Commit 2534a73a authored by Mark Andrews's avatar Mark Andrews

2608. [func] Perform post signing verification checks in

                        dnssec-signzone.  These can be disabled with -P.

                        The post sign verification test ensures that for each
                        algorithm in use there is at least one non revoked
                        self signed KSK key.  That all revoked KSK keys are
                        self signed.  That all records in the zone are signed
                        by the algorithm.  [RT #19653]
parent f05a6b11
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
The post sign verification test ensures that for each
algorithm in use there is at least one non revoked
self signed KSK key. That all revoked KSK keys are
self signed. That all records in the zone are signed
by the algorithm. [RT #19653]
2607. [bug] named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
[RT #19749]
......
This diff is collapsed.
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.31 2008/10/14 14:28:25 jreed Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.32 2009/06/04 02:13:37 marka Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -72,6 +72,7 @@
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg><option>-p</option></arg>
<arg><option>-P</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-t</option></arg>
......@@ -358,6 +359,21 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>
Disable post sign verification tests.
</para>
<para>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key.
That all revoked KSK keys are self signed. That all records
in the zone are signed by the algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.c,v 1.45 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: dnssectool.c,v 1.46 2009/06/04 02:13:37 marka Exp $ */
/*! \file */
......@@ -65,7 +65,7 @@ void
fatal(const char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", program);
fprintf(stderr, "%s: fatal: ", program);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
......
example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpZ
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: oXTPXsN2QEAqJhJxU2rOypfDtXP8LHk4LDtP/pGdT8qIa/zXmSUfahvLBFlfZlwSD1HxJTNCI/3KBjSzXEXkgViLfYexZ+01XtX+A3A2sycYLSBXZ7c5rCxDYJhZllXA5uv9+Zwohe5jp5F0m3I6KUxGGW+ugl1dnDUJB2JzGlk=
PublicExponent: AQAB
PrivateExponent: QrbJmRabHiFlSSYFvbo8iGn9bFTotlfAZkZ732y72+SMSlLHo3g7atThJoLncJxKuhnZ0s1DXyvW9omAM3iN2lxfVDW58at1amj/lWRDYkjI0fM8z6eyrF4U2lHKDM2YEstg+sGAAs5DUZBbli4Y7+zHjhxSKLYvRf4AJvX8aoE=
Prime1: 0259CgdF0JW+miedRZXC6tn3FijZJ4/j5edzd8IpTpdUSZupQg9hMP1ot7crreNq7MnzO0Z2ImbowUx8CDOuXQ==
Prime2: w31/WLM2275Z1tsHEOhrntUQCUk55B4PNOCmM4hjp0vAvA/SVSgAYRNb7rc/ujaLf0DnxnDsnVsFAS2PmvQELQ==
Exponent1: yKPhJNMh/X8dEUzmglJMVnHheLXq3RA/RL0PZmZqrJoO8os1Y+sUYFkaNr0sRie6IFrE50tGb/8YgdcDHQVuQQ==
Exponent2: lVhDuGy5RSjnk1eiz0zwIthctutlOZupPFk/P3E7yGv74vAnXH0BxSe3/Oer3MOc0GuyZYyRhyko6px28AbpRQ==
Coefficient: Hjup1nDnPFkQrxU2qLQBJrDz+ipw0RkNhsjWs6IgAq1Mq4sFV50bR9hOTLDd9oNhhtAwVjF+Oc0WIq+M1Mi6Ow==
example.com. IN DNSKEY 257 3 5 AwEAAbuWh5W3eGwixISqPwxszotQ0246KqhUB2Mb6JqNMJd6cWR66IrX YnevpIHsb6oanqJmVzOcJ6Yj3rXOIYtYYXgLbT7EJ8x7BNCZPHxG+w5C 7I1WsDbT6eGf//FLn2c4odKLOXaWCVITeNy61w43IlteIT9Q1egKdt+8 a7X9605j
Private-key-format: v1.2
Algorithm: 5 (RSASHA1)
Modulus: u5aHlbd4bCLEhKo/DGzOi1DTbjoqqFQHYxvomo0wl3pxZHroitdid6+kgexvqhqeomZXM5wnpiPetc4hi1hheAttPsQnzHsE0Jk8fEb7DkLsjVawNtPp4Z//8UufZzih0os5dpYJUhN43LrXDjciW14hP1DV6Ap237xrtf3rTmM=
PublicExponent: AQAB
PrivateExponent: XZSssv3CL3/wtZYQuewV5d4+e8C8wxiYTtL/aQqCcS7+HnhKRelJEBgpYz9GPX/mH3Iakn6WMQW39s6MYW2HwXUnqhsvHoyabGX0Dbc/1LcY4J2VPgzVHwSXYm+j4unOByOOS4KoBtUAQxJsTBokVZrZ5pKsLUK9X2gdywYw+PE=
Prime1: 9fB7PaygjKoT1nbbeEMy1KYNqetg3zmN49Mk6ilEWxzJXKSSjTIhdkiLGXtYmE8rDBLBiYm8YWNe7YdA9PbQ7Q==
Prime2: w0L7mTOLDecH3XAkC/wvALv8K9KSoZ31ajidKBxV15u8awj5AxDG7gjerYgCLjU1fq1GulMr11j8r4ftQn3Cjw==
Exponent1: Up52yEE1rgt0npdPIxdv+//Ml0h7QoITKHXF8OPsEq+Y9YZTtRsiIpo8IFNPb9somuWyHoImxpCbUzAcoi5IAQ==
Exponent2: uYTbvYx+UsAt9dOFPCnnkqAJEK3qCUomET0m/CQn30mldGC7DpGTIDgnMeLmh3agk/IYIBHDtsBinHfeEe2guw==
Coefficient: FiHAet8On9Yaz1ksEAlCWulwck3zPWIsgqJBM2J4kHhgHTm17mZyxtVxIzLAMBNMIBcFl40FCpmPmTLY5QK5mw==
;
; This is a bogus key. It will not have a .private file.
;
; This will be key id 7091
;
example.com. IN DNSKEY 257 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
;
; This is a bogus key. It will not have a .private file.
;
; This will be key id 7092
;
example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
#!/bin/sh
sign="../../dnssec/dnssec-signzone -f signed.zone -o example.com."
signit() {
rm -f signed.zone
grep '^;' $zone
$sign $zone
}
expect_success() {
if ! test -f signed.zone ; then
echo "Error: expected success, but sign failed for $zone."
else
echo "Success: Sign succeeded for $zone."
fi
}
expect_failure() {
if test -f signed.zone ; then
echo "Error: expected failure, but sign succeeded for $zone."
else
echo "Success: Sign failed (expected) for $zone"
fi
}
zone="test1.zone" ; signit ; expect_success
zone="test2.zone" ; signit ; expect_failure
zone="test3.zone" ; signit ; expect_failure
zone="test4.zone" ; signit ; expect_success
zone="test5.zone" ; signit ; expect_failure
zone="test6.zone" ; signit ; expect_failure
zone="test7.zone" ; signit ; expect_failure
zone="test8.zone" ; signit ; expect_failure
;
; This is a zone which has two DNSKEY records, both of which have
; existing private key files available. They should be loaded automatically
; and the zone correctly signed.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
;
; This is a zone which has one non-KSK DNSKEY record for which the
; private key file exists. It should be loaded automatically and the zone
; correctly signed.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
;
; This is a zone which has one KSK DNSKEY record for which the
; private key file exists. It should be loaded automatically. As there
; is no non-KSK DNSKEY the resulting zone should be rejected.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+23362.key
;
; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
; which have existing private key files available. The third is a
; pre-published ZSK.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
$include bogus-zsk.key
;
; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
; have existing private key files available. The third is a KSK.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
$include bogus-ksk.key
;
; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
; have existing private key files available. There are also a KSK and ZSK
; for which there will be no signatures.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+07065.key
$include Kexample.com.+005+23362.key
$include bogus-ksk.key
$include bogus-zsk.key
;
; This is a zone which has two DNSKEY records, none of which have
; existing private key files available. The resulting zone should fail
; the consistancy tests.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include bogus-ksk.key
$include bogus-zsk.key
;
; This is a zone which has two DNSKEY records, one of which,
; the KSK, has a private key. The resulting zone should be rejected as
; it has no ZSK signatures.
;
$TTL 3600
example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
$include Kexample.com.+005+23362.key
$include bogus-zsk.key
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.25 2008/09/25 04:02:38 tbox Exp $
# $Id: sign.sh,v 1.26 2009/06/04 02:13:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -35,8 +35,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key > $zonefile
echo $SIGNER -g -r $RANDFILE -o $zone $zonefile
$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
# Configure the resolving server with a trusted key.
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.30 2008/09/25 04:02:38 tbox Exp $
# $Id: sign.sh,v 1.31 2009/06/04 02:13:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -40,7 +40,7 @@ keyname2=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
# Sign the privately secure file
......@@ -52,7 +52,7 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
cat $privinfile $privkeyname.key >$privzonefile
$SIGNER -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
$SIGNER -P -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
# Sign the DLV secure zone.
......@@ -65,4 +65,4 @@ dlvkeyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
$SIGNER -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
$SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.25 2008/09/25 04:02:38 tbox Exp $
# $Id: sign.sh,v 1.26 2009/06/04 02:13:37 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -30,7 +30,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
zone=bogus.example.
infile=bogus.example.db.in
......@@ -40,7 +40,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
zone=dynamic.example.
infile=dynamic.example.db.in
......@@ -51,7 +51,7 @@ keyname2=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
zone=keyless.example.
infile=keyless.example.db.in
......@@ -61,7 +61,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
# Change the signer field of the a.b.keyless.example SIG A
# to point to a provably nonexistent KEY record.
......@@ -81,7 +81,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
#
# NSEC3/NSEC3 test zone
......@@ -94,7 +94,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
#
# OPTOUT/NSEC3 test zone
......@@ -107,7 +107,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
#
# A nsec3 zone (non-optout).
......@@ -120,7 +120,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
#
# OPTOUT/NSEC test zone
......@@ -133,7 +133,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
#
# OPTOUT/NSEC3 test zone
......@@ -146,7 +146,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
#
# OPTOUT/OPTOUT test zone
......@@ -159,7 +159,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
#
# A optout nsec3 zone.
......@@ -172,7 +172,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
#
# A nsec3 zone (non-optout) with unknown hash algorithm.
......@@ -185,7 +185,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
#
# A optout nsec3 zone.
......@@ -198,7 +198,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
#
# A multiple parameter nsec3 zone.
......@@ -211,14 +211,14 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
mv $zonefile.signed $zonefile
$SIGNER -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
mv $zonefile.signed $zonefile
$SIGNER -3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
mv $zonefile.signed $zonefile
$SIGNER -3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
mv $zonefile.signed $zonefile
$SIGNER -3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
mv $zonefile.signed $zonefile
$SIGNER -3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
$SIGNER -P -3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
......@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.93 2008/11/14 23:47:33 tbox Exp $
* $Id: dnssec.c,v 1.94 2009/06/04 02:13:37 marka Exp $
*/
/*! \file */
......@@ -93,6 +93,7 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
isc_result_t ret;
int i = 0, n;
dns_rdata_t *data;
dns_rdataset_t rdataset;
n = dns_rdataset_count(set);
......@@ -100,8 +101,11 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
if (data == NULL)
return (ISC_R_NOMEMORY);
ret = dns_rdataset_first(set);
dns_rdataset_init(&rdataset);
dns_rdataset_clone(set, &rdataset);
ret = dns_rdataset_first(&rdataset);
if (ret != ISC_R_SUCCESS) {
dns_rdataset_disassociate(&rdataset);
isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
return (ret);
}
......@@ -111,8 +115,8 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
*/
do {
dns_rdata_init(&data[i]);
dns_rdataset_current(set, &data[i++]);
} while (dns_rdataset_next(set) == ISC_R_SUCCESS);
dns_rdataset_current(&rdataset, &data[i++]);
} while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
/*
* Sort the array.
......@@ -120,6 +124,7 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
*rdata = data;
*nrdata = n;
dns_rdataset_disassociate(&rdataset);
return (ISC_R_SUCCESS);
}
......@@ -890,3 +895,59 @@ failure:
return (result);
}
/*%
* Does this key ('rdata') self sign the rrset ('rdataset')?
*/
isc_boolean_t
dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
isc_boolean_t ignoretime, isc_mem_t *mctx)
{
dst_key_t *dstkey = NULL;
dns_keytag_t keytag;
dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
isc_result_t result;
INSIST(rdataset->type == dns_rdatatype_key ||
rdataset->type == dns_rdatatype_dnskey);
if (rdataset->type == dns_rdatatype_key) {
INSIST(sigrdataset->type == dns_rdatatype_sig);
INSIST(sigrdataset->covers == dns_rdatatype_key);
} else {
INSIST(sigrdataset->type == dns_rdatatype_rrsig);
INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
}
result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
result = dns_rdata_tostruct(rdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
keytag = dst_key_id(dstkey);
for (result = dns_rdataset_first(sigrdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(sigrdataset))
{
dns_rdata_reset(&sigrdata);
dns_rdataset_current(sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (sig.algorithm == key.algorithm &&
sig.keyid == keytag) {
result = dns_dnssec_verify2(name, rdataset, dstkey,
ignoretime, mctx,
&sigrdata, NULL);
if (result == ISC_R_SUCCESS) {
dst_key_free(&dstkey);
return (ISC_TRUE);
}
}
}
dst_key_free(&dstkey);
return (ISC_FALSE);
}
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec.h,v 1.32 2007/06/19 23:47:16 tbox Exp $ */
/* $Id: dnssec.h,v 1.33 2009/06/04 02:13:37 marka Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
......@@ -178,6 +178,12 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
*\li DST_R_*
*/
isc_boolean_t
dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
isc_boolean_t ignoretime, isc_mem_t *mctx);
ISC_LANG_ENDDECLS
#endif /* DNS_DNSSEC_H */
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keyvalues.h,v 1.23 2008/09/25 04:02:39 tbox Exp $ */
/* $Id: keyvalues.h,v 1.24 2009/06/04 02:13:37 marka Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
......@@ -42,7 +42,7 @@
#define DNS_KEYOWNER_ENTITY 0x0200 /*%< key is assoc. with entity eg host */
#define DNS_KEYOWNER_ZONE 0x0100 /*%< key is zone key */
#define DNS_KEYOWNER_RESERVED 0x0300 /*%< reserved meaning */
#define DNS_KEYFLAG_RESERVED8 0x0080 /*%< reserved - must be zero */
#define DNS_KEYFLAG_REVOKE 0x0080 /*%< key revoked (per rfc5001) */
#define DNS_KEYFLAG_RESERVED9 0x0040 /*%< reserved - must be zero */
#define DNS_KEYFLAG_RESERVED10 0x0020 /*%< reserved - must be zero */
#define DNS_KEYFLAG_RESERVED11 0x0010 /*%< reserved - must be zero */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment