Commit 529a6b52 authored by Brian Wellington's avatar Brian Wellington

358. [cleanup] Rename the intermediate files used by the dnssec

                        programs.
parent 862a026a
358. [cleanup] Rename the intermediate files used by the dnssec
programs.
357. [bug] The zone file parser crashed when seeing a quoted
$INCLUDE.
......
......@@ -13,7 +13,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-makekeyset.8,v 1.5 2000/07/27 09:42:33 tale Exp $
.\" $Id: dnssec-makekeyset.8,v 1.6 2000/07/31 15:28:19 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
......@@ -147,14 +147,14 @@ to print a short summary of its options and arguments.
If
.Nm dnssec-makekeyset
is successful, it creates a file name of the form
.Ar nnnn.keyset .
.Ar keyset-nnnn. .
This file contains the KEY and SIG records for domain
.Dv nnnn ,
the domain name part from the key file identifier produced when
.Nm dnssec-keygen
created the domain's public and private keys.
The
.Ar .keyset
.Ar keyset
file can then be transferred to the DNS administrator of the parent
zone for them to sign the contents with
.Xr dnssec-signkey 8 .
......@@ -174,7 +174,7 @@ the command line when running
.Pp
.Nm dnssec-makekeyset
will create a file called
.Pa example.com.keyset
.Pa keyset-example.com.
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 86400 seconds (1 day).
......@@ -184,7 +184,7 @@ The SIG record becomes valid at noon UTC on July 1st 2000 and expires
The DNS administrator for
.Dv example.com
could then send
.Pa example.com.keyset
.Pa keyset-example.com.
to the DNS administrator for
.Dv .com
so that they could sign the resource records in the file.
......
......@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-makekeyset.c,v 1.29 2000/07/30 20:53:49 bwelling Exp $ */
/* $Id: dnssec-makekeyset.c,v 1.30 2000/07/31 15:28:12 bwelling Exp $ */
#include <config.h>
......@@ -103,6 +103,8 @@ usage(void) {
fprintf(stderr, "\t\tSIG end time - "
"absolute|from start|from now (now + 30 days)\n");
fprintf(stderr, "\t-t ttl\n");
fprintf(stderr, "\t-p\n");
fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-r randomdev:\n");
fprintf(stderr, "\t\ta file containing random data\n");
fprintf(stderr, "\t-v level:\n");
......@@ -138,6 +140,8 @@ main(int argc, char *argv[]) {
isc_log_t *log = NULL;
keynode_t *keynode;
dns_name_t *savedname = NULL;
unsigned int eflags;
isc_boolean_t pseudorandom = ISC_FALSE;
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
......@@ -146,7 +150,7 @@ main(int argc, char *argv[]) {
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:h")) != -1)
while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:ph")) != -1)
{
switch (ch) {
case 's':
......@@ -184,6 +188,10 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric");
break;
case 'p':
pseudorandom = ISC_TRUE;
break;
case 'h':
default:
usage();
......@@ -200,8 +208,10 @@ main(int argc, char *argv[]) {
setup_entropy(mctx, randomfile, &ectx);
if (randomfile != NULL)
isc_mem_free(mctx, randomfile);
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
eflags = ISC_ENTROPY_BLOCKING;
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
result = dst_lib_init(mctx, ectx, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst");
......@@ -266,12 +276,12 @@ main(int argc, char *argv[]) {
}
if (output == NULL) {
output = isc_mem_allocate(mctx,
strlen(namestr) +
strlen("keyset") + 1);
strlen("keyset-") +
strlen(namestr) + 1);
if (output == NULL)
fatal("out of memory");
strcpy(output, namestr);
strcat(output, "keyset");
strcpy(output, "keyset-");
strcat(output, namestr);
}
if (domain == NULL) {
dns_fixedname_init(&fdomain);
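Review bot: The new `-p` switch (the `case 'p'` hunk and the `eflags` hunk) ships without a man-page entry: none of the dnssec-makekeyset.8 hunks in this commit add an option line for it, and it is unrelated to the rename the commit title describes, so it would be easier to review as its own change. Clearing ISC_ENTROPY_GOODONLY presumably lets dst_lib_init draw on entropy that is not from a good source, which is what the usage line calls "less secure"; the man page should state the same trade-off and scope the option to test setups. A one-line comment at the assignment would help later readers, e.g. `/* -p: allow non-good entropy (faster, test use only) */`. main() starts and ends outside these hunks.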
......
......@@ -13,7 +13,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signkey.8,v 1.6 2000/07/27 09:42:34 tale Exp $
.\" $Id: dnssec-signkey.8,v 1.7 2000/07/31 15:28:20 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
......@@ -34,7 +34,7 @@
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar .keyset
.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
......@@ -43,7 +43,7 @@ The child zone's key set gets signed with the zone keys for its parent
zone.
.Ar keyset
will be the pathname of the child zone's
.Ar .keyset
.Ar keyset
file.
Each
.Ar keyfile
......@@ -102,7 +102,7 @@ The default level is zero.
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar nnnn.signedkey
.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
......@@ -125,13 +125,13 @@ The DNS administrator for a DNSSEC-aware
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar .keyset
.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
......@@ -143,7 +143,7 @@ zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv example.com.signedkey
.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
......
......@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signkey.c,v 1.28 2000/06/22 21:49:03 tale Exp $ */
/* $Id: dnssec-signkey.c,v 1.29 2000/07/31 15:28:13 bwelling Exp $ */
#include <config.h>
......@@ -212,14 +212,14 @@ main(int argc, char *argv[]) {
setup_logging(verbose, mctx, &log);
if (strlen(argv[0]) < 8 ||
strcmp(argv[0] + strlen(argv[0]) - 7, ".keyset") != 0)
fatal("keyset file must end in .keyset");
if (strlen(argv[0]) < 8 || strncmp(argv[0], "keyset-", 7) != 0)
fatal("keyset file '%s' must start with keyset-", argv[0]);
dns_fixedname_init(&fdomain);
domain = dns_fixedname_name(&fdomain);
isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
isc_buffer_add(&b, strlen(argv[0]) - 7);
isc_buffer_init(&b, argv[0] + strlen("keyset-"),
strlen(argv[0]) - strlen("keyset-"));
isc_buffer_add(&b, strlen(argv[0]) - strlen("keyset-"));
result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
if (result != ISC_R_SUCCESS)
fatal("'%s' does not contain a valid domain name", argv[0]);
......@@ -230,11 +230,11 @@ main(int argc, char *argv[]) {
tdomain[r.length] = 0;
output = isc_mem_allocate(mctx,
strlen(tdomain) + strlen("signedkey") + 1);
strlen("signedkey-") + strlen(tdomain) + 1);
if (output == NULL)
fatal("out of memory");
strcpy(output, tdomain);
strcat(output, "signedkey");
strcpy(output, "signedkey-");
strcat(output, tdomain);
db = NULL;
result = dns_db_create(mctx, "rbt", domain, dns_dbtype_zone,
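Review bot: The new prefix test `strncmp(argv[0], "keyset-", 7)` rejects any argument that carries a directory component, yet the dnssec-signkey.8 hunk in this same commit still says the argument "will be the pathname of the child zone's keyset file"; the old suffix test accepted `dir/name.keyset`, so this is a behaviour change the commit does not mention. Either apply the check to the basename (the text after the last '/') or change the man page to say the file must be named `keyset-<name>` in the current directory, which is what the updated sign.sh tests arrange with a `cp` beforehand. The literals 8 and 7 on that line also duplicate the `strlen("keyset-")` used two lines below; `if (strlen(argv[0]) <= strlen("keyset-") || strncmp(argv[0], "keyset-", strlen("keyset-")) != 0)` keeps the two in step. main() starts and ends outside the hunk.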
......
......@@ -13,7 +13,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.8 2000/07/27 09:42:35 tale Exp $
.\" $Id: dnssec-signzone.8,v 1.9 2000/07/31 15:28:21 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
......@@ -40,7 +40,7 @@
.Nm dnssec-signzone
is used to sign a zone.
Any
.Ar .signedkey
.Ar signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
......@@ -57,7 +57,7 @@ Each
argument would be an identification string for a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
.Ar .signedkey
.Ar signedkey
files for those subzones need to be available in the
current working directory used by
.Nm dnssec-signzone .
......@@ -222,18 +222,14 @@ The zone file for this zone is
which is the same as the origin, so there is no need to use the
.Fl o
option to set the origin.
This zone file contains the keyset for
.Dv example.com
that was created by
.Xr dnssec-makekeyset 8 .
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
If there was a
.Ar .signedkey
.Ar signedkey
file from the parent zone - i.e.
.Dv example.com.signedkey
.Dv signedkey-example.com.
- it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
......@@ -258,5 +254,4 @@ so that it can be loaded by the name server.
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 .
......@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.81 2000/06/22 21:49:04 tale Exp $ */
/* $Id: dnssec-signzone.c,v 1.82 2000/07/31 15:28:14 bwelling Exp $ */
#include <config.h>
......@@ -512,18 +512,19 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
{
unsigned char filename[256];
isc_buffer_t b;
isc_region_t r;
dns_db_t *newdb = NULL;
dns_dbnode_t *newnode = NULL;
dns_rdataset_t newset, sigset;
dns_rdata_t rdata, newrdata;
isc_result_t result;
isc_buffer_init(&b, filename, sizeof(filename) - 10);
isc_buffer_init(&b, filename, sizeof(filename));
isc_buffer_putstr(&b, "signedkey-");
result = dns_name_totext(name, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
isc_buffer_usedregion(&b, &r);
strcpy((char *)r.base + r.length, "signedkey");
if (isc_buffer_availablelength(&b) == 0)
fatal("name '%s' is too long", nametostr(name));
isc_buffer_putmem(&b, "", 1);
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
dns_db_class(db), 0, NULL, &newdb);
check_result(result, "dns_db_create()");
......@@ -588,7 +589,6 @@ static isc_boolean_t
haschildkey(dns_db_t *db, dns_name_t *name) {
unsigned char filename[256];
isc_buffer_t b;
isc_region_t r;
dns_db_t *newdb = NULL;
dns_dbnode_t *newnode = NULL;
dns_rdataset_t set, sigset;
......@@ -601,11 +601,13 @@ haschildkey(dns_db_t *db, dns_name_t *name) {
dns_rdataset_init(&set);
dns_rdataset_init(&sigset);
isc_buffer_init(&b, filename, sizeof(filename) - 10);
isc_buffer_init(&b, filename, sizeof(filename));
isc_buffer_putstr(&b, "signedkey-");
result = dns_name_totext(name, ISC_FALSE, &b);
check_result(result, "dns_name_totext()");
isc_buffer_usedregion(&b, &r);
strcpy((char *)r.base + r.length, "signedkey");
if (isc_buffer_availablelength(&b) == 0)
fatal("name '%s' is too long", nametostr(name));
isc_buffer_putmem(&b, "", 1);
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
dns_db_class(db), 0, NULL, &newdb);
check_result(result, "dns_db_create()");
......@@ -839,6 +841,10 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
signset(db, version, node, name, &keyset);
alreadyhavenullkey:
dns_rdataset_disassociate(&keyset);
} else if (isdelegation) {
vbprintf(2, "child key for %s found\n",
nametostr(name));
}
#endif
}
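Review bot: The filename construction is now duplicated verbatim in importparentsig() and haschildkey() (the same `isc_buffer_init` / `isc_buffer_putstr("signedkey-")` / `dns_name_totext` / available-length check / `isc_buffer_putmem` sequence in both hunks); a small static helper would keep the two from drifting apart the next time the naming scheme changes. Note also that a name that does not fit the buffer fails inside dns_name_totext() first, so check_result() reports a generic "dns_name_totext()" failure and the new `name '%s' is too long` message only fires when the text fits with no room left for the terminator; the helper could inspect that result itself. Both functions start before and end after the hunks shown, so if `b` is still used later in either body its declaration has to stay.
```c
/* Write "signedkey-<name>" plus a terminating NUL into buf, or fatal(). */
static void
signedkey_filename(dns_name_t *name, unsigned char *buf, unsigned int size) {
	isc_buffer_t b;
	isc_result_t result;

	isc_buffer_init(&b, buf, size);
	isc_buffer_putstr(&b, "signedkey-");
	result = dns_name_totext(name, ISC_FALSE, &b);
	if (result == ISC_R_NOSPACE || isc_buffer_availablelength(&b) == 0)
		fatal("name '%s' is too long", nametostr(name));
	check_result(result, "dns_name_totext()");
	isc_buffer_putmem(&b, "", 1);
}

/* … unchanged: importparentsig() prologue … */
	signedkey_filename(name, filename, sizeof(filename));
/* … unchanged: dns_db_create() and the rest of importparentsig() … */

/* … unchanged: haschildkey() prologue … */
	signedkey_filename(name, filename, sizeof(filename));
/* … unchanged: dns_db_create() and the rest of haschildkey() … */
```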
......
......@@ -15,9 +15,9 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.6 2000/07/27 09:39:19 tale Exp $
# $Id: clean.sh,v 1.7 2000/07/31 15:28:15 bwelling Exp $
rm -f */K* */.keyset */*.keyset */*.signedkey */*.signed */trusted.conf
rm -f */K* */keyset-* */signedkey-* */*.signed */trusted.conf
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db
rm -f dig.out.*
......
......@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.8 2000/07/27 09:39:24 tale Exp $
# $Id: sign.sh,v 1.9 2000/07/31 15:28:16 bwelling Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -30,11 +30,11 @@ keyname=`$KEYGEN -a RSA -b 768 -n zone -r $RANDFILE $zone`
(cd ../ns2 && sh sign.sh )
cp ../ns2/example.keyset .
cp ../ns2/keyset-example. .
$KEYSIGNER -r $RANDFILE example.keyset $keyname
$KEYSIGNER -r $RANDFILE keyset-example. $keyname
cat example.signedkey >> ../ns2/example.db.signed
cat signedkey-example. >> ../ns2/example.db.signed
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname
......
......@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.11 2000/07/27 09:39:31 tale Exp $
# $Id: sign.sh,v 1.12 2000/07/31 15:28:18 bwelling Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -33,21 +33,21 @@ keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`
( cd ../ns3 && sh sign.sh )
cp ../ns3/secure.example.keyset .
cp ../ns3/keyset-secure.example. .
$KEYSIGNER -r $RANDFILE secure.example.keyset $keyname
$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname
# This will leave two copies of the child's zone key in the signed db file;
# that shouldn't cause any problems.
cat secure.example.signedkey >>../ns3/secure.example.db.signed
cat signedkey-secure.example. >>../ns3/secure.example.db.signed
cp ../ns3/bogus.example.keyset .
cp ../ns3/keyset-bogus.example. .
$KEYSIGNER -r $RANDFILE bogus.example.keyset $keyname
$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname
# This will leave two copies of the child's zone key in the signed db file;
# that shouldn't cause any problems.
cat bogus.example.signedkey >>../ns3/bogus.example.db.signed
cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed
$KEYSETTOOL -r $RANDFILE -t 3600 $keyname
......
......@@ -13,7 +13,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-makekeyset.8,v 1.5 2000/07/27 09:42:33 tale Exp $
.\" $Id: dnssec-makekeyset.8,v 1.6 2000/07/31 15:28:19 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
......@@ -147,14 +147,14 @@ to print a short summary of its options and arguments.
If
.Nm dnssec-makekeyset
is successful, it creates a file name of the form
.Ar nnnn.keyset .
.Ar keyset-nnnn. .
This file contains the KEY and SIG records for domain
.Dv nnnn ,
the domain name part from the key file identifier produced when
.Nm dnssec-keygen
created the domain's public and private keys.
The
.Ar .keyset
.Ar keyset
file can then be transferred to the DNS administrator of the parent
zone for them to sign the contents with
.Xr dnssec-signkey 8 .
......@@ -174,7 +174,7 @@ the command line when running
.Pp
.Nm dnssec-makekeyset
will create a file called
.Pa example.com.keyset
.Pa keyset-example.com.
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 86400 seconds (1 day).
......@@ -184,7 +184,7 @@ The SIG record becomes valid at noon UTC on July 1st 2000 and expires
The DNS administrator for
.Dv example.com
could then send
.Pa example.com.keyset
.Pa keyset-example.com.
to the DNS administrator for
.Dv .com
so that they could sign the resource records in the file.
......
......@@ -13,7 +13,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signkey.8,v 1.6 2000/07/27 09:42:34 tale Exp $
.\" $Id: dnssec-signkey.8,v 1.7 2000/07/31 15:28:20 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
......@@ -34,7 +34,7 @@
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar .keyset
.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
......@@ -43,7 +43,7 @@ The child zone's key set gets signed with the zone keys for its parent
zone.
.Ar keyset
will be the pathname of the child zone's
.Ar .keyset
.Ar keyset
file.
Each
.Ar keyfile
......@@ -102,7 +102,7 @@ The default level is zero.
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar nnnn.signedkey
.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
......@@ -125,13 +125,13 @@ The DNS administrator for a DNSSEC-aware
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar .keyset
.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
......@@ -143,7 +143,7 @@ zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv example.com.signedkey
.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
......
......@@ -13,7 +13,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.8 2000/07/27 09:42:35 tale Exp $
.\" $Id: dnssec-signzone.8,v 1.9 2000/07/31 15:28:21 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
......@@ -40,7 +40,7 @@
.Nm dnssec-signzone
is used to sign a zone.
Any
.Ar .signedkey
.Ar signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
......@@ -57,7 +57,7 @@ Each
argument would be an identification string for a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
.Ar .signedkey
.Ar signedkey
files for those subzones need to be available in the
current working directory used by
.Nm dnssec-signzone .
......@@ -222,18 +222,14 @@ The zone file for this zone is
which is the same as the origin, so there is no need to use the
.Fl o
option to set the origin.
This zone file contains the keyset for
.Dv example.com
that was created by
.Xr dnssec-makekeyset 8 .
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
If there was a
.Ar .signedkey
.Ar signedkey
file from the parent zone - i.e.
.Dv example.com.signedkey
.Dv signedkey-example.com.
- it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
......@@ -258,5 +254,4 @@ so that it can be loaded by the name server.
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 .