2183. [bug] dnssec-signzone didn't handle offline private keys
authorMark Andrews <marka@isc.org>
Fri, 18 May 2007 05:50:35 +0000 (05:50 +0000)
committerMark Andrews <marka@isc.org>
Fri, 18 May 2007 05:50:35 +0000 (05:50 +0000)
                        well.  [RT #16832]

CHANGES
bin/dnssec/dnssec-signzone.c
bin/named/update.c
lib/dns/dnssec.c

diff --git a/CHANGES b/CHANGES
index 8dff7c385af42c01d955bf312aff76226c901f0f..02039514d08f26ba58a12d1c282685c2d1989f6c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2183.  [bug]           dnssec-signzone didn't handle offline private keys
+                       well.  [RT #16832]
+
 2182.  [bug]           dns_dispatch_createtcp() and dispatch_createudp()
                        could return ISC_R_SUCCESS when they ran out of
                        memory. [RT #16365]
index 46650a563549c8e1d28296d31002d627502513c1..b8e11010d3c18ed8cfe9af32db31402fb3dcdb37 100644 (file)
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.199 2006/08/30 22:57:16 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.200 2007/05/18 05:50:35 marka Exp $ */
 
 /*! \file */
 
@@ -1481,7 +1481,7 @@ loadzonekeys(dns_db_t *db) {
        for (i = 0; i < nkeys; i++) {
                signer_key_t *key;
 
-               key = newkeystruct(keys[i], ISC_TRUE);
+               key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
                ISC_LIST_APPEND(keylist, key, link);
        }
        dns_db_detachnode(db, &node);
index f0feeb82819b43620a9b05b75e6e147dd8805e5f..22bcf23badee96f11e5f9045cc348c0d9a77b9f6 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.132 2007/03/29 23:47:04 tbox Exp $ */
+/* $Id: update.c,v 1.133 2007/05/18 05:50:35 marka Exp $ */
 
 #include <config.h>
 
@@ -1658,6 +1658,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                if (check_ksk && type != dns_rdatatype_dnskey &&
                    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
                        continue;
+
+               if (!dst_key_isprivate(keys[i]))
+                       continue;
                
                /* Calculate the signature, creating a RRSIG RDATA. */
                CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
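Review bot: The new `if (!dst_key_isprivate(keys[i])) continue;` deserves a comment saying why a zone key can arrive here without its private half, because the reason lives in lib/dns/dnssec.c, where dns_dnssec_findzonekeys2 now keeps the public key when the private key file is not found: `/* Skip keys whose private half is offline; findzonekeys2 returns public-only entries. */`. With this filter in place, a name whose every zone key is offline leaves the loop without any RRSIG being generated; whether add_sigs or its caller treats that as an error is outside the hunk and worth confirming, since it would otherwise leave an unsigned RRset in a signed zone. add_sigs starts and ends outside the hunk.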
index 729b196f2222baa2c06500fca77b1c4f7fa686bb..28c470f18e6e53412dfd8b1be6806d720bbf6c40 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.87 2006/03/07 00:34:55 marka Exp $
+ * $Id: dnssec.c,v 1.88 2007/05/18 05:50:35 marka Exp $
  */
 
 /*! \file */
@@ -531,6 +531,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
        dst_key_t *pubkey = NULL;
        unsigned int count = 0;
 
+       REQUIRE(nkeys != NULL);
+       REQUIRE(keys != NULL);
+
        *nkeys = 0;
        dns_rdataset_init(&rdataset);
        RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
@@ -540,7 +543,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                pubkey = NULL;
                dns_rdataset_current(&rdataset, &rdata);
                RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
-               if (!is_zone_key(pubkey))
+               if (!is_zone_key(pubkey) ||
+                   (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
                        goto next;
                keys[count] = NULL;
                result = dst_key_fromfile(dst_key_name(pubkey),
@@ -549,17 +553,23 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                                          DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
                                          directory,
                                          mctx, &keys[count]);
-               if (result == ISC_R_FILENOTFOUND)
+               if (result == ISC_R_FILENOTFOUND) {
+                       keys[count] = pubkey;
+                       pubkey = NULL;
+                       count++;
                        goto next;
+               }
                if (result != ISC_R_SUCCESS)
                        goto failure;
                if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+                       /* We should never get here. */
                        dst_key_free(&keys[count]);
                        goto next;
                }
                count++;
  next:
-               dst_key_free(&pubkey);
+               if (pubkey != NULL)
+                       dst_key_free(&pubkey);
                dns_rdata_reset(&rdata);
                result = dns_rdataset_next(&rdataset);
        }
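Review bot: Storing `pubkey` in `keys[count]` on ISC_R_FILENOTFOUND changes the contract of dns_dnssec_findzonekeys2: callers now receive key objects that may lack a private component, and only add_sigs (bin/named/update.c) and loadzonekeys (bin/dnssec/dnssec-signzone.c) are adjusted in this commit, so any other caller that passes these keys to dns_dnssec_sign needs the same dst_key_isprivate() guard, and the function's header comment should state that returned entries may be public-only. The `keys[count] = pubkey; pubkey = NULL;` hand-off is what keeps the free at `next:` from releasing a key now owned by the array, so the added `if (pubkey != NULL)` guard is load-bearing rather than cosmetic and merits a one-line comment such as `/* pubkey may have been handed to keys[] above. */`. The enclosing `while` condition, and with it whether `count` is bounded by the caller's array size before the new store, is outside the hunk.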
@@ -575,6 +585,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
                dns_rdataset_disassociate(&rdataset);
        if (pubkey != NULL)
                dst_key_free(&pubkey);
+       if (result != ISC_R_SUCCESS)
+               while (count > 0)
+                       dst_key_free(&keys[--count]);
        *nkeys = count;
        return (result);
 }
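Review bot: The new cleanup `if (result != ISC_R_SUCCESS) while (count > 0) dst_key_free(&keys[--count]);` frees every collected key whenever `result` is not success at the failure label, so it relies on the loop-terminating ISC_R_NOMORE from dns_rdataset_next (visible in the previous hunk) having been mapped to ISC_R_SUCCESS in the lines between the two hunks; if it is not, the normal path would hand back zero keys. Bracing the nested `while` inside the `if` would remove the dangling-statement hazard and make the intent obvious at a glance. Leaving `count` at zero so that `*nkeys = count;` reports no keys on failure is consistent with the freed array and worth a short comment, e.g. `/* On failure nothing is returned to the caller. */`.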