fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
- " DH | RSASHA1 |\n"
+ " RSASHA1 |\n"
" NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"
/*
* Process memory debugging argument first.
*/
-#define CMDLINE_FLAGS \
- "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \
+#define CMDLINE_FLAGS \
+ "3A:a:b:Cc:D:d:E:Ff:GhI:i:K:k:L:l:m:n:P:p:qR:r:S:s:" \
"T:t:v:V"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
- case 'e':
- fprintf(stderr, "phased-out option -e "
- "(was 'use (RSA) large exponent')\n");
- break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
if (toupper(c) == 'K') {
isc_commandline_argument);
}
break;
- case 'g':
- fprintf(stderr,
- "phased-out option -e "
- "(was 'use specified generator (DH only)')\n");
- break;
case 'K':
ctx.directory = isc_commandline_argument;
ret = try_dir(ctx.directory);
Synopsis
~~~~~~~~
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-g** generator] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
This option generates a key, but does not publish it or sign with it. This option is
incompatible with :option:`-P` and :option:`-A`.
-.. option:: -g generator
-
- This option indicates the generator to use if generating a Diffie-Hellman key. Allowed
- values are 2 and 5. If no generator is specified, a known prime from
- :rfc:`2539` is used if possible; otherwise the default is 2.
-
.. option:: -h
This option prints a short summary of the options and arguments to
result = named_server_freeze(named_g_server, false, lex, text);
} else if (command_compare(command, NAMED_COMMAND_TRACE)) {
result = named_server_setdebuglevel(named_g_server, lex);
- } else if (command_compare(command, NAMED_COMMAND_TSIGDELETE)) {
- result = named_server_tsigdelete(named_g_server, lex, text);
- } else if (command_compare(command, NAMED_COMMAND_TSIGLIST)) {
- result = named_server_tsiglist(named_g_server, text);
} else if (command_compare(command, NAMED_COMMAND_VALIDATION)) {
result = named_server_validation(named_g_server, lex, text);
} else if (command_compare(command, NAMED_COMMAND_ZONESTATUS)) {
#define NAMED_COMMAND_FLUSHNAME "flushname"
#define NAMED_COMMAND_FLUSHTREE "flushtree"
#define NAMED_COMMAND_STATUS "status"
-#define NAMED_COMMAND_TSIGLIST "tsig-list"
-#define NAMED_COMMAND_TSIGDELETE "tsig-delete"
#define NAMED_COMMAND_FREEZE "freeze"
#define NAMED_COMMAND_UNFREEZE "unfreeze"
#define NAMED_COMMAND_THAW "thaw"
isc_result_t
named_server_status(named_server_t *server, isc_buffer_t **text);
-/*%
- * Report a list of dynamic and static tsig keys, per view.
- */
-isc_result_t
-named_server_tsiglist(named_server_t *server, isc_buffer_t **text);
-
-/*%
- * Delete a specific key (with optional view).
- */
-isc_result_t
-named_server_tsigdelete(named_server_t *server, isc_lex_t *lex,
- isc_buffer_t **text);
-
/*%
* Enable or disable updates for a zone.
*/
return (result);
}
-static isc_result_t
-delete_keynames(dns_tsig_keyring_t *ring, char *target,
- unsigned int *foundkeys) {
- char namestr[DNS_NAME_FORMATSIZE];
- isc_result_t result;
- dns_rbtnodechain_t chain;
- dns_name_t foundname;
- dns_fixedname_t fixedorigin;
- dns_name_t *origin;
- dns_rbtnode_t *node;
- dns_tsigkey_t *tkey;
-
- dns_name_init(&foundname, NULL);
- origin = dns_fixedname_initname(&fixedorigin);
-
-again:
- dns_rbtnodechain_init(&chain);
- result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
- if (result == ISC_R_NOTFOUND) {
- dns_rbtnodechain_invalidate(&chain);
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
- dns_rbtnodechain_invalidate(&chain);
- return (result);
- }
-
- for (;;) {
- node = NULL;
- dns_rbtnodechain_current(&chain, &foundname, origin, &node);
- tkey = node->data;
-
- if (tkey != NULL) {
- if (!tkey->generated) {
- goto nextkey;
- }
-
- dns_name_format(&tkey->name, namestr, sizeof(namestr));
- if (strcmp(namestr, target) == 0) {
- (*foundkeys)++;
- dns_rbtnodechain_invalidate(&chain);
- (void)dns_rbt_deletename(ring->keys,
- &tkey->name, false);
- goto again;
- }
- }
-
- nextkey:
- result = dns_rbtnodechain_next(&chain, &foundname, origin);
- if (result == ISC_R_NOMORE) {
- break;
- }
- if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
- dns_rbtnodechain_invalidate(&chain);
- return (result);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-named_server_tsigdelete(named_server_t *server, isc_lex_t *lex,
- isc_buffer_t **text) {
- isc_result_t result;
- dns_view_t *view;
- unsigned int foundkeys = 0;
- char *ptr, *viewname;
- char target[DNS_NAME_FORMATSIZE];
- char fbuf[16];
-
- REQUIRE(text != NULL);
-
- (void)next_token(lex, text); /* skip command name */
-
- ptr = next_token(lex, text);
- if (ptr == NULL) {
- return (ISC_R_UNEXPECTEDEND);
- }
- strlcpy(target, ptr, DNS_NAME_FORMATSIZE);
-
- viewname = next_token(lex, text);
-
- isc_loopmgr_pause(named_g_loopmgr);
- for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname == NULL || strcmp(view->name, viewname) == 0) {
- RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
- result = delete_keynames(view->dynamickeys, target,
- &foundkeys);
- RWUNLOCK(&view->dynamickeys->lock,
- isc_rwlocktype_write);
- if (result != ISC_R_SUCCESS) {
- isc_loopmgr_resume(named_g_loopmgr);
- return (result);
- }
- }
- }
- isc_loopmgr_resume(named_g_loopmgr);
-
- snprintf(fbuf, sizeof(fbuf), "%u", foundkeys);
-
- CHECK(putstr(text, fbuf));
- CHECK(putstr(text, " tsig keys deleted."));
- CHECK(putnull(text));
-
-cleanup:
- return (result);
-}
-
-static isc_result_t
-list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t **text,
- unsigned int *foundkeys) {
- char namestr[DNS_NAME_FORMATSIZE];
- char creatorstr[DNS_NAME_FORMATSIZE];
- isc_result_t result;
- dns_rbtnodechain_t chain;
- dns_name_t foundname;
- dns_fixedname_t fixedorigin;
- dns_name_t *origin;
- dns_rbtnode_t *node;
- dns_tsigkey_t *tkey;
- const char *viewname;
-
- if (view != NULL) {
- viewname = view->name;
- } else {
- viewname = "(global)";
- }
-
- dns_name_init(&foundname, NULL);
- origin = dns_fixedname_initname(&fixedorigin);
- dns_rbtnodechain_init(&chain);
- result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
- if (result == ISC_R_NOTFOUND) {
- dns_rbtnodechain_invalidate(&chain);
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
- dns_rbtnodechain_invalidate(&chain);
- return (result);
- }
-
- for (;;) {
- node = NULL;
- dns_rbtnodechain_current(&chain, &foundname, origin, &node);
- tkey = node->data;
-
- if (tkey != NULL) {
- dns_name_format(&tkey->name, namestr, sizeof(namestr));
- if (tkey->generated) {
- dns_name_format(tkey->creator, creatorstr,
- sizeof(creatorstr));
- if (*foundkeys != 0) {
- CHECK(putstr(text, "\n"));
- }
- CHECK(putstr(text, "view \""));
- CHECK(putstr(text, viewname));
- CHECK(putstr(text, "\"; type \"dynamic\"; key "
- "\""));
- CHECK(putstr(text, namestr));
- CHECK(putstr(text, "\"; creator \""));
- CHECK(putstr(text, creatorstr));
- CHECK(putstr(text, "\";"));
- } else {
- if (*foundkeys != 0) {
- CHECK(putstr(text, "\n"));
- }
- CHECK(putstr(text, "view \""));
- CHECK(putstr(text, viewname));
- CHECK(putstr(text, "\"; type \"static\"; key "
- "\""));
- CHECK(putstr(text, namestr));
- CHECK(putstr(text, "\";"));
- }
- (*foundkeys)++;
- }
- result = dns_rbtnodechain_next(&chain, &foundname, origin);
- if (result == ISC_R_NOMORE || result == DNS_R_NEWORIGIN) {
- break;
- }
- }
-
- return (ISC_R_SUCCESS);
-cleanup:
- dns_rbtnodechain_invalidate(&chain);
- return (result);
-}
-
-isc_result_t
-named_server_tsiglist(named_server_t *server, isc_buffer_t **text) {
- isc_result_t result = ISC_R_SUCCESS;
- dns_view_t *view;
- unsigned int foundkeys = 0;
-
- REQUIRE(text != NULL);
-
- for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
- result = list_keynames(view, view->statickeys, text,
- &foundkeys);
- RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
- RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
- result = list_keynames(view, view->dynamickeys, text,
- &foundkeys);
- RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
- }
-
- if (foundkeys == 0) {
- CHECK(putstr(text, "no tsig keys found."));
- }
-
- if (isc_buffer_usedlength(*text) > 0) {
- CHECK(putnull(text));
- }
-
-cleanup:
- return (result);
-}
-
/*
* Act on a "sign" or "loadkeys" command from the command channel.
*/
Enable updates to a frozen dynamic zone and reload it.\n\
trace Increment debugging level by one.\n\
trace level Change the debugging level.\n\
- tsig-delete keyname [view]\n\
- Delete a TKEY-negotiated TSIG key.\n\
- tsig-list List all currently active TSIG keys, including both statically\n\
- configured and TKEY-negotiated keys.\n\
validation [ on | off | status ] [view]\n\
Enable / disable DNSSEC validation.\n\
zonestatus zone [class [view]]\n\
.. program:: rndc
-.. option:: tsig-delete keyname [view]
-
- This command deletes a given TKEY-negotiated key from the server. This does not
- apply to statically configured TSIG keys.
-
-.. option:: tsig-list
-
- This command lists the names of all TSIG keys currently configured for use by
- :iscman:`named` in each view. The list includes both statically configured keys and
- dynamic TKEY-negotiated keys.
-
.. option:: validation (on | off | status) [view ...]
This command enables, disables, or checks the current status of DNSSEC validation. By
rpz.inc.rst \
security.inc.rst \
sig0.inc.rst \
- tkey.inc.rst \
troubleshooting.inc.rst \
tsig.inc.rst \
zones.inc.rst \
.. include:: security.inc.rst
.. include:: tsig.inc.rst
-.. include:: tkey.inc.rst
.. include:: sig0.inc.rst
+++ /dev/null
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0. If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-TKEY
-----
-
-TKEY (Transaction KEY) is a mechanism for automatically negotiating a
-shared secret between two hosts, originally specified in :rfc:`2930`.
-
-There are several TKEY "modes" that specify how a key is to be generated
-or assigned. BIND 9 implements only one of these modes: Diffie-Hellman
-key exchange. Both hosts are required to have a KEY record with
-algorithm DH (though this record is not required to be present in a
-zone).
-
-The TKEY process is initiated by a client or server by sending a query
-of type TKEY to a TKEY-aware server. The query must include an
-appropriate KEY record in the additional section, and must be signed
-using either TSIG or SIG(0) with a previously established key. The
-server's response, if successful, contains a TKEY record in its
-answer section. After this transaction, both participants have
-enough information to calculate a shared secret using Diffie-Hellman key
-exchange. The shared secret can then be used to sign subsequent
-transactions between the two servers.
-
-TSIG keys known by the server, including TKEY-negotiated keys, can be
-listed using :option:`rndc tsig-list`.
-
-TKEY-negotiated keys can be deleted from a server using
-:option:`rndc tsig-delete`. This can also be done via the TKEY protocol
-itself, by sending an authenticated TKEY query specifying the "key
-deletion" mode.
the signature. If the signature is valid, the response is signed
using the same key.
-TSIG keys that are known to a server can be listed using the command
-:option:`rndc tsig-list`.
-
Instructing the Server to Use a Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*\li *err_message optional error message
*/
-isc_result_t
-dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
-/*%<
- * Builds a query containing a TKEY record that will delete the
- * specified shared secret from the server.
- *
- * Requires:
- *\li 'msg' is a valid message
- *\li 'key' is a valid TSIG key
- *
- * Returns:
- *\li #ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
- *\li other an error occurred while building the message
- */
-
-isc_result_t
-dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *gname, dns_gss_ctx_id_t *context,
- isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
- dns_tsig_keyring_t *ring, char **err_message);
-/*%<
- * XXX
- */
-
-isc_result_t
-dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_tsig_keyring_t *ring);
-/*%<
- * Processes a response to a query containing a TKEY that was
- * designed to delete a shared secret. If the query was successful,
- * the shared key is deleted from the list of shared keys.
- *
- * Requires:
- *\li 'qmsg' is a valid message (the query)
- *\li 'rmsg' is a valid message (the response)
- *\li 'ring' is not NULL
- *
- * Returns:
- *\li #ISC_R_SUCCESS the shared key was successfully deleted
- *\li #ISC_R_NOTFOUND an error occurred while looking for a
- * component of the query or response
- */
-
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *server, dns_gss_ctx_id_t *context,
* RSA: exponent
* 0 use exponent 3
* !0 use Fermat4 (2^16 + 1)
- * DH: generator
- * 0 default - use well known prime if bits == 768 or 1024,
- * otherwise use 2 as the generator.
- * !0 use this value as the generator.
* DSA: unused
* HMACMD5: entropy
* 0 default - require good entropy
va_end(ap);
}
-static void
-dumpmessage(dns_message_t *msg) {
- isc_buffer_t outbuf;
- unsigned char *output;
- int len = TEMP_BUFFER_SZ;
- isc_result_t result;
-
- for (;;) {
- output = isc_mem_get(msg->mctx, len);
-
- isc_buffer_init(&outbuf, output, len);
- result = dns_message_totext(msg, &dns_master_style_debug, 0,
- &outbuf);
- if (result == ISC_R_NOSPACE) {
- isc_mem_put(msg->mctx, output, len);
- len *= 2;
- continue;
- }
-
- if (result == ISC_R_SUCCESS) {
- tkey_log("%.*s", (int)isc_buffer_usedlength(&outbuf),
- (char *)isc_buffer_base(&outbuf));
- } else {
- tkey_log("Warning: dns_message_totext: %s",
- isc_result_totext(result));
- }
- break;
- }
-
- if (output != NULL) {
- isc_mem_put(msg->mctx, output, len);
- }
-}
-
isc_result_t
dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
REQUIRE(mctx != NULL);
return (buildquery(msg, name, &tkey, win2k));
}
-isc_result_t
-dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
- dns_rdata_tkey_t tkey;
-
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
-
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = msg->mctx;
- dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(key->algorithm, &tkey.algorithm);
- tkey.inception = tkey.expire = 0;
- tkey.mode = DNS_TKEYMODE_DELETE;
- tkey.error = 0;
- tkey.keylen = tkey.otherlen = 0;
- tkey.key = tkey.other = NULL;
-
- return (buildquery(msg, &key->name, &tkey, false));
-}
-
static isc_result_t
find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
int section) {
return (result);
}
-isc_result_t
-dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- const dns_name_t *gname, dns_gss_ctx_id_t *context,
- isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
- dns_tsig_keyring_t *ring, char **err_message) {
- dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
- dns_name_t *tkeyname;
- dns_rdata_tkey_t rtkey, qtkey;
- dst_key_t *dstkey = NULL;
- isc_buffer_t intoken;
- isc_result_t result;
- unsigned char array[TEMP_BUFFER_SZ];
-
- REQUIRE(outtoken != NULL);
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
- REQUIRE(gname != NULL);
- REQUIRE(ring != NULL);
- if (outkey != NULL) {
- REQUIRE(*outkey == NULL);
- }
-
- if (rmsg->rcode != dns_rcode_noerror) {
- return (dns_result_fromrcode(rmsg->rcode));
- }
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
- /*
- * Win2k puts the item in the ANSWER section, while the RFC
- * specifies it should be in the ADDITIONAL section. Check first
- * where it should be, and then where it may be.
- */
- result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL);
- if (result == ISC_R_NOTFOUND) {
- result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ANSWER);
- }
- if (result != ISC_R_SUCCESS) {
- goto failure;
- }
-
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_GSSAPI ||
- !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
- {
- tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
- "or error set(2) %d",
- rtkey.error);
- dumpmessage(qmsg);
- dumpmessage(rmsg);
- result = DNS_R_INVALIDTKEY;
- goto failure;
- }
-
- isc_buffer_init(outtoken, array, sizeof(array));
- isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
- RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
- ring->mctx, err_message));
-
- RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey,
- NULL));
-
- RETERR(dns_tsigkey_createfromkey(
- tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey, false, NULL,
- rtkey.inception, rtkey.expire, ring->mctx, ring, outkey));
- dst_key_free(&dstkey);
- dns_rdata_freestruct(&rtkey);
- return (result);
-
-failure:
- /*
- * XXXSRA This probably leaks memory from rtkey and qtkey.
- */
- if (dstkey != NULL) {
- dst_key_free(&dstkey);
- }
- return (result);
-}
-
-isc_result_t
-dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_tsig_keyring_t *ring) {
- dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
- dns_name_t *tkeyname, *tempname;
- dns_rdata_tkey_t qtkey, rtkey;
- dns_tsigkey_t *tsigkey = NULL;
- isc_result_t result;
-
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
-
- if (rmsg->rcode != dns_rcode_noerror) {
- return (dns_result_fromrcode(rmsg->rcode));
- }
-
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
- RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_DELETE || rtkey.mode != qtkey.mode ||
- !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
- tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
- "or error set(3)");
- result = DNS_R_INVALIDTKEY;
- dns_rdata_freestruct(&qtkey);
- dns_rdata_freestruct(&rtkey);
- goto failure;
- }
-
- dns_rdata_freestruct(&qtkey);
-
- RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
-
- dns_rdata_freestruct(&rtkey);
-
- /*
- * Mark the key as deleted.
- */
- dns_tsigkey_setdeleted(tsigkey);
- /*
- * Release the reference.
- */
- dns_tsigkey_detach(&tsigkey);
-
-failure:
- return (result);
-}
-
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *server, dns_gss_ctx_id_t *context,
projects / thirdparty / bind9.git / commitdiff
