Commit acbfd6ad authored by Tinderbox User's avatar Tinderbox User

Merge branch 'master' of /proj/git/prod/bind9

parents 776a8e3f a165a17a
3730. [cleanup] Added "never" as a synonym for "none" when
configuring key event dates in the dnssec tools.
[RT #35277]
3729. [bug] dnssec-kegeyn could set the publication date
incorrectly when only the activation date was
specified on the command line. [RT #35278]
3728. [doc] Expanded native-PKCS#11 documentation,
specifically pkcs11: URI labels. [RT #35287]
3727. [func] The isc_bitstring API is no longer used and
has been removed from libisc. [RT #35284]
3726. [cleanup] Clarified the error message when attempting
to configure more than 32 response-policy zones.
[RT #35283]
3725. [contrib] Updated zkt and nslint to newest versions,
cleaned up and rearranged the contrib
directory, and added a README.
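Review bot: entry 3729 misspells the tool name: "dnssec-kegeyn" should read "dnssec-keygen", matching the other entries and the tool's man page.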
......@@ -313,8 +313,8 @@ main(int argc, char **argv) {
if (setdel)
fatal("-D specified more than once");
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument, now, now);
del = strtotime(isc_commandline_argument,
now, now, &setdel);
break;
case 'K':
dir = isc_commandline_argument;
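Review bot: the "-D specified more than once" check is weakened by the new `&setdel` argument. `setdel = ISC_TRUE` is assigned before the call, but `strtotime()` now overwrites it with ISC_FALSE for "none"/"never", so `-D none -D +1d` passes the duplicate check silently. Track "option seen" separately from "date is set" (as the other tools do with their `unset*` flags), or pass a scratch variable and only copy it into `setdel` after the check.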
......@@ -322,18 +322,15 @@ main(int argc, char **argv) {
fatal("directory must be non-empty string");
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'P':
if (setpub)
fatal("-P specified more than once");
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument, now, now);
pub = strtotime(isc_commandline_argument,
now, now, &setpub);
break;
case 'f':
filename = isc_commandline_argument;
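Review bot: the `-P` case has the same problem as `-D` above: `setpub = ISC_TRUE` is set before `strtotime(..., &setpub)`, which resets it to ISC_FALSE for "none"/"never", so a repeated `-P` after `-P none` is no longer caught by `if (setpub) fatal(...)`. The `-L` change is fine: `strtottl()` now recognises "none"/"never" itself, so dropping the `strcmp` branch preserves the `ttl = 0` behaviour (and makes it case-insensitive).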
......@@ -160,7 +160,8 @@
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</para>
<variablelist>
......@@ -212,10 +212,7 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'l':
......@@ -248,61 +245,41 @@ main(int argc, char **argv) {
if (setpub || unsetpub)
fatal("-P specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setpub = ISC_TRUE;
publish = strtotime(isc_commandline_argument,
now, now);
} else {
unsetpub = ISC_TRUE;
}
publish = strtotime(isc_commandline_argument,
now, now, &setpub);
unsetpub = !setpub;
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setact = ISC_TRUE;
activate = strtotime(isc_commandline_argument,
now, now);
} else {
unsetact = ISC_TRUE;
}
activate = strtotime(isc_commandline_argument,
now, now, &setact);
unsetact = !setact;
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setrev = ISC_TRUE;
revoke = strtotime(isc_commandline_argument,
now, now);
} else {
unsetrev = ISC_TRUE;
}
revoke = strtotime(isc_commandline_argument,
now, now, &setrev);
unsetrev = !setrev;
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetinact = ISC_TRUE;
}
inactive = strtotime(isc_commandline_argument,
now, now, &setinact);
unsetinact = !setinact;
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setdel = ISC_TRUE;
delete = strtotime(isc_commandline_argument,
now, now);
} else {
unsetdel = ISC_TRUE;
}
delete = strtotime(isc_commandline_argument,
now, now, &setdel);
unsetdel = !setdel;
break;
case 'F':
/* Reserved for FIPS mode */
......@@ -151,9 +151,32 @@
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
Specifies the label for a key pair in the crypto hardware.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel<replaceable>".
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
</para>
<para>
If the label contains a
<option>pin-source</option> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
</para>
</listitem>
</varlistentry>
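Review bot: the closing tag in `"pkcs11:<replaceable>keylabel<replaceable>"` is missing its slash; it must be `</replaceable>` or the DocBook build will fail on an unclosed element. Also, the PKCS#11 URI format string in the following paragraph is not terminated with a period before "Keywords include", so the rendered man page runs the two sentences together.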
......@@ -319,7 +342,8 @@
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</para>
<variablelist>
......@@ -437,7 +461,8 @@
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4034</citetitle>.
<citetitle>RFC 4034</citetitle>,
<citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>.
</para>
</refsect1>
......@@ -347,10 +347,7 @@ main(int argc, char **argv) {
"To generate a key with TYPE=KEY, use -T KEY.\n");
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'n':
......@@ -407,61 +404,41 @@ main(int argc, char **argv) {
if (setpub || unsetpub)
fatal("-P specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setpub = ISC_TRUE;
publish = strtotime(isc_commandline_argument,
now, now);
} else {
unsetpub = ISC_TRUE;
}
publish = strtotime(isc_commandline_argument,
now, now, &setpub);
unsetpub = !setpub;
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setact = ISC_TRUE;
activate = strtotime(isc_commandline_argument,
now, now);
} else {
unsetact = ISC_TRUE;
}
activate = strtotime(isc_commandline_argument,
now, now, &setact);
unsetact = !setact;
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setrev = ISC_TRUE;
revoke = strtotime(isc_commandline_argument,
now, now);
} else {
unsetrev = ISC_TRUE;
}
revoke = strtotime(isc_commandline_argument,
now, now, &setrev);
unsetrev = !setrev;
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetinact = ISC_TRUE;
}
inactive = strtotime(isc_commandline_argument,
now, now, &setinact);
unsetinact = !setinact;
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setdel = ISC_TRUE;
delete = strtotime(isc_commandline_argument,
now, now);
} else {
unsetdel = ISC_TRUE;
}
delete = strtotime(isc_commandline_argument,
now, now, &setdel);
unsetdel = !setdel;
break;
case 'S':
predecessor = isc_commandline_argument;
......@@ -940,9 +917,9 @@ main(int argc, char **argv) {
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (setact)
else if (setact && !unsetpub)
dst_key_settime(key, DST_TIME_PUBLISH,
activate);
activate - prepub);
else if (!genonly && !unsetpub)
dst_key_settime(key, DST_TIME_PUBLISH, now);
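Review bot: `activate - prepub` has no guard for the case where the prepublication interval exceeds the activation offset (e.g. `-A +1h -i 1d`); if these are unsigned stdtime values the subtraction wraps to a far-future publication date instead of something near `now`. Consider clamping to `now` or failing with a clear error, and add that reversed case to the system test next to the `-A +1w -i 1d` check.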
......@@ -437,7 +437,8 @@
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</para>
<variablelist>
......@@ -460,7 +461,9 @@
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
default is "now". If set, if and -P is not set, then
the publication date will be set to the activation date
minus the prepublication interval.
</para>
</listitem>
</varlistentry>
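Review bot: grammar in the added sentence: "If set, if and -P is not set" should read "If set, and if -P is not set, then the publication date will be set to the activation date minus the prepublication interval."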
......@@ -239,10 +239,7 @@ main(int argc, char **argv) {
}
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'v':
......@@ -255,65 +252,45 @@ main(int argc, char **argv) {
fatal("-P specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetpub = ISC_TRUE;
} else {
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument,
now, now);
}
pub = strtotime(isc_commandline_argument,
now, now, &setpub);
unsetpub = !setpub;
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetact = ISC_TRUE;
} else {
setact = ISC_TRUE;
act = strtotime(isc_commandline_argument,
now, now);
}
act = strtotime(isc_commandline_argument,
now, now, &setact);
unsetact = !setact;
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetrev = ISC_TRUE;
} else {
setrev = ISC_TRUE;
rev = strtotime(isc_commandline_argument,
now, now);
}
rev = strtotime(isc_commandline_argument,
now, now, &setrev);
unsetrev = !setrev;
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetinact = ISC_TRUE;
} else {
setinact = ISC_TRUE;
inact = strtotime(isc_commandline_argument,
now, now);
}
inact = strtotime(isc_commandline_argument,
now, now, &setinact);
unsetinact = !setinact;
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetdel = ISC_TRUE;
} else {
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument,
now, now);
}
del = strtotime(isc_commandline_argument,
now, now, &setdel);
unsetdel = !setdel;
break;
case 'S':
predecessor = isc_commandline_argument;
......@@ -179,7 +179,7 @@
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
is computed in seconds. To unset a date, use 'none' or 'never'.
</para>
<variablelist>
......@@ -3365,17 +3365,18 @@ main(int argc, char *argv[]) {
isc_stdtime_get(&now);
if (startstr != NULL) {
starttime = strtotime(startstr, now, now);
starttime = strtotime(startstr, now, now, NULL);
} else
starttime = now - 3600; /* Allow for some clock skew. */
if (endstr != NULL)
endtime = strtotime(endstr, now, starttime);
endtime = strtotime(endstr, now, starttime, NULL);
else
endtime = starttime + (30 * 24 * 60 * 60);
if (dnskey_endstr != NULL) {
dnskey_endtime = strtotime(dnskey_endstr, now, starttime);
dnskey_endtime = strtotime(dnskey_endstr, now, starttime,
NULL);
if (endstr != NULL && dnskey_endtime == endtime)
fprintf(stderr, "WARNING: -e and -X were both set, "
"but have identical values.\n");
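Review bot: passing `NULL` for `setp` means `-s none`, `-e never` or `-X none` now silently yield a time of 0 (`strtotime()` returns 0 and only reports the unset state through `setp`), whereas dnssec-signzone always needs concrete start and end times. Either reject "none"/"never" here with `fatal()` or have `strtotime()` treat them as an error when `setp` is NULL, rather than producing signatures with a 1970 validity boundary.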
......@@ -300,12 +300,21 @@ time_units(isc_stdtime_t offset, char *suffix, const char *str) {
return(0); /* silence compiler warning */
}
static inline isc_boolean_t
isnone(const char *str) {
return (ISC_TF((strcasecmp(str, "none") == 0) ||
(strcasecmp(str, "never") == 0)));
}
dns_ttl_t
strtottl(const char *str) {
const char *orig = str;
dns_ttl_t ttl;
char *endp;
if (isnone(str))
return ((dns_ttl_t) 0);
ttl = strtol(str, &endp, 0);
if (ttl == 0 && endp == str)
fatal("TTL must be numeric");
......@@ -314,13 +323,24 @@ strtottl(const char *str) {
}
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
strtotime(const char *str, isc_int64_t now, isc_int64_t base,
isc_boolean_t *setp)
{
isc_int64_t val, offset;
isc_result_t result;
const char *orig = str;
char *endp;
int n;
if (isnone(str)) {
if (setp != NULL)
*setp = ISC_FALSE;
return ((isc_stdtime_t) 0);
}
if (setp != NULL)
*setp = ISC_TRUE;
if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
return ((isc_stdtime_t) 0);
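Review bot: after the new `isnone()` branch, the existing `"0"`/`"-"` shortcut still returns 0 but leaves `*setp` as ISC_TRUE, so the same zero time is reported as "set" or "unset" depending only on spelling. Confirm that distinction (explicit time 0 versus no date) is intended and document it; the man page hunks in this merge describe only 'none'/'never'.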
......@@ -68,7 +68,8 @@ cleanup_entropy(isc_entropy_t **ectx);
dns_ttl_t strtottl(const char *str);
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
strtotime(const char *str, isc_int64_t now, isc_int64_t base,
isc_boolean_t *setp);
dns_rdataclass_t
strtoclass(const char *str);
......@@ -1628,8 +1628,12 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
rpz_obj = cfg_listelt_value(element);
if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES)
return (ISC_R_NOMEMORY);
if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"limit of %d response policy zones exceeded",
DNS_RPZ_MAX_ZONES);
return (ISC_R_FAILURE);
}
new = isc_mem_get(view->rpzs->mctx, sizeof(*new));
if (new == NULL) {
#!/bin/sh -e
#
# Copyright (C) 20122014, 2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
......@@ -174,5 +174,22 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking correct behavior setting activation without publication date ($n)"
ret=0
key=`$KEYGEN -q -r $RANDFILE -A +1w $czone`
pub=`$SETTIME -upP $key | awk '{print $2}'`
act=`$SETTIME -upA $key | awk '{print $2}'`
[ $pub -eq $act ] || ret=1
key=`$KEYGEN -q -r $RANDFILE -A +1w -i 1d $czone`
pub=`$SETTIME -upP $key | awk '{print $2}'`
act=`$SETTIME -upA $key | awk '{print $2}'`
[ $pub -lt $act ] || ret=1
key=`$KEYGEN -q -r $RANDFILE -A +1w -P never $czone`
pub=`$SETTIME -upP $key | awk '{print $2}'`
[ $pub = "UNSET" ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
......@@ -9364,6 +9364,16 @@ deny-answer-aliases { "example.net"; };
<command>allow-query { localhost; };</command>.
</para>
<para>
A <command>response-policy</command> option can support
multiple policy zones. To maximize performance, a radix
tree is used to quickly identify response policy zones
containing triggers that match the current query. This
imposes an upper limit of 32 on the number of policy zones
in a single <command>response-policy</option> option; more
than that is a configuration error.
</para>
<para>
Five policy triggers can be encoded in RPZ records.
<variablelist>
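Review bot: `<command>response-policy</option>` opens with `<command>` and closes with `</option>`; it should be `<command>response-policy</command>`, otherwise the ARM build fails on mismatched tags.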
......@@ -485,6 +485,13 @@ $ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput>
different keylabel, a smaller key size, and omitting "-f KSK"
from the dnssec-keyfromlabel arguments:
</para>
<para>
(Note: When using OpenSSL-based PKCS#11 the label is an arbitrary
string which identifies the key. With native PKCS#11, the label is
a PKCS#11 URI string which may include other details about the key
and the HSM, including its PIN. See
<xref linkend="man.dnssec-keyfromlabel"/> for details.)
</para>
<screen>
$ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput>
$ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput>
......@@ -595,7 +602,7 @@ $ <userinput>dnssec-signzone -E '' -S example.net</userinput>
<para>
Placing the HSM's PIN in a text file in this manner may reduce the
security advantage of using an HSM. Be sure this is what you want to
do before configuring OpenSSL in this way.
do before configuring the system in this way.
</para>
</warning>
</sect2>
......@@ -54,7 +54,7 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
# Alphabetically