Commit 61271cde authored by Evan Hunt's avatar Evan Hunt

3060. [func] New option "dnssec-signzone -X <date>" allows

			specification of a separate expiration date
			for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
parent 122e8dba
3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date
for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
3059. [test] Added a regression test for change #3023.
3058. [bug] Cause named to terminate at startup or rndc reconfig/
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.264 2011/03/01 23:48:05 tbox Exp $ */
/* $Id: dnssec-signzone.c,v 1.265 2011/03/04 22:20:20 each Exp $ */
/*! \file */
......@@ -124,7 +124,7 @@ struct signer_event {
static dns_dnsseckeylist_t keylist;
static unsigned int keycount = 0;
isc_rwlock_t keylist_lock;
static isc_stdtime_t starttime = 0, endtime = 0, now;
static isc_stdtime_t starttime = 0, endtime = 0, dnskey_endtime = 0, now;
static int cycle = -1;
static int jitter = 0;
static isc_boolean_t tryverify = ISC_FALSE;
......@@ -206,7 +206,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
{
isc_result_t result;
isc_stdtime_t jendtime;
isc_stdtime_t jendtime, expiry;
char keystr[DST_KEY_FORMATSIZE];
dns_rdata_t trdata = DNS_RDATA_INIT;
unsigned char array[BUFSIZE];
......@@ -216,7 +216,12 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
dst_key_format(key, keystr, sizeof(keystr));
vbprintf(1, "\t%s %s\n", logmsg, keystr);
jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
if (rdataset->type == dns_rdatatype_dnskey)
expiry = dnskey_endtime;
else
expiry = endtime;
jendtime = (jitter != 0) ? isc_random_jitter(expiry, jitter) : expiry;
isc_buffer_init(&b, array, sizeof(array));
result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
mctx, &b, &trdata);
......@@ -416,10 +421,16 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
char namestr[DNS_NAME_FORMATSIZE];
char typestr[TYPE_FORMATSIZE];
char sigstr[SIG_FORMATSIZE];
isc_stdtime_t expiry;
dns_name_format(name, namestr, sizeof(namestr));
type_format(set->type, typestr, sizeof(typestr));
if (set->type == dns_rdatatype_dnskey)
expiry = dnskey_endtime;
else
expiry = endtime;
ttl = ISC_MIN(set->ttl, endtime - starttime);
dns_rdataset_init(&sigset);
......@@ -3259,10 +3270,16 @@ usage(void) {
fprintf(stderr, "update DS records based on child zones' "
"dsset-* files\n");
fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t\tRRSIG start time "
"- absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
fprintf(stderr, "\t\tRRSIG end time "
"- absolute|from start|from now "
"(now + 30 days)\n");
fprintf(stderr, "\t-X [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
fprintf(stderr, "\t\tDNSKEY RRSIG end "
"- absolute|from start|from now "
"(matches -e)\n");
fprintf(stderr, "\t-i interval:\n");
fprintf(stderr, "\t\tcycle interval - resign "
"if < interval from end ( (end-start)/4 )\n");
......@@ -3355,6 +3372,7 @@ int
main(int argc, char *argv[]) {
int i, ch;
char *startstr = NULL, *endstr = NULL, *classname = NULL;
char *dnskey_endstr = NULL;
char *origin = NULL, *file = NULL, *output = NULL;
char *inputformatstr = NULL, *outputformatstr = NULL;
char *serialformatstr = NULL;
......@@ -3386,7 +3404,7 @@ main(int argc, char *argv[]) {
isc_boolean_t set_iter = ISC_FALSE;
#define CMDLINE_FLAGS \
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:xz"
"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:X:xz"
/*
* Process memory debugging argument first.
......@@ -3609,6 +3627,10 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric");
break;
case 'X':
dnskey_endstr = isc_commandline_argument;
break;
case 'x':
keyset_kskonly = ISC_TRUE;
break;
......@@ -3656,11 +3678,19 @@ main(int argc, char *argv[]) {
} else
starttime = now - 3600; /* Allow for some clock skew. */
if (endstr != NULL) {
if (endstr != NULL)
endtime = strtotime(endstr, now, starttime);
} else
else
endtime = starttime + (30 * 24 * 60 * 60);
if (dnskey_endstr != NULL) {
dnskey_endtime = strtotime(dnskey_endstr, now, starttime);
if (endstr != NULL && dnskey_endtime == endtime)
fprintf(stderr, "WARNING: -e and -X were both set, "
"but have identical values.\n");
} else
dnskey_endtime = endtime;
if (cycle == -1)
cycle = (endtime - starttime) / 4;
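Review bot: In the signset hunk (@@ -416,10 +421,16 @@) the new `expiry` variable is assigned from the set type, but the only time-window computation visible in that hunk, `ttl = ISC_MIN(set->ttl, endtime - starttime);`, still reads `endtime`; unless signset uses `expiry` further down (its body continues outside the hunk), the variable is dead and the RRSIG TTL clamp for the DNSKEY RRset ignores -X, so that line presumably should be `ttl = ISC_MIN(set->ttl, expiry - starttime);`. In the main() hunk the new -X block only warns when -e and -X coincide, while the docbook text added in this same commit states the extended end-time must be later than start-time; nothing visible enforces `dnskey_endtime > starttime`, so a -X value before the inception time would produce DNSKEY RRSIGs that are invalid from the moment they are written and, with isc_stdtime_t being unsigned, would wrap `expiry - starttime` in signset. If strtotime does not already reject this, a guard such as `if (dnskey_endtime <= starttime) fatal("DNSKEY RRSIG end time must be later than start time");` next to the warning would close it, mirroring whatever check exists for endtime. The `cycle = (endtime - starttime) / 4` default stays tied to -e alone, which is likely intended but deserves a one-line comment saying so.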
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.45 2011/03/04 22:20:20 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
......@@ -83,6 +83,7 @@
<arg><option>-t</option></arg>
<arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
......@@ -237,6 +238,31 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-X <replaceable class="parameter">extended end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</para>
<para>
As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>extended end-time</option> is
specified, the value of <option>end-time</option> is used as
the default. (<option>end-time</option>, in turn, defaults to
30 days from the start time.) <option>extended end-time</option>
must be later than <option>start-time</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem>
......
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.6 2010/08/16 22:21:06 marka Exp $
# $Id: tests.sh,v 1.7 2011/03/04 22:20:21 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -63,7 +63,7 @@ cksk4=`$REVOKE $cksk3`
$SETTIME -A now+20s $cksk2 > /dev/null
echo I:signing child zone
czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`
echo I:generating keys
pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
......@@ -159,6 +159,14 @@ grep "$czsuccessor" other.sigs > /dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking RRSIG expiry date correctness"
dnskey_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
awk '$4 == "RRSIG" && $5 == "DNSKEY" {print $9; exit}'`
soa_expiry=`$CHECKZONE -o - $czone $cfile.signed 2> /dev/null |
awk '$4 == "RRSIG" && $5 == "SOA" {print $9; exit}'`
[ $dnskey_expiry -gt $soa_expiry ] || ret=1
status=`expr $status + $ret`
echo "I:waiting 20 seconds for key activation"
sleep 20
echo "I:re-signing child zone"
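Review bot: The new expiry-date check in the last hunk neither resets `ret` before it runs nor reports its own failure; the tail of the preceding block visible at the top of the hunk ends with `if [ $ret != 0 ]; then echo "I:failed"; fi` and `status=...`, and by that pattern each check appears to begin with a fresh `ret=0`, so here a prior block's `ret=1` is added to `status` a second time and a failing comparison is counted without any "I:failed" line in the log. Add `ret=0` after the `echo "I:checking RRSIG expiry date correctness"` line and `if [ $ret != 0 ]; then echo "I:failed"; fi` before the `status=` line. The awk extraction leaves `dnskey_expiry` or `soa_expiry` empty when no matching RRSIG line is found, which still trips `|| ret=1` but as a `[` argument error; quoting them, `[ "$dnskey_expiry" -gt "$soa_expiry" ] || ret=1`, keeps that a clean test failure rather than a shell syntax error.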
......