Commit
0b09763c
authored
Jun 17, 2002
by
Mark Andrews
1328. [func] DS (delegation signer) support.
parent
6a3c86ff
Showing
24 changed files
with
1613 additions
and
961 deletions
+1613
-961
CHANGES
CHANGES
+2
-0
bin/dnssec/Makefile.in
bin/dnssec/Makefile.in
+5
-22
bin/dnssec/dnssec-signzone.c
bin/dnssec/dnssec-signzone.c
+304
-289
bin/named/query.c
bin/named/query.c
+79
-153
bin/tests/system/conf.sh.in
bin/tests/system/conf.sh.in
+1
-3
bin/tests/system/dnssec/ns1/sign.sh
bin/tests/system/dnssec/ns1/sign.sh
+2
-8
bin/tests/system/dnssec/ns2/sign.sh
bin/tests/system/dnssec/ns2/sign.sh
+6
-14
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/ns3/sign.sh
+1
-9
bin/tests/system/dnssec/tests.sh
bin/tests/system/dnssec/tests.sh
+10
-2
lib/dns/Makefile.in
lib/dns/Makefile.in
+3
-3
lib/dns/ds.c
lib/dns/ds.c
+80
-0
lib/dns/include/dns/Makefile.in
lib/dns/include/dns/Makefile.in
+2
-2
lib/dns/include/dns/ds.h
lib/dns/include/dns/ds.h
+56
-0
lib/dns/include/dns/rdata.h
lib/dns/include/dns/rdata.h
+14
-1
lib/dns/include/dns/result.h
lib/dns/include/dns/result.h
+3
-2
lib/dns/include/dns/validator.h
lib/dns/include/dns/validator.h
+6
-3
lib/dns/rbtdb.c
lib/dns/rbtdb.c
+3
-2
lib/dns/rdata.c
lib/dns/rdata.c
+8
-1
lib/dns/rdata/generic/ds_43.c
lib/dns/rdata/generic/ds_43.c
+257
-0
lib/dns/rdata/generic/ds_43.h
lib/dns/rdata/generic/ds_43.h
+34
-0
lib/dns/resolver.c
lib/dns/resolver.c
+53
-9
lib/dns/result.c
lib/dns/result.c
+3
-2
lib/dns/validator.c
lib/dns/validator.c
+680
-435
version
version
+1
-1
CHANGES
1328. [func] DS (delegation signer) support.
1327. [bug] nsupdate: allow white space base64 key data.
1326. [bug] Badly encoded LOC record when the size, horizontal
...
...
bin/dnssec/Makefile.in
...
...
@@ -13,7 +13,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.2
1
200
1/11/06 20
:0
5
:0
0 bwelling
Exp $
# $Id: Makefile.in,v 1.2
2
200
2/06/17 04
:0
1
:0
3 marka
Exp $
srcdir
=
@srcdir@
VPATH
=
@srcdir@
...
...
@@ -39,26 +39,15 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS
=
${DNSLIBS}
${ISCLIBS}
@LIBS@
# Alphabetically
TARGETS
=
dnssec-keygen
\
dnssec-makekeyset
\
dnssec-signkey
\
dnssec-signzone
TARGETS
=
dnssec-keygen dnssec-signzone
OBJS
=
dnssectool.@O@
SRCS
=
dnssec-keygen.c dnssec-makekeyset.c
\
dnssec-signkey.c dnssec-signzone.c
\
dnssectool.c
SRCS
=
dnssec-keygen.c dnssec-signzone.c dnssectool.c
MANPAGES
=
dnssec-keygen.8
\
dnssec-makekeyset.8
\
dnssec-signkey.8
\
dnssec-signzone.8
MANPAGES
=
dnssec-keygen.8 dnssec-signzone.8
HTMLPAGES
=
dnssec-keygen.html
\
dnssec-makekeyset.html
\
dnssec-signkey.html
\
dnssec-signzone.html
HTMLPAGES
=
dnssec-keygen.html dnssec-signzone.html
MANOBJS
=
${MANPAGES}
${HTMLPAGES}
...
...
@@ -67,12 +56,6 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
dnssec-keygen
:
dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL}
${PURIFY}
${CC}
${CFLAGS}
-o
$@
dnssec-keygen.@O@
${OBJS}
${LIBS}
dnssec-makekeyset
:
dnssec-makekeyset.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL}
${PURIFY}
${CC}
${CFLAGS}
-o
$@
dnssec-makekeyset.@O@
${OBJS}
${LIBS}
dnssec-signkey
:
dnssec-signkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL}
${PURIFY}
${CC}
${CFLAGS}
-o
$@
dnssec-signkey.@O@
${OBJS}
${LIBS}
dnssec-signzone.@O@
:
dnssec-signzone.c
${LIBTOOL}
${PURIFY}
${CC}
${ALL_CFLAGS}
-DVERSION
=
\"
${VERSION}
\"
-c
$<
...
...
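Review bot: The dnssec-makekeyset and dnssec-signkey entries dropped from TARGETS, SRCS, MANPAGES and HTMLPAGES have no matching file deletions in this commit's 24-file list, so their sources and manual pages appear to stay in bin/dnssec unbuilt and uninstalled unless they are removed in a separate change. If the tools are retired by the DS work, dnssec-makekeyset.c, dnssec-signkey.c and their .8/.html pages should go in the same commit, or CHANGES should say they are deprecated and why; the removed `dnssec-signkey` and `dnssec-makekeyset` link rules later in this file make the intent look like retirement rather than a temporary build exclusion, but that is inferred.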
bin/dnssec/dnssec-signzone.c
bin/named/query.c
...
...
@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.2
19
2002/0
3/28
04:0
3:50
marka Exp $ */
/* $Id: query.c,v 1.2
20
2002/0
6/17
04:0
1:08
marka Exp $ */
#include <config.h>
...
...
@@ -2045,6 +2045,70 @@ query_addbestns(ns_client_t *client) {
}
}
static
void
query_addds
(
ns_client_t
*
client
,
dns_db_t
*
db
,
dns_dbnode_t
*
node
)
{
dns_name_t
*
rname
;
dns_rdataset_t
*
rdataset
,
*
sigrdataset
;
isc_result_t
result
;
CTRACE
(
"query_addds"
);
rname
=
NULL
;
rdataset
=
NULL
;
sigrdataset
=
NULL
;
/*
* We'll need some resources...
*/
rdataset
=
query_newrdataset
(
client
);
sigrdataset
=
query_newrdataset
(
client
);
if
(
rdataset
==
NULL
||
sigrdataset
==
NULL
)
return
;
/*
* Look for the DS record, which may or may not be present.
*/
result
=
dns_db_findrdataset
(
db
,
node
,
NULL
,
dns_rdatatype_ds
,
0
,
client
->
now
,
rdataset
,
sigrdataset
);
/*
* If we didn't find it, look for an NXT. */
if
(
result
==
ISC_R_NOTFOUND
)
result
=
dns_db_findrdataset
(
db
,
node
,
NULL
,
dns_rdatatype_nxt
,
0
,
client
->
now
,
rdataset
,
sigrdataset
);
if
(
result
!=
ISC_R_SUCCESS
&&
result
!=
ISC_R_NOTFOUND
)
goto
cleanup
;
if
(
!
dns_rdataset_isassociated
(
rdataset
)
||
!
dns_rdataset_isassociated
(
sigrdataset
))
goto
cleanup
;
/*
* We've already added the NS record, so if the name's not there,
* we have other problems. Use this name rather than calling
* query_addrrset().
*/
result
=
dns_message_firstname
(
client
->
message
,
DNS_SECTION_AUTHORITY
);
if
(
result
!=
ISC_R_SUCCESS
)
goto
cleanup
;
rname
=
NULL
;
dns_message_currentname
(
client
->
message
,
DNS_SECTION_AUTHORITY
,
&
rname
);
result
=
dns_message_findtype
(
rname
,
dns_rdatatype_ns
,
0
,
NULL
);
if
(
result
!=
ISC_R_SUCCESS
)
goto
cleanup
;
ISC_LIST_APPEND
(
rname
->
list
,
rdataset
,
link
);
ISC_LIST_APPEND
(
rname
->
list
,
sigrdataset
,
link
);
rdataset
=
NULL
;
sigrdataset
=
NULL
;
cleanup:
if
(
rdataset
!=
NULL
)
query_putrdataset
(
client
,
&
rdataset
);
if
(
sigrdataset
!=
NULL
)
query_putrdataset
(
client
,
&
sigrdataset
);
}
static
void
query_resume
(
isc_task_t
*
task
,
isc_event_t
*
event
)
{
dns_fetchevent_t
*
devent
=
(
dns_fetchevent_t
*
)
event
;
...
...
@@ -2206,98 +2270,6 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
return
(
result
);
}
static
inline
isc_result_t
query_findparentkey
(
ns_client_t
*
client
,
dns_name_t
*
name
,
dns_zone_t
**
zonep
,
dns_db_t
**
dbp
,
dns_dbversion_t
**
versionp
,
dns_dbnode_t
**
nodep
,
dns_rdataset_t
*
rdataset
,
dns_rdataset_t
*
sigrdataset
)
{
dns_db_t
*
pdb
;
dns_dbnode_t
*
pnode
;
dns_dbversion_t
*
pversion
;
dns_rdataset_t
prdataset
,
psigrdataset
;
dns_rdataset_t
*
psigrdatasetp
;
isc_result_t
result
;
dns_zone_t
*
pzone
;
isc_boolean_t
is_zone
;
dns_fixedname_t
pfoundname
;
/*
* 'name' is at a zone cut. Try to find a KEY for 'name' in
* the deepest ancestor zone of 'name' (if any). If it exists,
* update *zonep, *dbp, *nodep, rdataset, and sigrdataset and
* return ISC_R_SUCCESS. If not, leave them alone and return a
* non-success status.
*/
pzone
=
NULL
;
pdb
=
NULL
;
pnode
=
NULL
;
pversion
=
NULL
;
dns_rdataset_init
(
&
prdataset
);
if
(
sigrdataset
!=
NULL
)
dns_rdataset_init
(
&
psigrdataset
);
is_zone
=
ISC_FALSE
;
dns_fixedname_init
(
&
pfoundname
);
result
=
query_getdb
(
client
,
name
,
DNS_GETDB_NOEXACT
,
&
pzone
,
&
pdb
,
&
pversion
,
&
is_zone
);
if
(
result
!=
ISC_R_SUCCESS
)
goto
cleanup
;
if
(
!
is_zone
)
{
result
=
ISC_R_FAILURE
;
goto
cleanup
;
}
if
(
sigrdataset
!=
NULL
)
psigrdatasetp
=
&
psigrdataset
;
else
psigrdatasetp
=
NULL
;
result
=
dns_db_find
(
pdb
,
name
,
pversion
,
dns_rdatatype_key
,
client
->
query
.
dboptions
,
client
->
now
,
&
pnode
,
dns_fixedname_name
(
&
pfoundname
),
&
prdataset
,
psigrdatasetp
);
if
(
result
==
ISC_R_SUCCESS
)
{
if
(
dns_rdataset_isassociated
(
rdataset
))
dns_rdataset_disassociate
(
rdataset
);
dns_rdataset_clone
(
&
prdataset
,
rdataset
);
if
(
sigrdataset
!=
NULL
)
{
if
(
dns_rdataset_isassociated
(
sigrdataset
))
dns_rdataset_disassociate
(
sigrdataset
);
if
(
dns_rdataset_isassociated
(
&
psigrdataset
))
dns_rdataset_clone
(
&
psigrdataset
,
sigrdataset
);
}
if
(
*
nodep
!=
NULL
)
dns_db_detachnode
(
*
dbp
,
nodep
);
*
nodep
=
pnode
;
pnode
=
NULL
;
*
versionp
=
pversion
;
if
(
*
dbp
!=
NULL
)
dns_db_detach
(
dbp
);
*
dbp
=
pdb
;
pdb
=
NULL
;
if
(
*
zonep
!=
NULL
)
dns_zone_detach
(
zonep
);
*
zonep
=
pzone
;
pzone
=
NULL
;
}
cleanup:
if
(
dns_rdataset_isassociated
(
&
prdataset
))
dns_rdataset_disassociate
(
&
prdataset
);
if
(
sigrdataset
!=
NULL
&&
dns_rdataset_isassociated
(
&
psigrdataset
))
dns_rdataset_disassociate
(
&
psigrdataset
);
if
(
pnode
!=
NULL
)
dns_db_detachnode
(
pdb
,
&
pnode
);
if
(
pdb
!=
NULL
)
dns_db_detach
(
&
pdb
);
if
(
pzone
!=
NULL
)
dns_zone_detach
(
&
pzone
);
return
(
result
);
}
#define MAX_RESTARTS 16
#define QUERY_ERROR(r) \
...
...
@@ -2419,6 +2391,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_zone_t
*
zone
;
dns_rdata_cname_t
cname
;
dns_rdata_dname_t
dname
;
unsigned
int
options
;
CTRACE
(
"query_find"
);
...
...
@@ -2508,7 +2481,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* First we must find the right database.
*/
result
=
query_getdb
(
client
,
client
->
query
.
qname
,
0
,
&
zone
,
&
db
,
options
=
0
;
if
(
dns_rdatatype_atparent
(
qtype
)
&&
!
dns_name_equal
(
client
->
query
.
qname
,
dns_rootname
))
options
|=
DNS_GETDB_NOEXACT
;
result
=
query_getdb
(
client
,
client
->
query
.
qname
,
options
,
&
zone
,
&
db
,
&
version
,
&
is_zone
);
if
(
result
!=
ISC_R_SUCCESS
)
{
if
(
result
==
DNS_R_REFUSED
)
...
...
@@ -2560,63 +2537,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client
->
query
.
dboptions
,
client
->
now
,
&
node
,
fname
,
rdataset
,
sigrdataset
);
/*
* We interrupt our normal query processing to bring you this special
* case...
*
* RFC 2535 (DNSSEC), section 2.3.4, discusses various special
* cases that can occur at delegation points.
*
* One of these cases is that the NULL KEY for an unsecure zone
* may occur in the delegating zone instead of in the delegated zone.
* If we're authoritative for both zones, we need to look for the
* key in the delegator if we didn't find it in the delegatee. If
* we didn't do this, a client doing DNSSEC validation could fail
* because it couldn't get the NULL KEY.
*/
if
(
type
==
dns_rdatatype_key
&&
is_zone
&&
result
==
DNS_R_NXRRSET
&&
!
dns_db_issecure
(
db
)
&&
dns_name_equal
(
client
->
query
.
qname
,
dns_db_origin
(
db
)))
{
/*
* We're looking for a KEY at the top of an unsecure zone,
* and we didn't find it.
*/
result
=
query_findparentkey
(
client
,
client
->
query
.
qname
,
&
zone
,
&
db
,
&
version
,
&
node
,
rdataset
,
sigrdataset
);
if
(
result
==
ISC_R_SUCCESS
)
{
/*
* We found the parent KEY.
*
* zone, db, version, node, rdataset, and sigrdataset
* have all been updated to refer to the parent's
* data. We will resume query processing as if
* we had looked for the KEY in the parent zone in
* the first place.
*
* We need to set fname correctly. We do this here
* instead of in query_findparentkey() because
* dns_name_copy() can fail (though it shouldn't
* ever do so since we should have enough space).
*/
result
=
dns_name_copy
(
client
->
query
.
qname
,
fname
,
NULL
);
if
(
result
!=
ISC_R_SUCCESS
)
{
QUERY_ERROR
(
DNS_R_SERVFAIL
);
goto
cleanup
;
}
}
else
{
/*
* We couldn't find the KEY in a parent zone.
* Continue with processing of the original
* results of dns_db_find().
*/
result
=
DNS_R_NXRRSET
;
}
}
resume:
CTRACE
(
"query_find: resume"
);
switch
(
result
)
{
...
...
@@ -2730,6 +2650,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
&
rdataset
,
sigrdatasetp
,
dbuf
,
DNS_SECTION_AUTHORITY
);
client
->
query
.
gluedb
=
NULL
;
if
(
WANTDNSSEC
(
client
)
&&
dns_db_issecure
(
db
))
query_addds
(
client
,
db
,
node
);
}
else
{
/*
* We might have a better answer or delegation
...
...
@@ -2789,6 +2711,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Recurse!
*/
/* XXXBEW look at this? */
if
(
type
==
dns_rdatatype_key
)
result
=
query_recurse
(
client
,
qtype
,
NULL
,
NULL
);
...
...
@@ -2826,6 +2749,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client
->
query
.
gluedb
=
NULL
;
client
->
query
.
attributes
&=
~
NS_QUERYATTR_CACHEGLUEOK
;
if
(
WANTDNSSEC
(
client
)
&&
!
dns_rdataset_isassociated
(
sigrdataset
))
query_addds
(
client
,
db
,
node
);
}
}
goto
cleanup
;
...
...
@@ -2857,8 +2783,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Add NXT record if we found one.
*/
if
(
dns_rdataset_isassociated
(
rdatase
t
))
{
if
(
WANTDNSSEC
(
clien
t
))
if
(
WANTDNSSEC
(
clien
t
))
{
if
(
dns_rdataset_isassociated
(
rdatase
t
))
query_addrrset
(
client
,
&
fname
,
&
rdataset
,
&
sigrdataset
,
NULL
,
DNS_SECTION_AUTHORITY
);
...
...
bin/tests/system/conf.sh.in
...
...
@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: conf.sh.in,v 1.2
3
200
1
/0
8/01 19:00:58 gson
Exp $
# $Id: conf.sh.in,v 1.2
4
200
2
/0
6/17 04:01:10 marka
Exp $
#
# Common configuration data for system tests, to be sourced into
...
...
@@ -37,8 +37,6 @@ RNDC=$TOP/bin/rndc/rndc
NSUPDATE
=
$TOP
/bin/nsupdate/nsupdate
KEYGEN
=
$TOP
/bin/dnssec/dnssec-keygen
SIGNER
=
$TOP
/bin/dnssec/dnssec-signzone
KEYSIGNER
=
$TOP
/bin/dnssec/dnssec-signkey
KEYSETTOOL
=
$TOP
/bin/dnssec/dnssec-makekeyset
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
...
...
bin/tests/system/dnssec/ns1/sign.sh
...
...
@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.1
3
200
1
/0
9
/17
17:42:04 bwelling
Exp $
# $Id: sign.sh,v 1.1
4
200
2
/0
6
/17
04:01:12 marka
Exp $
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -26,17 +26,11 @@ zone=.
infile
=
root.db.in
zonefile
=
root.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSA
-b
768
-n
zone
$zone
`
(
cd
../ns2
&&
sh sign.sh
)
cp
../ns2/keyset-example.
.
$KEYSIGNER
-r
$RANDFILE
keyset-example.
$keyname
>
/dev/null
cat
signedkey-example.
>>
../ns2/example.db.signed
$KEYSETTOOL
-r
$RANDFILE
-t
3600
$keyname
>
/dev/null
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSA
-b
768
-n
zone
$zone
`
cat
$infile
$keyname
.key
>
$zonefile
...
...
bin/tests/system/dnssec/ns2/sign.sh
...
...
@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.
19
2002/0
2/20 03:33:55
marka Exp $
# $Id: sign.sh,v 1.
20
2002/0
6/17 04:01:14
marka Exp $
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -26,29 +26,21 @@ zone=example.
infile
=
example.db.in
zonefile
=
example.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
DSA
-b
768
-n
zone
$zone
`
# Have the child generate a zone key and pass it to us,
# sign it, and pass it back
# Have the child generate a zone key and pass it to us.
(
cd
../ns3
&&
sh sign.sh
)
for
subdomain
in
secure bogus dynamic
do
cp
../ns3/keyset-
$subdomain
.example.
.
$KEYSIGNER
-r
$RANDFILE
keyset-
$subdomain
.example.
$keyname
>
/dev/null
# This will leave two copies of the child's zone key in the signed db file;
# that shouldn't cause any problems.
cat
signedkey-
$subdomain
.example.
>>
../ns3/
$subdomain
.example.db.signed
done
$KEYSETTOOL
-r
$RANDFILE
-t
3600
$keyname
>
/dev/null
keyname1
=
`
$KEYGEN
-r
$RANDFILE
-a
DSA
-b
768
-n
zone
$zone
`
keyname2
=
`
$KEYGEN
-r
$RANDFILE
-a
DSA
-b
768
-n
zone
$zone
`
cat
$infile
$keyname
.key
>
$zonefile
cat
$infile
$keyname
1
.key
$keyname2
.key
>
$zonefile
$SIGNER
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null
$SIGNER
-r
$RANDFILE
-o
$zone
-k
$keyname1
$zonefile
$keyname2
>
/dev/null
# Sign the privately secure file
...
...
bin/tests/system/dnssec/ns3/sign.sh
...
...
@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.1
6
2002/0
2/20 03:33:59
marka Exp $
# $Id: sign.sh,v 1.1
7
2002/0
6/17 04:01:15
marka Exp $
RANDFILE
=
../random.data
...
...
@@ -25,8 +25,6 @@ zonefile=secure.example.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSASHA1
-b
768
-n
zone
$zone
`
$KEYSETTOOL
-r
$RANDFILE
-t
3600
$keyname
.key
>
/dev/null
cat
$infile
$keyname
.key
>
$zonefile
$SIGNER
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null
...
...
@@ -37,8 +35,6 @@ zonefile=bogus.example.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSA
-b
768
-n
zone
$zone
`
$KEYSETTOOL
-r
$RANDFILE
-t
3600
$keyname
.key
>
/dev/null
cat
$infile
$keyname
.key
>
$zonefile
$SIGNER
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null
...
...
@@ -49,8 +45,6 @@ zonefile=dynamic.example.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSA
-b
768
-n
zone
$zone
`
$KEYSETTOOL
-r
$RANDFILE
-t
3600
$keyname
.key
>
/dev/null
cat
$infile
$keyname
.key
>
$zonefile
$SIGNER
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null
...
...
@@ -61,8 +55,6 @@ zonefile=keyless.example.db
keyname
=
`
$KEYGEN
-r
$RANDFILE
-a
RSA
-b
768
-n
zone
$zone
`
$KEYSETTOOL
-r
$RANDFILE
-t
3600
$keyname
.key
>
/dev/null
cat
$infile
$keyname
.key
>
$zonefile
$SIGNER
-r
$RANDFILE
-o
$zone
$zonefile
>
/dev/null
...
...
bin/tests/system/dnssec/tests.sh
...
...
@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.
39
2002/0
2/20 03:33:50
marka Exp $
# $Id: tests.sh,v 1.
40
2002/0
6/17 04:01:11
marka Exp $
SYSTEMTESTTOP
=
..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -25,7 +25,7 @@ n=0
rm
-f
dig.out.
*
DIGOPTS
=
"+tcp +noadd +nosea +nostat
+noquest
+nocmd +dnssec -p 5300"
DIGOPTS
=
"+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
# Check the example. domain
...
...
@@ -113,6 +113,14 @@ n=`expr $n + 1`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that insecurity proofs fail with a misconfigured trusted key (
$n
)"
ret
=
0
$DIG
$DIGOPTS
a.insecure.example. a @10.53.0.5
>
dig.out.ns5.test
$n
||
ret
=
1
grep
"SERVFAIL"
dig.out.ns5.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:checking that validation fails when key record is missing (
$n
)"
ret
=
0
$DIG
$DIGOPTS
a.b.keyless.example. a @10.53.0.4
>
dig.out.ns4.test
$n
||
ret
=
1
...
...
lib/dns/Makefile.in
...
...
@@ -13,7 +13,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.1
29
2002/0
3/07 06:29:36
marka Exp $
# $Id: Makefile.in,v 1.1
30
2002/0
6/17 04:01:17
marka Exp $
srcdir
=
@srcdir@
VPATH
=
@srcdir@
...
...
@@ -46,7 +46,7 @@ DSTOBJS = sec/dst/dst_api.@O@ \
OBJS
=
a6.@O@ acl.@O@ adb.@O@ byaddr.@O@
\
cache.@O@ callbacks.@O@ compress.@O@
\
db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@
\
dnssec.@O@ forward.@O@ journal.@O@ keytable.@O@
\
dnssec.@O@
ds.@O@
forward.@O@ journal.@O@ keytable.@O@
\
lib.@O@ log.@O@ lookup.@O@
\
master.@O@ masterdump.@O@ message.@O@
\
name.@O@ ncache.@O@ nxt.@O@ order.@O@ peer.@O@
\
...
...
@@ -62,7 +62,7 @@ OBJS = a6.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
SRCS
=
a6.c acl.c adb.c byaddr.c
\
cache.c callbacks.c compress.c
\
db.c dbiterator.c dbtable.c diff.c dispatch.c
\
dnssec.c forward.c journal.c keytable.c
\
dnssec.c
ds.c
forward.c journal.c keytable.c
\
lib.c log.c lookup.c
\
master.c masterdump.c message.c
\
name.c ncache.c nxt.c order.c peer.c
\
...
...
lib/dns/ds.c
0 → 100644
/*
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ds.c,v 1.2 2002/06/17 04:01:18 marka Exp $ */
#include <config.h>
#include <string.h>
#include <isc/buffer.h>
#include <isc/region.h>
#include <isc/sha1.h>
#include <isc/util.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdatastruct.h>
#include <dns/result.h>
#include <dst/dst.h>
isc_result_t
dns_ds_buildrdata
(
dns_name_t
*
owner
,
dns_rdata_t
*
key
,
unsigned
int
digest_type
,
unsigned
char
*
buffer
,
dns_rdata_t
*
rdata
)
{
isc_sha1_t
sha1
;
dns_fixedname_t
fname
;
dns_name_t
*
name
;
unsigned
char
digest
[
ISC_SHA1_DIGESTLENGTH
];
isc_region_t
r
;
isc_buffer_t
b
;
dns_rdata_ds_t
ds
;
if
(
digest_type
!=
DNS_DSDIGEST_SHA1
)
return
(
ISC_R_NOTIMPLEMENTED
);
dns_fixedname_init
(
&
fname
);
name
=
dns_fixedname_name
(
&
fname
);
(
void
)
dns_name_downcase
(
owner
,
name
,
NULL
);
memset
(
buffer
,
0
,
DNS_DS_BUFFERSIZE
);
isc_buffer_init
(
&
b
,
buffer
,
DNS_DS_BUFFERSIZE
);
isc_sha1_init
(
&
sha1
);
dns_name_toregion
(
name
,
&
r
);
isc_sha1_update
(
&
sha1
,
r
.
base
,
r
.
length
);
dns_rdata_toregion
(
key
,
&
r
);
INSIST
(
r
.
length
>=
4
);
isc_sha1_update
(
&
sha1
,
r
.
base
,
r
.
length
);
isc_sha1_final
(
&
sha1
,
digest
);
ds
.
mctx
=
NULL
;
ds
.
common
.
rdclass
=
key
->
rdclass
;
ds
.
common
.
rdtype
=
dns_rdatatype_ds
;
ds
.
algorithm
=
r
.
base
[
3
];
ds
.
key_tag
=
dst_region_computeid
(
&
r
,
ds
.
algorithm
);