dnssec-signzone.c 104 KB
Newer Older
Michael Graff's avatar
Michael Graff committed
1
/*
Tinderbox User's avatar
Tinderbox User committed
2
 * Portions Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
Mark Andrews's avatar
Mark Andrews committed
3
 * Portions Copyright (C) 1999-2003  Internet Software Consortium.
Automatic Updater's avatar
Automatic Updater committed
4 5 6 7 8 9 10 11 12 13 14 15 16
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
17
 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
18
 *
Automatic Updater's avatar
Automatic Updater committed
19
 * Permission to use, copy, modify, and/or distribute this software for any
Michael Graff's avatar
Michael Graff committed
20 21
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
22
 *
Mark Andrews's avatar
Mark Andrews committed
23 24 25 26 27 28 29
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Michael Graff's avatar
Michael Graff committed
30
 */
Brian Wellington's avatar
Brian Wellington committed
31

32
/* $Id: dnssec-signzone.c,v 1.285.32.1 2012/02/07 00:44:12 each Exp $ */
33 34

/*! \file */
David Lawrence's avatar
David Lawrence committed
35

Brian Wellington's avatar
Brian Wellington committed
36 37 38
#include <config.h>

#include <stdlib.h>
39
#include <time.h>
40
#include <unistd.h>
Brian Wellington's avatar
Brian Wellington committed
41

42
#include <isc/app.h>
43
#include <isc/base32.h>
44
#include <isc/commandline.h>
Brian Wellington's avatar
Brian Wellington committed
45
#include <isc/entropy.h>
46
#include <isc/event.h>
47
#include <isc/file.h>
48
#include <isc/hash.h>
49
#include <isc/hex.h>
Brian Wellington's avatar
Brian Wellington committed
50
#include <isc/mem.h>
51 52
#include <isc/mutex.h>
#include <isc/os.h>
53
#include <isc/print.h>
54
#include <isc/random.h>
55
#include <isc/rwlock.h>
56
#include <isc/serial.h>
57
#include <isc/stdio.h>
58
#include <isc/stdlib.h>
59
#include <isc/string.h>
60
#include <isc/task.h>
61
#include <isc/time.h>
62
#include <isc/util.h>
Brian Wellington's avatar
Brian Wellington committed
63 64 65

#include <dns/db.h>
#include <dns/dbiterator.h>
66
#include <dns/diff.h>
67
#include <dns/dnssec.h>
68
#include <dns/ds.h>
69
#include <dns/fixedname.h>
70 71
#include <dns/keyvalues.h>
#include <dns/log.h>
72 73
#include <dns/master.h>
#include <dns/masterdump.h>
74
#include <dns/nsec.h>
75
#include <dns/nsec3.h>
Brian Wellington's avatar
Brian Wellington committed
76
#include <dns/rdata.h>
77
#include <dns/rdatalist.h>
Brian Wellington's avatar
Brian Wellington committed
78
#include <dns/rdataset.h>
79
#include <dns/rdataclass.h>
Brian Wellington's avatar
Brian Wellington committed
80
#include <dns/rdatasetiter.h>
81
#include <dns/rdatastruct.h>
82
#include <dns/rdatatype.h>
Brian Wellington's avatar
Brian Wellington committed
83
#include <dns/result.h>
84
#include <dns/soa.h>
85
#include <dns/time.h>
Brian Wellington's avatar
Brian Wellington committed
86

87
#include <dst/dst.h>
Brian Wellington's avatar
Brian Wellington committed
88

89 90
#include "dnssectool.h"

Evan Hunt's avatar
Evan Hunt committed
91 92 93 94
#ifndef PATH_MAX
#define PATH_MAX 1024   /* AIX, WIN32, and others don't define this. */
#endif

David Lawrence's avatar
David Lawrence committed
95
const char *program = "dnssec-signzone";
96
int verbose;
97

98 99 100 101 102 103 104
typedef struct hashlist hashlist_t;

static int nsec_datatype = dns_rdatatype_nsec;

#define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)

105 106
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)

107
#define BUFSIZE 2048
108
#define MAXDSKEYS 8
Brian Wellington's avatar
Brian Wellington committed
109

110 111 112 113
#define SIGNER_EVENTCLASS	ISC_EVENTCLASS(0x4453)
#define SIGNER_EVENT_WRITE	(SIGNER_EVENTCLASS + 0)
#define SIGNER_EVENT_WORK	(SIGNER_EVENTCLASS + 1)

114 115 116 117
#define SOA_SERIAL_KEEP		0
#define SOA_SERIAL_INCREMENT	1
#define SOA_SERIAL_UNIXTIME	2

118 119 120 121 122 123 124
typedef struct signer_event sevent_t;
struct signer_event {
	ISC_EVENT_COMMON(sevent_t);
	dns_fixedname_t *fname;
	dns_dbnode_t *node;
};

125
static dns_dnsseckeylist_t keylist;
126
static unsigned int keycount = 0;
127
isc_rwlock_t keylist_lock;
128
static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
129
static int cycle = -1;
130
static int jitter = 0;
131
static isc_boolean_t tryverify = ISC_FALSE;
132
static isc_boolean_t printstats = ISC_FALSE;
Brian Wellington's avatar
Brian Wellington committed
133
static isc_mem_t *mctx = NULL;
Brian Wellington's avatar
Brian Wellington committed
134
static isc_entropy_t *ectx = NULL;
135
static dns_ttl_t zone_soa_min_ttl;
136
static dns_ttl_t soa_ttl;
137
static FILE *fp = NULL;
138
static char *tempfile = NULL;
Danny Mayer's avatar
Danny Mayer committed
139
static const dns_master_style_t *masterstyle;
140 141
static dns_masterformat_t inputformat = dns_masterformat_text;
static dns_masterformat_t outputformat = dns_masterformat_text;
142 143
static isc_uint32_t rawversion = 1, serialnum = 0;
static isc_boolean_t snset = ISC_FALSE;
144 145
static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
static unsigned int nverified = 0, nverifyfailed = 0;
146
static const char *directory = NULL, *dsdir = NULL;
147 148 149 150 151
static isc_mutex_t namelock, statslock;
static isc_taskmgr_t *taskmgr = NULL;
static dns_db_t *gdb;			/* The database */
static dns_dbversion_t *gversion;	/* The database version */
static dns_dbiterator_t *gdbiter;	/* The database iterator */
152
static dns_rdataclass_t gclass;		/* The class */
153
static dns_name_t *gorigin;		/* The database origin */
154
static int nsec3flags = 0;
155
static dns_iterations_t nsec3iter = 10U;
156 157 158
static unsigned char saltbuf[255];
static unsigned char *salt = saltbuf;
static size_t salt_length = 0;
159 160 161
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
162
static isc_boolean_t nokeys = ISC_FALSE;
163
static isc_boolean_t removefile = ISC_FALSE;
164
static isc_boolean_t generateds = ISC_FALSE;
165
static isc_boolean_t ignore_kskflag = ISC_FALSE;
166
static isc_boolean_t keyset_kskonly = ISC_FALSE;
167 168 169
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
170
static unsigned int serialformat = SOA_SERIAL_KEEP;
171 172
static unsigned int hash_length = 0;
static isc_boolean_t unknownalg = ISC_FALSE;
173
static isc_boolean_t disable_zone_check = ISC_FALSE;
174
static isc_boolean_t update_chain = ISC_FALSE;
175 176
static isc_boolean_t set_keyttl = ISC_FALSE;
static dns_ttl_t keyttl;
177
static isc_boolean_t smartsign = ISC_FALSE;
Evan Hunt's avatar
Evan Hunt committed
178 179
static isc_boolean_t remove_orphansigs = ISC_FALSE;
static isc_boolean_t remove_inactkeysigs = ISC_FALSE;
180
static isc_boolean_t output_dnssec_only = ISC_FALSE;
181
static isc_boolean_t output_stdout = ISC_FALSE;
182 183 184 185 186 187 188 189 190 191 192

#define INCSTAT(counter)		\
	if (printstats) {		\
		LOCK(&statslock);	\
		counter++;		\
		UNLOCK(&statslock);	\
	}

static void
sign(isc_task_t *task, isc_event_t *event);

Brian Wellington's avatar
Brian Wellington committed
193 194
static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) {
195 196 197 198
	dns_rdataset_t rds;
	dns_rdatasetiter_t *iter = NULL;
	isc_buffer_t *buffer = NULL;
	isc_region_t r;
Brian Wellington's avatar
Brian Wellington committed
199
	isc_result_t result;
200
	unsigned bufsize = 4096;
Brian Wellington's avatar
Brian Wellington committed
201

202 203
	if (outputformat != dns_masterformat_text)
		return;
204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222

	if (!output_dnssec_only) {
		result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
						     name, masterstyle, fp);
		check_result(result, "dns_master_dumpnodetostream");
		return;
	}

	result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter);
	check_result(result, "dns_db_allrdatasets");

	dns_rdataset_init(&rds);

	result = isc_buffer_allocate(mctx, &buffer, bufsize);
	check_result(result, "isc_buffer_allocate");

	for (result = dns_rdatasetiter_first(iter);
	     result == ISC_R_SUCCESS;
	     result = dns_rdatasetiter_next(iter)) {
Automatic Updater's avatar
Automatic Updater committed
223

224 225 226 227 228 229 230 231 232 233 234
		dns_rdatasetiter_current(iter, &rds);

		if (rds.type != dns_rdatatype_rrsig &&
		    rds.type != dns_rdatatype_nsec &&
		    rds.type != dns_rdatatype_nsec3 &&
		    rds.type != dns_rdatatype_nsec3param &&
		    (!smartsign || rds.type != dns_rdatatype_dnskey)) {
			dns_rdataset_disassociate(&rds);
			continue;
		}

235
		for (;;) {
236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257
			result = dns_master_rdatasettotext(name, &rds,
							   masterstyle, buffer);
			if (result != ISC_R_NOSPACE)
				break;

			bufsize <<= 1;
			isc_buffer_free(&buffer);
			result = isc_buffer_allocate(mctx, &buffer, bufsize);
			check_result(result, "isc_buffer_allocate");
		}
		check_result(result, "dns_master_rdatasettotext");

		isc_buffer_usedregion(buffer, &r);
		result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
		check_result(result, "isc_stdio_write");
		isc_buffer_clear(buffer);

		dns_rdataset_disassociate(&rds);
	}

	isc_buffer_free(&buffer);
	dns_rdatasetiter_destroy(&iter);
Brian Wellington's avatar
Brian Wellington committed
258 259
}

260
/*%
Mark Andrews's avatar
Mark Andrews committed
261
 * Sign the given RRset with given key, and add the signature record to the
262 263
 * given tuple.
 */
264
static void
265 266
signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
	    dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
Brian Wellington's avatar
Brian Wellington committed
267 268
{
	isc_result_t result;
269
	isc_stdtime_t jendtime, expiry;
270
	char keystr[DST_KEY_FORMATSIZE];
271
	dns_rdata_t trdata = DNS_RDATA_INIT;
272 273
	unsigned char array[BUFSIZE];
	isc_buffer_t b;
274 275
	dns_difftuple_t *tuple;

276
	dst_key_format(key, keystr, sizeof(keystr));
277
	vbprintf(1, "\t%s %s\n", logmsg, keystr);
Brian Wellington's avatar
Brian Wellington committed
278

279 280 281 282 283 284
	if (rdataset->type == dns_rdatatype_dnskey)
		expiry = dnskey_endtime;
	else
		expiry = endtime;

	jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
285
	isc_buffer_init(&b, array, sizeof(array));
286
	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
287
				 mctx, &b, &trdata);
288
	isc_entropy_stopcallbacksources(ectx);
289
	if (result != ISC_R_SUCCESS) {
290 291
		char keystr[DST_KEY_FORMATSIZE];
		dst_key_format(key, keystr, sizeof(keystr));
292
		fatal("dnskey '%s' failed to sign data: %s",
293 294
		      keystr, isc_result_totext(result));
	}
295
	INCSTAT(nsigned);
296

297
	if (tryverify) {
298
		result = dns_dnssec_verify(name, rdataset, key,
299
					   ISC_TRUE, mctx, &trdata);
300
		if (result == ISC_R_SUCCESS) {
301
			vbprintf(3, "\tsignature verified\n");
302
			INCSTAT(nverified);
303
		} else {
304
			vbprintf(3, "\tsignature failed to verify\n");
305
			INCSTAT(nverifyfailed);
306
		}
307
	}
308 309

	tuple = NULL;
310 311
	result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN,
				      name, ttl, &trdata, &tuple);
312 313
	check_result(result, "dns_difftuple_create");
	dns_diff_append(add, &tuple);
314
}
Brian Wellington's avatar
Brian Wellington committed
315

316
static inline isc_boolean_t
317 318
issigningkey(dns_dnsseckey_t *key) {
	return (key->force_sign || key->hint_sign);
Brian Wellington's avatar
Brian Wellington committed
319 320
}

321 322 323 324 325 326
static inline isc_boolean_t
ispublishedkey(dns_dnsseckey_t *key) {
	return ((key->force_publish || key->hint_publish) &&
		!key->hint_remove);
}

327
static inline isc_boolean_t
328
iszonekey(dns_dnsseckey_t *key) {
329
	return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) &&
330
		       dst_key_iszonekey(key->key)));
331 332
}

333 334 335 336 337 338 339 340 341 342
static inline isc_boolean_t
isksk(dns_dnsseckey_t *key) {
	return (key->ksk);
}

static inline isc_boolean_t
iszsk(dns_dnsseckey_t *key) {
	return (ignore_kskflag || !key->ksk);
}

343
/*%
344 345 346
 * Find the key that generated an RRSIG, if it is in the key list.  If
 * so, return a pointer to it, otherwise return NULL.
 *
347
 * No locking is performed here, this must be done by the caller.
348
 */
349
static dns_dnsseckey_t *
350
keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
351
	dns_dnsseckey_t *key;
352

353 354 355
	for (key = ISC_LIST_HEAD(keylist);
	     key != NULL;
	     key = ISC_LIST_NEXT(key, link)) {
356 357 358
		if (rrsig->keyid == dst_key_id(key->key) &&
		    rrsig->algorithm == dst_key_alg(key->key) &&
		    dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
359
			return (key);
360
	}
361 362 363 364 365 366 367
	return (NULL);
}

/*%
 * Finds the key that generated a RRSIG, if possible.  First look at the keys
 * that we've loaded already, and then see if there's a key on disk.
 */
368
static dns_dnsseckey_t *
369 370 371
keythatsigned(dns_rdata_rrsig_t *rrsig) {
	isc_result_t result;
	dst_key_t *pubkey = NULL, *privkey = NULL;
372
	dns_dnsseckey_t *key = NULL;
373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392

	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
	key = keythatsigned_unlocked(rrsig);
	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
	if (key != NULL)
		return (key);

	/*
	 * We did not find the key in our list.  Get a write lock now, since
	 * we may be modifying the bits.  We could do the tryupgrade() dance,
	 * but instead just get a write lock and check once again to see if
	 * it is on our list.  It's possible someone else may have added it
	 * after all.
	 */
	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
	key = keythatsigned_unlocked(rrsig);
	if (key != NULL) {
		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
		return (key);
	}
393

394 395
	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
				  rrsig->algorithm, DST_TYPE_PUBLIC,
396
				  directory, mctx, &pubkey);
397 398
	if (result != ISC_R_SUCCESS) {
		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
399
		return (NULL);
400
	}
401

402 403
	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
				  rrsig->algorithm,
404
				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
405
				  directory, mctx, &privkey);
406
	if (result == ISC_R_SUCCESS) {
407
		dst_key_free(&pubkey);
408 409 410
		result = dns_dnsseckey_create(mctx, &privkey, &key);
	} else
		result = dns_dnsseckey_create(mctx, &pubkey, &key);
411

412
	if (result == ISC_R_SUCCESS) {
413
		key->force_publish = ISC_FALSE;
414
		key->force_sign = ISC_FALSE;
415
		key->index = keycount++;
416 417
		ISC_LIST_APPEND(keylist, key, link);
	}
418 419

	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
420
	return (key);
421 422
}

423
/*%
424 425
 * Check to see if we expect to find a key at this name.  If we see a RRSIG
 * and can't find the signing key that we expect to find, we drop the rrsig.
426 427
 * I'm not sure if this is completely correct, but it seems to work.
 */
428
static isc_boolean_t
429
expecttofindkey(dns_name_t *name) {
430
	unsigned int options = DNS_DBFIND_NOWILD;
431
	dns_fixedname_t fname;
432
	isc_result_t result;
433
	char namestr[DNS_NAME_FORMATSIZE];
434

435
	dns_fixedname_init(&fname);
436
	result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
437
			     0, NULL, dns_fixedname_name(&fname), NULL, NULL);
438
	switch (result) {
439 440 441 442 443 444 445 446
	case ISC_R_SUCCESS:
	case DNS_R_NXDOMAIN:
	case DNS_R_NXRRSET:
		return (ISC_TRUE);
	case DNS_R_DELEGATION:
	case DNS_R_CNAME:
	case DNS_R_DNAME:
		return (ISC_FALSE);
447
	}
Andreas Gustafsson's avatar
Andreas Gustafsson committed
448
	dns_name_format(name, namestr, sizeof(namestr));
449
	fatal("failure looking for '%s DNSKEY' in database: %s",
450
	      namestr, isc_result_totext(result));
Evan Hunt's avatar
Evan Hunt committed
451
	/* NOTREACHED */
452
	return (ISC_FALSE); /* removes a warning */
453 454
}

455
static inline isc_boolean_t
456
setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
457
	    dns_rdata_t *rrsig)
458
{
459
	isc_result_t result;
460
	result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig);
461
	if (result == ISC_R_SUCCESS) {
462
		INCSTAT(nverified);
463 464
		return (ISC_TRUE);
	} else {
465
		INCSTAT(nverifyfailed);
466 467
		return (ISC_FALSE);
	}
468 469
}

470
/*%
471
 * Signs a set.  Goes through contortions to decide if each RRSIG should
472 473 474
 * be dropped or retained, and then determines if any new SIGs need to
 * be generated.
 */
475
static void
476
signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
477
	dns_rdataset_t *set)
478
{
479
	dns_rdataset_t sigset;
480
	dns_rdata_t sigrdata = DNS_RDATA_INIT;
481
	dns_rdata_rrsig_t rrsig;
482
	dns_dnsseckey_t *key;
483
	isc_result_t result;
484 485 486
	isc_boolean_t nosigs = ISC_FALSE;
	isc_boolean_t *wassignedby, *nowsignedby;
	int arraysize;
487 488
	dns_difftuple_t *tuple;
	dns_ttl_t ttl;
489
	int i;
490 491 492 493
	char namestr[DNS_NAME_FORMATSIZE];
	char typestr[TYPE_FORMATSIZE];
	char sigstr[SIG_FORMATSIZE];

Andreas Gustafsson's avatar
Andreas Gustafsson committed
494 495
	dns_name_format(name, namestr, sizeof(namestr));
	type_format(set->type, typestr, sizeof(typestr));
496

497
	ttl = ISC_MIN(set->ttl, endtime - starttime);
498

499
	dns_rdataset_init(&sigset);
500
	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
501
				     set->type, 0, &sigset, NULL);
502 503 504 505
	if (result == ISC_R_NOTFOUND) {
		result = ISC_R_SUCCESS;
		nosigs = ISC_TRUE;
	}
506
	if (result != ISC_R_SUCCESS)
507
		fatal("failed while looking for '%s RRSIG %s': %s",
508
		      namestr, typestr, isc_result_totext(result));
509

510
	vbprintf(1, "%s/%s:\n", namestr, typestr);
511

512 513 514
	arraysize = keycount;
	if (!nosigs)
		arraysize += dns_rdataset_count(&sigset);
515 516
	wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
	nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
517 518 519 520 521 522
	if (wassignedby == NULL || nowsignedby == NULL)
		fatal("out of memory");

	for (i = 0; i < arraysize; i++)
		wassignedby[i] = nowsignedby[i] = ISC_FALSE;

Brian Wellington's avatar
Brian Wellington committed
523 524 525
	if (nosigs)
		result = ISC_R_NOMORE;
	else
526
		result = dns_rdataset_first(&sigset);
527

Brian Wellington's avatar
Brian Wellington committed
528 529 530
	while (result == ISC_R_SUCCESS) {
		isc_boolean_t expired, future;
		isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
531

Brian Wellington's avatar
Brian Wellington committed
532
		dns_rdataset_current(&sigset, &sigrdata);
533

534
		result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
Brian Wellington's avatar
Brian Wellington committed
535
		check_result(result, "dns_rdata_tostruct");
536

537
		future = isc_serial_lt(now, rrsig.timesigned);
538

539 540
		key = keythatsigned(&rrsig);
		sig_format(&rrsig, sigstr, sizeof(sigstr));
541
		if (key != NULL && issigningkey(key))
542
			expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
543
		else
544
			expired = isc_serial_gt(now, rrsig.timeexpire);
Brian Wellington's avatar
Brian Wellington committed
545

546 547 548
		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
			/* rrsig is dropped and not replaced */
			vbprintf(2, "\trrsig by %s dropped - "
Brian Wellington's avatar
Brian Wellington committed
549
				 "invalid validity period\n",
550
				 sigstr);
Brian Wellington's avatar
Brian Wellington committed
551
		} else if (key == NULL && !future &&
Francis Dupont's avatar
Francis Dupont committed
552
			   expecttofindkey(&rrsig.signer)) {
553 554 555
			/* rrsig is dropped and not replaced */
			vbprintf(2, "\trrsig by %s dropped - "
				 "private dnskey not found\n",
556
				 sigstr);
Brian Wellington's avatar
Brian Wellington committed
557
		} else if (key == NULL || future) {
Evan Hunt's avatar
Evan Hunt committed
558
			keep = (!expired && !remove_orphansigs);
559
			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
560
				 keep ? "retained" : "dropped", sigstr);
Evan Hunt's avatar
Evan Hunt committed
561 562 563 564 565
		} else if (!dns_dnssec_keyactive(key->key, now) &&
			   remove_inactkeysigs) {
			keep = ISC_FALSE;
			vbprintf(2, "\trrsig by %s dropped - key inactive\n",
				 sigstr);
Brian Wellington's avatar
Brian Wellington committed
566
		} else if (issigningkey(key)) {
567 568
			wassignedby[key->index] = ISC_TRUE;

569 570
			if (!expired && rrsig.originalttl == set->ttl &&
			    setverifies(name, set, key->key, &sigrdata)) {
571
				vbprintf(2, "\trrsig by %s retained\n", sigstr);
572
				keep = ISC_TRUE;
573
			} else {
574
				vbprintf(2, "\trrsig by %s dropped - %s\n",
575 576 577
					 sigstr, expired ? "expired" :
					 rrsig.originalttl != set->ttl ?
					 "ttl change" : "failed to verify");
Brian Wellington's avatar
Brian Wellington committed
578
				resign = ISC_TRUE;
579
			}
Evan Hunt's avatar
Evan Hunt committed
580
		} else if (!ispublishedkey(key) && remove_orphansigs) {
581 582
			vbprintf(2, "\trrsig by %s dropped - dnskey removed\n",
				 sigstr);
583
		} else if (iszonekey(key)) {
584 585
			wassignedby[key->index] = ISC_TRUE;

586 587
			if (!expired && rrsig.originalttl == set->ttl &&
			    setverifies(name, set, key->key, &sigrdata)) {
588
				vbprintf(2, "\trrsig by %s retained\n", sigstr);
Brian Wellington's avatar
Brian Wellington committed
589 590
				keep = ISC_TRUE;
			} else {
591
				vbprintf(2, "\trrsig by %s dropped - %s\n",
592 593 594
					 sigstr, expired ? "expired" :
					 rrsig.originalttl != set->ttl ?
					 "ttl change" : "failed to verify");
595
			}
Brian Wellington's avatar
Brian Wellington committed
596
		} else if (!expired) {
597
			vbprintf(2, "\trrsig by %s retained\n", sigstr);
Brian Wellington's avatar
Brian Wellington committed
598 599
			keep = ISC_TRUE;
		} else {
600
			vbprintf(2, "\trrsig by %s expired\n", sigstr);
Brian Wellington's avatar
Brian Wellington committed
601
		}
602

603
		if (keep) {
604 605
			if (key != NULL)
				nowsignedby[key->index] = ISC_TRUE;
606
			INCSTAT(nretained);
607 608 609 610
			if (sigset.ttl != ttl) {
				vbprintf(2, "\tfixing ttl %s\n", sigstr);
				tuple = NULL;
				result = dns_difftuple_create(mctx,
611 612 613
						      DNS_DIFFOP_DELRESIGN,
						      name, sigset.ttl,
						      &sigrdata, &tuple);
614 615 616
				check_result(result, "dns_difftuple_create");
				dns_diff_append(del, &tuple);
				result = dns_difftuple_create(mctx,
617 618 619
						      DNS_DIFFOP_ADDRESIGN,
						      name, ttl,
						      &sigrdata, &tuple);
620 621 622
				check_result(result, "dns_difftuple_create");
				dns_diff_append(add, &tuple);
			}
623
		} else {
Brian Wellington's avatar
Brian Wellington committed
624
			tuple = NULL;
625
			vbprintf(2, "removing signature by %s\n", sigstr);
626 627
			result = dns_difftuple_create(mctx,
						      DNS_DIFFOP_DELRESIGN,
628 629
						      name, sigset.ttl,
						      &sigrdata, &tuple);
Brian Wellington's avatar
Brian Wellington committed
630
			check_result(result, "dns_difftuple_create");
631
			dns_diff_append(del, &tuple);
632
			INCSTAT(ndropped);
Brian Wellington's avatar
Brian Wellington committed
633 634 635
		}

		if (resign) {
636 637
			INSIST(!keep);

638 639
			signwithkey(name, set, key->key, ttl, add,
				    "resigning with dnskey");
640
			nowsignedby[key->index] = ISC_TRUE;
641
		}
Brian Wellington's avatar
Brian Wellington committed
642

643
		dns_rdata_reset(&sigrdata);
644
		dns_rdata_freestruct(&rrsig);
Brian Wellington's avatar
Brian Wellington committed
645
		result = dns_rdataset_next(&sigset);
Brian Wellington's avatar
Brian Wellington committed
646
	}
Brian Wellington's avatar
Brian Wellington committed
647 648 649 650 651 652
	if (result == ISC_R_NOMORE)
		result = ISC_R_SUCCESS;

	check_result(result, "dns_rdataset_first/next");
	if (dns_rdataset_isassociated(&sigset))
		dns_rdataset_disassociate(&sigset);
653

Brian Wellington's avatar
Brian Wellington committed
654 655 656 657
	for (key = ISC_LIST_HEAD(keylist);
	     key != NULL;
	     key = ISC_LIST_NEXT(key, link))
	{
658
		if (nowsignedby[key->index])
659 660
			continue;

661
		if (!issigningkey(key))
Brian Wellington's avatar
Brian Wellington committed
662 663
			continue;

664 665
		if (set->type == dns_rdatatype_dnskey &&
		     dns_name_equal(name, gorigin)) {
Evan Hunt's avatar
Evan Hunt committed
666
			isc_boolean_t have_ksk;
667 668
			dns_dnsseckey_t *tmpkey;

Automatic Updater's avatar
Automatic Updater committed
669
			have_ksk = isksk(key);
670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685
			for (tmpkey = ISC_LIST_HEAD(keylist);
			     tmpkey != NULL;
			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
				if (dst_key_alg(key->key) !=
				    dst_key_alg(tmpkey->key))
					continue;
				if (REVOKE(tmpkey->key))
					continue;
				if (isksk(tmpkey))
					have_ksk = ISC_TRUE;
			}
			if (isksk(key) || !have_ksk ||
			    (iszsk(key) && !keyset_kskonly))
				signwithkey(name, set, key->key, ttl, add,
					    "signing with dnskey");
		} else if (iszsk(key)) {
686 687
			signwithkey(name, set, key->key, ttl, add,
				    "signing with dnskey");
688
		}
689
	}
690 691 692

	isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
693 694
}

695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727
struct hashlist {
	unsigned char *hashbuf;
	size_t entries;
	size_t size;
	size_t length;
};

static void
hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {

	l->entries = 0;
	l->length = length + 1;

	if (nodes != 0) {
		l->size = nodes;
		l->hashbuf = malloc(l->size * l->length);
		if (l->hashbuf == NULL)
			l->size = 0;
	} else {
		l->size = 0;
		l->hashbuf = NULL;
	}
}

static void
hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
{

	REQUIRE(len <= l->length);

	if (l->entries == l->size) {
		l->size = l->size * 2 + 100;
		l->hashbuf = realloc(l->hashbuf, l->size * l->length);
728 729
		if (l->hashbuf == NULL)
			fatal("unable to grow hashlist: out of memory");
730 731
	}
	memset(l->hashbuf + l->entries * l->length, 0, l->length);
732
	memmove(l->hashbuf + l->entries * l->length, hash, len);
733 734 735 736 737 738 739 740 741 742 743 744 745 746
	l->entries++;
}

static void
hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
		      unsigned int hashalg, unsigned int iterations,
		      const unsigned char *salt, size_t salt_length,
		      isc_boolean_t speculative)
{
	char nametext[DNS_NAME_FORMATSIZE];
	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
	unsigned int len;
	size_t i;

747 748
	len = isc_iterated_hash(hash, hashalg, iterations,
				salt, (int)salt_length,
749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778
				name->ndata, name->length);
	if (verbose) {
		dns_name_format(name, nametext, sizeof nametext);
		for (i = 0 ; i < len; i++)
			fprintf(stderr, "%02x", hash[i]);
		fprintf(stderr, " %s\n", nametext);
	}
	hash[len++] = speculative ? 1 : 0;
	hashlist_add(l, hash, len);
}

static int
hashlist_comp(const void *a, const void *b) {
	return (memcmp(a, b, hash_length + 1));
}

static void
hashlist_sort(hashlist_t *l) {
	qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
}

static isc_boolean_t
hashlist_hasdup(hashlist_t *l) {
	unsigned char *current;
	unsigned char *next = l->hashbuf;
	size_t entries = l->entries;

	/*
	 * Skip initial speculative wild card hashs.
	 */
Mark Andrews's avatar
Mark Andrews committed
779
	while (entries > 0U && next[l->length-1] != 0U) {
780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799
		next += l->length;
		entries--;
	}

	current = next;
	while (entries-- > 1U) {
		next += l->length;
		if (next[l->length-1] != 0)
			continue;
		if (memcmp(current, next, l->length - 1) == 0)
			return (ISC_TRUE);
		current = next;
	}
	return (ISC_FALSE);
}

static const unsigned char *
hashlist_findnext(const hashlist_t *l,
		  const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
{
800
	size_t entries = l->entries;
801 802 803 804 805 806 807 808 809 810 811
	const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
					    l->length, hashlist_comp);
	INSIST(next != NULL);

	do {
		if (next < l->hashbuf + (l->entries - 1) * l->length)
			next += l->length;
		else
			next = l->hashbuf;
		if (next[l->length - 1] == 0)
			break;
Mark Andrews's avatar
Mark Andrews committed
812 813
	} while (entries-- > 1U);
	INSIST(entries != 0U);
814 815 816 817 818 819 820 821 822 823 824 825 826 827