"dnssec-keys" is now a synonym for "managed-keys"
authorEvan Hunt <each@isc.org>
Fri, 5 Oct 2018 19:00:42 +0000 (12:00 -0700)
committerEvan Hunt <each@isc.org>
Wed, 5 Jun 2019 14:49:57 +0000 (07:49 -0700)
- managed-keys is now deprecated as well as trusted-keys, though
  it continues to work as a synonym for dnssec-keys
- references to managed-keys have been updated throughout the code.
- tests have been updated to use dnssec-keys format
- also the trusted-keys entries have been removed from the generated
  bind.keys.h file and are no longer generated by bindkeys.pl.

25 files changed:
bin/delv/delv.c
bin/named/config.c
bin/named/server.c
bin/tests/system/checkconf/bad-duplicate-root-key.conf
bin/tests/system/checkconf/check-dlv-ksk-key.conf
bin/tests/system/checkconf/check-root-ksk-2010.conf
bin/tests/system/checkconf/check-root-ksk-2017.conf
bin/tests/system/checkconf/check-root-ksk-both.conf
bin/tests/system/checkconf/check-root-mixed-key.conf
bin/tests/system/checkconf/check-root-static-key.conf
bin/tests/system/checkconf/good-dup-managed-key.conf
bin/tests/system/checkconf/tests.sh
bin/tests/system/conf.sh.common
bin/tests/system/genzone.sh
bin/tests/system/legacy/ns1/trusted.conf
bin/tests/system/mkeys/README
bin/tests/system/mkeys/ns3/named.conf.in
bin/tests/system/rpz/setup.sh
bind.keys
bind.keys.h
lib/bind9/check.c
lib/irs/dnsconf.c
lib/irs/include/irs/dnsconf.h
lib/isccfg/namedconf.c
util/bindkeys.pl

index 7cab8602eae0b6bbc2c087c2c6af87997eb75960..d07f2bb49fec26c8410c539b7538d5baab99667b 100644 (file)
@@ -133,13 +133,13 @@ static bool use_tcp = false;
 static char *anchorfile = NULL;
 static char *trust_anchor = NULL;
 static char *dlv_anchor = NULL;
-static int trusted_keys = 0;
+static int num_keys = 0;
 
 static dns_fixedname_t afn, dfn;
 static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
 
 /* Default bind.keys contents */
-static char anchortext[] = MANAGED_KEYS;
+static char anchortext[] = DNSSEC_KEYS;
 
 /*
  * Static function prototypes
@@ -642,7 +642,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 
        CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
                                       keyname, &rrdatabuf));
-       trusted_keys++;
+       num_keys++;
 
  cleanup:
        if (result == DST_R_NOCRYPTO)
@@ -693,13 +693,15 @@ static isc_result_t
 setup_dnsseckeys(dns_client_t *client) {
        isc_result_t result;
        cfg_parser_t *parser = NULL;
-       const cfg_obj_t *keys = NULL;
+       const cfg_obj_t *trusted_keys = NULL;
        const cfg_obj_t *managed_keys = NULL;
+       const cfg_obj_t *dnssec_keys = NULL;
        cfg_obj_t *bindkeys = NULL;
        const char *filename = anchorfile;
 
-       if (!root_validation && !dlv_validation)
+       if (!root_validation && !dlv_validation) {
                return (ISC_R_SUCCESS);
+       }
 
        if (filename == NULL) {
 #ifndef WIN32
@@ -714,27 +716,33 @@ setup_dnsseckeys(dns_client_t *client) {
 
        if (trust_anchor == NULL) {
                trust_anchor = isc_mem_strdup(mctx, ".");
-               if (trust_anchor == NULL)
+               if (trust_anchor == NULL) {
                        fatal("out of memory");
+               }
        }
 
-       if (trust_anchor != NULL)
+       if (trust_anchor != NULL) {
                CHECK(convert_name(&afn, &anchor_name, trust_anchor));
-       if (dlv_anchor != NULL)
+       }
+       if (dlv_anchor != NULL) {
                CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
+       }
 
        CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 
        if (access(filename, R_OK) != 0) {
-               if (anchorfile != NULL)
+               if (anchorfile != NULL) {
                        fatal("Unable to read key file '%s'", anchorfile);
+               }
        } else {
                result = cfg_parse_file(parser, filename,
                                        &cfg_type_bindkeys, &bindkeys);
-               if (result != ISC_R_SUCCESS)
-                       if (anchorfile != NULL)
+               if (result != ISC_R_SUCCESS) {
+                       if (anchorfile != NULL) {
                                fatal("Unable to load keys from '%s'",
                                      anchorfile);
+                       }
+               }
        }
 
        if (bindkeys == NULL) {
@@ -744,25 +752,34 @@ setup_dnsseckeys(dns_client_t *client) {
                isc_buffer_add(&b, sizeof(anchortext) - 1);
                result = cfg_parse_buffer(parser, &b, NULL, 0,
                                          &cfg_type_bindkeys, 0, &bindkeys);
-               if (result != ISC_R_SUCCESS)
+               if (result != ISC_R_SUCCESS) {
                        fatal("Unable to parse built-in keys");
+               }
        }
 
        INSIST(bindkeys != NULL);
-       cfg_map_get(bindkeys, "trusted-keys", &keys);
+       cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
        cfg_map_get(bindkeys, "managed-keys", &managed_keys);
+       cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
 
-       if (keys != NULL)
-               CHECK(load_keys(keys, client));
-       if (managed_keys != NULL)
+       if (trusted_keys != NULL) {
+               CHECK(load_keys(trusted_keys, client));
+       }
+       if (managed_keys != NULL) {
                CHECK(load_keys(managed_keys, client));
+       }
+       if (dnssec_keys != NULL) {
+               CHECK(load_keys(dnssec_keys, client));
+       }
        result = ISC_R_SUCCESS;
 
-       if (trusted_keys == 0)
+       if (num_keys == 0) {
                fatal("No trusted keys were loaded");
+       }
 
-       if (dlv_validation)
+       if (dlv_validation) {
                dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
+       }
 
 
  cleanup:
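Review bot: The three clause lookups are loaded in turn without any note that `managed-keys` is now only a deprecated spelling of `dnssec-keys`, whereas the parallel change in bin/named/server.c annotates the same pair of cfg_map_get calls; add `/* "managed-keys" is a deprecated synonym for "dnssec-keys". */` above the managed-keys lookup so the next reader does not take the two lists for distinct key sets. A bind.keys file that carries both spellings will have each of its anchors handed to dns_client_addtrustedkey() twice through load_keys(); whether the client library tolerates or rejects the duplicate is not visible here and is worth confirming, since a rejection would surface as a CHECK failure rather than a clear message. setup_dnsseckeys begins before this hunk.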
@@ -772,9 +789,10 @@ setup_dnsseckeys(dns_client_t *client) {
        if (parser != NULL) {
                cfg_parser_destroy(&parser);
        }
-       if (result != ISC_R_SUCCESS)
+       if (result != ISC_R_SUCCESS) {
                delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
                          isc_result_totext(result));
+       }
        return (result);
 }
 
index add0a46e9813ae43c06853657078317eda577b6b..eac60c2713281adc7a64aba5f65e5d8f7565928a 100644 (file)
@@ -290,10 +290,10 @@ view \"_bind\" chaos {\n\
 # \"dnssec-validation auto;\" is set and\n\
 #  sysconfdir/bind.keys doesn't exist).\n\
 #\n\
-# BEGIN MANAGED KEYS\n"
+# BEGIN DNSSEC KEYS\n"
 
 /* Imported from bind.keys.h: */
-MANAGED_KEYS
+DNSSEC_KEYS
 
 "# END MANAGED KEYS\n\
 \n\
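Review bot: The marker pair around the imported key block is now mismatched: the opening line was renamed to `# BEGIN DNSSEC KEYS\n"` but the closing context line two lines below still reads `"# END MANAGED KEYS\n\`. This string is the built-in configuration that named parses and can print, so anything grepping between the two markers will no longer find a matching end; change the closing line to `"# END DNSSEC KEYS\n\`. The enclosing string literal continues outside the hunk on both sides.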
index 6a4fd535d583ea9e49a5ecd72cc3d7b1117d5598..4f3c471b25bd3fa7f1ff57914d279c3e88e7a6d9 100644 (file)
@@ -901,7 +901,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 
        /*
         * Add the key to 'secroots'.  Keys from a "dnssec-keys" or
-        * "managed-keys" statement may be either static or initializing
+        * "managed-keys" statement may be either static or initializing
         * keys. If it's not initializing, we don't want to treat it as
         * managed, so we use 'initializing' twice here, for both the
         * 'managed' and 'initializing' arguments to dns_keytable_add().
@@ -1002,7 +1002,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
        const cfg_obj_t *view_keys = NULL;
        const cfg_obj_t *global_keys = NULL;
        const cfg_obj_t *view_managed_keys = NULL;
+       const cfg_obj_t *view_dnssec_keys = NULL;
        const cfg_obj_t *global_managed_keys = NULL;
+       const cfg_obj_t *global_dnssec_keys = NULL;
        const cfg_obj_t *maps[4];
        const cfg_obj_t *voptions = NULL;
        const cfg_obj_t *options = NULL;
@@ -1022,15 +1024,24 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                if (voptions != NULL) {
                        (void) cfg_map_get(voptions, "trusted-keys",
                                           &view_keys);
+
+                       /* managed-keys and dnssec-keys are synonyms. */
                        (void) cfg_map_get(voptions, "managed-keys",
                                           &view_managed_keys);
+                       (void) cfg_map_get(voptions, "dnssec-keys",
+                                          &view_dnssec_keys);
+
                        maps[i++] = voptions;
                }
        }
 
        if (config != NULL) {
                (void)cfg_map_get(config, "trusted-keys", &global_keys);
+
+               /* managed-keys and dnssec-keys are synonyms. */
                (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
+               (void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+
                (void)cfg_map_get(config, "options", &options);
                if (options != NULL) {
                        maps[i++] = options;
@@ -1061,7 +1072,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
                /*
                 * If bind.keys exists and is populated, it overrides
-                * the managed-keys clause hard-coded in named_g_config.
+                * the dnssec-keys clause hard-coded in named_g_config.
                 */
                if (bindkeys != NULL) {
                        isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1070,7 +1081,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                                      "from '%s'",
                                      view->name, named_g_server->bindkeysfile);
 
-                       (void)cfg_map_get(bindkeys, "managed-keys",
+                       (void)cfg_map_get(bindkeys, "dnssec-keys",
                                          &builtin_keys);
 
                        if (builtin_keys == NULL) {
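Review bot: Only the `dnssec-keys` clause is looked up in the administrator's bind.keys file here, yet the commit keeps `managed-keys` as an accepted synonym and every bind.keys shipped before this change uses that spelling; such a file parses without error, the lookup yields `builtin_keys == NULL`, and control drops into the NULL branch below (its handling lies outside the hunk), so the operator's trust anchors are quietly not the ones used. Fall back to the old name when the new one is absent: `if (builtin_keys == NULL) { (void)cfg_map_get(bindkeys, "managed-keys", &builtin_keys); }`. The matching lookup on named_g_config in the next hunk does not need this, because that configuration is generated from the renamed bind.keys.h in this same commit. configure_view_dnsseckeys starts and ends outside the hunk.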
@@ -1090,7 +1101,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
                                      "using built-in root key for view %s",
                                      view->name);
 
-                       (void)cfg_map_get(named_g_config, "managed-keys",
+                       (void)cfg_map_get(named_g_config, "dnssec-keys",
                                          &builtin_keys);
                }
 
@@ -1110,11 +1121,14 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
        CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
        CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx));
+       CHECK(load_view_keys(view_dnssec_keys, view, true, NULL, mctx));
 
        if (view->rdclass == dns_rdataclass_in) {
                CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
                CHECK(load_view_keys(global_managed_keys, view, true,
                                     NULL, mctx));
+               CHECK(load_view_keys(global_dnssec_keys, view, true,
+                                    NULL, mctx));
        }
 
        /*
index 1e72ad4a6d262328b9b1da4a7258828fb7f760a0..9517db941e3b38708f4f31bf640403470fb176b6 100644 (file)
@@ -13,7 +13,7 @@ options {
        dnssec-validation yes;
 };
 
-managed-keys {
+dnssec-keys {
        . initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
                25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
                tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
index e08acba3cba113b6accae51b3d6dc681e619e04f..93a0040db0ada29518cc137108a19a853c1962f6 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
        dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
                n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
                +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
index 6f02bd96bac563f8a920c8dbd29409d029a25828..edd2b85804b9fa3f4476d063627303ff2707c6e0 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
index bf9f82fc4744f357579d79c2ee6047d5bfeb34f9..af36330646866223dbff037bead247c1d83c7631 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
        # This key (20326) was published in the root zone in 2017.
        # Servers which were already using the old key (19036) should
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
index cc76a2ee2bcdbb20fbcb2878dfa07f5890d8beaa..755ef942790a210526787a3ee80d6018048d48d7 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
index a9001c1aeda5852d6044aabb67ab85b71a8a4b29..ba3a02a3f0aa02fb9789a681458ca10abe8eb215 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
index cbadc895672faaae61ce2b2dedbf8add4f08513d..e416944fe66d6b749831a1d47e09910cc68f17b0 100644 (file)
@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
        # This key (20326) was published in the root zone in 2017.
        # Servers which were already using the old key (19036) should
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
index 38533fc85f805aa0546533706577d9eb056072de..391b83c2bc4dc26a41f43565978eeb42096d3979 100644 (file)
@@ -13,7 +13,7 @@ options {
        dnssec-validation yes;
 };
 
-managed-keys {
+dnssec-keys {
        example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
                25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
                tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
index c719f43b62bf5a3245fb809b1bac39b2383622d0..0b74c4d1282a5a1836374a5db2941e4363c3bcf7 100644 (file)
@@ -427,7 +427,7 @@ echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
 ret=0
 $CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
 [ -s checkconf.out$n ] || ret=1
-grep "entry for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1
+grep "trust anchor for dlv.isc.org is present" checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
index e15ebb7bd68f6a9b6804f1dc205a486b22b981fd..1eb8db8053548f9a17fbaac8c3e685e3ed5f6220 100644 (file)
@@ -216,7 +216,7 @@ keyfile_to_keys_section() {
     for keyname in $*; do
        awk '!/^; /{
            printf "\t\""$1"\" "
-           printf "'"$key_prefix"'"
+           printf "'"$key_prefix "'"
            printf $4 " " $5 " " $6 " \""
            for (i=7; i<=NF; i++) printf $i
            printf "\";\n"
@@ -226,17 +226,17 @@ keyfile_to_keys_section() {
 }
 
 # keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
-# provided to a *static* "managed-keys" section suitable for including in a
+# provided to a *static* "dnssec-keys" section suitable for including in a
 # resolver's configuration file
 keyfile_to_trusted_keys() {
-    keyfile_to_keys_section "managed-keys" "static-key" $*
+    keyfile_to_keys_section "dnssec-keys" "static-key" $*
 }
 
 # keyfile_to_managed_keys: convert key data contained in the keyfile(s)
-# provided to a "managed-keys" section suitable for including in a
+# provided to a "dnssec-keys" section suitable for including in a
 # resolver's configuration file
 keyfile_to_managed_keys() {
-    keyfile_to_keys_section "managed-keys" "initial-key" $*
+    keyfile_to_keys_section "dnssec-keys" "initial-key" $*
 }
 
 # nextpart*() - functions for reading files incrementally
index cccbab3e8e75b1fc9f756ef69d181f4bd507c6b0..b7e1072ab38e8f708f60ff963baf9f70b13d7d57 100644 (file)
@@ -487,7 +487,7 @@ dlv                 DLV     30795 1 1 (
 
 ; type 65280-65534 (private use)
 
-; keydata (internal type used for managed-keys)
+; keydata (internal type used for managed keys)
 keydata                        TYPE65533       \# 0
 keydata                        TYPE65533       \# 6 010203040506 
 keydata                        TYPE65533       \# 18 010203040506010203040506010203040506
index 1548f17d6d88193da98b3bf66b70372b90ad955d..e1abe9ad4b2ffde0d5b79bf5254058250a43a744 100644 (file)
@@ -1,3 +1,3 @@
-managed-keys {
+dnssec-keys {
     "edns512-notcp." static-key 257 3 10 "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";
 };
index 6a4fd4e19510818f63122b84ac290366477c12ed..7ae3f3c2f5d4ebc190ff56088ee1c8e3c2f617e4 100644 (file)
@@ -2,17 +2,16 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-This is for testing managed-keys, in particular with problems
-with RFC 5011 Automated Updates of DNSSEC Trust Anchors.
+This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors.
 
 ns1 is the root server that offers new KSKs and hosts one record for
 testing. The TTL for the zone's records is 2 seconds.
 
-ns2 is a validator that uses managed-keys.  "-T mkeytimers=2/20/40"
+ns2 is a validator that uses managed keys.  "-T mkeytimers=2/20/40"
 is used so it will attempt do automated updates frequently. "-T tat=1"
 is used so it will send TAT queries once per second.
 
-ns3 is a validator with a broken key in managed-keys.
+ns3 is a validator with a broken initializing key in dnssec-keys.
 
 ns4 is a validator with a deliberately broken managed-keys.bind and
 managed-keys.jnl, causing RFC 5011 initialization to fail.
index 6720b3a63252e86ca80949079141e155e31ad069..914d1eb3de5478c120ea62d14952cb02d96ebd3d 100644 (file)
@@ -41,6 +41,6 @@ zone "." {
 };
 
 # purposely broken key for testing
-managed-keys {
+dnssec-keys {
     "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
 };
index 2d5bb8a40234b2cf2ac48718c32e62d9d93cc8b9..3318e333290e16b6d7feb4a0b632dbe4cdb7eb89 100644 (file)
@@ -81,7 +81,7 @@ signzone () {
     KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
     cat $1/$3 $1/$KEYNAME.key > $1/tmp
     $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
-    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/managed-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
     DSFILENAME=dsset-${2}${TP}
     rm $DSFILENAME $1/tmp
 }
index c176f18a2ca4067f0f0eb9139936b1d55f7c965a..e04e4c0567a85210c4a6d7ebb14834faa3cf537a 100644 (file)
--- a/bind.keys
+++ b/bind.keys
@@ -26,7 +26,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
 # anchor information for the root zone.
 
-managed-keys {
+dnssec-keys {
         # This key (20326) was published in the root zone in 2017.
         . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
index ec2d0e9233c9b34b3130b116306746b54e903157..9fd13febe00448783bdcf40d266e030b843cb634 100644 (file)
@@ -1,6 +1,6 @@
 #ifndef BIND_KEYS_H
 #define BIND_KEYS_H 1
-#define TRUSTED_KEYS "\
+#define DNSSEC_KEYS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
 # which are included as part of BIND 9.  The only trust anchors it contains\n\
 # are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
 # anchor information for the root zone.\n\
 \n\
-trusted-keys {\n\
-        # This key (20326) was published in the root zone in 2017.\n\
-        . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
-                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
-                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
-                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
-                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
-                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
-                R1AkUTV74bU=\";\n\
-};\n\
-"
-
-#define MANAGED_KEYS "\
-# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9.  The only trust anchors it contains\n\
-# are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
-# be configured elsewhere; if they are configured here, they will not be\n\
-# recognized or used by named.\n\
-#\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
-# named.conf options, or else leave \"dnssec-validation\" unset.  If\n\
-# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
-# ignored; keys will need to be explicitly configured in named.conf for\n\
-# validation to work.  \"auto\" is the default setting, unless named is\n\
-# built with \"configure --disable-auto-validation\", in which case the\n\
-# default is \"yes\".\n\
-#\n\
-# This file is NOT expected to be user-configured.\n\
-#\n\
-# Servers being set up for the first time can use the contents of this file\n\
-# as initializing keys; thereafter, the keys in the managed key database\n\
-# will be trusted and maintained automatically.\n\
-#\n\
-# These keys are current as of Mar 2019.  If any key fails to initialize\n\
-# correctly, it may have expired.  In that event you should replace this\n\
-# file with a current version.  The latest version of bind.keys can always\n\
-# be obtained from ISC at https://www.isc.org/bind-keys.\n\
-#\n\
-# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
-# anchor information for the root zone.\n\
-\n\
-managed-keys {\n\
+dnssec-keys {\n\
         # This key (20326) was published in the root zone in 2017.\n\
         . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
index 5a55a3e3525f6dd238607f5f174b7286937815b4..f2baa933ba3f4fc2db7ea987319bd6367c123e56 100644 (file)
@@ -3514,7 +3514,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        const cfg_obj_t *opts = NULL;
        const cfg_obj_t *plugin_list = NULL;
        bool autovalidation = false;
-       unsigned int tflags, mflags;
+       bool enablednssec, enablevalidation;
+       const char *valstr = "no";
+       unsigned int tflags = 0, dflags = 0, mflags = 0;
 
        /*
         * Get global options block
@@ -3665,7 +3667,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        isc_symtab_destroy(&symtab);
 
        /*
-        * Check trusted-keys and managed-keys.
+        * Check trusted-keys and dnssec-keys/managed-keys.
         */
        tkeys = NULL;
        if (voptions != NULL) {
@@ -3675,7 +3677,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
                (void)cfg_map_get(config, "trusted-keys", &tkeys);
        }
 
-       tflags = 0;
        for (element = cfg_list_first(tkeys);
             element != NULL;
             element = cfg_list_next(element))
@@ -3695,27 +3696,88 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        }
 
        if ((tflags & ROOT_KSK_STATIC) != 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
                            "trusted-keys entry for the root zone "
                            "WILL FAIL after key rollover - use "
-                           "managed-keys with initial-key instead.");
+                           "dnssec-keys with initial-key instead.");
        }
 
        if ((tflags & DLV_KSK_KEY) != 0) {
+               cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
+                           "trust anchor for dlv.isc.org is present; "
+                           "dlv.isc.org has been shut down");
+       }
+
+       keys = NULL;
+       if (voptions != NULL) {
+               (void)cfg_map_get(voptions, "dnssec-keys", &keys);
+       }
+       if (keys == NULL) {
+               (void)cfg_map_get(config, "dnssec-keys", &keys);
+       }
+
+       for (element = cfg_list_first(keys);
+            element != NULL;
+            element = cfg_list_next(element))
+       {
+               const cfg_obj_t *keylist = cfg_listelt_value(element);
+               for (element2 = cfg_list_first(keylist);
+                    element2 != NULL;
+                    element2 = cfg_list_next(element2))
+               {
+                       obj = cfg_listelt_value(element2);
+                       tresult = check_trusted_key(obj, true, &dflags,
+                                                   logctx);
+                       if (tresult != ISC_R_SUCCESS) {
+                               result = tresult;
+                       }
+               }
+       }
+
+       if ((dflags & ROOT_KSK_STATIC) != 0) {
                cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-                           "trusted-keys entry for dlv.isc.org is still "
-                           "present: dlv.isc.org has been shut down");
+                           "static-key entry for the root zone "
+                           "WILL FAIL after key rollover - use "
+                           "dnssec-keys with initial-key instead.");
        }
 
+       if ((dflags & ROOT_KSK_2010) != 0 && (dflags & ROOT_KSK_2017) == 0) {
+               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+                           "initial-key entry for the root zone "
+                           "uses the 2010 key without the updated "
+                           "2017 key");
+       }
+
+       if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
+               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+                           "both trusted-keys and dnssec-keys "
+                           "for the root zone are present");
+       }
+
+       if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
+               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+                           "both initial-key and static-key entries for the "
+                           "root zone are present");
+       }
+
+       if ((dflags & DLV_KSK_KEY) != 0) {
+               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+                           "trust anchor for dlv.isc.org is present; "
+                           "dlv.isc.org has been shut down");
+       }
+
+       /*
+        * "managed-keys" is a backward-compatible synonym for
+        * "dnssec-keys"; perform the same checks.
+        */
        mkeys = NULL;
        if (voptions != NULL) {
                (void)cfg_map_get(voptions, "managed-keys", &mkeys);
        }
-       if (keys == NULL) {
+       if (mkeys == NULL) {
                (void)cfg_map_get(config, "managed-keys", &mkeys);
        }
 
-       mflags = 0;
        for (element = cfg_list_first(mkeys);
             element != NULL;
             element = cfg_list_next(element))
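Review bot: The dnssec-keys block added in the middle of this hunk (the list walk into `dflags` followed by six cfg_obj_log warnings) is a near-verbatim copy of the managed-keys block that starts at the end of the hunk and continues into the next one, differing only in the flag variable and one clause name; the `keys`/`mkeys` mix-up this same hunk fixes shows how easily two such copies drift. Since the commit comment at the bottom of the hunk states the two clauses are synonyms, the simpler shape is to fold the managed-keys walk into the same flags — `tresult = check_trusted_key(obj, true, &dflags, logctx);` in the managed-keys loop, whose body lies between the hunks — and emit the warning set once, which also makes a root anchor split across the two spellings visible to the existing `ROOT_KSK_ANY` checks. The `enablednssec`, `enablevalidation` and `valstr` locals declared in the first hunk of this file are not referenced in any visible hunk; if the remainder of check_viewconf does not use them they should be removed. check_viewconf starts and ends outside this hunk.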
@@ -3735,34 +3797,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
        }
 
        if ((mflags & ROOT_KSK_STATIC) != 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-                           "managed-keys static-key entry for the root zone "
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+                           "static-key entry for the root zone "
                            "WILL FAIL after key rollover - use "
-                           "managed-keys with initial-key instead.");
+                           "dnssec-keys with initial-key instead.");
        }
 
        if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-                           "managed-keys initial-key entry for the root zone "
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+                           "initial-key entry for the root zone "
                            "uses the 2010 key without the updated "
                            "2017 key");
        }
 
        if ((tflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-                           "both trusted-keys and managed-keys for the "
-                           "root zone are present");
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+                           "both trusted-keys and managed-keys "
+                           "for the root zone are present");
        }
 
        if ((mflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
                            "both initial-key and static-key entries for the "
                            "root zone are present");
        }
 
        if ((mflags & DLV_KSK_KEY) != 0) {
-               cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-                           "managed-keys entry for dlv.isc.org still present; "
+               cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+                           "trust anchor for dlv.isc.org is present; "
                            "dlv.isc.org has been shut down");
        }
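Review bot: A root anchor split across the two synonym clauses is never cross-checked: the `(dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY` test in the previous hunk and the `(mflags & ROOT_KSK_ANY) == ROOT_KSK_ANY` test here each see only their own clause, and the only mixed-clause warnings pair each of them with `tflags`. A configuration with `dnssec-keys { . initial-key ... }` and `managed-keys { . static-key ... }` therefore passes named-checkconf silently although it is exactly the "both initial-key and static-key" case the checker warns about within a single clause. If the two blocks stay separate, add the missing pair after the managed-keys warnings below; check_viewconf continues outside the hunk.
```c
/* … unchanged: managed-keys DLV_KSK_KEY warning above … */
if ((dflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) {
	cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
		    "both dnssec-keys and managed-keys "
		    "for the root zone are present");
}
```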
 
index 5e77e4775f8b8054a1627ab597b3158ddd7ad083..c7c32d22dbaf83a6d11d5d560b8767b161f4eb1f 100644 (file)
@@ -164,19 +164,13 @@ configure_key(isc_mem_t *mctx, const cfg_obj_t *key, irs_dnsconf_t *conf,
 }
 
 static isc_result_t
-configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
-                    dns_rdataclass_t rdclass)
+configure_keygroup(irs_dnsconf_t *conf, const cfg_obj_t *keys,
+                  dns_rdataclass_t rdclass)
 {
        isc_result_t result;
-       isc_mem_t *mctx = conf->mctx;
-       const cfg_obj_t *keys = NULL;
        const cfg_obj_t *key, *keylist;
        const cfg_listelt_t *element, *element2;
-
-       cfg_map_get(cfgobj, "trusted-keys", &keys);
-       if (keys == NULL) {
-               return (ISC_R_SUCCESS);
-       }
+       isc_mem_t *mctx = conf->mctx;
 
        for (element = cfg_list_first(keys);
             element != NULL;
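Review bot: The new static helper configure_keygroup carries no header comment, and its contract (which of the nested lists it walks, what it returns on the first failure) is only inferable from the removed loop in the next hunk, which called configure_key() per key. Add above the definition `/* Walk the list-of-lists in 'keys' and add each key to 'conf' for 'rdclass'; returns the first non-success result from the per-key configure step. */`, hedged as needed once the body is checked, since the loop body runs past this hunk. Taking `keys` as `const cfg_obj_t *` is the right choice and matches what cfg_map_get() hands out.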
@@ -195,27 +189,46 @@ configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
                }
        }
 
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
+                    dns_rdataclass_t rdclass)
+{
+       isc_result_t result;
+       const cfg_obj_t *keys = NULL;
+
+       cfg_map_get(cfgobj, "trusted-keys", &keys);
+       if (keys == NULL) {
+               return (ISC_R_SUCCESS);
+       }
+
+       result = configure_keygroup(conf, keys, rdclass);
+       if (result != ISC_R_SUCCESS) {
+               return (result);
+       }
+
+       keys = NULL;
+       cfg_map_get(cfgobj, "dnssec-keys", &keys);
+       if (keys == NULL) {
+               return (ISC_R_SUCCESS);
+       }
+
+       result = configure_keygroup(conf, keys, rdclass);
+       if (result != ISC_R_SUCCESS) {
+               return (result);
+       }
+
        keys = NULL;
        cfg_map_get(cfgobj, "managed-keys", &keys);
        if (keys == NULL) {
                return (ISC_R_SUCCESS);
        }
 
-       for (element = cfg_list_first(keys);
-            element != NULL;
-            element = cfg_list_next(element))
-       {
-               keylist = cfg_listelt_value(element);
-               for (element2 = cfg_list_first(keylist);
-                    element2 != NULL;
-                    element2 = cfg_list_next(element2))
-               {
-                       key = cfg_listelt_value(element2);
-                       result = configure_key(mctx, key, conf, rdclass);
-                       if (result != ISC_R_SUCCESS) {
-                               return (result);
-                       }
-               }
+       result = configure_keygroup(conf, keys, rdclass);
+       if (result != ISC_R_SUCCESS) {
+               return (result);
        }
 
        return (ISC_R_SUCCESS);
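Review bot: configure_dnsseckeys still returns ISC_R_SUCCESS as soon as one statement is missing (the `if (keys == NULL)` after each cfg_map_get), so a configuration that carries only `dnssec-keys`, or only the `managed-keys` synonym this commit introduces, and no `trusted-keys` statement configures no trust anchors at all and reports success. The early return in front of managed-keys predates the change, but the rewrite adds a second gate in front of it and so widens the silent no-anchor outcome; an absent statement should be skipped, not treated as completion. Iterating over the three clause names and continuing on a missing one keeps the error propagation from configure_keygroup and replaces the three copies.
```c
static isc_result_t
configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
		     dns_rdataclass_t rdclass)
{
	/* All three statements are optional; each present one is loaded. */
	static const char *clauses[] = {
		"trusted-keys", "dnssec-keys", "managed-keys"
	};
	isc_result_t result;
	const cfg_obj_t *keys;
	size_t i;

	for (i = 0; i < sizeof(clauses) / sizeof(clauses[0]); i++) {
		keys = NULL;
		cfg_map_get(cfgobj, clauses[i], &keys);
		if (keys == NULL) {
			continue;	/* absent statement is not an error */
		}
		result = configure_keygroup(conf, keys, rdclass);
		if (result != ISC_R_SUCCESS) {
			return (result);
		}
	}

	return (ISC_R_SUCCESS);
}
```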
index ecebc454e0ae4a57da2632845fc02ddb417fed69..7e6f78d9368ee90c4e6d4625b70e59932f6dee7c 100644 (file)
  * Notes:
  * This module is very experimental and the configuration syntax or library
  * interfaces may change in future versions.  Currently, only static
- * key configuration is supported; "trusted-keys" and "managed-keys"
- * statements will be parsed exactly as they are in named.conf, except
- * that all "managed-keys" entries will be treated as if they were
- * configured with "static-key", even if they were actually configured
- * with "initial-key".
+ * key configuration is supported; "trusted-keys" and "dnssec-keys"/
+ * "managed-keys" statements will be parsed exactly as they are in
+ * named.conf, except that "dnssec-keys" and "managed-keys" entries will
+ * be treated as if they were configured with "static-key", even if they
+ * were actually configured with "initial-key".
  */
 
 #include <irs/types.h>
index 0c728141f0f902cadd97bd354171986dbe64deff..de4f4a2c109faee16733d25fab1ed167c0c4a38f 100644 (file)
@@ -446,8 +446,8 @@ static cfg_type_t cfg_type_dnsseckey = {
 };
 
 /*%
- * A managed key initialization specifier, as used in the
- * "managed-keys" statement.
+ * A key initialization specifier, as used in the
+ * "dnssec-keys" (or synonymous "managed-keys") statement.
  */
 static const char *init_enums[] = { "static-key", "initial-key", NULL };
 static cfg_type_t cfg_type_keyinit = {
@@ -625,8 +625,8 @@ static cfg_type_t cfg_type_keylist = {
 };
 
 /*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
-static cfg_type_t cfg_type_dnsseckeys = {
-       "dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+static cfg_type_t cfg_type_trustedkeys = {
+       "trustedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
        cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
 };
 
@@ -636,8 +636,8 @@ static cfg_type_t cfg_type_dnsseckeys = {
  * "initial-key" or "static-key". If "initial-key", then the key is
  * RFC 5011 managed; if "static-key", then the key never changes.
  */
-static cfg_type_t cfg_type_managedkeys = {
-       "managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+static cfg_type_t cfg_type_dnsseckeys = {
+       "dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
        cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
 };
 
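Review bot: The identifier `cfg_type_dnsseckeys` changes meaning inside this commit: in the previous hunk (lines 818-821) it was the `trusted-keys` list type built on `cfg_type_dnsseckey` and is renamed to `cfg_type_trustedkeys`, while here the former `cfg_type_managedkeys`, built on `cfg_type_managedkey`, takes the freed name. Any branch or out-of-tree patch that still references `cfg_type_dnsseckeys` will compile cleanly against the wrong element type and the parser will then treat the `initial-key`/`static-key` keyword differently from what that code expects. If the name is kept, a comment above the definition should record the swap, e.g. `/*% Formerly cfg_type_managedkeys; the trusted-keys list type that previously used this name is now cfg_type_trustedkeys. */`; renaming the element type `cfg_type_managedkey` in the same step would also match the commit's stated goal of updating managed-keys references throughout. The doc comment above this definition starts outside the hunk, so whether it still says "managed" cannot be seen here.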
@@ -986,10 +986,12 @@ namedconf_or_view_clauses[] = {
        { "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
        { "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
        { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
-       { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
+       { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+       { "managed-keys", &cfg_type_dnsseckeys,
+         CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
        { "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
        { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
-       { "trusted-keys", &cfg_type_dnsseckeys,
+       { "trusted-keys", &cfg_type_trustedkeys,
          CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
        { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
        { NULL, NULL, 0 }
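Review bot: `dnssec-keys` and `managed-keys` are two separate clause entries that merely share a type, so cfg_map_get returns an independent list for each name and every consumer (anchor loading, duplicate-root-key checks) has to query both; the dnsconf.c hunk at lines 731-762 does, but nothing in the table states the constraint. A comment on the `managed-keys` entry would make it visible: `/* Synonym for "dnssec-keys", kept for compatibility; it is parsed into its own list, so readers of the map must look up both names. */`. The same applies to `bindkeys_clauses` in the next hunk (lines 857-859).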
@@ -1000,8 +1002,11 @@ namedconf_or_view_clauses[] = {
  */
 static cfg_clausedef_t
 bindkeys_clauses[] = {
-       { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
-       { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+       { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+       { "managed-keys", &cfg_type_dnsseckeys,
+         CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
+       { "trusted-keys", &cfg_type_trustedkeys,
+         CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
        { NULL, NULL, 0 }
 };
 
@@ -2290,7 +2295,7 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
        &cfg_rep_map, namedconf_clausesets
 };
 
-/*% The bind.keys syntax (trusted-keys/managed-keys only). */
+/*% The bind.keys syntax (dnssec-keys/managed-keys/trusted-keys only). */
 static cfg_clausedef_t *
 bindkeys_clausesets[] = {
        bindkeys_clauses,
index 0fd585606225badf35c275d3e013b7793dcc009a..2fd9219ee324b8f7b86395b3b174861515a888bd 100755 (executable)
@@ -23,15 +23,9 @@ while (<>) {
     $lines .= $_ . "\n";
 }
 
-my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
-
-$lines =~ s/managed-keys/trusted-keys/;
-$lines =~ s/\s+initial-key//g;
-my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
+my $mkey = '#define DNSSEC_KEYS "\\' . "\n" . $lines . "\"\n";
 
 print "#ifndef BIND_KEYS_H\n";
 print "#define BIND_KEYS_H 1\n";
-print $tkey;
-print "\n";
 print $mkey;
 print "#endif /* BIND_KEYS_H */\n";
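Review bot: The generator no longer checks its input, so if the file it reads contains no `dnssec-keys`/`managed-keys` statement (or is empty) the emitted `DNSSEC_KEYS` macro is an empty string and the code that embeds it as its default anchors starts with no built-in trust anchors without any error. A guard before the prints turns that into a build failure: `die "bindkeys.pl: no dnssec-keys/managed-keys statement in input\n" unless $lines =~ /\b(?:dnssec-keys|managed-keys)\b/;`. `$mkey` is also a stale name now that the `$tkey` counterpart is gone; `$keys_macro` would read better. The `while (<>)` loop that fills `$lines` begins before the hunk.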