Commit 28479307 authored by Mark Andrews's avatar Mark Andrews

2708. [func] Insecure to secure and NSEC3 parameter changes via

                        update are now fully supported and no longer require
                        defines to enable.  We now no longer overload the
                        NSEC3PARAM flag field, nor the NSEC OPT bit at the
                        apex.  Secure to insecure changes are controlled by
                        by the named.conf option 'secure-to-insecure'.

                        Warning: If you had previously enabled support by
                        adding defines at compile time to BIND 9.6 you should
                        ensure that all changes that are in progress have
                        completed prior to upgrading to BIND 9.7.  BIND 9.7
                        is not backwards compatible.
parent 169b9003
2708. [func] Insecure to secure and NSEC3 parameter changes via
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled by
by the named.conf option 'secure-to-insecure'.
Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.
2707. [func] dnssec-keyfromlabel no longer require engine name
to be specified in the label if there is a default
engine or the -E option has been used. Also, it
......
......@@ -32,18 +32,36 @@ generated as part of the initial signing process.
While the update request will complete almost immediately the zone
will not be completely signed until named has had time to walk the
zone and generate the NSEC and RRSIG records. Initially the NSEC
record at the zone apex will have the OPT bit set. When the NSEC
chain is complete the OPT bit will be cleared. Additionally when
the zone is fully signed the private type (default TYPE65534) records
will have a non zero value for the final octet.
zone and generate the NSEC and RRSIG records. The NSEC record at the
apex will be added last to signal that there is a complete NSEC chain.
Additionally when the zone is fully signed the private type (default
TYPE65534) records will have a non zero value for the final octet for
those record with a none zero initial octet.
The private type record format:
If the first octet is non-zero then the record indicates that the zone needs
to be signed with the key matching the record or that all signatures that
match the record should be removed.
The private type record has 5 octets.
algorithm (octet 1)
key id in network order (octet 2 and 3)
removal flag (octet 4)
complete flag (octet 5)
Only records with the complete flag set can be removed via nsupdate.
Attempts to remove other private type records will be silently ignored.
If the first octet is zero (this is a reserved algorithm number
that should never appear in a DNSKEY record) then the record indicates
changes to the NSEC3 chains are in progress. The rest of the record
contains a NSEC3PARAM record. The flag field tells what operation
to perform based on the flag bits.
0x01 OPTOUT
0x80 CREATE
0x40 REMOVE
0x20 NONSEC
If you wish to go straight to a secure zone using NSEC3 you should
also add a NSECPARAM record to the update request with the flags
field set to indicate whether the NSEC3 chain will have the OPTOUT
......@@ -56,10 +74,11 @@ bit set or not.
> update add example.net NSEC3PARAM 1 1 100 1234567890
> send
Again the update request will complete almost immediately however the
NSEC3PARAM record will have additional flag bits set indicating that the
NSEC3 chain is under construction. When the NSEC3 chain is complete the
flags field will be set to zero.
Again the update request will complete almost immediately however
the record won't show up or be deleted until named has had a chance
to build/remove the relevent chain. A private type record will be
created to record the operatation and will be removed once the
operation completes.
While the initial signing and NSEC/NSEC3 chain generation is happening
other updates are possible.
......@@ -109,7 +128,8 @@ NSEC chain will be generated before the NSEC3 chain is removed.
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
will be removed as well as associated NSEC3PARAM records. This will
take place after the update requests completes.
take place after the update requests completes. This requires
secure-to-insecure to be set in named.conf.
Periodic re-signing.
......
......@@ -73,6 +73,11 @@ BIND 9.7.0
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection (see README.pkcs11 for additional details).
Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
you should ensure that all changes that are in progress have completed
prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
BIND 9.6.0
BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.101 2009/09/01 07:14:25 each Exp $ */
/* $Id: config.c,v 1.102 2009/10/08 23:13:05 marka Exp $ */
/*! \file */
......@@ -185,6 +185,7 @@ options {\n\
max-refresh-time 2419200; /* 4 weeks */\n\
min-refresh-time 300;\n\
multi-master no;\n\
secure-to-insecure no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.39 2008/09/24 02:46:21 marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.40 2009/10/08 23:13:05 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -340,6 +340,7 @@ options {
try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
......@@ -499,6 +500,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
key-directory <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
fetch-glue <replaceable>boolean</replaceable>; // obsolete
......@@ -533,6 +535,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
ixfr-from-differences <replaceable>boolean</replaceable>;
journal <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
allow-query-on { <replaceable>address_match_element</replaceable>; ... };
......
This diff is collapsed.
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.154 2009/09/01 00:22:25 jinmei Exp $ */
/* $Id: zoneconf.c,v 1.155 2009/10/08 23:13:06 marka Exp $ */
/*% */
......@@ -929,6 +929,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "secure-to-insecure", &obj);
INSIST(obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
cfg_obj_asboolean(obj));
}
/*
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.430 2009/10/05 01:49:59 each Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.431 2009/10/08 23:13:06 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -4891,6 +4891,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
......@@ -6442,6 +6443,17 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>secure-to-insecure</command></term>
<listitem>
<para>
Allow a zone to transition from secure to insecure by
deleting all DNSKEY records. The default is
<command>no</command>.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
......@@ -9347,6 +9359,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
<optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
......@@ -10259,6 +10272,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>secure-to-insecure</command></term>
<listitem>
<para>
See the description of
<command>secure-to-insecure</command> in <xref linkend="boolean_options"/>.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.108 2009/09/02 16:10:03 each Exp $ */
/* $Id: check.c,v 1.109 2009/10/08 23:13:06 marka Exp $ */
/*! \file */
......@@ -23,6 +23,7 @@
#include <stdlib.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
......@@ -1100,6 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "min-retry-time", SLAVEZONE | STUBZONE },
{ "max-refresh-time", SLAVEZONE | STUBZONE },
{ "min-refresh-time", SLAVEZONE | STUBZONE },
{ "secure-to-insecure", MASTERZONE },
{ "sig-validity-interval", MASTERZONE },
{ "sig-re-signing-interval", MASTERZONE },
{ "sig-signing-nodes", MASTERZONE },
......@@ -1404,6 +1406,9 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
const char *algorithm;
int i;
size_t len = 0;
isc_result_t result;
isc_buffer_t buf;
unsigned char secretbuf[1024];
static const algorithmtable algorithms[] = {
{ "hmac-md5", 128 },
{ "hmac-md5.sig-alg.reg.int", 0 },
......@@ -1426,6 +1431,14 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
return (ISC_R_FAILURE);
}
isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR,
"bad secret '%s'", isc_result_totext(result));
return (result);
}
algorithm = cfg_obj_asstring(algobj);
for (i = 0; algorithms[i].name != NULL; i++) {
len = strlen(algorithms[i].name);
......
......@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
# $Id: Makefile.in,v 1.168 2009/10/08 23:13:06 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
......@@ -61,7 +61,7 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
keydata.@O@ keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
master.@O@ masterdump.@O@ message.@O@ \
name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
portlist.@O@ \
portlist.@O@ private.@O@ \
rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
rdatalist.@O@ \
rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: db.c,v 1.94 2009/09/01 00:22:26 jinmei Exp $ */
/* $Id: db.c,v 1.95 2009/10/08 23:13:06 marka Exp $ */
/*! \file */
......@@ -938,9 +938,9 @@ dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
}
void
dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
dns_dbversion_t *version)
{
if (db->methods->resigned != NULL)
(db->methods->resigned)(db, rdataset, version);
}
......@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.55 2008/11/14 23:47:33 tbox Exp $
# $Id: Makefile.in,v 1.56 2009/10/08 23:13:07 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
......@@ -21,19 +21,17 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h \
cert.h compress.h \
HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \
dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \
keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
message.h name.h ncache.h \
nsec.h peer.h portlist.h rbt.h rcode.h \
dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
keyflags.h keytable.h keyvalues.h lib.h log.h \
master.h masterdump.h message.h name.h ncache.h nsec.h \
peer.h portlist.h private.h rbt.h rcode.h \
rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
rdataslab.h rdatatype.h request.h resolver.h result.h \
rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
tcpmsg.h time.h tkey.h \
tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
zone.h zonekey.h zt.h
tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h
GENHEADERS = enumclass.h enumtype.h rdatastruct.h
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3.h,v 1.8 2009/10/06 21:20:45 each Exp $ */
/* $Id: nsec3.h,v 1.9 2009/10/08 23:13:07 marka Exp $ */
#ifndef DNS_NSEC3_H
#define DNS_NSEC3_H 1
......@@ -110,6 +110,12 @@ isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
dns_name_t *name, dns_ttl_t nsecttl,
isc_boolean_t unsecure, dns_diff_t *diff);
isc_result_t
dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
dns_name_t *name, dns_ttl_t nsecttl,
isc_boolean_t unsecure, dns_rdatatype_t private,
dns_diff_t *diff);
/*%<
* Add NSEC3 records for 'name', recording the change in 'diff'.
* Adjust previous NSEC3 records, if any, to reflect the addition.
......@@ -130,6 +136,10 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
* NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
* record in the chain.
*
* dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
* specifies the type of the private rdataset to be checked in addition to
* the nsec3param rdataset at the zone apex.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
......@@ -145,6 +155,10 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_diff_t *diff);
isc_result_t
dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_rdatatype_t private, dns_diff_t *diff);
/*%<
* Remove NSEC3 records for 'name', recording the change in 'diff'.
* Adjust previous NSEC3 records, if any, to reflect the removal.
......@@ -156,6 +170,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
* to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3
* records have the OPTOUT flag preserved.
*
* dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
* specifies the type of the private rdataset to be checked in addition to
* the nsec3param rdataset at the zone apex.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
......@@ -167,10 +185,19 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
isc_boolean_t complete, isc_boolean_t *answer);
isc_result_t
dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
isc_boolean_t complete, dns_rdatatype_t private,
isc_boolean_t *answer);
/*%<
* Check if there are any complete/to be built NSEC3 chains.
* If 'complete' is ISC_TRUE only complete chains will be recognized.
*
* dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
* specifies the type of the private rdataset to be checked in addition to
* the nsec3param rdataset at the zone apex.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
......@@ -191,6 +218,27 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
* 'iterationsp' to be non NULL.
*/
isc_boolean_t
dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
unsigned char *buf, size_t buflen);
/*%<
* Convert a private rdata to a nsec3param rdata.
*
* Return ISC_TRUE if 'src' could be successfully converted.
*
* 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
*/
void
dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
dns_rdatatype_t privatetype,
unsigned char *buf, size_t buflen);
/*%<
* Convert a nsec3param rdata to a private rdata.
*
* 'buf' should be at least src->length + 1 in size.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_NSEC3_H */
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rdata.h,v 1.74 2009/09/01 00:22:26 jinmei Exp $ */
/* $Id: rdata.h,v 1.75 2009/10/08 23:13:07 marka Exp $ */
#ifndef DNS_RDATA_H
#define DNS_RDATA_H 1
......@@ -125,9 +125,27 @@ struct dns_rdata {
#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
#define DNS_RDATA_CHECKINITIALIZED
#ifdef DNS_RDATA_CHECKINITIALIZED
#define DNS_RDATA_INITIALIZED(rdata) \
((rdata)->data == NULL && (rdata)->length == 0 && \
(rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
!ISC_LINK_LINKED((rdata), link))
#else
#ifdef ISC_LIST_CHECKINIT
#define DNS_RDATA_INITIALIZED(rdata) \
(!ISC_LINK_LINKED((rdata), link))
#else
#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
#endif
#endif
#define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record. */
#define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */
#define DNS_RDATA_VALIDFLAGS(rdata) \
(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
* are used by masterfile-level formatting and defined elsewhere.
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.167 2009/10/05 19:39:20 each Exp $ */
/* $Id: zone.h,v 1.168 2009/10/08 23:13:07 marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
......@@ -71,6 +71,7 @@ typedef enum {
#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U /*%< try tcp refresh on udp failure */
#define DNS_ZONEOPT_NOTIFYTOSOA 0x02000000U /*%< Notify the SOA MNAME */
#define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U /*%< nsec3-test-zone */
#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */
#ifndef NOMINUM_PUBLIC
/*
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3.c,v 1.8 2009/06/04 02:56:47 tbox Exp $ */
/* $Id: nsec3.c,v 1.9 2009/10/08 23:13:06 marka Exp $ */
#include <config.h>
......@@ -28,6 +28,7 @@
#include <dst/dst.h>
#include <dns/db.h>
#include <dns/compress.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/fixedname.h>
......@@ -457,7 +458,6 @@ delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
return (result);
}
#ifndef RFC5155_STRICT
static isc_boolean_t
better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
dns_rdataset_t rdataset;
......@@ -472,7 +472,17 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
if (rdataset.type != dns_rdatatype_nsec3param) {
dns_rdata_t tmprdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &tmprdata);
if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
buf, sizeof(buf)))
continue;
} else
dns_rdataset_current(&rdataset, &rdata);
if (rdata.length != param->length)
continue;
if (rdata.data[0] != param->data[0] ||
......@@ -490,7 +500,6 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
dns_rdataset_disassociate(&rdataset);
return (ISC_FALSE);
}
#endif
static isc_result_t
find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
......@@ -913,17 +922,159 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
dns_rdata_tostruct(&rdata, &nsec3param, NULL);
CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
#ifdef RFC5155_STRICT
if (nsec3param.flags != 0)
continue;
#else
/*
* We have a active chain. Update it.
*/
CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
nsecttl, unsecure, diff));
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
return (result);
}
isc_boolean_t
dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
unsigned char *buf, size_t buflen)
{
dns_decompress_t dctx;
isc_result_t result;
isc_buffer_t buf1;
isc_buffer_t buf2;
/*
* Algorithm 0 (reserved by RFC 4034) is used to identify
* NSEC3PARAM records from DNSKEY pointers.
*/
if (src->length < 1 || src->data[0] != 0)
return (ISC_FALSE);
isc_buffer_init(&buf1, src->data + 1, src->length - 1);
isc_buffer_add(&buf1, src->length - 1);
isc_buffer_setactive(&buf1, src->length - 1);
isc_buffer_init(&buf2, buf, buflen);
dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
result = dns_rdata_fromwire(target, src->rdclass,
dns_rdatatype_nsec3param,
&buf1, &dctx, 0, &buf2);
dns_decompress_invalidate(&dctx);
return (ISC_TF(result == ISC_R_SUCCESS));
}
void
dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
dns_rdatatype_t privatetype,
unsigned char *buf, size_t buflen)
{
REQUIRE(buflen >= src->length + 1);
REQUIRE(DNS_RDATA_INITIALIZED(target));
memcpy(buf + 1, src->data, src->length);
buf[0] = 0;
target->data = buf;
target->length = src->length + 1;
target->type = privatetype;
target->rdclass = src->rdclass;
target->flags = 0;
ISC_LINK_INIT(target, link);
}
isc_result_t
dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
dns_name_t *