+4757. [func] New "dnssec-cds" command creates a new parent DS
+ RRset based on CDS or CDNSKEY RRsets found in
+ a child zone, and generates either a dsset file
+ or stream of nsupdate commands to update the
+ parent. Thanks to Tony Finch. [RT #46090]
+
4756. [bug] Interrupting dig could lead to an INSIST failure after
certain errors were encountered while querying a host
whose name resolved to more than one address. Change
+dnssec-cds
dnssec-dsfromkey
dnssec-keyfromlabel
dnssec-keygen
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
+TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+ dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
+ dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
+ dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
+ dnssec-verify@EXEEXT@
OBJS = dnssectool.@O@
-SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
- dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
- dnssec-verify.c dnssec-importkey.c dnssectool.c
+SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
+ dnssec-keyfromlabel.c dnssec-keygen.c dnssec-revoke.c \
+ dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
+ dnssectool.c
-MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
- dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
- dnssec-verify.8 dnssec-importkey.8
+MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
+ dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
+ dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
-HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
+HTMLPAGES = dnssec-cds.html dnssec-dsfromkey.html \
+ dnssec-importkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html \
- dnssec-verify.html dnssec-importkey.html
+ dnssec-verify.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
+dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
clean distclean::
rm -f ${TARGETS}
-
--- /dev/null
+.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\" Title: dnssec-cds
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 2017-10-02
+.\" Manual: BIND9
+.\" Source: ISC
+.\" Language: English
+.\"
+.TH "DNSSEC\-CDS" "8" "2017\-10\-02" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+dnssec-cds \- change DS records for a child zone based on CDS/CDNSKEY
+.SH "SYNOPSIS"
+.HP 11
+\fBdnssec\-cds\fR [\fB\-a\ \fR\fB\fIalg\fR\fR...] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\fR] {\fB\-d\ \fR\fB\fIdsset\-file\fR\fR} {\fB\-f\ \fR\fB\fIchild\-file\fR\fR} [\fB\-i\fR\ [\fIextension\fR]] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {domain}
+.SH "DESCRIPTION"
+.PP
+The
+\fBdnssec\-cds\fR
+command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&.
+.PP
+Two input files are required\&. The
+\fB\-f \fR\fB\fIchild\-file\fR\fR
+option specifies a file containing the child\*(Aqs CDS and/or CDNSKEY records, plus RRSIG and DNSKEY records so that they can be authenticated\&. The
+\fB\-d \fR\fB\fIpath\fR\fR
+option specifies the location of a file containing the current DS records\&. For example, this could be a
+dsset\-
+file generated by
+\fBdnssec\-signzone\fR, or the output of
+\fBdnssec\-dsfromkey\fR, or the output of a previous run of
+\fBdnssec\-cds\fR\&.
+.PP
+For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
+\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
+dsset\-
+file, or from the
+\fB\-s\fR
+option\&.
+.PP
+To protect against breaking the delegation,
+\fBdnssec\-cds\fR
+ensures that the DNSKEY RRset can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type\&.
+.PP
+By default, replacement DS records are written to the standard output; with the
+\fB\-i\fR
+option the input file is overwritten in place\&. The replacement DS records will be the same as the existing records when no change is required\&. The output can be empty if the CDS / CDNSKEY records specify that the child zone wants to go insecure\&.
+.PP
+Warning: Be careful not to delete the DS records when
+\fBdnssec\-cds\fR
+fails!
+.PP
+Alternatively,
+\fBdnssec\-cds \-u\fR
+writes an
+\fBnsupdate\fR
+script to the standard output\&. You can use the
+\fB\-u\fR
+and
+\fB\-i\fR
+options together to maintain a
+dsset\-
+file as well as emit an
+\fBnsupdate\fR
+script\&.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specify a digest algorithm to use when converting CDNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each CDNSKEY record\&. This option has no effect when using CDS records\&.
+.sp
+The
+\fIalgorithm\fR
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST, or SHA\-384 (SHA384)\&. These values are case insensitive\&. If no algorithm is specified, the default is SHA\-256\&.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class of the zones\&.
+.RE
+.PP
+\-D
+.RS 4
+Generate DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone\&. By default CDS records are preferred\&.
+.RE
+.PP
+\-d \fIpath\fR
+.RS 4
+Location of the parent DS records\&. The
+\fIpath\fR
+can be the name of a file containing the DS records, or if it is a directory,
+\fBdnssec\-cds\fR
+looks for a
+dsset\-
+file for the
+\fIdomain\fR
+inside the directory\&.
+.sp
+To protect against replay attacks, child records are rejected if they were signed earlier than the modification time of the
+dsset\-
+file\&. This can be adjusted with the
+\fB\-s\fR
+option\&.
+.RE
+.PP
+\-f \fIchild\-file\fR
+.RS 4
+File containing the child\*(Aqs CDS and/or CDNSKEY records, plus its DNSKEY records and the covering RRSIG records so that they can be authenticated\&.
+.sp
+The EXAMPLES below describe how to generate this file\&.
+.RE
+.PP
+\-i [\fIextension\fR]
+.RS 4
+Update the
+dsset\-
+file in place, instead of writing DS records to the standard output\&.
+.sp
+There must be no space between the
+\fB\-i\fR
+and the
+\fIextension\fR\&. If you provide no
+\fIextension\fR
+then the old
+dsset\-
+is discarded\&. If an
+\fIextension\fR
+is present, a backup of the old
+dsset\-
+file is kept with the
+\fIextension\fR
+appended to its filename\&.
+.sp
+To protect against replay attacks, the modification time of the
+dsset\-
+file is set to match the signature inception time of the child records, provided that is later than the file\*(Aqs current modification time\&.
+.RE
+.PP
+\-s \fIstart\-time\fR
+.RS 4
+Specify the date and time after which RRSIG records become acceptable\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017\&. A time relative to the
+dsset\-
+file is indicated with \-N, which is N seconds before the file modification time\&. A time relative to the current time is indicated with now+N\&.
+.sp
+If no
+\fIstart\-time\fR
+is specified, the modification time of the
+dsset\-
+file is used\&.
+.RE
+.PP
+\-T \fIttl\fR
+.RS 4
+Specifies a TTL to be used for new DS records\&. If not specified, the default is the TTL of the old DS records\&. If they had no explicit TTL then the new DS records also have no explicit TTL\&.
+.RE
+.PP
+\-u
+.RS 4
+Write an
+\fBnsupdate\fR
+script to the standard output, instead of printing the new DS reords\&. The output will be empty if no change is needed\&.
+.sp
+Note: The TTL of new records needs to be specified, either in the original
+dsset\-
+file, or with the
+\fB\-T\fR
+option, or using the
+\fBnsupdate\fR
+\fBttl\fR
+command\&.
+.RE
+.PP
+\-V
+.RS 4
+Print version information\&.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level\&. Level 1 is intended to be usefully verbose for general users; higher levels are intended for developers\&.
+.RE
+.PP
+\fIdomain\fR
+.RS 4
+The name of the delegation point / child zone apex\&.
+.RE
+.SH "EXIT STATUS"
+.PP
+The
+\fBdnssec\-cds\fR
+command exits 0 on success, or non\-zero if an error occurred\&.
+.PP
+In the success case, the DS records might or might not need to be changed\&.
+.SH "EXAMPLES"
+.PP
+Before running
+\fBdnssec\-signzone\fR, you can ensure that the delegations are up\-to\-date by running
+\fBdnssec\-cds\fR
+on every
+dsset\-
+file\&.
+.PP
+To fetch the child records required by
+\fBdnssec\-cds\fR
+you can invoke
+\fBdig\fR
+as in the script below\&. It\*(Aqs okay if the
+\fBdig\fR
+fails since
+\fBdnssec\-cds\fR
+performs all the necessary checking\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+for f in dsset\-*
+do
+ d=${f#dsset\-}
+ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+ dnssec\-cds \-i \-f /dev/stdin \-d $f $d
+done
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+When the parent zone is automatically signed by
+\fBnamed\fR, you can use
+\fBdnssec\-cds\fR
+with
+\fBnsupdate\fR
+to maintain a delegation as follows\&. The
+dsset\-
+file allows the script to avoid having to fetch and validate the parent DS records, and it keeps the replay attack protection time\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec\-cds \-u \-i \-f /dev/stdin \-d $f $d |
+nsupdate \-l
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBdnssec-settime\fR(8),
+\fBdnssec-signzone\fR(8),
+\fBnsupdate\fR(1),
+BIND 9 Administrator Reference Manual,
+RFC 7344\&.
+.SH "AUTHORS"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.PP
+\fBTony Finch\fR <\&dot@dotat\&.at\&>, <\&fanf2@cam\&.ac\&.uk\&>
+.br
+.RS 4
+.RE
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Written by Tony Finch <dot@dotat.at> <fanf2@cam.ac.uk>
+ * at Cambridge University Information Services
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
+#include "dnssectool.h"
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
+#endif
+
+const char *program = "dnssec-cds";
+int verbose;
+
+/*
+ * Infrastructure
+ */
+static isc_log_t *lctx = NULL;
+static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
+
+/*
+ * The domain we are working on
+ */
+static const char *namestr = NULL;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static dns_rdataclass_t rdclass = dns_rdataclass_in;
+
+/*
+ * List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
+ * from -a arguments. The size of the array is an arbitrary limit.
+ */
+static isc_uint8_t dtype[8];
+
+static const char *startstr = NULL; /* from which we derive notbefore */
+static isc_stdtime_t notbefore = 0; /* restrict sig inception times */
+static dns_rdata_rrsig_t oldestsig; /* for recording inception time */
+
+static int nkey; /* number of child zone DNSKEY records */
+
+/*
+ * The validation strategy of this program is top-down.
+ *
+ * We start with an implicitly trusted authoritative dsset.
+ *
+ * The child DNSKEY RRset is scanned to find out which keys are
+ * authenticated by DS records, and the result is recorded in a key
+ * table as described later in this comment.
+ *
+ * The key table is used up to three times to verify the signatures on
+ * the child DNSKEY, CDNSKEY, and CDS RRsets. In this program, only keys
+ * that have matching DS records are used for validating signatures.
+ *
+ * For replay attack protection, signatures are ignored if their inception
+ * time is before the previously recorded inception time. We use the earliest
+ * signature so that another run of dnssec-cds with the same records will
+ * still accept all the signatures.
+ *
+ * A key table is an array of nkey keyinfo structures, like
+ *
+ * keyinfo_t key_tbl[nkey];
+ *
+ * Each key is decoded into more useful representations, held in
+ * keyinfo->rdata
+ * keyinfo->dst
+ *
+ * If a key has no matching DS record then keyinfo->dst is NULL.
+ *
+ * The key algorithm and ID are saved in keyinfo->algo and
+ * keyinfo->tag for quicky skipping DS and RRSIG records that can't
+ * match.
+ */
+typedef struct keyinfo {
+ dns_rdata_t rdata;
+ dst_key_t *dst;
+ isc_uint8_t algo;
+ dns_keytag_t tag;
+} keyinfo_t;
+
+/* A replaceable function that can generate a DS RRset from some input */
+typedef isc_result_t
+ds_maker_func_t(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *rdata);
+
+static dns_rdataset_t cdnskey_set, cdnskey_sig;
+static dns_rdataset_t cds_set, cds_sig;
+static dns_rdataset_t dnskey_set, dnskey_sig;
+static dns_rdataset_t old_ds_set, new_ds_set;
+
+static keyinfo_t *old_key_tbl, *new_key_tbl;
+
+isc_buffer_t *new_ds_buf = NULL; /* backing store for new_ds_set */
+
+static void
+verbose_time(int level, const char *msg, isc_stdtime_t time) {
+ isc_result_t result;
+ isc_buffer_t timebuf;
+ char timestr[32];
+
+ if (verbose < level) {
+ return;
+ }
+
+ isc_buffer_init(&timebuf, timestr, sizeof(timestr));
+ result = dns_time64_totext(time, &timebuf);
+ check_result(result, "dns_time64_totext()");
+ isc_buffer_putuint8(&timebuf, 0);
+ if (verbose < 3) {
+ vbprintf(level, "%s %s\n", msg, timestr);
+ } else {
+ vbprintf(level, "%s %s (%lld)\n",
+ msg, timestr, (long long)time);
+ }
+}
+
+static void
+initname(char *setname) {
+ isc_result_t result;
+ isc_buffer_t buf;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ namestr = setname;
+
+ isc_buffer_init(&buf, setname, strlen(setname));
+ isc_buffer_add(&buf, strlen(setname));
+ result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ fatal("could not initialize name %s", setname);
+ }
+}
+
+static void
+findset(dns_db_t *db, dns_dbnode_t *node, dns_rdatatype_t type,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ isc_result_t result;
+
+ dns_rdataset_init(rdataset);
+ if (sigrdataset != NULL) {
+ dns_rdataset_init(sigrdataset);
+ }
+ result = dns_db_findrdataset(db, node, NULL, type, 0, 0,
+ rdataset, sigrdataset);
+ if (result != ISC_R_NOTFOUND) {
+ check_result(result, "dns_db_findrdataset()");
+ }
+}
+
+static void
+freeset(dns_rdataset_t *rdataset) {
+ if (dns_rdataset_isassociated(rdataset)) {
+ dns_rdataset_disassociate(rdataset);
+ }
+}
+
+static void
+freelist(dns_rdataset_t *rdataset) {
+ dns_rdatalist_t *rdlist;
+ dns_rdata_t *rdata;
+
+ if (!dns_rdataset_isassociated(rdataset)) {
+ return;
+ }
+
+ dns_rdatalist_fromrdataset(rdataset, &rdlist);
+
+ for (rdata = ISC_LIST_HEAD(rdlist->rdata);
+ rdata != NULL;
+ rdata = ISC_LIST_HEAD(rdlist->rdata))
+ {
+ ISC_LIST_UNLINK(rdlist->rdata, rdata, link);
+ isc_mem_put(mctx, rdata, sizeof(*rdata));
+ }
+ isc_mem_put(mctx, rdlist, sizeof(*rdlist));
+ dns_rdataset_disassociate(rdataset);
+}
+
+static void
+free_all_sets(void) {
+ freeset(&cdnskey_set);
+ freeset(&cdnskey_sig);
+ freeset(&cds_set);
+ freeset(&cds_sig);
+ freeset(&dnskey_set);
+ freeset(&dnskey_sig);
+ freeset(&old_ds_set);
+ freelist(&new_ds_set);
+ if (new_ds_buf != NULL) {
+ isc_buffer_free(&new_ds_buf);
+ }
+}
+
+static void
+load_db(const char *filename, dns_db_t **dbp, dns_dbnode_t **nodep) {
+ isc_result_t result;
+
+ result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+ rdclass, 0, NULL, dbp);
+ check_result(result, "dns_db_create()");
+
+ result = dns_db_load3(*dbp, filename,
+ dns_masterformat_text, DNS_MASTER_HINT);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+ fatal("can't load %s: %s", filename,
+ isc_result_totext(result));
+ }
+
+ result = dns_db_findnode(*dbp, name, ISC_FALSE, nodep);
+ if (result != ISC_R_SUCCESS) {
+ fatal("can't find %s node in %s", namestr, filename);
+ }
+}
+
+static void
+free_db(dns_db_t **dbp, dns_dbnode_t **nodep) {
+ dns_db_detachnode(*dbp, nodep);
+ dns_db_detach(dbp);
+}
+
+static void
+load_child_sets(const char *file) {
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+
+ load_db(file, &db, &node);
+ findset(db, node, dns_rdatatype_dnskey, &dnskey_set, &dnskey_sig);
+ findset(db, node, dns_rdatatype_cdnskey, &cdnskey_set, &cdnskey_sig);
+ findset(db, node, dns_rdatatype_cds, &cds_set, &cds_sig);
+ free_db(&db, &node);
+}
+
+static void
+get_dsset_name(char *filename, size_t size,
+ const char *path, const char *suffix)
+{
+ isc_result_t result;
+ isc_buffer_t buf;
+ size_t len;
+
+ isc_buffer_init(&buf, filename, size);
+
+ len = strlen(path);
+
+ /* allow room for a trailing slash */
+ if (isc_buffer_availablelength(&buf) <= len) {
+ fatal("%s: pathname too long", path);
+ }
+ isc_buffer_putstr(&buf, path);
+
+ if (isc_file_isdirectory(path) == ISC_R_SUCCESS) {
+ const char *prefix = "dsset-";
+
+ if (path[len - 1] != '/') {
+ isc_buffer_putstr(&buf, "/");
+ }
+
+ if (isc_buffer_availablelength(&buf) < strlen(prefix)) {
+ fatal("%s: pathname too long", path);
+ }
+ isc_buffer_putstr(&buf, prefix);
+
+ result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&buf) == 0) {
+ fatal("%s: pathname too long", path);
+ }
+ }
+ /* allow room for a trailing nul */
+ if (isc_buffer_availablelength(&buf) <= strlen(suffix)) {
+ fatal("%s: pathname too long", path);
+ }
+ isc_buffer_putstr(&buf, suffix);
+ isc_buffer_putuint8(&buf, 0);
+}
+
+static void
+load_parent_set(const char *path) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ isc_time_t modtime;
+ char filename[PATH_MAX + 1];
+
+ get_dsset_name(filename, sizeof(filename), path, "");
+
+ result = isc_file_getmodtime(filename, &modtime);
+ if (result != ISC_R_SUCCESS) {
+ fatal("could not get modification time of %s: %s",
+ filename, isc_result_totext(result));
+ }
+ notbefore = isc_time_seconds(&modtime);
+ if (startstr != NULL) {
+ isc_stdtime_t now;
+ isc_stdtime_get(&now);
+ notbefore = strtotime(startstr, now, notbefore, NULL);
+ }
+ verbose_time(1, "child records must not be signed before", notbefore);
+
+ load_db(filename, &db, &node);
+ findset(db, node, dns_rdatatype_ds, &old_ds_set, NULL);
+
+ if (!dns_rdataset_isassociated(&old_ds_set)) {
+ fatal("could not find DS records for %s in %s",
+ namestr, filename);
+ }
+
+ free_db(&db, &node);
+}
+
+static isc_buffer_t *
+formatset(dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ isc_buffer_t *buf = NULL;
+ dns_master_style_t *style = NULL;
+ unsigned int styleflags;
+ unsigned int size;
+
+ styleflags = (rdataset->ttl == 0) ? DNS_STYLEFLAG_NO_TTL : 0;
+
+ /*
+ * This style is for consistency with the output of dnssec-dsfromkey
+ * which just separates fields with spaces. The huge tab stop width
+ * eliminates any tab characters.
+ */
+ result = dns_master_stylecreate2(&style, styleflags,
+ 0, 0, 0, 0, 0, 1000000, 0,
+ mctx);
+
+ size = 256;
+ do {
+ result = isc_buffer_allocate(mctx, &buf, size);
+ check_result(result, "printing DS records");
+ result = dns_master_rdatasettotext(name, rdataset,
+ style, buf);
+ if (result == ISC_R_NOSPACE ||
+ isc_buffer_availablelength(buf) < 1)
+ {
+ vbprintf(20, "formatset buffer size %u\n", size);
+ isc_buffer_free(&buf);
+ size *= 2;
+ } else {
+ check_result(result, "dns_rdataset_totext()");
+ }
+ } while (result != ISC_R_SUCCESS);
+
+ isc_buffer_putuint8(buf, 0);
+
+ dns_master_styledestroy(&style, mctx);
+
+ return (buf);
+}
+
+static void
+write_parent_set(const char *path, const char *inplace,
+ isc_boolean_t nsupdate, dns_rdataset_t *rdataset)
+{
+ isc_result_t result;
+ isc_buffer_t *buf = NULL;
+ isc_region_t r;
+ isc_time_t filetime;
+ char backname[PATH_MAX + 1];
+ char filename[PATH_MAX + 1];
+ char tmpname[PATH_MAX + 1];
+ FILE *fp = NULL;
+
+ if (nsupdate && inplace == NULL) {
+ return;
+ }
+
+ buf = formatset(rdataset);
+ isc_buffer_usedregion(buf, &r);
+
+ /*
+ * Try to ensure a write error doesn't make a zone go insecure!
+ */
+ if (inplace == NULL) {
+ printf("%s", (char *)r.base);
+ isc_buffer_free(&buf);
+ if (fflush(stdout) == EOF) {
+ fatal("error writing to stdout: %s", strerror(errno));
+ }
+ return;
+ }
+
+ if (inplace[0] != '\0') {
+ get_dsset_name(backname, sizeof(backname), path, inplace);
+ }
+ get_dsset_name(filename, sizeof(filename), path, "");
+ get_dsset_name(tmpname, sizeof(tmpname), path, "-XXXXXXXXXX");
+
+ result = isc_file_openunique(tmpname, &fp);
+ if (result != ISC_R_SUCCESS) {
+ fatal("open %s: %s", tmpname, isc_result_totext(result));
+ }
+ fprintf(fp, "%s", (char *)r.base);
+ isc_buffer_free(&buf);
+ if (fclose(fp) == EOF) {
+ result = ISC_R_FAILURE;
+ isc_file_remove(tmpname);
+ fatal("error writing to %s: %s", tmpname, strerror(result));
+ }
+
+ isc_time_set(&filetime, oldestsig.timesigned, 0);
+ result = isc_file_settime(tmpname, &filetime);
+ if (result != ISC_R_SUCCESS) {
+ isc_file_remove(tmpname);
+ fatal("can't set modification time of %s: %s",
+ tmpname, isc_result_totext(result));
+ }
+
+ if (inplace[0] != '\0') {
+ isc_file_rename(filename, backname);
+ }
+ isc_file_rename(tmpname, filename);
+}
+
+typedef enum { LOOSE, TIGHT } strictness_t;
+
+/*
+ * Find out if any (C)DS record matches a particular (C)DNSKEY.
+ */
+static isc_boolean_t
+match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
+{
+ isc_result_t result;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+
+ for (result = dns_rdataset_first(dsset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(dsset))
+ {
+ dns_rdata_ds_t ds;
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+ dns_rdatatype_t keytype;
+ isc_boolean_t c;
+
+ dns_rdataset_current(dsset, &dsrdata);
+ result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+ check_result(result, "dns_rdata_tostruct(DS)");
+
+ if (ki->tag != ds.key_tag || ki->algo != ds.algorithm) {
+ continue;
+ }
+
+ /* allow for both DNSKEY and CDNSKEY */
+ keytype = ki->rdata.type;
+ ki->rdata.type = dns_rdatatype_dnskey;
+ result = dns_ds_buildrdata(name, &ki->rdata, ds.digest_type,
+ dsbuf, &newdsrdata);
+ ki->rdata.type = keytype;
+ if (result != ISC_R_SUCCESS) {
+ vbprintf(3, "dns_ds_buildrdata("
+ "keytag=%d, algo=%d, digest=%d): %s\n",
+ ds.key_tag, ds.algorithm, ds.digest_type,
+ dns_result_totext(result));
+ continue;
+ }
+ /* allow for both DS and CDS */
+ c = dsrdata.type != dns_rdatatype_ds;
+ dsrdata.type = dns_rdatatype_ds;
+ if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) {
+ vbprintf(1, "found matching %s %d %d %d\n",
+ c ? "CDS" : "DS",
+ ds.key_tag, ds.algorithm, ds.digest_type);
+ return (ISC_TRUE);
+ } else if (strictness == TIGHT) {
+ vbprintf(0, "key does not match %s %d %d %d "
+ "when it looks like it should\n",
+ c ? "CDS" : "DS",
+ ds.key_tag, ds.algorithm, ds.digest_type);
+ return (ISC_FALSE);
+ }
+ }
+
+ return (ISC_FALSE);
+}
+
+/*
+ * Find which (C)DNSKEY records match a (C)DS RRset.
+ * This creates a keyinfo_t key_tbl[nkey] array.
+ */
+static keyinfo_t *
+match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
+ strictness_t strictness)
+{
+ isc_result_t result;
+ keyinfo_t *keytable;
+ int i;
+
+ nkey = dns_rdataset_count(keyset);
+
+ keytable = isc_mem_get(mctx, sizeof(keyinfo_t) * nkey);
+ if (keytable == NULL) {
+ fatal("out of memory");
+ }
+
+ for (result = dns_rdataset_first(keyset), i = 0;
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(keyset), i++)
+ {
+ keyinfo_t *ki;
+ dns_rdata_dnskey_t dnskey;
+ dns_rdata_t *keyrdata;
+ isc_region_t r;
+
+ INSIST(i < nkey);
+ ki = &keytable[i];
+ keyrdata = &ki->rdata;
+
+ dns_rdata_init(keyrdata);
+ dns_rdataset_current(keyset, keyrdata);
+
+ result = dns_rdata_tostruct(keyrdata, &dnskey, NULL);
+ check_result(result, "dns_rdata_tostruct(DNSKEY)");
+ ki->algo = dnskey.algorithm;
+
+ dns_rdata_toregion(keyrdata, &r);
+ ki->tag = dst_region_computeid(&r, ki->algo);
+
+ ki->dst = NULL;
+ if (!match_key_dsset(ki, dsset, strictness)) {
+ continue;
+ }
+
+ result = dns_dnssec_keyfromrdata(name, keyrdata,
+ mctx, &ki->dst);
+ if (result != ISC_R_SUCCESS) {
+ vbprintf(3, "dns_dnssec_keyfromrdata("
+ "keytag=%d, algo=%d): %s\n",
+ ki->tag, ki->algo,
+ dns_result_totext(result));
+ }
+ }
+
+ return (keytable);
+}
+
+static void
+free_keytable(keyinfo_t **keytable_p) {
+ keyinfo_t *keytable = *keytable_p;
+ keyinfo_t *ki;
+ int i;
+
+ for (i = 0; i < nkey; i++) {
+ ki = &keytable[i];
+ if (ki->dst != NULL) {
+ dst_key_free(&ki->dst);
+ }
+ }
+
+ isc_mem_put(mctx, keytable, sizeof(keyinfo_t) * nkey);
+ *keytable_p = NULL;
+}
+
+/*
+ * Find out which keys have signed an RRset. Keys that do not match a
+ * DS record are skipped.
+ *
+ * The return value is an array with nkey elements, one for each key,
+ * either zero if the key was skipped or did not sign the RRset, or
+ * otherwise the key algorithm. This is used by the signature coverage
+ * check functions below.
+ */
+static isc_uint8_t *
+matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigset)
+{
+ isc_result_t result;
+ isc_uint8_t *algo;
+ int i;
+
+ algo = isc_mem_get(mctx, nkey);
+ if (algo == NULL) {
+ fatal("allocating RRSIG/DNSKEY match list: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+ memset(algo, 0, nkey);
+
+ for (result = dns_rdataset_first(sigset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(sigset))
+ {
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ dns_rdata_rrsig_t sig;
+
+ dns_rdataset_current(sigset, &sigrdata);
+ result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ check_result(result, "dns_rdata_tostruct(RRSIG)");
+
+ /*
+ * Replay attack protection: check against current age limit
+ */
+ if (isc_serial_lt(sig.timesigned, notbefore)) {
+ vbprintf(1, "skip RRSIG by key %d: too old\n",
+ sig.keyid);
+ continue;
+ }
+
+ for (i = 0; i < nkey; i++) {
+ keyinfo_t *ki = &keytbl[i];
+ if (ki->dst == NULL ||
+ sig.keyid != ki->tag ||
+ sig.algorithm != ki->algo ||
+ !dns_name_equal(&sig.signer, name))
+ {
+ continue;
+ }
+
+ result = dns_dnssec_verify(name, rdataset, ki->dst,
+ ISC_FALSE, mctx, &sigrdata);
+ if (result != ISC_R_SUCCESS) {
+ continue;
+ }
+
+ vbprintf(1, "found RRSIG by key %d\n", ki->tag);
+ algo[i] = sig.algorithm;
+
+ /*
+ * Replay attack protection: work out next age limit,
+ * only after the signature has been verified
+ */
+ if (oldestsig.timesigned == 0 ||
+ isc_serial_lt(sig.timesigned,
+ oldestsig.timesigned))
+ {
+ verbose_time(2, "this is the oldest so far",
+ sig.timesigned);
+ oldestsig = sig;
+ }
+ }
+ }
+
+ return (algo);
+}
+
+/*
+ * Consume the result of matching_sigs(). When checking records
+ * fetched from the child zone, any working signature is enough.
+ */
+static isc_boolean_t
+signed_loose(isc_uint8_t *algo) {
+ isc_boolean_t ok = ISC_FALSE;
+ int i;
+ for (i = 0; i < nkey; i++) {
+ if (algo[i] != 0) {
+ ok = ISC_TRUE;
+ }
+ }
+ isc_mem_put(mctx, algo, nkey);
+ return (ok);
+}
+
+/*
+ * Consume the result of matching_sigs(). To ensure that the new DS
+ * RRset does not break the chain of trust to the DNSKEY RRset, every
+ * key algorithm in the DS RRset must have a signature in the DNSKEY
+ * RRset.
+ */
+static isc_boolean_t
+signed_strict(dns_rdataset_t *dsset, isc_uint8_t *algo) {
+ isc_result_t result;
+ isc_boolean_t all_ok = ISC_TRUE;
+
+ for (result = dns_rdataset_first(dsset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(dsset))
+ {
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
+ dns_rdata_ds_t ds;
+ isc_boolean_t ds_ok;
+ int i;
+
+ dns_rdataset_current(dsset, &dsrdata);
+ result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+ check_result(result, "dns_rdata_tostruct(DS)");
+
+ ds_ok = ISC_FALSE;
+ for (i = 0; i < nkey; i++) {
+ if (algo[i] == ds.algorithm) {
+ ds_ok = ISC_TRUE;
+ }
+ }
+ if (!ds_ok) {
+ vbprintf(0, "missing signature for algorithm %d "
+ "(key %d)\n", ds.algorithm, ds.key_tag);
+ all_ok = ISC_FALSE;
+ }
+ }
+
+ isc_mem_put(mctx, algo, nkey);
+ return (all_ok);
+}
+
+static dns_rdata_t *
+rdata_get(void) {
+ dns_rdata_t *rdata;
+
+ rdata = isc_mem_get(mctx, sizeof(*rdata));
+ if (rdata == NULL) {
+ fatal("allocating DS rdata: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+ dns_rdata_init(rdata);
+
+ return (rdata);
+}
+
+static isc_result_t
+rdata_put(isc_result_t result, dns_rdatalist_t *rdlist, dns_rdata_t *rdata) {
+ if (result == ISC_R_SUCCESS) {
+ ISC_LIST_APPEND(rdlist->rdata, rdata, link);
+ } else {
+ isc_mem_put(mctx, rdata, sizeof(*rdata));
+ }
+
+ return (result);
+}
+
+/*
+ * This basically copies the rdata into the buffer, but going via the
+ * unpacked struct has the side-effect of changing the rdatatype. The
+ * dns_rdata_cds_t and dns_rdata_ds_t types are aliases.
+ */
+static isc_result_t
+ds_from_cds(dns_rdatalist_t *dslist, isc_buffer_t *buf, dns_rdata_t *cds) {
+ isc_result_t result;
+ dns_rdata_ds_t ds;
+ dns_rdata_t *rdata;
+
+ rdata = rdata_get();
+
+ result = dns_rdata_tostruct(cds, &ds, NULL);
+ check_result(result, "dns_rdata_tostruct(CDS)");
+ ds.common.rdtype = dns_rdatatype_ds;
+
+ result = dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_ds,
+ &ds, buf);
+
+ return (rdata_put(result, dslist, rdata));
+}
+
+static isc_result_t
+ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
+ dns_rdata_t *cdnskey)
+{
+ isc_result_t result;
+ unsigned i, n;
+
+ n = sizeof(dtype)/sizeof(dtype[0]);
+ for (i = 0; i < n; i++) {
+ if (dtype[i] != 0) {
+ dns_rdata_t *rdata;
+ isc_region_t r;
+
+ isc_buffer_availableregion(buf, &r);
+ if (r.length < DNS_DS_BUFFERSIZE) {
+ return (ISC_R_NOSPACE);
+ }
+
+ cdnskey->type = dns_rdatatype_dnskey;
+ rdata = rdata_get();
+ result = dns_ds_buildrdata(name, cdnskey, dtype[i],
+ r.base, rdata);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_add(buf, DNS_DS_BUFFERSIZE);
+ }
+
+ result = rdata_put(result, dslist, rdata);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * For sorting the digest types so that DS records generated
+ * from CDNSKEY records are in canonical order.
+ */
+static int
+cmp_dtype(const void *ap, const void *bp) {
+ int a = *(const isc_uint8_t *)ap;
+ int b = *(const isc_uint8_t *)bp;
+ return (a - b);
+}
+
+static void
+add_dtype(const char *dn) {
+ isc_uint8_t dt;
+ unsigned i, n;
+
+ dt = strtodsdigest(dn);
+ n = sizeof(dtype)/sizeof(dtype[0]);
+ for (i = 0; i < n; i++) {
+ if (dtype[i] == 0 || dtype[i] == dt) {
+ dtype[i] = dt;
+ qsort(dtype, i+1, 1, cmp_dtype);
+ return;
+ }
+ }
+ fatal("too many -a digest type arguments");
+}
+
+static void
+make_new_ds_set(ds_maker_func_t *ds_from_rdata,
+ isc_uint32_t ttl, dns_rdataset_t *rdset)
+{
+ unsigned int size = 16;
+ for (;;) {
+ isc_result_t result;
+ dns_rdatalist_t *dslist;
+
+ dslist = isc_mem_get(mctx, sizeof(*dslist));
+ if (dslist == NULL) {
+ fatal("allocating new DS list: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+
+ dns_rdatalist_init(dslist);
+ dslist->rdclass = rdclass;
+ dslist->type = dns_rdatatype_ds;
+ dslist->ttl = ttl;
+
+ dns_rdataset_init(&new_ds_set);
+ result = dns_rdatalist_tordataset(dslist, &new_ds_set);
+ check_result(result, "dns_rdatalist_tordataset(dslist)");
+
+ result = isc_buffer_allocate(mctx, &new_ds_buf, size);
+ check_result(result, "building new DS records");
+
+ for (result = dns_rdataset_first(rdset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdset))
+ {
+ isc_result_t tresult;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(rdset, &rdata);
+
+ tresult = ds_from_rdata(dslist, new_ds_buf, &rdata);
+ if (tresult == ISC_R_NOSPACE) {
+ vbprintf(20, "DS list buffer size %u\n", size);
+ freelist(&new_ds_set);
+ isc_buffer_free(&new_ds_buf);
+ size *= 2;
+ break;
+ }
+
+ check_result(tresult, "ds_from_rdata()");
+ }
+
+ if (result == ISC_R_NOMORE) {
+ break;
+ }
+ }
+}
+
+static inline int
+rdata_cmp(const void *rdata1, const void *rdata2) {
+ return (dns_rdata_compare((const dns_rdata_t *)rdata1,
+ (const dns_rdata_t *)rdata2));
+}
+
+/*
+ * Ensure that every key identified by the DS RRset has the same set of
+ * digest types.
+ */
+static isc_boolean_t
+consistent_digests(dns_rdataset_t *dsset) {
+ isc_result_t result;
+ dns_rdata_t *arrdata;
+ dns_rdata_ds_t *ds;
+ dns_keytag_t key_tag;
+ isc_uint8_t algorithm;
+ isc_boolean_t match;
+ int i, j, n, d;
+
+ /*
+ * First sort the dsset. DS rdata fields are tag, algorithm, digest,
+ * so sorting them brings together all the records for each key.
+ */
+
+ n = dns_rdataset_count(dsset);
+
+ arrdata = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+ if (arrdata == NULL) {
+ fatal("allocating DS rdata array: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+
+ for (result = dns_rdataset_first(dsset), i = 0;
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(dsset), i++)
+ {
+ dns_rdata_init(&arrdata[i]);
+ dns_rdataset_current(dsset, &arrdata[i]);
+ }
+
+ qsort(arrdata, n, sizeof(dns_rdata_t), rdata_cmp);
+
+ /*
+ * Convert sorted arrdata to more accessible format
+ */
+ ds = isc_mem_get(mctx, n * sizeof(dns_rdata_ds_t));
+ if (ds == NULL) {
+ fatal("allocating unpacked DS array: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ }
+
+ for (i = 0; i < n; i++) {
+ result = dns_rdata_tostruct(&arrdata[i], &ds[i], NULL);
+ check_result(result, "dns_rdata_tostruct(DS)");
+ }
+
+ /*
+ * Count number of digest types (d) for first key
+ */
+ key_tag = ds[0].key_tag;
+ algorithm = ds[0].algorithm;
+ for (d = 0, i = 0; i < n; i++, d++) {
+ if (ds[i].key_tag != key_tag || ds[i].algorithm != algorithm) {
+ break;
+ }
+ }
+
+ /*
+ * Check subsequent keys match the first one
+ */
+ match = ISC_TRUE;
+ while (i < n) {
+ key_tag = ds[i].key_tag;
+ algorithm = ds[i].algorithm;
+ for (j = 0; j < d && i+j < n; j++) {
+ if (ds[i+j].key_tag != key_tag ||
+ ds[i+j].algorithm != algorithm ||
+ ds[i+j].digest_type != ds[j].digest_type)
+ {
+ match = ISC_FALSE;
+ }
+ }
+ i += d;
+ }
+
+ /*
+ * Done!
+ */
+ isc_mem_put(mctx, ds, n * sizeof(dns_rdata_ds_t));
+ isc_mem_put(mctx, arrdata, n * sizeof(dns_rdata_t));
+
+ return (match);
+}
+
+static void
+print_diff(const char *cmd, dns_rdataset_t *rdataset) {
+ isc_buffer_t *buf;
+ isc_region_t r;
+ unsigned char *nl;
+ size_t len;
+
+ buf = formatset(rdataset);
+ isc_buffer_usedregion(buf, &r);
+
+ while ((nl = memchr(r.base, '\n', r.length)) != NULL) {
+ len = nl - r.base + 1;
+ printf("update %s %.*s", cmd, (int)len, (char *)r.base);
+ isc_region_consume(&r, len);
+ }
+
+ isc_buffer_free(&buf);
+}
+
+static void
+update_diff(const char *cmd, isc_uint32_t ttl,
+ dns_rdataset_t *addset, dns_rdataset_t *delset)
+{
+ isc_result_t result;
+ dns_db_t *db;
+ dns_dbnode_t *node;
+ dns_dbversion_t *ver;
+ dns_rdataset_t diffset;
+ isc_uint32_t save;
+
+ db = NULL;
+ result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ check_result(result, "dns_db_create()");
+
+ ver = NULL;
+ result = dns_db_newversion(db, &ver);
+ check_result(result, "dns_db_newversion()");
+
+ node = NULL;
+ result = dns_db_findnode(db, name, ISC_TRUE, &node);
+ check_result(result, "dns_db_findnode()");
+
+ dns_rdataset_init(&diffset);
+
+ result = dns_db_addrdataset(db, node, ver, 0, addset,
+ DNS_DBADD_MERGE, NULL);
+ check_result(result, "dns_db_addrdataset()");
+
+ result = dns_db_subtractrdataset(db, node, ver, delset,
+ 0, &diffset);
+ if (result == DNS_R_UNCHANGED) {
+ save = addset->ttl;
+ addset->ttl = ttl;
+ print_diff(cmd, addset);
+ addset->ttl = save;
+ } else if (result != DNS_R_NXRRSET) {
+ check_result(result, "dns_db_subtractrdataset()");
+ diffset.ttl = ttl;
+ print_diff(cmd, &diffset);
+ dns_rdataset_disassociate(&diffset);
+ }
+
+ dns_db_detachnode(db, &node);
+ dns_db_closeversion(db, &ver, ISC_FALSE);
+ dns_db_detach(&db);
+}
+
+static void
+nsdiff(isc_uint32_t ttl, dns_rdataset_t *oldset, dns_rdataset_t *newset) {
+ if (ttl == 0) {
+ vbprintf(1, "warning: no TTL in nsupdate script\n");
+ }
+ update_diff("add", ttl, newset, oldset);
+ update_diff("del", 0, oldset, newset);
+ if (verbose > 0) {
+ printf("show\nsend\nanswer\n");
+ } else {
+ printf("send\n");
+ }
+ if (fflush(stdout) == EOF) {
+ fatal("write stdout: %s", strerror(errno));
+ }
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ " %s options [options] -f <file> -d <path> <domain>\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Options:\n"
+" -a <algorithm> digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n"
+" -c <class> of domain (default IN)\n"
+" -D prefer CDNSKEY records instead of CDS\n"
+" -d <file|dir> where to find parent dsset- file\n"
+" -f <file> child DNSKEY+CDNSKEY+CDS+RRSIG records\n"
+" -i[extension] update dsset- file in place\n"
+" -s <start-time> oldest permitted child signatures\n"
+" -u emit nsupdate script\n"
+" -T <ttl> TTL of DS records\n"
+" -V print version\n"
+" -v <verbosity>\n"
+ );
+ exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+ const char *child_path = NULL;
+ const char *ds_path = NULL;
+ const char *inplace = NULL;
+ isc_result_t result;
+ isc_boolean_t prefer_cdnskey = ISC_FALSE;
+ isc_boolean_t nsupdate = ISC_FALSE;
+ isc_uint32_t ttl = 0;
+ int ch;
+ char *endp;
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS) {
+ fatal("out of memory");
+ }
+
+#ifdef PKCS11CRYPTO
+ pk11_result_register();
+#endif
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+#define OPTIONS "a:c:Dd:f:i:ms:T:uv:V"
+ while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
+ switch (ch) {
+ case 'a':
+ add_dtype(isc_commandline_argument);
+ break;
+ case 'c':
+ rdclass = strtoclass(isc_commandline_argument);
+ break;
+ case 'D':
+ prefer_cdnskey = ISC_TRUE;
+ break;
+ case 'd':
+ ds_path = isc_commandline_argument;
+ break;
+ case 'f':
+ child_path = isc_commandline_argument;
+ break;
+ case 'i':
+ /*
+ * This is a bodge to make the argument optional,
+ * so that it works just like sed(1).
+ */
+ if (isc_commandline_argument ==
+ argv[isc_commandline_index - 1])
+ {
+ isc_commandline_index--;
+ inplace = "";
+ } else {
+ inplace = isc_commandline_argument;
+ }
+ break;
+ case 'm':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+ ISC_MEM_DEBUGRECORD;
+ break;
+ case 's':
+ startstr = isc_commandline_argument;
+ break;
+ case 'T':
+ ttl = strtottl(isc_commandline_argument);
+ break;
+ case 'u':
+ nsupdate = ISC_TRUE;
+ break;
+ case 'V':
+ /* Does not return. */
+ version(program);
+ break;
+ case 'v':
+ verbose = strtoul(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0') {
+ fatal("-v must be followed by a number");
+ }
+ break;
+ default:
+ usage();
+ break;
+ }
+ }
+ argv += isc_commandline_index;
+ argc -= isc_commandline_index;
+
+ if (argc != 1) {
+ usage();
+ }
+ initname(argv[0]);
+
+ /*
+ * Default digest type if none specified.
+ */
+ if (dtype[0] == 0) {
+ dtype[0] = DNS_DSDIGEST_SHA256;
+ }
+
+ setup_logging(mctx, &lctx);
+
+ if (ectx == NULL) {
+ setup_entropy(mctx, NULL, &ectx);
+ }
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS) {
+ fatal("could not initialize hash");
+ }
+ result = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS) {
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
+ }
+ isc_entropy_stopcallbacksources(ectx);
+
+ if (ds_path == NULL) {
+ fatal("missing -d DS pathname");
+ }
+ load_parent_set(ds_path);
+
+ /*
+ * Preserve the TTL if it wasn't overridden.
+ */
+ if (ttl == 0) {
+ ttl = old_ds_set.ttl;
+ }
+
+ if (child_path == NULL) {
+ fatal("path to file containing child data must be specified");
+ }
+
+ load_child_sets(child_path);
+
+ /*
+ * Check child records have accompanying RRSIGs and DNSKEYs
+ */
+
+ if (!dns_rdataset_isassociated(&dnskey_set) ||
+ !dns_rdataset_isassociated(&dnskey_sig))
+ {
+ fatal("could not find signed DNSKEY RRset for %s", namestr);
+ }
+
+ if (dns_rdataset_isassociated(&cdnskey_set) &&
+ !dns_rdataset_isassociated(&cdnskey_sig))
+ {
+ fatal("missing RRSIG CDNSKEY records for %s", namestr);
+ }
+ if (dns_rdataset_isassociated(&cds_set) &&
+ !dns_rdataset_isassociated(&cds_sig))
+ {
+ fatal("missing RRSIG CDS records for %s", namestr);
+ }
+
+ vbprintf(1, "which child DNSKEY records match parent DS records?\n");
+ old_key_tbl = match_keyset_dsset(&dnskey_set, &old_ds_set, LOOSE);
+
+ /*
+ * We have now identified the keys that are allowed to authenticate
+ * the DNSKEY RRset (RFC 4035 section 5.2 bullet 2), and CDNSKEY and
+ * CDS RRsets (RFC 7344 section 4.1 bullet 2).
+ */
+
+ vbprintf(1, "verify DNSKEY signature(s)\n");
+ if (!signed_loose(matching_sigs(old_key_tbl, &dnskey_set, &dnskey_sig)))
+ {
+ fatal("could not validate child DNSKEY RRset for %s", namestr);
+ }
+
+ if (dns_rdataset_isassociated(&cdnskey_set)) {
+ vbprintf(1, "verify CDNSKEY signature(s)\n");
+ if (!signed_loose(matching_sigs(old_key_tbl,
+ &cdnskey_set, &cdnskey_sig)))
+ {
+ fatal("could not validate child CDNSKEY RRset for %s",
+ namestr);
+ }
+ }
+ if (dns_rdataset_isassociated(&cds_set)) {
+ vbprintf(1, "verify CDS signature(s)\n");
+ if (!signed_loose(matching_sigs(old_key_tbl,
+ &cds_set, &cds_sig)))
+ {
+ fatal("could not validate child CDS RRset for %s",
+ namestr);
+ }
+ }
+
+ free_keytable(&old_key_tbl);
+
+ /*
+ * Report the result of the replay attack protection checks
+ * used for the output file timestamp
+ */
+ if (oldestsig.timesigned != 0 && verbose > 0) {
+ char type[32];
+ dns_rdatatype_format(oldestsig.covered, type, sizeof(type));
+ verbose_time(1, "child signature inception time",
+ oldestsig.timesigned);
+ vbprintf(2, "from RRSIG %s by key %d\n",
+ type, oldestsig.keyid);
+ }
+
+ /*
+ * Sucessfully do nothing if there's neither CDNSKEY nor CDS
+ * RFC 7344 section 4.1 first paragraph
+ */
+ if (!dns_rdataset_isassociated(&cdnskey_set) &&
+ !dns_rdataset_isassociated(&cds_set))
+ {
+ vbprintf(1, "%s has neither CDS nor CDNSKEY records\n",
+ namestr);
+ write_parent_set(ds_path, inplace, nsupdate, &old_ds_set);
+ exit(0);
+ }
+
+ /*
+ * Make DS records from the CDS or CDNSKEY records
+ * Prefer CDS if present, unless run with -D
+ */
+ if (prefer_cdnskey && dns_rdataset_isassociated(&cdnskey_set)) {
+ make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set);
+ } else if (dns_rdataset_isassociated(&cds_set)) {
+ make_new_ds_set(ds_from_cds, ttl, &cds_set);
+ } else {
+ make_new_ds_set(ds_from_cdnskey, ttl, &cdnskey_set);
+ }
+
+ /*
+ * Now we have a candidate DS RRset, we need to check it
+ * won't break the delegation.
+ */
+ vbprintf(1, "which child DNSKEY records match new DS records?\n");
+ new_key_tbl = match_keyset_dsset(&dnskey_set, &new_ds_set, TIGHT);
+
+ if (!consistent_digests(&new_ds_set)) {
+ fatal("CDS records at %s do not cover each key "
+ "with the same set of digest types", namestr);
+ }
+
+ vbprintf(1, "verify DNSKEY signature(s)\n");
+ if (!signed_strict(&new_ds_set,
+ matching_sigs(new_key_tbl,
+ &dnskey_set, &dnskey_sig)))
+ {
+ fatal("could not validate child DNSKEY RRset "
+ "with new DS records for %s", namestr);
+ }
+
+ free_keytable(&new_key_tbl);
+
+ /*
+ * OK, it's all good!
+ */
+ if (nsupdate) {
+ nsdiff(ttl, &old_ds_set, &new_ds_set);
+ }
+
+ write_parent_set(ds_path, inplace, nsupdate, &new_ds_set);
+
+ free_all_sets();
+ cleanup_logging(&lctx);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10) {
+ isc_mem_stats(mctx, stdout);
+ }
+ isc_mem_destroy(&mctx);
+
+ exit(0);
+}
--- /dev/null
+<!--
+ - Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-signzone">
+ <info>
+ <date>2017-10-02</date>
+ </info>
+ <refentryinfo>
+ <corpname>ISC</corpname>
+ <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+ <author>
+ <personname>Tony Finch</personname>
+ <email>dot@dotat.at</email>
+ <email>fanf2@cam.ac.uk</email>
+ <affiliation>Cambridge University Information Services</affiliation>
+ <personblurb></personblurb>
+ </author>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-cds</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-cds</application></refname>
+ <refpurpose>change DS records for a child zone based on CDS/CDNSKEY</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2017</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis sepchar=" ">
+ <command>dnssec-cds</command>
+ <arg choice="opt" rep="repeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-D</option></arg>
+ <arg choice="req" rep="norepeat"><option>-d <replaceable class="parameter">dsset-file</replaceable></option></arg>
+ <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">child-file</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-i</option><arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></arg>
+ <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-u</option></arg>
+ <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-V</option></arg>
+ <arg choice="req" rep="norepeat">domain</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection><info><title>DESCRIPTION</title></info>
+
+ <para>
+ The <command>dnssec-cds</command> command changes DS records at
+ a delegation point based on CDS or CDNSKEY records published in
+ the child zone. If both CDS and CDNSKEY records are present in
+ the child zone, the CDS is preferred.
+ </para>
+ <para>
+ Two input files are required. The
+ <option>-f <replaceable class="parameter">child-file</replaceable></option>
+ option specifies a file containing the child's CDS and/or CDNSKEY
+ records, plus RRSIG and DNSKEY records so that they can be
+ authenticated. The
+ <option>-d <replaceable class="parameter">path</replaceable></option>
+ option specifies the location of a file containing the current DS
+ records. For example, this could be a <filename>dsset-</filename>
+ file generated by <command>dnssec-signzone</command>, or the output of
+ <command>dnssec-dsfromkey</command>, or the output of a previous
+ run of <command>dnssec-cds</command>.
+ </para>
+ <para>
+ For protection against replay attacks, the signatures on the
+ child records must not be older than they were on a previous run
+ of <command>dnssec-cds</command>. This time is obtained from the
+ modification time of the <filename>dsset-</filename> file, or
+ from the <option>-s</option> option.
+ </para>
+ <para>
+ To protect against breaking the delegation,
+ <command>dnssec-cds</command> ensures that the DNSKEY RRset can be
+ verified by every key algorithm in the new DS RRset, and that the
+ same set of keys are covered by every DS digest type.
+ </para>
+ <para>
+ By default, replacement DS records are written to the standard
+ output; with the <option>-i</option> option the input file is
+ overwritten in place. The replacement DS records will be the
+ same as the existing records when no change is required. The
+ output can be empty if the CDS / CDNSKEY records specify that
+ the child zone wants to go insecure.
+ </para>
+ <para>
+ Warning: Be careful not to delete the DS records
+ when <command>dnssec-cds</command> fails!
+ </para>
+ <para>
+ Alternatively, <command>dnssec-cds -u</command> writes
+ an <command>nsupdate</command> script to the standard output.
+ You can use the <option>-u</option> and <option>-i</option>
+ options together to maintain a <filename>dsset-</filename> file
+ as well as emit an <command>nsupdate</command> script.
+ </para>
+
+ </refsection>
+
+ <refsection><info><title>OPTIONS</title></info>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Specify a digest algorithm to use when converting CDNSKEY
+ records to DS records. This option can be repeated, so
+ that multiple DS records are created for each CDNSKEY
+ record. This option has no effect when using CDS records.
+ </para>
+ <para>
+ The <replaceable>algorithm</replaceable> must be one of SHA-1
+ (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+ values are case insensitive. If no algorithm is specified,
+ the default is SHA-256.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class of the zones.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D</term>
+ <listitem>
+ <para>
+ Generate DS records from CDNSKEY records if both CDS and
+ CDNSKEY records are present in the child zone. By default
+ CDS records are preferred.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">path</replaceable></term>
+ <listitem>
+ <para>
+ Location of the parent DS records.
+ The <replaceable>path</replaceable> can be the name of a file
+ containing the DS records, or if it is a
+ directory, <command>dnssec-cds</command> looks for
+ a <filename>dsset-</filename> file for
+ the <replaceable>domain</replaceable> inside the directory.
+ </para>
+ <para>
+ To protect against replay attacks, child records are
+ rejected if they were signed earlier than the modification
+ time of the <filename>dsset-</filename> file. This can be
+ adjusted with the <option>-s</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">child-file</replaceable></term>
+ <listitem>
+ <para>
+ File containing the child's CDS and/or CDNSKEY records,
+ plus its DNSKEY records and the covering RRSIG records so
+ that they can be authenticated.
+ </para>
+ <para>
+ The EXAMPLES below describe how to generate this file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i<arg choice="opt" rep="norepeat"><replaceable class="parameter">extension</replaceable></arg></term>
+ <listitem>
+ <para>
+ Update the <filename>dsset-</filename> file in place,
+ instead of writing DS records to the standard output.
+ </para>
+ <para>
+ There must be no space between the <option>-i</option> and
+ the <replaceable>extension</replaceable>. If you provide
+ no <replaceable>extension</replaceable> then the
+ old <filename>dsset-</filename> is discarded. If
+ an <replaceable>extension</replaceable> is present, a
+ backup of the old <filename>dsset-</filename> file is kept
+ with the <replaceable>extension</replaceable> appended to
+ its filename.
+ </para>
+ <para>
+ To protect against replay attacks, the modification time
+ of the <filename>dsset-</filename> file is set to match
+ the signature inception time of the child records,
+ provided that is later than the file's current
+ modification time.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time after which RRSIG records become
+ acceptable. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number in
+ YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
+ UTC on August 27th, 2017. A time relative to
+ the <filename>dsset-</filename> file is indicated with -N,
+ which is N seconds before the file modification time. A
+ time relative to the current time is indicated with now+N.
+ </para>
+ <para>
+ If no <replaceable>start-time</replaceable> is specified, the
+ modification time of the <filename>dsset-</filename> file
+ is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-T <replaceable class="parameter">ttl</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a TTL to be used for new DS records. If not
+ specified, the default is the TTL of the old DS records.
+ If they had no explicit TTL then the new DS records also
+ have no explicit TTL.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u</term>
+ <listitem>
+ <para>
+ Write an <command>nsupdate</command> script to the
+ standard output, instead of printing the new DS reords.
+ The output will be empty if no change is needed.
+ </para>
+ <para>
+ Note: The TTL of new records needs to be specified, either
+ in the original <filename>dsset-</filename> file, or with
+ the <option>-T</option> option, or using
+ the <command>nsupdate</command> <command>ttl</command>
+ command.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-V</term>
+ <listitem>
+ <para>
+ Print version information.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level. Level 1 is intended to be
+ usefully verbose for general users; higher levels are
+ intended for developers.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>domain</replaceable></term>
+ <listitem>
+ <para>
+ The name of the delegation point / child zone apex.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsection>
+
+ <refsection><info><title>EXIT STATUS</title></info>
+
+ <para>
+ The <command>dnssec-cds</command> command exits 0 on success, or
+ non-zero if an error occurred.
+ </para>
+ <para>
+ In the success case, the DS records might or might not need
+ to be changed.
+ </para>
+
+ </refsection>
+
+ <refsection><info><title>EXAMPLES</title></info>
+
+ <para>
+ Before running <command>dnssec-signzone</command>, you can ensure
+ that the delegations are up-to-date by running
+ <command>dnssec-cds</command> on every <filename>dsset-</filename> file.
+ </para>
+ <para>
+ To fetch the child records required by <command>dnssec-cds</command>
+ you can invoke <command>dig</command> as in the script below. It's
+ okay if the <command>dig</command> fails since
+ <command>dnssec-cds</command> performs all the necessary checking.
+ </para>
+<programlisting>for f in dsset-*
+do
+ d=${f#dsset-}
+ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+ dnssec-cds -i -f /dev/stdin -d $f $d
+done
+</programlisting>
+
+ <para>
+ When the parent zone is automatically signed by
+ <command>named</command>, you can use <command>dnssec-cds</command>
+ with <command>nsupdate</command> to maintain a delegation as follows.
+ The <filename>dsset-</filename> file allows the script to avoid
+ having to fetch and validate the parent DS records, and it keeps the
+ replay attack protection time.
+ </para>
+<programlisting>
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec-cds -u -i -f /dev/stdin -d $f $d |
+nsupdate -l
+</programlisting>
+ </refsection>
+
+ <refsection><info><title>SEE ALSO</title></info>
+
+ <para>
+ <citerefentry>
+ <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 7344</citetitle>.
+ </para>
+
+ </refsection>
+
+</refentry>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-cds</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-cds</span> — change DS records for a child zone based on CDS/CDNSKEY</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-cds</code> [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>...] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D</code>] {<code class="option">-d <em class="replaceable"><code>dsset-file</code></em></code>} {<code class="option">-f <em class="replaceable"><code>child-file</code></em></code>} [<code class="option">-i</code> [<em class="replaceable"><code>extension</code></em>]] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {domain}</p></div>
+</div>
+<div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+<p>
+ The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
+ a delegation point based on CDS or CDNSKEY records published in
+ the child zone. If both CDS and CDNSKEY records are present in
+ the child zone, the CDS is preferred.
+ </p>
+<p>
+ Two input files are required. The
+ <code class="option">-f <em class="replaceable"><code>child-file</code></em></code>
+ option specifies a file containing the child's CDS and/or CDNSKEY
+ records, plus RRSIG and DNSKEY records so that they can be
+ authenticated. The
+ <code class="option">-d <em class="replaceable"><code>path</code></em></code>
+ option specifies the location of a file containing the current DS
+ records. For example, this could be a <code class="filename">dsset-</code>
+ file generated by <span class="command"><strong>dnssec-signzone</strong></span>, or the output of
+ <span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
+ run of <span class="command"><strong>dnssec-cds</strong></span>.
+ </p>
+<p>
+ For protection against replay attacks, the signatures on the
+ child records must not be older than they were on a previous run
+ of <span class="command"><strong>dnssec-cds</strong></span>. This time is obtained from the
+ modification time of the <code class="filename">dsset-</code> file, or
+ from the <code class="option">-s</code> option.
+ </p>
+<p>
+ To protect against breaking the delegation,
+ <span class="command"><strong>dnssec-cds</strong></span> ensures that the DNSKEY RRset can be
+ verified by every key algorithm in the new DS RRset, and that the
+ same set of keys are covered by every DS digest type.
+ </p>
+<p>
+ By default, replacement DS records are written to the standard
+ output; with the <code class="option">-i</code> option the input file is
+ overwritten in place. The replacement DS records will be the
+ same as the existing records when no change is required. The
+ output can be empty if the CDS / CDNSKEY records specify that
+ the child zone wants to go insecure.
+ </p>
+<p>
+ Warning: Be careful not to delete the DS records
+ when <span class="command"><strong>dnssec-cds</strong></span> fails!
+ </p>
+<p>
+ Alternatively, <span class="command"><strong>dnssec-cds -u</strong></span> writes
+ an <span class="command"><strong>nsupdate</strong></span> script to the standard output.
+ You can use the <code class="option">-u</code> and <code class="option">-i</code>
+ options together to maintain a <code class="filename">dsset-</code> file
+ as well as emit an <span class="command"><strong>nsupdate</strong></span> script.
+ </p>
+</div>
+<div class="refsection">
+<a name="id-1.8"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+ Specify a digest algorithm to use when converting CDNSKEY
+ records to DS records. This option can be repeated, so
+ that multiple DS records are created for each CDNSKEY
+ record. This option has no effect when using CDS records.
+ </p>
+<p>
+ The <em class="replaceable"><code>algorithm</code></em> must be one of SHA-1
+ (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+ values are case insensitive. If no algorithm is specified,
+ the default is SHA-256.
+ </p>
+</dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+ Specifies the DNS class of the zones.
+ </p></dd>
+<dt><span class="term">-D</span></dt>
+<dd><p>
+ Generate DS records from CDNSKEY records if both CDS and
+ CDNSKEY records are present in the child zone. By default
+ CDS records are preferred.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>path</code></em></span></dt>
+<dd>
+<p>
+ Location of the parent DS records.
+ The <em class="replaceable"><code>path</code></em> can be the name of a file
+ containing the DS records, or if it is a
+ directory, <span class="command"><strong>dnssec-cds</strong></span> looks for
+ a <code class="filename">dsset-</code> file for
+ the <em class="replaceable"><code>domain</code></em> inside the directory.
+ </p>
+<p>
+ To protect against replay attacks, child records are
+ rejected if they were signed earlier than the modification
+ time of the <code class="filename">dsset-</code> file. This can be
+ adjusted with the <code class="option">-s</code> option.
+ </p>
+</dd>
+<dt><span class="term">-f <em class="replaceable"><code>child-file</code></em></span></dt>
+<dd>
+<p>
+ File containing the child's CDS and/or CDNSKEY records,
+ plus its DNSKEY records and the covering RRSIG records so
+ that they can be authenticated.
+ </p>
+<p>
+ The EXAMPLES below describe how to generate this file.
+ </p>
+</dd>
+<dt><span class="term">-i[<em class="replaceable"><code>extension</code></em>]</span></dt>
+<dd>
+<p>
+ Update the <code class="filename">dsset-</code> file in place,
+ instead of writing DS records to the standard output.
+ </p>
+<p>
+ There must be no space between the <code class="option">-i</code> and
+ the <em class="replaceable"><code>extension</code></em>. If you provide
+ no <em class="replaceable"><code>extension</code></em> then the
+ old <code class="filename">dsset-</code> is discarded. If
+ an <em class="replaceable"><code>extension</code></em> is present, a
+ backup of the old <code class="filename">dsset-</code> file is kept
+ with the <em class="replaceable"><code>extension</code></em> appended to
+ its filename.
+ </p>
+<p>
+ To protect against replay attacks, the modification time
+ of the <code class="filename">dsset-</code> file is set to match
+ the signature inception time of the child records,
+ provided that is later than the file's current
+ modification time.
+ </p>
+</dd>
+<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
+<dd>
+<p>
+ Specify the date and time after which RRSIG records become
+ acceptable. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number in
+ YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00
+ UTC on August 27th, 2017. A time relative to
+ the <code class="filename">dsset-</code> file is indicated with -N,
+ which is N seconds before the file modification time. A
+ time relative to the current time is indicated with now+N.
+ </p>
+<p>
+ If no <em class="replaceable"><code>start-time</code></em> is specified, the
+ modification time of the <code class="filename">dsset-</code> file
+ is used.
+ </p>
+</dd>
+<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd><p>
+ Specifies a TTL to be used for new DS records. If not
+ specified, the default is the TTL of the old DS records.
+ If they had no explicit TTL then the new DS records also
+ have no explicit TTL.
+ </p></dd>
+<dt><span class="term">-u</span></dt>
+<dd>
+<p>
+ Write an <span class="command"><strong>nsupdate</strong></span> script to the
+ standard output, instead of printing the new DS reords.
+ The output will be empty if no change is needed.
+ </p>
+<p>
+ Note: The TTL of new records needs to be specified, either
+ in the original <code class="filename">dsset-</code> file, or with
+ the <code class="option">-T</code> option, or using
+ the <span class="command"><strong>nsupdate</strong></span> <span class="command"><strong>ttl</strong></span>
+ command.
+ </p>
+</dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+ Print version information.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level. Level 1 is intended to be
+ usefully verbose for general users; higher levels are
+ intended for developers.
+ </p></dd>
+<dt><span class="term"><em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+ The name of the delegation point / child zone apex.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsection">
+<a name="id-1.9"></a><h2>EXIT STATUS</h2>
+<p>
+ The <span class="command"><strong>dnssec-cds</strong></span> command exits 0 on success, or
+ non-zero if an error occurred.
+ </p>
+<p>
+ In the success case, the DS records might or might not need
+ to be changed.
+ </p>
+</div>
+<div class="refsection">
+<a name="id-1.10"></a><h2>EXAMPLES</h2>
+<p>
+ Before running <span class="command"><strong>dnssec-signzone</strong></span>, you can ensure
+ that the delegations are up-to-date by running
+ <span class="command"><strong>dnssec-cds</strong></span> on every <code class="filename">dsset-</code> file.
+ </p>
+<p>
+ To fetch the child records required by <span class="command"><strong>dnssec-cds</strong></span>
+ you can invoke <span class="command"><strong>dig</strong></span> as in the script below. It's
+ okay if the <span class="command"><strong>dig</strong></span> fails since
+ <span class="command"><strong>dnssec-cds</strong></span> performs all the necessary checking.
+ </p>
+<pre class="programlisting">for f in dsset-*
+do
+ d=${f#dsset-}
+ dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+ dnssec-cds -i -f /dev/stdin -d $f $d
+done
+</pre>
+<p>
+ When the parent zone is automatically signed by
+ <span class="command"><strong>named</strong></span>, you can use <span class="command"><strong>dnssec-cds</strong></span>
+ with <span class="command"><strong>nsupdate</strong></span> to maintain a delegation as follows.
+ The <code class="filename">dsset-</code> file allows the script to avoid
+ having to fetch and validate the parent DS records, and it keeps the
+ replay attack protection time.
+ </p>
+<pre class="programlisting">
+dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
+dnssec-cds -u -i -f /dev/stdin -d $f $d |
+nsupdate -l
+</pre>
+</div>
+<div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-settime</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 7344</em>.
+ </p>
+</div>
+</div></body>
+</html>
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Manual: BIND9
.\" Source: ISC
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
-.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
+.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
.SH "DESCRIPTION"
.PP
int
main(int argc, char **argv) {
- char *algname = NULL, *classname = NULL;
+ char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
showall = ISC_TRUE;
break;
case 'a':
- algname = isc_commandline_argument;
+ dtype = strtodsdigest(isc_commandline_argument);
both = ISC_FALSE;
break;
case 'C':
break;
case 'T':
emitttl = ISC_TRUE;
- ttl = atol(isc_commandline_argument);
+ ttl = strtottl(isc_commandline_argument);
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
}
}
- if (algname != NULL) {
- if (strcasecmp(algname, "SHA1") == 0 ||
- strcasecmp(algname, "SHA-1") == 0)
- dtype = DNS_DSDIGEST_SHA1;
- else if (strcasecmp(algname, "SHA256") == 0 ||
- strcasecmp(algname, "SHA-256") == 0)
- dtype = DNS_DSDIGEST_SHA256;
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
- else if (strcasecmp(algname, "GOST") == 0)
- dtype = DNS_DSDIGEST_GOST;
-#endif
- else if (strcasecmp(algname, "SHA384") == 0 ||
- strcasecmp(algname, "SHA-384") == 0)
- dtype = DNS_DSDIGEST_SHA384;
- else
- fatal("unknown algorithm %s", algname);
- }
-
rdclass = strtoclass(classname);
if (usekeyset && filename != NULL)
'\" t
.\" Title: dnssec-importkey
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: August 21, 2015
.\" Manual: BIND9
.\" Source: ISC
.SH "NAME"
dnssec-importkey \- import DNSKEY records from external systems so they can be managed
.SH "SYNOPSIS"
-.HP \w'\fBdnssec\-importkey\fR\ 'u
+.HP 17
\fBdnssec\-importkey\fR [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] {\fBkeyfile\fR}
-.HP \w'\fBdnssec\-importkey\fR\ 'u
+.HP 17
\fBdnssec\-importkey\fR {\fB\-f\ \fR\fB\fIfilename\fR\fR} [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fBdnsname\fR]
.SH "DESCRIPTION"
.PP
'\" t
.\" Title: dnssec-settime
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 2015-08-21
.\" Manual: BIND9
.\" Source: ISC
.SH "NAME"
dnssec-settime \- set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
-.HP \w'\fBdnssec\-settime\fR\ 'u
+.HP 15
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-h\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
return (rdclass);
}
+unsigned int
+strtodsdigest(const char *algname) {
+ if (strcasecmp(algname, "SHA1") == 0 ||
+ strcasecmp(algname, "SHA-1") == 0)
+ {
+ return (DNS_DSDIGEST_SHA1);
+ } else if (strcasecmp(algname, "SHA256") == 0 ||
+ strcasecmp(algname, "SHA-256") == 0)
+ {
+ return (DNS_DSDIGEST_SHA256);
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+ } else if (strcasecmp(algname, "GOST") == 0) {
+ return (DNS_DSDIGEST_GOST);
+#endif
+ } else if (strcasecmp(algname, "SHA384") == 0 ||
+ strcasecmp(algname, "SHA-384") == 0)
+ {
+ return (DNS_DSDIGEST_SHA384);
+ } else {
+ fatal("unknown algorithm %s", algname);
+ }
+}
+
isc_result_t
try_dir(const char *dirname) {
isc_result_t result;
strtotime(const char *str, isc_int64_t now, isc_int64_t base,
isc_boolean_t *setp);
+unsigned int
+strtodsdigest(const char *str);
+
dns_rdataclass_t
strtoclass(const char *str);
--- /dev/null
+CDNSKEY*
+CDS*
+DS*
+K*
+UP*
+brk.*
+db.*
+dsset-*
+err
+empty
+out
+sig.*
+vars.sh
--- /dev/null
+#!/usr/bin/perl
+my $target = shift;
+my $file = shift;
+my $mtime = time - (stat $file)[9];
+die "bad mtime $mtime"
+ unless abs($mtime - $target) < 3;
--- /dev/null
+#!/usr/bin/perl
+
+$target = shift;
+while (<>) {
+ $notbefore = $1 if m{^.* must not be signed before \d+ [(](\d+)[)]$};
+ $inception = $1 if m{^.* inception time \d+ [(](\d+)[)]$};
+}
+die "missing notbefore time" unless $notbefore;
+die "missing inception time" unless $inception;
+my $delta = $inception - $notbefore;
+die "bad inception time $delta"
+ unless abs($delta - $target) < 3;
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+while read glob
+do rm -f $glob
+done <.gitignore
--- /dev/null
+#!/usr/bin/perl
+my $re = $ARGV[0];
+shift;
+while (<>) {
+ s{($re)........}{${1}00000000};
+ print;
+}
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+exec $SHELL ../testcrypto.sh
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+set -eu
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
+
+touch empty
+
+Z=cds.test
+
+keyz=$($KEYGEN -q -r $RANDFILE -a RSASHA256 $Z)
+key1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
+key2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
+
+idz=$(echo $keyz | sed 's/.*+0*//')
+id1=$(echo $key1 | sed 's/.*+0*//')
+id2=$(echo $key2 | sed 's/.*+0*//')
+
+cat <<EOF >vars.sh
+Z=$Z
+key1=$key1
+key2=$key2
+idz=$idz
+id1=$id1
+id2=$id2
+EOF
+
+tac() {
+ perl -e 'print reverse <>' "$@"
+}
+
+convert() {
+ local key=$1 n=$2
+ $DSFROMKEY $key >DS.$n
+ grep ' 8 1 ' DS.$n >DS.$n-1
+ grep ' 8 2 ' DS.$n >DS.$n-2
+ sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
+ sed 's/ IN DNSKEY / IN CDNSKEY /' <$key.key >CDNSKEY.$n
+ sed 's/ IN DS / 3600 IN DS /' <DS.$n >DS.ttl$n
+ sed 's/ IN DS / 7200 IN DS /' <DS.$n >DS.ttlong$n
+ tac <DS.$n >DS.rev$n
+}
+convert $key1 1
+convert $key2 2
+
+# consistent order wrt IDs
+sort DS.1 DS.2 >DS.both
+
+cp DS.1 DS.inplace
+$PERL -we 'utime time, time - 7200, "DS.inplace" or die'
+
+mangle="$PERL mangle.pl"
+
+$mangle " IN DS $id1 8 1 " <DS.1 >DS.broke1
+$mangle " IN DS $id1 8 2 " <DS.1 >DS.broke2
+$mangle " IN DS $id1 8 [12] " <DS.1 >DS.broke12
+
+sed 's/^/update add /;$a send' <DS.2 >UP.add2
+sed 's/^/update del /;$a send' <DS.1 >UP.del1
+cat UP.add2 UP.del1 | sed 3d >UP.swap
+
+sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
+
+sign() {
+ cat >db.$1
+ $SIGNER >/dev/null 2>&1 -r $RANDFILE \
+ -S -O full -o $Z -f sig.$1 db.$1
+}
+
+sign null <<EOF
+\$TTL 1h
+@ SOA localhost. root.localhost. (
+ 1 ; serial
+ 1h ; refresh
+ 1h ; retry
+ 1w ; expiry
+ 1h ; minimum
+ )
+;
+ NS localhost.
+;
+EOF
+
+cat sig.null CDS.1 >brk.unsigned-cds
+
+cat db.null CDS.1 | sign cds.1
+cat db.null CDS.2 | sign cds.2
+cat db.null CDS.1 CDS.2 | sign cds.both
+
+tac <sig.cds.1 >sig.cds.rev1
+
+cat db.null CDNSKEY.2 | sign cdnskey.2
+cat db.null CDS.2 CDNSKEY.2 | sign cds.cdnskey.2
+
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$idz' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.zsk
+$mangle '\s+IN\s+RRSIG\s+CDS .* '$id1' '$Z'\. ' \
+ <sig.cds.1 >brk.rrsig.cds.ksk
+
+$mangle " IN CDS $id1 8 1 " <db.cds.1 |
+sign cds-mangled
+
+sed 's/IN CDS '$id1' 8 1 /IN CDS '$((id1 ^ 255))' 8 1 /' <db.cds.1 |
+sign bad-digests
+
+sed '/IN CDS '$id1' 8 /p;s//IN CDS '$((id1 ^ 255))' 13 /' <db.cds.1 |
+sign bad-algos
+
+rm -f dsset-*
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2012, 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+set -eu
+
+status=0
+die() {
+ echo "I:failed"
+ status=1
+}
+ck() {
+ local x=$1 die=:
+ shift
+ echo "I:$name"
+ if [ $x != $("$@" 2>err 1>out; echo $?) ]
+ then echo "D:exit status does not match $y"
+ die=die
+ fi
+ ckerr
+ ckout
+ $die
+ rm -f err out xerr xout
+ unset name err out
+}
+ckerr() {
+ if [ -n "${err:=}" ]
+ then egrep "$err" err >/dev/null &&
+ return 0
+ else [ -s err ] ||
+ return 0
+ fi
+ echo "D:stderr did not match '$err'"
+ sed 's/^/D:/' err
+ die=die
+}
+ckout() {
+ cmp out "${out:-empty}" >/dev/null && return
+ echo "D:stdout did not match '$out'"
+ ( echo "wanted"
+ cat "$out"
+ echo "got"
+ cat out
+ ) | sed 's/^/D:/'
+ die=die
+}
+
+Z=cds.test
+
+name='usage'
+err='Usage'
+ck 1 $CDS
+
+name='need a DS file'
+err='DS pathname'
+ck 1 $CDS $Z
+
+name='name of dsset in directory'
+err="./dsset-$Z.: file not found"
+ck 1 $CDS -d . $Z
+
+name='load a file'
+err='could not find DS records'
+ck 1 $CDS -d empty $Z
+
+name='load DS records'
+err='path to file containing child data must be specified'
+ck 1 $CDS -d DS.1 $Z
+
+name='missing DNSKEY'
+err='could not find signed DNSKEY RRset'
+ck 1 $CDS -f db.null -d DS.1 $Z
+
+name='sigs too old'
+err='could not validate child DNSKEY RRset'
+ck 1 $CDS -f sig.null -d DS.1 $Z
+
+name='sigs too old, verbosely'
+err='skip RRSIG by key [0-9]+: too old'
+ck 1 $CDS -v1 -f sig.null -d DS.1 $Z
+
+name='old sigs are allowed'
+err='found RRSIG by key'
+out=DS.1
+ck 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='no CDS/CDNSKEY records'
+out=DS.1
+ck 0 $CDS -s -7200 -f sig.null -d DS.1 $Z
+
+name='no child records, verbosely'
+err='has neither CDS nor CDNSKEY records'
+out=DS.1
+ck 0 $CDS -v1 -s -7200 -f sig.null -d DS.1 $Z
+
+name='unsigned CDS'
+err='missing RRSIG CDS records'
+ck 1 $CDS -f brk.unsigned-cds -d DS.1 $Z
+
+name='correct signature inception time'
+$CDS -v3 -s -7200 -f sig.cds.1 -d DS.1 $Z 1>xout 2>xerr
+ck 0 $PERL checktime.pl 3600 xerr
+
+name='in-place reads modification time'
+ck 0 $CDS -f sig.cds.1 -i.bak -d DS.inplace $Z
+
+name='in-place output correct modification time'
+ck 0 $PERL checkmtime.pl 3600 DS.inplace
+
+name='in-place backup correct modification time'
+ck 0 $PERL checkmtime.pl 7200 DS.inplace.bak
+
+name='in-place correct output'
+ck 0 cmp DS.1 DS.inplace
+
+name='in-place backup unmodified'
+ck 0 cmp DS.1 DS.inplace.bak
+
+name='one mangled DS'
+err='found RRSIG by key'
+out=DS.1
+ck 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke1 $Z
+
+name='other mangled DS'
+err='found RRSIG by key'
+out=DS.1
+ck 0 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke2 $Z
+
+name='both mangled DS'
+err='could not validate child DNSKEY RRset'
+ck 1 $CDS -v1 -s -7200 -f sig.cds.1 -d DS.broke12 $Z
+
+name='mangle RRSIG CDS by ZSK'
+err='found RRSIG by key'
+out=DS.1
+ck 0 $CDS -v1 -s -7200 -f brk.rrsig.cds.zsk -d DS.1 $Z
+
+name='mangle RRSIG CDS by KSK'
+err='could not validate child CDS RRset'
+ck 1 $CDS -v1 -s -7200 -f brk.rrsig.cds.ksk -d DS.1 $Z
+
+name='mangle CDS 1'
+err='could not validate child DNSKEY RRset with new DS records'
+ck 1 $CDS -s -7200 -f sig.cds-mangled -d DS.1 $Z
+
+name='inconsistent digests'
+err='do not cover each key with the same set of digest types'
+ck 1 $CDS -s -7200 -f sig.bad-digests -d DS.1 $Z
+
+name='inconsistent algorithms'
+err='missing signature for algorithm'
+ck 1 $CDS -s -7200 -f sig.bad-algos -d DS.1 $Z
+
+name='add DS records'
+out=DS.both
+$CDS -s -7200 -f sig.cds.both -d DS.1 $Z >DS.out
+# sort to allow for numerical vs lexical order of key tags
+ck 0 sort DS.out
+
+name='update add'
+out=UP.add2
+ck 0 $CDS -u -s -7200 -f sig.cds.both -d DS.1 $Z
+
+name='remove DS records'
+out=DS.2
+ck 0 $CDS -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='update del'
+out=UP.del1
+ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.both $Z
+
+name='swap DS records'
+out=DS.2
+ck 0 $CDS -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update swap'
+out=UP.swap
+ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='TTL from -T'
+out=DS.ttl2
+ck 0 $CDS -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from -T'
+out=UP.swapttl
+ck 0 $CDS -u -T 3600 -s -7200 -f sig.cds.2 -d DS.1 $Z
+
+name='update TTL from dsset'
+out=UP.swapttl
+ck 0 $CDS -u -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='TTL from -T overrides dsset'
+out=DS.ttlong2
+ck 0 $CDS -T 7200 -s -7200 -f sig.cds.2 -d DS.ttl1 $Z
+
+name='stable DS record order (no change)'
+out=DS.1
+ck 0 $CDS -s -7200 -f sig.null -d DS.rev1 $Z
+
+name='stable DS record order (changes)'
+out=DS.1
+ck 0 $CDS -s -7200 -f sig.cds.rev1 -d DS.2 $Z
+
+name='CDNSKEY default algorithm'
+out=DS.2-2
+ck 0 $CDS -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY SHA1'
+out=DS.2-1
+ck 0 $CDS -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms'
+out=DS.2
+ck 0 $CDS -a SHA1 -a SHA256 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY two algorithms, reversed'
+out=DS.2
+ck 0 $CDS -a SHA256 -a SHA1 -s -7200 -f sig.cdnskey.2 -d DS.1 $Z
+
+name='CDNSKEY and CDS'
+out=DS.2
+ck 0 $CDS -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+name='prefer CDNSKEY'
+out=DS.2-2
+ck 0 $CDS -D -s -7200 -f sig.cds.cdnskey.2 -d DS.1 $Z
+
+echo "I:exit status: 0"
+exit $status
# Make it absolute so that it continues to work after we cd.
TOP=`cd $TOP && pwd`
-NAMED=$TOP/bin/named/named
-DIG=$TOP/bin/dig/dig
-DELV=$TOP/bin/delv/delv
-RNDC=$TOP/bin/rndc/rndc
-NSUPDATE=$TOP/bin/nsupdate/nsupdate
+ARPANAME=$TOP/bin/tools/arpaname
+CDS=$TOP/bin/dnssec/dnssec-cds
+CHECKCONF=$TOP/bin/check/named-checkconf
+CHECKDS=$TOP/bin/python/dnssec-checkds
+CHECKZONE=$TOP/bin/check/named-checkzone
+COVERAGE=$TOP/bin/python/dnssec-coverage
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
-TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
-RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
-SETTIME=$TOP/bin/dnssec/dnssec-settime
+DELV=$TOP/bin/delv/delv
+DIG=$TOP/bin/dig/dig
+DNSTAPREAD=$TOP/bin/tools/dnstap-read
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+FEATURETEST=$TOP/bin/tests/system/feature-test
+FSTRM_CAPTURE=@FSTRM_CAPTURE@
+GENRANDOM=$TOP/bin/tools/genrandom
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
-CHECKDS=$TOP/bin/python/dnssec-checkds
-COVERAGE=$TOP/bin/python/dnssec-coverage
+JOURNALPRINT=$TOP/bin/tools/named-journalprint
+KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
+KEYGEN=$TOP/bin/dnssec/dnssec-keygen
KEYMGR=$TOP/bin/python/dnssec-keymgr
-CHECKZONE=$TOP/bin/check/named-checkzone
-CHECKCONF=$TOP/bin/check/named-checkconf
+MDIG=$TOP/bin/tools/mdig
+NAMED=$TOP/bin/named/named
+NSEC3HASH=$TOP/bin/tools/nsec3hash
+NSLOOKUP=$TOP/bin/dig/nslookup
+NSUPDATE=$TOP/bin/nsupdate/nsupdate
+NZD2NZF=$TOP/bin/tools/named-nzd2nzf
+PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
-PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
-JOURNALPRINT=$TOP/bin/tools/named-journalprint
-VERIFY=$TOP/bin/dnssec/dnssec-verify
-ARPANAME=$TOP/bin/tools/arpaname
RESOLVE=$TOP/lib/samples/resolve
+REVOKE=$TOP/bin/dnssec/dnssec-revoke
+RNDC=$TOP/bin/rndc/rndc
+RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
RRCHECKER=$TOP/bin/tools/named-rrchecker
-GENRANDOM=$TOP/bin/tools/genrandom
-NSEC3HASH=$TOP/bin/tools/nsec3hash
-NSLOOKUP=$TOP/bin/dig/nslookup
-DNSTAPREAD=$TOP/bin/tools/dnstap-read
-MDIG=$TOP/bin/tools/mdig
-NZD2NZF=$TOP/bin/tools/named-nzd2nzf
-FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/tests/system/feature-test
+SETTIME=$TOP/bin/dnssec/dnssec-settime
+SIGNER=$TOP/bin/dnssec/dnssec-signzone
+TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
+VERIFY=$TOP/bin/dnssec/dnssec-verify
WIRETEST=$TOP/bin/tests/wire_test
RANDFILE=$TOP/bin/tests/system/random.data
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl additional addzone allow_query autosign builtin
- cacheclean case catz chain
+ cacheclean case catz cds chain
checkconf @CHECKDS@ checknames checkzone cookie @COVERAGE@
database digdelv dlv dlz dlzexternal
dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa
#
export ARPANAME
export BIGKEY
+export CDS
export CHECKZONE
export DESCRIPTION
export DIG
<userinput>local</userinput>. [RT #42585]
</para>
</listitem>
+ <listitem>
+ <para>
+ The new <command>dnssec-cds</command> command generates a new DS
+ set to place in a parent zone, based on the contents of a child
+ zone's validated CDS or CDNSKEY records. It can produce a
+ <filename>dsset</filename> file suitable for input to
+ <command>dnssec-signzone</command>, or a series of
+ <command>nsupdate</command> to update the parent zone via dynamic
+ DNS. Thanks to Tony Finch for the contribution. [RT #46090]
+ </para>
+ </listitem>
<listitem>
<para>
<command>nsupdate</command> and <command>rndc</command> now accepts
projects / thirdparty / bind9.git / commitdiff
