @@ grep "$ckpublished" dnskey.sigs > /dev/null && ret=1
 grep "$czpublished" dnskey.sigs > /dev/null && ret=1
 grep "$czinactive" dnskey.sigs > /dev/null && ret=1
 grep "$czgenerated" dnskey.sigs > /dev/null && ret=1
-# now check other signatures first
+# now check other signatures
 awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $2 }' $cfile.signed | sort -un > other.sigs
 # should not be there:
 grep "$ckactive" other.sigs > /dev/null && ret=1
index eedb6b87748e9552530de7907d6b1eb435f5cfdb..df6cedb96d10ae01e73801a59f85c110c27590bf 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.119.170.3 2011/03/17 01:20:49 marka Exp $
+ * $Id: dnssec.c,v 1.119.170.4 2011/05/06 21:07:50 each Exp $
  */
 
 /*! \file */
@@ -1018,13 +1018,6 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
                     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
                     isc_boolean_t ignoretime, isc_mem_t *mctx)
 {
-       dst_key_t *dstkey = NULL;
-       dns_keytag_t keytag;
-       dns_rdata_dnskey_t key;
-       dns_rdata_rrsig_t sig;
-       dns_rdata_t sigrdata = DNS_RDATA_INIT;
-       isc_result_t result;
-
        INSIST(rdataset->type == dns_rdatatype_key ||
               rdataset->type == dns_rdatatype_dnskey);
        if (rdataset->type == dns_rdatatype_key) {
@@ -1035,6 +1028,27 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
                INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
        }
 
+       return (dns_dnssec_signs(rdata, name, rdataset, sigrdataset,
+                                ignoretime, mctx));
+
+}
+
+isc_boolean_t
+dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
+                    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+                    isc_boolean_t ignoretime, isc_mem_t *mctx)
+{
+       dst_key_t *dstkey = NULL;
+       dns_keytag_t keytag;
+       dns_rdata_dnskey_t key;
+       dns_rdata_rrsig_t sig;
+       dns_rdata_t sigrdata = DNS_RDATA_INIT;
+       isc_result_t result;
+
+       INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+       if (sigrdataset->covers != rdataset->type)
+               return (ISC_FALSE);
+
        result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
        if (result != ISC_R_SUCCESS)
                return (ISC_FALSE);
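Review bot: dns_dnssec_signs() asserts `sigrdataset->type == dns_rdatatype_rrsig` with INSIST but treats `sigrdataset->covers != rdataset->type` as a quiet ISC_FALSE, so a caller that pairs the wrong RRSIG set with an RRset is told "not signed" rather than hitting a failed assertion; if that asymmetry is deliberate, a one-line comment such as `/* A signature set for another type cannot sign this RRset. */` would make it clear, otherwise an INSIST would match the type check. The stray blank line between the new `return (dns_dnssec_signs(...))` and the closing brace of dns_dnssec_selfsigns() should be dropped. Neither function is complete within this hunk: dns_dnssec_selfsigns() starts before it and dns_dnssec_signs() continues past it.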
index 625991ddefd9e597e621453f9e8a2c1c3ef1a2e2..cc4b6b722bdff7fe1444c714a8cec22783f096d9 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.42 2010/01/09 23:48:45 tbox Exp $ */
+/* $Id: dnssec.h,v 1.42.178.1 2011/05/06 21:07:50 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -216,8 +216,21 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 
 isc_boolean_t
 dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
-                    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
-                    isc_boolean_t ignoretime, isc_mem_t *mctx);
+                     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+                     isc_boolean_t ignoretime, isc_mem_t *mctx);
+
+
+isc_boolean_t
+dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
+                 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+                 isc_boolean_t ignoretime, isc_mem_t *mctx);
+/*%<
+ * Verify that 'rdataset' is validly signed in 'sigrdataset' by
+ * the key in 'rdata'.
+ *
+ * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY
+ * rrset.  dns_dnssec_signs() works on any rrset.
+ */
 
 
 isc_result_t