+ --- 9.7.0a3 released ---
+
+2668. [func] Several improvements to dnssec-* tools, including:
+ - dnssec-keygen and dnssec-settime can now set key
+ metadata fields 0 (to unset a value, use "none")
+ - dnssec-revoke sets the revocation date in
+ addition to the revoke bit
+ - dnssec-settime can now print individual metadata
+ fields instead of always printing all of them,
+ and can print them in unix epoch time format for
+ use by scripts
+ [RT #19942]
+
2667. [func] Add support for logging stack backtrace on assertion
failure (not available for all platforms). [RT #19780]
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.90 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: dnssec-keygen.c,v 1.91 2009/09/02 06:29:00 each Exp $ */
/*! \file */
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t unpublish = 0, delete = 0;
isc_stdtime_t now;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
if (argc == 1)
usage();
/* already the default */
break;
case 'P':
- publish = strtotime(isc_commandline_argument,
- now, now);
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setpub = ISC_TRUE;
+ publish = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetpub = ISC_TRUE;
+ }
break;
case 'A':
- activate = strtotime(isc_commandline_argument,
- now, now);
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setact = ISC_TRUE;
+ activate = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetact = ISC_TRUE;
+ }
break;
case 'R':
- revoke = strtotime(isc_commandline_argument,
- now, now);
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setrev = ISC_TRUE;
+ revoke = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetrev = ISC_TRUE;
+ }
break;
case 'U':
- unpublish = strtotime(isc_commandline_argument,
- now, now);
+ if (setunpub || unsetunpub)
+ fatal("-U specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setunpub = ISC_TRUE;
+ unpublish = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetunpub = ISC_TRUE;
+ }
break;
case 'D':
- delete = strtotime(isc_commandline_argument,
- now, now);
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setdel = ISC_TRUE;
+ delete = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetdel = ISC_TRUE;
+ }
break;
case 'F':
/* Reserved for FIPS mode */
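Review bot: The `none` test is written as a bare truth value, `if (strcasecmp(isc_commandline_argument, "none"))`, while the matching cases in dnssec-settime in this same diff use the negated form `if (!strcasecmp(...))`, so the two tools read with opposite polarity for the same decision; spelling it out as `if (strcasecmp(isc_commandline_argument, "none") != 0) {` in the five cases (-P, -A, -R, -U, -D) makes the branch sense visible. The five cases are otherwise identical apart from the flag pair and the target variable, so a small static helper taking those by pointer would remove the duplication. The option loop starts and ends outside the hunk.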
dst_key_setbits(key, dbits);
/*
- * Set key timing metadata
+ * Set key timing metadata (unless using -C)
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
- dst_key_settime(key, DST_TIME_PUBLISH, publish);
- dst_key_settime(key, DST_TIME_ACTIVATE, activate);
- dst_key_settime(key, DST_TIME_REVOKE, revoke);
- dst_key_settime(key, DST_TIME_REMOVE, unpublish);
- dst_key_settime(key, DST_TIME_DELETE, delete);
- } else if (publish != 0 || activate != 0 || revoke != 0 ||
- unpublish != 0 || delete != 0) {
- fatal("cannot use -C together with "
- "-P, -A, -R, -U, or -D options");
+
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH,
+ publish);
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE,
+ activate);
+ if (setrev)
+ dst_key_settime(key, DST_TIME_REVOKE,
+ revoke);
+ if (setunpub)
+ dst_key_settime(key, DST_TIME_UNPUBLISH,
+ unpublish);
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE,
+ delete);
+ } else {
+ if (setpub || setact || setrev || setunpub ||
+ setdel || unsetpub || unsetact ||
+ unsetrev || unsetunpub || unsetdel)
+ fatal("cannot use -C together with "
+ "-P, -A, -R, -U, or -D options");
+ /*
+ * Compatibility mode: Private-key-format
+ * should be set to 1.2.
+ */
+ dst_key_setprivateformat(key, 1, 2);
}
/*
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.26 2009/08/28 21:47:02 each Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.27 2009/09/02 06:29:00 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
- an offset from the present time. If such an offset is followed
- by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
- offset is computed in years, months, weeks, days, or hours,
- respectively; otherwise it is computed in seconds.
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
</para>
<variablelist>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-revoke.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
+/* $Id: dnssec-revoke.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
/*! \file */
flags = dst_key_flags(key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+ isc_stdtime_t now;
+
+ isc_stdtime_get(&now);
+ dst_key_settime(key, DST_TIME_REVOKE, now);
+
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
isc_buffer_init(&buf, newname, sizeof(newname));
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-settime.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
+/* $Id: dnssec-settime.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
/*! \file */
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
- fprintf(stderr, "Options:\n");
+ fprintf(stderr, "General options:\n");
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
- fprintf(stderr, " -h: help\n");
- fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, " -h: help\n");
fprintf(stderr, "Timing options:\n");
- fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
- fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
- fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
- fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
- fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
+ "publication date\n");
+ fprintf(stderr, " -A date/[+-]offset/none: set key "
+ "activation date\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set key "
+ "revocation date\n");
+ fprintf(stderr, " -U date/[+-]offset/none: set key "
+ "unpublication date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set key "
+ "deletion date\n");
+ fprintf(stderr, "Printing options:\n");
+ fprintf(stderr, " -p C/P/A/R/U/D/all: print a particular time "
+ "value or values "
+ "[default: all]\n");
+ fprintf(stderr, " -u: print times in unix epoch "
+ "format\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
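Review bot: The new help text is inconsistent about `none`: `-P` is described as `set/unset key publication date`, but `-A`, `-R`, `-U` and `-D`, which accept `none` in exactly the same way further down this file, still say only `set key ... date`. Use the same wording for all five, e.g. `" -A date/[+-]offset/none: set/unset key "` followed by `"activation date\n"`. The `-p` line could also mention that several letters may be combined, which the parser allows.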
}
static void
-printtime(dst_key_t *key, int type, const char *tag, FILE *stream) {
+printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
+ FILE *stream)
+{
isc_result_t result;
- time_t when;
- const char *output;
+ const char *output = NULL;
+ isc_stdtime_t when;
- result = dst_key_gettime(key, type, (isc_stdtime_t *) &when);
- if (result == ISC_R_NOTFOUND || when == 0) {
- fprintf(stream, "%s: NOT SET\n", tag);
- return;
- }
+ if (tag != NULL)
+ fprintf(stream, "%s: ", tag);
- output = ctime(&when);
- fprintf(stream, "%s: %s", tag, output);
+ result = dst_key_gettime(key, type, &when);
+ if (result == ISC_R_NOTFOUND) {
+ fprintf(stream, "UNSET\n");
+ } else if (epoch) {
+ fprintf(stream, "%d\n", (int) when);
+ } else {
+ time_t time = when;
+ output = ctime(&time);
+ fprintf(stream, "%s", output);
+ }
}
int
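Review bot: The epoch branch casts `when`, an `isc_stdtime_t` (unsigned 32-bit seconds), to `int` and prints it with `%d`, so any date from 2038 onwards is printed as a negative number although the stored value is correct; `fprintf(stream, "%u\n", (unsigned int) when);` prints the full range. In the other branch the `ctime()` result goes to `%s` unchecked, and `ctime()` returns NULL for a time it cannot represent, which is undefined behaviour in `fprintf`; guard it, e.g. `fprintf(stream, "%s", output != NULL ? output : "INVALID\n");`. With that, `output` only needs scope inside that branch rather than at function level.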
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[KEY_FORMATSIZE];
- char *endp;
+ char *endp, *p;
int ch;
isc_entropy_t *ectx = NULL;
dst_key_t *key = NULL;
isc_buffer_t buf;
- isc_stdtime_t now, when;
+ int major, minor;
+ isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
+ isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
+ isc_boolean_t printunpub = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t forceupdate = ISC_FALSE;
- isc_boolean_t print = ISC_TRUE;
+ isc_boolean_t epoch = ISC_FALSE;
+ isc_boolean_t changed = ISC_FALSE;
if (argc == 1)
usage();
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
- "fK:hv:P:A:R:U:D:")) != -1) {
+ "fK:uhp:v:P:A:R:U:D:")) != -1) {
switch (ch) {
case 'f':
forceupdate = ISC_TRUE;
break;
+ case 'p':
+ p = isc_commandline_argument;
+ if (!strcasecmp(p, "all")) {
+ printcreate = ISC_TRUE;
+ printpub = ISC_TRUE;
+ printact = ISC_TRUE;
+ printrev = ISC_TRUE;
+ printunpub = ISC_TRUE;
+ printdel = ISC_TRUE;
+ break;
+ }
+
+ do {
+ switch (*p++) {
+ case 'C':
+ printcreate = ISC_TRUE;
+ break;
+ case 'P':
+ printpub = ISC_TRUE;
+ break;
+ case 'A':
+ printact = ISC_TRUE;
+ break;
+ case 'R':
+ printrev = ISC_TRUE;
+ break;
+ case 'U':
+ printunpub = ISC_TRUE;
+ break;
+ case 'D':
+ printdel = ISC_TRUE;
+ break;
+ case ' ':
+ break;
+ default:
+ usage();
+ break;
+ }
+ } while (*p != '\0');
+ break;
+ case 'u':
+ epoch = ISC_TRUE;
+ break;
case 'K':
/*
* We don't have to copy it here, but do it to
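Review bot: The letter loop for `-p` reads `*p++` before testing for the terminator, so it relies on `usage()` not returning: with an empty argument `p` is advanced past the NUL in the `default:` case and the `while (*p != '\0')` test then reads one byte beyond the string. A `for (; *p != '\0'; p++) switch (*p) { ... }` form handles the empty string without that dependency and makes the `case ' ':` skip obvious. Repeated letters are silently accepted, which is harmless but deserves a one-line comment. The enclosing `switch` starts and ends outside the hunk.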
fatal("-v must be followed by a number");
break;
case 'P':
- print = ISC_FALSE;
- setpub = ISC_TRUE;
- pub = strtotime(isc_commandline_argument, now, now);
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetpub = ISC_TRUE;
+ } else {
+ setpub = ISC_TRUE;
+ pub = strtotime(isc_commandline_argument,
+ now, now);
+ }
break;
case 'A':
- print = ISC_FALSE;
- setact = ISC_TRUE;
- act = strtotime(isc_commandline_argument, now, now);
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetact = ISC_TRUE;
+ } else {
+ setact = ISC_TRUE;
+ act = strtotime(isc_commandline_argument,
+ now, now);
+ }
break;
case 'R':
- print = ISC_FALSE;
- setrev = ISC_TRUE;
- rev = strtotime(isc_commandline_argument, now, now);
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetrev = ISC_TRUE;
+ } else {
+ setrev = ISC_TRUE;
+ rev = strtotime(isc_commandline_argument,
+ now, now);
+ }
break;
case 'U':
- print = ISC_FALSE;
- setunpub = ISC_TRUE;
- unpub = strtotime(isc_commandline_argument, now, now);
+ if (setunpub || unsetunpub)
+ fatal("-U specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetunpub = ISC_TRUE;
+ } else {
+ setunpub = ISC_TRUE;
+ unpub = strtotime(isc_commandline_argument,
+ now, now);
+ }
break;
case 'D':
- print = ISC_FALSE;
- setdel = ISC_TRUE;
- del = strtotime(isc_commandline_argument, now, now);
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetdel = ISC_TRUE;
+ } else {
+ setdel = ISC_TRUE;
+ del = strtotime(isc_commandline_argument,
+ now, now);
+ }
break;
case '?':
if (isc_commandline_option != '?')
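Review bot: The five timing cases (-P, -A, -R, -U, -D) are the same eleven lines repeated with only the option letter, the set/unset flag pair and the target time changed, which is the kind of duplication that let the usage text for these options drift apart elsewhere in this diff; a static helper taking the flags and the target by pointer keeps the "specified more than once" check, the `none` handling and the `changed` update in one place. The `switch` and its enclosing `while` start and end outside the hunk.
```c
/*
 * Handle one timing option: "none" clears the date, anything else is
 * parsed with strtotime().  Each option may be given only once.
 */
static void
settimeopt(char opt, const char *arg, isc_stdtime_t now,
	   isc_boolean_t *set, isc_boolean_t *unset, isc_stdtime_t *when,
	   isc_boolean_t *changed)
{
	if (*set || *unset)
		fatal("-%c specified more than once", opt);

	*changed = ISC_TRUE;
	if (!strcasecmp(arg, "none"))
		*unset = ISC_TRUE;
	else {
		*set = ISC_TRUE;
		*when = strtotime(arg, now, now);
	}
}

		/* … unchanged: earlier option cases … */
		case 'P':
			settimeopt('P', isc_commandline_argument, now,
				   &setpub, &unsetpub, &pub, &changed);
			break;
		/* … likewise for 'A', 'R', 'U' and 'D' … */
```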
key_format(key, keystr, sizeof(keystr));
/* Is this an old-style key? */
- result = dst_key_gettime(key, DST_TIME_CREATED, &when);
- if (result == ISC_R_NOTFOUND) {
- if (forceupdate)
+ dst_key_getprivateformat(key, &major, &minor);
+ if (major <= 1 && minor <= 2) {
+ if (forceupdate) {
+ /*
+ * Updating to new-style key: set
+ * Private-key-format to 1.3
+ */
+ dst_key_setprivateformat(key, 1, 3);
dst_key_settime(key, DST_TIME_CREATED, now);
- else
+ } else
fatal("Incompatible key %s, "
- "use -f force update.", keystr);
+ "use -f to force update.", keystr);
}
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
- if (print) {
- printtime(key, DST_TIME_CREATED, "Created", stdout);
- printtime(key, DST_TIME_PUBLISH, "Publish", stdout);
- printtime(key, DST_TIME_ACTIVATE, "Activate", stdout);
- printtime(key, DST_TIME_REVOKE, "Revoke", stdout);
- printtime(key, DST_TIME_REMOVE, "Remove", stdout);
- printtime(key, DST_TIME_DELETE, "Delete", stdout);
- } else {
- if (setpub)
- dst_key_settime(key, DST_TIME_PUBLISH, pub);
-
- if (setact)
- dst_key_settime(key, DST_TIME_ACTIVATE, act);
-
- if (setrev)
- dst_key_settime(key, DST_TIME_REVOKE, rev);
-
- if (setunpub)
- dst_key_settime(key, DST_TIME_REMOVE, unpub);
-
- if (setdel)
- dst_key_settime(key, DST_TIME_DELETE, del);
-
+ /*
+ * Set time values.
+ */
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, pub);
+ else if (unsetpub)
+ dst_key_unsettime(key, DST_TIME_PUBLISH);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, act);
+ else if (unsetact)
+ dst_key_unsettime(key, DST_TIME_ACTIVATE);
+
+ if (setrev) {
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
+ fprintf(stderr, "%s: warning: Key %s is already "
+ "revoked; changing the revocation date "
+ "will not affect this.\n",
+ program, keystr);
+ dst_key_settime(key, DST_TIME_REVOKE, rev);
+ } else if (unsetrev) {
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+ fprintf(stderr, "%s: warning: Key %s is already "
+ "revoked; removing the revocation date "
+ "will not affect this.\n",
+ program, keystr);
+ dst_key_unsettime(key, DST_TIME_REVOKE);
+ }
+
+ if (setunpub)
+ dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
+ else if (unsetunpub)
+ dst_key_unsettime(key, DST_TIME_UNPUBLISH);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, del);
+ else if (unsetdel)
+ dst_key_unsettime(key, DST_TIME_DELETE);
+
+ /*
+ * Print out time values, if -p was used.
+ */
+ if (printcreate)
+ printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
+
+ if (printpub)
+ printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
+
+ if (printact)
+ printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
+
+ if (printrev)
+ printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
+
+ if (printunpub)
+ printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
+
+ if (printdel)
+ printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
+
+ if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
&buf);
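Review bot: The `-f` upgrade path (`dst_key_setprivateformat(key, 1, 3)` and the `DST_TIME_CREATED` store) never sets `changed`, yet the file is only rebuilt under `if (changed)` at the end of the hunk, so `dnssec-settime -f keyfile` with no timing option appears to update the key in memory and exit without writing it; adding `changed = ISC_TRUE;` after the `dst_key_settime(key, DST_TIME_CREATED, now);` line fixes that, unless a write happens outside the hunk. The legacy test `major <= 1 && minor <= 2` also classifies a 0.0 format (the value dst.h in this diff documents for a key with no private part) as legacy, while dnssec.c in this same diff uses `major == 1 && minor <= 2`; the two should agree. The two `warning:` `fprintf` calls for `-R` run past 80 columns, unlike the rest of the file. main() starts and ends outside the hunk.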
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-settime.docbook,v 1.2 2009/07/19 04:18:04 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.3 2009/09/02 06:29:00 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
- an offset from the present time. If such an offset is followed
- by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
- offset is computed in years, months, weeks, days, or hours,
- respectively; otherwise it is computed in seconds.
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds. To unset a date, use 'none'.
</para>
<variablelist>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>PRINTING OPTIONS</title>
+ <para>
+ <command>dnssec-settime</command> can also be used to print the
+ timing metadata associated with a key.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-u</term>
+ <listitem>
+ <para>
+ Print times in UNIX epoch format.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>
+ <listitem>
+ <para>
+ Print a specific metadata value or set of metadata values.
+ The <option>-p</option> option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ <option>C</option> for the creation date,
+ <option>P</option> for the publication date,
+ <option>A</option> for the activation date,
+ <option>R</option> for the revokation date,
+ <option>U</option> for the unpublication date, or
+ <option>D</option> for the deletion date.
+ To print all of the metadata, use <option>-p all</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.228 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: dnssec-signzone.c,v 1.229 2009/09/02 06:29:00 each Exp $ */
/*! \file */
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
static dns_ttl_t zone_soa_min_ttl;
+static dns_ttl_t soa_ttl;
static FILE *fp;
static char *tempfile = NULL;
static const dns_master_style_t *masterstyle;
static unsigned int hash_length = 0;
static isc_boolean_t unknownalg = ISC_FALSE;
static isc_boolean_t disable_zone_check = ISC_FALSE;
-static int keyttl = 3600;
+static isc_boolean_t set_keyttl = ISC_FALSE;
+static dns_ttl_t keyttl;
#define INCSTAT(counter) \
if (printstats) { \
}
/*%
- * Extracts the minimum TTL from the SOA.
+ * Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
*/
-static dns_ttl_t
-soa_min_ttl(void) {
+static void
+get_soa_ttls(void) {
dns_rdataset_t soaset;
dns_fixedname_t fname;
dns_name_t *name;
isc_result_t result;
- dns_ttl_t ttl;
dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
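Review bot: The new header comment says what is extracted but not where it goes, and since the function changed from returning a value to writing file-scope state that is the part a caller needs: `/*% Extracts the minimum TTL from the SOA record and the SOA record's own TTL, storing them in zone_soa_min_ttl and soa_ttl. */`. Both stores are visible in the next hunk of this file.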
result = dns_rdataset_first(&soaset);
check_result(result, "dns_rdataset_first");
dns_rdataset_current(&soaset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- check_result(result, "dns_rdata_tostruct");
- ttl = soa.minimum;
+ zone_soa_min_ttl = dns_soa_getminimum(&rdata);
+ soa_ttl = soaset.ttl;
dns_rdataset_disassociate(&soaset);
- return (ttl);
}
/*%
&rdataset, NULL);
if (result == ISC_R_SUCCESS) {
+ if (set_keyttl && keyttl != rdataset.ttl) {
+ fprintf(stderr, "User-specified TTL (%d) conflicts "
+ "with existing DNSKEY RRset TTL.\n",
+ keyttl);
+ fprintf(stderr, "Imported keys will use the RRSet "
+ "TTL (%d) instead.\n",
+ rdataset.ttl);
+ }
keyttl = rdataset.ttl;
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
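Review bot: `keyttl` is now a `dns_ttl_t` and `rdataset.ttl` has the same type, but both are printed with `%d`; the specifier must match the argument type, so use `%u` with an `(unsigned int)` cast, e.g. `(unsigned int) keyttl);` and `(unsigned int) rdataset.ttl);`. The same mismatch occurs in the `fatal()` call in the next hunk of this file, where `key1->prepublish` (declared `unsigned int` in dnssec.h in this diff) and `keyttl` are also passed for `%d`. The enclosing function starts and ends outside the hunk.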
make_dnskey(key1->key, &dnskey);
alg_format(dst_key_alg(key1->key), alg, sizeof(alg));
- fprintf(stderr, "Fetching %s %d/%s from key %s.\n",
+ fprintf(stderr, "Fetching %s %d/%s from key %s\n",
isksk(key1) ?
(iszsk(key1) ? "KSK/ZSK" : "KSK") :
"ZSK",
"file" :
"repository");
+ if (key1->prepublish && keyttl > key1->prepublish) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key1->key, keystr, sizeof(keystr));
+ fatal("Key %s is scheduled to\n"
+ "become active in %d seconds. "
+ "This is less than the DNSKEY TTL\n"
+ "value of %d seconds. Reduce "
+ "the TTL, or change the activation\n"
+ "date of the key using "
+ "'dnssec-settime -A'.",
+ keystr, key1->prepublish, keyttl);
+ }
+
/* add key to the zone */
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
gorigin, keyttl,
case 'T':
endp = NULL;
- keyttl = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0')
- fatal("key TTL must be numeric");
+ set_keyttl = ISC_TRUE;
+ keyttl = strtottl(isc_commandline_argument);
break;
case 't':
isc_stdtime_get(&now);
if (startstr != NULL) {
- if (startstr[0] == '-' || strncmp(startstr, "now-", 4) == 0)
- fatal("time value %s is invalid", startstr);
starttime = strtotime(startstr, now, now);
} else
starttime = now - 3600; /* Allow for some clock skew. */
if (endstr != NULL) {
- if (endstr[0] == '-' || strncmp(endstr, "now-", 4) == 0)
- fatal("time value %s is invalid", endstr);
endtime = strtotime(endstr, now, starttime);
} else
endtime = starttime + (30 * 24 * 60 * 60);
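Review bot: Removing the two guards means a start or end time of the form `-N` or `now-N` is now accepted, and nothing in the hunk replaces them; in particular `endtime` is computed relative to `starttime` via `strtotime(endstr, now, starttime)`, so `-e -1d` yields an end before the start, which the docbook change in this same diff says must not happen. Unless that ordering check exists outside the hunk, add `if (endtime <= starttime) fatal("end time %s is not later than start time", endstr);` after the `endtime` computation. The enclosing function starts and ends outside the hunk.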
loadzone(file, origin, rdclass, &gdb);
gorigin = dns_db_origin(gdb);
gclass = dns_db_class(gdb);
- zone_soa_min_ttl = soa_min_ttl();
+ get_soa_ttls();
+
+ if (!set_keyttl)
+ keyttl = soa_ttl;
if (IS_NSEC3) {
isc_boolean_t answer;
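Review bot: When `-T` is not given, `keyttl` is set to `soa_ttl`, the TTL of the SOA record itself, but the docbook text for `-T` in this same diff says the default is the minimum TTL from the zone's SOA record, which is `zone_soa_min_ttl`; one of the two is wrong. If the SOA's own TTL is intended (it is what `get_soa_ttls()` now collects for this purpose), fix the manual; otherwise the line should read `keyttl = zone_soa_min_ttl;`. A one-line comment on the assignment, `/* default DNSKEY TTL follows the SOA record's TTL */`, would prevent the next drift.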
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.35 2009/07/19 04:18:04 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.36 2009/09/02 06:29:00 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-C</term>
+ <listitem>
+ <para>
+ Compatibility mode: Generate a
+ <filename>keyset-<replaceable>zonename</replaceable></filename>
+ file in addition to
+ <filename>dsset-<replaceable>zonename</replaceable></filename>
+ when signing a zone, for use by older versions of
+ <command>dnssec-signzone</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
+ <option>end-time</option> must be later than
+ <option>start-time</option>.
</para>
</listitem>
</varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
- Specifies the TTL of new DNSKEY records imported to the zone
- from the key repository. Only useful with the -S option.
+ Specifies the TTL to be used for new DNSKEY records imported
+ into the zone from the key repository. If not specified,
+ the default is the minimum TTL value from the zone's SOA
+ record. This option is ignored when signing without
+ <option>-S</option>, since DNSKEY records are not imported
+ from the key repository in that case. It is also ignored if
+ there are any pre-existing DNSKEY records at the zone apex,
+ in which case new records' TTL values will be set to match
+ them.
</para>
</listitem>
</varlistentry>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.50 2009/08/13 04:13:58 marka Exp $ */
+/* $Id: dnssectool.c,v 1.51 2009/09/02 06:29:01 each Exp $ */
/*! \file */
}
static isc_stdtime_t
-time_units(isc_stdtime_t offset, char suffix, const char *str) {
- switch(suffix) {
+time_units(isc_stdtime_t offset, char *suffix, const char *str) {
+ switch (suffix[0]) {
case 'Y': case 'y':
return (offset * (365 * 24 * 3600));
case 'M': case 'm':
- return (offset * (30 * 24 * 3600));
+ switch (suffix[1]) {
+ case 'O': case 'o':
+ return (offset * (30 * 24 * 3600));
+ case 'I': case 'i':
+ return (offset * 60);
+ case '\0':
+ fatal("'%s' ambiguous: use 'mi' for minutes "
+ "or 'mo' for months", str);
+ default:
+ fatal("time value %s is invalid", str);
+ }
+ break;
case 'W': case 'w':
return (offset * (7 * 24 * 3600));
case 'D': case 'd':
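Review bot: `suffix` is only read, so the new signature should take `const char *suffix`, which also lets the callers keep their pointers const. The two-letter match checks `suffix[1]` but never `suffix[2]`, so `+1moxyz` and `+1mix` are accepted as months and minutes unless the caller rejects trailing text outside the hunk; adding `if (suffix[2] != '\0') fatal("time value %s is invalid", str);` before the two returns closes that. Since a bare `m`, which this function previously took as months, is now a fatal error, the behaviour change deserves a line in CHANGES.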
return(0); /* silence compiler warning */
}
+dns_ttl_t
+strtottl(const char *str) {
+ const char *orig = str;
+ dns_ttl_t ttl;
+ char *endp;
+
+ ttl = strtol(str, &endp, 0);
+ if (ttl == 0 && endp == str)
+ fatal("TTL must be numeric");
+ ttl = time_units(ttl, endp, orig);
+ return (ttl);
+}
+
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
isc_int64_t val, offset;
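Review bot: `strtottl()` converts with `strtol()` into a `long` and assigns the result to the unsigned `dns_ttl_t`, so `-T -1` is accepted and becomes a TTL of 4294967295, and an out-of-range literal is not detected because `errno` is never checked; the `ttl == 0 && endp == str` test is also just `endp == str`, since `strtol()` returns 0 exactly when no digits were consumed. Reject negative and oversized input before scaling, as below, and bound the scaled value to the RFC 2181 TTL maximum of 2^31-1; this needs `<errno.h>`, to be added if the file does not already include it. The unit multiplication in `time_units()` is still 32-bit unsigned, so a very large suffixed value can wrap before the final bound is applied; a 64-bit intermediate there would close that last gap.
```c
dns_ttl_t
strtottl(const char *str) {
	const char *orig = str;
	long val;
	isc_stdtime_t ttl;
	char *endp;

	errno = 0;
	val = strtol(str, &endp, 0);
	if (endp == str || val < 0 || errno == ERANGE)
		fatal("TTL must be a non-negative number");
	if (val > 0x7fffffffL)
		fatal("TTL %s is too large", orig);
	ttl = time_units((isc_stdtime_t) val, endp, orig);
	if (ttl > 0x7fffffffU)
		fatal("TTL %s is too large", orig);
	return ((dns_ttl_t) ttl);
}
```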
return ((isc_stdtime_t) base);
else if (str[0] == '+') {
offset = strtol(str + 1, &endp, 0);
- offset = time_units(offset, *endp, orig);
+ offset = time_units(offset, endp, orig);
val = base + offset;
} else if (str[0] == '-') {
offset = strtol(str + 1, &endp, 0);
- offset = time_units(offset, *endp, orig);
+ offset = time_units(offset, endp, orig);
val = base - offset;
} else if (strlen(str) == 8U) {
char timestr[15];
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: dnssectool.h,v 1.23 2009/09/02 06:29:01 each Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
void
cleanup_entropy(isc_entropy_t **ectx);
+dns_ttl_t strtottl(const char *str);
+
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
*/
/*
- * $Id: dnssec.c,v 1.98 2009/07/19 23:47:55 tbox Exp $
+ * $Id: dnssec.c,v 1.99 2009/09/02 06:29:01 each Exp $
*/
/*! \file */
dns_dnsseckey_t **dkp)
{
isc_result_t result;
- isc_stdtime_t when;
dns_dnsseckey_t *dk;
+ int major, minor;
REQUIRE(dkp != NULL && *dkp == NULL);
dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
dk->hint_publish = ISC_FALSE;
dk->hint_sign = ISC_FALSE;
dk->hint_remove = ISC_FALSE;
+ dk->prepublish = 0;
dk->source = dns_keysource_unknown;
dk->index = 0;
dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
/* Is this an old-style key? */
- result = dst_key_gettime(dk->key, DST_TIME_CREATED, &when);
- dk->legacy = ISC_TF(result != ISC_R_SUCCESS);
+ result = dst_key_getprivateformat(dk->key, &major, &minor);
+ dk->legacy = ISC_TF(major == 1 && minor <= 2);
ISC_LINK_INIT(dk, link);
*dkp = dk;
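Review bot: `result` receives the `dst_key_getprivateformat()` return but is never examined afterwards in the hunk, and nothing else in the visible function uses it, so the variable is now set but unused; drop the assignment or check it. The legacy test `major == 1 && minor <= 2` leaves a key whose format is 0.0 (what dst.h in this diff says is reported when no private part is associated) classified as non-legacy, whereas dnssec-settime in this same diff treats `major <= 1 && minor <= 2` as legacy; pick one rule for both places and add a short comment here saying what "old-style" means. The function starts and ends outside the hunk.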
static void
get_hints(dns_dnsseckey_t *key) {
isc_result_t result;
- isc_stdtime_t now, publish, active, revoke, remove, delete;
+ isc_stdtime_t now, publish, active, revoke, unpublish, delete;
isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
isc_boolean_t delset = ISC_FALSE;
if (result == ISC_R_SUCCESS)
revset = ISC_TRUE;
- result = dst_key_gettime(key->key, DST_TIME_REMOVE, &remove);
+ result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
if (result == ISC_R_SUCCESS)
remset = ISC_TRUE;
if (actset && !pubset)
key->hint_publish = ISC_TRUE;
+ /*
+ * If activation date is in the future, make note of how far off
+ */
+ if (key->hint_publish && actset && active > now) {
+ key->prepublish = active - now;
+ }
+
/*
* Metadata says revoke. If the key is published,
* we *have to* sign with it per RFC5011--even if it was
}
/*
- * Metadata says remove or delete, so don't publish
+ * Metadata says unpublish or delete, so don't publish
* this key or sign with it.
*/
- if ((remset && remove < now) ||
+ if ((remset && unpublish < now) ||
(delset && delete < now)) {
key->hint_publish = ISC_FALSE;
key->hint_sign = ISC_FALSE;
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.27 2009/09/01 00:22:26 jinmei Exp $
+ * $Id: dst_api.c,v 1.28 2009/09/02 06:29:01 each Exp $
*/
/*! \file */
REQUIRE(VALID_KEY(key));
REQUIRE(timep != NULL);
REQUIRE(type <= DST_MAX_TIMES);
- if (key->times[type] == 0)
+ if (!key->timeset[type])
return (ISC_R_NOTFOUND);
*timep = key->times[type];
return (ISC_R_SUCCESS);
REQUIRE(VALID_KEY(key));
REQUIRE(type <= DST_MAX_TIMES);
key->times[type] = when;
+ key->timeset[type] = ISC_TRUE;
+}
+
+void
+dst_key_unsettime(dst_key_t *key, int type) {
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(type <= DST_MAX_TIMES);
+ key->timeset[type] = ISC_FALSE;
+}
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(majorp != NULL);
+ REQUIRE(minorp != NULL);
+ *majorp = key->fmt_major;
+ *minorp = key->fmt_minor;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
+ REQUIRE(VALID_KEY(key));
+ key->fmt_major = major;
+ key->fmt_minor = minor;
}
isc_boolean_t
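Review bot: `dst_key_unsettime()` copies the `REQUIRE(type <= DST_MAX_TIMES)` guard from `dst_key_settime()`, but `type` is a signed `int`, so a negative value passes the check and indexes `key->timeset[]` before the array; make the new function's precondition `REQUIRE(type >= 0 && type <= DST_MAX_TIMES);`, and the existing `settime`/`gettime` guards could be tightened the same way. `dst_key_getprivateformat()` is declared `isc_result_t` but has no failure path, and both callers in this diff discard the result, so either document that it always returns `ISC_R_SUCCESS` or make it `void` to match `dst_key_setprivateformat()`.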
{
dst_key_t *key;
isc_result_t result;
+ int i;
key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
if (key == NULL)
key->key_alg = alg;
key->key_flags = flags;
key->key_proto = protocol;
- memset(key->times, 0, sizeof(key->times));
key->mctx = mctx;
key->keydata.generic = NULL;
key->key_size = bits;
key->key_class = rdclass;
key->func = dst_t_func[alg];
+ key->fmt_major = 0;
+ key->fmt_minor = 0;
+ for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
+ key->times[i] = 0;
+ key->timeset[i] = ISC_FALSE;
+ }
return (key);
}
printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
- printtime(key, DST_TIME_REMOVE, "; Remove", fp);
+ printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
printtime(key, DST_TIME_DELETE, "; Delete", fp);
}
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.15 2009/07/19 04:18:05 each Exp $ */
+/* $Id: dst_internal.h,v 1.16 2009/09/02 06:29:01 each Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
} keydata; /*%< pointer to key in crypto pkg fmt */
isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< key timing metadata */
+ isc_boolean_t timeset[DST_MAX_TIMES + 1]; /*%< metadata set? */
+
+ int fmt_major; /*%< private key format, major version */
+ int fmt_minor; /*%< private key format, minor version */
+
dst_func_t * func; /*%< crypto package specific functions */
};
/*%
* Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.19 2009/07/19 23:47:55 tbox Exp $
+ * $Id: dst_parse.c,v 1.20 2009/09/02 06:29:01 each Exp $
*/
#include <config.h>
"Publish:",
"Activate:",
"Revoke:",
- "Remove:",
+ "Unpublish:",
"Delete:"
};
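Review bot: Renaming the on-disk tag from `Remove:` to `Unpublish:` changes the private-key file format without bumping the version number that `dst__privstruct_writefile()` emits, so a v1.3 file written by the previous alpha with a `Remove:` line will presumably no longer match this table when read back, unless the parser outside the hunk accepts both spellings. Either accept `Remove:` as an input alias or state in CHANGES that private-key files from the previous alpha must be regenerated.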
priv->nelements = 0;
}
-int
+isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv)
{
goto fail;
}
+ /*
+ * Store the private key format version number
+ */
+ dst_key_setprivateformat(key, major, minor);
+
READLINE(lex, opt, &token);
/*
return (ret);
}
-int
+isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory)
{
isc_stdtime_t when;
isc_buffer_t b;
isc_region_t r;
+ int major, minor;
REQUIRE(priv != NULL);
&access);
(void)isc_fsaccess_set(filename, access);
+ dst_key_getprivateformat(key, &major, &minor);
+ if (major == 0 && minor == 0) {
+ major = MAJOR_VERSION;
+ minor = MINOR_VERSION;
+ }
+
/* XXXDCL return value should be checked for full filesystem */
- fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
- MINOR_VERSION);
+ fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
+
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_RSAMD5:
}
/* Add the timing metadata tags */
- for (i = 0; i < METADATA_NTAGS; i++) {
- result = dst_key_gettime(key, i, &when);
- if (result != ISC_R_SUCCESS)
- continue;
-
- isc_buffer_init(&b, buffer, sizeof(buffer));
- result = dns_time32_totext(when, &b);
- if (result != ISC_R_SUCCESS)
- continue;
-
- isc_buffer_usedregion(&b, &r);
-
- fprintf(fp, "%s ", metatags[i]);
- fwrite(r.base, 1, r.length, fp);
- fprintf(fp, "\n");
+ if (major > 1 || (major == 1 && minor >= 3)) {
+ for (i = 0; i < METADATA_NTAGS; i++) {
+ result = dst_key_gettime(key, i, &when);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ isc_buffer_init(&b, buffer, sizeof(buffer));
+ result = dns_time32_totext(when, &b);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ isc_buffer_usedregion(&b, &r);
+
+ fprintf(fp, "%s ", metatags[i]);
+ fwrite(r.base, 1, r.length, fp);
+ fprintf(fp, "\n");
+ }
}
fflush(fp);
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_parse.h,v 1.13 2009/07/19 23:47:55 tbox Exp $ */
+/* $Id: dst_parse.h,v 1.14 2009/09/02 06:29:01 each Exp $ */
/*! \file */
#ifndef DST_DST_PARSE_H
void
dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
-int
+isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv);
-int
+isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec.h,v 1.35 2009/07/19 04:18:05 each Exp $ */
+/* $Id: dnssec.h,v 1.36 2009/09/02 06:29:01 each Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
isc_boolean_t hint_sign; /*% metadata says to sign with this key */
isc_boolean_t force_sign; /*% sign with key regardless of metadata */
isc_boolean_t hint_remove; /*% metadata says *don't* publish */
+ unsigned int prepublish; /*% how long until active? */
dns_keysource_t source; /*% how the key was found */
isc_boolean_t ksk; /*% this is a key-signing key */
isc_boolean_t legacy; /*% this is old-style key with no
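Review bot: The new field's comment `how long until active?` leaves the unit and the zero case to the reader; it is assigned `active - now` from two `isc_stdtime_t` values in dnssec.c in this diff and initialised to 0, so `/*% seconds until the activation date, or 0 if the key is not waiting to become active */` states what dnssec-signzone's `keyttl > key1->prepublish` comparison depends on.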
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.16 2009/07/19 04:18:05 each Exp $ */
+/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
#define DST_TIME_PUBLISH 1
#define DST_TIME_ACTIVATE 2
#define DST_TIME_REVOKE 3
-#define DST_TIME_REMOVE 4
+#define DST_TIME_UNPUBLISH 4
#define DST_TIME_DELETE 5
#define DST_MAX_TIMES 5
* "type" is no larger than DST_MAX_TIMES
*/
+void
+dst_key_unsettime(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the timing metadata array as "not set".
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_TIMES
+ */
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
+/*%<
+ * Get the private key format version number. (If the key does not have
+ * a private key associated with it, the version will be 0.0.) The major
+ * version number is placed in '*majorp', and the minor version number in
+ * '*minorp'.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "majorp" is not NULL.
+ * "minorp" is not NULL.
+ */
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor);
+/*%<
+ * Set the private key format version number.
+ *
+ * Requires:
+ * "key" is a valid key.
+ */
+
ISC_LANG_ENDDECLS
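Review bot: The new `dst_key_getprivateformat()` comment documents the arguments and the 0.0 convention but not the return value, although the function is declared `isc_result_t`; add a `Returns:` line with `ISC_R_SUCCESS` (the implementation in this diff has no failure path) so callers know whether they must check it. The `dst_key_unsettime()` comment could also note that the stored time value is left in place and only the "set" flag is cleared, which is what the implementation does.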
#endif /* DST_DST_H */
dst_key_fromlabel
dst_key_fromnamedfile
dst_key_generate
+dst_key_getprivateformat
dst_key_gettime
dst_key_id
dst_key_isnullkey
dst_key_secretsize
dst_key_setbits
dst_key_setflags
+dst_key_setprivateformat
dst_key_settime
dst_key_sigsize
dst_key_size
dst_key_tobuffer
dst_key_todns
dst_key_tofile
+dst_key_unsettime
dst_lib_destroy
dst_lib_init
dst_lib_initmsgcat