+3361. [bug] "rndc signing -nsec3param" didn't work correctly
+ when salt was set to '-' (no salt). [RT #30099]
+
3360. [bug] 'host -w' could die. [RT #18723]
3359. [bug] An improperly-formed TSIG secret could cause a
memcpy(keystr, ptr, sizeof(keystr));
} else if(strcasecmp(ptr, "-nsec3param") == 0) {
const char *hashstr, *flagstr, *iterstr;
- isc_buffer_t buf;
char nbuf[512];
chain = ISC_TRUE;
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
- isc_buffer_init(&buf, salt, sizeof(salt));
- CHECK(isc_hex_decodestring(ptr, &buf));
- saltlen = isc_buffer_usedlength(&buf);
+ if (strcmp(ptr, "-") != 0) {
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, salt, sizeof(salt));
+ CHECK(isc_hex_decodestring(ptr, &buf));
+ saltlen = isc_buffer_usedlength(&buf);
+ }
}
} else
CHECK(DNS_R_SYNTAX);
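Review bot: When the salt token is `-` the new `if (strcmp(ptr, "-") != 0)` guard skips the hex decode and never assigns `saltlen`, so the no-salt case silently depends on `saltlen` having been initialised to 0 at its declaration, which lies outside this hunk. If it is (as I would expect), the code is correct, but the intent is clearer and the dependency gone with an explicit arm, `} else { saltlen = 0; }`; the stale contents of `salt[]` do not matter once the length is zero. Moving `isc_buffer_t buf` into the inner block is a good narrowing of scope. The enclosing function starts and ends outside the hunk.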
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db
+rm -f ns3/inline.example.db.signed
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm -f nosign.before
rm -f signing.out*
--- /dev/null
+; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2000, 2001 Internet Software Consortium.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: insecure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
file "lower.example.db.signed";
};
+zone "inline.example" {
+ type master;
+ file "inline.example.db";
+ inline-signing yes;
+ auto-dnssec maintain;
+};
+
include "trusted.conf";
awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
sed 's/[ ][ ]*/ /g'> ../nosign.before
+#
+# An inline signing zone
+#
+zone=inline.example.
+kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check that 'rndc signing -nsec3param' works with salt ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+ salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
+ if [ "$salt" = "FFFF" ]; then
+ break;
+ fi
+ echo "I:sleeping ...."
+ sleep 1
+done;
+[ "$salt" = "FFFF" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that 'rndc signing -nsec3param' works without salt ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
+for i in 1 2 3 4 5 6 7 8 9 10 ; do
+ salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
+ if [ "$salt" = "-" ]; then
+ break;
+ fi
+ echo "I:sleeping ...."
+ sleep 1
+done;
+[ "$salt" = "-" ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:check rndc signing -list output ($n)"
+ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example 2>&1 > signing.out
grep "No signing records found" signing.out > /dev/null 2>&1 || {
ret=1
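Review bot: The ten-iteration polling loop after each `rndc signing -nsec3param` call is duplicated verbatim for the `FFFF` and `-` cases, differing only in the expected salt, and the same comparison is then repeated once more after each `done;` to set `ret`. A small helper keeps the two checks in step if the retry count or the `dig` invocation is ever adjusted, and each stanza collapses to `wait_for_salt FFFF || ret=1` and `wait_for_salt - || ret=1`. A sketch follows. Separately, the two `rndc ... status` calls redirect only stdout while the `signing` calls just above them use `2>&1`; a failed status call will therefore write into the test log, so `> /dev/null 2>&1` on both would be consistent.
```shell
# Poll up to ten times, one second apart, until inline.example's NSEC3PARAM salt equals $1.
wait_for_salt() {
	for i in 1 2 3 4 5 6 7 8 9 10 ; do
		salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
		[ "$salt" = "$1" ] && return 0
		echo "I:sleeping ...."
		sleep 1
	done
	return 1
}

echo "I:check that 'rndc signing -nsec3param' works with salt ($n)"
ret=0
# … unchanged: rndc signing -nsec3param 1 0 0 ffff and rndc status calls …
wait_for_salt FFFF || ret=1
# … unchanged: n/status bookkeeping; the "without salt" stanza uses wait_for_salt - || ret=1 …
```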
<command>inline-signing</command> zones.
Parameters are specified in the same format as
an NSEC3PARAM resource record: hash algorithm,
- flags, iterations, salt. For example, to set an
- NSEC3 chain using the SHA-1 hash algorithm,
- no opt-out flag, 10 iterations, and a salt value
- of "FFFF", use:
- <command>rndc signing -nsec3param 1 0 10 FFFF</command>.
+ flags, iterations, and salt, in that order.
+ </para>
+ <para>
+ Currently, the only defined value for hash algorithm
+ is <literal>1</literal>, representing SHA-1.
+ The <option>flags</option> may be set to
+ <literal>0</literal> or <literal>1</literal>,
+ depending on whether you wish to set the opt-out
+ bit in the NSEC3 chain. <option>iterations</option>
+ defines the number of additional times to apply
+ the algorithm when generating an NSEC3 hash. The
+ <option>salt</option> is a string of data expressed
+ in hexidecimal, or a hyphen (`-') if no salt is
+ to be used.
+ </para>
+ <para>
+ So, for example, to create an NSEC3 chain using
+ the SHA-1 hash algorithm, no opt-out flag,
+ 10 iterations, and a salt value of "FFFF", use:
+ <command>rndc signing -nsec3param 1 0 10 FFFF <zone></command>.
+ To set the opt-out flag, 15 iterations, and no
+ salt, use:
+ <command>rndc signing -nsec3param 1 1 15 - <zone></command>.
+ </para>
+ <para>
<command>rndc signing -nsec3param none</command>
removes an existing NSEC3 chain and replaces it
with NSEC.