* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.66 2004/03/10 02:19:51 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.67 2004/06/11 01:12:39 marka Exp $ */
#include <config.h>
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
- fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER\n");
+ fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
dst_key_t *key = NULL, *oldkey;
dns_fixedname_t fname;
dns_name_t *name;
- isc_uint16_t flags = 0;
+ isc_uint16_t flags = 0, ksk = 0;
dns_secalg_t alg;
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
isc_mem_t *mctx = NULL;
break;
case 'f':
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- flags |= DNS_KEYFLAG_KSK;
+ ksk = DNS_KEYFLAG_KSK;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
if (algname == NULL)
fatal("no algorithm was specified");
- if (strcasecmp(algname, "HMAC-MD5") == 0)
+ if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ options |= DST_TYPE_KEY;
alg = DST_ALG_HMACMD5;
- else {
+ } else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
}
- if (type != NULL) {
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
fatal("no nametype specified");
if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
- else if (strcasecmp(nametype, "host") == 0 ||
- strcasecmp(nametype, "entity") == 0)
- flags |= DNS_KEYOWNER_ENTITY;
- else if (strcasecmp(nametype, "user") == 0)
- flags |= DNS_KEYOWNER_USER;
- else
- fatal("invalid nametype %s", nametype);
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ if (strcasecmp(nametype, "host") == 0 ||
+ strcasecmp(nametype, "entity") == 0)
+ flags |= DNS_KEYOWNER_ENTITY;
+ else if (strcasecmp(nametype, "user") == 0)
+ flags |= DNS_KEYOWNER_USER;
+ else
+ fatal("invalid KEY nametype %s", nametype);
+ } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+ fatal("invalid DNSKEY nametype %s", nametype);
rdclass = strtoclass(classname);
- flags |= signatory;
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ flags |= signatory;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+ flags |= ksk;
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
+ else if ((options & DST_TYPE_KEY) == 0 &&
+ protocol != DNS_KEYPROTO_DNSSEC)
+ fatal("invalid DNSKEY protocol: %d", protocol);
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if (size > 0)
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.8 2004/06/03 02:22:31 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.9 2004/06/11 01:12:40 marka Exp $ -->
<refentry>
<refentryinfo>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
+ <arg><option>-k</option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<title>DESCRIPTION</title>
<para>
<command>dnssec-keygen</command> generates keys for DNSSEC
- (Secure DNS), as defined in RFC 2535. It can also generate
+ (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
</para>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5 or RSA,
+ <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</para>
<para>
- Note that for DNSSEC, DSA is a mandatory to implement algorithm,
- and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+ and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </para>
+ <para>
+ Note 2: HMAC-MD5 and DH automatically set the -k flag.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSA keys must be between
+ size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
- zone key), HOST or ENTITY (for a key associated with a host),
- or USER (for a key associated with a user). These values are
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
case insensitive.
</para>
</listitem>
<term>-e</term>
<listitem>
<para>
- If generating an RSA key, use a large exponent.
+ If generating an RSAMD5/RSASHA1 key, use a large exponent.
</para>
</listitem>
</varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
- Set the specified flag in the flag field of the key record.
- The only recognized flag is KSK (Key Signing Key).
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
</para>
</listitem>
</varlistentry>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-k</term>
+ <listitem>
+ <para>
+ Generate KEY records rather than DNSKEY records.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<refsect1>
<title>SEE ALSO</title>
<para>
- <citerefentry>
- <refentrytitle>dnssec-makekeyset</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>dnssec-signkey</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle>
<manvolnum>8</manvolnum>
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.178 2004/04/15 01:58:22 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.179 2004/06/11 01:12:40 marka Exp $ */
#include <config.h>
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
- fatal("key '%s' failed to sign data: %s",
+ fatal("dnskey '%s' failed to sign data: %s",
keystr, isc_result_totext(result));
}
INCSTAT(nsigned);
}
/*
- * Finds the key that generated a SIG, if possible. First look at the keys
+ * Finds the key that generated a RRSIG, if possible. First look at the keys
* that we've loaded already, and then see if there's a key on disk.
*/
static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *sig) {
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
isc_result_t result;
dst_key_t *pubkey = NULL, *privkey = NULL;
signer_key_t *key;
key = ISC_LIST_HEAD(keylist);
while (key != NULL) {
- if (sig->keyid == dst_key_id(key->key) &&
- sig->algorithm == dst_key_alg(key->key) &&
- dns_name_equal(&sig->signer, dst_key_name(key->key)))
+ if (rrsig->keyid == dst_key_id(key->key) &&
+ rrsig->algorithm == dst_key_alg(key->key) &&
+ dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
return key;
key = ISC_LIST_NEXT(key, link);
}
- result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
- DST_TYPE_PUBLIC, NULL, mctx, &pubkey);
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm, DST_TYPE_PUBLIC,
+ NULL, mctx, &pubkey);
if (result != ISC_R_SUCCESS)
return (NULL);
- result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
NULL, mctx, &privkey);
if (result == ISC_R_SUCCESS) {
}
/*
- * Check to see if we expect to find a key at this name. If we see a SIG
- * and can't find the signing key that we expect to find, we drop the sig.
+ * Check to see if we expect to find a key at this name. If we see a RRSIG
+ * and can't find the signing key that we expect to find, we drop the rrsig.
* I'm not sure if this is completely correct, but it seems to work.
*/
static isc_boolean_t
return (ISC_FALSE);
}
dns_name_format(name, namestr, sizeof(namestr));
- fatal("failure looking for '%s KEY' in database: %s",
+ fatal("failure looking for '%s DNSKEY' in database: %s",
namestr, isc_result_totext(result));
return (ISC_FALSE); /* removes a warning */
}
static inline isc_boolean_t
setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
- dns_rdata_t *sig)
+ dns_rdata_t *rrsig)
{
isc_result_t result;
- result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
+ result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
if (result == ISC_R_SUCCESS) {
INCSTAT(nverified);
return (ISC_TRUE);
}
/*
- * Signs a set. Goes through contortions to decide if each SIG should
+ * Signs a set. Goes through contortions to decide if each RRSIG should
* be dropped or retained, and then determines if any new SIGs need to
* be generated.
*/
{
dns_rdataset_t sigset;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t sig;
+ dns_rdata_rrsig_t rrsig;
signer_key_t *key;
isc_result_t result;
isc_boolean_t nosigs = ISC_FALSE;
nosigs = ISC_TRUE;
}
if (result != ISC_R_SUCCESS)
- fatal("failed while looking for '%s SIG %s': %s",
+ fatal("failed while looking for '%s RRSIG %s': %s",
namestr, typestr, isc_result_totext(result));
vbprintf(1, "%s/%s:\n", namestr, typestr);
dns_rdataset_current(&sigset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
check_result(result, "dns_rdata_tostruct");
- future = isc_serial_lt(now, sig.timesigned);
+ future = isc_serial_lt(now, rrsig.timesigned);
- key = keythatsigned(&sig);
- sig_format(&sig, sigstr, sizeof(sigstr));
+ key = keythatsigned(&rrsig);
+ sig_format(&rrsig, sigstr, sizeof(sigstr));
if (key != NULL && issigningkey(key))
- expired = isc_serial_gt(now + cycle, sig.timeexpire);
+ expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
else
- expired = isc_serial_gt(now, sig.timeexpire);
+ expired = isc_serial_gt(now, rrsig.timeexpire);
- if (isc_serial_gt(sig.timesigned, sig.timeexpire)) {
- /* sig is dropped and not replaced */
- vbprintf(2, "\tsig by %s dropped - "
+ if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
"invalid validity period\n",
sigstr);
} else if (key == NULL && !future &&
- expecttofindkey(&sig.signer))
+ expecttofindkey(&rrsig.signer))
{
- /* sig is dropped and not replaced */
- vbprintf(2, "\tsig by %s dropped - "
- "private key not found\n",
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
+ "private dnskey not found\n",
sigstr);
} else if (key == NULL || future) {
- vbprintf(2, "\tsig by %s %s - key not found\n",
+ vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
expired ? "retained" : "dropped", sigstr);
if (!expired)
keep = ISC_TRUE;
} else if (issigningkey(key)) {
if (!expired && setverifies(name, set, key, &sigrdata))
{
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
- vbprintf(2, "\tsig by %s dropped - %s\n",
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
} else if (iszonekey(key)) {
if (!expired && setverifies(name, set, key, &sigrdata))
{
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
wassignedby[key->position] = ISC_TRUE;
nowsignedby[key->position] = ISC_TRUE;
} else {
- vbprintf(2, "\tsig by %s dropped - %s\n",
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr,
expired ? "expired" :
"failed to verify");
wassignedby[key->position] = ISC_TRUE;
}
} else if (!expired) {
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
} else {
- vbprintf(2, "\tsig by %s expired\n", sigstr);
+ vbprintf(2, "\trrsig by %s expired\n", sigstr);
}
if (keep) {
char keystr[KEY_FORMATSIZE];
key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tresigning with key %s\n", keystr);
+ vbprintf(1, "\tresigning with dnskey %s\n", keystr);
isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b);
nowsignedby[key->position] = ISC_TRUE;
}
dns_rdata_reset(&sigrdata);
- dns_rdata_freestruct(&sig);
+ dns_rdata_freestruct(&rrsig);
result = dns_rdataset_next(&sigset);
}
if (result == ISC_R_NOMORE)
continue;
key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tsigning with key %s\n", keystr);
+ vbprintf(1, "\tsigning with dnskey %s\n", keystr);
dns_rdata_init(&trdata);
isc_buffer_init(&b, array, sizeof(array));
signwithkey(name, set, &trdata, key->key, &b);
return (result);
}
- vbprintf(2, "found KEY records\n");
+ vbprintf(2, "found DNSKEY records\n");
result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion");
/*
* Signs all records at a name. This mostly just signs each set individually,
- * but also adds the SIG bit to any NSECs generated earlier, deals with
+ * but also adds the RRSIG bit to any NSECs generated earlier, deals with
* parent/child KEY signatures, and handles other exceptional cases.
*/
static void
dns_rdataset_disassociate(&sigdsset);
} else if (dns_rdataset_isassociated(&sigdsset)) {
result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds);
+ gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds);
check_result(result, "dns_db_deleterdataset");
dns_rdataset_disassociate(&sigdsset);
}
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
- /* If this is a SIG set, skip it. */
+ /* If this is a RRSIG set, skip it. */
if (rdataset.type == dns_rdatatype_rrsig)
goto skip;
if (rdataset.type != dns_rdatatype_nsec &&
rdataset.type != dns_rdatatype_ds)
goto skip;
-#if 0
- /*
- * The current draft allows DS not at a zone cut.
- * This is a bad idea. Update once the RFC is published.
- * XXXMPA.
- */
} else if (rdataset.type == dns_rdatatype_ds) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': found DS RRset without NS RRset\n",
namebuf);
-#endif
}
signset(&diff, node, name, &rdataset);
}
/*
- * Delete any SIG records at a node.
+ * Delete any RRSIG records at a node.
*/
static void
cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
dns_db_detachnode(db, &node);
dns_db_closeversion(db, ¤tversion, ISC_FALSE);
if (!have_non_ksk && !ignoreksk)
- fprintf(stderr,
- "%s: warning: No non-KSK key found. Supply non-KSK key or use '-z'.\n",
+ fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
+ "Supply non-KSK dnskey or use '-z'.\n",
program);
}
fprintf(stderr, "\t-g:\t");
fprintf(stderr, "generate DS records from keyset files\n");
fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
- fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
+ fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
- fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
+ fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
"(now + 30 days)\n");
fprintf(stderr, "\t-i interval:\n");
fprintf(stderr, "\t\tcycle interval - resign "
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
+ fprintf(stderr, "\t-z:\t");
+ fprintf(stderr, "ignore KSK flag in DNSKEYs");
fprintf(stderr, "\n");
DST_TYPE_PRIVATE,
mctx, &newkey);
if (result != ISC_R_SUCCESS)
- fatal("cannot load key %s: %s", argv[i],
+ fatal("cannot load dnskey %s: %s", argv[i],
isc_result_totext(result));
key = ISC_LIST_HEAD(keylist);
{
if (!dst_key_isprivate(dkey))
fatal("cannot sign zone with "
- "non-private key %s",
+ "non-private dnskey %s",
argv[i]);
break;
}
DST_TYPE_PRIVATE,
mctx, &newkey);
if (result != ISC_R_SUCCESS)
- fatal("cannot load key %s: %s", dskeyfile[i],
+ fatal("cannot load dnskey %s: %s", dskeyfile[i],
isc_result_totext(result));
key = ISC_LIST_HEAD(keylist);
key = ISC_LIST_NEXT(key, link);
}
if (key == NULL) {
- /* Override key flags. */
+ /* Override dnskey flags. */
key = newkeystruct(newkey, ISC_TRUE);
key->isksk = ISC_TRUE;
key->isdsk = ISC_FALSE;
projects / thirdparty / bind9.git / commitdiff
