3060. [func] New option "dnssec-signzone -X <date>" allows

specification of a separate expiration date for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
61271cde · Evan Hunt · 122e8dba · 61271cde · 61271cde · 61271cde
Commit 61271cde authored Mar 04, 2011 by Evan Hunt
4 changed files
--- a/CHANGES
+++ b/CHANGES
+3060.	[func]		New option "dnssec-signzone -X <date>" allows
+			specification of a separate expiration date
+			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
+
 3059.	[test]		Added a regression test for change #3023.

 3058.	[bug]		Cause named to terminate at startup or rndc reconfig/

--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signzone.c,v 1.264 2011/03/01 23:48:05 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.265 2011/03/04 22:20:20 each Exp $ */

 /*! \file */

@@ -124,7 +124,7 @@ struct signer_event {
 static dns_dnsseckeylist_t keylist;
 static unsigned int keycount = 0;
 isc_rwlock_t keylist_lock;
-static isc_stdtime_t starttime = 0, endtime = 0, now;
+static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
 static int cycle = -1;
 static int jitter = 0;
 static isc_boolean_t tryverify = ISC_FALSE;
@@ -206,7 +206,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
 	    dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
 {
 	isc_result_t result;
-	isc_stdtime_t jendtime;
+	isc_stdtime_t jendtime, expiry;
 	char keystr[DST_KEY_FORMATSIZE];
 	dns_rdata_t trdata = DNS_RDATA_INIT;
 	unsigned char array[BUFSIZE];
@@ -216,7 +216,12 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
 	dst_key_format(key, keystr, sizeof(keystr));
 	vbprintf(1, "\t%s %s\n", logmsg, keystr);

-	jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
+	if (rdataset->type == dns_rdatatype_dnskey)
+		expiry = dnskey_endtime;
+	else
+		expiry = endtime;
+
+	jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
 	isc_buffer_init(&b, array, sizeof(array));
 	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
 				 mctx, &b, &trdata);
@@ -416,10 +421,16 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 	char namestr[DNS_NAME_FORMATSIZE];
 	char typestr[TYPE_FORMATSIZE];
 	char sigstr[SIG_FORMATSIZE];
+	isc_stdtime_t expiry;

 	dns_name_format(name, namestr, sizeof(namestr));
 	type_format(set->type, typestr, sizeof(typestr));

+	if (set->type == dns_rdatatype_dnskey)
+		expiry = dnskey_endtime;
+	else
+		expiry = endtime;
+
 	ttl = ISC_MIN(set->ttl, endtime - starttime);

 	dns_rdataset_init(&sigset);
@@ -3259,10 +3270,16 @@ usage(void) {
 	fprintf(stderr, "update DS records based on child zones' "
 			"dsset-* files\n");
 	fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
-	fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
+	fprintf(stderr, "\t\tRRSIG start time "
+                                "- absolute|offset (now - 1 hour)\n");
 	fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
-	fprintf(stderr, "\t\tRRSIG end time  - absolute|from start|from now "
+	fprintf(stderr, "\t\tRRSIG end time "
+                                "- absolute|from start|from now "
 				"(now + 30 days)\n");
+	fprintf(stderr, "\t-X [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t\tDNSKEY RRSIG end "
+                                "- absolute|from start|from now "
+				"(matches -e)\n");
 	fprintf(stderr, "\t-i interval:\n");
 	fprintf(stderr, "\t\tcycle interval - resign "
 				"if < interval from end ( (end-start)/4 )\n");
@@ -3355,6 +3372,7 @@ int
 main(int argc, char *argv[]) {
 	int i, ch;
 	char *startstr = NULL, *endstr = NULL, *classname = NULL;
+	char *dnskey_endstr = NULL;
 	char *origin = NULL, *file = NULL, *output = NULL;
 	char *inputformatstr = NULL, *outputformatstr = NULL;
 	char *serialformatstr = NULL;
@@ -3386,7 +3404,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_iter = ISC_FALSE;

 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:xz"
+	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:X:xz"

 	/*
 	 * Process memory debugging argument first.
@@ -3609,6 +3627,10 @@ main(int argc, char *argv[]) {
 				fatal("verbose level must be numeric");
 			break;

+		case 'X':
+			dnskey_endstr = isc_commandline_argument;
+			break;
+
 		case 'x':
 			keyset_kskonly = ISC_TRUE;
 			break;
@@ -3656,11 +3678,19 @@ main(int argc, char *argv[]) {
 	} else
 		starttime = now - 3600;  /* Allow for some clock skew. */

-	if (endstr != NULL) {
+	if (endstr != NULL)
 		endtime = strtotime(endstr, now, starttime);
-	} else
+	else
 		endtime = starttime + (30 * 24 * 60 * 60);

+	if (dnskey_endstr != NULL) {
+		dnskey_endtime = strtotime(dnskey_endstr, now, starttime);
+                if (endstr != NULL && dnskey_endtime == endtime)
+                        fprintf(stderr, "WARNING: -e and -X were both set, "
+                                        "but have identical values.\n");
+	} else 
+		dnskey_endtime = endtime;
+
 	if (cycle == -1)
 		cycle = (endtime - starttime) / 4;


--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.45 2011/03/04 22:20:20 each Exp $ -->
 <refentry id="man.dnssec-signzone">
  <refentryinfo>
    <date>June 05, 2009</date>
@@ -83,6 +83,7 @@
      <arg><option>-t</option></arg>
      <arg><option>-u</option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-z</option></arg>
      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
@@ -237,6 +238,31 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term>-X <replaceable class="parameter">extended end-time</replaceable></term>
+        <listitem>
+          <para>
+            Specify the date and time when the generated RRSIG records
+            for the DNSKEY RRset will expire.  This is to be used in cases
+            when the DNSKEY signatures need to persist longer than
+            signatures on other records; e.g., when the private component
+            of the KSK is kept offline and the KSK signature is to be
+            refreshed manually.
+          </para>
+          <para>
+            As with <option>start-time</option>, an absolute
+            time is indicated in YYYYMMDDHHMMSS notation.  A time relative
+            to the start time is indicated with +N, which is N seconds from
+            the start time.  A time relative to the current time is
+            indicated with now+N.  If no <option>extended end-time</option> is
+            specified, the value of <option>end-time</option> is used as
+            the default.  (<option>end-time</option>, in turn, defaults to
+            30 days from the start time.) <option>extended end-time</option>
+            must be later than <option>start-time</option>.
+          </para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>-f <replaceable class="parameter">output-file</replaceable></term>
        <listitem>

--- a/bin/tests/system/smartsign/tests.sh
+++ b/bin/tests/system/smartsign/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.6 2010/08/16 22:21:06 marka Exp $
+# $Id: tests.sh,v 1.7 2011/03/04 22:20:21 each Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -63,7 +63,7 @@ cksk4=`$REVOKE $cksk3`
 $SETTIME -A now+20s $cksk2 > /dev/null

 echo I:signing child zone
-czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
+czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`

 echo I:generating keys
 pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
@@ -159,6 +159,14 @@ grep "$czsuccessor" other.sigs > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+echo "I:checking RRSIG expiry date correctness"
+dnskey_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
+              awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}'`
+soa_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
+           awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}'`
+[ $dnskey_expiry -gt $soa_expiry ] || ret=1
+status=`expr $status + $ret`
+
 echo "I:waiting 20 seconds for key activation"
 sleep 20
 echo "I:re-signing child zone"