deprecate "trusted-keys"
authorEvan Hunt <each@isc.org>
Wed, 15 Aug 2018 23:59:45 +0000 (16:59 -0700)
committerEvan Hunt <each@isc.org>
Wed, 5 Jun 2019 14:49:23 +0000 (07:49 -0700)
- trusted-keys is now flagged as deprecated, but still works
- managed-keys can be used to configure permanent trust anchors by
  using the "static-key" keyword in place of "initial-key"
- parser now uses an enum for static-key and initial-key keywords

bin/named/server.c
bin/tests/system/checkconf/check-root-ksk-2017.conf
bin/tests/system/checkconf/check-root-ksk-both.conf
bin/tests/system/checkconf/tests.sh
bin/tests/system/dnssec/tests.sh
bin/tests/system/mkeys/tests.sh
lib/bind9/check.c
lib/dns/keytable.c
lib/isccfg/namedconf.c

index a0357dcffdee2d4007c44ec1ec9c7da8b19780ed..6a4fd535d583ea9e49a5ecd72cc3d7b1117d5598 100644 (file)
@@ -700,11 +700,9 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 }
 
 static isc_result_t
-dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
-                 bool managed, dst_key_t **target, const char **keynamestrp,
-                 isc_mem_t *mctx)
+dstkey_fromconfig(const cfg_obj_t *key, bool *initialp, dst_key_t **target,
+                 const char **keynamestrp, isc_mem_t *mctx)
 {
-       dns_rdataclass_t viewclass;
        dns_rdata_dnskey_t keystruct;
        uint32_t flags, proto, alg;
        const char *keystr, *keynamestr;
@@ -729,13 +727,15 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
        keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
        *keynamestrp = keynamestr;
 
-       if (managed) {
+       if (*initialp) {
                const char *initmethod;
                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
 
-               if (strcasecmp(initmethod, "initial-key") != 0) {
+               if (strcasecmp(initmethod, "static-key") == 0) {
+                       *initialp = false;
+               } else if (strcasecmp(initmethod, "initial-key") != 0) {
                        cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
-                                   "managed key '%s': "
+                                   "key '%s': "
                                    "invalid initialization method '%s'",
                                    keynamestr, initmethod);
                        result = ISC_R_FAILURE;
@@ -743,15 +743,12 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
                }
        }
 
-       if (vconfig == NULL)
-               viewclass = dns_rdataclass_in;
-       else {
-               const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
-               CHECK(named_config_getclass(classobj, dns_rdataclass_in,
-                                        &viewclass));
-       }
-       keystruct.common.rdclass = viewclass;
+       /*
+        * This function should never be reached for non-IN classes.
+        */
+       keystruct.common.rdclass = dns_rdataclass_in;
        keystruct.common.rdtype = dns_rdatatype_dnskey;
+
        /*
         * The key data in keystruct is not dynamically allocated.
         */
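Review bot: The new comment asserts that this function is never reached for non-IN classes, but nothing in the commit enforces that: the view-level calls `CHECK(load_view_keys(view_keys, view, false, NULL, mctx));` and `CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx));` in the last configure_view_dnsseckeys hunk are not gated on `view->rdclass == dns_rdataclass_in` the way the global_keys calls are, so a trusted-keys or managed-keys statement inside a CH or HS view still reaches here and, unless lib/bind9/check.c rejects such configurations (its hunk in this commit does not show that), is now built as a class-IN key where it previously took the view's class. Either gate those two calls on the view class as the global ones are, or reject trust anchors in non-IN views in check.c, and state in the comment which of the two guarantees the invariant. dstkey_fromconfig begins and ends outside this hunk.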
@@ -782,10 +779,12 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 
        if ((keystruct.algorithm == DST_ALG_RSASHA1) &&
            r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+       {
                cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
-                           "%s key '%s' has a weak exponent",
-                           managed ? "managed" : "trusted",
+                           "%s '%s' has a weak exponent",
+                           *initialp ? "initial-key" : "static-key",
                            keynamestr);
+       }
 
        CHECK(dns_rdata_fromstruct(NULL,
                                   keystruct.common.rdclass,
@@ -795,7 +794,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
        isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
        isc_buffer_add(&namebuf, strlen(keynamestr));
        CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
-       CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
+       CHECK(dst_key_fromdns(keyname, dns_rdataclass_in, &rrdatabuf,
                              mctx, &dstkey));
 
        *target = dstkey;
@@ -821,18 +820,19 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
  * the memory context to use for allocating memory.
  */
 static isc_result_t
-process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
-           dns_keytable_t *secroots, const dns_name_t *keyname_match,
-           dns_resolver_t *resolver, bool managed, isc_mem_t *mctx)
+process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
+           const dns_name_t *keyname_match, dns_resolver_t *resolver,
+           bool managed, isc_mem_t *mctx)
 {
        const dns_name_t *keyname = NULL;
        const char *keynamestr = NULL;
        dst_key_t *dstkey = NULL;
        unsigned int keyalg;
        isc_result_t result;
+       bool initializing = managed;
 
-       result = dstkey_fromconfig(vconfig, key, managed, &dstkey, &keynamestr,
-                                  mctx);
+       result = dstkey_fromconfig(key, &initializing,
+                                  &dstkey, &keynamestr, mctx);
 
        switch (result) {
        case ISC_R_SUCCESS:
@@ -851,8 +851,8 @@ process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
                 * but do not prevent any further ones from being processed.
                 */
                cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
-                           "ignoring %s key for '%s': %s",
-                           managed ? "managed" : "trusted",
+                           "ignoring %s for '%s': %s",
+                           initializing ? "initial-key" : "static-key",
                            keynamestr, isc_result_totext(result));
                return (ISC_R_SUCCESS);
        case DST_R_NOCRYPTO:
@@ -860,8 +860,8 @@ process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
                 * Crypto support is not available.
                 */
                cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
-                           "ignoring %s key for '%s': no crypto support",
-                           managed ? "managed" : "trusted",
+                           "ignoring %s for '%s': no crypto support",
+                           initializing ? "initial-key" : "static-key",
                            keynamestr);
                return (result);
        default:
@@ -871,8 +871,8 @@ process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
                 * is interrupted.
                 */
                cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
-                           "configuring %s key for '%s': %s",
-                           managed ? "managed" : "trusted",
+                           "configuring %s for '%s': %s",
+                           initializing ? "initial-key" : "static-key",
                            keynamestr, isc_result_totext(result));
                return (ISC_R_FAILURE);
        }
@@ -893,17 +893,21 @@ process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
         */
        if (!dns_resolver_algorithm_supported(resolver, keyname, keyalg)) {
                cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
-                           "ignoring %s key for '%s': algorithm is disabled",
-                           managed ? "managed" : "trusted", keynamestr);
+                           "ignoring %s for '%s': algorithm is disabled",
+                           initializing ? "initial-key" : "static-key",
+                           keynamestr);
                goto done;
        }
 
        /*
-        * Add the key to 'secroots'.  This key is taken from the
-        * configuration, so if it's a managed key then it's an initializing
-        * key; that's why 'managed' is duplicated below.
+        * Add the key to 'secroots'.  Keys from a "dnssec-keys" or
+        * "managed-keys" * statement may be either static or initializing
+        * keys. If it's not initializing, we don't want to treat it as
+        * managed, so we use 'initializing' twice here, for both the
+        * 'managed' and 'initializing' arguments to dns_keytable_add().
         */
-       result = dns_keytable_add(secroots, managed, managed, &dstkey);
+       result = dns_keytable_add(secroots, initializing,
+                                 initializing, &dstkey);
 
  done:
        /*
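Review bot: The rewritten comment above the dns_keytable_add() call has a stray `*` in `"managed-keys" * statement`, and it refers to a `"dnssec-keys"` statement that does not appear among the clauses this commit's lib/isccfg/namedconf.c hunk defines (it may exist outside the hunk; if not, drop the reference). Suggested text: `Keys from a "managed-keys" statement may be either static or initializing keys; a static key must not be treated as managed, so 'initializing' is passed for both the 'managed' and 'initial' arguments of dns_keytable_add().` process_key continues outside this hunk.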
@@ -924,8 +928,7 @@ process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
  * an initializing key.
  */
 static isc_result_t
-load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
-              dns_view_t *view, bool managed,
+load_view_keys(const cfg_obj_t *keys, dns_view_t *view, bool managed,
               const dns_name_t *keyname, isc_mem_t *mctx)
 {
        const cfg_listelt_t *elt, *elt2;
@@ -945,7 +948,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
                     elt2 != NULL;
                     elt2 = cfg_list_next(elt2))
                {
-                       CHECK(process_key(cfg_listelt_value(elt2), vconfig,
+                       CHECK(process_key(cfg_listelt_value(elt2),
                                          secroots, keyname, view->resolver,
                                          managed, mctx));
                }
@@ -1055,7 +1058,6 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
        if (auto_root && view->rdclass == dns_rdataclass_in) {
                const cfg_obj_t *builtin_keys = NULL;
-               const cfg_obj_t *builtin_managed_keys = NULL;
 
                /*
                 * If bind.keys exists and is populated, it overrides
@@ -1068,13 +1070,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                                      "from '%s'",
                                      view->name, named_g_server->bindkeysfile);
 
-                       (void)cfg_map_get(bindkeys, "trusted-keys",
-                                         &builtin_keys);
                        (void)cfg_map_get(bindkeys, "managed-keys",
-                                         &builtin_managed_keys);
+                                         &builtin_keys);
 
-                       if ((builtin_keys == NULL) &&
-                           (builtin_managed_keys == NULL))
+                       if (builtin_keys == NULL) {
                                isc_log_write(named_g_lctx,
                                              DNS_LOGCATEGORY_SECURITY,
                                              NAMED_LOGMODULE_SERVER,
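Review bot: Dropping the `trusted-keys` lookup on bindkeys means a bind.keys file that still uses the `trusted-keys { ... }` form (the form the two checkconf test files are converted away from in this same commit) now leaves `builtin_keys` NULL, logs the generic "root zone key not found" warning, and falls through to the compiled-in root key from named_g_config, so an operator who pinned a specific root trust anchor in bind.keys ends up validating with a different anchor than configured, with a warning that blames the file for lacking a key it actually contains. That does not match the commit message's statement that trusted-keys "still works". Since bindkeys is already parsed at this point, the situation is cheap to report: `(void)cfg_map_get(bindkeys, "trusted-keys", &legacy_keys);` and, `if (legacy_keys != NULL)`, log at ISC_LOG_WARNING that trusted-keys in the bind.keys file is ignored and must be converted to `managed-keys` with `static-key`. configure_view_dnsseckeys continues outside this hunk, and the `keyloaded` check in the following hunk only catches the case where nothing at all was loaded.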
@@ -1082,29 +1081,23 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                                              "dnssec-validation auto: "
                                              "WARNING: root zone key "
                                              "not found");
+                       }
                }
 
-               if ((builtin_keys == NULL) &&
-                   (builtin_managed_keys == NULL))
-               {
+               if (builtin_keys == NULL) {
                        isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
                                      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
                                      "using built-in root key for view %s",
                                      view->name);
 
-                       (void)cfg_map_get(named_g_config, "trusted-keys",
-                                         &builtin_keys);
                        (void)cfg_map_get(named_g_config, "managed-keys",
-                                         &builtin_managed_keys);
+                                         &builtin_keys);
                }
 
-               if (builtin_keys != NULL)
-                       CHECK(load_view_keys(builtin_keys, vconfig, view,
-                                            false, dns_rootname, mctx));
-               if (builtin_managed_keys != NULL)
-                       CHECK(load_view_keys(builtin_managed_keys, vconfig,
-                                            view, true, dns_rootname,
-                                            mctx));
+               if (builtin_keys != NULL) {
+                       CHECK(load_view_keys(builtin_keys, view, true,
+                                            dns_rootname, mctx));
+               }
 
                if (!keyloaded(view, dns_rootname)) {
                        isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1115,16 +1108,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                }
        }
 
-       CHECK(load_view_keys(view_keys, vconfig, view, false,
-                            NULL, mctx));
-       CHECK(load_view_keys(view_managed_keys, vconfig, view, true,
-                            NULL, mctx));
+       CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
+       CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx));
 
        if (view->rdclass == dns_rdataclass_in) {
-               CHECK(load_view_keys(global_keys, vconfig, view, false,
+               CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
+               CHECK(load_view_keys(global_managed_keys, view, true,
                                     NULL, mctx));
-               CHECK(load_view_keys(global_managed_keys, vconfig, view,
-                                    true, NULL, mctx));
        }
 
        /*
index ebefd9c97787c060a8ad49b9c15f26e79eb62088..cbadc895672faaae61ce2b2dedbf8add4f08513d 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-trusted-keys {
+managed-keys {
        # This key (20326) was published in the root zone in 2017.
        # Servers which were already using the old key (19036) should
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
@@ -17,7 +17,7 @@ trusted-keys {
        # file as initializing keys; thereafter, the keys in the
        # managed key database will be trusted and maintained
        # automatically.
-       . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+       . static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
index aebf7f5b870447824c859ea52c5920de018afec9..6572e9e7aa0349897a214a79eea926a8aa223f38 100644 (file)
@@ -9,12 +9,12 @@
  * information regarding copyright ownership.
  */
 
-trusted-keys {
+managed-keys {
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
-       . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+       . static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
@@ -29,7 +29,7 @@ trusted-keys {
        # file as initializing keys; thereafter, the keys in the
        # managed key database will be trusted and maintained
        # automatically.
-       . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+       . static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
index 9bb9c05f85d926f5bab379b78671bdb4057089f3..285746ae6825264ed13bd9f443618f6af978d0b0 100644 (file)
@@ -371,7 +371,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
+echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' does not generate a warning ($n)"
 ret=0
 $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
 [ -s checkconf.out$n ] && ret=1
@@ -395,7 +395,7 @@ $CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
-echo_i "check that the 2017 ICANN ROOT KSK alone does not warning ($n)"
+echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
 ret=0
 $CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
 [ -s checkconf.out$n ] && ret=1
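Review bot: The reworded 2017-KSK check still runs under the same test number and output file as the preceding check-root-ksk-both check, because no n=`expr $n + 1` increment precedes its `echo_i`, unlike the dnssec-lookaside check in the previous hunk; both checks therefore report the same `($n)` and the second overwrites the first's checkconf.out$n, which hides which one actually failed. Add the n=`expr $n + 1` line before `echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"`. The surrounding test sequence continues outside the hunk.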
index a914f5f501d785300fe1c1d8a6108d9de01b6582..c1a0c40c7009a04e10d09082dbe16b4364f4efb1 100644 (file)
@@ -1774,7 +1774,7 @@ ret=0
 rndccmd 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
 keyid=$(cat ns1/managed.key.id)
 cp ns4/named.secroots named.secroots.test$n
-linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; trusted" named.secroots.test$n || true)
+linecount=$(grep -c "./${DEFAULT_ALGORITHM}/$keyid ; static" named.secroots.test$n || true)
 [ "$linecount" -eq 1 ] || ret=1
 linecount=$(< named.secroots.test$n wc -l)
 [ "$linecount" -eq 10 ] || ret=1
@@ -3759,12 +3759,12 @@ status=$((status+ret))
 # lines in the logfile.
 echo_i "checking that keys with unsupported algorithms and disabled algorithms are ignored ($n)"
 ret=0
-grep -q "ignoring trusted key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
-grep -q "ignoring trusted key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
-grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
-grep -q "ignoring managed key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
-grep -q "ignoring managed key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
-grep -q "ignoring trusted key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'disabled\.trusted\.': algorithm is disabled" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'unsupported\.trusted\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring static-key for 'revoked\.trusted\.': bad key type" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'disabled\.managed\.': algorithm is disabled" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'unsupported\.managed\.': algorithm is unsupported" ns8/named.run || ret=1
+grep -q "ignoring initial-key for 'revoked\.managed\.': bad key type" ns8/named.run || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
index cfee9c89ff16c2c71a58ef63056d7cc4e61ad881..22409c2d1d74d30754fd4ed466a46a44963c1831 100644 (file)
@@ -763,7 +763,7 @@ rm -f ns6/managed-keys.bind*
 nextpart ns6/named.run > /dev/null
 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
 # log when an unsupported algorithm is encountered during startup
-wait_for_log "ignoring managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
+wait_for_log "ignoring initial-key for 'unsupported\.': algorithm is unsupported" ns6/named.run
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
index 45d179bbc1e341e9898935dcc7a53cf5b9597f5d..4f40b493109f184917e5535e1590bddea9799b1f 100644 (file)
@@ -3109,7 +3109,9 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
                const char *initmethod;
                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
 
-               if (strcasecmp(initmethod, "initial-key") != 0) {
+               if (strcasecmp(initmethod, "static-key") == 0) {
+                       managed = false;
+               } else if (strcasecmp(initmethod, "initial-key") != 0) {
                        cfg_obj_log(key, logctx, ISC_LOG_ERROR,
                                    "managed key '%s': "
                                    "invalid initialization method '%s'",
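Review bot: The error message on the context line after the new branch still reads `managed key '%s': invalid initialization method`, and the weak-exponent label in the next hunk becomes `initializing`/`static`, while the same two messages in bin/named/server.c's dstkey_fromconfig become `key '%s': ...` and `initial-key`/`static-key` in this commit; named-checkconf and named now describe the same entry in different words, which makes checkconf output harder to correlate with the server log. Use the server.c wording here as well. Note also that `managed = false;` rewrites the by-value parameter; whether code later in check_trusted_key, which continues past this hunk, still relies on the original value cannot be seen here.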
@@ -3134,7 +3136,7 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
                    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
                        cfg_obj_log(key, logctx, ISC_LOG_WARNING,
                                    "%s key '%s' has a weak exponent",
-                                   managed ? "managed" : "trusted",
+                                   managed ? "initializing" : "static",
                                    keynamestr);
        }
 
index f877659819c0f6a16fe94570be74f62cfcc672c9..9a72d8f94ec94fb999b6afe339f5ca66c69628d5 100644 (file)
@@ -685,7 +685,7 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) {
                        dst_key_format(knode->key, pbuf, sizeof(pbuf));
                        snprintf(obuf, sizeof(obuf), "%s ; %s%s\n", pbuf,
                                 knode->initial ? "initializing " : "",
-                                knode->managed ? "managed" : "trusted");
+                                knode->managed ? "managed" : "static");
                        result = putstr(text, obuf);
                        if (result != ISC_R_SUCCESS)
                                break;
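Review bot: Changing the trailer of each `rndc secroots` line from `trusted` to `static` alters output that external tooling may match on, as the dnssec system test in this commit already has to (`grep -c "... ; static"`); the format is not versioned, so operator monitoring scripts that grep for `; trusted` stop matching without any error. If this output is meant to be stable, a release-note entry describing the `managed` / `initializing managed` / `static` vocabulary would help; otherwise a comment above the snprintf stating that the trailer is informational and may change would make the intent clear. dns_keytable_totext continues outside the hunk.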
index 1d2aa9afd75a288e90e7cc74e45d27233ed27bf4..0c728141f0f902cadd97bd354171986dbe64deff 100644 (file)
@@ -449,9 +449,15 @@ static cfg_type_t cfg_type_dnsseckey = {
  * A managed key initialization specifier, as used in the
  * "managed-keys" statement.
  */
+static const char *init_enums[] = { "static-key", "initial-key", NULL };
+static cfg_type_t cfg_type_keyinit = {
+       "keyinit", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+       &cfg_rep_string, &init_enums
+};
+
 static cfg_tuplefielddef_t managedkey_fields[] = {
        { "name", &cfg_type_astring, 0 },
-       { "init", &cfg_type_ustring, 0 },   /* must be literal "initial-key" */
+       { "init", &cfg_type_keyinit, 0 },
        { "flags", &cfg_type_uint32, 0 },
        { "protocol", &cfg_type_uint32, 0 },
        { "algorithm", &cfg_type_uint32, 0 },
@@ -618,20 +624,18 @@ static cfg_type_t cfg_type_keylist = {
        cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
 };
 
-/*% A list of dnssec keys, as in "trusted-keys" */
+/*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
 static cfg_type_t cfg_type_dnsseckeys = {
        "dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
        cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
 };
 
 /*%
- * A list of managed key entries, as in "trusted-keys".  Currently
- * (9.7.0) this has a format similar to dnssec keys, except the keyname
- * is followed by the keyword "initial-key".  In future releases, this
- * keyword may take other values indicating different methods for the
- * key to be initialized.
+ * A list of key entries, as in "trusted-keys".  This has a format similar
+ * to dnssec keys, except the keyname is followed by keyword, either
+ * "initial-key" or "static-key". If "initial-key", then the key is
+ * RFC 5011 managed; if "static-key", then the key never changes.
  */
-
 static cfg_type_t cfg_type_managedkeys = {
        "managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
        cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
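Review bot: The rewritten comment on cfg_type_managedkeys still says `as in "trusted-keys"`, but this type is what the `managed-keys` clause uses (see the clause table in the next hunk); the trusted-keys type is cfg_type_dnsseckeys just above. Also `followed by keyword` reads better as `followed by a keyword`. Suggested opening: `A list of key entries, as in "managed-keys".  This has a format similar to dnssec keys, except the keyname is followed by a keyword, either "initial-key" or "static-key".`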
@@ -985,7 +989,8 @@ namedconf_or_view_clauses[] = {
        { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
        { "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
        { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
-       { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+       { "trusted-keys", &cfg_type_dnsseckeys,
+         CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
        { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
        { NULL, NULL, 0 }
 };
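Review bot: Marking `trusted-keys` deprecated in namedconf_or_view_clauses covers named.conf, but the bind.keys grammar (its clause table is outside this hunk) is not touched by the commit; if it still lists `trusted-keys` without CFG_CLAUSEFLAG_DEPRECATED, a bind.keys file using that statement parses without any warning even though the server.c hunk in this commit stops reading it for the automatic root trust anchor. Consider applying the same flag there, or at least verifying that the bind.keys parse path emits the deprecation warning.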