Deprecate SHA-1 CDS records
authorTony Finch <dot@dotat.at>
Wed, 30 Jan 2019 18:25:21 +0000 (18:25 +0000)
committerEvan Hunt <each@isc.org>
Thu, 9 May 2019 01:17:55 +0000 (18:17 -0700)
This affects CDS records generated by `named` and `dnssec-signzone`
based on `-P sync` and `-D sync` key timing instructions.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update

lib/dns/dnssec.c

index 4dfa7276fb2cc114f441be66561bdc2d8edbfa0b..b51f411dacd4bbc001cebdcef6f47e9e458306f8 100644 (file)
@@ -1909,8 +1909,8 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
        for (key = ISC_LIST_HEAD(*keys);
             key != NULL;
             key = ISC_LIST_NEXT(key, link)) {
-               dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
-               dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
+               dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
+               dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
                dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
                dns_name_t *origin = dst_key_name(key->key);
 
@@ -1918,69 +1918,83 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                                   &cdnskeyrdata));
 
                /*
+                * We construct the SHA-1 version of the record so we can
+                * delete any old records generated by previous versions of
+                * BIND. We only add SHA-256 records.
+                *
                 * XXXMPA we need to be able to specify the DS algorithms
                 * to be used here and below with rmkeys.
                 */
                RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
                                         DNS_DSDIGEST_SHA1, dsbuf1,
-                                        &cdsrdata1));
+                                        &cds_sha1));
                RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
                                         DNS_DSDIGEST_SHA256, dsbuf2,
-                                        &cdsrdata2));
+                                        &cds_sha256));
 
                /*
                 * Now that the we have created the DS records convert
                 * the rdata to CDNSKEY and CDS for comparison.
                 */
                cdnskeyrdata.type = dns_rdatatype_cdnskey;
-               cdsrdata1.type = dns_rdatatype_cds;
-               cdsrdata2.type = dns_rdatatype_cds;
+               cds_sha1.type = dns_rdatatype_cds;
+               cds_sha256.type = dns_rdatatype_cds;
 
                if (syncpublish(key->key, now)) {
                        if (!dns_rdataset_isassociated(cdnskey) ||
                            !exists(cdnskey, &cdnskeyrdata))
+                       {
                                RETERR(publish(&cdnskeyrdata, diff, origin,
                                               ttl, mctx));
+                       }
+                       /* Only publish SHA-256 (SHA-1 is deprecated) */
                        if (!dns_rdataset_isassociated(cds) ||
-                           !exists(cds, &cdsrdata1))
-                               RETERR(publish(&cdsrdata1, diff, origin,
-                                              ttl, mctx));
-                       if (!dns_rdataset_isassociated(cds) ||
-                           !exists(cds, &cdsrdata2))
-                               RETERR(publish(&cdsrdata2, diff, origin,
+                           !exists(cds, &cds_sha256))
+                       {
+                               RETERR(publish(&cds_sha256, diff, origin,
                                               ttl, mctx));
+                       }
                }
 
                if (dns_rdataset_isassociated(cds) &&
-                   syncdelete(key->key, now)) {
-                       if (exists(cds, &cdsrdata1))
-                               RETERR(delrdata(&cdsrdata1, diff, origin,
+                   syncdelete(key->key, now))
+               {
+                       /* Delete both SHA-1 and SHA-256 */
+                       if (exists(cds, &cds_sha1)) {
+                               RETERR(delrdata(&cds_sha1, diff, origin,
                                                cds->ttl, mctx));
-                       if (exists(cds, &cdsrdata2))
-                               RETERR(delrdata(&cdsrdata2, diff, origin,
+                       }
+                       if (exists(cds, &cds_sha256)) {
+                               RETERR(delrdata(&cds_sha256, diff, origin,
                                                cds->ttl, mctx));
+                       }
                }
 
                if (dns_rdataset_isassociated(cdnskey) &&
-                   syncdelete(key->key, now)) {
-                       if (exists(cdnskey, &cdnskeyrdata))
+                   syncdelete(key->key, now))
+               {
+                       if (exists(cdnskey, &cdnskeyrdata)) {
                                RETERR(delrdata(&cdnskeyrdata, diff, origin,
                                                cdnskey->ttl, mctx));
+                       }
                }
        }
 
        if (!dns_rdataset_isassociated(cds) &&
            !dns_rdataset_isassociated(cdnskey))
+       {
                return (ISC_R_SUCCESS);
+       }
 
        /*
         * Unconditionaly remove CDS/DNSKEY records for removed keys.
         */
        for (key = ISC_LIST_HEAD(*rmkeys);
             key != NULL;
-            key = ISC_LIST_NEXT(key, link)) {
-               dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
-               dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
+            key = ISC_LIST_NEXT(key, link))
+       {
+               dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
+               dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
                dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
                dns_name_t *origin = dst_key_name(key->key);
 
@@ -1990,22 +2004,25 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                if (dns_rdataset_isassociated(cds)) {
                        RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
                                                 DNS_DSDIGEST_SHA1, dsbuf1,
-                                                &cdsrdata1));
+                                                &cds_sha1));
                        RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
                                                 DNS_DSDIGEST_SHA256, dsbuf2,
-                                                &cdsrdata2));
-                       if (exists(cds, &cdsrdata1))
-                               RETERR(delrdata(&cdsrdata1, diff, origin,
+                                                &cds_sha256));
+                       if (exists(cds, &cds_sha1)) {
+                               RETERR(delrdata(&cds_sha1, diff, origin,
                                                cds->ttl, mctx));
-                       if (exists(cds, &cdsrdata2))
-                               RETERR(delrdata(&cdsrdata2, diff, origin,
+                       }
+                       if (exists(cds, &cds_sha256)) {
+                               RETERR(delrdata(&cds_sha256, diff, origin,
                                                cds->ttl, mctx));
+                       }
                }
 
                if (dns_rdataset_isassociated(cdnskey)) {
-                       if (exists(cdnskey, &cdnskeyrdata))
+                       if (exists(cdnskey, &cdnskeyrdata)) {
                                RETERR(delrdata(&cdnskeyrdata, diff, origin,
                                                cdnskey->ttl, mctx));
+                       }
                }
        }