Commit 598b5026 authored by Mark Andrews's avatar Mark Andrews

4127. [protocol] CDS and CDNSKEY need to be signed by the key signing

                        key as per RFC 7344, Section 4.1. [RT #37215]
parent a32b6291
4127. [protocol] CDS and CDNSKEY need to be signed by the key signing
key as per RFC 7344, Section 4.1. [RT #37215]
4126. [bug] Addressed a regression introduced in change #4121. 4126. [bug] Addressed a regression introduced in change #4121.
[RT #39611] [RT #39611]
...@@ -242,7 +242,7 @@ logkey(dns_rdata_t *rdata) ...@@ -242,7 +242,7 @@ logkey(dns_rdata_t *rdata)
static void static void
emit(unsigned int dtype, isc_boolean_t showall, char *lookaside, emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
dns_rdata_t *rdata) isc_boolean_t cds, dns_rdata_t *rdata)
{ {
isc_result_t result; isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE]; unsigned char buf[DNS_DS_BUFFERSIZE];
...@@ -306,9 +306,12 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside, ...@@ -306,9 +306,12 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
isc_buffer_usedregion(&classb, &r); isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base); printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL) if (lookaside == NULL) {
printf(" DS "); if (cds)
else printf(" CDS ");
else
printf(" DS ");
} else
printf(" DLV "); printf(" DLV ");
isc_buffer_usedregion(&textb, &r); isc_buffer_usedregion(&textb, &r);
...@@ -336,6 +339,7 @@ usage(void) { ...@@ -336,6 +339,7 @@ usage(void) {
"(SHA-1, SHA-256, GOST or SHA-384)\n"); "(SHA-1, SHA-256, GOST or SHA-384)\n");
fprintf(stderr, " -1: use SHA-1\n"); fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n"); fprintf(stderr, " -2: use SHA-256\n");
fprintf(stderr, " -C: print CDS record\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n"); fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n"); fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n"); fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
...@@ -356,6 +360,7 @@ main(int argc, char **argv) { ...@@ -356,6 +360,7 @@ main(int argc, char **argv) {
char *endp; char *endp;
int ch; int ch;
unsigned int dtype = DNS_DSDIGEST_SHA1; unsigned int dtype = DNS_DSDIGEST_SHA1;
isc_boolean_t cds = ISC_FALSE;
isc_boolean_t both = ISC_TRUE; isc_boolean_t both = ISC_TRUE;
isc_boolean_t usekeyset = ISC_FALSE; isc_boolean_t usekeyset = ISC_FALSE;
isc_boolean_t showall = ISC_FALSE; isc_boolean_t showall = ISC_FALSE;
...@@ -381,8 +386,8 @@ main(int argc, char **argv) { ...@@ -381,8 +386,8 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE; isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv, #define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
"12Aa:c:d:Ff:K:l:sT:v:hV")) != -1) { while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) { switch (ch) {
case '1': case '1':
dtype = DNS_DSDIGEST_SHA1; dtype = DNS_DSDIGEST_SHA1;
...@@ -399,6 +404,12 @@ main(int argc, char **argv) { ...@@ -399,6 +404,12 @@ main(int argc, char **argv) {
algname = isc_commandline_argument; algname = isc_commandline_argument;
both = ISC_FALSE; both = ISC_FALSE;
break; break;
case 'C':
if (lookaside != NULL)
fatal("lookaside and CDS are mutually"
" exclusive");
cds = ISC_TRUE;
break;
case 'c': case 'c':
classname = isc_commandline_argument; classname = isc_commandline_argument;
break; break;
...@@ -415,6 +426,9 @@ main(int argc, char **argv) { ...@@ -415,6 +426,9 @@ main(int argc, char **argv) {
filename = isc_commandline_argument; filename = isc_commandline_argument;
break; break;
case 'l': case 'l':
if (cds)
fatal("lookaside and CDS are mutually"
" exclusive");
lookaside = isc_commandline_argument; lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U) if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string"); fatal("lookaside must be a non-empty string");
...@@ -533,11 +547,11 @@ main(int argc, char **argv) { ...@@ -533,11 +547,11 @@ main(int argc, char **argv) {
if (both) { if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside, emit(DNS_DSDIGEST_SHA1, showall, lookaside,
&rdata); cds, &rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside, emit(DNS_DSDIGEST_SHA256, showall, lookaside,
&rdata); cds, &rdata);
} else } else
emit(dtype, showall, lookaside, &rdata); emit(dtype, showall, lookaside, cds, &rdata);
} }
} else { } else {
unsigned char key_buf[DST_KEY_MAXSIZE]; unsigned char key_buf[DST_KEY_MAXSIZE];
...@@ -546,10 +560,12 @@ main(int argc, char **argv) { ...@@ -546,10 +560,12 @@ main(int argc, char **argv) {
DST_KEY_MAXSIZE, &rdata); DST_KEY_MAXSIZE, &rdata);
if (both) { if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata); emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata); &rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
&rdata);
} else } else
emit(dtype, showall, lookaside, &rdata); emit(dtype, showall, lookaside, cds, &rdata);
} }
if (dns_rdataset_isassociated(&rdataset)) if (dns_rdataset_isassociated(&rdataset))
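Review bot: The `#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"` introduced just before the `isc_commandline_parse` loop is a preprocessor definition placed inside main's body between statements; it reads as if it were local state, and the conventional placement is at file scope with the other definitions, where usage() could also refer to the same string. Independently, `emit()` gains the `cds` parameter without a word on what it means or how it interacts with `lookaside`; the body shows DLV is printed whenever lookaside is set, so `/* cds: print " CDS " instead of " DS "; has no effect when lookaside is set */` on the new parameter line would record that. Both emit() and main() begin and end outside the shown hunks.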
...@@ -41,6 +41,7 @@ ...@@ -41,6 +41,7 @@
<year>2011</year> <year>2011</year>
<year>2012</year> <year>2012</year>
<year>2014</year> <year>2014</year>
<year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder> <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright> </copyright>
</docinfo> </docinfo>
...@@ -52,6 +53,7 @@ ...@@ -52,6 +53,7 @@
<arg><option>-1</option></arg> <arg><option>-1</option></arg>
<arg><option>-2</option></arg> <arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg> <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-C</option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg> <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg> <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg> <arg choice="req">keyfile</arg>
...@@ -122,6 +124,16 @@ ...@@ -122,6 +124,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term> <term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem> <listitem>
...@@ -182,7 +194,8 @@ ...@@ -182,7 +194,8 @@
<option>domain</option> is appended to the name for each <option>domain</option> is appended to the name for each
record in the set. record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. in RFC 4431. This is mutually exclusive with generating
CDS records.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -688,7 +688,9 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, ...@@ -688,7 +688,9 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
(iszsk(key) && !keyset_kskonly)) (iszsk(key) && !keyset_kskonly))
signwithkey(name, set, key->key, ttl, add, signwithkey(name, set, key->key, ttl, add,
"signing with dnskey"); "signing with dnskey");
} else if (iszsk(key)) { } else if (set->type == dns_rdatatype_cds ||
set->type == dns_rdatatype_cdnskey ||
iszsk(key)) {
signwithkey(name, set, key->key, ttl, add, signwithkey(name, set, key->key, ttl, add,
"signing with dnskey"); "signing with dnskey");
} }
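Review bot: The widened `else if` condition carries the RFC 7344 Section 4.1 requirement from the commit message but nothing in the code says so, and the shape of the condition invites a later "simplification" back to `iszsk(key)`; a comment on the `} else if (set->type == dns_rdatatype_cds ||` line such as `/* RFC 7344 4.1: CDS and CDNSKEY must be signed by the KSK, so do not restrict them to ZSKs */` would pin the intent. Because `iszsk(key)` stays in the disjunction, these two types are presumably now signed by both the KSK and the ZSK when both reach this branch; that is permitted by the RFC, but it differs from the DNSKEY branch above, which honours `keyset_kskonly`, and the comment should state that the double signing is deliberate rather than incidental. The `if` that this `else if` follows, and the rest of signset(), lie outside the hunk.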
...@@ -3098,6 +3098,19 @@ update_action(isc_task_t *task, isc_event_t *event) { ...@@ -3098,6 +3098,19 @@ update_action(isc_task_t *task, isc_event_t *event) {
goto failure; goto failure;
} }
} }
if (! ISC_LIST_EMPTY(diff.tuples)) {
result = dns_zone_cdscheck(zone, db, ver);
if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
"update rejected: bad %s RRset",
result == DNS_R_BADCDS ? "CDS" : "CDNSKEY");
result = DNS_R_REFUSED;
goto failure;
}
if (result != ISC_R_SUCCESS)
goto failure;
}
/* /*
* If any changes were made, increment the SOA serial number, * If any changes were made, increment the SOA serial number,
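Review bot: The second failure path, `if (result != ISC_R_SUCCESS) goto failure;`, discards the result of `dns_zone_cdscheck` without any log line, whereas the BADCDS/BADCDNSKEY path two lines above explains the refusal through update_log; an operator diagnosing a rejected update will see nothing for the other codes. Adding `update_log(client, zone, LOGLEVEL_PROTOCOL, "CDS/CDNSKEY check failed: %s", isc_result_totext(result));` before that goto keeps the two paths symmetric. The check is run only when `diff.tuples` is non-empty, so it presumably validates the post-update state of the zone rather than the individual tuples; a one-line comment above the `if (! ISC_LIST_EMPTY(diff.tuples))` guard saying which RRsets dns_zone_cdscheck inspects would help, since its semantics are not visible here. update_action() continues outside the hunk.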
...@@ -16,72 +16,79 @@ ...@@ -16,72 +16,79 @@
# PERFORMANCE OF THIS SOFTWARE. # PERFORMANCE OF THIS SOFTWARE.
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
rm -f */trusted.conf */managed.conf */revoked.conf rm -f */example.bk
rm -f */named.memstats
rm -f */named.run
rm -f */named.secroots
rm -f */tmp* */*.jnl */*.bk */*.jbk rm -f */tmp* */*.jnl */*.bk */*.jbk
rm -f */trusted.conf */managed.conf */revoked.conf
rm -f Kexample.*
rm -f canonical?.*
rm -f delv.out*
rm -f delve.out*
rm -f dig.out.*
rm -f keygen.err
rm -f named.secroots.test*
rm -f nosign.before
rm -f ns*/*.nta
rm -f ns*/named.lock
rm -f ns1/managed.key.id
rm -f ns1/root.db ns2/example.db ns3/secure.example.db rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db rm -f ns2/algroll.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/split-dnssec.example.db
rm -f ns3/expiring.example.db ns3/nosign.example.db
rm -f ns2/private.secure.example.db
rm -f ns2/badparam.db ns2/badparam.db.bad rm -f ns2/badparam.db ns2/badparam.db.bad
rm -f ns2/single-nsec3.db rm -f ns2/cdnskey-update.secure.db
rm -f ns2/nsec3chain-test.db rm -f ns2/cdnskey.secure.db
rm -f ns2/in-addr.arpa.db rm -f ns2/cds-auto.secure.db ns2/cds-auto.secure.db.jnl
rm -f */example.bk rm -f ns2/cds-update.secure.db ns2/cds-update.secure.db.jnl
rm -f dig.out.* rm -f ns2/cds.secure.db
rm -f rndc.out.*
rm -f delv.out*
rm -f ns2/dlv.db rm -f ns2/dlv.db
rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db rm -f ns2/in-addr.arpa.db
rm -f ns3/optout-unknown.example.db ns3/optout.example.db rm -f ns2/nsec3chain-test.db
rm -f ns2/private.secure.example.db
rm -f ns2/single-nsec3.db
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
rm -f ns3/badds.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ns3/dnskey-unknown.example.db
rm -f ns3/dnskey-unknown.example.db.tmp
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
rm -f ns3/expired.example.db ns3/update-nsec3.example.db rm -f ns3/expired.example.db ns3/update-nsec3.example.db
rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk rm -f ns3/expiring.example.db ns3/nosign.example.db
rm -f */named.memstats rm -f ns3/future.example.db ns3/trusted-future.key
rm -f */named.run rm -f ns3/inline.example.db.signed
rm -f ns3/kskonly.example.db
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
rm -f ns3/nsec3.nsec3.example.db rm -f ns3/nsec3.nsec3.example.db
rm -f ns3/nsec3.optout.example.db rm -f ns3/nsec3.optout.example.db
rm -f ns3/optout-unknown.example.db ns3/optout.example.db
rm -f ns3/optout.nsec3.example.db rm -f ns3/optout.nsec3.example.db
rm -f ns3/optout.optout.example.db rm -f ns3/optout.optout.example.db
rm -f ns3/publish-inactive.example.db
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/secure.below-cname.example.db
rm -f ns3/secure.nsec3.example.db rm -f ns3/secure.nsec3.example.db
rm -f ns3/secure.optout.example.db rm -f ns3/secure.optout.example.db
rm -f */named.secroots rm -f ns3/siginterval.conf
rm -f ns1/managed.key.id rm -f ns3/siginterval.example.db
rm -f signer/*.db rm -f ns3/split-dnssec.example.db
rm -f signer/signer.out.* rm -f ns3/split-smart.example.db
rm -f ns2/algroll.db rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/kskonly.example.db rm -f ns3/ttlpatch.example.db.patched
rm -f ns4/named.conf ns5/named.conf rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns4/managed-keys.bind* rm -f ns4/managed-keys.bind*
rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db rm -f ns4/named.conf
rm -f ns3/secure.below-cname.example.db rm -f ns4/named.conf ns5/named.conf
rm -f ns3/publish-inactive.example.db rm -f ns4/named_dump.db
rm -f ns6/optout-tld.db
rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f nsupdate.out*
rm -f rndc.out.*
rm -f signer/*.db
rm -f signer/example.db.after signer/example.db.before rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed rm -f signer/example.db.changed
rm -f signer/nsec3param.out rm -f signer/nsec3param.out
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed rm -f signer/signer.out.*
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db
rm -f ns3/siginterval.example.db
rm -f ns3/inline.example.db.signed
rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
rm -f ns6/optout-tld.db
rm -f nosign.before
rm -f signing.out* rm -f signing.out*
rm -f canonical?.*
rm -f ns3/siginterval.conf
rm -f ns4/named_dump.db
rm -f ns3/badds.example.db
rm -f delve.out*
rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
rm -f Kexample.*
rm -f keygen.err
rm -f ns3/future.example.db ns3/trusted-future.key
rm -f ns3/dnskey-nsec3-unknown.example.db
rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
rm -f ns3/dnskey-unknown.example.db
rm -f ns3/dnskey-unknown.example.db.tmp
rm -f ns*/named.lock
rm -f ns*/*.nta
rm -f named.secroots.test*
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
...@@ -107,4 +107,40 @@ zone "in-addr.arpa" { ...@@ -107,4 +107,40 @@ zone "in-addr.arpa" {
file "in-addr.arpa.db.signed"; file "in-addr.arpa.db.signed";
}; };
zone "cds.secure" {
type master;
file "cds.secure.db.signed";
};
zone "cds-update.secure" {
type master;
file "cds-update.secure.db.signed";
allow-update { any; };
};
zone "cds-auto.secure" {
type master;
file "cds-auto.secure.db.signed";
auto-dnssec maintain;
allow-update { any; };
};
zone "cdnskey.secure" {
type master;
file "cdnskey.secure.db.signed";
};
zone "cdnskey-update.secure" {
type master;
file "cdnskey-update.secure.db.signed";
allow-update { any; };
};
zone "cdnskey-auto.secure" {
type master;
file "cdnskey-auto.secure.db.signed";
auto-dnssec maintain;
allow-update { any; };
};
include "trusted.conf"; include "trusted.conf";
...@@ -192,3 +192,53 @@ key1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone` ...@@ -192,3 +192,53 @@ key1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` key2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
cat $key1.key $key2.key >> $zonefile cat $key1.key $key2.key >> $zonefile
$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $key1 $zonefile $key2 > /dev/null $SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $key1 $zonefile $key2 > /dev/null
zone=cds.secure
infile=cds.secure.db.in
zonefile=cds.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
$DSFROMKEY -C $key1.key > $key1.cds
cat $infile $key1.key $key2.key $key1.cds >$zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cds-update.secure
infile=cds-update.secure.db.in
zonefile=cds-update.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cds-auto.secure
infile=cds-auto.secure.db.in
zonefile=cds-auto.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
$DSFROMKEY -C $key1.key > $key1.cds
cat $infile $key1.cds > $zonefile.signed
zone=cdnskey.secure
infile=cdnskey.secure.db.in
zonefile=cdnskey.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
cat $infile $key1.key $key2.key $key1.cds >$zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cdnskey-update.secure
infile=cdnskey-update.secure.db.in
zonefile=cdnskey-update.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
cat $infile $key1.key $key2.key > $zonefile
$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
zone=cdnskey-auto.secure
infile=cdnskey-auto.secure.db.in
zonefile=cdnskey-auto.secure.db
key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`