]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
3629. [func] Allow the printing of cryptographic fields in DNSSEC
authorMark Andrews <marka@isc.org>
Mon, 12 Aug 2013 05:37:51 +0000 (15:37 +1000)
committerMark Andrews <marka@isc.org>
Mon, 12 Aug 2013 05:37:51 +0000 (15:37 +1000)
                        records by dig to be suppressed (dig +nocrypto).
                        [RT #34534]

CHANGES
bin/dig/dig.c
bin/dig/dig.docbook
bin/tests/system/dnssec/tests.sh
lib/dns/include/dns/masterdump.h
lib/dns/rdata/generic/dlv_32769.c
lib/dns/rdata/generic/dnskey_48.c
lib/dns/rdata/generic/ds_43.c
lib/dns/rdata/generic/rrsig_46.c

diff --git a/CHANGES b/CHANGES
index 809748baa77d93b4a85b3701fb09695c8165eb77..249f09e65406c8854d27c17c019b081372ad9796 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3629.  [func]          Allow the printing of cryptographic fields in DNSSEC
+                       records by dig to be suppressed (dig +nocrypto).
+                       [RT #34534]
+
 3628.  [func]          Report DNSKEY key id's when dumping the cache.
                        [RT #34533]
 
index 6ed7d9bc7616c23e4faa5215f89f41b9b753c853..2b84161ebdf864dddd5a48e5d38abd0b03976c89 100644 (file)
@@ -67,7 +67,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
 static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
        ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
        multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
-       onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE;
+       onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE,
+       nocrypto = ISC_FALSE;
 static isc_uint32_t splitwidth = 0xffffffff;
 
 /*% opcode text */
@@ -205,6 +206,8 @@ help(void) {
 "                 +[no]comments       (Control display of comment lines)\n"
 "                 +[no]rrcomments     (Control display of per-record "
                                       "comments)\n"
+"                 +[no]crypto         (Control display of cryptographic "
+                                      "fields in records)\n"
 "                 +[no]question       (Control display of question)\n"
 "                 +[no]answer         (Control display of answer)\n"
 "                 +[no]authority      (Control display of authority)\n"
@@ -321,6 +324,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
        isc_uint64_t diff;
        isc_time_t now;
        char store[sizeof("12345678901234567890")];
+       unsigned int styleflags = 0;
 
        if (query->lookup->trace || query->lookup->ns_search_only) {
                result = dns_rdatatype_totext(rdata->type, buf);
@@ -328,7 +332,10 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
                        return (result);
                ADD_STRING(buf, " ");
        }
-       result = dns_rdata_totext(rdata, NULL, buf);
+
+       if (nocrypto)
+               styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+       result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0, 60, " ", buf);
        if (result == ISC_R_NOSPACE)
                return (result);
        check_result(result, "dns_rdata_totext");
@@ -416,6 +423,8 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
                styleflags |= DNS_STYLEFLAG_NO_CLASS;
        if (rrcomments)
                styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+       if (nocrypto)
+               styleflags |= DNS_STYLEFLAG_NOCRYPTO;
        if (multiline) {
                styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
                styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
@@ -471,6 +480,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
                styleflags |= DNS_STYLEFLAG_NO_TTL;
        if (noclass)
                styleflags |= DNS_STYLEFLAG_NO_CLASS;
+       if (nocrypto)
+               styleflags |= DNS_STYLEFLAG_NOCRYPTO;
        if (multiline) {
                styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
                styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
@@ -863,6 +874,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
                        if (lookup == default_lookup)
                                pluscomm = state;
                        break;
+               case 'r':
+                       FULLCHECK("crypto");
+                       nocrypto = ISC_TF(!state);
+                       break;
                default:
                        goto invalid_option;
                }
index 028f0fcd7324aba656e156a5c3cf5f89ae848880..77f869476769560fc37d51d74ca92278e75eb966 100644 (file)
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term><option>+[no]crypto</option></term>
+          <listitem>
+            <para>
+             Toggle the display of cryptographic fields in DNSSEC records.
+             The contents of these field are unnecessary to debug most DNSSEC
+             validation failures and removing them makes it easier to see
+             the common failures.  The default is to display the fields.
+             When omitted they are replaced by the string "[omitted]" or
+             in the DNSKEY case the key id is displayed as the replacement,
+             e.g. "[ key id = value ]".
+            </para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term><option>+split=W</option></term>
           <listitem>
index 1e92dd20a40ac89369077db969b25589af91700a..40c46967594a8edf914af1ea2c4b222ccbb74e42 100644 (file)
@@ -2282,5 +2282,18 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check dig's +nocrypto flag ($n)"
+ret=0
+$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
+       @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec +nocrypto DS example \
+       @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
index 8631248cc2eee9ec38fd40232a5f366082a9fba4..c229b983aca68152a36c55a2455a98094d441824 100644 (file)
@@ -100,6 +100,9 @@ typedef struct dns_master_style dns_master_style_t;
 /*% Report re-signing time. */
 #define        DNS_STYLEFLAG_RESIGN            0x04000000U
 
+/*% Don't printout the cryptographic parts of DNSSEC records. */
+#define        DNS_STYLEFLAG_NOCRYPTO          0x08000000U
+
 ISC_LANG_BEGINDECLS
 
 /***
index ae7e7d7832913fd62f230d0dc4828224d392936d..08d0ed4cf1a9134ea2e333d0532f478c77b1ac71 100644 (file)
@@ -136,11 +136,14 @@ totext_dlv(ARGS_TOTEXT) {
        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
                RETERR(str_totext(" (", target));
        RETERR(str_totext(tctx->linebreak, target));
-       if (tctx->width == 0) /* No splitting */
-               RETERR(isc_hex_totext(&sr, 0, "", target));
-       else
-               RETERR(isc_hex_totext(&sr, tctx->width - 2,
-                                     tctx->linebreak, target));
+       if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+               if (tctx->width == 0) /* No splitting */
+                       RETERR(isc_hex_totext(&sr, 0, "", target));
+               else
+                       RETERR(isc_hex_totext(&sr, tctx->width - 2,
+                                             tctx->linebreak, target));
+       } else
+               RETERR(str_totext("[omitted]", target));
        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
                RETERR(str_totext(" )", target));
        return (ISC_R_SUCCESS);
index 688e7ac5e18f3329cd9a41f2c641eb8dd65d5d1a..42c14b17f4b9cc235547a085d8da3610acab77a9 100644 (file)
@@ -73,11 +73,12 @@ fromtext_dnskey(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_dnskey(ARGS_TOTEXT) {
        isc_region_t sr;
-       char buf[sizeof("64000")];
+       char buf[sizeof("[key id = 64000]")];
        unsigned int flags;
        unsigned char algorithm;
        char algbuf[DNS_NAME_FORMATSIZE];
        const char *keyinfo;
+       isc_region_t tmpr;
 
        REQUIRE(rdata->type == 48);
        REQUIRE(rdata->length != 0);
@@ -129,11 +130,19 @@ totext_dnskey(ARGS_TOTEXT) {
        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
                RETERR(str_totext(" (", target));
        RETERR(str_totext(tctx->linebreak, target));
-       if (tctx->width == 0)   /* No splitting */
-               RETERR(isc_base64_totext(&sr, 0, "", target));
-       else
-               RETERR(isc_base64_totext(&sr, tctx->width - 2,
-                                        tctx->linebreak, target));
+
+       if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+               if (tctx->width == 0)   /* No splitting */
+                       RETERR(isc_base64_totext(&sr, 0, "", target));
+               else
+                       RETERR(isc_base64_totext(&sr, tctx->width - 2,
+                                                tctx->linebreak, target));
+       } else {
+               dns_rdata_toregion(rdata, &tmpr);
+               snprintf(buf, sizeof(buf), "[key id = %u]",
+                        dst_region_computeid(&tmpr, algorithm));
+               RETERR(str_totext(buf, target));
+       }
 
        if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
                RETERR(str_totext(tctx->linebreak, target));
@@ -144,7 +153,6 @@ totext_dnskey(ARGS_TOTEXT) {
                RETERR(str_totext(")", target));
 
        if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
-               isc_region_t tmpr;
 
                RETERR(str_totext(" ; ", target));
                RETERR(str_totext(keyinfo, target));
index bbcadc43f4ec09e6ae26447a0f1e56f8c45448bd..d81a2288b31d0351ed2c55ab6759d749fcddc2cc 100644 (file)
@@ -135,11 +135,14 @@ totext_ds(ARGS_TOTEXT) {
        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
                RETERR(str_totext(" (", target));
        RETERR(str_totext(tctx->linebreak, target));
-       if (tctx->width == 0) /* No splitting */
-               RETERR(isc_hex_totext(&sr, 0, "", target));
-       else
-               RETERR(isc_hex_totext(&sr, tctx->width - 2,
-                                     tctx->linebreak, target));
+       if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+               if (tctx->width == 0) /* No splitting */
+                       RETERR(isc_hex_totext(&sr, 0, "", target));
+               else
+                       RETERR(isc_hex_totext(&sr, tctx->width - 2,
+                                             tctx->linebreak, target));
+       } else 
+               RETERR(str_totext("[omitted]", target));
        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
                RETERR(str_totext(" )", target));
        return (ISC_R_SUCCESS);
index 58a327c02ed79a93719c7c104d3b0e37c5047024..01551e303d38c7e11160c8fdc4bf8447c5bcb83a 100644 (file)
@@ -223,11 +223,15 @@ totext_rrsig(ARGS_TOTEXT) {
         * Sig.
         */
        RETERR(str_totext(tctx->linebreak, target));
-       if (tctx->width == 0)   /* No splitting */
-               RETERR(isc_base64_totext(&sr, 60, "", target));
-       else
-               RETERR(isc_base64_totext(&sr, tctx->width - 2,
-                                        tctx->linebreak, target));
+       if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+               if (tctx->width == 0)   /* No splitting */
+                       RETERR(isc_base64_totext(&sr, 60, "", target));
+               else
+                       RETERR(isc_base64_totext(&sr, tctx->width - 2,
+                                                tctx->linebreak, target));
+       } else
+               RETERR(str_totext("[omitted]", target));
+       
        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
                RETERR(str_totext(" )", target));