Commit 39d8cdb6 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Also treat offline keys when going insecure

When going insecure, BIND checks whether key state files exist, which
indicates that the zone is transitioning to insecure. Here too, offline
keys need to be considered.
parent df2ed25b
......@@ -5883,22 +5883,68 @@ dns_zone_getkasp(dns_zone_t *zone) {
 
static bool
statefile_exist(dns_zone_t *zone) {
isc_result_t ret;
dns_dnsseckeylist_t keys;
dns_dnsseckey_t *key = NULL;
isc_result_t result;
dns_dnsseckeylist_t keys, dnskeys;
dns_dnsseckey_t *key = NULL, *key_next = NULL;
isc_stdtime_t now;
isc_time_t timenow;
bool found = false;
const char *dir;
dns_name_t *origin;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
dns_dbversion_t *version = NULL;
dns_rdataset_t keyset;
 
TIME_NOW(&timenow);
now = isc_time_seconds(&timenow);
 
ISC_LIST_INIT(keys);
ISC_LIST_INIT(dnskeys);
 
ret = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
dns_zone_getkeydirectory(zone), now,
dns_zone_getmctx(zone), &keys);
if (ret == ISC_R_SUCCESS) {
/* Get DNSSEC keys */
dns_rdataset_init(&keyset);
dir = dns_zone_getkeydirectory(zone);
origin = dns_zone_getorigin(zone);
CHECK(dns_zone_getdb(zone, &db));
CHECK(dns_db_findnode(db, origin, false, &node));
dns_db_currentversion(db, &version);
/* Get public keys (dnskeys). */
result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
dns_rdatatype_none, 0, &keyset, NULL);
if (result == ISC_R_SUCCESS) {
CHECK(dns_dnssec_keylistfromrdataset(
origin, dir, dns_zone_getmctx(zone), &keyset, NULL,
NULL, false, false, &dnskeys));
}
failure:
/* Get keys from private key files. */
result = dns_dnssec_findmatchingkeys(origin, dir, now,
dns_zone_getmctx(zone), &keys);
/* Add new 'dnskeys' to 'keys'. */
for (dns_dnsseckey_t *k1 = ISC_LIST_HEAD(dnskeys); k1 != NULL;
k1 = key_next) {
dns_dnsseckey_t *k2 = NULL;
key_next = ISC_LIST_NEXT(k1, link);
for (k2 = ISC_LIST_HEAD(keys); k2 != NULL;
k2 = ISC_LIST_NEXT(k2, link)) {
if (dst_key_id(k1->key) == dst_key_id(k2->key) &&
dst_key_alg(k1->key) == dst_key_alg(k2->key))
{
break;
}
}
/* No match found, add the new key. */
if (k2 == NULL) {
ISC_LIST_UNLINK(dnskeys, k1, link);
ISC_LIST_APPEND(keys, k1, link);
}
}
if (result == ISC_R_SUCCESS) {
for (key = ISC_LIST_HEAD(keys); key != NULL;
key = ISC_LIST_NEXT(key, link)) {
if (dst_key_haskasp(key->key)) {
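Review bot: The DNSKEY-derived entries merged into `keys` are only scanned when `dns_dnssec_findmatchingkeys()` returned ISC_R_SUCCESS, because the loop that checks `dst_key_haskasp()` is still gated on `result` from that call; if that function reports "no private key files" as a non-success result (as I believe it does), a zone whose only remaining keys are offline never has its merged list examined and `found` stays false, which is the very case this commit is about. Gating on the list instead, `if (result == ISC_R_SUCCESS || !ISC_LIST_EMPTY(keys)) {`, would scan whatever was collected from either source. Separately, the `failure:` label now doubles as the normal continuation point: a CHECK failure from `dns_zone_getdb()`/`dns_db_findnode()` lands there with its error silently overwritten by the next `result =` assignment, so a comment at the label such as `/* Best effort: a CHECK failure above skips the DNSKEY lookup; key files are still consulted. */` would make that intent explicit. The body of `statefile_exist()` continues past this hunk, so the later use of `result` and `found` could not be checked here.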
......@@ -5908,7 +5954,25 @@ statefile_exist(dns_zone_t *zone) {
}
}
 
/* Clean up keys */
/* Clean up */
if (dns_rdataset_isassociated(&keyset)) {
dns_rdataset_disassociate(&keyset);
}
if (node != NULL) {
dns_db_detachnode(db, &node);
}
if (version != NULL) {
dns_db_closeversion(db, &version, false);
}
if (db != NULL) {
dns_db_detach(&db);
}
while (!ISC_LIST_EMPTY(dnskeys)) {
key = ISC_LIST_HEAD(dnskeys);
ISC_LIST_UNLINK(dnskeys, key, link);
dns_dnsseckey_destroy(dns_zone_getmctx(zone), &key);
}
while (!ISC_LIST_EMPTY(keys)) {
key = ISC_LIST_HEAD(keys);
ISC_LIST_UNLINK(keys, key, link);