2183. [bug] dnssec-signzone didn't handle offline private keys
authorMark Andrews <marka@isc.org>
Fri, 18 May 2007 05:59:26 +0000 (05:59 +0000)
committerMark Andrews <marka@isc.org>
Fri, 18 May 2007 05:59:26 +0000 (05:59 +0000)
                        well.  [RT #16832]

CHANGES
bin/dnssec/dnssec-signzone.c
bin/named/update.c
lib/dns/dnssec.c

diff --git a/CHANGES b/CHANGES
index b81d7a3651767ee92a2460aae6c4002df5a6780c..83bad686e4d89d3afc2399d805c2f9f9116f3c27 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2183.  [bug]           dnssec-signzone didn't handle offline private keys
+                       well.  [RT #16832]
+
 2182.  [bug]           dns_dispatch_createtcp() and dispatch_createudp()
                        could return ISC_R_SUCCESS when they ran out of
                        memory. [RT #16365]
index 1f5b53842e238b32d5d907df2a3be24d717d9547..8d577575f2c19431e65a57cd526f0a181b456696 100644 (file)
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.177.18.21 2006/08/30 23:01:54 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.177.18.22 2007/05/18 05:59:26 marka Exp $ */
 
 /*! \file */
 
@@ -1481,7 +1481,7 @@ loadzonekeys(dns_db_t *db) {
        for (i = 0; i < nkeys; i++) {
                signer_key_t *key;
 
-               key = newkeystruct(keys[i], ISC_TRUE);
+               key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
                ISC_LIST_APPEND(keylist, key, link);
        }
        dns_db_detachnode(db, &node);
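Review bot: The second argument to newkeystruct() on the changed line now encodes whether the key can actually sign instead of an unconditional ISC_TRUE, and nothing at the site says so; a comment above the call would spare the next reader a trip to dst_key_isprivate(), e.g. `/* Offline keys (no private half on disk) are listed but cannot sign. */`. The companion change in update.c skips non-private keys before signing in the same way, so the two sites are consistent. loadzonekeys's body starts and continues outside the hunk.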
index 054776100912de91bf9c78aa0a602e27f1b9edae..37f963c861d64f47806256a8f6de5b52987c6fd6 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.109.18.19 2006/03/06 01:38:00 marka Exp $ */
+/* $Id: update.c,v 1.109.18.20 2007/05/18 05:59:26 marka Exp $ */
 
 #include <config.h>
 
@@ -1675,6 +1675,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                if (check_ksk && type != dns_rdatatype_dnskey &&
                    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
                        continue;
+
+               if (!dst_key_isprivate(keys[i]))
+                       continue;
                
                /* Calculate the signature, creating a RRSIG RDATA. */
                CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
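Review bot: The added `if (!dst_key_isprivate(keys[i])) continue;` silently drops a key from the signing loop with no explanation at the site; a one-line comment such as `/* Offline key: public half only, nothing to sign with. */` would make the intent clear. If every entry in keys[] is public-only the loop produces no RRSIG at all, and whether add_sigs reports that to its caller cannot be seen from the hunk — worth confirming a diagnostic exists, since an unsigned RRset would otherwise only surface at validation time. add_sigs's body starts and ends outside the hunk.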
index c0339a123c7a245b65eefc853d7946a88d96bdad..9f6e94354b4d82675e1edf8809b9214aa3933c3a 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.81.18.6 2006/03/07 00:34:53 marka Exp $
+ * $Id: dnssec.c,v 1.81.18.7 2007/05/18 05:59:26 marka Exp $
  */
 
 /*! \file */
@@ -531,6 +531,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
        dst_key_t *pubkey = NULL;
        unsigned int count = 0;
 
+       REQUIRE(nkeys != NULL);
+       REQUIRE(keys != NULL);
+
        *nkeys = 0;
        dns_rdataset_init(&rdataset);
        RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
@@ -540,7 +543,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                pubkey = NULL;
                dns_rdataset_current(&rdataset, &rdata);
                RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
-               if (!is_zone_key(pubkey))
+               if (!is_zone_key(pubkey) ||
+                   (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
                        goto next;
                keys[count] = NULL;
                result = dst_key_fromfile(dst_key_name(pubkey),
@@ -549,17 +553,23 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                                          DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
                                          directory,
                                          mctx, &keys[count]);
-               if (result == ISC_R_FILENOTFOUND)
+               if (result == ISC_R_FILENOTFOUND) {
+                       keys[count] = pubkey;
+                       pubkey = NULL;
+                       count++;
                        goto next;
+               }
                if (result != ISC_R_SUCCESS)
                        goto failure;
                if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+                       /* We should never get here. */
                        dst_key_free(&keys[count]);
                        goto next;
                }
                count++;
  next:
-               dst_key_free(&pubkey);
+               if (pubkey != NULL)
+                       dst_key_free(&pubkey);
                dns_rdata_reset(&rdata);
                result = dns_rdataset_next(&rdataset);
        }
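Review bot: The ISC_R_FILENOTFOUND branch changes the function's contract — keys[] may now hold public-only dst_key_t objects — but nothing in the hunk records that callers must test dst_key_isprivate() before signing, which is exactly what add_sigs in update.c and loadzonekeys in dnssec-signzone.c now do. A comment before `keys[count] = pubkey;` such as `/* No private key file: return the public key; callers must check dst_key_isprivate() before signing with it. */` would capture this, and the function's header comment (outside the hunk) should state the same. The new count++ path stores into keys[] like the existing one, so it is covered by whatever bound on count against the caller's array size the loop header enforces — that header is outside view and should be checked. dns_dnssec_findzonekeys2's body starts and ends outside the hunk.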
@@ -575,6 +585,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                dns_rdataset_disassociate(&rdataset);
        if (pubkey != NULL)
                dst_key_free(&pubkey);
+       if (result != ISC_R_SUCCESS)
+               while (count > 0)
+                       dst_key_free(&keys[--count]);
        *nkeys = count;
        return (result);
 }