records by dig to be suppressed (dig +nocrypto).
[RT #34534]
+3629. [func] Allow the printing of cryptographic fields in DNSSEC
+ records by dig to be suppressed (dig +nocrypto).
+ [RT #34534]
+
3628. [func] Report DNSKEY key id's when dumping the cache.
[RT #34533]
static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
- onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE;
+ onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE,
+ nocrypto = ISC_FALSE;
static isc_uint32_t splitwidth = 0xffffffff;
/*% opcode text */
" +[no]comments (Control display of comment lines)\n"
" +[no]rrcomments (Control display of per-record "
"comments)\n"
+" +[no]crypto (Control display of cryptographic "
+ "fields in records)\n"
" +[no]question (Control display of question)\n"
" +[no]answer (Control display of answer)\n"
" +[no]authority (Control display of authority)\n"
isc_uint64_t diff;
isc_time_t now;
char store[sizeof("12345678901234567890")];
+ unsigned int styleflags = 0;
if (query->lookup->trace || query->lookup->ns_search_only) {
result = dns_rdatatype_totext(rdata->type, buf);
return (result);
ADD_STRING(buf, " ");
}
- result = dns_rdata_totext(rdata, NULL, buf);
+
+ if (nocrypto)
+ styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+ result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0, 60, " ", buf);
if (result == ISC_R_NOSPACE)
return (result);
check_result(result, "dns_rdata_totext");
styleflags |= DNS_STYLEFLAG_NO_CLASS;
if (rrcomments)
styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+ if (nocrypto)
+ styleflags |= DNS_STYLEFLAG_NOCRYPTO;
if (multiline) {
styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
styleflags |= DNS_STYLEFLAG_NO_TTL;
if (noclass)
styleflags |= DNS_STYLEFLAG_NO_CLASS;
+ if (nocrypto)
+ styleflags |= DNS_STYLEFLAG_NOCRYPTO;
if (multiline) {
styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
if (lookup == default_lookup)
pluscomm = state;
break;
+ case 'r':
+ FULLCHECK("crypto");
+ nocrypto = ISC_TF(!state);
+ break;
default:
goto invalid_option;
}
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>+[no]crypto</option></term>
+ <listitem>
+ <para>
+ Toggle the display of cryptographic fields in DNSSEC records.
+ The contents of these field are unnecessary to debug most DNSSEC
+ validation failures and removing them makes it easier to see
+ the common failures. The default is to display the fields.
+ When omitted they are replaced by the string "[omitted]" or
+ in the DNSKEY case the key id is displayed as the replacement,
+ e.g. "[ key id = value ]".
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>+split=W</option></term>
<listitem>
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check dig's +nocrypto flag ($n)"
+ret=0
+$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
+ @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec +nocrypto DS example \
+ @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
/*% Report re-signing time. */
#define DNS_STYLEFLAG_RESIGN 0x04000000U
+/*% Don't printout the cryptographic parts of DNSSEC records. */
+#define DNS_STYLEFLAG_NOCRYPTO 0x08000000U
+
ISC_LANG_BEGINDECLS
/***
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_hex_totext(&sr, 0, "", target));
- else
- RETERR(isc_hex_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_hex_totext(&sr, 0, "", target));
+ else
+ RETERR(isc_hex_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else
+ RETERR(str_totext("[omitted]", target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" )", target));
return (ISC_R_SUCCESS);
static inline isc_result_t
totext_dnskey(ARGS_TOTEXT) {
isc_region_t sr;
- char buf[sizeof("64000")];
+ char buf[sizeof("[key id = 64000]")];
unsigned int flags;
unsigned char algorithm;
char algbuf[DNS_NAME_FORMATSIZE];
const char *keyinfo;
+ isc_region_t tmpr;
REQUIRE(rdata->type == 48);
REQUIRE(rdata->length != 0);
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_base64_totext(&sr, 0, "", target));
- else
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_base64_totext(&sr, 0, "", target));
+ else
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else {
+ dns_rdata_toregion(rdata, &tmpr);
+ snprintf(buf, sizeof(buf), "[key id = %u]",
+ dst_region_computeid(&tmpr, algorithm));
+ RETERR(str_totext(buf, target));
+ }
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
RETERR(str_totext(tctx->linebreak, target));
RETERR(str_totext(")", target));
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
- isc_region_t tmpr;
RETERR(str_totext(" ; ", target));
RETERR(str_totext(keyinfo, target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_hex_totext(&sr, 0, "", target));
- else
- RETERR(isc_hex_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_hex_totext(&sr, 0, "", target));
+ else
+ RETERR(isc_hex_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else
+ RETERR(str_totext("[omitted]", target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" )", target));
return (ISC_R_SUCCESS);
* Sig.
*/
RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_base64_totext(&sr, 60, "", target));
- else
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_base64_totext(&sr, 60, "", target));
+ else
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else
+ RETERR(str_totext("[omitted]", target));
+
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" )", target));