2893. [bug] Improve managed keys support. New named.conf option

                        managed-keys-directory. [RT #20924]

CHANGES

+2893.	[bug]		Improve managed keys support.  New named.conf option
+			managed-keys-directory. [RT #20924]
+
 2892.	[bug]		Handle REVOKED keys better. [RT #20961]
 
 2891.	[maint]		Update empty-zones list to match

bin/named/config.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.106 2009/12/04 21:09:32 marka Exp $ */
+/* $Id: config.c,v 1.107 2010/05/14 04:48:28 marka Exp $ */
 
 /*! \file */
 
@@ -238,18 +238,6 @@ view \"_bind\" chaos {\n\
 	};\n\
 };\n\
 "
-
-"#\n\
-#  The \"_meta\" view is for zones that are used to store internal\n\
-#  information for named, such as managed keys.  The zones are defined\n\
-#  elsewhere.\n\
-#\n\
-view \"_meta\" in {\n\
-	recursion no;\n\
-	notify no;\n\
-};\n\
-"
-
 "#\n\
 #  Default trusted key(s) for builtin DLV support\n\
 #  (used if \"dnssec-lookaside auto;\" is set and\n\

bin/named/include/named/server.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.104 2009/11/28 15:57:37 vjs Exp $ */
+/* $Id: server.h,v 1.105 2010/05/14 04:48:28 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -55,8 +55,6 @@ struct ns_server {
 	char *			statsfile;	/*%< Statistics file name */
 	char *			dumpfile;	/*%< Dump file name */
 	char *			bindkeysfile;	/*%< bind.keys file name */
-	isc_boolean_t           managedkeys;    /*%< A managed-keys
-						     statement exists */
 	char *			recfile;	/*%< Recursive file name */
 	isc_boolean_t		version_set;	/*%< User has set version */
 	char *			version;	/*%< User-specified version */

bin/named/named.conf.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.45 2010/05/14 04:48:28 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -349,6 +349,7 @@ options {
 
 	zone-statistics <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
+	managed-keys-directory <replaceable>quoted_string</replaceable>;
 	auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.565 2010/05/14 03:24:24 marka Exp $ */
+/* $Id: server.c,v 1.566 2010/05/14 04:48:28 marka Exp $ */
 
 /*! \file */
 
@@ -23,6 +23,7 @@
 
 #include <stdlib.h>
 #include <unistd.h>
+#include <limits.h>
 
 #include <isc/app.h>
 #include <isc/base64.h>
@@ -36,6 +37,7 @@
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/resource.h>
+#include <isc/sha2.h>
 #include <isc/socket.h>
 #include <isc/stat.h>
 #include <isc/stats.h>
@@ -104,6 +106,10 @@
 #include <stdlib.h>
 #endif
 
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
 /*%
  * Check an operation for failure.  Assumes that the function
  * using it has a 'result' variable and a 'cleanup' label.
@@ -280,7 +286,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	       cfg_aclconfctx_t *aclconf);
 
 static isc_result_t
-add_keydata_zone(dns_view_t *view, isc_mem_t *mctx);
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
 
 static void
 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
@@ -635,13 +641,15 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	isc_result_t result = ISC_R_SUCCESS;
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
+	const cfg_obj_t *view_managed_keys = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
 	const cfg_obj_t *builtin_keys = NULL;
 	const cfg_obj_t *builtin_managed_keys = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
-	isc_boolean_t meta;
+	const cfg_obj_t *obj = NULL;
+	const char *directory;
 	int i = 0;
 
 	/* We don't need trust anchors for the _bind view */
@@ -650,14 +658,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 		return (ISC_R_SUCCESS);
 	}
 
-	meta = ISC_TF(strcmp(view->name, "_meta") == 0 &&
-		      view->rdclass == dns_rdataclass_in);
-
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		if (voptions != NULL) {
 			(void) cfg_map_get(voptions, "trusted-keys",
 					   &view_keys);
+			(void) cfg_map_get(voptions, "managed-keys",
+					   &view_managed_keys);
 			maps[i++] = voptions;
 		}
 	}
@@ -682,10 +689,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 		return (ISC_R_UNEXPECTED);
 	}
 
-	if (global_managed_keys != NULL)
-		ns_g_server->managedkeys = ISC_TRUE;
-
-	if (auto_dlv) {
+	if (auto_dlv && view->rdclass == dns_rdataclass_in) {
 		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
 			      "using built-in trusted-keys for view %s",
@@ -707,22 +711,30 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 					  &builtin_managed_keys);
 		}
 
+		if (builtin_keys != NULL)
+			CHECK(load_view_keys(builtin_keys, vconfig, view,
+					     ISC_FALSE, mctx));
 		if (builtin_managed_keys != NULL)
-			ns_g_server->managedkeys = ISC_TRUE;
-		CHECK(load_view_keys(builtin_keys, vconfig, view,
-				     ISC_FALSE, mctx));
-
-		if (meta)
 			CHECK(load_view_keys(builtin_managed_keys, vconfig,
 					     view, ISC_TRUE, mctx));
 	}
 
 	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
-	CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, mctx));
-
-	if (meta)
+	CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx));
+	if (view->rdclass == dns_rdataclass_in) {
+		CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
+				     mctx));
 		CHECK(load_view_keys(global_managed_keys, vconfig, view,
-			       ISC_TRUE, mctx));
+				     ISC_TRUE, mctx));
+	}
+
+	/*
+	 * Add key zone for managed-keys.
+	 */
+	obj = NULL;
+	(void)ns_config_get(maps, "managed-keys-directory", &obj);
+	directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
+	CHECK(add_keydata_zone(view, directory, ns_g_mctx));
 
   cleanup:
 	return (result);
@@ -2929,30 +2941,33 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
  */
 
 #define KEYZONE "managed-keys.bind"
+#define MKEYS ".mkeys"
 
 static isc_result_t
-add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	dns_acl_t *none = NULL;
-	dns_name_t zname;
-
-	if (!ns_g_server->managedkeys)
-		return (ISC_R_SUCCESS);
+	char filename[PATH_MAX];
+	char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
+	int n;
 
 	REQUIRE(view != NULL);
 
 	CHECK(dns_zone_create(&zone, mctx));
 
-	dns_name_init(&zname, NULL);
-	CHECK(dns_name_fromstring(&zname, KEYZONE, 0, mctx));
-	CHECK(dns_zone_setorigin(zone, &zname));
-	dns_name_free(&zname, mctx);
+	CHECK(dns_zone_setorigin(zone, dns_rootname));
 
-	CHECK(dns_zone_setfile(zone, KEYZONE));
-
-	if (view->hints == NULL)
-		dns_view_sethints(view, ns_g_server->in_roothints);
+	isc_sha256_data(view->name, strlen(view->name), buffer);
+	strcat(buffer, MKEYS);
+	n = snprintf(filename, sizeof(filename), "%s%s%s",
+		     directory ? directory : "", directory ? "/" : "",
+		     strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
+	if (n < 0 || (size_t)n >= sizeof(filename)) {
+		result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
+		goto cleanup;
+	}
+	CHECK(dns_zone_setfile(zone, filename));
 
 	dns_zone_setview(zone, view);
 	dns_zone_settype(zone, dns_zone_key);
@@ -2976,11 +2991,14 @@ add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
 	dns_zone_setstats(zone, ns_g_server->zonestats);
 	CHECK(setquerystats(zone, mctx, ISC_FALSE));
 
-	CHECK(dns_view_addzone(view, zone));
+	if (view->managed_keys != NULL)
+		dns_zone_detach(&view->managed_keys);
+	dns_zone_attach(zone, &view->managed_keys);
 
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "set up %s meta-zone", KEYZONE);
+		      "set up managed keys zone for view %s, file '%s'",
+		      view->name, filename);
 
 cleanup:
 	if (zone != NULL)
@@ -4113,12 +4131,6 @@ load_configuration(const char *filename, ns_server_t *server,
 		CHECK(configure_view(view, config, vconfig,
 				     &cachelist, bindkeys,
 				     ns_g_mctx, &aclconfctx, ISC_FALSE));
-
-		if (!strcmp(view->name, "_meta")) {
-			result = add_keydata_zone(view, ns_g_mctx);
-			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		}
-
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 		view = NULL;
@@ -4469,6 +4481,8 @@ load_zones(ns_server_t *server, isc_boolean_t stop) {
 	     view = ISC_LIST_NEXT(view, link))
 	{
 		CHECK(dns_view_load(view, stop));
+		if (view->managed_keys != NULL)
+			CHECK(dns_zone_load(view->managed_keys));
 	}
 
 	/*
@@ -4743,8 +4757,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 						  ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 
-	server->managedkeys = ISC_FALSE;
-
 	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
@@ -6415,8 +6427,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
 
 	view = dns_zone_getview(zone);
 	if (strcmp(view->name, "_default") == 0 ||
-	    strcmp(view->name, "_bind") == 0 ||
-	    strcmp(view->name, "_meta"))
+	    strcmp(view->name, "_bind") == 0)
 	{
 		vname = "";
 		sep = "";

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.456 2010/02/25 04:39:12 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.457 2010/05/14 04:48:28 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -4870,6 +4870,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
     <optional> directory <replaceable>path_name</replaceable>; </optional>
     <optional> key-directory <replaceable>path_name</replaceable>; </optional>
+    <optional> managed-keys-directory <replaceable>path_name</replaceable>; </optional>
     <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
     <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
     <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
@@ -5190,6 +5191,19 @@ badresp:1,adberr:0,findfail:0,valfail:0]
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><command>managed-keys-directory</command></term>
+            <listitem>
+              <para>
+		The directory used to hold the files used to track managed keys.
+		By default it is the working directory.  It there are no
+		views then the file <filename>managed-keys.bind</filename>
+		otherwise a SHA256 hash of the view name is used with
+		<filename>.mkeys</filename> extension added.
+              </para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><command>named-xfer</command></term>
 	    <listitem>

lib/dns/include/dns/view.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.121 2010/05/14 04:38:52 marka Exp $ */
+/* $Id: view.h,v 1.122 2010/05/14 04:48:28 marka Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -175,6 +175,8 @@ struct dns_view {
 	/* Under owner's locking control. */
 	ISC_LINK(struct dns_view)	link;
 	dns_viewlist_t *		viewlist;
+	
+	dns_zone_t *			managed_keys;
 };
 
 #define DNS_VIEW_MAGIC			ISC_MAGIC('V','i','e','w')

lib/dns/view.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.162 2010/05/14 04:38:51 marka Exp $ */
+/* $Id: view.c,v 1.163 2010/05/14 04:48:28 marka Exp $ */
 
 /*! \file */
 
@@ -183,6 +183,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->v4_aaaa = dns_v4_aaaa_ok;
 #endif
 	dns_fixedname_init(&view->dlv_fixed);
+	view->managed_keys = NULL;
 
 #ifdef BIND9
 	result = dns_order_create(view->mctx, &view->order);
@@ -361,6 +362,8 @@ destroy(dns_view_t *view) {
 		dns_stats_detach(&view->resquerystats);
 	if (view->secroots_priv != NULL)
 		dns_keytable_detach(&view->secroots_priv);
+	if (view->managed_keys != NULL)
+		dns_zone_detach(&view->managed_keys);
 	dns_fwdtable_destroy(&view->fwdtable);
 	dns_aclenv_destroy(&view->aclenv);
 	DESTROYLOCK(&view->lock);
@@ -423,6 +426,11 @@ view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
 			dns_zt_flushanddetach(&view->zonetable);
 		else
 			dns_zt_detach(&view->zonetable);
+		if (view->managed_keys != NULL) {
+			if (view->flush)
+				dns_zone_flush(view->managed_keys);
+			dns_zone_detach(&view->managed_keys);
+		}
 #endif
 		done = all_done(view);
 		UNLOCK(&view->lock);

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.562 2010/05/14 04:38:51 marka Exp $ */
+/* $Id: zone.c,v 1.563 2010/05/14 04:48:28 marka Exp $ */
 
 /*! \file */
 
@@ -11087,7 +11087,8 @@ dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
-		      level, "zone %s: %s", zone->strnamerd, message);
+		      level, "%s %s: %s", (zone->type == dns_zone_key) ?
+		      "managed-keys-zone" : "zone", zone->strnamerd, message);
 }
 
 void
@@ -11102,7 +11103,8 @@ dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		      level, "zone %s: %s", zone->strnamerd, message);
+		      level, "%s %s: %s", (zone->type == dns_zone_key) ?
+		      "managed-keys-zone" : "zone", zone->strnamerd, message);
 }
 
 static void