/*
 * Portions Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: dnssec-signzone.c,v 1.270 2011/03/11 06:11:20 marka Exp $ */

/*! \file */

#include <config.h>

#include <stdlib.h>
#include <time.h>

#include <isc/app.h>
#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stdio.h>
#include <isc/stdlib.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/time.h>
#include <isc/util.h>

#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdataclass.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
#include <dns/soa.h>
#include <dns/time.h>

#include <dst/dst.h>

#include "dnssectool.h"

#ifndef PATH_MAX
#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
#endif

const char *program = "dnssec-signzone";	/* program name for messages */
int verbose;					/* nonzero: diagnostics on stderr */

typedef struct hashlist hashlist_t;

/* NSEC or NSEC3: which denial-of-existence chain the zone gets. */
static int nsec_datatype = dns_rdatatype_nsec;

#define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)

/* True when the DNSKEY behind dst_key 'x' carries the REVOKE flag. */
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)

#define BUFSIZE 2048		/* scratch space for one RRSIG rdata */
#define MAXDSKEYS 8

#define SIGNER_EVENTCLASS	ISC_EVENTCLASS(0x4453)
#define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
#define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)

/* Values for 'serialformat' below. */
#define SOA_SERIAL_KEEP		0
#define SOA_SERIAL_INCREMENT	1
#define SOA_SERIAL_UNIXTIME	2

/* Event handed to the signing tasks: a database node and its name. */
typedef struct signer_event sevent_t;
struct signer_event {
	ISC_EVENT_COMMON(sevent_t);
	dns_fixedname_t *fname;
	dns_dbnode_t *node;
};

static dns_dnsseckeylist_t keylist;	/* keys known to the signer */
static unsigned int keycount = 0;	/* number of entries in keylist */
isc_rwlock_t keylist_lock;		/* guards keylist; held for write
					 * when a key is appended */
/*
 * Signature inception ('starttime'), expiry for ordinary RRsets
 * ('endtime') and for the DNSKEY RRset ('dnskey_endtime'), and 'now'.
 */
static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
/*
 * Seconds added to 'now' when testing whether one of our own signing
 * keys' signatures has expired, so they are regenerated early; see
 * signset().
 */
static int cycle = -1;
/* Random spread applied to the signature expiry (0 = none). */
static int jitter = 0;
static isc_boolean_t tryverify = ISC_FALSE;	/* verify each new RRSIG */
static isc_boolean_t printstats = ISC_FALSE;	/* maintain the counters */
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
static dns_ttl_t zone_soa_min_ttl;
static dns_ttl_t soa_ttl;
static FILE *fp;				/* stream dumpnode() writes to */
static char *tempfile = NULL;
static const dns_master_style_t *masterstyle;
static dns_masterformat_t inputformat = dns_masterformat_text;
static dns_masterformat_t outputformat = dns_masterformat_text;
/* Statistics, updated through INCSTAT() under 'statslock'. */
static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
static unsigned int nverified = 0, nverifyfailed = 0;
/*
 * 'directory' is where key files are looked up (dst_key_fromfile());
 * 'dsdir' is prefixed to the file names opendb() builds.
 */
static const char *directory = NULL, *dsdir = NULL;
static isc_mutex_t namelock, statslock;
static isc_taskmgr_t *taskmgr = NULL;
static dns_db_t *gdb;			/* The database */
static dns_dbversion_t *gversion;	/* The database version */
static dns_dbiterator_t *gdbiter;	/* The database iterator */
static dns_rdataclass_t gclass;		/* The class */
static dns_name_t *gorigin;		/* The database origin */
static int nsec3flags = 0;
static dns_iterations_t nsec3iter = 10U;
/* NSEC3 salt; 255 is the most the RR's one-byte salt length can carry. */
static unsigned char saltbuf[255];
static unsigned char *salt = saltbuf;
static size_t salt_length = 0;
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
static isc_boolean_t nokeys = ISC_FALSE;
static isc_boolean_t removefile = ISC_FALSE;
static isc_boolean_t generateds = ISC_FALSE;
/* Treat every key as a ZSK regardless of its KSK flag; see iszsk(). */
static isc_boolean_t ignore_kskflag = ISC_FALSE;
/*
 * With this set a ZSK signs the apex DNSKEY RRset only when no
 * (unrevoked) KSK of its algorithm exists; see signset().
 */
static isc_boolean_t keyset_kskonly = ISC_FALSE;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
static unsigned int serialformat = SOA_SERIAL_KEEP;
/*
 * Hash length used by hashlist_comp(); it must agree with the length
 * the hashlist was initialised with, since the sort/search step by that.
 */
static unsigned int hash_length = 0;
static isc_boolean_t unknownalg = ISC_FALSE;
static isc_boolean_t disable_zone_check = ISC_FALSE;
static isc_boolean_t update_chain = ISC_FALSE;
static isc_boolean_t set_keyttl = ISC_FALSE;
static dns_ttl_t keyttl;
static isc_boolean_t smartsign = ISC_FALSE;
/*
 * Write only RRSIG, NSEC, NSEC3 and NSEC3PARAM sets (plus DNSKEY when
 * smart signing); see dumpnode().
 */
static isc_boolean_t output_dnssec_only = ISC_FALSE;

/*
 * Bump a statistics counter under 'statslock' when stats are enabled.
 * This expands to a bare 'if' with no do/while wrapper, so an 'else'
 * placed after "INCSTAT(x);" would bind to it; always brace callers.
 */
#define INCSTAT(counter)		\
	if (printstats) {		\
		LOCK(&statslock);	\
		counter++;		\
		UNLOCK(&statslock);	\
	}

static void
sign(isc_task_t *task, isc_event_t *event);

/*
 * dns_dbiterator_current() reports DNS_R_NEWORIGIN when the origin
 * changes; that is not a failure here.
 */
#define check_dns_dbiterator_current(result) \
	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
		     "dns_dbiterator_current()")

/*%
 * Decide whether an rdataset belongs in "DNSSEC-only" output: the
 * RRSIG, NSEC, NSEC3 and NSEC3PARAM sets always do, DNSKEY only when
 * smart signing is in effect, everything else never.
 */
static inline isc_boolean_t
dumpnode_wanted(dns_rdatatype_t type) {
	switch (type) {
	case dns_rdatatype_rrsig:
	case dns_rdatatype_nsec:
	case dns_rdatatype_nsec3:
	case dns_rdatatype_nsec3param:
		return (ISC_TRUE);
	case dns_rdatatype_dnskey:
		return (smartsign);
	default:
		return (ISC_FALSE);
	}
}

/*%
 * Write the node 'node' (owner name 'name') to the output stream 'fp'
 * in master-file text.  Nothing is written for non-text output formats.
 * Unless 'output_dnssec_only' is set the whole node is dumped by
 * dns_master_dumpnodetostream(); otherwise each rdataset is formatted
 * individually, into a buffer that is doubled until it fits, and only
 * the DNSSEC-related sets (see dumpnode_wanted()) are emitted.
 * Every library failure is fatal via check_result().
 */
static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) {
	dns_rdatasetiter_t *rdsiter = NULL;
	dns_rdataset_t rdataset;
	isc_buffer_t *text = NULL;
	isc_region_t written;
	isc_result_t result;
	unsigned textsize = 4096;

	if (outputformat != dns_masterformat_text)
		return;

	if (!output_dnssec_only) {
		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
						     name, masterstyle, fp);
		check_result(result, "dns_master_dumpnodetostream");
		return;
	}

	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
	check_result(result, "dns_db_allrdatasets");

	dns_rdataset_init(&rdataset);

	result = isc_buffer_allocate(mctx, &text, textsize);
	check_result(result, "isc_buffer_allocate");

	result = dns_rdatasetiter_first(rdsiter);
	while (result == ISC_R_SUCCESS) {
		dns_rdatasetiter_current(rdsiter, &rdataset);

		if (!dumpnode_wanted(rdataset.type)) {
			dns_rdataset_disassociate(&rdataset);
			result = dns_rdatasetiter_next(rdsiter);
			continue;
		}

		/* Grow the buffer until the set's text fits. */
		result = dns_master_rdatasettotext(name, &rdataset,
						   masterstyle, text);
		while (result == ISC_R_NOSPACE) {
			textsize <<= 1;
			isc_buffer_free(&text);
			result = isc_buffer_allocate(mctx, &text, textsize);
			check_result(result, "isc_buffer_allocate");
			result = dns_master_rdatasettotext(name, &rdataset,
							   masterstyle, text);
		}
		check_result(result, "dns_master_rdatasettotext");

		isc_buffer_usedregion(text, &written);
		result = isc_stdio_write(written.base, 1, written.length,
					 fp, NULL);
		check_result(result, "isc_stdio_write");
		isc_buffer_clear(text);

		dns_rdataset_disassociate(&rdataset);
		result = dns_rdatasetiter_next(rdsiter);
	}

	isc_buffer_free(&text);
	dns_rdatasetiter_destroy(&rdsiter);
}

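/*%
 * Sign the given RRset with given key, and add the signature record to the
 * given tuple.
 *
 * 'name'/'rdataset' is the RRset to sign and 'key' the signing key; the
 * new RRSIG gets TTL 'ttl' and is appended to the diff 'add'.  'logmsg'
 * is printed together with the key at verbosity 1.
 *
 * Inception is the global 'starttime'.  Expiry is 'dnskey_endtime' for a
 * DNSKEY RRset and 'endtime' otherwise, randomised by isc_random_jitter()
 * when 'jitter' is nonzero.  A signing failure is fatal.  With 'tryverify'
 * the fresh signature is verified against the same key and the result
 * counted in the statistics.
 */
static void
signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
	    dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
{
	isc_result_t result;
	isc_stdtime_t jendtime, expiry;
	char keystr[DST_KEY_FORMATSIZE];
	dns_rdata_t trdata = DNS_RDATA_INIT;
	unsigned char array[BUFSIZE];	/* receives the RRSIG rdata */
	isc_buffer_t b;
	dns_difftuple_t *tuple;

	dst_key_format(key, keystr, sizeof(keystr));
	vbprintf(1, "\t%s %s\n", logmsg, keystr);

	if (rdataset->type == dns_rdatatype_dnskey)
		expiry = dnskey_endtime;
	else
		expiry = endtime;

	jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
	isc_buffer_init(&b, array, sizeof(array));
	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
				 mctx, &b, &trdata);
	isc_entropy_stopcallbacksources(ectx);
	if (result != ISC_R_SUCCESS) {
		/*
		 * 'keystr' already holds this key's text (formatted above);
		 * no need for a second, shadowing copy.
		 */
		fatal("dnskey '%s' failed to sign data: %s",
		      keystr, isc_result_totext(result));
	}
	INCSTAT(nsigned);

	if (tryverify) {
		result = dns_dnssec_verify(name, rdataset, key,
					   ISC_TRUE, mctx, &trdata);
		if (result == ISC_R_SUCCESS) {
			vbprintf(3, "\tsignature verified\n");
			INCSTAT(nverified);
		} else {
			vbprintf(3, "\tsignature failed to verify\n");
			INCSTAT(nverifyfailed);
		}
	}

	tuple = NULL;
	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata,
				      &tuple);
	check_result(result, "dns_difftuple_create");
	dns_diff_append(add, &tuple);
}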

/*%
 * A key signs when it was explicitly told to (force_sign) or when the
 * key's own metadata hints that it should (hint_sign).
 */
static inline isc_boolean_t
issigningkey(dns_dnsseckey_t *key) {
	if (key->force_sign)
		return (ISC_TRUE);
	return (ISC_TF(key->hint_sign));
}

/*%
 * True when the key is a zone key owned by the zone apex 'gorigin';
 * the name check comes first so the flag test runs only for apex keys.
 */
static inline isc_boolean_t
iszonekey(dns_dnsseckey_t *key) {
	dst_key_t *dk = key->key;

	if (!dns_name_equal(dst_key_name(dk), gorigin))
		return (ISC_FALSE);
	return (ISC_TF(dst_key_iszonekey(dk)));
}

/*% True when the key list entry is marked as a key-signing key. */
static inline isc_boolean_t
isksk(dns_dnsseckey_t *key) {
	return (ISC_TF(key->ksk));
}

/*%
 * True when the key may sign ordinary zone data: any key when the KSK
 * flag is being ignored, otherwise only keys not marked as KSKs.
 */
static inline isc_boolean_t
iszsk(dns_dnsseckey_t *key) {
	if (ignore_kskflag)
		return (ISC_TRUE);
	return (ISC_TF(!key->ksk));
}

/*%
 * Find the key that generated an RRSIG, if it is in the key list.  If
 * so, return a pointer to it, otherwise return NULL.
 *
 * A key matches when its key id, algorithm and owner name all equal the
 * RRSIG's key tag, algorithm and signer name.
 *
 * No locking is performed here, this must be done by the caller.
 */
static dns_dnsseckey_t *
keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
	dns_dnsseckey_t *candidate = ISC_LIST_HEAD(keylist);

	while (candidate != NULL) {
		dst_key_t *dk = candidate->key;
		isc_boolean_t match;

		match = ISC_TF(rrsig->keyid == dst_key_id(dk) &&
			       rrsig->algorithm == dst_key_alg(dk) &&
			       dns_name_equal(&rrsig->signer,
					      dst_key_name(dk)));
		if (match)
			break;
		candidate = ISC_LIST_NEXT(candidate, link);
	}
	return (candidate);
}

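/*%
 * Finds the key that generated a RRSIG, if possible.  First look at the keys
 * that we've loaded already, and then see if there's a key on disk.
 *
 * The lookup is keyed on the RRSIG's signer name, key tag and algorithm,
 * which come from the zone data being signed; the same three values
 * select the key file dst_key_fromfile() reads from 'directory'.  A key
 * found only on disk is appended to 'keylist' with force_publish set and
 * force_sign clear, i.e. it will be published but not used for signing.
 * The private key is preferred when both halves load.
 *
 * Returns the key, or NULL when it is neither in the list nor on disk.
 * Takes 'keylist_lock' for reading, then for writing when the list may
 * have to change.  Failure to wrap a loaded key is fatal.
 *
 * NOTE(review): the appended key gets no key->index here, while signset()
 * indexes its per-key arrays by key->index; confirm where the index of
 * keys loaded on this path is assigned.
 */
static dns_dnsseckey_t *
keythatsigned(dns_rdata_rrsig_t *rrsig) {
	isc_result_t result;
	dst_key_t *pubkey = NULL, *privkey = NULL;
	dns_dnsseckey_t *key = NULL;

	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
	key = keythatsigned_unlocked(rrsig);
	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
	if (key != NULL)
		return (key);

	/*
	 * We did not find the key in our list.  Get a write lock now, since
	 * we may be modifying the bits.  We could do the tryupgrade() dance,
	 * but instead just get a write lock and check once again to see if
	 * it is on our list.  It's possible someone else may have added it
	 * after all.
	 */
	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
	key = keythatsigned_unlocked(rrsig);
	if (key != NULL) {
		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
		return (key);
	}

	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
				  rrsig->algorithm, DST_TYPE_PUBLIC,
				  directory, mctx, &pubkey);
	if (result != ISC_R_SUCCESS) {
		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
		return (NULL);
	}

	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
				  rrsig->algorithm,
				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
				  directory, mctx, &privkey);
	if (result == ISC_R_SUCCESS) {
		dst_key_free(&pubkey);
		result = dns_dnsseckey_create(mctx, &privkey, &key);
	} else {
		result = dns_dnsseckey_create(mctx, &pubkey, &key);
	}
	/*
	 * dns_dnsseckey_create() leaves 'key' NULL on failure, which the
	 * assignments below would dereference; fail loudly instead.
	 */
	check_result(result, "dns_dnsseckey_create");
	key->force_publish = ISC_TRUE;
	key->force_sign = ISC_FALSE;
	ISC_LIST_APPEND(keylist, key, link);

	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
	return (key);
}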

/*%
 * Check to see if we expect to find a key at this name.  If we see a RRSIG
 * and can't find the signing key that we expect to find, we drop the rrsig.
 * I'm not sure if this is completely correct, but it seems to work.
 *
 * A DNSKEY lookup (no wildcard matching) that succeeds or yields
 * NXDOMAIN/NXRRSET means the name is within this zone's authority, so a
 * key would be expected there; landing on a delegation, CNAME or DNAME
 * means it is not.  Any other lookup result is fatal.
 */
static isc_boolean_t
expecttofindkey(dns_name_t *name) {
	dns_fixedname_t foundname;
	isc_result_t result;

	dns_fixedname_init(&foundname);
	result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey,
			     DNS_DBFIND_NOWILD, 0, NULL,
			     dns_fixedname_name(&foundname), NULL, NULL);

	if (result == ISC_R_SUCCESS || result == DNS_R_NXDOMAIN ||
	    result == DNS_R_NXRRSET)
		return (ISC_TRUE);

	if (result == DNS_R_DELEGATION || result == DNS_R_CNAME ||
	    result == DNS_R_DNAME)
		return (ISC_FALSE);

	{
		char namestr[DNS_NAME_FORMATSIZE];

		dns_name_format(name, namestr, sizeof(namestr));
		fatal("failure looking for '%s DNSKEY' in database: %s",
		      namestr, isc_result_totext(result));
	}
	/* NOTREACHED */
	return (ISC_FALSE); /* removes a warning */
}

/*%
 * Verify 'rrsig' over 'set' (owner 'name') with 'key', counting the
 * outcome in the verification statistics.  Returns ISC_TRUE on a
 * successful verification.
 */
static inline isc_boolean_t
setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
	    dns_rdata_t *rrsig)
{
	isc_boolean_t verified;

	verified = ISC_TF(dns_dnssec_verify(name, set, key, ISC_FALSE, mctx,
					    rrsig) == ISC_R_SUCCESS);
	/* Braces matter: INCSTAT() expands to a bare 'if'. */
	if (verified) {
		INCSTAT(nverified);
	} else {
		INCSTAT(nverifyfailed);
	}
	return (verified);
}

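/*%
 * Signs a set.  Goes through contortions to decide if each RRSIG should
 * be dropped or retained, and then determines if any new SIGs need to
 * be generated.
 *
 * For each existing RRSIG over 'set' (at 'node', owner 'name'):
 *  - an inverted validity period, or a signer this zone should have a
 *    key for (expecttofindkey()) but does not, drops the signature;
 *  - a signature by an unknown key, or one with a future inception, is
 *    kept while unexpired and dropped once expired;
 *  - a signature by one of our signing keys is kept if it is unexpired
 *    (judged 'cycle' seconds ahead), carries the set's TTL and verifies;
 *    otherwise it is dropped and that key re-signs the set;
 *  - a signature by another zone key is kept on the same conditions but
 *    is not regenerated;
 *  - any other signature is kept until it expires.
 * A kept signature whose TTL differs from the set's is rewritten with
 * the new TTL.  Afterwards every signing key that does not yet cover the
 * set signs it; for the apex DNSKEY RRset a non-KSK signs only when no
 * unrevoked KSK of its algorithm exists or keyset_kskonly is clear.
 *
 * Deletions go to 'del', additions to 'add'.  The new RRSIG TTL is the
 * set's TTL capped at the signing validity period.  Allocation failure
 * and lookup errors are fatal.  'wassignedby' is filled in but not
 * consulted here.
 */
static void
signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
	dns_rdataset_t *set)
{
	dns_rdataset_t sigset;
	dns_rdata_t sigrdata = DNS_RDATA_INIT;
	dns_rdata_rrsig_t rrsig;
	dns_dnsseckey_t *key;
	isc_result_t result;
	isc_boolean_t nosigs = ISC_FALSE;
	isc_boolean_t *wassignedby, *nowsignedby;
	int arraysize;
	dns_difftuple_t *tuple;
	dns_ttl_t ttl;
	int i;
	char namestr[DNS_NAME_FORMATSIZE];
	char typestr[TYPE_FORMATSIZE];
	char sigstr[SIG_FORMATSIZE];

	dns_name_format(name, namestr, sizeof(namestr));
	type_format(set->type, typestr, sizeof(typestr));

	ttl = ISC_MIN(set->ttl, endtime - starttime);

	dns_rdataset_init(&sigset);
	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
				     set->type, 0, &sigset, NULL);
	if (result == ISC_R_NOTFOUND) {
		result = ISC_R_SUCCESS;
		nosigs = ISC_TRUE;
	}
	if (result != ISC_R_SUCCESS)
		fatal("failed while looking for '%s RRSIG %s': %s",
		      namestr, typestr, isc_result_totext(result));

	vbprintf(1, "%s/%s:\n", namestr, typestr);

	/*
	 * One slot per known key, plus one per existing RRSIG to leave
	 * room for keys keythatsigned() may add while we walk them.
	 */
	arraysize = keycount;
	if (!nosigs)
		arraysize += dns_rdataset_count(&sigset);
	wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
	nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
	if (wassignedby == NULL || nowsignedby == NULL)
		fatal("out of memory");

	for (i = 0; i < arraysize; i++)
		wassignedby[i] = nowsignedby[i] = ISC_FALSE;

	if (nosigs)
		result = ISC_R_NOMORE;
	else
		result = dns_rdataset_first(&sigset);

	while (result == ISC_R_SUCCESS) {
		isc_boolean_t expired, future;
		isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;

		dns_rdataset_current(&sigset, &sigrdata);

		result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
		check_result(result, "dns_rdata_tostruct");

		future = isc_serial_lt(now, rrsig.timesigned);

		key = keythatsigned(&rrsig);
		sig_format(&rrsig, sigstr, sizeof(sigstr));
		/* Our own signing keys' signatures expire 'cycle' early. */
		if (key != NULL && issigningkey(key))
			expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
		else
			expired = isc_serial_gt(now, rrsig.timeexpire);

		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
			/* rrsig is dropped and not replaced */
			vbprintf(2, "\trrsig by %s dropped - "
				 "invalid validity period\n",
				 sigstr);
		} else if (key == NULL && !future &&
			   expecttofindkey(&rrsig.signer)) {
			/* rrsig is dropped and not replaced */
			vbprintf(2, "\trrsig by %s dropped - "
				 "private dnskey not found\n",
				 sigstr);
		} else if (key == NULL || future) {
			/*
			 * Decide first, then report the decision; the
			 * message used to say the opposite of what was done.
			 */
			if (!expired)
				keep = ISC_TRUE;
			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
				 keep ? "retained" : "dropped", sigstr);
		} else if (issigningkey(key)) {
			if (!expired && rrsig.originalttl == set->ttl &&
			    setverifies(name, set, key->key, &sigrdata)) {
				vbprintf(2, "\trrsig by %s retained\n", sigstr);
				keep = ISC_TRUE;
				wassignedby[key->index] = ISC_TRUE;
				nowsignedby[key->index] = ISC_TRUE;
			} else {
				vbprintf(2, "\trrsig by %s dropped - %s\n",
					 sigstr, expired ? "expired" :
					 rrsig.originalttl != set->ttl ?
					 "ttl change" : "failed to verify");
				wassignedby[key->index] = ISC_TRUE;
				resign = ISC_TRUE;
			}
		} else if (iszonekey(key)) {
			if (!expired && rrsig.originalttl == set->ttl &&
			    setverifies(name, set, key->key, &sigrdata)) {
				vbprintf(2, "\trrsig by %s retained\n", sigstr);
				keep = ISC_TRUE;
				wassignedby[key->index] = ISC_TRUE;
				nowsignedby[key->index] = ISC_TRUE;
			} else {
				vbprintf(2, "\trrsig by %s dropped - %s\n",
					 sigstr, expired ? "expired" :
					 rrsig.originalttl != set->ttl ?
					 "ttl change" : "failed to verify");
				wassignedby[key->index] = ISC_TRUE;
			}
		} else if (!expired) {
			vbprintf(2, "\trrsig by %s retained\n", sigstr);
			keep = ISC_TRUE;
		} else {
			vbprintf(2, "\trrsig by %s expired\n", sigstr);
		}

		if (keep) {
			/*
			 * A signature by an unknown key (key == NULL) can
			 * be kept too; it has no slot to mark.
			 */
			if (key != NULL)
				nowsignedby[key->index] = ISC_TRUE;
			INCSTAT(nretained);
			if (sigset.ttl != ttl) {
				vbprintf(2, "\tfixing ttl %s\n", sigstr);
				tuple = NULL;
				result = dns_difftuple_create(mctx,
							      DNS_DIFFOP_DEL,
							      name, sigset.ttl,
							      &sigrdata,
							      &tuple);
				check_result(result, "dns_difftuple_create");
				dns_diff_append(del, &tuple);
				result = dns_difftuple_create(mctx,
							      DNS_DIFFOP_ADD,
							      name, ttl,
							      &sigrdata,
							      &tuple);
				check_result(result, "dns_difftuple_create");
				dns_diff_append(add, &tuple);
			}
		} else {
			tuple = NULL;
			result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
						      name, sigset.ttl,
						      &sigrdata, &tuple);
			check_result(result, "dns_difftuple_create");
			dns_diff_append(del, &tuple);
			INCSTAT(ndropped);
		}

		if (resign) {
			INSIST(!keep);

			signwithkey(name, set, key->key, ttl, add,
				    "resigning with dnskey");
			nowsignedby[key->index] = ISC_TRUE;
		}

		dns_rdata_reset(&sigrdata);
		dns_rdata_freestruct(&rrsig);
		result = dns_rdataset_next(&sigset);
	}
	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

	check_result(result, "dns_rdataset_first/next");
	if (dns_rdataset_isassociated(&sigset))
		dns_rdataset_disassociate(&sigset);

	/* Sign with every signing key that does not already cover the set. */
	for (key = ISC_LIST_HEAD(keylist);
	     key != NULL;
	     key = ISC_LIST_NEXT(key, link))
	{
		if (nowsignedby[key->index])
			continue;

		if (!issigningkey(key))
			continue;

		if (set->type == dns_rdatatype_dnskey &&
		     dns_name_equal(name, gorigin)) {
			isc_boolean_t have_ksk;
			dns_dnsseckey_t *tmpkey;

			/*
			 * Is there an unrevoked KSK for this algorithm?
			 * Without one, a ZSK must sign the DNSKEY RRset.
			 */
			have_ksk = isksk(key);
			for (tmpkey = ISC_LIST_HEAD(keylist);
			     tmpkey != NULL;
			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
				if (dst_key_alg(key->key) !=
				    dst_key_alg(tmpkey->key))
					continue;
				if (REVOKE(tmpkey->key))
					continue;
				if (isksk(tmpkey))
					have_ksk = ISC_TRUE;
			}
			if (isksk(key) || !have_ksk ||
			    (iszsk(key) && !keyset_kskonly))
				signwithkey(name, set, key->key, ttl, add,
					    "signing with dnskey");
		} else if (iszsk(key)) {
			signwithkey(name, set, key->key, ttl, add,
				    "signing with dnskey");
		}
	}

	isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
}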

/*%
 * Flat, sortable list of NSEC3 hashes.  Each entry occupies 'length'
 * bytes: the hash followed by one flag byte, nonzero for a speculative
 * (wildcard) entry; see hashlist_add_dns_name().
 */
struct hashlist {
	unsigned char *hashbuf;	/* size * length bytes, or NULL when empty */
	size_t entries;		/* entries in use */
	size_t size;		/* entries allocated */
	size_t length;		/* bytes per entry: hash length + 1 */
};

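/*%
 * Prepare an empty hash list whose entries hold 'length' hash bytes
 * plus one flag byte.  'nodes' is a capacity hint: room for that many
 * entries is reserved up front (hashlist_add() grows the list later as
 * needed).  If the reservation fails the list simply starts empty.
 */
static void
hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {

	l->entries = 0;
	l->length = length + 1;
	l->size = 0;
	l->hashbuf = NULL;

	if (nodes != 0) {
		/*
		 * calloc() refuses a nodes * length product that would
		 * not fit in size_t, where malloc(nodes * length) would
		 * quietly hand back a too-small buffer.
		 */
		l->hashbuf = calloc(nodes, l->length);
		if (l->hashbuf != NULL)
			l->size = nodes;
	}
}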

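/*%
 * Append one entry of 'len' bytes (hash plus flag byte, at most
 * l->length) to the list, growing the buffer when it is full.  The
 * entry is zero padded to l->length so the comparator always reads
 * defined bytes.  Growth failure, or a buffer size that would not fit
 * in size_t, is fatal; the list is never left pointing at freed memory.
 */
static void
hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
{

	REQUIRE(len <= l->length);

	if (l->entries == l->size) {
		size_t newsize = l->size * 2 + 100;
		size_t newbytes = newsize * l->length;
		unsigned char *newbuf;

		/* Refuse a byte count that wrapped around. */
		if (l->length == 0 || newbytes / l->length != newsize)
			fatal("hashlist: too many entries");
		/*
		 * Keep the old buffer until the new one is known good;
		 * storing realloc()'s result straight into l->hashbuf
		 * would lose the only pointer to it on failure.
		 */
		newbuf = realloc(l->hashbuf, newbytes);
		if (newbuf == NULL)
			fatal("out of memory");
		l->hashbuf = newbuf;
		l->size = newsize;
	}
	memset(l->hashbuf + l->entries * l->length, 0, l->length);
	memcpy(l->hashbuf + l->entries * l->length, hash, len);
	l->entries++;
}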

/*%
 * Hash 'name' with the given NSEC3 parameters and append the result to
 * the list, tagged with a flag byte that is 1 for a speculative
 * (wildcard) entry and 0 otherwise.  In verbose mode the hex hash and
 * the name are printed to stderr.
 *
 * NOTE(review): the length returned by isc_iterated_hash() is used
 * unchecked; presumably a zero return (unsupported algorithm?) cannot
 * happen here because the caller validated 'hashalg' — confirm.
 */
static void
hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
		      unsigned int hashalg, unsigned int iterations,
		      const unsigned char *salt, size_t salt_length,
		      isc_boolean_t speculative)
{
	unsigned char digest[NSEC3_MAX_HASH_LENGTH + 1];
	unsigned int hashlen;

	hashlen = isc_iterated_hash(digest, hashalg, iterations, salt,
				    salt_length, name->ndata, name->length);
	if (verbose) {
		char nametext[DNS_NAME_FORMATSIZE];
		size_t i;

		dns_name_format(name, nametext, sizeof nametext);
		for (i = 0; i < hashlen; i++)
			fprintf(stderr, "%02x", digest[i]);
		fprintf(stderr, " %s\n", nametext);
	}
	/* Trailing flag byte follows the hash. */
	digest[hashlen] = speculative ? 1 : 0;
	hashlist_add(l, digest, hashlen + 1);
}

/*%
 * qsort()/bsearch() comparator for hash list entries.  It compares the
 * hash and the trailing flag byte, i.e. hash_length + 1 bytes; the
 * global 'hash_length' therefore has to match the length the list was
 * initialised with, which is what the sort and search step by.
 */
static int
hashlist_comp(const void *a, const void *b) {
	const unsigned char *left = a;
	const unsigned char *right = b;

	return (memcmp(left, right, hash_length + 1));
}

/*% Sort the list into hashlist_comp() order, as bsearch() requires. */
static void
hashlist_sort(hashlist_t *l) {
	size_t count = l->entries;

	qsort(l->hashbuf, count, l->length, hashlist_comp);
}

/*%
 * Report whether two non-speculative entries carry the same hash.  The
 * list must already be sorted, so a duplicate is always adjacent among
 * the real entries; speculative ones (flag byte nonzero) are ignored.
 */
static isc_boolean_t
hashlist_hasdup(hashlist_t *l) {
	const size_t stride = l->length;
	const size_t flag = stride - 1;
	unsigned char *prev = NULL;
	unsigned char *cur;
	size_t i;

	for (i = 0, cur = l->hashbuf; i < l->entries; i++, cur += stride) {
		if (cur[flag] != 0)
			continue;	/* speculative wildcard hash */
		if (prev != NULL && memcmp(prev, cur, flag) == 0)
			return (ISC_TRUE);
		prev = cur;
	}
	return (ISC_FALSE);
}

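/*%
 * Return the entry following 'hash' in the sorted list, skipping
 * speculative entries (flag byte nonzero) and wrapping from the last
 * entry back to the first.  'hash' must be present (first INSIST) and
 * at least one non-speculative entry must exist: going a full circle
 * without finding one trips the second INSIST.
 *
 * hashlist_comp() compares hash_length + 1 bytes, so the byte after the
 * hash takes part in the search; presumably callers pass a buffer that
 * has the flag byte in place — confirm.
 */
static const unsigned char *
hashlist_findnext(const hashlist_t *l,
		  const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
{
	size_t entries = l->entries;	/* same width as l->entries */
	const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
					    l->length, hashlist_comp);
	INSIST(next != NULL);

	do {
		if (next < l->hashbuf + (l->entries - 1) * l->length)
			next += l->length;
		else
			next = l->hashbuf;	/* wrap around */
		if (next[l->length - 1] == 0)
			break;
	} while (entries-- > 1);
	INSIST(entries != 0);
	return (next);
}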

/*%
 * True when 'hash' is in the (sorted) list, by hashlist_comp() equality.
 */
static isc_boolean_t
hashlist_exists(const hashlist_t *l,
		const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
{
	const void *match = bsearch(hash, l->hashbuf, l->entries, l->length,
				    hashlist_comp);

	return (ISC_TF(match != NULL));
}

/*%
 * Add a speculative entry for "*.<name>" to the hash list unless the
 * zone actually has a node at that wildcard name.  A name too long to
 * take the extra label is silently skipped.
 */
static void
addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
		  unsigned int hashalg, unsigned int iterations,
		  const unsigned char *salt, size_t salt_length)
{
	dns_fixedname_t fwild;
	dns_name_t *wildname;
	dns_dbnode_t *existing = NULL;
	isc_result_t result;

	dns_fixedname_init(&fwild);
	wildname = dns_fixedname_name(&fwild);

	result = dns_name_concatenate(dns_wildcardname, name, wildname, NULL);
	if (result == ISC_R_NOSPACE)
		return;
	check_result(result,"addnowildcardhash: dns_name_concatenate()");

	/* An explicit wildcard node exists: nothing speculative to add. */
	result = dns_db_findnode(gdb, wildname, ISC_FALSE, &existing);
	if (result == ISC_R_SUCCESS) {
		dns_db_detachnode(gdb, &existing);
		return;
	}

	if (verbose) {
		char text[DNS_NAME_FORMATSIZE];

		dns_name_format(wildname, text, sizeof(text));
		fprintf(stderr, "adding no-wildcardhash for %s\n", text);
	}

	hashlist_add_dns_name(l, wildname, hashalg, iterations, salt,
			      salt_length, ISC_TRUE);
}

static void
opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
       dns_db_t **dbp)
{
	char filename[PATH_MAX];
	isc_buffer_t b;
	isc_result_t result;

	isc_buffer_init(&b, filename, sizeof(filename));
	if (dsdir != NULL) {
		/* allow room for a trailing slash */
		if (strlen(dsdir) >= isc_buffer_availablelength(&b))
			fatal("path '%s' is too long", dsdir);
		isc_buffer_putstr(&b, dsdir);
		if (dsdir[strlen(dsdir) - 1] != '/')
			isc_buffer_putstr(&b, "/");
	}
	if (strlen(prefix) > isc_buffer_availablelength(&b))
		fatal("path '%s' is too long", dsdir);
	isc_buffer_putstr(&b, prefix);
	result = dns_name_tofilenametext(name, ISC_FALSE, &b);
	check_result(result, "dns_name_tofilenametext()");
	if (isc_buffer_availablelength(&b) == 0) {
		char namestr[DNS_NAME_FORMATSIZE];