Commit 50105afc authored by Mark Andrews's avatar Mark Andrews

1589. [func] DNSSEC lookaside validation.

Rename the named.conf option enable-dnssec to dnssec-enable.
parent fa7ee558
1589. [func] DNSSEC lookaside validation.
1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
1587. [bug] dns_message_settsigkey() failed to clear existing key.
......@@ -17,7 +19,7 @@
than 32 elements. [RT #10381]
1581. [func] Disable DNSSEC support by default. To enable
DNSSEC specify "enable-dnssec yes;" in named.conf.
DNSSEC specify "dnssec-enable yes;" in named.conf.
1580. [bug] Zone destuction on final detach takes a long time.
[RT #3746]
......
......@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.65 2004/03/05 05:48:18 marka Exp $ */
/* $Id: dnssec-keygen.c,v 1.66 2004/03/10 02:19:51 marka Exp $ */
#include <config.h>
......@@ -85,6 +85,7 @@ usage(void) {
"records with (default: 0)\n");
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
fprintf(stderr, " -v <verbose level>\n");
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
......@@ -113,6 +114,7 @@ main(int argc, char **argv) {
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
if (argc == 1)
usage();
......@@ -122,7 +124,7 @@ main(int argc, char **argv) {
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv,
"a:b:c:ef:g:n:t:p:s:r:v:h")) != -1)
"a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
......@@ -152,6 +154,9 @@ main(int argc, char **argv) {
if (*endp != '\0' || generator <= 0)
fatal("-g requires a positive number");
break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'n':
nametype = isc_commandline_argument;
break;
......@@ -374,7 +379,7 @@ main(int argc, char **argv) {
fatal("cannot generate a null key when a key with id 0 "
"already exists");
ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, NULL);
ret = dst_key_tofile(key, options, NULL);
if (ret != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
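Review bot: The new `options` variable in main() is declared without a comment, so a reader has to find the `case 'k':` branch and the `dst_key_tofile()` call to learn what it controls; a one-line comment at the declaration would help, e.g. `/* file-type flags for dst_key_tofile(); -k adds DST_TYPE_KEY (TYPE=KEY key, per the usage text) */`. The usage line `" -k : generate a TYPE=KEY key\n"` is the only place the meaning is stated, so keep the two consistent if either changes. main() starts and ends outside the hunks shown.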
......
......@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.176 2004/03/05 05:48:19 marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.177 2004/03/10 02:19:51 marka Exp $ */
#include <config.h>
......@@ -120,6 +120,9 @@ static isc_boolean_t nokeys = ISC_FALSE;
static isc_boolean_t removefile = ISC_FALSE;
static isc_boolean_t generateds = ISC_FALSE;
static isc_boolean_t ignoreksk = ISC_FALSE;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
#define INCSTAT(counter) \
if (printstats) { \
......@@ -868,11 +871,18 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
if (rdataset.type != dns_rdatatype_nsec &&
rdataset.type != dns_rdatatype_ds)
goto skip;
#if 0
/*
* The current draft allows DS not at a zone cut.
* This is a bad idea. Update once the RFC is published.
* XXXMPA.
*/
} else if (rdataset.type == dns_rdatatype_ds) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
fatal("'%s': found DS RRset without NS RRset\n",
namebuf);
#endif
}
signset(&diff, node, name, &rdataset);
......@@ -1407,40 +1417,45 @@ warnifallksk(dns_db_t *db) {
}
static void
writekeyset(void) {
writeset(const char *prefix, dns_rdatatype_t type) {
char *filename;
char namestr[DNS_NAME_FORMATSIZE];
isc_buffer_t namebuf;
unsigned int filenamelen;
char *keyfile;
signer_key_t *key;
unsigned char keybuf[DST_KEY_MAXSIZE];
dns_diff_t diff;
dns_difftuple_t *tuple = NULL;
dns_db_t *db = NULL;
dns_dbversion_t *version = NULL;
dns_rdata_t rdata;
dns_diff_t diff;
dns_difftuple_t *tuple = NULL;
dns_fixedname_t fixed;
dns_name_t *name;
dns_rdata_t rdata, ds;
isc_boolean_t have_ksk = ISC_FALSE;
isc_boolean_t have_non_ksk = ISC_FALSE;
isc_buffer_t b;
isc_buffer_t namebuf;
isc_region_t r;
isc_result_t result;
isc_boolean_t have_non_ksk = ISC_FALSE;
isc_boolean_t have_ksk = ISC_FALSE;
signer_key_t *key;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
unsigned char keybuf[DST_KEY_MAXSIZE];
unsigned int filenamelen;
const dns_master_style_t *style =
(type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
isc_buffer_init(&namebuf, namestr, sizeof(namestr));
result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
check_result(result, "dns_name_tofilenametext");
isc_buffer_putuint8(&namebuf, 0);
filenamelen = strlen("keyset-") + strlen(namestr);
filenamelen = strlen(prefix) + strlen(namestr);
if (directory != NULL)
filenamelen += strlen(directory) + 1;
keyfile = isc_mem_get(mctx, filenamelen + 1);
if (keyfile == NULL)
filename = isc_mem_get(mctx, filenamelen + 1);
if (filename == NULL)
fatal("out of memory");
if (directory != NULL)
sprintf(keyfile, "%s/", directory);
sprintf(filename, "%s/", directory);
else
keyfile[0] = 0;
strcat(keyfile, "keyset-");
strcat(keyfile, namestr);
filename[0] = 0;
strcat(filename, prefix);
strcat(filename, namestr);
dns_diff_init(mctx, &diff);
......@@ -1460,6 +1475,20 @@ writekeyset(void) {
break;
}
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
unsigned int labels;
dns_name_init(&tname, NULL);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
labels = dns_name_countlabels(gorigin);
dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
result = dns_name_concatenate(&tname, dlv, name, NULL);
check_result(result, "dns_name_concatenate");
} else
name = gorigin;
for (key = ISC_LIST_HEAD(keylist);
key != NULL;
key = ISC_LIST_NEXT(key, link))
......@@ -1467,13 +1496,25 @@ writekeyset(void) {
if (have_ksk && have_non_ksk && !key->isksk)
continue;
dns_rdata_init(&rdata);
dns_rdata_init(&ds);
isc_buffer_init(&b, keybuf, sizeof(keybuf));
result = dst_key_todns(key->key, &b);
check_result(result, "dst_key_todns");
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, gorigin,
zonettl, &rdata, &tuple);
if (type != dns_rdatatype_dnskey) {
result = dns_ds_buildrdata(gorigin, &rdata,
DNS_DSDIGEST_SHA1,
dsbuf, &ds);
check_result(result, "dns_ds_buildrdata");
if (type == dns_rdatatype_dlv)
ds.type = dns_rdatatype_dlv;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
name, 0, &ds, &tuple);
} else
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
gorigin, zonettl,
&rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
......@@ -1489,10 +1530,10 @@ writekeyset(void) {
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
result = dns_master_dump(mctx, db, version, masterstyle, keyfile);
result = dns_master_dump(mctx, db, version, style, filename);
check_result(result, "dns_master_dump");
isc_mem_put(mctx, keyfile, filenamelen + 1);
isc_mem_put(mctx, filename, filenamelen + 1);
dns_db_closeversion(db, &version, ISC_FALSE);
dns_db_detach(&db);
......@@ -1550,6 +1591,7 @@ usage(void) {
fprintf(stderr, "print statistics\n");
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
fprintf(stderr, "\n");
......@@ -1609,6 +1651,9 @@ main(int argc, char *argv[]) {
dns_rdataclass_t rdclass;
dns_db_t *udb = NULL;
isc_task_t **tasks = NULL;
isc_buffer_t b;
int len;
masterstyle = &dns_master_style_explicitttl;
check_result(isc_app_start(), "isc_app_start");
......@@ -1620,7 +1665,7 @@ main(int argc, char *argv[]) {
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv,
"ac:d:e:f:ghi:k:n:o:pr:s:Stv:z"))
"ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
!= -1) {
switch (ch) {
case 'a':
......@@ -1660,6 +1705,19 @@ main(int argc, char *argv[]) {
"positive");
break;
case 'l':
dns_fixedname_init(&dlv_fixed);
len = strlen(isc_commandline_argument);
isc_buffer_init(&b, isc_commandline_argument, len);
isc_buffer_add(&b, len);
dns_fixedname_init(&dlv_fixed);
dlv = dns_fixedname_name(&dlv_fixed);
result = dns_name_fromtext(dlv, &b, dns_rootname,
ISC_FALSE, NULL);
check_result(result, "dns_name_fromtext(dlv)");
break;
case 'k':
if (ndskeys == MAXDSKEYS)
fatal("too many key-signing keys specified");
......@@ -1767,6 +1825,11 @@ main(int argc, char *argv[]) {
sprintf(output, "%s.signed", file);
}
result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL,
0, 24, 0, 0, 0, 8, mctx);
check_result(result, "dns_master_stylecreate");
gdb = NULL;
TIME_NOW(&timer_start);
loadzone(file, origin, rdclass, &gdb);
......@@ -1868,8 +1931,13 @@ main(int argc, char *argv[]) {
nsecify();
if (!nokeys)
writekeyset();
if (!nokeys) {
writeset("keyset-", dns_rdatatype_dnskey);
writeset("dsset-", dns_rdatatype_ds);
if (dlv != NULL) {
writeset("dlvset-", dns_rdatatype_dlv);
}
}
tempfilelen = strlen(output) + 20;
tempfile = isc_mem_get(mctx, tempfilelen);
......@@ -1965,6 +2033,8 @@ main(int argc, char *argv[]) {
if (free_output)
isc_mem_free(mctx, output);
dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log);
dst_lib_destroy();
cleanup_entropy(&ectx);
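Review bot: In the new `case 'l':` of main(), `dns_fixedname_init(&dlv_fixed);` is called twice, once before `len` is computed and again just before `dns_fixedname_name(&dlv_fixed)`; the first call is redundant and should be dropped. In writeset(), `ds.type = dns_rdatatype_dlv;` relabels a freshly built DS rdata as DLV with no explanation, and a comment such as `/* DLV shares the DS wire format; only the type differs */` would make the intent clear to the next reader. writeset() also fixes the DS digest to `DNS_DSDIGEST_SHA1`; if further digest types are ever supported that constant should become a parameter of writeset() rather than being hard-coded at the call. writeset()'s body runs past the hunks shown and main() starts and ends outside them.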
......
......@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.9 2004/03/05 04:57:41 marka Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.10 2004/03/10 02:19:51 marka Exp $ -->
<refentry>
<refentryinfo>
......@@ -45,6 +45,7 @@
<arg><option>-g</option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
......@@ -105,6 +106,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.45 2004/03/05 04:57:46 marka Exp $ */
/* $Id: config.c,v 1.46 2004/03/10 02:19:52 marka Exp $ */
#include <config.h>
......@@ -123,7 +123,7 @@ options {\n\
check-names master fail;\n\
check-names slave warn;\n\
check-names response ignore;\n\
enable-dnssec no; /* Make yes for 9.4. */ \n\
dnssec-enable no; /* Make yes for 9.4. */ \n\
\n\
/* zone */\n\
allow-query {any;};\n\
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.256 2004/03/05 04:57:48 marka Exp $ */
/* $Id: query.c,v 1.257 2004/03/10 02:19:52 marka Exp $ */
#include <config.h>
......@@ -1547,7 +1547,7 @@ query_addns(ns_client_t *client, dns_db_t *db) {
static inline isc_result_t
query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
dns_ttl_t ttl, dns_name_t **anamep, dns_rdatatype_t type)
dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
{
dns_rdataset_t *rdataset;
dns_rdatalist_t *rdatalist;
......@@ -1583,7 +1583,7 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
rdatalist->type = type;
rdatalist->covers = 0;
rdatalist->rdclass = client->message->rdclass;
rdatalist->ttl = ttl;
rdatalist->ttl = 0;
dns_name_toregion(tname, &r);
rdata->data = r.base;
......@@ -1595,6 +1595,7 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
== ISC_R_SUCCESS);
rdataset->trust = trust;
query_addrrset(client, anamep, &rdataset, NULL, NULL,
DNS_SECTION_ANSWER);
......@@ -3076,7 +3077,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
dns_name_init(tname, NULL);
(void)query_addcnamelike(client, client->query.qname, fname,
0, &tname, dns_rdatatype_cname);
trdataset->trust, &tname,
dns_rdatatype_cname);
if (tname != NULL)
dns_message_puttempname(client->message, &tname);
/*
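Review bot: The synthesized CNAME now carries a caller-supplied trust level while its TTL is pinned with `rdatalist->ttl = 0;`, and neither choice is explained inside query_addcnamelike; a comment before that assignment would help, e.g. `/* synthesized record: TTL 0, trust taken from the rdataset it was derived from — confirm against the DNAME caller */`. The only visible call site passes `trdataset->trust` from query_find, so a reader of query_addcnamelike alone cannot see where the trust originates, which matters because trust controls whether the answer is treated as validated. query_find starts and ends outside the hunk.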
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.416 2004/03/05 04:57:48 marka Exp $ */
/* $Id: server.c,v 1.417 2004/03/10 02:19:52 marka Exp $ */
#include <config.h>
......@@ -1118,10 +1118,24 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
view->provideixfr = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "enable-dnssec", &obj);
result = ns_config_get(maps, "dnssec-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "dnssec-lookaside", &obj);
if (result == ISC_R_SUCCESS) {
const char *dlv;
isc_buffer_t b;
dlv = cfg_obj_asstring(obj);
isc_buffer_init(&b, dlv, strlen(dlv));
isc_buffer_add(&b, strlen(dlv));
CHECK(dns_name_fromtext(dns_fixedname_name(&view->dlv_fixed),
&b, dns_rootname, ISC_TRUE, NULL));
view->dlv = dns_fixedname_name(&view->dlv_fixed);
} else
view->dlv = NULL;
/*
* For now, there is only one kind of trusted keys, the
* "security roots".
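Review bot: In the new `dnssec-lookaside` branch of configure_view, `strlen(dlv)` is evaluated twice to set up the buffer; caching it once (`unsigned int dlvlen = strlen(dlv);` then using `dlvlen` in both `isc_buffer_init` and `isc_buffer_add`) is clearer and keeps the two lengths from ever diverging. `dlv` is declared `const char *` but handed to `isc_buffer_init()`, so if that prototype takes a non-const base this discards the qualifier; confirm against the prototype and use the codebase's const-dropping idiom if the compiler warns. configure_view starts and ends outside the hunk.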
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.19 2004/03/05 05:00:12 marka Exp $ */
/* $Id: named.conf,v 1.20 2004/03/10 02:19:53 marka Exp $ */
// NS1
......@@ -31,7 +31,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
enable-dnssec yes;
dnssec-enable yes;
};
zone "." {
......
......@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db.in,v 1.7 2004/03/05 05:00:12 marka Exp $
; $Id: root.db.in,v 1.8 2004/03/10 02:19:53 marka Exp $
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
......@@ -28,3 +28,5 @@ a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
ns2.example. A 10.53.0.2
dlv. NS ns2.dlv.
ns2.dlv. A 10.53.0.2
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.18 2004/03/05 05:00:12 marka Exp $
# $Id: sign.sh,v 1.19 2004/03/10 02:19:53 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -29,6 +29,7 @@ zonefile=root.db
(cd ../ns2 && sh sign.sh )
cp ../ns2/keyset-example. .
cp ../ns2/keyset-dlv. .
keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.22 2004/03/05 05:00:16 marka Exp $ */
/* $Id: named.conf,v 1.23 2004/03/10 02:19:53 marka Exp $ */
// NS2
......@@ -31,7 +31,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
enable-dnssec yes;
dnssec-enable yes;
};
zone "." {
......@@ -39,6 +39,11 @@ zone "." {
file "../../common/root.hint";
};
zone "dlv" {
type master;
file "dlv.db.signed";
};
zone "example" {
type master;
file "example.db.signed";
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.23 2004/03/05 05:00:16 marka Exp $
# $Id: sign.sh,v 1.24 2004/03/10 02:19:53 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -52,4 +52,17 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $privzone`
cat $privinfile $privkeyname.key >$privzonefile
$SIGNER -g -r $RANDFILE -o $privzone $privzonefile > /dev/null
$SIGNER -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
# Sign the DLV secure zone.
dlvzone=dlv.
dlvinfile=dlv.db.in
dlvzonefile=dlv.db
dlvkeyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $dlvzone`
cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
$SIGNER -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.24 2004/03/05 05:00:20 marka Exp $ */
/* $Id: named.conf,v 1.25 2004/03/10 02:19:54 marka Exp $ */
// NS3
......@@ -31,7 +31,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
enable-dnssec yes;
dnssec-enable yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.21 2004/03/05 05:00:24 marka Exp $ */
/* $Id: named.conf,v 1.22 2004/03/10 02:19:54 marka Exp $ */
// NS4
......@@ -30,7 +30,7 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
enable-dnssec yes;
dnssec-enable yes;
};
zone "." {
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.19 2004/03/05 05:00:31 marka Exp $ */
/* $Id: named.conf,v 1.20 2004/03/10 02:19:54 marka Exp $ */
// NS5
......@@ -30,7 +30,7 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
enable-dnssec yes;
dnssec-enable yes;
};
zone "." {
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.5 2004/03/05 05:00:35 marka Exp $ */
/* $Id: named.conf,v 1.6 2004/03/10 02:19:54 marka Exp $ */
// NS6
......@@ -31,7 +31,8 @@ options {
recursion yes;
notify yes;
disable-algorithms . { DSA; };