+4360. [bug] Silence spurious 'bad key type' message when there is
+ a existing TSIG key. [RT #42195]
+
4359. [bug] Inherited 'also-notify' lists were not being checked
by named-checkconf. [RT #42174]
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
+#include <isc/file.h>
#include <isc/heap.h>
#include <isc/list.h>
#include <isc/mem.h>
isc_uint16_t id, oldid;
isc_uint32_t rid, roldid;
dns_secalg_t alg;
+ char filename[ISC_DIR_NAMEMAX];
+ isc_buffer_t fileb;
if (exact != NULL)
*exact = ISC_FALSE;
rid = dst_key_rid(dstkey);
alg = dst_key_alg(dstkey);
+ /*
+ * For HMAC and Diffie Hellman just check if there is a
+ * direct collision as they can't be revoked. Additionally
+ * dns_dnssec_findmatchingkeys only handles DNSKEY which is
+ * not used for HMAC.
+ */
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ case DST_ALG_HMACSHA1:
+ case DST_ALG_HMACSHA224:
+ case DST_ALG_HMACSHA256:
+ case DST_ALG_HMACSHA384:
+ case DST_ALG_HMACSHA512:
+ case DST_ALG_DH:
+ isc_buffer_init(&fileb, filename, sizeof(filename));
+ result = dst_key_buildfilename(dstkey, DST_TYPE_PRIVATE,
+ dir, &fileb);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ return (isc_file_exists(filename));
+ }
+
ISC_LIST_INIT(matchkeys);
result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND)
rm -f */named.memstats
rm -f */named.run
rm -f ns*/named.lock
+rm -f Kexample.net.+163+*
+rm -f keygen.out?
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+sh clean.sh
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
-exit $status
+echo "I:check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
+ret=0
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
+grep dns_dnssec_findmatchingkeys keygen.out1 > /dev/null && ret=1
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
+grep dns_dnssec_findmatchingkeys keygen.out2 > /dev/null && ret=1
+if [ $ret -eq 1 ] ; then
+ echo "I: failed"; status=1
+fi
+exit $status
isc_stdtime_t now, isc_mem_t *mctx,
dns_dnsseckeylist_t *keylist)
{
+ const char *digits = "0123456789";
isc_result_t result = ISC_R_SUCCESS;
isc_boolean_t dir_open = ISC_FALSE;
dns_dnsseckeylist_t list;
dst_key_t *dstkey = NULL;
char namebuf[DNS_NAME_FORMATSIZE];
isc_buffer_t b;
- unsigned int len, i;
+ unsigned int len, i, alg;
REQUIRE(keylist != NULL);
ISC_LIST_INIT(list);
strncasecmp(dir.entry.name + 1, namebuf, len) != 0)
continue;
- for (i = len + 1 + 1; i < dir.entry.length ; i++)
+ alg = 0;
+ for (i = len + 1 + 1; i < dir.entry.length ; i++) {
if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
break;
+ alg *= 10;
+ alg += strchr(digits, dir.entry.name[i]) - digits;
+ }
- if (i == len + 1 + 1 || i >= dir.entry.length ||
+ /*
+ * Did we not read exactly 3 digits?
+ * Did we overflow?
+ * Did we correctly terminate?
+ */
+ if (i != len + 1 + 1 + 3 || i >= dir.entry.length ||
dir.entry.name[i] != '+')
continue;
if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
break;
- if (strcmp(dir.entry.name + i, ".private") != 0)
+ /*
+ * Did we not read exactly 5 more digits?
+ * Did we overflow?
+ * Did we correctly terminate?
+ */
+ if (i != len + 1 + 1 + 3 + 1 + 5 || i >= dir.entry.length ||
+ strcmp(dir.entry.name + i, ".private") != 0)
continue;
dstkey = NULL;
DST_TYPE_PRIVATE,
mctx, &dstkey);
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ case DST_ALG_HMACSHA1:
+ case DST_ALG_HMACSHA224:
+ case DST_ALG_HMACSHA256:
+ case DST_ALG_HMACSHA384:
+ case DST_ALG_HMACSHA512:
+ if (result == DST_R_BADKEYTYPE)
+ continue;
+ }
+
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx,
DNS_LOGCATEGORY_GENERAL,