programs.
+ 358. [cleanup] Rename the intermediate files used by the dnssec
+ programs.
+
357. [bug] The zone file parser crashed when seeing a quoted
$INCLUDE.
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-makekeyset.8,v 1.5 2000/07/27 09:42:33 tale Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.6 2000/07/31 15:28:19 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
If
.Nm dnssec-makekeyset
is successful, it creates a file name of the form
-.Ar nnnn.keyset .
+.Ar keyset-nnnn. .
This file contains the KEY and SIG records for domain
.Dv nnnn ,
the domain name part from the key file identifier produced when
.Nm dnssec-keygen
created the domain's public and private keys.
The
-.Ar .keyset
+.Ar keyset
file can then be transferred to the DNS administrator of the parent
zone for them to sign the contents with
.Xr dnssec-signkey 8 .
.Pp
.Nm dnssec-makekeyset
will create a file called
-.Pa example.com.keyset
+.Pa keyset-example.com.
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 86400 seconds (1 day).
The DNS administrator for
.Dv example.com
could then send
-.Pa example.com.keyset
+.Pa keyset-example.com.
to the DNS administrator for
.Dv .com
so that they could sign the resource records in the file.
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-makekeyset.c,v 1.29 2000/07/30 20:53:49 bwelling Exp $ */
+/* $Id: dnssec-makekeyset.c,v 1.30 2000/07/31 15:28:12 bwelling Exp $ */
#include <config.h>
fprintf(stderr, "\t\tSIG end time - "
"absolute|from start|from now (now + 30 days)\n");
fprintf(stderr, "\t-t ttl\n");
+ fprintf(stderr, "\t-p\n");
+ fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-r randomdev:\n");
fprintf(stderr, "\t\ta file containing random data\n");
fprintf(stderr, "\t-v level:\n");
isc_log_t *log = NULL;
keynode_t *keynode;
dns_name_t *savedname = NULL;
+ unsigned int eflags;
+ isc_boolean_t pseudorandom = ISC_FALSE;
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
dns_result_register();
- while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:h")) != -1)
+ while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:ph")) != -1)
{
switch (ch) {
case 's':
fatal("verbose level must be numeric");
break;
+ case 'p':
+ pseudorandom = ISC_TRUE;
+ break;
+
case 'h':
default:
usage();
setup_entropy(mctx, randomfile, &ectx);
if (randomfile != NULL)
isc_mem_free(mctx, randomfile);
- result = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ eflags = ISC_ENTROPY_BLOCKING;
+ if (!pseudorandom)
+ eflags |= ISC_ENTROPY_GOODONLY;
+ result = dst_lib_init(mctx, ectx, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst");
}
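Review bot: The `-p` branch clears ISC_ENTROPY_GOODONLY for the whole dst library, so every random value drawn during signing, not just disposable material, may now come from the non-"good" source, and nothing at the flag computation records what that weakens beyond the usage text's "faster but less secure". For signature algorithms whose signing operation consumes a fresh random value per signature (the example key `Kcom.+003+51944` elsewhere in this change uses algorithm 3, which is DSA in the RFC 2535 registry), predictable randomness there can expose the private key, which is a different order of risk than a slow run. A comment next to the flags would keep the next maintainer from treating `-p` as harmless: `/* -p: accept non-"good" entropy; unsafe for algorithms whose signing draws per-signature random values (e.g. DSA) */`. The man page hunks in this change do not mention `-p` at all; if the option is meant to be supported, the manual should carry the same warning. main() continues outside this hunk.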
if (output == NULL) {
output = isc_mem_allocate(mctx,
- strlen(namestr) +
- strlen("keyset") + 1);
+ strlen("keyset-") +
+ strlen(namestr) + 1);
if (output == NULL)
fatal("out of memory");
- strcpy(output, namestr);
- strcat(output, "keyset");
+ strcpy(output, "keyset-");
+ strcat(output, namestr);
}
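Review bot: The allocation size and the strcpy/strcat pair encode the "keyset-" + name layout twice, so a future change to the prefix has to be made in both places for the write to stay in bounds; computing the size once and formatting against it keeps the bound and the write together, `size_t len = strlen("keyset-") + strlen(namestr) + 1;` followed by `snprintf(output, len, "keyset-%s", namestr);` (if the project's portability rules allow snprintf here). The same two-place pattern appears in the dnssec-signkey.c hunk of this change. The enclosing function starts before this hunk and `namestr` is declared outside it, so I am assuming it is a NUL-terminated string as its use with strlen requires.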
if (domain == NULL) {
dns_fixedname_init(&fdomain);
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signkey.8,v 1.6 2000/07/27 09:42:34 tale Exp $
+.\" $Id: dnssec-signkey.8,v 1.7 2000/07/31 15:28:20 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
-.Ar .keyset
+.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
zone.
.Ar keyset
will be the pathname of the child zone's
-.Ar .keyset
+.Ar keyset
file.
Each
.Ar keyfile
When
.Nm dnssec-signkey
completes successfully, it generates a file called
-.Ar nnnn.signedkey
+.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
zone would use the following command to make
.Nm dnssec-signkey
sign the
-.Ar .keyset
+.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
-.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
+.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
.Pp
.Nm dnssec-signkey
will produce a file called
-.Dv example.com.signedkey
+.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signkey.c,v 1.28 2000/06/22 21:49:03 tale Exp $ */
+/* $Id: dnssec-signkey.c,v 1.29 2000/07/31 15:28:13 bwelling Exp $ */
#include <config.h>
setup_logging(verbose, mctx, &log);
- if (strlen(argv[0]) < 8 ||
- strcmp(argv[0] + strlen(argv[0]) - 7, ".keyset") != 0)
- fatal("keyset file must end in .keyset");
+ if (strlen(argv[0]) < 8 || strncmp(argv[0], "keyset-", 7) != 0)
+ fatal("keyset file '%s' must start with keyset-", argv[0]);
dns_fixedname_init(&fdomain);
domain = dns_fixedname_name(&fdomain);
- isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
- isc_buffer_add(&b, strlen(argv[0]) - 7);
+ isc_buffer_init(&b, argv[0] + strlen("keyset-"),
+ strlen(argv[0]) - strlen("keyset-"));
+ isc_buffer_add(&b, strlen(argv[0]) - strlen("keyset-"));
result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
if (result != ISC_R_SUCCESS)
fatal("'%s' does not contain a valid domain name", argv[0]);
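Review bot: The new prefix test is applied to the whole of `argv[0]`, so any keyset argument with a directory component is rejected and, had it passed, the domain name would be parsed from the directory part; the old suffix test accepted `../ns2/example.keyset`, and the dnssec-signkey man page in this same change still describes the argument as the pathname of the child zone's keyset file (the test scripts now `cp` the file into the current directory first, which hides the regression). Checking and parsing the basename keeps that contract while the file can still be opened by its full path (that open is outside the hunk, so I am inferring it). The literal `8` and `7` also duplicate the `strlen("keyset-")` used two lines later; deriving both from the one string avoids them drifting apart. main() starts and ends outside this hunk; `base` would need declaring with main's other locals, and strrchr comes from <string.h>, which the existing strncmp call suggests is already included.
```c
/* … unchanged: setup_logging(verbose, mctx, &log); … */
base = strrchr(argv[0], '/');
base = (base == NULL) ? argv[0] : base + 1;
if (strlen(base) <= strlen("keyset-") ||
    strncmp(base, "keyset-", strlen("keyset-")) != 0)
	fatal("keyset file '%s' must start with keyset-", argv[0]);
dns_fixedname_init(&fdomain);
domain = dns_fixedname_name(&fdomain);
isc_buffer_init(&b, base + strlen("keyset-"),
		strlen(base) - strlen("keyset-"));
isc_buffer_add(&b, strlen(base) - strlen("keyset-"));
/* … unchanged: dns_name_fromtext(domain, &b, dns_rootname, ...) … */
```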
tdomain[r.length] = 0;
output = isc_mem_allocate(mctx,
- strlen(tdomain) + strlen("signedkey") + 1);
+ strlen("signedkey-") + strlen(tdomain) + 1);
if (output == NULL)
fatal("out of memory");
- strcpy(output, tdomain);
- strcat(output, "signedkey");
+ strcpy(output, "signedkey-");
+ strcat(output, tdomain);
db = NULL;
result = dns_db_create(mctx, "rbt", domain, dns_dbtype_zone,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.8 2000/07/27 09:42:35 tale Exp $
+.\" $Id: dnssec-signzone.8,v 1.9 2000/07/31 15:28:21 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
.Nm dnssec-signzone
is used to sign a zone.
Any
-.Ar .signedkey
+.Ar signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
argument would be an identification string for a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
-.Ar .signedkey
+.Ar signedkey
files for those subzones need to be available in the
current working directory used by
.Nm dnssec-signzone .
which is the same as the origin, so there is no need to use the
.Fl o
option to set the origin.
-This zone file contains the keyset for
-.Dv example.com
-that was created by
-.Xr dnssec-makekeyset 8 .
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
If there was a
-.Ar .signedkey
+.Ar signedkey
file from the parent zone - i.e.
-.Dv example.com.signedkey
+.Dv signedkey-example.com.
- it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
-.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 .
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.81 2000/06/22 21:49:04 tale Exp $ */
+/* $Id: dnssec-signzone.c,v 1.82 2000/07/31 15:28:14 bwelling Exp $ */
#include <config.h>
{
unsigned char filename[256];
isc_buffer_t b;
- isc_region_t r;
dns_db_t *newdb = NULL;
dns_dbnode_t *newnode = NULL;
dns_rdataset_t newset, sigset;
dns_rdata_t rdata, newrdata;
isc_result_t result;
- isc_buffer_init(&b, filename, sizeof(filename) - 10);
+ isc_buffer_init(&b, filename, sizeof(filename));
+ isc_buffer_putstr(&b, "signedkey-");
result = dns_name_totext(name, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
- isc_buffer_usedregion(&b, &r);
- strcpy((char *)r.base + r.length, "signedkey");
+ if (isc_buffer_availablelength(&b) == 0)
+ fatal("name '%s' is too long", nametostr(name));
+ isc_buffer_putmem(&b, "", 1);
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
dns_db_class(db), 0, NULL, &newdb);
check_result(result, "dns_db_create()");
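Review bot: The "is too long" check only fires when dns_name_totext() filled the buffer exactly, leaving no room for the terminator; when the text form of `name` does not fit at all, dns_name_totext() reports ISC_R_NOSPACE and check_result() aborts with the bare message "dns_name_totext()", which hides the cause from the operator. A 256-byte buffer can be smaller than the text form of a name whose labels contain escaped octets, so that path is reachable on unusual child names. Testing both conditions before the generic check keeps the clearer diagnostic: `if (result == ISC_R_NOSPACE || isc_buffer_availablelength(&b) == 0)` then `fatal("name '%s' is too long", nametostr(name));` ahead of the existing `check_result(result, "dns_name_totext()");`. The enclosing function's signature is above this hunk, so its name and where `name` comes from are not visible here.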
haschildkey(dns_db_t *db, dns_name_t *name) {
unsigned char filename[256];
isc_buffer_t b;
- isc_region_t r;
dns_db_t *newdb = NULL;
dns_dbnode_t *newnode = NULL;
dns_rdataset_t set, sigset;
dns_rdataset_init(&set);
dns_rdataset_init(&sigset);
- isc_buffer_init(&b, filename, sizeof(filename) - 10);
+ isc_buffer_init(&b, filename, sizeof(filename));
+ isc_buffer_putstr(&b, "signedkey-");
result = dns_name_totext(name, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
- isc_buffer_usedregion(&b, &r);
- strcpy((char *)r.base + r.length, "signedkey");
+ if (isc_buffer_availablelength(&b) == 0)
+ fatal("name '%s' is too long", nametostr(name));
+ isc_buffer_putmem(&b, "", 1);
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
dns_db_class(db), 0, NULL, &newdb);
check_result(result, "dns_db_create()");
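Review bot: The filename-building sequence in haschildkey() (buffer init, "signedkey-" prefix, dns_name_totext(), the space check, the NUL) is now repeated verbatim in the previous function of this file, so the prefix and the length check live in two places and the next rename or bounds fix has to be applied twice. A small static helper that both callers invoke as `signedkey_filename(name, filename, sizeof(filename));` keeps them in one spot; the helper below reproduces the hunk's logic unchanged. haschildkey() continues outside this hunk, and I am assuming `filename` is later passed to a loader that expects a NUL-terminated string, as the trailing putmem suggests.
```c
/*
 * Write the "signedkey-<name>." filename for a child zone into buf.
 * Fatal if the text form of name leaves no room for the terminator.
 */
static void
signedkey_filename(dns_name_t *name, unsigned char *buf, unsigned int len) {
	isc_buffer_t b;
	isc_result_t result;

	isc_buffer_init(&b, buf, len);
	isc_buffer_putstr(&b, "signedkey-");
	result = dns_name_totext(name, ISC_FALSE, &b);
	check_result(result, "dns_name_totext()");
	if (isc_buffer_availablelength(&b) == 0)
		fatal("name '%s' is too long", nametostr(name));
	isc_buffer_putmem(&b, "", 1);
}

/* … unchanged: haschildkey() locals and rdataset init … */
	signedkey_filename(name, filename, sizeof(filename));
/* … unchanged: dns_db_create() and the rest of haschildkey() … */
```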
signset(db, version, node, name, &keyset);
alreadyhavenullkey:
dns_rdataset_disassociate(&keyset);
+ } else if (isdelegation) {
+ vbprintf(2, "child key for %s found\n",
+ nametostr(name));
+
}
#endif
}
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.6 2000/07/27 09:39:19 tale Exp $
+# $Id: clean.sh,v 1.7 2000/07/31 15:28:15 bwelling Exp $
-rm -f */K* */.keyset */*.keyset */*.signedkey */*.signed */trusted.conf
+rm -f */K* */keyset-* */signedkey-* */*.signed */trusted.conf
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db
rm -f dig.out.*
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.8 2000/07/27 09:39:24 tale Exp $
+# $Id: sign.sh,v 1.9 2000/07/31 15:28:16 bwelling Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
(cd ../ns2 && sh sign.sh )
-cp ../ns2/example.keyset .
+cp ../ns2/keyset-example. .
-$KEYSIGNER -r $RANDFILE example.keyset $keyname
+$KEYSIGNER -r $RANDFILE keyset-example. $keyname
-cat example.signedkey >> ../ns2/example.db.signed
+cat signedkey-example. >> ../ns2/example.db.signed
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.11 2000/07/27 09:39:31 tale Exp $
+# $Id: sign.sh,v 1.12 2000/07/31 15:28:18 bwelling Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
( cd ../ns3 && sh sign.sh )
-cp ../ns3/secure.example.keyset .
+cp ../ns3/keyset-secure.example. .
-$KEYSIGNER -r $RANDFILE secure.example.keyset $keyname
+$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname
# This will leave two copies of the child's zone key in the signed db file;
# that shouldn't cause any problems.
-cat secure.example.signedkey >>../ns3/secure.example.db.signed
+cat signedkey-secure.example. >>../ns3/secure.example.db.signed
-cp ../ns3/bogus.example.keyset .
+cp ../ns3/keyset-bogus.example. .
-$KEYSIGNER -r $RANDFILE bogus.example.keyset $keyname
+$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname
# This will leave two copies of the child's zone key in the signed db file;
# that shouldn't cause any problems.
-cat bogus.example.signedkey >>../ns3/bogus.example.db.signed
+cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-makekeyset.8,v 1.5 2000/07/27 09:42:33 tale Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.6 2000/07/31 15:28:19 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
If
.Nm dnssec-makekeyset
is successful, it creates a file name of the form
-.Ar nnnn.keyset .
+.Ar keyset-nnnn. .
This file contains the KEY and SIG records for domain
.Dv nnnn ,
the domain name part from the key file identifier produced when
.Nm dnssec-keygen
created the domain's public and private keys.
The
-.Ar .keyset
+.Ar keyset
file can then be transferred to the DNS administrator of the parent
zone for them to sign the contents with
.Xr dnssec-signkey 8 .
.Pp
.Nm dnssec-makekeyset
will create a file called
-.Pa example.com.keyset
+.Pa keyset-example.com.
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 86400 seconds (1 day).
The DNS administrator for
.Dv example.com
could then send
-.Pa example.com.keyset
+.Pa keyset-example.com.
to the DNS administrator for
.Dv .com
so that they could sign the resource records in the file.
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signkey.8,v 1.6 2000/07/27 09:42:34 tale Exp $
+.\" $Id: dnssec-signkey.8,v 1.7 2000/07/31 15:28:20 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
-.Ar .keyset
+.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
zone.
.Ar keyset
will be the pathname of the child zone's
-.Ar .keyset
+.Ar keyset
file.
Each
.Ar keyfile
When
.Nm dnssec-signkey
completes successfully, it generates a file called
-.Ar nnnn.signedkey
+.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
zone would use the following command to make
.Nm dnssec-signkey
sign the
-.Ar .keyset
+.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
-.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
+.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
.Pp
.Nm dnssec-signkey
will produce a file called
-.Dv example.com.signedkey
+.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.8 2000/07/27 09:42:35 tale Exp $
+.\" $Id: dnssec-signzone.8,v 1.9 2000/07/31 15:28:21 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
.Nm dnssec-signzone
is used to sign a zone.
Any
-.Ar .signedkey
+.Ar signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
argument would be an identification string for a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
-.Ar .signedkey
+.Ar signedkey
files for those subzones need to be available in the
current working directory used by
.Nm dnssec-signzone .
which is the same as the origin, so there is no need to use the
.Fl o
option to set the origin.
-This zone file contains the keyset for
-.Dv example.com
-that was created by
-.Xr dnssec-makekeyset 8 .
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
If there was a
-.Ar .signedkey
+.Ar signedkey
file from the parent zone - i.e.
-.Dv example.com.signedkey
+.Dv signedkey-example.com.
- it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
-.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 .