2924. [func] 'rndc secroots' dump a combined summary of the

                        current managed keys combined with trusted keys.
                        [RT #20904]

CHANGES

+2924.	[func]		'rndc  secroots'  dump a combined summary of the
+			current managed keys combined with trusted keys.
+			[RT #20904]
+
 2923.	[bug]		'dig +trace' could drop core after "connection
 			timeout". [RT #21514]
 

bin/named/config.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.110 2010/06/22 23:46:52 tbox Exp $ */
+/* $Id: config.c,v 1.111 2010/06/25 03:24:05 marka Exp $ */
 
 /*! \file */
 
@@ -80,6 +80,7 @@ options {\n\
 	bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
 	port 53;\n\
 	recursing-file \"named.recursing\";\n\
+	secroots-file \"named.secroots\";\n\
 "
 #ifdef PATH_RANDOMDEV
 "\

bin/named/control.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.36 2009/10/12 20:48:11 each Exp $ */
+/* $Id: control.c,v 1.37 2010/06/25 03:24:05 marka Exp $ */
 
 /*! \file */
 
@@ -153,6 +153,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
 		ns_server_dumpdb(ns_g_server, command);
 		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
+		result = ns_server_dumpsecroots(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_TRACE)) {
 		result = ns_server_setdebuglevel(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_NOTRACE)) {

bin/named/include/named/control.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.27 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: control.h,v 1.28 2010/06/25 03:24:05 marka Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -42,6 +42,7 @@
 #define NS_COMMAND_DUMPSTATS	"stats"
 #define NS_COMMAND_QUERYLOG	"querylog"
 #define NS_COMMAND_DUMPDB	"dumpdb"
+#define NS_COMMAND_SECROOTS	"secroots"
 #define NS_COMMAND_TRACE	"trace"
 #define NS_COMMAND_NOTRACE	"notrace"
 #define NS_COMMAND_FLUSH	"flush"

bin/named/include/named/server.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.106 2010/05/14 23:50:39 tbox Exp $ */
+/* $Id: server.h,v 1.107 2010/06/25 03:24:05 marka Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -54,6 +54,7 @@ struct ns_server {
 	dns_acl_t		*blackholeacl;
 	char *			statsfile;	/*%< Statistics file name */
 	char *			dumpfile;	/*%< Dump file name */
+	char *			secrootsfile;	/*%< Secroots file name */
 	char *			bindkeysfile;	/*%< bind.keys file name */
 	char *			recfile;	/*%< Recursive file name */
 	isc_boolean_t		version_set;	/*%< User has set version */
@@ -244,6 +245,12 @@ ns_server_dumpstats(ns_server_t *server);
 isc_result_t
 ns_server_dumpdb(ns_server_t *server, char *args);
 
+/*%
+ * Dump the current security roots to the secroots file.
+ */
+isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args);
+
 /*%
  * Change or increment the server debug level.
  */

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.569 2010/06/22 03:58:36 marka Exp $ */
+/* $Id: server.c,v 1.570 2010/06/25 03:24:05 marka Exp $ */
 
 /*! \file */
 
@@ -4352,6 +4352,12 @@ load_configuration(const char *filename, ns_server_t *server,
 	CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
 	       "strdup");
 
+	obj = NULL;
+	result = ns_config_get(maps, "secroots-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
 	obj = NULL;
 	result = ns_config_get(maps, "recursing-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@@ -4763,6 +4769,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 
+	server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
+	CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
+						  ISC_R_SUCCESS,
+		   "isc_mem_strdup");
+
 	server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
 	CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
@@ -4833,6 +4844,7 @@ ns_server_destroy(ns_server_t **serverp) {
 	isc_mem_free(server->mctx, server->statsfile);
 	isc_mem_free(server->mctx, server->bindkeysfile);
 	isc_mem_free(server->mctx, server->dumpfile);
+	isc_mem_free(server->mctx, server->secrootsfile);
 	isc_mem_free(server->mctx, server->recfile);
 
 	if (server->version != NULL)
@@ -5693,6 +5705,68 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
 	return (result);
 }
 
+isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args) {
+	dns_view_t *view;
+	dns_keytable_t *secroots = NULL;
+	isc_result_t result;
+	char *ptr;
+	FILE *fp = NULL;
+	isc_time_t now;
+	char tbuf[64];
+
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	ptr = next_token(&args, " \t");
+
+	CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
+		"could not open secroots dump file", server->secrootsfile);
+	TIME_NOW(&now);
+	isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
+	fprintf(fp, "%s\n", tbuf);
+
+ nextview:
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (ptr != NULL && strcmp(view->name, ptr) != 0)
+			continue;
+		if (secroots != NULL)
+			dns_keytable_detach(&secroots);
+		result = dns_view_getsecroots(view, &secroots);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			continue;
+		}			
+		fprintf(fp, "\n Start view %s\n\n", view->name);
+		CHECK(dns_keytable_dump(secroots, fp));
+	}
+	if (ptr != NULL) {
+		ptr = next_token(&args, " \t");
+		if (ptr != NULL)
+			goto nextview;
+	}
+
+ cleanup:
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
+	if (fp != NULL)
+		(void)isc_stdio_close(fp);
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpsecroots complete");
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumpsecroots failed: %s",
+			      dns_result_totext(result));
+	return (result);
+}
+
 isc_result_t
 ns_server_dumprecursing(ns_server_t *server) {
 	FILE *fp = NULL;

bin/rndc/rndc.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.127 2009/12/18 07:59:43 each Exp $ */
+/* $Id: rndc.c,v 1.128 2010/06/25 03:24:05 marka Exp $ */
 
 /*! \file */
 
@@ -123,6 +123,8 @@ command is one of the following:\n\
   querylog	Toggle query logging.\n\
   dumpdb [-all|-cache|-zones] [view ...]\n\
 		Dump cache(s) to the dump file (named_dump.db).\n\
+  secroots [view ...]\n\
+		Write security roots to the secroots file.\n\
   stop		Save pending updates to master files and stop the server.\n\
   stop -p	Save pending updates to master files and stop the server\n\
 		reporting process id.\n\

bin/tests/system/dnssec/clean.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.27 2010/06/03 23:51:05 tbox Exp $
+# $Id: clean.sh,v 1.28 2010/06/25 03:24:05 marka Exp $
 
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
@@ -37,4 +37,6 @@ rm -f ns3/optout.nsec3.example.db
 rm -f ns3/optout.optout.example.db
 rm -f ns3/secure.nsec3.example.db
 rm -f ns3/secure.optout.example.db
+rm -f */named.secroots
+rm -f ns1/managed.key.id
 rm -f signer/example.db

bin/tests/system/dnssec/ns1/sign.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
+# $Id: sign.sh,v 1.31 2010/06/25 03:24:05 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -53,3 +53,8 @@ cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
 cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
+#
+#  Save keyid for managed key id test.
+#
+keyid=`expr $keyname : 'K.+001+\(.*\)'`
+echo "$keyid" > managed.key.id

bin/tests/system/dnssec/ns4/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.28 2007/06/18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.29 2010/06/25 03:24:05 marka Exp $ */
 
 // NS4
 
@@ -36,6 +36,15 @@ options {
 	dnssec-must-be-secure mustbesecure.example yes;
 };
 
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "../../common/root.hint";

bin/tests/system/dnssec/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.61 2010/06/04 00:04:39 marka Exp $
+# $Id: tests.sh,v 1.62 2010/06/25 03:24:05 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -933,6 +933,19 @@ grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - IQF9LQTLKKNF
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+# Test that "rndc secroots" is able to dump trusted keys
+echo "I:checking rndc secroots ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /'
+keyid=`cat ns1/managed.key.id`
+linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l`
+[ "$linecount" -eq 2 ] || ret=1
+linecount=`cat ns4/named.secroots | wc -l`
+[ "$linecount" -eq 9 ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.
 

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.458 2010/06/22 06:16:34 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.459 2010/06/25 03:24:05 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -1305,6 +1305,19 @@ zone "eng.example.com" {
                     </listitem>
                   </varlistentry>
 
+                  <varlistentry>
+                    <term><userinput>secroots
+                        <optional><replaceable>view ...</replaceable></optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Dump the server's security roots to the secroots
+                        file for the specified views.  If no view is
+                        specified, security roots for all
+                        views are dumped.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
                   <varlistentry>
                     <term><userinput>stop <optional>-p</optional></userinput></term>
                     <listitem>
@@ -5365,6 +5378,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><command>secroots-file</command></term>
+            <listitem>
+              <para>
+                The pathname of the file the server dumps
+                security roots to when instructed to do so with
+                <command>rndc secroots</command>.
+                If not specified, the default is <filename>named.secroots</filename>.
+              </para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><command>session-keyfile</command></term>
             <listitem>

lib/dns/include/dns/keytable.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.22 2010/01/12 23:48:57 tbox Exp $ */
+/* $Id: keytable.h,v 1.23 2010/06/25 03:24:05 marka Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
@@ -410,6 +410,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
  *\li	Any other result is an error.
  */
 
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
+/*%<
+ * Dump the keytable on fp.
+ */
+
 dst_key_t *
 dns_keynode_key(dns_keynode_t *keynode);
 /*%<

lib/dns/keytable.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.39 2009/12/03 15:40:02 each Exp $ */
+/* $Id: keytable.c,v 1.40 2010/06/25 03:24:05 marka Exp $ */
 
 /*! \file */
 
@@ -553,6 +553,44 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
 	return (result);
 }
 
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
+{
+	isc_result_t result;
+	dns_keynode_t *knode;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, keytable->mctx);
+	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+		goto cleanup;
+	for (;;) {
+		char pbuf[DST_KEY_FORMATSIZE];
+
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		for (knode = node->data; knode != NULL; knode = knode->next) {
+			dst_key_format(knode->key, pbuf, sizeof(pbuf));
+			fprintf(fp, "%s ; %s\n", pbuf,
+				knode->managed ? "managed" : "trusted");
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
 dst_key_t *
 dns_keynode_key(dns_keynode_t *keynode) {
 

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.118 2010/06/22 03:58:38 marka Exp $ */
+/* $Id: namedconf.c,v 1.119 2010/06/25 03:24:05 marka Exp $ */
 
 /*! \file */
 
@@ -868,6 +868,7 @@ options_clauses[] = {
 	{ "random-device", &cfg_type_qstring, 0 },
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reserved-sockets", &cfg_type_uint32, 0 },
+	{ "secroots-file", &cfg_type_qstring, 0 },
 	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "serial-query-rate", &cfg_type_uint32, 0 },
 	{ "server-id", &cfg_type_serverid, 0 },