Commit 3727725b authored by Evan Hunt's avatar Evan Hunt

2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'

			zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]
parent 0d9fb986
2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
zone option cause a zone to be signed with only KSKs
signing the DNSKEY RRset, not ZSKs. This reduces
the size of a DNSKEY answer. [RT #20340]
2709. [func] Added some data fields, currently unused, to the
private key file format, to allow implementation
of explicit key rollover in a future release
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.242 2009/10/09 06:09:21 each Exp $ */
/* $Id: dnssec-signzone.c,v 1.243 2009/10/10 01:47:59 each Exp $ */
/*! \file */
......@@ -101,6 +101,8 @@ static int nsec_datatype = dns_rdatatype_nsec;
#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
#define BUFSIZE 2048
#define MAXDSKEYS 8
......@@ -158,6 +160,7 @@ static isc_boolean_t nokeys = ISC_FALSE;
static isc_boolean_t removefile = ISC_FALSE;
static isc_boolean_t generateds = ISC_FALSE;
static isc_boolean_t ignore_kskflag = ISC_FALSE;
static isc_boolean_t keyset_kskonly = ISC_FALSE;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
......@@ -579,9 +582,27 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
if (!issigningkey(key))
continue;
if (iszsk(key) ||
(isksk(key) && set->type == dns_rdatatype_dnskey &&
dns_name_equal(name, gorigin))) {
if (set->type == dns_rdatatype_dnskey &&
dns_name_equal(name, gorigin)) {
isc_boolean_t have_ksk = isksk(key);;
dns_dnsseckey_t *tmpkey;
for (tmpkey = ISC_LIST_HEAD(keylist);
tmpkey != NULL;
tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
if (dst_key_alg(key->key) !=
dst_key_alg(tmpkey->key))
continue;
if (REVOKE(tmpkey->key))
continue;
if (isksk(tmpkey))
have_ksk = ISC_TRUE;
}
if (isksk(key) || !have_ksk ||
(iszsk(key) && !keyset_kskonly))
signwithkey(name, set, key->key, ttl, add,
"signing with dnskey");
} else if (iszsk(key)) {
signwithkey(name, set, key->key, ttl, add,
"signing with dnskey");
}
......@@ -1422,8 +1443,8 @@ verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation,
/*%
* Verify that certain things are sane:
*
* The apex has a DNSKEY record with at least one KSK and at least
* one ZSK.
* The apex has a DNSKEY record with at least one KSK, and at least
* one ZSK if the -x flag was not used.
*
* The DNSKEY record was signed with at least one of the KSKs in this
* set.
......@@ -1492,8 +1513,9 @@ verifyzone(void) {
#endif
/*
* Check that the DNSKEY RR has at least one self signing KSK and
* one ZSK per algorithm in it.
* Check that the DNSKEY RR has at least one self signing KSK
* and one ZSK per algorithm in it (or, if -x was used, one
* self-signing KSK).
*/
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
......@@ -1591,7 +1613,7 @@ verifyzone(void) {
}
fprintf(stderr, ".\n");
if (!ignore_kskflag) {
if (!ignore_kskflag && !keyset_kskonly) {
for (i = 0; i < 256; i++) {
/*
* The counts should both be zero or both be non-zero.
......@@ -1708,20 +1730,24 @@ verifyzone(void) {
*/
fprintf(stderr, "Zone signing complete:\n");
for (i = 0; i < 256; i++) {
if ((zsk_algorithms[i] != 0) ||
(ksk_algorithms[i] != 0) ||
(standby_zsk[i] != 0) || (standby_ksk[i] != 0) ||
(revoked_ksk[i] != 0) || (revoked_zsk[i] != 0)) {
if ((ksk_algorithms[i] != 0) ||
(standby_ksk[i] != 0) ||
(revoked_zsk[i] != 0) ||
(zsk_algorithms[i] != 0) ||
(standby_zsk[i] != 0) ||
(revoked_zsk[i] != 0)) {
alg_format(i, algbuf, sizeof(algbuf));
fprintf(stderr, "Algorithm: %s: KSKs: "
"%u active, %u stand-by, %u revoked\n",
algbuf, ksk_algorithms[i],
standby_ksk[i], revoked_ksk[i]);
fprintf(stderr, "%*sZSKs: "
"%u active, %u stand-by, %u revoked\n",
"%u active, %u %s, %u revoked\n",
(int) strlen(algbuf) + 13, "",
zsk_algorithms[i],
standby_zsk[i], revoked_zsk[i]);
standby_zsk[i],
keyset_kskonly ? "present" : "stand-by",
revoked_zsk[i]);
}
}
}
......@@ -3136,7 +3162,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
isc_buffer_t namebuf;
isc_region_t r;
isc_result_t result;
dns_dnsseckey_t *key;
dns_dnsseckey_t *key, *tmpkey;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
unsigned char keybuf[DST_KEY_MAXSIZE];
unsigned int filenamelen;
......@@ -3162,22 +3188,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
dns_diff_init(mctx, &diff);
for (key = ISC_LIST_HEAD(keylist);
key != NULL;
key = ISC_LIST_NEXT(key, link))
if (!isksk(key)) {
have_non_ksk = ISC_TRUE;
break;
}
for (key = ISC_LIST_HEAD(keylist);
key != NULL;
key = ISC_LIST_NEXT(key, link))
if (isksk(key)) {
have_ksk = ISC_TRUE;
break;
}
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
unsigned int labels;
......@@ -3196,6 +3206,27 @@ writeset(const char *prefix, dns_rdatatype_t type) {
key != NULL;
key = ISC_LIST_NEXT(key, link))
{
if (REVOKE(key->key))
continue;
if (isksk(key)) {
have_ksk = ISC_TRUE;
have_non_ksk = ISC_FALSE;
} else {
have_ksk = ISC_FALSE;
have_non_ksk = ISC_TRUE;
}
for (tmpkey = ISC_LIST_HEAD(keylist);
tmpkey != NULL;
tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
if (dst_key_alg(key->key) != dst_key_alg(tmpkey->key))
continue;
if (REVOKE(tmpkey->key))
continue;
if (isksk(tmpkey))
have_ksk = ISC_TRUE;
else
have_non_ksk = ISC_TRUE;
}
if (have_ksk && have_non_ksk && !isksk(key))
continue;
dns_rdata_init(&rdata);
......@@ -3340,6 +3371,8 @@ usage(void) {
fprintf(stderr, "print statistics\n");
fprintf(stderr, "\t-u:\t");
fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
fprintf(stderr, "\t-x:\tsign DNSKEY record with KSKs only, not ZSKs\n");
fprintf(stderr, "\t-z:\tsign all records with KSKs\n");
fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
"\t\twith older versions of dnssec-signzone -g\n");
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
......@@ -3348,8 +3381,6 @@ usage(void) {
fprintf(stderr, "\t-3 NSEC3 salt\n");
fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
fprintf(stderr, "\t-A NSEC3 optout\n");
fprintf(stderr, "\t-z:\t");
fprintf(stderr, "ignore KSK flag in DNSKEYs");
fprintf(stderr, "\n");
......@@ -3424,7 +3455,7 @@ main(int argc, char *argv[]) {
isc_boolean_t set_iter = ISC_FALSE;
#define CMDLINE_FLAGS \
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:xz"
/*
* Process memory debugging argument first.
......@@ -3644,6 +3675,10 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric");
break;
case 'x':
keyset_kskonly = ISC_TRUE;
break;
case 'z':
ignore_kskflag = ISC_TRUE;
break;
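Review bot: In the verifyzone summary loop (hunk @@ -1708), the rewritten condition lists `(revoked_zsk[i] != 0)` twice and no longer tests `revoked_ksk[i]`, so an algorithm whose only remaining keys are revoked KSKs is silently omitted from the "Zone signing complete" report even though the fprintf that follows still prints revoked_ksk[i]; the third line of the condition should read `(revoked_ksk[i] != 0) ||`. Separately, in signset (hunk @@ -579) the new declaration `isc_boolean_t have_ksk = isksk(key);;` carries a stray second semicolon. The have_ksk scan there counts any non-revoked KSK of the same algorithm without consulting issigningkey(), so under -x a ZSK is presumably skipped even when the matching KSK cannot actually sign, leaving the DNSKEY RRset without a signature for that algorithm — worth confirming that is intended. Both enclosing functions extend beyond their hunks.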
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.39 2009/10/05 17:30:49 fdupont Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.40 2009/10/10 01:47:59 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
......@@ -83,6 +83,7 @@
<arg><option>-t</option></arg>
<arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
......@@ -552,11 +553,23 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore KSK flag on key when determining what to sign.
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset.
</para>
</listitem>
</varlistentry>
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.102 2009/10/08 23:13:05 marka Exp $ */
/* $Id: config.c,v 1.103 2009/10/10 01:47:59 each Exp $ */
/*! \file */
......@@ -200,6 +200,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
dnskey-ksk-only no;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.41 2009/10/08 23:48:09 tbox Exp $ -->
<!-- $Id: named.conf.docbook,v 1.42 2009/10/10 01:47:59 each Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -292,6 +292,7 @@ options {
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
......@@ -457,6 +458,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
......@@ -551,6 +553,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
<replaceable>rrtypelist</replaceable>; ...
};
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.161 2009/10/08 23:48:09 tbox Exp $ */
/* $Id: update.c,v 1.162 2009/10/10 01:47:59 each Exp $ */
#include <config.h>
......@@ -1810,44 +1810,6 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
static isc_boolean_t
ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
isc_boolean_t ret = ISC_FALSE;
isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_dnskey_t dnskey;
dns_rdataset_init(&rdataset);
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
&rdataset, NULL));
CHECK(dns_rdataset_first(&rdataset));
while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
dns_rdataset_current(&rdataset, &rdata);
CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
== DNS_KEYOWNER_ZONE) {
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
have_ksk = ISC_TRUE;
else
have_nonksk = ISC_TRUE;
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(&rdataset);
}
if (have_ksk && have_nonksk)
ret = ISC_TRUE;
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
return (ret);
}
/*%
* Add RRSIG records for an RRset, recording the change in "diff".
*/
......@@ -1856,7 +1818,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
isc_stdtime_t inception, isc_stdtime_t expire,
isc_boolean_t check_ksk)
isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
......@@ -1864,7 +1826,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
isc_buffer_t buffer;
unsigned char data[1024]; /* XXX */
unsigned int i;
unsigned int i, j;
isc_boolean_t added_sig = ISC_FALSE;
isc_mem_t *mctx = client->mctx;
......@@ -1880,13 +1842,52 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
(isc_stdtime_t) 0, &rdataset, NULL));
dns_db_detachnode(db, &node);
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
#define ALG(x) dst_key_alg(x)
/*
* If we are honoring KSK flags then we need to check that we
* have both KSK and non-KSK keys that are not revoked per
* algorithm.
*/
for (i = 0; i < nkeys; i++) {
isc_boolean_t both = ISC_FALSE;
if (check_ksk && type != dns_rdatatype_dnskey &&
(dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
if (!dst_key_isprivate(keys[i]))
continue;
if (!dst_key_isprivate(keys[i]))
if (check_ksk && !REVOKE(keys[i])) {
isc_boolean_t have_ksk, have_nonksk;
if (KSK(keys[i])) {
have_ksk = ISC_TRUE;
have_nonksk = ISC_FALSE;
} else {
have_ksk = ISC_FALSE;
have_nonksk = ISC_TRUE;
}
for (j = 0; j < nkeys; j++) {
if (j == i || ALG(keys[i]) != ALG(keys[j]))
continue;
if (REVOKE(keys[j]))
continue;
if (KSK(keys[j]))
have_ksk = ISC_TRUE;
else
have_nonksk = ISC_TRUE;
both = have_ksk && have_nonksk;
if (both)
break;
}
}
if (both) {
if (type == dns_rdatatype_dnskey) {
if (!KSK(keys[i]) && keyset_kskonly)
continue;
} else if (!KSK(keys[i]))
continue;
} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
continue;
/* Calculate the signature, creating a RRSIG RDATA. */
......@@ -1997,7 +1998,7 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
isc_stdtime_t inception, isc_stdtime_t expire,
isc_boolean_t check_ksk)
isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
{
isc_result_t result;
dns_dbnode_t *node;
......@@ -2043,7 +2044,8 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if (flag)
continue;;
result = add_sigs(client, zone, db, ver, name, type, diff,
keys, nkeys, inception, expire, check_ksk);
keys, nkeys, inception, expire,
check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS)
goto cleanup_iterator;
}
......@@ -2073,8 +2075,7 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
static isc_result_t
update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *oldver, dns_dbversion_t *newver,
dns_diff_t *diff, isc_uint32_t sigvalidityinterval,
isc_boolean_t *deleted_zsk)
dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
{
isc_result_t result;
dns_difftuple_t *t;
......@@ -2093,7 +2094,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
dns_dbnode_t *node = NULL;
isc_boolean_t check_ksk;
isc_boolean_t check_ksk, keyset_kskonly;
isc_boolean_t unsecure;
isc_boolean_t cut;
dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
......@@ -2126,27 +2127,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
*/
check_ksk = ISC_TF((dns_zone_getoptions(zone) &
DNS_ZONEOPT_UPDATECHECKKSK) != 0);
/*
* If we are not checking the ZSK flag then all DNSKEY's are
* already signing all RRsets so we don't need to trigger special
* changes.
*/
if (*deleted_zsk && (!check_ksk || !ksk_sanity(db, oldver)))
*deleted_zsk = ISC_FALSE;
if (check_ksk) {
check_ksk = ksk_sanity(db, newver);
if (!check_ksk && ksk_sanity(db, oldver))
update_log(client, zone, ISC_LOG_WARNING,
"disabling update-check-ksk");
}
/*
* If we have deleted a ZSK and we we still have some ZSK's
* we don't need to convert the KSK's to a ZSK's.
*/
if (*deleted_zsk && check_ksk)
*deleted_zsk = ISC_FALSE;
keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
/*
* Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
......@@ -2213,7 +2195,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(client, zone, db, newver, name,
type, &sig_diff, zone_keys,
nkeys, inception, expire,
check_ksk));
check_ksk, keyset_kskonly));
}
skip:
/* Skip any other updates to the same RRset. */
......@@ -2365,7 +2347,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
}
CHECK(add_exposed_sigs(client, zone, db, newver, name,
cut, diff, zone_keys, nkeys,
inception, expire, check_ksk));
inception, expire, check_ksk,
keyset_kskonly));
}
}
......@@ -2427,7 +2410,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(client, zone, db, newver, &t->name,
dns_rdatatype_nsec, &sig_diff,
zone_keys, nkeys, inception, expire,
check_ksk));
check_ksk, keyset_kskonly));
} else {
INSIST(0);
}
......@@ -2523,7 +2506,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
} else {
CHECK(add_exposed_sigs(client, zone, db, newver, name,
cut, diff, zone_keys, nkeys,
inception, expire, check_ksk));
inception, expire, check_ksk,
keyset_kskonly));
CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
unsecure, privatetype,
&nsec_diff));
......@@ -2557,7 +2541,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(client, zone, db, newver, &t->name,
dns_rdatatype_nsec3,
&sig_diff, zone_keys, nkeys,
inception, expire, check_ksk));
inception, expire, check_ksk,
keyset_kskonly));
} else {
INSIST(0);
}
......@@ -3503,7 +3488,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_fixedname_t tmpnamefixed;
dns_name_t *tmpname = NULL;
unsigned int options;
isc_boolean_t deleted_zsk;
dns_difftuple_t *tuple;
dns_rdata_dnskey_t dnskey;
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
......@@ -4107,8 +4091,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
isc_uint32_t interval;
interval = dns_zone_getsigvalidityinterval(zone);
result = update_signatures(client, zone, db, oldver,
ver, &diff, interval,
&deleted_zsk);
ver, &diff, interval);
if (result != ISC_R_SUCCESS) {
update_log(client, zone,
ISC_LOG_ERROR,
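Review bot: The REVOKE() and KSK() macros introduced in add_sigs (hunk @@ -1880) compare the masked flag with `== 1` instead of `!= 0`; that only works when the flag bit happens to have the value 1, and DNS_KEYFLAG_REVOKE is not bit 0 (as I recall it is 0x0080), so REVOKE() is false for every key here. The consequence is that revoked keys are still counted in the per-algorithm KSK/non-KSK check and, through the final `else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)`, are not excluded from signing ordinary RRsets — the opposite of what the comment above the loop states. dnssec-signzone.c in this same commit spells the macro as `((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)`; write `#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)` and `#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)` here too. The three macros are also defined inside the function body and never undefined, so they leak into the rest of the translation unit; add `#undef REVOKE`, `#undef KSK` and `#undef ALG` after the loop. add_sigs continues outside the hunk.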
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.155 2009/10/08 23:13:06 marka Exp $ */
/* $Id: zoneconf.c,v 1.156 2009/10/10 01:47:59 each Exp $ */
/*% */
......@@ -859,6 +859,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
obj = NULL;
result = ns_config_get(maps, "dnskey-ksk-only", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_update_forwarding, ac, zone,
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.431 2009/10/08 23:13:06 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.432 2009/10/10 01:47:59 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -4891,6 +4891,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
<optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
......@@ -6425,13 +6426,29 @@ options {
request to a secure zone, check the KSK flag on
the DNSKEY RR to determine if this key should be
used to generate the RRSIG. This flag is ignored
if there are not DNSKEY RRs both with and without
a KSK.
if there are not non-revoked DNSKEY RRs both with
and without a KSK for the algorithm.
The default is <command>yes</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dnskey-ksk-only</command></term>
<listitem>
<para>
When regenerating the RRSIGs following a UPDATE
request to a secure zone and
<command>update-check-ksk</command> is true then
only generate signatures DNSKEY RRSIG using DNSKEY's
with the KSK bit set. This flag is ignored if there
are not non-revoked DNSKEY RRs both with and without
a KSK for the algorithm.