]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
[master] dnssec-keyfromlabel -S and -i
authorEvan Hunt <each@isc.org>
Fri, 28 Feb 2014 00:25:32 +0000 (16:25 -0800)
committerEvan Hunt <each@isc.org>
Fri, 28 Feb 2014 00:25:32 +0000 (16:25 -0800)
3764. [bug] The dnssec-keygen/settime -S and -i options
(to set up a successor key and set the prepublication
interval) were missing from dnssec-keyfromlabel.
[RT #35394]

CHANGES
bin/dnssec/dnssec-keyfromlabel.c
bin/dnssec/dnssec-keyfromlabel.docbook

diff --git a/CHANGES b/CHANGES
index 4b1df31c4e65a814307f70bb1601a6ef480477ba..d01988be4954e9e2d7387f1819fbfd93c608375b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+3764.  [bug]           The dnssec-keygen/settime -S and -i options
+                       (to set up a successor key and set the prepublication
+                       interval) were missing from dnssec-keyfromlabel.
+                       [RT #35394]
+
 3763.  [bug]           delve: Cache DNSSEC records to avoid the need to
                        re-fetch them when restarting validation. [RT #35476]
 
index 3609be5a22921dd51fd62b5c1918aebb2a623c90..8bd2ea3af388cdb31c9fa1a06f0078865879c8c5 100644 (file)
@@ -108,6 +108,11 @@ usage(void) {
        fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
        fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
                        " all dates\n");
+       fprintf(stderr, "    -S <key>: generate a successor to an existing "
+                                     "key\n");
+       fprintf(stderr, "    -i <interval>: prepublication interval for "
+                                          "successor key "
+                                          "(default: 30 days)\n");
        fprintf(stderr, "Output:\n");
        fprintf(stderr, "     K<name>+<alg>+<id>.key, "
                        "K<name>+<alg>+<id>.private\n");
@@ -120,6 +125,8 @@ main(int argc, char **argv) {
        char            *algname = NULL, *freeit = NULL;
        char            *nametype = NULL, *type = NULL;
        const char      *directory = NULL;
+       const char      *predecessor = NULL;
+       dst_key_t       *prevkey = NULL;
 #ifdef USE_PKCS11
        const char      *engine = PKCS11_ENGINE;
 #else
@@ -149,6 +156,7 @@ main(int argc, char **argv) {
        isc_stdtime_t   publish = 0, activate = 0, revoke = 0;
        isc_stdtime_t   inactive = 0, delete = 0;
        isc_stdtime_t   now;
+       int             prepub = -1;
        isc_boolean_t   setpub = ISC_FALSE, setact = ISC_FALSE;
        isc_boolean_t   setrev = ISC_FALSE, setinact = ISC_FALSE;
        isc_boolean_t   setdel = ISC_FALSE, setttl = ISC_FALSE;
@@ -172,9 +180,8 @@ main(int argc, char **argv) {
 
        isc_stdtime_get(&now);
 
-       while ((ch = isc_commandline_parse(argc, argv,
-                       "3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
-       {
+#define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:y"
+       while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
            switch (ch) {
                case '3':
                        use_nsec3 = ISC_TRUE;
@@ -281,6 +288,12 @@ main(int argc, char **argv) {
                                           now, now, &setdel);
                        unsetdel = !setdel;
                        break;
+               case 'S':
+                       predecessor = isc_commandline_argument;
+                       break;
+               case 'i':
+                       prepub = strtottl(isc_commandline_argument);
+                       break;
                case 'F':
                        /* Reserved for FIPS mode */
                        /* FALLTHROUGH */
@@ -309,77 +322,179 @@ main(int argc, char **argv) {
 
        setup_logging(verbose, mctx, &log);
 
-       if (label == NULL)
-               fatal("the key label was not specified");
-       if (argc < isc_commandline_index + 1)
-               fatal("the key name was not specified");
-       if (argc > isc_commandline_index + 1)
-               fatal("extraneous arguments");
-
-       if (strchr(label, ':') == NULL) {
-               char *l;
-               int len;
-
-               len = strlen(label) + 8;
-               l = isc_mem_allocate(mctx, len);
-               if (l == NULL)
-                       fatal("cannot allocate memory");
-               snprintf(l, len, "pkcs11:%s", label);
-               isc_mem_free(mctx, label);
-               label = l;
-       }
+       if (predecessor == NULL) {
+               if (label == NULL)
+                       fatal("the key label was not specified");
+               if (argc < isc_commandline_index + 1)
+                       fatal("the key name was not specified");
+               if (argc > isc_commandline_index + 1)
+                       fatal("extraneous arguments");
+
+               if (strchr(label, ':') == NULL) {
+                       char *l;
+                       int len;
+
+                       len = strlen(label) + 8;
+                       l = isc_mem_allocate(mctx, len);
+                       if (l == NULL)
+                               fatal("cannot allocate memory");
+                       snprintf(l, len, "pkcs11:%s", label);
+                       isc_mem_free(mctx, label);
+                       label = l;
+               }
 
-       if (algname == NULL) {
-               if (use_nsec3)
-                       algname = strdup(DEFAULT_NSEC3_ALGORITHM);
-               else
-                       algname = strdup(DEFAULT_ALGORITHM);
-               if (algname == NULL)
-                       fatal("strdup failed");
-               freeit = algname;
-               if (verbose > 0)
-                       fprintf(stderr, "no algorithm specified; "
-                               "defaulting to %s\n", algname);
-       }
+               if (algname == NULL) {
+                       if (use_nsec3)
+                               algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+                       else
+                               algname = strdup(DEFAULT_ALGORITHM);
+                       if (algname == NULL)
+                               fatal("strdup failed");
+                       freeit = algname;
+                       if (verbose > 0)
+                               fprintf(stderr, "no algorithm specified; "
+                                       "defaulting to %s\n", algname);
+               }
+
+               if (strcasecmp(algname, "RSA") == 0) {
+                       fprintf(stderr, "The use of RSA (RSAMD5) is not "
+                                       "recommended.\nIf you still wish to "
+                                       "use RSA (RSAMD5) please specify "
+                                       "\"-a RSAMD5\"\n");
+                       if (freeit != NULL)
+                               free(freeit);
+                       return (1);
+               } else {
+                       r.base = algname;
+                       r.length = strlen(algname);
+                       ret = dns_secalg_fromtext(&alg, &r);
+                       if (ret != ISC_R_SUCCESS)
+                               fatal("unknown algorithm %s", algname);
+                       if (alg == DST_ALG_DH)
+                               options |= DST_TYPE_KEY;
+               }
+
+               if (use_nsec3 &&
+                   alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+                   alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
+                   alg != DST_ALG_ECCGOST &&
+                   alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+                       fatal("%s is incompatible with NSEC3; "
+                             "do not use the -3 option", algname);
+               }
 
-       if (strcasecmp(algname, "RSA") == 0) {
-               fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
-                               "If you still wish to use RSA (RSAMD5) please "
-                               "specify \"-a RSAMD5\"\n");
-               if (freeit != NULL)
-                       free(freeit);
-               return (1);
+               if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+                       if (strcasecmp(type, "NOAUTH") == 0)
+                               flags |= DNS_KEYTYPE_NOAUTH;
+                       else if (strcasecmp(type, "NOCONF") == 0)
+                               flags |= DNS_KEYTYPE_NOCONF;
+                       else if (strcasecmp(type, "NOAUTHCONF") == 0)
+                               flags |= (DNS_KEYTYPE_NOAUTH |
+                                         DNS_KEYTYPE_NOCONF);
+                       else if (strcasecmp(type, "AUTHCONF") == 0)
+                               /* nothing */;
+                       else
+                               fatal("invalid type %s", type);
+               }
+
+               if (!oldstyle && prepub > 0) {
+                        if (setpub && setact && (activate - prepub) < publish)
+                                fatal("Activation and publication dates "
+                                      "are closer together than the\n\t"
+                                      "prepublication interval.");
+
+                        if (!setpub && !setact) {
+                                setpub = setact = ISC_TRUE;
+                                publish = now;
+                                activate = now + prepub;
+                        } else if (setpub && !setact) {
+                                setact = ISC_TRUE;
+                                activate = publish + prepub;
+                        } else if (setact && !setpub) {
+                                setpub = ISC_TRUE;
+                                publish = activate - prepub;
+                        }
+
+                        if ((activate - prepub) < now)
+                                fatal("Time until activation is shorter "
+                                      "than the\n\tprepublication interval.");
+                }
        } else {
-               r.base = algname;
-               r.length = strlen(algname);
-               ret = dns_secalg_fromtext(&alg, &r);
+               char keystr[DST_KEY_FORMATSIZE];
+               isc_stdtime_t when;
+               int major, minor;
+
+               if (prepub == -1)
+                       prepub = (30 * 86400);
+
+               if (algname != NULL)
+                       fatal("-S and -a cannot be used together");
+               if (nametype != NULL)
+                       fatal("-S and -n cannot be used together");
+               if (type != NULL)
+                       fatal("-S and -t cannot be used together");
+               if (setpub || unsetpub)
+                       fatal("-S and -P cannot be used together");
+               if (setact || unsetact)
+                       fatal("-S and -A cannot be used together");
+               if (use_nsec3)
+                       fatal("-S and -3 cannot be used together");
+               if (oldstyle)
+                       fatal("-S and -C cannot be used together");
+               if (genonly)
+                       fatal("-S and -G cannot be used together");
+
+               ret = dst_key_fromnamedfile(predecessor, directory,
+                                           DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+                                           mctx, &prevkey);
                if (ret != ISC_R_SUCCESS)
-                       fatal("unknown algorithm %s", algname);
-               if (alg == DST_ALG_DH)
-                       options |= DST_TYPE_KEY;
-       }
+                       fatal("Invalid keyfile %s: %s",
+                             predecessor, isc_result_totext(ret));
+               if (!dst_key_isprivate(prevkey))
+                       fatal("%s is not a private key", predecessor);
+
+               name = dst_key_name(prevkey);
+               alg = dst_key_alg(prevkey);
+               flags = dst_key_flags(prevkey);
+
+               dst_key_format(prevkey, keystr, sizeof(keystr));
+               dst_key_getprivateformat(prevkey, &major, &minor);
+               if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+                       fatal("Key %s has incompatible format version %d.%d\n\t"
+                             "It is not possible to generate a successor key.",
+                             keystr, major, minor);
+
+               ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+               if (ret != ISC_R_SUCCESS)
+                       fatal("Key %s has no activation date.\n\t"
+                             "You must use dnssec-settime -A to set one "
+                             "before generating a successor.", keystr);
 
-       if (use_nsec3 &&
-           alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
-           alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
-           alg != DST_ALG_ECCGOST &&
-           alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
-               fatal("%s is incompatible with NSEC3; "
-                     "do not use the -3 option", algname);
-       }
+               ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
+               if (ret != ISC_R_SUCCESS)
+                       fatal("Key %s has no inactivation date.\n\t"
+                             "You must use dnssec-settime -I to set one "
+                             "before generating a successor.", keystr);
+
+               publish = activate - prepub;
+               if (publish < now)
+                       fatal("Key %s becomes inactive\n\t"
+                             "sooner than the prepublication period "
+                             "for the new key ends.\n\t"
+                             "Either change the inactivation date with "
+                             "dnssec-settime -I,\n\t"
+                             "or use the -i option to set a shorter "
+                             "prepublication interval.", keystr);
+
+               ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+               if (ret != ISC_R_SUCCESS)
+                       fprintf(stderr, "%s: WARNING: Key %s has no removal "
+                                       "date;\n\t it will remain in the zone "
+                                       "indefinitely after rollover.\n\t "
+                                       "You can use dnssec-settime -D to "
+                                       "change this.\n", program, keystr);
 
-       if (type != NULL && (options & DST_TYPE_KEY) != 0) {
-               if (strcasecmp(type, "NOAUTH") == 0)
-                       flags |= DNS_KEYTYPE_NOAUTH;
-               else if (strcasecmp(type, "NOCONF") == 0)
-                       flags |= DNS_KEYTYPE_NOCONF;
-               else if (strcasecmp(type, "NOAUTHCONF") == 0) {
-                       flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
-               }
-               else if (strcasecmp(type, "AUTHCONF") == 0)
-                       /* nothing */;
-               else
-                       fatal("invalid type %s", type);
+               setpub = setact = ISC_TRUE;
        }
 
        if (nametype == NULL) {
@@ -551,6 +666,8 @@ main(int argc, char **argv) {
                      isc_result_totext(ret));
        printf("%s\n", filename);
        dst_key_free(&key);
+       if (prevkey != NULL)
+               dst_key_free(&prevkey);
 
        cleanup_logging(&log);
        cleanup_entropy(&ectx);
index 5353f2d8a6b6013d661408458d733480daa88587..b75737f037743060995085b25c8d6d78790f80f3 100644 (file)
@@ -19,7 +19,7 @@
 
 <refentry id="man.dnssec-keyfromlabel">
   <refentryinfo>
-    <date>February 06, 2014</date>
+    <date>February 27, 2014</date>
   </refentryinfo>
 
   <refmeta>
@@ -58,6 +58,7 @@
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
       <arg><option>-G</option></arg>
       <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
       <arg><option>-k</option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
@@ -65,6 +66,7 @@
       <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
       <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg><option>-y</option></arg>
   <refsect1>
     <title>DESCRIPTION</title>
     <para><command>dnssec-keyfromlabel</command>
-      gets keys with the given label from a crypto hardware and builds
-      key files for DNSSEC (Secure DNS), as defined in RFC 2535
-      and RFC 4034.  
+      generates a key pair of files that referencing a key object stored
+      in a cryptographic hardware service module (HSM).  The private key
+      file can be used for DNSSEC signing of zone data as if it were a
+      conventional signing key created by <command>dnssec-keygen</command>,
+      but the key material is stored within the HSM, and the actual signing
+      takes place there.
     </para>
     <para>
       The <option>name</option> of the key is specified on the command
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-S <replaceable class="parameter">key</replaceable></term>
+        <listitem>
+          <para>
+            Generate a key as an explicit successor to an existing key.
+           The name, algorithm, size, and type of the key will be set
+           to match the predecessor. The activation date of the new
+           key will be set to the inactivation date of the existing
+           one. The publication date will be set to the activation
+           date minus the prepublication interval, which defaults to
+           30 days.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-t <replaceable class="parameter">type</replaceable></term>
         <listitem>
           </para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-i <replaceable class="parameter">interval</replaceable></term>
+        <listitem>
+          <para>
+            Sets the prepublication interval for a key.  If set, then
+            the publication and activation dates must be separated by at least
+            this much time.  If the activation date is specified but the
+            publication date isn't, then the publication date will default
+            to this much time before the activation date; conversely, if
+            the publication date is specified but activation date isn't,
+            then activation will be set to this much time after publication.
+          </para>
+          <para>
+            If the key is being created as an explicit successor to another
+            key, then the default prepublication interval is 30 days; 
+            otherwise it is zero.
+          </para>
+          <para>
+            As with date offsets, if the argument is followed by one of
+            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+            interval is measured in years, months, weeks, days, hours,
+            or minutes, respectively.  Without a suffix, the interval is
+            measured in seconds.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>