Commit 7865ea95 authored by Mark Andrews's avatar Mark Andrews

3339. [func] Allow the maximum supported rsa exponent size to be ...

3339.   [func]          Allow the maximum supported rsa exponent size to be                        specified: "max-rsa-exponent-size <value>;" [RT #29228]
parent 3ffb69c9
3339. [func] Allow the maximum supported rsa exponent size to be
specified: "max-rsa-exponent-size <value>;" [RT #29228]
3338. [bug] Address race condition in units tests: asyncload_zone
and asyncload_zt. [RT #26100]
......
......@@ -33,7 +33,7 @@
dnssec\-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
......@@ -103,11 +103,6 @@ Indicates that the DNS record containing the key should have the specified class
Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-e
.RS 4
If generating an RSAMD5/RSASHA1 key, use a large exponent.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
......
......@@ -124,7 +124,6 @@ usage(void) {
#else
fprintf(stderr, " -E <engine name>\n");
#endif
fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n");
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
"(DH only)\n");
......@@ -212,7 +211,7 @@ main(int argc, char **argv) {
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch, rsa_exp = 0, generator = 0, param = 0;
int ch, generator = 0, param = 0;
int protocol = -1, size = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
......@@ -311,7 +310,9 @@ main(int argc, char **argv) {
engine = isc_commandline_argument;
break;
case 'e':
rsa_exp = 1;
fprintf(stderr,
"phased-out option -e "
"(was 'use (RSA) large exponent)\n");
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
......@@ -789,13 +790,6 @@ main(int argc, char **argv) {
break;
}
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST ||
alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) &&
rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
fatal("specified DH generator for a non-DH key");
......@@ -855,7 +849,6 @@ main(int argc, char **argv) {
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
param = rsa_exp;
show_progress = ISC_TRUE;
break;
......
......@@ -68,7 +68,6 @@
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
......@@ -233,15 +232,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem>
<para>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
......
......@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543594"></a><h2>DESCRIPTION</h2>
<a name="id2543590"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
......@@ -46,7 +46,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543612"></a><h2>OPTIONS</h2>
<a name="id2543608"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
......@@ -139,10 +139,6 @@
support it defaults to pkcs11; the empty name resets it to
no engine.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
......@@ -260,7 +256,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544204"></a><h2>TIMING OPTIONS</h2>
<a name="id2544187"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
......@@ -331,7 +327,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544394"></a><h2>GENERATED KEYS</h2>
<a name="id2544377"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
......@@ -377,7 +373,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544476"></a><h2>EXAMPLE</h2>
<a name="id2544459"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
......@@ -398,7 +394,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544588"></a><h2>SEE ALSO</h2>
<a name="id2544571"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
......@@ -407,7 +403,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544619"></a><h2>AUTHOR</h2>
<a name="id2544602"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
......
......@@ -73,6 +73,7 @@ options {\n\
listen-on {any;};\n\
listen-on-v6 {none;};\n\
match-mapped-addresses no;\n\
max-rsa-exponent-size 0; /* no limit */\n\
memstatistics-file \"named.memstats\";\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
......
......@@ -2927,7 +2927,7 @@ get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
static isc_boolean_t
verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
dns_rdata_t *rdata, ns_client_t *client)
{
isc_result_t result;
dns_fixedname_t fixed;
......@@ -2936,9 +2936,10 @@ verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
dns_fixedname_init(&fixed);
again:
result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
result = dns_dnssec_verify3(name, rdataset, key, ignore,
client->view->maxbits, client->mctx,
rdata, NULL);
if (result == DNS_R_SIGEXPIRED && acceptexpired) {
if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
ignore = ISC_TRUE;
goto again;
}
......@@ -2981,8 +2982,7 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
do {
if (!get_key(client, db, &rrsig, &keyrdataset, &key))
break;
if (verify(key, name, rdataset, &rdata, client->mctx,
client->view->acceptexpired)) {
if (verify(key, name, rdataset, &rdata, client)) {
dst_key_free(&key);
dns_rdataset_disassociate(&keyrdataset);
mark_secure(client, db, name,
......
......@@ -1609,6 +1609,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
const char *cachename = NULL;
dns_order_t *order = NULL;
isc_uint32_t udpsize;
isc_uint32_t maxbits;
unsigned int resopts = 0;
dns_zone_t *zone = NULL;
isc_uint32_t max_clients_per_query;
......@@ -2237,6 +2238,19 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
udpsize = 4096;
view->maxudp = udpsize;
/*
* Set the maximum rsa exponent bits.
*/
obj = NULL;
result = ns_config_get(maps, "max-rsa-exponent-size", &obj);
INSIST(result == ISC_R_SUCCESS);
maxbits = cfg_obj_asuint32(obj);
if (maxbits != 0 && maxbits < 35)
maxbits = 35;
if (maxbits > 4096)
maxbits = 4096;
view->maxbits = maxbits;
/*
* Set supported DNSSEC algorithms.
*/
......
......@@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
SUBDIRS = dlzexternal filter-aaaa lwresd rpz tkey tsiggss
SUBDIRS = dlzexternal filter-aaaa lwresd rpz rsabigexponent tkey tsiggss
TARGETS =
@BIND9_MAKE_RULES@
......
......@@ -57,8 +57,8 @@ SUBDIRS="acl allow_query addzone autosign builtin cacheclean checkconf
dname dns64 dnssec ecdsa forward glue gost ixfr inline limits
logfileconfig lwresd masterfile masterformat metadata notify
nsupdate pending pkcs11 redirect resolver rndc rpz rrsetorder
sortlist smartsign staticstub statistics stub tkey tsig tsiggss
unknown upforwd views xfer xferquota zonechecks"
rsabigexponent sortlist smartsign staticstub statistics stub
tkey tsig tsiggss unknown upforwd views xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
PERL=@PERL@
......
# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id$
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = @USE_OPENSSL@
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
TARGETS = bigkey@EXEEXT@
OBJS = bigkey.@O@
SRCS = bigkey.c
@BIND9_MAKE_RULES@
all: bigkey@EXEEXT@
bigkey@EXEEXT@: ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LIBS}
clean distclean::
rm -f ${TARGETS}
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
#ifdef OPENSSL
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/region.h>
#include <isc/string.h>
#include <isc/util.h>
#define DST_KEY_INTERNAL
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/secalg.h>
#include <dst/dst.h>
#include <dst/result.h>
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#if OPENSSL_VERSION_NUMBER <= 0x00908000L
#error Require an OpenSSL version >= 9.8.0a
#endif
#include <openssl/bn.h>
#include <openssl/evp.h>
dst_key_t *key;
dns_fixedname_t fname;
dns_name_t *name;
unsigned int bits = 1024U;
isc_entropy_t *ectx;
isc_entropysource_t *source;
isc_mem_t *mctx;
isc_log_t *log_;
isc_logconfig_t *logconfig;
int level = ISC_LOG_WARNING;
isc_logdestination_t destination;
char filename[255];
isc_result_t result;
isc_buffer_t buf;
RSA *rsa;
BIGNUM *e;
EVP_PKEY *pkey;
#define CHECK(op, msg) \
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
fprintf(stderr, \
"fatal error: %s returns %s at file %s line %d\n", \
msg, isc_result_totext(result), __FILE__, __LINE__); \
exit(1); \
} \
} while (0)
int
main(int argc, char **argv) {
UNUSED(argc);
UNUSED(argv);
rsa = RSA_new();
e = BN_new();
pkey = EVP_PKEY_new();
if ((rsa == NULL) || (e == NULL) || (pkey == NULL) ||
!EVP_PKEY_set1_RSA(pkey, rsa)) {
fprintf(stderr, "fatal error: basic OpenSSL failure\n");
exit(1);
}
/* e = 0x1000000000001 */
BN_set_bit(e, 0);
BN_set_bit(e, 48);
if (RSA_generate_key_ex(rsa, bits, e, NULL)) {
BN_free(e);
RSA_free(rsa);
} else {
fprintf(stderr,
"fatal error: RSA_generate_key_ex() fails "
"at file %s line %d\n",
__FILE__, __LINE__);
exit(1);
}
dns_result_register();
CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
CHECK(isc_entropy_usebestsource(ectx, &source,
"random.data", ISC_ENTROPY_KEYBOARDNO),
"isc_entropy_usebestsource(\"random.data\")");
CHECK(dst_lib_init2(mctx, ectx, NULL, 0), "dst_lib_init2()");
CHECK(isc_log_create(mctx, &log_, &logconfig), "isc_log_create()");
isc_log_setcontext(log_);
dns_log_init(log_);
dns_log_setcontext(log_);
CHECK(isc_log_settag(logconfig, "bigkey"), "isc_log_settag()");
destination.file.stream = stderr;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
CHECK(isc_log_createchannel(logconfig, "stderr",
ISC_LOG_TOFILEDESC,
level,
&destination,
ISC_LOG_PRINTTAG | ISC_LOG_PRINTLEVEL),
"isc_log_createchannel()");
CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL),
"isc_log_usechannel()");
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&buf, "example.", strlen("example."));
isc_buffer_add(&buf, strlen("example."));
CHECK(dns_name_fromtext(name, &buf, dns_rootname, 0, NULL),
"dns_name_fromtext(\"example.\")");
CHECK(dst_key_buildinternal(name, DNS_KEYALG_RSASHA1,
bits, DNS_KEYOWNER_ZONE,
DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
pkey, mctx, &key),
"dst_key_buildinternal(...)");
CHECK(dst_key_tofile(key, DST_TYPE_PRIVATE | DST_TYPE_PUBLIC, NULL),
"dst_key_tofile()");
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
isc_buffer_clear(&buf);
CHECK(dst_key_buildfilename(key, 0, NULL, &buf),
"dst_key_buildfilename()");
printf("%s\n", filename);
dst_key_free(&key);
isc_log_destroy(&log_);
isc_log_setcontext(NULL);
dns_log_setcontext(NULL);
if (source != NULL)
isc_entropy_destroysource(&source);
isc_entropy_detach(&ectx);
dst_lib_destroy();
dns_name_destroy();
isc_mem_destroy(&mctx);
return (0);
}
#else /* OPENSSL */
#include <stdio.h>
#include <stdlib.h>
int
main(int argc, char **argv) {
fprintf(stderr, "Compiled without OpenSSL\n");
exit(1);
}
#endif /* OPENSSL */
/*! \file */
#!/bin/sh
#
# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id$
rm -f K* */K* */dsset-*. */*.signed */trusted.conf */tmp*
rm -f random.data
rm -f ns*/named.run
rm -f ns*/named.memstats
rm -f ns1/root.db
rm -f ns2/signer.err
rm -f dig.out.*
options {
max-rsa-exponent-size 1;
};
options {
max-rsa-exponent-size 34;
};
options {
max-rsa-exponent-size 4097;
};
options {
max-rsa-exponent-size 0;
};
options {
max-rsa-exponent-size 35;
};
options {
max-rsa-exponent-size 4096;
};
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
// NS1
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." {
type master;
file "root.db.signed";
};
include "trusted.conf";
; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE