/*
 * Portions Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: dnssec-signzone.c,v 1.268 2011/03/05 23:52:29 tbox Exp $ */

/*! \file */

#include <config.h>

#include <stdlib.h>
#include <time.h>

#include <isc/app.h>
#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stdio.h>
#include <isc/stdlib.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/time.h>
#include <isc/util.h>

#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdataclass.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
#include <dns/soa.h>
#include <dns/time.h>

#include <dst/dst.h>

#include "dnssectool.h"

#ifndef PATH_MAX
#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
#endif

/* Program name and verbosity level; both are non-static, presumably so the
 * shared helpers in dnssectool.h can report through them -- confirm. */
const char *program = "dnssec-signzone";
int verbose;

typedef struct hashlist hashlist_t;

/* Type of the "next secure" chain being written: NSEC unless NSEC3 is
 * requested (see IS_NSEC3 below). */
static int nsec_datatype = dns_rdatatype_nsec;

#define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)

/* True when the DST key carries the REVOKE flag (RFC 5011 style). */
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)

/* Size of the on-stack scratch buffer signwithkey() signs into. */
#define BUFSIZE 2048
#define MAXDSKEYS 8

/* Event class/types used by the signing tasks. */
#define SIGNER_EVENTCLASS	ISC_EVENTCLASS(0x4453)
#define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
#define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)

/* Values for serialformat: how the output SOA serial is derived. */
#define SOA_SERIAL_KEEP		0
#define SOA_SERIAL_INCREMENT	1
#define SOA_SERIAL_UNIXTIME	2

/*
 * Event exchanged by the signer tasks (presumably with the SIGNER_EVENT_*
 * types above); carries the owner name and database node being processed.
 */
typedef struct signer_event sevent_t;
struct signer_event {
	ISC_EVENT_COMMON(sevent_t);
	dns_fixedname_t *fname;		/* owner name of the node */
	dns_dbnode_t *node;		/* the node itself */
};

/* The signing/publishing keys.  keylist_lock guards the list: readers take
 * the read lock, keythatsigned() takes the write lock to append keys it
 * loaded from disk.  keycount sizes the per-key index arrays in signset()
 * and is NOT bumped for keys appended by keythatsigned(). */
static dns_dnsseckeylist_t keylist;
static unsigned int keycount = 0;
isc_rwlock_t keylist_lock;
/* Signature validity window.  RRSIGs run from starttime to endtime
 * (dnskey_endtime for DNSKEY RRsets); now is the reference for the
 * expired/future tests in signset(). */
static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
/* Existing RRSIGs by our own signing keys are treated as expired when
 * now + cycle is past their expiry (see signset()). */
static int cycle = -1;
/* When non-zero, signwithkey() randomises each expiry time with it. */
static int jitter = 0;
/* Verify every freshly generated RRSIG (signwithkey()). */
static isc_boolean_t tryverify = ISC_FALSE;
/* Enables the INCSTAT() counters below. */
static isc_boolean_t printstats = ISC_FALSE;
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
static dns_ttl_t zone_soa_min_ttl;
static dns_ttl_t soa_ttl;
static FILE *fp;			/* output zone file */
static char *tempfile = NULL;
static const dns_master_style_t *masterstyle;
static dns_masterformat_t inputformat = dns_masterformat_text;
static dns_masterformat_t outputformat = dns_masterformat_text;
/* Statistics; updated only through INCSTAT(), under statslock. */
static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
static unsigned int nverified = 0, nverifyfailed = 0;
/* directory: where key files are looked up; dsdir: where opendb() finds
 * its input files. */
static const char *directory = NULL, *dsdir = NULL;
static isc_mutex_t namelock, statslock;
static isc_taskmgr_t *taskmgr = NULL;
static dns_db_t *gdb;			/* The database */
static dns_dbversion_t *gversion;	/* The database version */
static dns_dbiterator_t *gdbiter;	/* The database iterator */
static dns_rdataclass_t gclass;		/* The class */
static dns_name_t *gorigin;		/* The database origin */
/* NSEC3 parameters: flags, iteration count and salt (salt points into
 * saltbuf, so at most sizeof(saltbuf) bytes). */
static int nsec3flags = 0;
static dns_iterations_t nsec3iter = 10U;
static unsigned char saltbuf[255];
static unsigned char *salt = saltbuf;
static size_t salt_length = 0;
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
static isc_boolean_t nokeys = ISC_FALSE;
static isc_boolean_t removefile = ISC_FALSE;
static isc_boolean_t generateds = ISC_FALSE;
/* Treat every key as a ZSK regardless of its KSK flag (see iszsk()). */
static isc_boolean_t ignore_kskflag = ISC_FALSE;
/* Sign the apex DNSKEY RRset with KSKs only (see signset()). */
static isc_boolean_t keyset_kskonly = ISC_FALSE;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
static unsigned int serialformat = SOA_SERIAL_KEEP;
/* Length of the NSEC3 hash; hashlist_comp() compares hash_length + 1
 * bytes, so it must match the length the hashlist was initialised with. */
static unsigned int hash_length = 0;
static isc_boolean_t unknownalg = ISC_FALSE;
static isc_boolean_t disable_zone_check = ISC_FALSE;
static isc_boolean_t update_chain = ISC_FALSE;
static isc_boolean_t set_keyttl = ISC_FALSE;
static dns_ttl_t keyttl;
static isc_boolean_t smartsign = ISC_FALSE;
/* Write only the DNSSEC records of each node (see dumpnode()). */
static isc_boolean_t output_dnssec_only = ISC_FALSE;

/*
 * Bump a statistics counter under statslock when stats are enabled.
 * NOTE(review): this expands to a bare if-statement, so an unbraced
 * `if (...) INCSTAT(a); else ...` would bind the else to the macro's own
 * if; callers must brace, or the macro should be wrapped in
 * do { ... } while (0).
 */
#define INCSTAT(counter)		\
	if (printstats) {		\
		LOCK(&statslock);	\
		counter++;		\
		UNLOCK(&statslock);	\
	}

static void
sign(isc_task_t *task, isc_event_t *event);

/* DNS_R_NEWORIGIN from dns_dbiterator_current() is not an error here. */
#define check_dns_dbiterator_current(result) \
	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
		     "dns_dbiterator_current()")

/*
 * Rdataset types dumpnode() writes when output_dnssec_only is set:
 * the DNSSEC records, plus DNSKEY when smartsign is in effect.
 */
static isc_boolean_t
dumpnode_wanted(dns_rdatatype_t type) {
	switch (type) {
	case dns_rdatatype_rrsig:
	case dns_rdatatype_nsec:
	case dns_rdatatype_nsec3:
	case dns_rdatatype_nsec3param:
		return (ISC_TRUE);
	case dns_rdatatype_dnskey:
		return (smartsign);
	default:
		return (ISC_FALSE);
	}
}

/*
 * Write 'node' (owner 'name') to the output file 'fp' in master-file text.
 *
 * Does nothing unless the output format is text.  Normally the whole node
 * is dumped; with output_dnssec_only only the types selected by
 * dumpnode_wanted() are written.  Every library failure is fatal via
 * check_result().
 */
static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) {
	dns_rdataset_t rds;
	dns_rdatasetiter_t *iter = NULL;
	isc_buffer_t *buffer = NULL;
	isc_region_t r;
	isc_result_t result;
	unsigned bufsize = 4096;

	if (outputformat != dns_masterformat_text)
		return;

	if (!output_dnssec_only) {
		/* Whole node: let the master-file dumper do the work. */
		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
						     name, masterstyle, fp);
		check_result(result, "dns_master_dumpnodetostream");
		return;
	}

	result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter);
	check_result(result, "dns_db_allrdatasets");
	dns_rdataset_init(&rds);
	result = isc_buffer_allocate(mctx, &buffer, bufsize);
	check_result(result, "isc_buffer_allocate");

	result = dns_rdatasetiter_first(iter);
	while (result == ISC_R_SUCCESS) {
		dns_rdatasetiter_current(iter, &rds);

		if (dumpnode_wanted(rds.type)) {
			/*
			 * Render into the scratch buffer, doubling it
			 * until the text fits.
			 */
			for (;;) {
				result = dns_master_rdatasettotext(name, &rds,
								   masterstyle,
								   buffer);
				if (result != ISC_R_NOSPACE)
					break;
				bufsize <<= 1;
				isc_buffer_free(&buffer);
				result = isc_buffer_allocate(mctx, &buffer,
							     bufsize);
				check_result(result, "isc_buffer_allocate");
			}
			check_result(result, "dns_master_rdatasettotext");

			isc_buffer_usedregion(buffer, &r);
			result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
			check_result(result, "isc_stdio_write");
			isc_buffer_clear(buffer);
		}

		dns_rdataset_disassociate(&rds);
		result = dns_rdatasetiter_next(iter);
	}

	isc_buffer_free(&buffer);
	dns_rdatasetiter_destroy(&iter);
}

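/*%
 * Sign the given RRset with the given key, and append the resulting RRSIG
 * (with TTL 'ttl') as an ADD tuple to the 'add' diff.
 *
 * The expiry is dnskey_endtime for DNSKEY RRsets and endtime otherwise,
 * randomised by 'jitter' when that is non-zero.  A signing failure is
 * fatal.  With tryverify set the new RRSIG is verified and the result is
 * counted and logged; a verification failure does not stop the RRSIG from
 * being added.
 */
static void
signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
	    dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
{
	isc_result_t result;
	isc_stdtime_t jendtime, expiry;
	char keystr[DST_KEY_FORMATSIZE];
	dns_rdata_t trdata = DNS_RDATA_INIT;
	unsigned char array[BUFSIZE];
	isc_buffer_t b;
	dns_difftuple_t *tuple;

	dst_key_format(key, keystr, sizeof(keystr));
	vbprintf(1, "\t%s %s\n", logmsg, keystr);

	if (rdataset->type == dns_rdatatype_dnskey)
		expiry = dnskey_endtime;
	else
		expiry = endtime;

	jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
	isc_buffer_init(&b, array, sizeof(array));
	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
				 mctx, &b, &trdata);
	isc_entropy_stopcallbacksources(ectx);
	if (result != ISC_R_SUCCESS) {
		/*
		 * 'keystr' was formatted for the same key above; the former
		 * shadowing re-declaration here was redundant.
		 */
		fatal("dnskey '%s' failed to sign data: %s",
		      keystr, isc_result_totext(result));
	}
	INCSTAT(nsigned);

	if (tryverify) {
		result = dns_dnssec_verify(name, rdataset, key,
					   ISC_TRUE, mctx, &trdata);
		if (result == ISC_R_SUCCESS) {
			vbprintf(3, "\tsignature verified\n");
			INCSTAT(nverified);
		} else {
			/* Counted only; the RRSIG is still appended below. */
			vbprintf(3, "\tsignature failed to verify\n");
			INCSTAT(nverifyfailed);
		}
	}

	tuple = NULL;
	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata,
				      &tuple);
	check_result(result, "dns_difftuple_create");
	dns_diff_append(add, &tuple);
}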

/* A key signs when it was either forced to (-k/-K style) or hinted to. */
static inline isc_boolean_t
issigningkey(dns_dnsseckey_t *key) {
	if (key->force_sign)
		return (ISC_TRUE);
	return (ISC_TF(key->hint_sign));
}

/* True for a zone key whose owner name is the zone origin. */
static inline isc_boolean_t
iszonekey(dns_dnsseckey_t *key) {
	dst_key_t *dstkey = key->key;

	if (!dns_name_equal(dst_key_name(dstkey), gorigin))
		return (ISC_FALSE);
	return (ISC_TF(dst_key_iszonekey(dstkey)));
}

/* Key-signing key as flagged on the dnsseckey entry. */
static inline isc_boolean_t
isksk(dns_dnsseckey_t *key) {
	isc_boolean_t ksk = key->ksk;

	return (ksk);
}

/* Zone-signing key: any non-KSK, or every key when ignore_kskflag is set. */
static inline isc_boolean_t
iszsk(dns_dnsseckey_t *key) {
	if (ignore_kskflag)
		return (ISC_TRUE);
	return (ISC_TF(!key->ksk));
}

/*%
 * Find the key that generated an RRSIG, if it is in the key list.  If
 * so, return a pointer to it, otherwise return NULL.  A key matches when
 * its key id, algorithm and owner name all equal the RRSIG's.
 *
 * No locking is performed here, this must be done by the caller.
 */
static dns_dnsseckey_t *
keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
	dns_dnsseckey_t *candidate = ISC_LIST_HEAD(keylist);

	while (candidate != NULL) {
		dst_key_t *dstkey = candidate->key;

		if (rrsig->keyid == dst_key_id(dstkey) &&
		    rrsig->algorithm == dst_key_alg(dstkey) &&
		    dns_name_equal(&rrsig->signer, dst_key_name(dstkey)))
			return (candidate);
		candidate = ISC_LIST_NEXT(candidate, link);
	}
	return (NULL);
}

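/*%
 * Finds the key that generated a RRSIG, if possible.  First look at the keys
 * that we've loaded already, and then see if there's a key on disk.
 *
 * The on-disk lookup is keyed entirely by the RRSIG's signer name, key id
 * and algorithm -- i.e. by data read from the input zone -- and searches
 * 'directory'.  The public key must exist; the private half is used when
 * it can be loaded too.  A loaded key is appended to keylist with
 * force_publish set and force_sign clear, and returned.  Returns NULL when
 * no matching public key file is found.
 *
 * NOTE(review): key->index is not assigned here, although signset() indexes
 * its per-key arrays by it -- confirm dns_dnsseckey_create() initialises it.
 */
static dns_dnsseckey_t *
keythatsigned(dns_rdata_rrsig_t *rrsig) {
	isc_result_t result;
	dst_key_t *pubkey = NULL, *privkey = NULL;
	dns_dnsseckey_t *key = NULL;

	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
	key = keythatsigned_unlocked(rrsig);
	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
	if (key != NULL)
		return (key);

	/*
	 * We did not find the key in our list.  Get a write lock now, since
	 * we may be modifying the bits.  We could do the tryupgrade() dance,
	 * but instead just get a write lock and check once again to see if
	 * it is on our list.  It's possible someone else may have added it
	 * after all.
	 */
	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
	key = keythatsigned_unlocked(rrsig);
	if (key != NULL) {
		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
		return (key);
	}

	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
				  rrsig->algorithm, DST_TYPE_PUBLIC,
				  directory, mctx, &pubkey);
	if (result != ISC_R_SUCCESS) {
		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
		return (NULL);
	}

	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
				  rrsig->algorithm,
				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
				  directory, mctx, &privkey);
	if (result == ISC_R_SUCCESS) {
		/* The private key file carries the public half as well. */
		dst_key_free(&pubkey);
		result = dns_dnsseckey_create(mctx, &privkey, &key);
	} else {
		result = dns_dnsseckey_create(mctx, &pubkey, &key);
	}
	/*
	 * dns_dnsseckey_create() can fail (e.g. out of memory), in which
	 * case 'key' stays NULL; previously that was dereferenced below.
	 * check_result() terminates the program, so the write lock is
	 * deliberately not released on that path.
	 */
	check_result(result, "dns_dnsseckey_create");
	key->force_publish = ISC_TRUE;
	key->force_sign = ISC_FALSE;
	ISC_LIST_APPEND(keylist, key, link);

	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
	return (key);
}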

/*%
 * Check to see if we expect to find a key at this name.  If we see a RRSIG
 * and can't find the signing key that we expect to find, we drop the rrsig.
 * I'm not sure if this is completely correct, but it seems to work.
 *
 * Looks 'name' up for DNSKEY in gdb without wildcard matching.  A hit, an
 * NXDOMAIN or an NXRRSET mean the name is ours, so a key is expected; a
 * delegation, CNAME or DNAME mean it is not.  Any other lookup result is
 * fatal.
 */
static isc_boolean_t
expecttofindkey(dns_name_t *name) {
	unsigned int options = DNS_DBFIND_NOWILD;
	dns_fixedname_t fname;
	isc_result_t result;
	char namestr[DNS_NAME_FORMATSIZE];

	dns_fixedname_init(&fname);
	result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
			     0, NULL, dns_fixedname_name(&fname), NULL, NULL);

	if (result == ISC_R_SUCCESS || result == DNS_R_NXDOMAIN ||
	    result == DNS_R_NXRRSET)
		return (ISC_TRUE);
	if (result == DNS_R_DELEGATION || result == DNS_R_CNAME ||
	    result == DNS_R_DNAME)
		return (ISC_FALSE);

	dns_name_format(name, namestr, sizeof(namestr));
	fatal("failure looking for '%s DNSKEY' in database: %s",
	      namestr, isc_result_totext(result));
	/* NOTREACHED */
	return (ISC_FALSE); /* removes a warning */
}

/*
 * Verify RRSIG 'rrsig' over 'set' at 'name' with 'key', counting the
 * outcome in nverified/nverifyfailed.  Returns ISC_TRUE on success.
 */
static inline isc_boolean_t
setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
	    dns_rdata_t *rrsig)
{
	isc_boolean_t ok;

	ok = ISC_TF(dns_dnssec_verify(name, set, key, ISC_FALSE, mctx,
				      rrsig) == ISC_R_SUCCESS);
	/* Braces are required: INCSTAT() expands to a bare if-statement. */
	if (ok) {
		INCSTAT(nverified);
	} else {
		INCSTAT(nverifyfailed);
	}
	return (ok);
}

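/*%
 * Signs a set.  Goes through contortions to decide if each RRSIG should
 * be dropped or retained, and then determines if any new SIGs need to
 * be generated.
 *
 * 'set' is the RRset at 'name'/'node' in gdb.  Tuples removing RRSIGs are
 * appended to 'del'; tuples adding RRSIGs (new ones, or retained ones
 * re-added with the corrected TTL) are appended to 'add'.  Database lookup
 * and allocation failures are fatal.
 *
 * NOTE(review): keylist is walked here without keylist_lock, while
 * keythatsigned() appends to it under the write lock -- confirm no other
 * task can be appending concurrently.
 */
static void
signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
	dns_rdataset_t *set)
{
	dns_rdataset_t sigset;
	dns_rdata_t sigrdata = DNS_RDATA_INIT;
	dns_rdata_rrsig_t rrsig;
	dns_dnsseckey_t *key;
	isc_result_t result;
	isc_boolean_t nosigs = ISC_FALSE;
	isc_boolean_t *wassignedby, *nowsignedby;
	int arraysize;
	dns_difftuple_t *tuple;
	dns_ttl_t ttl;
	int i;
	char namestr[DNS_NAME_FORMATSIZE];
	char typestr[TYPE_FORMATSIZE];
	char sigstr[SIG_FORMATSIZE];

	dns_name_format(name, namestr, sizeof(namestr));
	type_format(set->type, typestr, sizeof(typestr));

	/* Never let an RRSIG's TTL exceed the signing window. */
	ttl = ISC_MIN(set->ttl, endtime - starttime);

	dns_rdataset_init(&sigset);
	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
				     set->type, 0, &sigset, NULL);
	if (result == ISC_R_NOTFOUND) {
		result = ISC_R_SUCCESS;
		nosigs = ISC_TRUE;
	}
	if (result != ISC_R_SUCCESS)
		fatal("failed while looking for '%s RRSIG %s': %s",
		      namestr, typestr, isc_result_totext(result));

	vbprintf(1, "%s/%s:\n", namestr, typestr);

	/*
	 * One slot per key, indexed by key->index.  Keys loaded on demand by
	 * keythatsigned() are not counted in keycount; the existing RRSIG
	 * count is added, presumably to leave room for them.  'wassignedby'
	 * is written but never read in this function.
	 */
	arraysize = keycount;
	if (!nosigs)
		arraysize += dns_rdataset_count(&sigset);
	wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
	nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
	if (wassignedby == NULL || nowsignedby == NULL)
		fatal("out of memory");

	for (i = 0; i < arraysize; i++)
		wassignedby[i] = nowsignedby[i] = ISC_FALSE;

	if (nosigs)
		result = ISC_R_NOMORE;
	else
		result = dns_rdataset_first(&sigset);

	while (result == ISC_R_SUCCESS) {
		isc_boolean_t expired, future;
		isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;

		dns_rdataset_current(&sigset, &sigrdata);

		result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
		check_result(result, "dns_rdata_tostruct");

		future = isc_serial_lt(now, rrsig.timesigned);

		key = keythatsigned(&rrsig);
		sig_format(&rrsig, sigstr, sizeof(sigstr));
		/*
		 * RRSIGs by our own signing keys are judged against
		 * now + cycle, so they count as expired ahead of time.
		 */
		if (key != NULL && issigningkey(key))
			expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
		else
			expired = isc_serial_gt(now, rrsig.timeexpire);

		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
			/* rrsig is dropped and not replaced */
			vbprintf(2, "\trrsig by %s dropped - "
				 "invalid validity period\n",
				 sigstr);
		} else if (key == NULL && !future &&
			   expecttofindkey(&rrsig.signer)) {
			/* rrsig is dropped and not replaced */
			vbprintf(2, "\trrsig by %s dropped - "
				 "private dnskey not found\n",
				 sigstr);
		} else if (key == NULL || future) {
			/*
			 * Unknown signer (or inception in the future):
			 * keep the RRSIG until it expires.  Note 'key'
			 * may be NULL when 'keep' is set here.
			 */
			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
				 expired ? "retained" : "dropped", sigstr);
			if (!expired)
				keep = ISC_TRUE;
		} else if (issigningkey(key)) {
			if (!expired && rrsig.originalttl == set->ttl &&
			    setverifies(name, set, key->key, &sigrdata)) {
				vbprintf(2, "\trrsig by %s retained\n", sigstr);
				keep = ISC_TRUE;
				wassignedby[key->index] = ISC_TRUE;
				nowsignedby[key->index] = ISC_TRUE;
			} else {
				vbprintf(2, "\trrsig by %s dropped - %s\n",
					 sigstr, expired ? "expired" :
					 rrsig.originalttl != set->ttl ?
					 "ttl change" : "failed to verify");
				wassignedby[key->index] = ISC_TRUE;
				resign = ISC_TRUE;
			}
		} else if (iszonekey(key)) {
			if (!expired && rrsig.originalttl == set->ttl &&
			    setverifies(name, set, key->key, &sigrdata)) {
				vbprintf(2, "\trrsig by %s retained\n", sigstr);
				keep = ISC_TRUE;
				wassignedby[key->index] = ISC_TRUE;
				nowsignedby[key->index] = ISC_TRUE;
			} else {
				vbprintf(2, "\trrsig by %s dropped - %s\n",
					 sigstr, expired ? "expired" :
					 rrsig.originalttl != set->ttl ?
					 "ttl change" : "failed to verify");
				wassignedby[key->index] = ISC_TRUE;
			}
		} else if (!expired) {
			vbprintf(2, "\trrsig by %s retained\n", sigstr);
			keep = ISC_TRUE;
		} else {
			vbprintf(2, "\trrsig by %s expired\n", sigstr);
		}

		if (keep) {
			/*
			 * 'key' is NULL when an RRSIG from an unknown
			 * signer was retained above; guard the index so
			 * a zone containing such an RRSIG cannot crash
			 * the signer.
			 */
			if (key != NULL)
				nowsignedby[key->index] = ISC_TRUE;
			INCSTAT(nretained);
			if (sigset.ttl != ttl) {
				vbprintf(2, "\tfixing ttl %s\n", sigstr);
				tuple = NULL;
				result = dns_difftuple_create(mctx,
							      DNS_DIFFOP_DEL,
							      name, sigset.ttl,
							      &sigrdata,
							      &tuple);
				check_result(result, "dns_difftuple_create");
				dns_diff_append(del, &tuple);
				result = dns_difftuple_create(mctx,
							      DNS_DIFFOP_ADD,
							      name, ttl,
							      &sigrdata,
							      &tuple);
				check_result(result, "dns_difftuple_create");
				dns_diff_append(add, &tuple);
			}
		} else {
			tuple = NULL;
			result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
						      name, sigset.ttl,
						      &sigrdata, &tuple);
			check_result(result, "dns_difftuple_create");
			dns_diff_append(del, &tuple);
			INCSTAT(ndropped);
		}

		if (resign) {
			/* resign is only set on the issigningkey() path,
			 * so 'key' is non-NULL here. */
			INSIST(!keep);

			signwithkey(name, set, key->key, ttl, add,
				    "resigning with dnskey");
			nowsignedby[key->index] = ISC_TRUE;
		}

		dns_rdata_reset(&sigrdata);
		dns_rdata_freestruct(&rrsig);
		result = dns_rdataset_next(&sigset);
	}
	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

	check_result(result, "dns_rdataset_first/next");
	if (dns_rdataset_isassociated(&sigset))
		dns_rdataset_disassociate(&sigset);

	/*
	 * Generate signatures from every signing key that has not already
	 * produced a (retained or refreshed) RRSIG for this set.
	 */
	for (key = ISC_LIST_HEAD(keylist);
	     key != NULL;
	     key = ISC_LIST_NEXT(key, link))
	{
		if (nowsignedby[key->index])
			continue;

		if (!issigningkey(key))
			continue;

		if (set->type == dns_rdatatype_dnskey &&
		     dns_name_equal(name, gorigin)) {
			isc_boolean_t have_ksk;
			dns_dnsseckey_t *tmpkey;

			/*
			 * Apex DNSKEY RRset: a ZSK signs it only if no
			 * unrevoked KSK of the same algorithm exists, or
			 * when keyset_kskonly is off.
			 */
			have_ksk = isksk(key);
			for (tmpkey = ISC_LIST_HEAD(keylist);
			     tmpkey != NULL;
			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
				if (dst_key_alg(key->key) !=
				    dst_key_alg(tmpkey->key))
					continue;
				if (REVOKE(tmpkey->key))
					continue;
				if (isksk(tmpkey))
					have_ksk = ISC_TRUE;
			}
			if (isksk(key) || !have_ksk ||
			    (iszsk(key) && !keyset_kskonly))
				signwithkey(name, set, key->key, ttl, add,
					    "signing with dnskey");
		} else if (iszsk(key)) {
			signwithkey(name, set, key->key, ttl, add,
				    "signing with dnskey");
		}
	}

	isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
}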

/*
 * Flat array of fixed-width NSEC3 hash entries.  Each entry is 'length'
 * bytes: the hash followed by one flag byte that hashlist_add_dns_name()
 * sets to 1 for speculative (no-wildcard) entries and 0 otherwise.
 */
struct hashlist {
	unsigned char *hashbuf;	/* size * length bytes, malloc()/realloc()'d */
	size_t entries;		/* entries in use */
	size_t size;		/* entries allocated */
	size_t length;		/* bytes per entry: hash length + 1 */
};

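/*
 * Initialise 'l' for hashes of 'length' bytes with room for 'nodes'
 * entries.  When 'nodes' is 0, when the size computation would overflow,
 * or when malloc() fails, the list starts empty with no buffer and grows
 * on the first hashlist_add().
 */
static void
hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {

	l->entries = 0;
	l->length = length + 1;
	l->size = 0;
	l->hashbuf = NULL;

	if (nodes == 0)
		return;

	/* Treat an overflowing nodes * length like an allocation failure. */
	if (l->length == 0 || (size_t)nodes > (size_t)-1 / l->length)
		return;

	l->hashbuf = malloc((size_t)nodes * l->length);
	if (l->hashbuf != NULL)
		l->size = nodes;
}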

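/*
 * Append one entry of 'len' bytes (zero-padded to l->length) to 'l',
 * growing the buffer when full.  Growth that would overflow, or a failed
 * realloc(), is fatal; previously an unchecked realloc() leaked the old
 * buffer and the subsequent memset() wrote through a NULL pointer.
 */
static void
hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
{

	REQUIRE(len <= l->length);

	if (l->entries == l->size) {
		size_t newsize = l->size * 2 + 100;
		unsigned char *newbuf;

		if (l->length != 0 && newsize > (size_t)-1 / l->length)
			fatal("out of memory");
		newbuf = realloc(l->hashbuf, newsize * l->length);
		if (newbuf == NULL)
			fatal("out of memory");
		l->hashbuf = newbuf;
		l->size = newsize;
	}
	memset(l->hashbuf + l->entries * l->length, 0, l->length);
	memcpy(l->hashbuf + l->entries * l->length, hash, len);
	l->entries++;
}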

/*
 * Hash 'name' with the given NSEC3 parameters and append it to 'l',
 * flagging the entry as speculative when requested.  With verbose set the
 * hex hash and the name are echoed to stderr.
 */
static void
hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
		      unsigned int hashalg, unsigned int iterations,
		      const unsigned char *salt, size_t salt_length,
		      isc_boolean_t speculative)
{
	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
	unsigned int hashlen;

	hashlen = isc_iterated_hash(hash, hashalg, iterations, salt,
				    salt_length, name->ndata, name->length);
	if (verbose) {
		char nametext[DNS_NAME_FORMATSIZE];
		unsigned int pos = 0;

		dns_name_format(name, nametext, sizeof nametext);
		while (pos < hashlen)
			fprintf(stderr, "%02x", hash[pos++]);
		fprintf(stderr, " %s\n", nametext);
	}
	/* Trailing flag byte: 1 = speculative (no-wildcard) entry, 0 = real. */
	if (speculative)
		hash[hashlen] = 1;
	else
		hash[hashlen] = 0;
	hashlist_add(l, hash, hashlen + 1);
}

/*
 * qsort()/bsearch() comparator for hashlist entries: orders by hash and
 * then by the trailing flag byte.  It uses the file-level hash_length, not
 * the list's own length, so the caller must keep the two in step.
 */
static int
hashlist_comp(const void *a, const void *b) {
	const unsigned char *lhs = a;
	const unsigned char *rhs = b;
	size_t width = hash_length + 1;

	return (memcmp(lhs, rhs, width));
}

/* Sort the entries of 'l' in place with hashlist_comp(). */
static void
hashlist_sort(hashlist_t *l) {
	void *base = l->hashbuf;
	size_t nmemb = l->entries;
	size_t width = l->length;

	qsort(base, nmemb, width, hashlist_comp);
}

/*
 * Return ISC_TRUE if two non-speculative entries of 'l' carry the same
 * hash.  Only adjacent entries are compared, so this is meaningful only
 * after hashlist_sort().  Speculative entries (non-zero flag byte) are
 * ignored on both sides of the comparison.
 */
static isc_boolean_t
hashlist_hasdup(hashlist_t *l) {
	unsigned char *current;
	unsigned char *next = l->hashbuf;
	size_t entries = l->entries;

	/*
	 * Skip initial speculative wild card hashes.
	 */
	while (entries > 0U && next[l->length-1] != 0U) {
		next += l->length;
		entries--;
	}

	current = next;
	while (entries-- > 1U) {
		next += l->length;
		if (next[l->length-1] != 0)
			continue;	/* speculative: never a duplicate */
		/* compare the hash only, not the flag byte */
		if (memcmp(current, next, l->length - 1) == 0)
			return (ISC_TRUE);
		current = next;
	}
	return (ISC_FALSE);
}

/*
 * Return the first non-speculative entry that follows 'hash' in the sorted
 * list, wrapping around to the start when the end is reached (presumably
 * the "next hashed owner name" of an NSEC3 chain -- confirm).
 *
 * 'hash' must be present in 'l' (INSIST) and the list must hold at least
 * one non-speculative entry (INSIST); both are programming errors.
 *
 * NOTE(review): 'entries' narrows l->entries (size_t) to unsigned int.
 */
static const unsigned char *
hashlist_findnext(const hashlist_t *l,
		  const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
{
	unsigned int entries = l->entries;
	const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
					    l->length, hashlist_comp);
	INSIST(next != NULL);

	do {
		/* step to the next entry, wrapping past the last one */
		if (next < l->hashbuf + (l->entries - 1) * l->length)
			next += l->length;
		else
			next = l->hashbuf;
		if (next[l->length - 1] == 0)
			break;
	} while (entries-- > 1);
	INSIST(entries != 0);
	return (next);
}

/* True when an entry comparing equal to 'hash' (hash + flag byte) is in
 * the sorted list 'l'. */
static isc_boolean_t
hashlist_exists(const hashlist_t *l,
		const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
{
	const void *found;

	found = bsearch(hash, l->hashbuf, l->entries, l->length,
			hashlist_comp);
	return (ISC_TF(found != NULL));
}

/*
 * Add a speculative hash for "*.<name>" to 'l' unless that wildcard name
 * actually exists in gdb.  Names too long to take the extra label are
 * silently skipped; any other concatenation failure is fatal.
 */
static void
addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
		  unsigned int hashalg, unsigned int iterations,
		  const unsigned char *salt, size_t salt_length)
{
	dns_fixedname_t fwild;
	dns_name_t *wildname;
	dns_dbnode_t *dbnode = NULL;
	isc_result_t result;

	dns_fixedname_init(&fwild);
	wildname = dns_fixedname_name(&fwild);

	result = dns_name_concatenate(dns_wildcardname, name, wildname, NULL);
	if (result == ISC_R_NOSPACE)
		return;
	check_result(result, "addnowildcardhash: dns_name_concatenate()");

	/* A real wildcard node at this name needs no speculative hash. */
	result = dns_db_findnode(gdb, wildname, ISC_FALSE, &dbnode);
	if (result == ISC_R_SUCCESS) {
		dns_db_detachnode(gdb, &dbnode);
		return;
	}

	if (verbose) {
		char namestr[DNS_NAME_FORMATSIZE];

		dns_name_format(wildname, namestr, sizeof(namestr));
		fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
	}

	hashlist_add_dns_name(l, wildname, hashalg, iterations, salt,
			      salt_length, ISC_TRUE);
}

static void
opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
       dns_db_t **dbp)
{
	char filename[PATH_MAX];
	isc_buffer_t b;
	isc_result_t result;

	isc_buffer_init(&b, filename, sizeof(filename));
	if (dsdir != NULL) {
		/* allow room for a trailing slash */
		if (strlen(dsdir) >= isc_buffer_availablelength(&b))
			fatal("path '%s' is too long", dsdir);
		isc_buffer_putstr(&b, dsdir);
		if (dsdir[strlen(dsdir) - 1] != '/')
			isc_buffer_putstr(&b, "/");
	}
	if (strlen(prefix) > isc_buffer_availablelength(&b))
		fatal("path '%s' is too long", dsdir);
	isc_buffer_putstr(&b, prefix);
	result = dns_name_tofilenametext(name, ISC_FALSE, &b);